22—Lever #1: Your Income (Part Ten—Protecting Your Online Identity and Accounts)
It's a jungle out there, full of creatures wanting to separate you from your money
Like most young adults, you probably use digital devices for online banking, investing, and payments. That can simplify things but also puts you at greater risk for fraud or identity theft. Therefore, you must protect your digital assets, including your online identity.
Identity theft, phishing, fraud, etc., are all cybercrimes intended to separate you from your hard-earned income and what you've saved and perhaps invested. If that happens, it can have catastrophic consequences for your "Financial Life Equation (FLE)."
We live in a fallen world, so using the best tools and techniques available to protect your identity and digital assets is wise. Fraudsters and scammers are out there (sadly, including in churches!). So don't be a victim, as Jesus said in Matthew 10:16, “Behold, I am sending you out as sheep in the midst of wolves, so be wise as serpents and innocent as doves.” (ESV)
Many measures you can take are common sense and relatively easy to implement, but many people overlook them until it's too late. For the sake of your reading time, I'm not going to cover all of them in great detail, but here is a graphic that includes most of them:
However, I will highlight some of these because they are most relevant to protecting our income, savings, and investments.
First, be extra careful who you trust with your personal information. Never share private information in an email or text, even if the requestor looks real. This threat is probably a "phishing attack": an email or text that asks for that information for some urgent purpose after sending you to a fake website.
Check the “from” address; it will probably bear no resemblance to the so-called company making the request. Poor grammar and misspellings are another tip-off (if you're going to be a crook, at least be competent, LOL). Also, remember, just because a website looks like the real thing doesn't mean it is; it can be easily replicated, so check the URL.
The second biggie is not using the same password for everything (many people do). And don't make them easy to crack (like your first name plus 1234)! Consider using an online password vault to generate different strong passwords for each online account and to keep your password information safe. (I have listed some in the resources section below.)
Use two-factor authentication (2FA) to log in to your critical financial websites. That's easy to set up on the provider's website, usually in your profile's privacy and security settings. It will force you to use something besides your username and password to access your account. The most common form of 2FA is a security code sent by text to your phone.
Using 2FA is better than not using it, and it's used a lot. But when you think about it, receiving a security code by text message is pretty weak. A mobile phone number can be hijacked through what’s called “SIM swapping.” Once criminals hijack your mobile phone number, they can use it to reset your password using 2FA and gain access to your accounts. (They are the smart ones, not the ones that can't spell correctly in a phishing email.)
You can (and should) also set up 2FA for all your Peer-to-Peer (P2P) payment apps (Cash, PayPal, Venmo, etc.) with their privacy/security settings options. I’ve added a link in the Resources below to an article on LinkedIn that provides more information.
Fortunately, there are more robust forms of 2FA. I haven't used them yet, but I am investigating. One of them involves using an "authentication app."
Authentication apps like Google Authenticator, Microsoft Authenticator, Authy, Duo, and 1Password (which I use as my password vault) generate time-based one-time passwords (TOTP) that refresh every 30 seconds. Since these codes are tied to a specific device rather than a phone number, they offer much stronger protection than SMS text-based authentication, which is vulnerable to the SIM-swapping attacks I mentioned earlier.
Many major financial institutions, including Fidelity, Morgan Stanley, T. Rowe Price, Betterment, and Robinhood, support authentication apps as a 2FA option. I checked Fidelity (the company I use for banking and my IRA), and they support any Authenticator app that uses standard TOTP multi-factor functionality.
That’s pretty new. Previously, if I wanted to use one at Fidelity, I was limited to the non-standard Symantec VIP app, which I didn't want to deal with since I already use 1Password. So, I was pleased to learn that they now support TOTP apps, and I plan to take a hard look at that.
For a hardware-based security solution, you could use the Symantec VIP hardware token. (I’m familiar with these. Before I retired, I used an RSA token that generated random codes for remote VPN access to my company's network.) The hardware token is not connected to the internet and cannot be compromised by malware. Some financial institutions provide these tokens for free if you ask, but they can also be purchased at a minimal cost.
I checked, and I can use a hardware key for my Fidelity accounts, but they only support the Symantec VIP hardware token.
Other brokers may provide a Symantec VIP hardware token for free if you ask, but Fidelity doesn’t. If not, you can buy one at a minimal cost on Amazon.
If I go this route, I’ll have to register the token at Fidelity (you’d have to do the same at Schwab or anywhere else that also uses Symantec VIP). To do so, I have to call Fidelity customer service to link the serial number of the security token to my login.
If you’re a Vanguard customer, you can use YubiKey, a physical hardware key that connects via USB or NFC. You can also register multiple YubiKeys as backups in case you lose one (which is bound to happen).
You must be pretty conscientious about always having that token with you. You don’t want to get into a “forgot my token” or “lost my token” situation. Therefore, an authentication app is better for many people because it simplifies things since it works on a device you already have and keep with you. (The downside is that you could lose that one too.)
While investing in security hardware requires a small upfront cost, the extra security and peace of mind may be well worth it to some.
Finally, make sure your home Wi-Fi network is secure. By “secure,” I mean that it requires a login to access, and security is set up to encrypt the signal. If not, you can fix it in your router's security settings. Don't use unsecured public networks to conduct financial transactions; your passwords and account details could be compromised.
You can do one more thing to help with identity theft, even if it happens (usually through some data breach; there have been many of them in recent years): FREEZE YOUR CREDIT. It usually only takes 5-10 minutes to do and protects you from those threats.
When you freeze your credit, anyone who has stolen your personal information and tries to open a new credit account in your name will be rejected.
After freezing your credit on the credit bureau sites, you can unfreeze and refreeze your credit if necessary because you're legitimately applying for some credit. (In my case, this may be never since I don't foresee borrowing any money for any purpose at this point in my life.)
This is the last article in the “Lever #1—Income Series.” Next up: Taxes (fun, fun!). (Well, maybe not much fun, but more important than you might think.)
For reflection: Some are naive about online security, while others take it too seriously and don’t use internet-based financial services at all. Where are you on that spectrum? God doesn’t want you to live in constant fear, nor does he want you to presume on his continual protection if you don’t do anything to protect yourself. What wise steps must you take today to secure and protect your online self better?
Verse: “. . . for God gave us a spirit not of fear but of power and love and self-control” (2 Timothy 1:7).
Resources: