Thursday, February 6, 2020

In Order to Be Robbed, They Have to Take Something

How can you claim to be robbed, when you lost no money?

A recent odious click-bait article online by a self-proclaimed online security expert no less, claims he was "hacked" and that "hackers" stole over $13,000 from him.  Problem is, he lost no money in the transaction.  The banks did.  So why the attention-getting headline?   You know by now - to make you click!

I say the article is odious as it appears to be a product placement, in this case for an online "password service" that allows you to hand over all your password information for all of your accounts to some online organization that exists God-knows-where, and they will generate "hack-proof" passwords for you and store them, so you can log onto your sites through them.   Great idea - replace all those different passwords with just one and hope no one hacks the "password" site.

Talk about all your eggs in one basket!

The author makes a good point - you shouldn't use the same password for multiple sites, nor similar passwords (e.g., your standard password plus the name of the site).  Obviously, this is a pain-in-the-ass when you have over a dozen sites you visit regularly.  But if you use the same or similar passwords, they are far easier to hack once the hackers figure out one of your passwords - which they may be able to do simply by phishing you to cough one up (you'd be surprised how many people respond to e-mails claiming to be from Google or whatever, demanding they "verify" their password and account name).  It's called social engineering.

Fortunately, there are other options.  Two-step authentication is good for starters.  If the site doesn't recognize your computer or you haven't logged in for a while, it may send a code to your phone.  Unless the thief has both your password and your phone, he can't get in.  Unfortunately, a lot of these authentication methods have a back-door - asking you several questions based on your online profile.  If you have blabbed your life story on Facebook (or a blog) then they might know the name of your third-grade teacher, your mother's maiden name, or the street you grew up on.  For some weird reason, these sites always ask me about a street I lived on for about a year while in college.  I am not sure that is even on my credit report!

Security questions are another feature that can be hacked but also made more secure.  If they ask you to set up these questions, don't use the actual correct answers.  Your mother's maiden name is Eleanor Roosevelt.  The name of your third-grade teacher was Mrs. Douchebag.  Your dog's name is Fuck You.   Your favorite color is Shit Brown.   The "real" answers to these questions can often be found on your Facebook page - even your third grade teacher's name could be found by perusing and even downloading and looking through your school yearbooks.   Odds are, if someone wants to find the real answers to these questions, you've leaked them online.  And friends and family - who are often the perpetrators of "identity theft" as we shall discuss below - know these answers already.  So just spoof them with memorable (to you) responses.

There are other options and features, however.  For example, one financial site I use allows you to "lock down" your accounts to prevent withdrawals.  If you don't plan on moving money from the site, this can be handy.  Most sites will lock out any withdrawals for seven to ten business days after an address change, a bank account change, or other account change.  The idea is, if someone does hack your account and tries to change the e-mail address, password, mailing address, or other information, it will prevent any withdrawals for a certain period - hoping that the e-mail sent to your old address will clue you in to the fact that unauthorized changes are being made.
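The hold-and-notify control described above, as an added example (not code from the post or from any particular bank): a small Python model that starts a withdrawal hold after a sensitive profile change, sends the alert to the e-mail address that was on file before the change, and honours an owner-chosen lock-down.  The seven-business-day figure, the set of change kinds that trigger a hold, and the sample account are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

HOLD_BUSINESS_DAYS = 7  # assumed; the post says sites use seven to ten business days
# Change kinds that start a hold (assumed set, taken from the post's examples)
SENSITIVE_CHANGES = {"email", "password", "mailing_address", "bank_account"}


def add_business_days(start: date, n: int) -> date:
    """Date n weekdays (Mon-Fri) after start; public holidays ignored (simplification)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


@dataclass
class Account:
    email: str
    locked_down: bool = False                    # owner-chosen "no withdrawals" switch
    hold_until: Optional[date] = None            # earliest date withdrawals reopen
    alerts: list = field(default_factory=list)   # (recipient, message) pairs sent


def apply_change(acct: Account, when: date, kind: str, new_value: str) -> None:
    """Apply a profile change, extend the hold, and alert the OLD e-mail address."""
    old_email = acct.email
    if kind == "email":
        acct.email = new_value
    if kind in SENSITIVE_CHANGES:
        until = add_business_days(when, HOLD_BUSINESS_DAYS)
        acct.hold_until = max(acct.hold_until or until, until)
        # The alert goes to the address on file BEFORE the change, so whoever
        # swapped the e-mail cannot suppress the warning to the real owner.
        acct.alerts.append((old_email, f"{kind} changed {when}; withdrawals held until {until}"))


def withdrawal_allowed(acct: Account, today: date) -> tuple:
    """Return (allowed, reason) for a withdrawal attempted today."""
    if acct.locked_down:
        return False, "account locked down by owner"
    if acct.hold_until is not None and today < acct.hold_until:
        return False, f"held until {acct.hold_until} after a profile change"
    return True, "ok"
```

With a constructed account whose e-mail is changed on Thursday 2020-02-06, withdrawals stay held through Monday 2020-02-17 and the alert is addressed to the original owner.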

Bank of America has a little credit card they mail to users, that has some sort of chip in it, and a digital display.  You press a button on the card and it generates a code number.  If you try to move money to a non-BOA account, it will ask you for this number.  How it works is anyone's guess.  I presume it has a battery in it - it has yet to run out after several years.  In order to "hack" the account, someone would have to have this card, which presumably you don't keep in your wallet.

Getting back to the article, the author admits that he lost no money in the transaction.  The banks either retrieved the money or took it on the chin.   The consumer was out nary a penny - just the hassle of a few phone calls.  But the actions of this "security expert" had me scratching my head.  His "grubhub" account was hacked - not his credit card, but the online account.   Food was ordered and delivered to some other city.  He seemed to lack any curiosity as to who ordered the food, and it seems to me a simple call to the police would have figured that out - after all, you need a physical address to deliver food.   Instead, he vented his rage at grubhub and foolishly sent an angry text to the number of the guy who ordered the food (again, more traceable data, not provided to the police).

But after being hacked, he didn't bother to change his passwords on other accounts.   And he didn't check his account balances daily and apparently didn't set up his accounts to automatically report the balances daily as well as when transactions are made on his accounts, both by e-mail and text message.   Yes, this results in a lot of e-mails and texts.  But it does alert you when a fraudulent charge or withdrawal is made.   I get it that some ordinary folks check their balance once a week, if that - they are just being irresponsible.  I check mine every day (and pay off my credit card balance, daily).  So should a "security expert" or someone who claims to be one.

Everyone has anxiety about using the Internet for financial transactions, and today, our entire lives are on the Internet.  It is hard to find a company to do business with that doesn't have a website and a login procedure.  In the back of everyone's mind is the nagging doubt about all of this - suppose someone cleans out all of my bank and savings and investment accounts?  What would I do then?  And there is an industry that generates a lot of this paranoia - one that is usually selling a product, such as a virus protection program or a password service or identity theft protection.  Fear sells - and fear is not an emotion to be trusted.

The media is also complicit in this - selling fear because it generates clicks.  What used to be called "credit card fraud" is now called "identity theft," which is a bit disingenuous.  No one is stealing your "identity" but rather a set of 16 digits, an expiration date, and a three-digit code.  Real identity theft does occur, but often it is someone from your own family stealing your identity - opening up credit card accounts in your name, or taking out loans in your name.  The real thing is fairly rare, and the culprit is often someone you actually know.

I am not sure that a password service is the answer.  It is akin to MINT or other financial aggregation sites.  They ask you to hand over all the usernames and passwords to all of your financial accounts, and in return, they provide you with a pie chart showing how much you spent on rutabagas.  I use such a site that Bank of America provides; with two-step authentication, however, it cannot automatically retrieve data from non-BoA accounts, which is probably just as well.  Once a month, I manually update that data.

There are other paranoia sites out there that feed this fear we have of the Internet.  Equifax sends me alarming e-mails telling me that I have been compromised on "the dark web" - the dark web being another word for "the internet" before we had web browsers.  A closer inspection reveals that the secret information being revealed is my name, address, telephone number, and e-mail address, which can be found on my own website, if you bother to look.  Kind of hard to run a business without people knowing your name and address, ain't it?  And by the way, don't ever do business with someone who doesn't provide this basic information.  If they can call you but you can't call them, something is very, very wrong.

But even if you are "hacked" and report it in a timely manner, as this fellow's experience shows, you are not at much risk of losing money.   Banks operate based on trust, and they realize that if people's bank accounts could be drained down to zero without any action on the part of the account holder, then people would stop doing business with the bank.

The "hacks" you often read about often require the cooperation of the hack-ee.  Not a day goes by that I don't get a phone call from someone with a thick Indian accent saying he is from the Social Security Administration and that my Social Security number has been "suspended".  How anyone falls for this is beyond me - the accent these foreigners have is so thick, you can barely understand them.  I actually talked with one of these guys and told him, "Dude, you have to work on your accent - it gives away the whole game!"  Maybe he appreciated my helpful suggestion.

There was a lot of talk last election about Hillary's e-mails being "hacked" but the reality was, someone in the Democratic party fell for one of these phishing scams - a ploy so simple that it is hard to believe anyone fell for it.  But like the Iowa caucuses (four days and still counting!) one wonders whether people with so little sophistication and skills should be leading the country.   Maybe Hillary would fall for a Nigerian scammer.   You laugh - her daughter's father-in-law did - and went to jail when he stole from clients and sent money to Nigeria!   You can't make this shit up.

Change your passwords frequently and don't use the same or similar passwords on all of your accounts.  Use two-step authentication.  Put a password on your laptop as well - and your phones and tablets.  If you make a list of passwords that you store in your computer or print out, put it in some sort of code, or encrypt it.  Keep track of all your accounts and check your bank account daily.  Set up notifications so every transaction, as well as your daily balance, is reported to you by e-mail, text, or both.  There are steps you can take that don't require you to buy something, pay someone, or hand over all your data to some third party.

But reacting with fear - I think that is the wrong response.