Risks of electronic access

easyliving
Posts: 4
Joined: Sun May 21, 2017 10:13 am


Post by easyliving » Sun May 21, 2017 10:58 am

I am a new member, but have followed the forum for some time.

Now that we have substantial assets, we worry about Internet fraud and privacy.

A solution being considered is disconnection of all brokerage, bank, credit cards, etc., accounts from internet access. Then perform all transactions by phone or by mail. We would also get a post office box for financial mail.

The convenience of internet access is undoubtedly a positive factor. Our worry is that having accounts linked for payment and emails to cell phones leaves us vulnerable.

Are these concerns founded, and is our old school solution actually safer?

Your comments are appreciated.

mhalley
Posts: 6294
Joined: Tue Nov 20, 2007 6:02 am

Re: Risks of electronic access

Post by mhalley » Sun May 21, 2017 3:58 pm

The possibility always exists, but the convenience of the Internet far outweighs it imo. Take reasonable precautions (strong passwords, two factor authentication, consider a separate computer for financial use (a chromebook or dual boot into Linux)) and the likelihood is pretty low.

http://clark.com/personal-finance-credi ... m-hackers/


http://clark.com/home-category/online-banking-safety/

RudyS
Posts: 1355
Joined: Tue Oct 27, 2015 10:11 am

Re: Risks of electronic access

Post by RudyS » Sun May 21, 2017 4:02 pm

I do not access any financial sites from my smartphone. It just has to wait till I get to a computer. [Yes I know a smartphone is really a computer pretending to be a phone]. Also no access to financial sites via unknown wifi. Still risky, but at least better than having everything on my phone.

student
Posts: 2664
Joined: Fri Apr 03, 2015 6:58 am

Re: Risks of electronic access

Post by student » Sun May 21, 2017 4:10 pm

If this concerns you and you have substantial assets, you can buy a chromebook ($300) or a macbook ($1000) and use it exclusively for accessing your accounts. Save all the websites as your bookmarks and only access them via bookmarks. (So you don't mistype and go to a different site.) I suggested chromebook or macbook because there are less viruses for them due to the relatively smaller installed base. Then there is almost no chance for your computer to get infected.

123
Posts: 3892
Joined: Fri Oct 12, 2012 3:55 pm

Re: Risks of electronic access

Post by 123 » Sun May 21, 2017 4:53 pm

I have heard the safest electronic access is with a smartphone using "data" with the smartphone wifi turned off.
The closest helping hand is at the end of your own arm.

blueman457
Posts: 411
Joined: Sun Jul 26, 2015 12:19 pm

Re: Risks of electronic access

Post by blueman457 » Sun May 21, 2017 4:57 pm

Unfortunately I think the bigger risk is the direct hacking of the financial institutions directly or massive phishing attacks.

Blue Man

btenny
Posts: 4602
Joined: Sun Oct 07, 2007 6:47 pm

Re: Risks of electronic access

Post by btenny » Sun May 21, 2017 6:45 pm

Credit cards are different than banking accounts and different than stock investment accounts. In this modern world everyone has to use CC in lieu of cash for most transactions. It is just hard to not use them. But I treat CC carefully and have had them lost or hacked several times. We have multiple CC for different things for this reason. We have one CC dedicated to internet only stuff and never use it for other stuff. We have a different CC that we use mostly for Costco and gas. My wife has a third card she uses for groceries and her stuff only. I have a different card I use for general stuff. We save exact receipts every month and check them off every month against every credit card. Yes we have multiple CC. Yes checking receipts is a PIA. Sometimes I wish we had one or two but that is too risky. Plus having separate CC accounts makes them easy to manage and gives us a good idea who is doing what. Plus our bank knows our habits and has stopped bad transactions and hacked CC several times.

I only use debit cards to take money from our checking account at the bank ATM only. You should never use your debit card for anything but your bank ATM.

IMO the lowest risk personal stock account is doing stuff only in person. That means you use a low cost brokerage like Scottrade or Fidelity and only do business with them face to face. I went to Scottrade partly for all the branch offices I can use if needed for face to face transactions. A lot of old timers still do stocks investing this way. Other old timers use a broker and pay them a management fee so they can call him/her on the phone or go see them for face to face transactions. Both methods cost more money than internet account transactions and take more time and cannot be done off hours.

But you are taking minimum risk if you use a dedicated computer for stocks and banking stuff only and keep it up to date with virus protection. Almost all of us here are do-it-yourself investors who use the internet for our investment transactions. I have never heard of a personal investment account being hacked. Yes you will have to set up account passwords and account names and keep track of the account details carefully. Yes you should check the account values at least once a month and make sure you agree with the balances and transactions. And you must not tell anyone what the details of your accounts are and so forth. But it is really safe.

I use the same methods as above to do internet banking. I think it is safe but I am very careful with passwords and keeping my computer up to date. But we have bank accounts at two banks for extra utility and security. Likewise we do business with two different stock brokerage companies for extra utility and security in case of problems.

So I guess I think it is OK to do computer banking and investing and CC management. But you have to be careful and use good computer security practices.

Good Luck.

blueblock
Posts: 865
Joined: Sun Oct 19, 2014 6:06 pm
Location: Wisconsin

Re: Risks of electronic access

Post by blueblock » Sun May 21, 2017 7:14 pm

Some of this is going to depend on your tech savvy. For example, if you are prone to opening email attachments from people you don't know, or from people you do know but have no reason to be sending you an attachment, or if you fall for emails that look like they're from a company you deal with but may be spoofed, and click on the links anyway, then yes, you should be concerned.

Me, I've been accessing my banking, brokerage, credit card and other financial accounts for over 20 years and have never had a problem. I have been filing my taxes on line for almost as long, also without incident.

One simple "Internet hygiene" tactic is never to click on a link given in an email but, rather, go to the site yourself and log in from there.

I, too, am concerned about privacy, and recently switched from Firefox to the Opera browser, which has a free VPN add-on, so that websites I visit cannot know my physical location, and my activity cannot be tracked by my Internet service provider.

pondering
Posts: 1010
Joined: Fri Jan 30, 2015 11:04 pm
Location: 412-977-3526, originally 718-273-2422

Re: Risks of electronic access

Post by pondering » Sun May 21, 2017 8:26 pm

Some of your accounts are better than others. Personal access is better protected than business access.
--Robert Sterbal | 412-977-3526 call/text

teen persuasion
Posts: 643
Joined: Sun Oct 25, 2015 1:43 pm

Re: Risks of electronic access

Post by teen persuasion » Sun May 21, 2017 8:50 pm

I no longer trust mail delivery. Years ago we paid our credit card with a check sent snail mail. More than once the check was lost, whether in the mail or internally at the CC company I don't know. Since switching to paying online we've never had an issue with a "lost" payment.

More recently, my employer's payroll packet went AWOL in the mail. It eventually arrived, after nearly 2 weeks, and thus only after the checks had been cancelled and reissued. We regretfully began picking the payroll up in person rather than risk a repeat. Now everyone has chosen to use direct deposit - only those waiting for a live check were inconvenienced by the lost payroll. Thus we can simply download pay stubs and print in house; no more picking up in person.

Even more recently, a business CC payment went AWOL in the mail, and hasn't surfaced. It hit at a particularly bad time - somewhere in the shuffle of a switch in directors, on top of several days of closings due to extreme weather (windstorm one week, followed by snowstorm the next week, followed by flooding a few weeks later).

nedsaid
Posts: 10644
Joined: Fri Nov 23, 2012 12:33 pm

Re: Risks of electronic access

Post by nedsaid » Sun May 21, 2017 9:09 pm

A couple things that I do, first I monitor accounts with electronic access at least on a weekly basis. I also will call my providers from time to time.

I have a mutual fund IRA and since July 2013 have a lot of transactions from rebalancing and de-risking as I get older. I call the fund company a couple times a year, tell them what I am doing and why I am doing it. That way, they know I am not going crazy in my old age. The conversations are recorded and I think they take notes on the conversations. Sort of a "know your customer" type of thing.

I also have a brokerage account IRA and I call the broker once a month. He knows me pretty well.

When a former workplace plan discontinued some investment options, I moved some funds around to the brokerage window within the plan. I called the company and asked them for advice on the best way to execute the changes I wanted to make. They assured me that I could execute the trades myself and to call them if I needed assistance. Again, they can see the trades as they are being executed and I want to reassure them that it is really me making the trades, that I have a plan, and that I am not going crazy.

I just think it is good practice to pick up the phone and call your money from time to time. That and constant monitoring on the investment company websites.
A fool and his money are good for business.

pondering
Posts: 1010
Joined: Fri Jan 30, 2015 11:04 pm
Location: 412-977-3526, originally 718-273-2422

Re: Risks of electronic access

Post by pondering » Sun May 21, 2017 9:13 pm

There is a certain amount of complacency in the way accounts are managed by the vendors.

All vendors should provide a second login to the account that has read only access.

All vendors should provide a log of at least 1000 login attempts or 3 days of attempts to login to all their users' financial accounts.

Neither suggestion has made it to the mainstream. These are not expensive ways to provide additional security.
--Robert Sterbal | 412-977-3526 call/text

Dottie57
Posts: 4774
Joined: Thu May 19, 2016 5:43 pm

Re: Risks of electronic access

Post by Dottie57 » Sun May 21, 2017 9:22 pm

I will be managing my debit card differently after last Friday. My bank called and said there were suspicious transactions. We went through recent ones and two were places I have not shopped for months. The debit card is canceled. I will not use the replacement for anything other than bank ATM. My BOA cc. card is for internet transactions. Fidelity will become my in person card. I will start carrying more cash for incidentals.

azurekep
Posts: 1179
Joined: Tue Jun 16, 2015 7:16 pm

Re: Risks of electronic access

Post by azurekep » Sun May 21, 2017 9:59 pm

This is the sort of thing that can give one nightmares:

https://www.wired.com/2017/04/hackers-h ... operation/

A Brazilian bank's entire online operation was hacked through a DNS registration exploit.
Researchers at the security firm Kaspersky on Tuesday described an unprecedented case of wholesale bank fraud, one that essentially hijacked a bank’s entire internet footprint. At 1 pm on October 22 of last year, the researchers say, hackers changed the Domain Name System registrations of all 36 of the bank’s online properties, commandeering the bank’s desktop and mobile website domains to take users to phishing sites. In practice, that meant the hackers could steal login credentials at sites hosted at the bank’s legitimate web addresses. Kaspersky researchers believe the hackers may have even simultaneously redirected all transactions at ATMs or point-of-sale systems to their own servers, collecting the credit card details of anyone who used their card that Saturday afternoon.
With that domain hijacking in place, anyone visiting the bank’s website URLs were redirected to lookalike sites. And those sites even had valid HTTPS certificates issued in the name of the bank, so that visitors’ browsers would show a green lock and the bank’s name, just as they would with the real sites. Kaspersky found that the certificates had been issued six months earlier by Let’s Encrypt, the non-profit certificate authority that’s made obtaining an HTTPS certificate easier in the hopes of increasing HTTPS adoption.
Not sure how we're supposed to guard against this. It's not a matter of clicking on an email attachment. It's a matter of logging into a compromised bank that for all practical purposes looks legit.

Doom&Gloom
Posts: 2335
Joined: Thu May 08, 2014 3:36 pm

Re: Risks of electronic access

Post by Doom&Gloom » Sun May 21, 2017 10:06 pm

electronic >> snail mail

imho

IMO
Posts: 267
Joined: Fri May 05, 2017 6:01 pm

Re: Risks of electronic access

Post by IMO » Sun May 21, 2017 11:35 pm

I too have concerns about electronic access. It really seems so easy on most of our electronic accounts to have the password reset to one's email or cell phone. Seems like emails are frequently hacked, so I can see an email getting hacked, a lost username/password request being made, and someone has access to an account. You may not even know if it happened. I won't be surprised if hackers can figure out how to temporarily intercept a given phone number's text messages so they can use that on the password reset.

As others have said, the risk for a particular financial institution being hacked, or some other large data base being hacked is always a concern. In fact there have been numerous examples of that already.

Mail service is not the answer. I also have little faith in the mail service. We have had mail lost, and regularly get the wrong mail. There are documented break-ins of entire neighborhood mailbox stations (those silver local boxes in many neighborhoods).

Your social security number has to be given to so many institutions with the potential for easy theft, if it already hasn't been stolen.

Sounds like a major conspiracy theory....

But here's what I suggest:
1. Use a dedicated laptop or similar for financials. These are cheap ($250), you don't need things like significant memory. Password protect it, and as these are small, store it somewhere that would be extremely unlikely a home burglary would find it. Virus protect this.
2. Use a separate email account from your day to day account with a very strong password. For elderly parents who have enough ability to actually get online/email this is an even bigger issue (fake emails that look real, etc)
3. Check all accounts for any notifications that are provided, for example, your checking account/credit card/etc may have options to notify you via email/text for any account change (such as pending account deposits/withdrawals).
4. Ask or check online on if you can have maximums set on accounts that cannot be exceeded.
4. Never get a debit card on any account.
5. Keep a copy of the account statement printed online on a regular basis and store it in a similar type of less than obvious area of your house. You'll want some record of an account should an institution's data get completely wiped out (I think that's always a possibility).
6. Get a credit monitoring service.
7. Have your credit "frozen" so that no one can simply open new credit cards "instantly."
8. Always take a sharpie and blacken out the 3 digit credit card security code on the back. It's too easy for someone to have your credit card (i.e. wait staff) and simply take a phone picture front/back of your card to use online. (Do you really think it's not hard to find someone's physical or billing address online?)
9. For those occasions you must use a check or have something electronically debited from a checking account, set up an account specifically associated with those checks that has only a minimal amount of funds as you deem necessary.
10. DON'T use mail for accounts. You won't even know if your account information is already in someone's hand.
11. Cancel land lines if you can. Most are 100% cell phones, but if you have elderly parents, they will get fraudulent calls trying to get their information or constant cold calls (worse than your cell phone).

We live in a world/society where on a day to day basis your identity/funds are constantly being attacked. There is essentially no practical law enforcement accountability on ID theft, and financial institutions simply write off losses without the slightest attempt to track down the ID theft. The victim of these incessant crimes is left to deal with the aftermath.

As someone has mentioned reasonable suggestions seem to often be lacking to provide more protections (i.e. your medicare and social security numbers being the same).

The problem is worse when it comes to the elderly.

If you haven't yet been a victim, it's only a matter of time. You'll be shocked where/how/how much cash was stolen from an account, and you're the only one who cares.

Lafder
Posts: 3843
Joined: Sat Aug 03, 2013 7:56 pm
Location: East of the Rio Grande

Re: Risks of electronic access

Post by Lafder » Sun May 21, 2017 11:47 pm

If you use mail and monthly statements, it could take an entire month to discover fraudulent account access.

With online access you can check every day.

As long as you do not give anyone your password, all financial institutions have some type of fraud protection if your account is accessed or scammed.

I trust online access much more than mail. Mail can be more easily intercepted with no trace, as well as stolen from your home.

Note if you have not at least made an online account for each holding, it is easy for someone to create an account with a few details that they can get ahold of. So even if you decide not to use electronic access, make online accounts with secure passwords that will be harder to hack than the few details needed to open the online accounts for the first time.

Call me a risk taker (I am not!) but I use one computer (not my smart phone) for all of my needs and do not have a dedicated computer for financial dealings.

lafder

carolinaman
Posts: 3329
Joined: Wed Dec 28, 2011 9:56 am
Location: North Carolina

Re: Risks of electronic access

Post by carolinaman » Mon May 22, 2017 7:10 am

The safest approach is to do all transactions in person at local bank and investment firm. That is often impossible or very inconvenient. Hence, the need for some form of electronic transactions.

I think you are placing too great a confidence in US mail. My wife mailed two pieces of mail at the post office last year. The items were stolen and a check for $75 was altered to $850 and the funds were withdrawn from our account. We were able to get that straightened out, but in talking with bank and police, this is a common occurrence in our modern world.

You have been given good advice on how to conduct online finances, especially a dedicated computer with up to date virus protection. I think that is the best way to handle your transactions.

I have one caution with that approach, and that is be careful about how "connected" all of your accounts are. We are retired and do very few transactions with our investment accounts nowadays. Also, it is very rare for us to transfer funds between our investment accounts and bank accounts. Therefore, I do not have those accounts connected. If I need to transfer money between the accounts, I can always temporarily establish a connection. In a similar vein, we have a HELOC with $150k credit line. The bank set that up so that funds could be transferred online between checking and HELOC online. IMO, that was too risky. So I had the bank disconnect it. This means if I want to transfer funds from HELOC to checking, I have to go to the bank and do it in person. That is a minor inconvenience and much more preferable than having the exposure for a hacker to transfer money from HELOC.

I am probably a little paranoid, perhaps because we have had 3 hacks over the years. We were able to recover our funds in each instance, but it makes us realize this stuff really does happen. The keys are to practice safe computing and to be vigilant about your accounts. If you do that, you should be fine.

pondering
Posts: 1010
Joined: Fri Jan 30, 2015 11:04 pm
Location: 412-977-3526, originally 718-273-2422

Re: Risks of electronic access

Post by pondering » Mon May 22, 2017 7:18 am

Are there any organizations that publish detailed statistics on the risks?
--Robert Sterbal | 412-977-3526 call/text

Ged
Posts: 3632
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: Risks of electronic access

Post by Ged » Mon May 22, 2017 8:42 am

A good alternative to a dedicated computer is using a boot DVD loaded with an operating system. This guarantees returning to a known starting point after each session, something not necessarily true for a dedicated computer.

mrc
Posts: 1239
Joined: Sun Jan 10, 2016 6:39 am

Re: Risks of electronic access

Post by mrc » Mon May 22, 2017 8:55 am

student wrote:If this concerns you and you have substantial assets, you can buy a chromebook ($300) or a macbook ($1000) and use it exclusively for accessing your accounts. Save all the websites as your bookmarks and only access them via bookmarks. (So you don't mistype and go to a different site.) I suggested chromebook or macbook because there are less viruses for them due to the relatively smaller installed base. Then there is almost no chance for your computer to get infected.
The bookmarked site idea is a perk of using 1Password. I search it for "Citi" or "Chase" or "Vanguard" and up pops access to an "open and fill" URL. This prevents my typing in the site wrong. Also, if you were daydreaming and clicked on an urgent link to update your info at citihack.com, the 1Password search won't match that URL and, denied easy access to your login credentials, you'll have a last chance to stop. Last: I always set "fill" but not "submit" for all 1Password entries. I don't send anything to a website blindly.
If it’s not long term it’s small talk

michaeljc70
Posts: 3870
Joined: Thu Oct 15, 2015 3:53 pm

Re: Risks of electronic access

Post by michaeljc70 » Mon May 22, 2017 8:58 am

I wouldn't worry about it if you take adequate precautions. 2 factor authentication is important, especially on brokerage accounts or accounts with big balances.

I had fraudulent charges on a credit card last weekend. I still have the card. Who knows how they got the number. Could be from a site I ordered something from being hacked (high tech) or could be someone at a store or restaurant that just copied the number down (low tech).

midareff
Posts: 5852
Joined: Mon Nov 29, 2010 10:43 am
Location: Biscayne Bay, South Florida

Re: Risks of electronic access

Post by midareff » Mon May 22, 2017 9:52 am

All credit cards I know of in this country (USA) have fraud protection so I have zero concern about them although I do check them a couple times a month. I do zero financial transaction by smartphone. Don't even have their apps on my phone. I use long strong passwords (14-16 aLpHa numeric) character that are unique for each financial site and any site I might use a credit card on. Financial sites do notify when any changes to account are requested so that is a second check and that is done before anything is performed, such as adding a bank or a payee or such. I use LastPass as a password manager and it is country restricted and device restricted to my desktop computer. I live in a gated secure building with full time security and hall cameras. All my data is backed up twice locally and a third copy into a safe. My computer is protected real time with Malwarebytes Premium and Malwarebytes Anti-Exploit besides Windows Defender. Software is kept up to date and I don't open links in emails or e-boards regardless of the alleged source. Try and remember, you aren't paranoid unless they really are out to get you.

michaeljc70
Posts: 3870
Joined: Thu Oct 15, 2015 3:53 pm

Re: Risks of electronic access

Post by michaeljc70 » Mon May 22, 2017 11:31 am

midareff wrote:All credit cards I know of in this country (USA) have fraud protection so I have zero concern about them although I do check them a couple times a month. I do zero financial transaction by smartphone. Don't even have their apps on my phone. I use long strong passwords (14-16 aLpHa numeric) character that are unique for each financial site and any site I might use a credit card on. Financial sites do notify when any changes to account are requested so that is a second check and that is done before anything is performed, such as adding a bank or a payee or such. I use LastPass as a password manager and it is country restricted and device restricted to my desktop computer. I live in a gated secure building with full time security and hall cameras. All my data is backed up twice locally and a third copy into a safe. My computer is protected real time with Malwarebytes Premium and Malwarebytes Anti-Exploit besides Windows Defender. Software is kept up to date and I don't open links in emails or e-boards regardless of the alleged source. Try and remember, you aren't paranoid unless they really are out to get you.
I also rely on the email notifications to tell me of any pending transactions or changes to my account. I think for anything really bad to happen, they would have to gain access to my financial account and my email. That is certainly possible, but a lot less likely. This assumes they aren't doing an instant wire out of my account which would be difficult since almost all the money is invested.

telemark
Posts: 2328
Joined: Sat Aug 11, 2012 6:35 am

Re: Risks of electronic access

Post by telemark » Mon May 22, 2017 1:19 pm

Once a year I write a check to my old university and put it in the mail; this is the only financial dealing I have with them. They recently sent me a letter saying they had discovered a data breach and that my bank information may have been compromised. The first thing I did was sign in to my bank and see if anything looked out of the ordinary.

easyliving
Posts: 4
Joined: Sun May 21, 2017 10:13 am

Re: Risks of electronic access

Post by easyliving » Mon May 22, 2017 6:06 pm

Thank you all for the advice.

We can imagine how mail service poses risk also. I am horrified just thinking about the quantity of financial statements we have been receiving to our mailbox!

I definitely think it is time to start unlinking our accounts (bank to brokerage, bank to credit card, bank to insurance : all from the same bank account. - Not too smart).

We also have accounts linked to regular Yahoo email, again one account.

Does anyone have knowledge of a secure and private Email service?

Thanks again.

blueman457
Posts: 411
Joined: Sun Jul 26, 2015 12:19 pm

Re: Risks of electronic access

Post by blueman457 » Mon May 22, 2017 8:08 pm

There are a few private email options, I use fastmail which costs me $40/year. No ads. There is a free version.

In terms of SECURE email options for individuals; there's probably only proton mail. Your inbox is encrypted, so if you forget your password, they can't help you either.

Blue Man

EricBackus
Posts: 19
Joined: Wed Jul 15, 2015 10:30 am

Re: Risks of electronic access

Post by EricBackus » Mon May 22, 2017 8:43 pm

Ged wrote:A good alternative to a dedicated computer is using a boot DVD loaded with an operating system. This guarantees returning to a known starting point after each session, something not necessarily true for a dedicated computer.
I have to disagree on this one. It sounds good until you think about all the software updates your operating system and browser get. To be secure you need to keep up with these updates, so you'd probably find yourself burning a new DVD more than once a month.

whomever
Posts: 784
Joined: Sat Apr 21, 2012 5:21 pm

Re: Risks of electronic access

Post by whomever » Mon May 22, 2017 10:12 pm

I have to disagree on this one. It sounds good until you think about all the software updates your operating system and browser get. To be secure you need to keep up with these updates, so you'd probably find yourself burning a new DVD more than once a month.
Just a comment: if you boot and only go to vanguard.com or treasurydirect.gov or whatever, you're avoiding a lot of possible attack vectors. You miss most of the ones that require going to a compromised site(1), or clicking on a compromised email, etc. You're not invulnerable, to be sure - you still could get bit by a DNS compromise, etc, but not having the latest browser updates is less likely to be a problem.


(1)Unless vanguard.com is the compromised site, which is a different problem.

whodidntante
Posts: 4304
Joined: Thu Jan 21, 2016 11:11 pm

Re: Risks of electronic access

Post by whodidntante » Tue May 23, 2017 12:45 am

Electronic access is an attack vector, but it is not only that. You also get information from it that can be used to thwart an attack, and information that is useful for other purposes.

I found two bank errors this year using the bank's own website. OK, so this is not fraud but it would have hurt me like fraud.

Two years ago I detected credit card fraud within minutes by getting SMS transaction alerts on my phone. I immediately disabled the card.

I can view the status of payments I make. For example, right now I know that the county has not cashed my property tax check for some reason. This information might help me avoid a late payment penalty/collections.

You change the threats you are exposed to by disconnecting, but you do not become immune to threats or better off IMO.

DetroitRick
Posts: 595
Joined: Wed Mar 23, 2016 9:28 am

Re: Risks of electronic access

Post by DetroitRick » Tue May 23, 2017 2:02 pm

My conclusions are pretty similar to what "whodidntante" posted. Disconnecting doesn't eliminate the risks. Accounts can be hacked without your individual web access. The web is just a point of entry. I'd rather have the early warnings and instant visibility of an online presence than wait for statements to show problems.

I use a slew of habits and processes to mitigate the risk on both PC and Android (and I do access many of my accounts via Android). None of these are either time-consuming or difficult.
- Good security practices - careful web surfing, decent anti-virus anti-malware and firewall
- Constant, and where possible, automatic updating of all software (especially Windows 10)
- Retire operating systems when they are no longer current
- Separation of some accounts - not every bank and brokerage is linked to every other one
- Active use of a password manager
- Securing my android AND having an instant link available at home (or with me when traveling) to track or wipe the phone if lost
- Daily instant monitoring of all financial accounts via Quicken
- Never use my debit/atm card except for cash withdrawals from my bank's atm's
- 2-factor id on most critical accounts
- Security questions where answers are not available on social media
- Text warnings from all financial accounts
- Monitor text and email for notifications of transfers, withdrawals or trades (don't just set this stuff up, actually USE it)
- Using Android Pay in lieu of handing over a credit card when I can
- Be extremely careful in accessing email links and only use my own links to go to financial sites
- Credit monitoring

When all is said and done, it's a highly individual decision and all my precautions are not guarantees. But other than considering one more change - using a private email service vs. gmail for this stuff - I'm comfortable with my risk exposure. I assume sometime, somewhere, I will experience online fraud. Knowing who to contact, and doing so quickly, is important. Still, the single biggest fraud risk I'm taking is handing my credit card over to somebody (and I'm protected from that loss anyway). I've been lucky - two cases of attempted fraud ever - and one of those detected from online sources (neither originated from online exposure). To me, the convenience and access is worth the risk.

One of the biggest fears a lot of people have is having their brokerage accounts hacked and stolen. I'm comfortable in that specific arena as well. Nothing happens instantaneously, I get notification of trade orders and withdrawals (and I read them), I have a security token in use and I trust my broker. Anyway, just one more perspective....

Ged
Posts: 3632
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: Risks of electronic access

Post by Ged » Tue May 23, 2017 5:14 pm

EricBackus wrote:
Ged wrote:A good alternative to a dedicated computer is using a boot DVD loaded with an operating system. This guarantees returning to a known starting point after each session, something not necessarily true for a dedicated computer.
I have to disagree on this one. It sounds good until you think about all the software updates your operating system and browser get. To be secure you need to keep up with these updates, so you'd probably find yourself burning a new DVD more than once a month.
It often takes much longer than a month for an OS vendor to locate and fix a security flaw. The WannaCry exploit used a bug that was years old.

There are other benefits to using a boot CD as well. See the following:

https://krebsonsecurity.com/2012/07/ban ... a-live-cd/

Yossarian
Posts: 139
Joined: Thu May 31, 2007 6:19 pm

Re: Risks of electronic access

Post by Yossarian » Tue May 23, 2017 5:33 pm

I think I found this link through bogleheads. Your phone number might be the weak link in online security.

https://www.forbes.com/sites/laurashin/ ... bebc95360f

michaeljc70
Posts: 3870
Joined: Thu Oct 15, 2015 3:53 pm

Re: Risks of electronic access

Post by michaeljc70 » Tue May 23, 2017 5:37 pm

This to me is like saying you aren't going to drive because the risks are too great. Just be careful. As other posters said, things can go wrong (on the vendor's side) even if you take every precaution you can.

EricBackus
Posts: 19
Joined: Wed Jul 15, 2015 10:30 am

Re: Risks of electronic access

Post by EricBackus » Tue May 23, 2017 7:55 pm

Ged wrote:
EricBackus wrote:
Ged wrote:A good alternative to a dedicated computer is using a boot DVD loaded with an operating system. This guarantees returning to a known starting point after each session, something not necessarily true for a dedicated computer.
I have to disagree on this one. It sounds good until you think about all the software updates your operating system and browser get. To be secure you need to keep up with these updates, so you'd probably find yourself burning a new DVD more than once a month.
It often takes much longer than a month for an OS vendor to locate and fix a security flaw. The WannaCry exploit used a bug that was years old.

There are other benefits to using a boot CD as well. See the following:

https://krebsonsecurity.com/2012/07/ban ... a-live-cd/
I wouldn't want to argue security with somebody like Brian Krebs... But it still sounds impractical to me. Microsoft has security updates on "patch Tuesday" every month (sometimes twice a month I believe). I think Linux updates are just as frequent. Maybe you could argue that you don't need all of these, but how do you know which ones you do need? Even with a non-writable DVD, you're still potentially vulnerable to DNS issues, rogue ads on your banking websites, and probably lots of other things I haven't thought of.

Ged
Posts: 3632
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: Risks of electronic access

Post by Ged » Wed May 24, 2017 2:33 pm

EricBackus wrote: I wouldn't want to argue security with somebody like Brian Krebs... But it still sounds impractical to me. Microsoft has security updates on "patch Tuesday" every month (sometimes twice a month I believe). I think Linux updates are just as frequent. Maybe you could argue that you don't need all of these, but how do you know which ones you do need? Even with a non-writable DVD, you're still potentially vulnerable to DNS issues, rogue ads on your banking websites, and probably lots of other things I haven't thought of.
No end user computer product is going to protect you against DNS pirates, rogue ads on banking sites and so on because they are attacks on the bank's software infrastructure rather than on the end user's system.

I gave you a reference to what some consider best practice. Whether or not you choose to follow it is your decision.

need403bhelp
Posts: 608
Joined: Thu May 28, 2015 6:25 pm

Re: Risks of electronic access

Post by need403bhelp » Wed May 24, 2017 3:01 pm

Ged wrote:
EricBackus wrote: I wouldn't want to argue security with somebody like Brian Krebs... But it still sounds impractical to me. Microsoft has security updates on "patch Tuesday" every month (sometimes twice a month I believe). I think Linux updates are just as frequent. Maybe you could argue that you don't need all of these, but how do you know which ones you do need? Even with a non-writable DVD, you're still potentially vulnerable to DNS issues, rogue ads on your banking websites, and probably lots of other things I haven't thought of.
No end user computer product is going to protect you against DNS pirates, rogue ads on banking sites and so on because they are attacks on the bank's software infrastructure rather than on the end user's system.

I gave you a reference to what some consider best practice. Whether or not you choose to follow it is your decision.
FYI, my read of Krebs' article per below is:

1. Don't use Windows for banking
2. Here's the easiest way to use your system with Windows installed on it for banking - burn a Linux LiveCD

My read is that he would, for example, be ok with someone installing Linux on their computer and using that for banking, or even having a dedicated computer running Linux for banking.

Of course, Live CD has some advantages - usually posted Live CDs are fairly up to date, as long as you burn a new Live CD every few months. One disadvantage is that potentially if lots of people do this, I would just need to hack the Puppy Linux download hosting account and upload my own compromised Live CD. Then I just wait and let the banking credentials roll in. Also, a lot of new computers don't come with CD drives. A live USB would be different (you get persistence unless it runs off a RAM drive).

The quote:

"I said this nearly three years ago, and it remains true: The simplest, most cost-effective answer I know of? Don’t use Microsoft Windows when accessing your bank account online. All of the malware used in the attacks I’ve written about is built for Windows. That’s not to say bad guys behind these online heists won’t get around to targeting Mac OS X, or users of other operating systems. Right now, there are no indications that they are doing this.

The quickest way to temporarily convert your Windows PC into a Linux system is to use a Live CD. This involves burning a downloadable image file to a CD, inserting the disc into your computer, and rebooting. If this sounds difficult, don’t worry, it’s not."

EricBackus
Posts: 19
Joined: Wed Jul 15, 2015 10:30 am

Re: Risks of electronic access

Post by EricBackus » Wed May 24, 2017 4:05 pm

Ged wrote: No end user computer product is going to protect you against DNS pirates, rogue ads on banking sites and so on because they are attacks on the bank's software infrastructure rather than on the end user's system.
Rogue ads can easily be attacks on the end user's system. You would hope that banks are smart enough to avoid serving ads from other companies, but it's hard to have much confidence in anything on the internet these days.
Ged wrote: I gave you a reference to what some consider best practice. Whether or not you choose to follow it is your decision.
Fair enough, and thanks for the reference which I hadn't seen before.

Ged
Posts: 3632
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: Risks of electronic access

Post by Ged » Wed May 24, 2017 7:16 pm

need403bhelp wrote:
FYI, my read of Krebs' article per below is:

1. Don't use Windows for banking
2. Here's the easiest way to use your system with Windows installed on it for banking - burn a Linux LiveCD

My read is that he would, for example, be ok with someone installing Linux on their computer and using that for banking, or even having a dedicated computer running Linux for banking.

Of course, Live CD has some advantages - usually posted Live CDs are fairly up to date, as long as you burn a new Live CD every few months. One disadvantage is that potentially if lots of people do this, I would just need to hack the Puppy Linux download hosting account and upload my own compromised Live CD. Then I just wait and let the banking credentials roll in. Also, a lot of new computers don't come with CD drives. A live USB would be different (you get persistence unless it runs off a RAM drive).
I agree that using Linux over Windows for online banking is a huge improvement, for the reason Krebs states. It's not fully appreciated but there has never been a widespread virus infection of Linux end user systems, only large scale attacks on IoT systems like security cameras etc. However there have been some small scale incidents, which is why some of the comments on Krebs' article refer to additional advantages of a read-only system.

Also -

Many USB drives have a hardware read-only switch. One of those would be ideal if you don't have a CD drive.

Hacking the Puppy site and uploading compromised isos seems unlikely to be successful if you use the checksum integrity test Linux distros support.

The following describes an instance of the sort of compromise you describe and how to use this integrity check feature:

https://www.howtogeek.com/246332/how-to ... ered-with/
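
The checksum integrity test mentioned in the post above, as an added example (not part of the original post and not any distro's own tooling): it parses a `sha256sum`-style checksum list and checks a downloaded image against it. It assumes the checksum text came from a source the download host's account cannot rewrite (for example after its signature was checked separately), since a checksum served beside a replaced image can be replaced too; the file names and image bytes are constructed.

```python
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_sums(text):
    """Parse sha256sum-style lines: 64 hex chars, a space, ' ' or '*', then the file name."""
    entries = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        digest, name = raw[:64].lower(), raw[66:]
        well_formed = (len(raw) > 66 and raw[64] == " " and raw[65] in " *"
                       and set(digest) <= HEX)
        if not well_formed:
            raise ValueError(f"malformed checksum line: {raw!r}")
        entries[name] = digest
    return entries


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a multi-gigabyte image never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, sums_text):
    """Return 'ok', 'mismatch' or 'not-listed' for the image at path."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return "not-listed"  # an unlisted file is never treated as verified
    actual = sha256_file(path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    """Build a constructed stand-in image, verify it, then alter one byte."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "example-live.iso")  # constructed file name
        with open(iso, "wb") as f:
            f.write(b"constructed stand-in for an ISO image\n" * 1000)
        sums = f"{sha256_file(iso)} *example-live.iso\n"
        good = verify_image(iso, sums)
        with open(iso, "ab") as f:
            f.write(b"\x00")  # simulate a modified download
        bad = verify_image(iso, sums)
        other = os.path.join(d, "other.iso")  # present on disk, absent from the list
        open(other, "wb").close()
        missing = verify_image(other, sums)
    return good, bad, missing


if __name__ == "__main__":
    print(demo())
```
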

michaeljc70
Posts: 3870
Joined: Thu Oct 15, 2015 3:53 pm

Re: Risks of electronic access

Post by michaeljc70 » Wed May 24, 2017 7:21 pm

I think that telling people that are not that technologically oriented and are thinking about giving up all online access to start using Linux or some other convoluted method is not the solution. I work in IT (as a developer) and am not going to start using Linux or whatever to access my financial accounts.

azurekep
Posts: 1179
Joined: Tue Jun 16, 2015 7:16 pm

Re: Risks of electronic access

Post by azurekep » Wed May 24, 2017 8:54 pm

michaeljc70 wrote:I think that telling people that are not that technologically oriented and are thinking about giving up all online access to start using Linux or some other convoluted method is not the solution. I work in IT (as a developer) and am not going to start using Linux or whatever to access my financial accounts.
What's hard about it? These are the steps:
1. Install Linux on a PC or virtual machine, or use live on removable media.
2. Boot computer.
3. Select Firefox (or Chromium).
4. Go to Vanguard and buy an index fund.
5. Close Firefox, log off computer.
6. Periodically install security updates.
Pretty simple. It's basically just using Firefox.

#1 is really the only potential problem area. If the PC is really old or ultra fancy, it may require a driver update or setting tweak.

No need to use anything else on Linux other than the web browser.

azurekep
Posts: 1179
Joined: Tue Jun 16, 2015 7:16 pm

Re: Risks of electronic access

Post by azurekep » Wed May 24, 2017 9:04 pm

EricBackus wrote:
I wouldn't want to argue security with somebody like Brian Krebs... But it still sounds impractical to me. Microsoft has security updates on "patch Tuesday" every month (sometimes twice a month I believe). I think Linux updates are just as frequent. Maybe you could argue that you don't need all of these, but how do you know which ones you do need?
In Linux, security updates are separate from other updates. There is a short description of each but easiest just to install all of them. On the distro I use (Lubuntu), I just install all without giving it a second thought. On other distros, like Mint, they have the security updates color-coded and tagged with numbers, separating out the more critical from the less critical and things like that.
EricBackus wrote: Even with a non-writable DVD, you're still potentially vulnerable to DNS issues, rogue ads on your banking websites, and probably lots of other things I haven't thought of.
uBlock Origin is a great ad-blocker. Actually, it's called a broad-spectrum blocker. It works great out of the box, but in Advanced mode, the sky is the limit. Blocking third-party frames and third-party scripts is a good default. It rarely breaks a site and adds a great deal of security above and beyond simple ad-blocking and the blocking of known malware sites.

No solution is perfect, but you can't go wrong with Linux plus uBlock Origin.

need403bhelp
Posts: 608
Joined: Thu May 28, 2015 6:25 pm

Re: Risks of electronic access

Post by need403bhelp » Thu May 25, 2017 7:31 pm

Ged wrote:I agree that using Linux over Windows for online banking is a huge improvement, for the reason Krebs states. It's not fully appreciated but there has never been a widespread virus infection of Linux end user systems, only large scale attacks on IoT systems like security cameras etc. However there have been some small scale incidents, which is why some of the comments on Krebs' article refer to additional advantages of a read-only system.

Also -

Many USB drives have a hardware read-only switch. One of those would be ideal if you don't have a CD drive.

Hacking the Puppy site and uploading compromised isos seems unlikely to be successful if you use the checksum integrity test Linux distros support.

The following describes an instance of the sort of compromise you describe and how to use this integrity check feature:

https://www.howtogeek.com/246332/how-to ... ered-with/
Thanks for the interesting info re read only switch for USB drives - will have to check it out. I still have a CD drive on my 2010 MacBook Pro and bought an external one for my wife when we were buying her MacBook Pro. However, I remember the ruckus incoming residents raised when I burned a CD full of useful texts for them - they apparently didn't have a way to read the CDs on their computers.

Also, definitely good to know about checksums. To be honest, even though I am pretty tech savvy, I have not yet checked checksums unless I am downloading something from a shady source. Probably will have to start doing this from now on more often...

Thanks again!

mouses
Posts: 3832
Joined: Sat Oct 24, 2015 12:24 am

Re: Risks of electronic access

Post by mouses » Thu May 25, 2017 7:45 pm

teen persuasion wrote:I no longer trust mail delivery. Years ago we paid our credit card with a check sent snail mail. More than once the check was lost, whether in the mail or internally at the CC company I don't know. Since switching to paying online we've never had an issue with a "lost" payment.

More recently, my employer's payroll packet went AWOL in the mail. It eventually arrived, after nearly 2 weeks, and thus only after the checks had been cancelled and reissued. We regretfully began picking the payroll up in person rather than risk a repeat. Now everyone has chosen to use direct deposit - only those waiting for a live check were inconvenienced by the lost payroll. Thus we can simply download pay stubs and print in house; no more picking up in person.

Even more recently, a business CC payment went AWOL in the mail, and hasn't surfaced. It hit at a particularly bad time - somewhere in the shuffle of a switch in directors, on top of several days of closings due to extreme weather (windstorm one week, followed by snowstorm the next week, followed by flooding a few weeks later).
I used to be a strong defender of the post office, but they have gone downhill recently, in my experience.

I had several checks I mailed never arrive and one came back to me with no stamp on its envelope. A year or so ago I bought a large number of stamps for convenience. When I complained about their coming off envelopes, the post office person asked what did I expect, since they were "old" stamps. What happened to the other envelopes, I have no idea.

This morning (in May) I received a letter I mailed in February, marked no forwarding address.

I still mail some checks, because some people only take checks, like the lawn company.

mouses
Posts: 3832
Joined: Sat Oct 24, 2015 12:24 am

Re: Risks of electronic access

Post by mouses » Thu May 25, 2017 7:47 pm

azurekep wrote:
michaeljc70 wrote:I think that telling people that are not that technologically oriented and are thinking about giving up all online access to start using Linux or some other convoluted method is not the solution. I work in IT (as a developer) and am not going to start using Linux or whatever to access my financial accounts.
What's hard about it? These are the steps:
1. Install Linux on a PC or virtual machine, or use live on removable media.
2. Boot computer.
3. Select Firefox (or Chromium).
4. Go to Vanguard and buy an index fund.
5. Close Firefox, log off computer.
6. Periodically install security updates.
Pretty simple. It's basically just using Firefox.

#1 is really the only potential problem area. If the PC is really old or ultra fancy, it may require a driver update or setting tweak.

No need to use anything else on Linux other than the web browser.
I think step 1 is the difficulty. I can only imagine the extent of possible driver problems, etc.

michaeljc70
Posts: 3870
Joined: Thu Oct 15, 2015 3:53 pm

Re: Risks of electronic access

Post by michaeljc70 » Thu May 25, 2017 7:57 pm

azurekep wrote:
michaeljc70 wrote:I think that telling people that are not that technologically oriented and are thinking about giving up all online access to start using Linux or some other convoluted method is not the solution. I work in IT (as a developer) and am not going to start using Linux or whatever to access my financial accounts.
What's hard about it? These are the steps:
1. Install Linux on a PC or virtual machine, or use live on removable media.
2. Boot computer.
3. Select Firefox (or Chromium).
4. Go to Vanguard and buy an index fund.
5. Close Firefox, log off computer.
6. Periodically install security updates.
Pretty simple. It's basically just using Firefox.

#1 is really the only potential problem area. If the PC is really old or ultra fancy, it may require a driver update or setting tweak.

No need to use anything else on Linux other than the web browser.
You lost most people at step 1, virtual machine. You think people that barely know Windows are just going to create a bootable DVD/USB drive and know how to use Linux? Come on.

LadyGeek
Site Admin
Posts: 49128
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Risks of electronic access

Post by LadyGeek » Thu May 25, 2017 8:25 pm

This thread is now in the Personal Consumer Issues forum (computer security).
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

squirm
Posts: 1503
Joined: Sat Mar 19, 2011 11:53 am

Re: Risks of electronic access

Post by squirm » Thu May 25, 2017 8:35 pm

blueblock wrote:Some of this is going to depend on your tech savvy. For example, if you are prone to opening email attachments from people you don't know, or from people you do know but have no reason to be sending you an attachment, or if you fall for emails that look like they're from a company you deal with but may be spoofed, and click on the links anyway, then yes, you should be concerned.

Me, I've been accessing my banking, brokerage, credit card and other financial accounts for over 20 years and have never had a problem. I have been filing my taxes on line for almost as long, also without incident.

One simple "Internet hygiene" tactic is never to click on a link given in an email but, rather, go to the site yourself and log in from there.

I, too, am concerned about privacy, and recently switched from Firefox to the Opera browser, which has a free VPN add-on, so that websites I visit cannot know my physical location, and my activity cannot be tracked by my Internet service provider.
Same here twenty years or so... Always used online banking, trading, etc. Just use common sense precaution. Never used a special computer with another OS, or only do transactions in person, etc.

squirm
Posts: 1503
Joined: Sat Mar 19, 2011 11:53 am

Re: Risks of electronic access

Post by squirm » Thu May 25, 2017 8:38 pm

People get hacked cause they use an old OS and/or don't keep their system up to date. My friend still uses XP cause he's too cheap to upgrade.

whomever
Posts: 784
Joined: Sat Apr 21, 2012 5:21 pm

Re: Risks of electronic access

Post by whomever » Thu May 25, 2017 8:44 pm

... rogue ads on banking sites...
If a bank or broker was serving ads, I think I'd find another provider.
