Security Best Practices for 2024

Topic Author
ThankYouJack
Posts: 6141
Joined: Wed Oct 08, 2014 7:27 pm

Security Best Practices for 2024

Post by ThankYouJack »

For years I've felt good from a security perspective with my password manager, email locked down, credit is locked, 2FA is set up when possible. But with an increasing number of data breaches and SIM swaps happening, I'm planning to take some time to increase my security for numerous accounts.

What would you recommend for a "cybersecurity self-audit" of sorts, lock things down further and check if my SS# and other personal info is on the "dark web"?
cvoege
Posts: 92
Joined: Wed Dec 18, 2019 10:10 am

Re: Security Best Practices for 2024

Post by cvoege »

[quoted post and reply removed by admin LadyGeek]

I work on cyber security and I'll offer some helpful things I've been stressing with family, friends, and business over the last year or so, in no particular order. Maybe you know them maybe you don't.

1. Set up alerts for all transactions on all your cards and bank accounts. It can be a bit annoying but if a fraudulent transaction happens you'll know quickly and can act.
2. Use a password manager with a solid 4 word passphrase generating long passwords with special characters.
3. Do not ever give out any financial information of any sort on a phone call you receive. Yes, even if it's your mother on the other line. Voice deep fakes are getting crazy good. Hang up and call a trusted number, either the number you have in your contacts or on the company website.
4. You probably already have credit alerts on, but make sure you do with all three bureaus.
5. The "online data scrubbing" services seem to me to be pretty scam adjacent themselves. I wouldn't bother with them.
6. Use an authenticator app where possible over text/email 2FA.
7. Your SSN probably is leaked and there's probably not much you can do about it beyond freezing your credit and setting up 2FA on all three bureaus.

That's what's off the top of my head.
41% VTSAX, 35% VTIAX, 4% VSIAX, 20% VSIGX. 80/20 S/B, 57/43 US/INT, 10% of US holdings allocated to small-cap value. All bonds are US treasuries.
bobn60014
Posts: 235
Joined: Tue May 21, 2024 6:59 pm

Re: Security Best Practices for 2024

Post by bobn60014 »

cvoege wrote: Sun Sep 01, 2024 9:15 pm [quoted post and reply removed by admin LadyGeek]

I work on cyber security and I'll offer some helpful things I've been stressing with family, friends, and business over the last year or so, in no particular order. Maybe you know them maybe you don't.

1. Set up alerts for all transactions on all your cards and bank accounts. It can be a bit annoying but if a fraudulent transaction happens you'll know quickly and can act.
2. Use a password manager with a solid 4 word passphrase generating long passwords with special characters.
3. Do not ever give out any financial information of any sort on a phone call you receive. Yes, even if it's your mother on the other line. Voice deep fakes are getting crazy good. Hang up and call a trusted number, either the number you have in your contacts or on the company website.
4. You probably already have credit alerts on, but make sure you do with all three bureaus.
5. The "online data scrubbing" services seem to me to be pretty scam adjacent themselves. I wouldn't bother with them.
6. Use an authenticator app where possible over text/email 2FA.
7. Your SSN probably is leaked and there's probably not much you can do about it beyond freezing your credit and setting up 2FA on all three bureaus.

That's what's off the top of my head.
You just made my case. Everything stated gets rehashed on a daily basis.
gavinsiu
Posts: 5824
Joined: Sun Nov 14, 2021 11:42 am

Re: Security Best Practices for 2024

Post by gavinsiu »

cvoege wrote: Sun Sep 01, 2024 9:15 pm [quoted post and reply removed by admin LadyGeek]

1. Set up alerts for all transactions on all your cards and bank accounts. It can be a bit annoying but if a fraudulent transaction happens you'll know quickly and can act.
2. Use a password manager with a solid 4 word passphrase generating long passwords with special characters.
3. Do not ever give out any financial information of any sort on a phone call you receive. Yes, even if it's your mother on the other line. Voice deep fakes are getting crazy good. Hang up and call a trusted number, either the number you have in your contacts or on the company website.
4. You probably already have credit alerts on, but make sure you do with all three bureaus.
5. The "online data scrubbing" services seem to me to be pretty scam adjacent themselves. I wouldn't bother with them.
6. Use an authenticator app where possible over text/email 2FA.
7. Your SSN probably is leaked and there's probably not much you can do about it beyond freezing your credit and setting up 2FA on all three bureaus.

That's what's off the top of my head.
That's a good list. Other things to add:
  1. Make sure you do not reuse passwords. This is easily done by using a password manager.
  2. If the site has security questions, see if you can fill them with randomly generated strings and store them in the password manager. Many of these are an avenue for bypass. The worst type of question is "What is your mom's maiden name?"
  3. Call up your wireless phone provider and add a PIN to your SIM. This may not completely secure the SIM though, since there have been cases where the service provider is tricked into bypassing the PIN, but the PIN will help.
  4. As cvoege already pointed out, a common scam is to call you up and use pressure tactics to get your information. For example, I have gotten a few calls from the "fraud" department asking for info, often telling me that there is a fraud in progress, pressuring you to do something right away. Hang up and call up your firm's main number and ask to be transferred to the fraud department.
  5. It may be a good idea to turn off the voice print. I feel that this technology doesn't actually increase security. If you fail voice print, you have to talk to a human operator. The voice print is just a way to avoid talking to an operator. Though I have yet to hear of a case where someone used AI voice print to bypass security, the possibility of this happening may not be far off. This is especially true if you are a public speaker and your voice can easily be acquired.
  6. Scams don't have to be high tech. My mom constantly gets forms that look like they came from her state requesting info, but are not actual forms. This goes for any form that may ask for info due to unclaimed properties.
Since SSN is stolen a lot these days, I wonder if there are ways to prevent stolen identity refund scams where someone would pose as you and file a tax return early to steal the refund. Not having a refund would be one protection, but I wonder if there are other ways. For example, I notice that each time I file electronically, I can set up a PIN for next year.
nps
Posts: 1731
Joined: Thu Dec 04, 2014 9:18 am

Re: Security Best Practices for 2024

Post by nps »

gavinsiu wrote: Sun Sep 01, 2024 11:39 pm Since SSN is stolen a lot these days, I wonder if there are ways to prevent stolen identity refund scams where someone would pose as you and file a tax return early to steal the refund. Not having a refund would be one protection, but I wonder if there are other ways. For example, I notice that each time I file electronically, I can set up a PIN for next year.
Yes, there are other ways. The one you set up yourself each year when e-filing is a self-select PIN that can be used to confirm your identity if your prior year AGI is not known the next time you file.

But there is also the more secure identity protection PIN which prevents filing at all without it. The IRS provides you a new one each year (you don't select it). You need to opt in to receive one, and I don't believe that it's possible to opt out after enrolling.

https://www.irs.gov/identity-theft-frau ... ection-pin
LadyGeek
Site Admin
Posts: 98611
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: Security Best Practices for 2024

Post by LadyGeek »

I removed an off-topic post. As a reminder, see: General Etiquette
We expect this forum to be a place where people can feel comfortable asking questions and where debates and discussions are conducted in civil tones.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
jebmke
Posts: 28327
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Security Best Practices for 2024

Post by jebmke »

We have one credit card that is used for 95% of CC and Apple Pay transactions. The other cards are locked. ATM card locked as well since it is rarely used.
When you discover that you are riding a dead horse, the best strategy is to dismount.
hudson
Posts: 7580
Joined: Fri Apr 06, 2007 9:15 am

BACKUPS

Post by hudson »

For Windows
Plug in a USB hard drive. I use a 1 TB drive
Copy important folders to the drive
Put the drive in a safe deposit box.
I have 5 or 6 drives; some are in a safe deposit box; some are secured locally.

Bottom line: Multiple Backups!
gavinsiu
Posts: 5824
Joined: Sun Nov 14, 2021 11:42 am

Re: Security Best Practices for 2024

Post by gavinsiu »

nps wrote: Mon Sep 02, 2024 5:36 am Yes, there are other ways. The one you set up yourself each year when e-filing is a self-select PIN that can be used to confirm your identity if your prior year AGI is not known the next time you file.

But there is also the more secure identity protection PIN which prevents filing at all without it. The IRS provides you a new one each year (you don't select it). You need to opt in to receive one, and I don't believe that it's possible to opt out after enrolling.

https://www.irs.gov/identity-theft-frau ... ection-pin
Thanks, that's what I do now, but what prevents an attacker from filing a Paper return to counter that?
jebmke
Posts: 28327
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Security Best Practices for 2024

Post by jebmke »

gavinsiu wrote: Mon Sep 02, 2024 7:30 am
nps wrote: Mon Sep 02, 2024 5:36 am Yes, there are other ways. The one you set up yourself each year when e-filing is a self-select PIN that can be used to confirm your identity if your prior year AGI is not known the next time you file.

But there is also the more secure identity protection PIN which prevents filing at all without it. The IRS provides you a new one each year (you don't select it). You need to opt in to receive one, and I don't believe that it's possible to opt out after enrolling.

https://www.irs.gov/identity-theft-frau ... ection-pin
Thanks, that's what I do now, but what prevents an attacker from filing a Paper return to counter that?
It will get held without the IP PIN.
When you discover that you are riding a dead horse, the best strategy is to dismount.
gavinsiu
Posts: 5824
Joined: Sun Nov 14, 2021 11:42 am

Re: Security Best Practices for 2024

Post by gavinsiu »

jebmke wrote: Mon Sep 02, 2024 7:31 am It will get held without the IP PIN.
That's good to know. I haven't filed a paper return in ages. I imagine IRS will send a letter requesting you to send the PIN or log in to enter the PIN?
jebmke
Posts: 28327
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Security Best Practices for 2024

Post by jebmke »

I don't know. I don't do paper returns unless the IRS requires it; none of my clients have needed it.
When you discover that you are riding a dead horse, the best strategy is to dismount.
JayB
Posts: 736
Joined: Sat May 28, 2022 9:57 am

Re: Security Best Practices for 2024

Post by JayB »

gavinsiu wrote: Mon Sep 02, 2024 7:34 am
jebmke wrote: Mon Sep 02, 2024 7:31 am It will get held without the IP PIN.
That's good to know. I haven't filed a paper return in ages. I imagine IRS will send a letter requesting you to send the PIN or log in to enter the PIN?
According to the IRS:
"If you file your return without your IRS-assigned IP PIN:
We'll reject your electronic return, and you won't be able to e-file.
We'll subject your paper return to additional screenings to validate your identity, delaying any refund you may be due."
nps
Posts: 1731
Joined: Thu Dec 04, 2014 9:18 am

Re: Security Best Practices for 2024

Post by nps »

gavinsiu wrote: Mon Sep 02, 2024 7:30 am
nps wrote: Mon Sep 02, 2024 5:36 am Yes, there are other ways. The one you set up yourself each year when e-filing is a self-select PIN that can be used to confirm your identity if your prior year AGI is not known the next time you file.

But there is also the more secure identity protection PIN which prevents filing at all without it. The IRS provides you a new one each year (you don't select it). You need to opt in to receive one, and I don't believe that it's possible to opt out after enrolling.

https://www.irs.gov/identity-theft-frau ... ection-pin
Thanks, that's what I do now, but what prevents an attacker from filing a Paper return to counter that?
To counter the self-select PIN? Nothing. That's the reason to use the IP PIN
SmileyFace
Posts: 10003
Joined: Wed Feb 19, 2014 9:11 am

Re: Security Best Practices for 2024

Post by SmileyFace »

JayB wrote: Mon Sep 02, 2024 7:48 am
gavinsiu wrote: Mon Sep 02, 2024 7:34 am
jebmke wrote: Mon Sep 02, 2024 7:31 am It will get held without the IP PIN.
That's good to know. I haven't filed a paper return in ages. I imagine IRS will send a letter requesting you to send the PIN or log in to enter the PIN?
According to the IRS:
"If you file your return without your IRS-assigned IP PIN:
We'll reject your electronic return, and you won't be able to e-file.
We'll subject your paper return to additional screenings to validate your identity, delaying any refund you may be due."
If you file with TurboTax and start with last year's return, it carries the PIN forward and auto-fills it when filing. It shows it on the screen, but if someone is clicking thru quickly they may not realize they are filing with a PIN.
gavinsiu
Posts: 5824
Joined: Sun Nov 14, 2021 11:42 am

Re: Security Best Practices for 2024

Post by gavinsiu »

nps wrote: Mon Sep 02, 2024 7:58 am
To counter the self-select PIN? Nothing. That's the reason to use the IP PIN
What I meant was that I was under the mistaken impression that the pin only applies when you file electronically but not by paper.
LookinAround
Posts: 1010
Joined: Tue Mar 27, 2018 5:41 am

Re: Security Best Practices for 2024

Post by LookinAround »

Title fraud remains a problem. A growing number of County Recorders across the US are offering free property fraud alerts. Typically, you simply register your property index or address with your email address. If anything (e.g. title, lien, etc) is filed against your property you'll be notified by email. This allows you to report and stop it ASAP.

To check your county, simply do an internet search on

[Name of your county] property fraud
evestor
Posts: 195
Joined: Sat Feb 21, 2015 4:37 pm

Re: Security Best Practices for 2024

Post by evestor »

The thread is doing a nice job covering a lot of the technical stuff to do to protect yourself in 2024.
I'll come at this with 2 very different suggestions, both of which I believe help.

First, think about who the weak links are in your personal ecosystem. Is your spouse properly secured? Your kids? Your parents? Do you have an aunt or uncle that can wreak havoc in some odd way? Help them too. Whatever you do for yourself, help them with those same things too. They probably need the help and might already be worried about it, they just don't know how to channel that worry.

Second, I would advise in writing reaching out to your key financial institutions and asking them for written guidance of what to do. Ask "your gal/your guy" at your FI, or the contact you have at the bank, or whatever, "I am very worried about security threats against my account, including <thing you're worried about> in particular, what does your firm recommend I do to protect myself?"
Take their list and make sure to do everything on it. And I would ask this every year or two.
I suggest this because this way if something terrible does happen (and I hope it never does!) you can ask them to make you whole because you did follow all of their guidance. It's a liability thing.
For good measure, express displeasure (but only a pinch) there is not more you can do, and ask them to invest more energy into making this great. Or maybe it's just me who does this. ;)

Good luck!
mark_in_denver
Posts: 595
Joined: Thu Feb 26, 2015 7:36 pm

Re: Security Best Practices for 2024

Post by mark_in_denver »

But a lot of this is rehash from years ago, what's new for 2024 that we can employ to help secure our financial info? I'm always looking for better security even if it's less convenient. Is Windows 11 more secure than 10? I still don't really know and I consider myself IT-ish. Seems like browser password managers are better than 5 years ago but is it better than a dedicated PW manager? Android has a SIM lock now, but I still don't understand exactly what that is.
mptfan
Posts: 7243
Joined: Mon Mar 05, 2007 8:58 am

Re: Security Best Practices for 2024

Post by mptfan »

Lots of great suggestions, but here is something that is a potential weak link... password resets.

Imagine that you (or someone pretending to be you) wants to reset your password at any of your critical sites (banking, investing etc)... how would they do that? What information would they need?
mark_in_denver
Posts: 595
Joined: Thu Feb 26, 2015 7:36 pm

Re: Security Best Practices for 2024

Post by mark_in_denver »

mptfan wrote: Mon Sep 02, 2024 12:22 pm Lots of great suggestions, but here is something that is a potential weak link... password resets.

Imagine that you (or someone pretending to be you) wants to reset your password at any of your critical sites (banking, investing etc)... how would they do that? What information would they need?
My friend had to reset his 2fa and password at id.me, he said he had to send them a pic of his id, or license, front and back. Apparently it was painless, which I'm not sure if that's good.
cvoege
Posts: 92
Joined: Wed Dec 18, 2019 10:10 am

Re: Security Best Practices for 2024

Post by cvoege »

mptfan wrote: Mon Sep 02, 2024 12:22 pm Lots of great suggestions, but here is something that is a potential weak link... password resets.

Imagine that you (or someone pretending to be you) wants to reset your password at any of your critical sites (banking, investing etc)... how would they do that? What information would they need?
Password resets almost always send you an email. Thus your email is the primary central point of failure you'll have. Make sure it has an extremely strong password.
41% VTSAX, 35% VTIAX, 4% VSIAX, 20% VSIGX. 80/20 S/B, 57/43 US/INT, 10% of US holdings allocated to small-cap value. All bonds are US treasuries.
gavinsiu
Posts: 5824
Joined: Sun Nov 14, 2021 11:42 am

Re: Security Best Practices for 2024

Post by gavinsiu »

evestor wrote: Mon Sep 02, 2024 11:50 am The thread is doing a nice job covering a lot of the technical stuff to do to protect yourself in 2024.
I'll come at this with 2 very different suggestions, both of which I believe help.

First, think about who the weak links are in your personal ecosystem. Is your spouse properly secured? Your kids? Your parents? Do you have an aunt or uncle that can wreak havoc in some odd way? Help them too. Whatever you do for yourself, help them with those same things too. They probably need the help and might already be worried about it, they just don't know how to channel that worry.

Second, I would advise in writing reaching out to your key financial institutions and asking them for written guidance of what to do. Ask "your gal/your guy" at your FI, or the contact you have at the bank, or whatever, "I am very worried about security threats against my account, including <thing you're worried about> in particular, what does your firm recommend I do to protect myself?"
Take their list and make sure to do everything on it. And I would ask this every year or two.
I suggest this because this way if something terrible does happen (and I hope it never does!) you can ask them to make you whole because you did follow all of their guidance. It's a liability thing.
For good measure, express displeasure (but only a pinch) there is not more you can do, and ask them to invest more energy into making this great. Or maybe it's just me who does this. ;)

Good luck!
I have tried doing this in the past. For years I contacted Vanguard, telling them that they should remove the SMS fallback since hackers will just attack the SMS. Most reps frustratingly have no idea what I am talking about and then escalate into nothingness.

I raised a similar issue with Fidelity a while back about the possibility of voice software getting good enough to replicate a person's voice to hack voice print. Their response is that Voice Print is foolproof.
syc
Posts: 177
Joined: Sat Feb 17, 2024 1:11 am

Re: Security Best Practices for 2024

Post by syc »

ThankYouJack wrote: Sun Sep 01, 2024 7:56 pm For years I've felt good from a security perspective with my password manager, email locked down, credit is locked, 2FA is set up when possible. But with an increasing number of data breaches and SIM swaps happening, I'm planning to take some time to increase my security for numerous accounts.

What would you recommend for a "cybersecurity self-audit" of sorts, lock things down further and check if my SS# and other personal info is on the "dark web"?
From the technical perspective:

use Linux
use a VPN
use a dedicated password manager, not your browser. Linux's native password manager is called pass
gavinsiu
Posts: 5824
Joined: Sun Nov 14, 2021 11:42 am

Re: Security Best Practices for 2024

Post by gavinsiu »

syc wrote: Mon Sep 02, 2024 9:53 pm From the technical perspective:

use Linux
use a VPN
use a dedicated password manager, not your browser. Linux's native password manager is called pass
Linux is not really more secure than Windows or MacOS. However malware targeting specific OS will probably go with the one with the highest market share.

VPN does not protect you from being hacked. It only blocks your ISP from seeing your traffic.

A dedicated password manager in my opinion is better than the one from a browser, but many of the browsers have made good progress.
PersonalFinanceJam
Posts: 894
Joined: Tue Aug 24, 2021 8:32 am

Re: Security Best Practices for 2024

Post by PersonalFinanceJam »

Presumably this question is being asked to reduce the chance of a bad actor defrauding or otherwise gaining access to your accounts and running off with your money. Many things you say you are already doing but I didn't see my #1 on your list:

Stop answering the phone for anyone not already in your personal contacts!
Aceso
Posts: 13
Joined: Sun Jan 15, 2023 8:29 am

Re: Security Best Practices for 2024

Post by Aceso »

gavinsiu wrote: Mon Sep 02, 2024 10:03 pm
syc wrote: Mon Sep 02, 2024 9:53 pm From the technical perspective:

use Linux
use a VPN
use a dedicated password manager, not your browser. Linux's native password manager is called pass
Linux is not really more secure than Windows or MacOS. However malware targeting specific OS will probably go with the one with the highest market share.

VPN does not protect you from being hacked. It only blocks your ISP from seeing your traffic.

A dedicated password manager in my opinion is better than the one from a browser, but many of the browsers have made good progress.
Agreed. Operating system security is hard to cover in depth here, but in general, if you were ultra-paranoid, higher net-worth, and don't like mucking around with computers much I would recommend having a dedicated up-to-date iPad you only use to manage financial accounts. Keep all the passwords on the iPad in a password management app with some secured backups in a safe deposit box & elsewhere. iOS is much harder to attack than a standard desktop for almost every user for many reasons beyond the scope of this forum, and as a bonus it's quite easy to learn.

Again, that's only if you're quite paranoid as that setup costs some money.

https://www.privacyguides.org/en/ is worth reading through if you're a technical user and you want advice on software, operating system settings, web service recommendations, and so on. Focused on privacy but many of the recommendations are good for security as well.
Topic Author
ThankYouJack
Posts: 6141
Joined: Wed Oct 08, 2014 7:27 pm

Re: Security Best Practices for 2024

Post by ThankYouJack »

Thanks all. Great suggestions, I'll start going through some of them that I haven't already implemented.
Tycoon
Posts: 1723
Joined: Wed Mar 28, 2012 7:06 pm

Re: Security Best Practices for 2024

Post by Tycoon »

gavinsiu wrote: Mon Sep 02, 2024 10:03 pm Linux is not really more secure than Windows or MacOS.
As a seasoned 30 year Linux user I disagree.
Emotionless, prognostication free investing. Ignoring the noise and economists since 1979. Getting rich off of "smart people's" behavioral mistakes.
gavinsiu
Posts: 5824
Joined: Sun Nov 14, 2021 11:42 am

Re: Security Best Practices for 2024

Post by gavinsiu »

Tycoon wrote: Tue Sep 03, 2024 7:24 am As a seasoned 30 year Linux user I disagree.
I used a Linux machine as a daily driver, too. I started out with Slackware back in the 90's. If we return to the Windows XP days, this was definitely the case. Over the years, Windows OS has gotten better. Hacks and attacks are now relatively rare because, due to hacks, the OS is more hardened and exploits are quickly patched. Linux desktops in general are in the single digits in percentage, so malware targeting them is going to be low. On the flip side, Linux shows up on tons of servers, so there may be malware targeting them.

The important thing is to be vigilant. Just because your OS is more secure does not mean you can relax and there will be no hacks. Phishing and other attacks are not dependent on OS.
mapleosb
Posts: 275
Joined: Tue Feb 20, 2007 9:48 pm
Location: Connecticut

Re: Security Best Practices for 2024

Post by mapleosb »

SmileyFace wrote: Mon Sep 02, 2024 8:04 am If you file with TurboTax and start with last year's return, it carries the PIN forward and auto-fills it when filing. It shows it on the screen, but if someone is clicking thru quickly they may not realize they are filing with a PIN.
Be very careful with that. The PIN that TurboTax carries forward is the "electronic signing PIN", not the IRS IP PIN. You need to get a new one each year.
SmileyFace
Posts: 10003
Joined: Wed Feb 19, 2014 9:11 am

Re: Security Best Practices for 2024

Post by SmileyFace »

mapleosb wrote: Tue Sep 03, 2024 8:30 am
SmileyFace wrote: Mon Sep 02, 2024 8:04 am If you file with TurboTax and start with last year's return, it carries the PIN forward and auto-fills it when filing. It shows it on the screen, but if someone is clicking thru quickly they may not realize they are filing with a PIN.
Be very careful with that. The PIN that TurboTax carries forward is the "electronic signing PIN", not the IRS IP PIN. You need to get a new one each year.
Okay - I clearly don't understand the difference.
I also don't understand what a prior poster was stating either then. The statement was you won't be able to file electronically without an "IRS IP PIN" and yet I filed 4 tax returns this year with only an "electronic signing PIN".

The quoted below IRS statement is false if these PINs are different since I, and 3 other people I filed for, only have the electronic PIN.
JayB wrote: Mon Sep 02, 2024 7:48 am
gavinsiu wrote: Mon Sep 02, 2024 7:34 am
jebmke wrote: Mon Sep 02, 2024 7:31 am It will get held without the IP PIN.
That's good to know. I haven't filed a paper return in ages. I imagine IRS will send a letter requesting you to send the PIN or log in to enter the PIN?
According to the IRS:
"If you file your return without your IRS-assigned IP PIN:
We'll reject your electronic return, and you won't be able to e-file.
We'll subject your paper return to additional screenings to validate your identity, delaying any refund you may be due."
Or maybe this means if you have such a PIN - you better use it. (If you don't have one - you will be okay but maybe more prone to fraud)
gavinsiu
Posts: 5824
Joined: Sun Nov 14, 2021 11:42 am

Re: Security Best Practices for 2024

Post by gavinsiu »

mapleosb wrote: Tue Sep 03, 2024 8:30 am Be very careful with that. The PIN that TurboTax carries forward is the "electronic signing PIN", not the IRS IP PIN. You need to get a new one each year.
Hmm.. I use HR Block and thought that the PIN was the IRS pin. Is that different for HR Block, too? How do I verify that it is the IRS PIN?
mapleosb
Posts: 275
Joined: Tue Feb 20, 2007 9:48 pm
Location: Connecticut

Re: Security Best Practices for 2024

Post by mapleosb »

SmileyFace wrote: Tue Sep 03, 2024 9:04 am Or maybe this means if you have such a PIN - you better use it. (If you don't have one - you will be okay but maybe more prone to fraud)
OK, I see what is happening, I think :happy

Yes, you can file electronically just using an electronic signature PIN, i.e., in TurboTax. BUT, so can everyone else. For security, you can request an IRS IP PIN so that no one else can file a return on you without that PIN. However, once you file using an IRS IP PIN, you MUST use one every year thereafter or you cannot file electronically, just by paper.

Clear as mud? Hope that helps
BogleTaxPro
Posts: 754
Joined: Sat Apr 04, 2020 6:08 pm

Re: Security Best Practices for 2024

Post by BogleTaxPro »

gavinsiu wrote: Tue Sep 03, 2024 9:39 am
mapleosb wrote: Tue Sep 03, 2024 8:30 am Be very careful with that. The PIN that TurboTax carries forward is the "electronic signing PIN", not the IRS IP PIN. You need to get a new one each year.
Hmm.. I use HR Block and thought that the PIN was the IRS pin. Is that different for HR Block, too? How do I verify that it is the IRS PIN?
On HR Block (desktop software, at least) the 6 digit IRS issued IP Pin is on the Federal --> Misc tab. The efiling 5 digit self-selected PIN is entered on the File --> Electronic Filing --> Sign your federal return tab.
gavinsiu
Posts: 5824
Joined: Sun Nov 14, 2021 11:42 am

Re: Security Best Practices for 2024

Post by gavinsiu »

So I attempted to view the PIN on my online IRS account. However, I am told that I recently requested a PIN and it will not be available for at least 72 hours. I had submitted my extension return a few days ago, so that is probably why the PIN isn't available. Once I have it, I can compare it to the one entered on my HR Block.
SmileyFace
Posts: 10003
Joined: Wed Feb 19, 2014 9:11 am

Re: Security Best Practices for 2024

Post by SmileyFace »

mapleosb wrote: Tue Sep 03, 2024 10:28 am
SmileyFace wrote: Tue Sep 03, 2024 9:04 am Or maybe this means if you have such a PIN - you better use it. (If you don't have one - you will be okay but maybe more prone to fraud)
OK, I see what is happening, I think :happy

Yes, you can file electronically just using an electronic signature PIN, i.e., in TurboTax. BUT, so can everyone else. For security, you can request an IRS IP PIN so that no one else can file a return on you without that PIN. However, once you file using an IRS IP PIN, you MUST use one every year thereafter or you cannot file electronically, just by paper.

Clear as mud? Hope that helps
Clear now. Thanks. I see the IRS IP PIN also changes every year. I did not read far enough to know if MFJ filers use 2 PINs or 1.
Seems like it is the same as with many things security related- it might help security wise but will add complexity and potentially other issues.
techbud
Posts: 295
Joined: Thu Dec 22, 2022 6:52 am

Re: Security Best Practices for 2024

Post by techbud »

mark_in_denver wrote: Mon Sep 02, 2024 12:18 pm Is Windows 11 more secure than 10? I still don't really know and I consider myself it'ish.
Lots of info here: Windows 11 Security Book. I find it to be an interesting read 8-) but it may bore you to tears. :beer
gavinsiu wrote: Mon Sep 02, 2024 10:03 pm
syc wrote: Mon Sep 02, 2024 9:53 pm From the technical perspective:

use Linux
use a VPN
use a dedicated password manager, not your browser. Linux's native password manager is called pass
Linux is not really more secure than Windows or MacOS. However malware targeting specific OS will probably go with the one with the highest market share.
VPN does not protect you from being hacked. It only blocks your ISP from seeing your traffic.
A dedicated password manager in my opinion is better than the one from a browser, but many of the browsers have made good progress.
I agree 100% with Gavinsiu's points.
mapleosb
Posts: 275
Joined: Tue Feb 20, 2007 9:48 pm
Location: Connecticut

Re: Security Best Practices for 2024

Post by mapleosb »

SmileyFace wrote: Tue Sep 03, 2024 11:26 am Clear now. Thanks. I see the IRS IP PIN also changes every year. I did not read far enough to know if MFJ filers use 2 PINs or 1.
Seems like it is the same as with many things security related- it might help security wise but will add complexity and potentially other issues.
You are correct, the IRS IP PIN changes each year and a new one must be gotten, usually after the 3rd week in January on the IRS website.

https://www.irs.gov/identity-theft-frau ... ection-pin


I had only procured one for myself in the past filing jointly. This year we added an IRS IP PIN for my spouse. A little bit more of a pain, but what price the extra security?

Good luck going forward. :sharebeer
zie
Posts: 1283
Joined: Sun Mar 22, 2020 4:35 pm

Re: Security Best Practices for 2024

Post by zie »

Your stuff will be all over the dark web, there is no point in going to look for it. Just assume it's all out there already, as that's a very safe assumption.

I think the biggest thing is just be wary and verify. Generally speaking, frauds happen a few different ways (not an exhaustive list):

* Technical breakage (i.e. they "hack" your computer/account and steal): This happens, but it's quite rare if you keep your software and hardware up to date and under support.

* Manipulation: This is usually trying to get you emotionally invested so your logical brain won't be involved. Think your kid needs $5k for bail TONIGHT or something like that.

* Impersonation: This is where they try to impersonate some authority, like trying to act like your bank's fraud detection group or something like that. Emails that look like they are legit but actually link to their own scam website are a common example. With online AI voice impersonation, they can even make phone calls sound like they are from a loved one.

Learn how to verify stuff as it comes up. If you get a phone call asking for personal information, take down their information and tell them you will call them back. Then go verify that the information they gave you is legit, or instead call back on the publicly listed phone number (for example, with banks/brokerages use the number printed on the back of your credit card).

When you start getting emotionally invested in a big financial emergency, take a step back and see if you can do some verification. For the example about bail money, reach out to any publicly listed bail bondsmen in the area of the supposed arrest. They can verify that your kid/grandkid/etc really is in need of bail and can even help facilitate the transaction. They almost always are open 24 hours, so it's not a big deal to even call them at 3AM when you get the emergency phone call.

Also know that they often combine methods, it's not like you will ONLY get hit with 1 of the big 3 categories above, they probably will try some combination. Be wary, verify what you can before you send money anywhere. If you have trusted friends, reach out to them and get their opinion before sending money somewhere.

I always recommend sending $10 or some low amount somewhere first, and verifying it all worked *as planned* before sending over larger amounts, even with new ACH, new account setups, Zelle, etc. At the very least this gives you a few minutes of breathing room to reflect and make sure you are doing the right thing before you send larger amounts of money.

When doing cash or in-person transactions, try to meet at a bank, and let the bank verify the cash. It gives you a handy meeting spot, probably with local security already, and if it's a bank one of you is doing business with, they are generally really great and happy to confirm and guarantee the transaction for you. People are generally wary of doing illegal things inside a bank.
Whether rich or poor, a young woman should know how a bank account works, understand the composition of mortgages and bonds, and know the value of interest and how it accumulates. -Hetty Green