By JONATHAN HOLLOW
In my first article for this series, I made the point that scams and fraud could pose as big a threat to investors as sub-optimal investments. This is because their audacity, credibility and size keep on growing, and threaten even the savviest of investors.
But a fraudster will prefer straightforward theft to the complex art of persuasion, any day. If they can unlock the digital “safe” that keeps your assets secure, they can simply help themselves to your savings.
Digital security should therefore be a top priority for every investor. In this article, I’ll set out some useful hints and tips.
Two-factor authentication strengthens your passwords
I’ll talk about passwords and password manager safety below. But before that, my first recommendation is to turn on two-factor authentication for every money product you use.
“Two-factor” means that a password on its own is not enough: it must be backed up by a second form of authentication. This can take various forms:
- The most common (and irritating) is an SMS code sent to your mobile.
- Increasingly common is linking your login to biometric identification performed by your phone – fingerprint or Face ID.
- A third form is the use of an authenticator app that provides a code.
All of these are good. Biometric is extremely good because it’s very difficult, if not impossible, to fake – and it’s instant. So choose biometric, whenever you have a choice.
Be aware that two-factor authentication via SMS messages depends on the security of your mobile phone provider. There have been “SIM-swap” scams. In these, fraudsters have persuaded a mobile network to transfer somebody else’s number to the SIM on the fraudster’s phone, without the true number-owner being involved or warned. Once this is done, lots of other accounts can be unlocked and plundered.
So an important tip is to call your network, or at least examine their procedures on their website, to make sure that such a swap can’t be done without your approval. Any swap should involve notifying the current SIM linked to the number — your SIM card, on your phone.
Passwords are unavoidable — but are password managers safe?
Whether or not you have two-factor authentication, passwords cannot be avoided. And what a pain they are in our daily lives. There are so many contradictory requirements for the contents of a password, and so many different ways of torturing the whole word, or part of it, out of us.
A simple workaround for this is to subscribe to a commercial password manager. This will generate and fill in very complex, random, but compliant passwords for all the sites and services you use. The best ones will link to the biometrics on your phone, so you can activate them with your fingerprint. Essentially, you end up needing to remember only the password for the password manager service (and you will rarely need that if you use biometric activation).
I have to confess that I don’t use a password manager, although I have been contemplating switching for a while. My reason was simple: my fear of putting all my eggs in one digital basket, then finding out one day that that basket has also been plundered. Are password managers safe? They need to be very, very safe for us to trust them.
However, my fear is probably unfounded. The New York Times recently published an excellent guide to password managers, which put into plain English some of the security principles used by their top picks. I won’t make a fool of myself by trying to explain these here. Very few ordinary people (and I’m not one of them) can fully understand these security and encryption principles. But I am now more convinced that the risk is low, and password managers are worth it, provided you choose one of the subscription services that allows outsiders to regularly audit its security.
In passing, advice I read also states that using a browser to store your passwords, although free, is many times less secure. For your money websites at least, this is not worth the risk.
How secure is my password? A guide to strengthening it
If you don’t want to use a password manager, my tips for secure passwords are:
- Most serious sites require at least 10 characters for secure passwords, and a combination of numbers and special characters. Longer, much longer, always creates a more secure password. (But no matter what length and combination you choose, you must expect to find the odd site that requires a new approach.)
- The system I’m proposing here helps you to generate random-looking (so more secure) passwords that you can always remember. To do this, find lines from songs, or poetry, or book titles, that you can always remember, and so never write down. They should be at least 10 words long. You use these to generate a “core” for your password system.
- You will need several such memorable lines. You shouldn’t rely on using the same one each time. But you don’t need one for every site. What about associating a Pop song with your Pension accounts, a Book title with your Banks, a Musical with your Mortgage, and so on?
- Choose a consistent way of generating the core of your secure password – by taking a letter from each word in your phrase. For example, you could choose the first letter of each word, but it could be the second, or the last. You’ll also need to choose an easy and memorable way of swapping at least one number and special character for two of the letters. This done, you have your password’s “DNA”.
- You now need to choose a consistent way of wrapping some details of the site whose password it is around – or within – your core. For example, if you bank with HSBC and Marcus, you could remember the phrases “HSBC does banking”, “Marcus does banking”, and put the first and last letter of the phrase at the beginning and end of your password “core”. Or right in the middle. This way you have a unique password for every site.
- Together these will create a system that only you know (I have mine, and it’s different from all the above). It will generate an easy-to-remember, but random-looking, password. And under this system, only one letter in your password is derived from the brand name/site that the scammer wants to crack.
The way to get the benefit out of this secure password system is to implement it across all your accounts at once. If you criss-cross this system with previous passwords, it can get very confusing and you will probably feel that life has got worse!
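The steps above, worked through in code as an added illustration (this is not part of the original article; the phrase, the two letter swaps and the site phrases are constructed samples, and a real phrase should be one only you know):

```python
import string

# Constructed sample values for illustration only; a real phrase should be
# private and memorable to you, never written down, as the article advises.
SAMPLE_PHRASE = "the quick brown fox jumps over the lazy dog every single day"
SAMPLE_SWAPS = {"e": "3", "s": "$"}   # one number and one special character


def password_core(phrase, letter_index=0, swaps=None):
    """Take one letter from each word of a memorable phrase (by default the
    first letter), then apply the fixed letter swaps. This is the reusable
    'core' or 'DNA' of the password system."""
    words = phrase.split()
    if len(words) < 10:
        raise ValueError("use a phrase of at least 10 words")
    core = "".join(w[letter_index] if letter_index < len(w) else w[-1]
                   for w in words)
    for old, new in (swaps or {}).items():
        core = core.replace(old, new)
    return core


def site_password(core, site_phrase, placement="ends"):
    """Wrap the first and last letter of a site phrase such as
    'HSBC does banking' around the core ('ends') or inside it ('middle')."""
    letters = site_phrase.replace(" ", "")
    first, last = letters[0], letters[-1]
    if placement == "ends":
        return first + core + last
    mid = len(core) // 2
    return core[:mid] + first + last + core[mid:]


def meets_site_rules(password, min_length=10):
    """The common site rule the article mentions: minimum length plus at
    least one digit and one special character."""
    return (len(password) >= min_length
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def differing_positions(pw_a, pw_b):
    """Count the positions where two passwords differ. Under this scheme the
    count is small: only the site-derived letters change between accounts."""
    return sum(a != b for a, b in zip(pw_a, pw_b)) + abs(len(pw_a) - len(pw_b))


if __name__ == "__main__":
    core = password_core(SAMPLE_PHRASE, swaps=SAMPLE_SWAPS)
    bank = site_password(core, "HSBC does banking")
    other = site_password(core, "Marcus does banking")
    print(core, bank, other, meets_site_rules(bank), differing_positions(bank, other))
```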
Sign up for scam alerts
A big problem with passwords is the growing number of authentic-looking sites that trick you into entering your hard-kept secrets. It’s no good spending a lot of time asking “how secure is my password?” if you then accidentally give it away!
So my final tip is to sign up to a scam alerts newsletter. In the UK, I recommend the Which? scam alerts newsletter. In the USA, the Federal Trade Commission has a similar free newsletter.
Both of these will help you spot the latest fakes that could threaten your digital security. But they will also help you keep in touch with the issues raised in my first article — the widening range of even more sophisticated frauds and scams.
JONATHAN HOLLOW worked for the UK Government’s Money and Pensions Service and is a writer and commentator on consumer education and protection.
© The Evidence-Based Investor MMXXII