I recently went to visit a friend in a secure building. He didn't answer his phone when I called from the front door to let me in, but the building had a keypad entrance system. After a few repeated attempts, I was able to find the correct key code and let myself into the building. When I got to his front door, he was a bit upset that I was able to "hack" into his building. I said it's pretty easy to figure out PIN codes and passwords because people pick easy-to-remember numbers, words and patterns. Most of the time you just try the most obvious options first, and you can guess the security code.
In a 2012 analysis by DataGenetics.com of 3.4 million leaked four-digit PINs, about 11% were 1234, over 6% were 1111 and almost 2% were 0000. Knowing that, trying only those three codes gives me nearly a one-in-five chance (about 19%) of guessing a stranger's PIN.
Passwords for computers, email and online accounts are not much different. Every year, usernames and passwords harvested in breaches are posted online, and SplashData, a password management company, compiles from them a list of the year's most common passwords. In 2013 the top three were 123456, password and 12345678. Other common entries included amazon, adobe, password1 and one of my favorites: trustno1.
Since most sites require usernames and passwords, and our brains are not built to hold 50 different complex, unreadable passwords, many of us make them easy to remember. Unfortunately, a password that is easy to remember is usually easy to guess. Below are a few things to consider when you create PIN codes and passwords to make them harder to crack.
Select PIN codes that are random and have no connection to you. A PIN of 3976 is much better than a birth year such as 1960: if I know the year you were born, that is one of the first codes I would try, and the same goes for any other number someone could look up about you.
Avoid PIN codes that trace an easy visual pattern on the keypad. DataGenetics found that 2580 was the 22nd most popular PIN because it is the column straight down the middle of a phone keypad. 1397 is an easy guess for the same reason: it is the four corners of the keypad, taken clockwise.
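As an added example (not from the original post), here is a short Python checker for the habits described above: it flags a PIN that is on a popularity list, forms a constant-step digit sequence, traces a straight line or a box on a phone keypad, or looks like a year. The keypad layout is the standard phone layout; the popularity list is a constructed excerpt, ordered roughly as DataGenetics reported, not their data; and the year range of 1900 to the current year is an assumption.

```python
# Added example: flag 4-digit PINs that a guesser would try first.
# POPULAR_PINS is a constructed excerpt (order is illustrative, not
# DataGenetics' exact data); the year range is an assumption.
from datetime import date

POPULAR_PINS = ["1234", "1111", "0000", "1212", "7777", "1004", "2000",
                "4444", "2222", "6969", "2580"]

# Standard phone keypad as (column, row); the 0 sits below the 8.
KEYPAD = {
    "1": (0, 0), "2": (1, 0), "3": (2, 0),
    "4": (0, 1), "5": (1, 1), "6": (2, 1),
    "7": (0, 2), "8": (1, 2), "9": (2, 2),
    "0": (1, 3),
}


def is_year(pin: str, earliest: int = 1900) -> bool:
    """A plausible birth year is one of the first things a guesser tries."""
    return earliest <= int(pin) <= date.today().year


def is_arithmetic(pin: str) -> bool:
    """Digits that change by a constant step: 1234, 1111, 2468, 9876, 1357."""
    digits = [int(c) for c in pin]
    step = digits[1] - digits[0]
    return all(b - a == step for a, b in zip(digits, digits[1:]))


def is_keypad_pattern(pin: str) -> bool:
    """True for a straight line of equal steps on the keypad (2580, 1470,
    3690) or a walk around a rectangle of keys (1397, 7931, 1254, 4587)."""
    pts = [KEYPAD[c] for c in pin]
    moves = {(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(pts, pts[1:])}
    if len(moves) == 1 and moves != {(0, 0)}:
        return True
    columns = {x for x, _ in pts}
    rows = {y for _, y in pts}
    closed = pts + pts[:1]  # the walk must come back to its starting key
    return (len(set(pts)) == 4 and len(columns) == 2 and len(rows) == 2
            and all(a[0] == b[0] or a[1] == b[1]
                    for a, b in zip(closed, closed[1:])))


def pin_weaknesses(pin: str, personal_numbers=()) -> list:
    """Reasons a guesser would reach this PIN quickly; empty means none found.
    personal_numbers are digits an attacker could look up, e.g. a birth year."""
    if not (pin.isdigit() and len(pin) == 4):
        raise ValueError("expected a 4-digit PIN")
    reasons = []
    if pin in POPULAR_PINS:
        reasons.append(f"#{POPULAR_PINS.index(pin) + 1} on the popular-PIN list")
    if is_arithmetic(pin):
        reasons.append("constant-step digit sequence")
    if is_keypad_pattern(pin):
        reasons.append("straight line or box on the keypad")
    if is_year(pin):
        reasons.append("looks like a year")
    if pin in {str(n) for n in personal_numbers}:
        reasons.append("matches a number associated with you")
    return reasons


if __name__ == "__main__":
    for candidate in ["1234", "2580", "1397", "1960", "2468", "3976"]:
        verdict = pin_weaknesses(candidate, personal_numbers=[1960])
        print(candidate, "->", "; ".join(verdict) or "no obvious weakness")
```

Run as a script it walks the PINs mentioned in the text; 3976 is the only one that comes back clean, while the building code 2468 is caught as a constant-step sequence even though it is not on the popularity list.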
Avoid using any part of your login or the site name in your password. If your login to amazon.com is firstname.lastname@example.org, don't make your password something like joe123 (built from your name) or Amazon1 (built from the site).
Have a different password for every site. I know this can be a big pain, but if a hacker steals your password at one site, they won't be able to use it at another. Imagine that your password was compromised at a site you used once, three years ago, and that you use that one password everywhere. How many sites would you have to update? How much of your data would be at risk (banking, shopping, investments, email)? A unique password at each site limits the damage to that one site.
Use a random password. A password like Fj%9cX44 is much better than F00tballs. F00tballs meets the usual requirements (at least 8 characters with numbers and upper- and lower-case letters), but password-cracking tools apply exactly these tricks, a zero for an o and a capital first letter, to every word in their dictionaries automatically, so F00tballs is barely harder to crack than footballs.
Use an uncommon phrase. For a while, people suggested a simple phrase such as "ILikeSchool". As cracking has improved, many security experts now recommend a nonsensical sentence instead. A phrase such as "eat_baseball_Yards" or "doughnuts around circles" is much harder to guess because those words do not appear together anywhere a cracker would look.
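To show what "simple character substitutions are still risky" means in practice, here is an added Python example (not from the original post) of the mangling rules a password cracker applies to each word in its dictionary: change the case, swap letters for look-alike digits and symbols, append common suffixes. It also includes the check from the earlier tip that a password should contain no part of your login or the site name, and a random password generator. The six-word dictionary, the rule set and the login joe.smith@example.org are constructed for illustration; a real cracker uses wordlists of millions of entries and hundreds of rules.

```python
# Added example: a miniature of the rule-based guessing password crackers
# do, plus the "no login or site name in the password" check.
# WORDLIST, LEET and SUFFIXES are constructed for illustration.
import itertools
import re
import secrets
import string

WORDLIST = ["football", "password", "amazon", "adobe", "trustno1", "joe"]
LEET = {"o": "0", "i": "1", "e": "3", "a": "@", "s": "$"}
SUFFIXES = ["", "s", "1", "123", "!", "2013"]


def case_variants(word: str):
    """football, Football, FOOTBALL"""
    return [word.lower(), word.capitalize(), word.upper()]


def leet_variants(word: str):
    """Every combination of the LEET substitutions: Football -> F0otball,
    Fo0tball, F00tball, F00tb@ll, ..."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for pos, swap in zip(positions, mask):
            if swap:
                chars[pos] = LEET[chars[pos].lower()]
        yield "".join(chars)


def candidates(wordlist=WORDLIST):
    """The cracker's guess stream: each word x case x leet x suffix."""
    for word in wordlist:
        for cased in case_variants(word):
            for leeted in leet_variants(cased):
                for suffix in SUFFIXES:
                    yield leeted + suffix


def guesses_to_crack(password: str, wordlist=WORDLIST):
    """How many guesses the rules above need to hit `password`, or None if
    the password is outside everything they can produce."""
    for n, guess in enumerate(candidates(wordlist), start=1):
        if guess == password:
            return n
    return None


def reuses_identity(password: str, login: str, site: str) -> bool:
    """True if the password contains a piece of the login (joe, smith)
    or the site's name (amazon), ignoring case."""
    local_part = login.split("@")[0].lower()
    pieces = {p for p in re.split(r"[._+-]", local_part) if len(p) >= 3}
    host = site.lower()
    if host.startswith("www."):
        host = host[4:]
    pieces.add(host.split(".")[0])
    return any(piece in password.lower() for piece in pieces)


def random_password(length: int = 12) -> str:
    """Random password from the secrets module (never the random module,
    whose output is predictable)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["F00tballs", "Password1", "Fj%9cX44"]:
        print(pw, "->", guesses_to_crack(pw) or "not reachable by these rules")
    print("Amazon1 reuses identity:",
          reuses_identity("Amazon1", "joe.smith@example.org", "amazon.com"))
    print("random:", random_password())
```

Even with six words and a handful of rules, F00tballs and Password1 fall within a few hundred guesses, while Fj%9cX44 is never produced; the gap only widens with real wordlists.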
Try using unique logins for various accounts. Where possible, I like to have a login that is unique to each site. When a site requires an email address, I keep a few email accounts that I use for different sites; you can easily sign up for multiple Gmail, Hotmail or Yahoo accounts.
Use a password manager. If it is too hard to remember all those passwords, several programs will store your usernames and passwords securely and fill them into the website's login form for you. A quick search for "password manager" in Google or Bing will get you started.
As I said above, I don't think we were meant to keep so many sites, logins and passwords in our heads. Writing them down on a piece of paper is just asking for trouble, and storing them in an Excel spreadsheet isn't any better. There is hope on the horizon. As we work with biometric systems for voice and visual recognition, we soon might be able to use our image and voice as our PIN code. We might be able to use a fingerprint and say our name to get into our email. No longer will we need to store all these random phrases; we will only need to remember our name. Oh, and the code to my friend's building was 2468.
It seems that every year thieves become more creative in finding new ways to steal. A disturbing new trend directly targets financial advisors and their clients. Financial institutions are seeing a noticeable increase in attempted fraudulent wire transfers by email "spoofing", where a request appears to come from the client but is actually sent from a fake-but-similar email address (or, sometimes, from the client's actual account after it has been compromised).
Think for a minute about the emails you have sent to your advisor. If your email account were hacked, the attacker would have every one of those emails in your sent folder. They could easily send an email, from "you", to your advisor requesting a transfer to a third-party bank account, along with convincingly forged letters of authorization; if you have ever emailed a scanned copy of something you signed, they have your signature too. By the time someone realizes the request is fraudulent, it is often too late: the money is gone, the wire cannot be recalled and the theft is complete.
It is our policy to never accept instructions like this via e-mail, but in response to this increased risk, we have trained our employees to identify warning signs of electronic wire fraud attempts. We have also reviewed and improved our procedures to verify a wire transfer request is legitimate before acting on it, particularly in scenarios where the transfer is going to a third party.
However, it is also important for you to take steps to keep your own information secure and avoid this type of fraud altogether. We use www.box.com to share files with our clients securely and keep that sensitive information out of your inbox.
Just to be safe, here are some tips on how you can help protect your email accounts from being hacked:
Use long, complex passwords. We recommend a minimum of 8 characters, including upper- and lower-case letters, numbers and symbols, and longer is better.
Don't use the same password on multiple accounts. If one account is hacked, the attacker has access to everything that shares the password.
Use two-step verification (also called two-factor authentication) wherever it is offered. It requires you to enter an extra code when logging in from a device or location the service doesn't recognize, so a stolen password alone is not enough to get in. Google's 2-step verification is one widely available example.
If you read email on your smartphone, make sure the phone is locked with a passcode.
Be careful about keeping documents in your email that contain your signature, Social Security number or other non-public personal information. If your account is hacked, the thief has everything needed to steal your identity.
Don't ignore signs that your email account has been hacked, such as finding emails you didn't send in your "sent" folder or hearing from friends that they have received spam from your address.
If you are hacked, change your passwords immediately, starting with the email account itself, and call your financial institutions to make sure your accounts have not been compromised.
If you use email, you are under constant attack. Every ploy imaginable is used to get you to open a message whose goal is to lead you to a website where you will type in your account number and password. This "phishing" email will look very official, will be urgent in tone and will link to an official-looking website. Don't take the bait!
One scheme sends you an email stating that your credit card or bank account at Bank XYZ will be closed immediately unless you reset your password by clicking the enclosed link. The link takes you to a very official-looking copy of the Bank XYZ website, where you are instructed to type in your current account number and password. The attackers now have your login information and can access your real account directly. Keep this in mind: banks and other financial organizations will not ask you to provide account and password information via email. Common scams go beyond banking credentials; be on the lookout for wire transfer requests from friends supposedly stranded overseas, lottery winnings, investment schemes, fake checks and pretty much anything related to money.
For a long time we thought it was safe to click links and attachments from people we know, but attackers have become far more sophisticated and now send messages using the names and addresses of your friends, harvested from social media or from malware on their computers. A familiar name makes you far more likely to open the message. The links and attachments often lead to software that tries to infect your computer with malware, or to a malicious site. So use extra caution whenever an email asks you to provide any kind of personal information, even if it appears to come from someone you know.
How do you protect yourself? First, never give out personal information requested in an email. Second, make sure the address in the browser's address bar matches where you think you should be. If you expect to be at www.paypal.com and the browser says you are at www.stealingyourmoney.com, leave that site immediately. Of course, it is not always so obvious: what matters is the domain name just before the first slash, and a lookalike such as www.paypal.com.stealingyourmoney.com still belongs to stealingyourmoney.com. If you look closely, you will often spot the discrepancy. Safer still, type the site's address yourself or use a bookmark rather than clicking the link in the email.
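The two warning signs described here and in the wire-fraud post above, a sender address that is almost but not exactly a known one, and a link whose real destination is not the site it names, can both be checked mechanically. The following Python is an added example, not code from the original posts or from any product the firm uses: the message, the address book and the domains are constructed, and the domain-trimming helper assumes ordinary two-label domains like example.com (country-code domains such as .co.uk would need a public-suffix list).

```python
# Added example: two phishing checks, a look-alike sender address and a
# link whose destination is not the site it names. KNOWN_SENDERS, the
# message and all domains are constructed for illustration.
import difflib
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed address book of clients the firm actually corresponds with.
KNOWN_SENDERS = ["jane.client@example.com", "bob@client-family.org"]


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Assumes .com/.org-style domains;
    a public-suffix list is needed for names such as bank.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_warnings(raw_message: str) -> list:
    """Flag a From address that is not a known client, especially one that
    nearly matches a known client, and a Reply-To that redirects replies."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    warnings = []
    if sender not in KNOWN_SENDERS:
        near = difflib.get_close_matches(sender, KNOWN_SENDERS, n=1, cutoff=0.85)
        if near:
            warnings.append(f"sender {sender} looks like {near[0]} but is not the same address")
        else:
            warnings.append(f"sender {sender} is not a known client")
    if reply_to and reply_to != sender:
        warnings.append(f"replies would go to {reply_to}, not to the sender")
    return warnings


def link_warning(link_text: str, href: str, expected_domain: str):
    """Compare where a link says it goes (its visible text) with where it
    really goes (the host in its href), judged by registrable domain."""
    host = urlsplit(href).hostname or ""
    actual = registrable_domain(host)
    if actual != expected_domain.lower():
        return f"link shows {link_text} but points at {host} (owned by {actual})"
    return None


# Constructed message in the style the text describes.
SPOOFED_WIRE_REQUEST = """\
From: Jane Client <jane.cliemt@example.com>
Reply-To: jane.client.office@mailbox.example
To: advisor@advisory-firm.example
Subject: Urgent: wire transfer today

Please wire $25,000 to the account in the attached letter of authorization.
"""

if __name__ == "__main__":
    for w in sender_warnings(SPOOFED_WIRE_REQUEST):
        print("WARNING:", w)
    print(link_warning("www.paypal.com",
                       "http://www.paypal.com.stealingyourmoney.com/login",
                       "paypal.com"))
    print(link_warning("www.paypal.com", "https://www.paypal.com/signin",
                       "paypal.com"))
```

Neither check helps when the client's real account has been taken over, since the address then matches exactly; that case is why the call-back verification described in the wire-fraud post above matters regardless of what the headers say.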
Always keep your computer and devices patched and up to date with the latest security updates. Most major software companies release updates on a regular schedule to fix security issues, so don't dismiss those update notifications. Use a firewall and anti-virus software, which will keep a lot of malicious items at bay. Most browsers also have pop-up blockers that can help reduce your risk. Finally, if you are unsure whether an email is genuine, call the person who sent it, using a number you already have rather than one given in the email, and ask them about it.
In the end, you are the last line of defense. Always be skeptical of things that don't seem quite right. In the real world it may be admirable to assume the good intentions of others, but online things are not always what they seem, and it is best to keep your defenses up.