Aviv Raff knows a thing or two about cybersecurity. He’s chief technology officer at Seculert, which specializes in helping companies detect and stop sophisticated cyber attacks. In the wake of recent megabreaches such as the one at JPMorgan Chase, where hackers compromised personal information of some 76 million households, or Home Depot, where the digital intruders got at about 56 million credit and debit card numbers, Raff says no one can afford to be complacent about digital safety. “Awareness is definitely rising, but there are people out there who still think it might not happen to them,” he says. “Everyone is at risk of being compromised.”
Raff says the best thing you can do to protect yourself is monitor your accounts closely. “I usually take time once a week or once every couple of weeks to go through the transactions just to make sure that I am familiar with them,” he says. He uses an app called BillGuard that collects all his account statements so he doesn’t have to log in to a lot of different sites to see them. BillGuard also alerts you when a store where you’ve shopped announces a data breach.
Credit and debit card fraud affected 4.6 percent of U.S. consumers in 2013, with $11 billion in total losses, according to Javelin Strategy & Research, which specializes in financial services. Large breaches also added to an increase in account takeovers by fraudsters, which hit 0.86 percent of consumers last year and caused $5 billion in damages. Javelin in October released a ranking of 50 U.S. banks based on the measures they have in place to prevent fraud, detect it, and limit the damage from it. Bank of America topped the list for the ninth year in a row; JPMorgan came in at No. 14. (The bank says “there is no evidence” that account information such as user IDs, passwords, or Social Security numbers was compromised in the recent attack.)
Many banks allow customers to monitor their accounts in real time via e-mails or text messages sent when certain transactions occur. The leaders in this area, such as Bank of America, allow customers to set up notifications for a wide variety of activities, including wire transfers, new-account setups, foreign transactions, and changes in bill payee information, according to Al Pascual, who wrote the Javelin study. JPMorgan is one of seven banks in the survey that allow customers to respond to an alert text to indicate whether an activity is fraudulent.
Raff also recommends using “two-factor authentication” whenever possible. That requires not just a user name and password to access an account but also some additional verification—often a one-time code sent via e-mail or phone. You can protect Gmail and Facebook accounts this way, and many banks require it when you log on from an unfamiliar computer. One in five financial institutions now requires additional authentication during an online banking session for money transfers and other high-risk transactions, according to Javelin. Bank of America, for example, has a program that customers can enable called SafePass, in which sensitive online banking transactions require a single-use password sent to your phone or to a special card. The website twofactorauth.org keeps track of which companies offer two-factor access.
While you can’t do anything to prevent cyber attacks on financial institutions, you can make your personal information safer on your own computer. Shuman Ghosemajumder, who is vice president for strategy at Shape Security, recommends using one machine for nothing but financial transactions. That eliminates the risk that you’ll pick up malicious software that infects your computer when you click on phishing messages or visit a website that has hackers’ code planted on it. For a dedicated device, Ghosemajumder suggests using a Chromebook developed by Google. The simplest version is advertised online for $199; more important, Chromebooks run a less common operating system (Chrome OS), making them less likely to be targeted by cybercriminals spreading malware, according to Ghosemajumder. And they’re designed only to connect to the Internet, so you can’t install software on them, effectively sidelining malware.
Ghosemajumder says too many people don’t bother with the most basic precaution: creating a unique password for sensitive accounts. Cybercriminals test credentials stolen from one site to see if they also unlock your bank account, he says, often using a botnet—a network of infected computers that they control—that makes them appear to be legitimate users. A unique, complex password that includes numbers and upper- and lowercase letters is a must.
Alex Lanstein of computer security company FireEye does his online banking on a dedicated computer—an old Dell laptop with nothing but Windows on it. He takes advantage of the free credit monitoring that companies offer after breaches—as Home Depot is doing now—and he never uses a debit card to make purchases. His reason: If a cyberthief gets your debit card PIN and drains your account, the money is gone and it can take time to get it back. When you contest a fraudulent credit card charge, payment is withheld. Lanstein doesn’t take chances with credit cards, either. Every few months he asks his bank for a replacement—with a new account number, expiration date, and security code—in case someone has gotten hold of his information, even if he hasn’t seen any fraudulent activity. “It’s going to get taken, it’s just the reality,” he says. “I’m on my ninth Chase Sapphire.”