A couple of recent posts on identity theft, card readers on gas pumps, and break-ins to the computer systems of large companies has prompted me to finish writing up my thoughts on how you can increase the security of your credit cards and on-line transactions.
Summary for those who don’t have time to read the whole thing. Crackers are not targeting you. They are looking for the low-hanging fruit and it’s not that hard to make it not worth their time to mess with your accounts.
1. Change your password on your email and all bank accounts, brokerage, phone plans, etc. to have at least 13 characters—upper, lowercase, at least a few numbers, and few special characters.
2. Use a different email address for your financial accounts than you use for general email.
3. Do not ever re-use the same password. It’s not as hard as you might think to have a different password for each site. For example, I have a generic password for sites that don’t have any financial information and I just prefix it with the first two letters of the site. Since lots of sites have two word site names, I use the first letter of each word. So BeachTalk is BTbazmarle! The ‘word’ in the middle isn’t a dictionary word (or words) or something that pops up on Google. Make the password 9 letters or more.
Here’s a simplified version of what crackers are doing. Crackers sometimes break into sites and steal the entire password file. If the site has even rudimentary security the passwords are encrypted—but surprisingly enough not all sites do this. But even if they are encrypted, computers are fast enough now that they can compare the encrypted passwords to a ‘rainbow table’ of encrypted passwords and decrypt them. Basically, they can compare the password to all possible combinations of letters, numbers, and symbols. At the moment rainbow tables are easy to construct for 8 character passwords. It’s basically impossible to construct rainbow tables for 13 characters. Longer passwords are still subject to dictionary attacks, so you don’t want to make a password by combining two dictionary words.
The first thing they’ll do when the get the passwords is try to use them to log in to banks, Amazon, Best Buy, etc. Many people use the same email and password for all their logins, so they get a lot of logins for places they care about from small sites that aren’t secure. My server gets thousands of break-in attempts every day and I don’t have anything worth stealing. I can’t even imagine how many attempts that sites with millions of users get.
Unless you are someone famous, you don’t have to worry about using things that you know as your password. So you can use the initials of your family for the first four letters, JMJD, then append one or two made-up words that you can remember—maybe you fly a TSIO Bonanza, tsiobonan, your street address is 874 and your the special characters corresponding to your birth year are %&. So your easy to remember password is JMJDtsiobonan874%&
If you use a laptop, don’t let the computer remember your passwords for financial sites. You should write them down, but don’t keep them in your wallet.
Now, here’s why you want a separate email address for your financial accounts. I have a different one for each of my accounts. If I get an email sent to john@LF about my bank account being overdrawn, or a shipment has been made, I know it’s a fishing attack. If I get an email to BofAJohn@LF then I am fairly confident that it’s legit. But that’s not the main reason I use a different email. Most sites will let you change your password if you forgot yours by requesting a new one with an email. Once someone has your email address and can log in to your account, they’ll start requesting a password reset everywhere they can think of. Banks are getting better at requiring another authentification factor, like your favorite candy, but not every site does this. If your bank has an email address that you only use for them, crackers won’t be able to reset the password.
Spammers will pay for cracked accounts. I’ve gotten spam from people who have had their Yahoo, Hotmail, or Facebook accounts hacked. Outright thieves will pay for other accounts. Cracked iTunes accounts are worth $8, AT&T and Verizon accounts are worth $4 and Twitter and Facebook are worth $2.50.
These techniques won’t stop the NSA, Rupert Murdoch, or someone who is targeting you specifically, but will make it less likely that some random cracker will get your info.