I received an email from a client requesting help regarding a form his bank sent him to fill out because his bank detected a fraudulent attempt to access his account. They explained that the IP address of the failed attempt, which used his actual username, was located in Miami, Florida. My client lives in a town in Nassau County on Long Island.
It took a while before my client realized he had been locked out of his account for safety’s sake because of the fraudulent attempt. I get that. In a “normal world,” you’d ask that the password for the account be reset, you’d provide a new password, and you’d be back to online banking. But not with this bank. Nope, they wanted more — much more! They asked my client to acknowledge having taken one of the following options:
The hard drive of each computer was wiped clean and the operating system, as well as any software the Client utilizes was reinstalled. Thereafter, a scan utilizing proven effective anti-malware/anti-virus software was run on each of Client’s computers and no virus or other malicious software was found. [or] Each computer was replaced with a cleaned computer. A scan utilizing proven effective anti-malware/anti-virus software was run on each of Client’s replacement computers and no virus or other malicious software was found. [or] Client will access [bank name redacted] from a different computer/device and a scan utilizing proven effective anti-malware/anti-virus software was run on the computer and no virus or other malicious software was found.
The paragraph appearing before these options contained jargon that implied the computer itself had been compromised, thus warranting these extreme measures. But here’s the thing: that wasn’t the case here, and there isn’t any way to accurately determine when – or even if – this computer was the reason someone attempted to access the account.
I’ve written for years that name, email, and password information is readily available to anyone who wants it for nefarious means. Vast troves of data are inexpensive and they can pay off significantly if used maliciously. Anyone can go to https://haveibeenpwned.com to see if their email address is out in the wild. I found this client’s email address was in six data breaches.
With billions (yes, with a “b”) of email addresses and easily cracked passwords in circulation, miscreants then try to see if they can find other accounts that use the same credentials. Because, after all, most of us are creatures of habit (i.e., lazy) and don’t want to keep track of lots of different passwords.
After several discussions, I learned that my client used a specific construct for a username and password on different sites. It was an easy construct, something like joebob1823. While easily remembered, it is an awful security measure. On how many sites was this used as a username? I didn’t ask. On how many sites was this used as a password? Again, I don’t know. But if it was more than one, it was way too many.
Why? Because his email is associated with joebob1823, and joebob1823 is associated with a password for one of the compromised websites. Now, go to LinkedIn and see if this works to gain access to his account. Then go to Instagram, and Facebook, and all the social media sites. Next, try some common banks, like Citibank, Chase, or Wells Fargo. Then go after brokerage accounts, like Charles Schwab or Fidelity Investments. You see where this is heading. To a group of bad actors with nearly unlimited computing resources, this is child’s play. They set up scripts to run multiple iterations at various sites until they either gain access or the site stops them because of repeated violations.
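The pattern just described, one source cycling through a list of breached usernames until the site stops it, is also what a bank's fraud system looks for. This is an added example, not the bank's or the author's code, run over a constructed log excerpt: it flags source IPs that try many distinct usernames and logins that arrive from somewhere other than the customer's usual region (the Miami-versus-Long-Island case above). Home regions are assumed values.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): time, source IP, username, geo, outcome
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 joebob1823 Miami,FL FAIL
2024-03-01T09:00:02 203.0.113.7 alice99 Miami,FL FAIL
2024-03-01T09:00:02 203.0.113.7 carol_k Miami,FL FAIL
2024-03-01T09:00:03 203.0.113.7 dave2020 Miami,FL FAIL
2024-03-01T09:00:04 203.0.113.7 eve.smith Miami,FL SUCCESS
2024-03-01T09:05:10 198.51.100.22 joebob1823 Nassau,NY SUCCESS
2024-03-01T09:06:00 198.51.100.22 joebob1823 Nassau,NY FAIL
"""

# Assumed "home" region per customer, as a bank might derive from login history
HOME_GEO = {"joebob1823": "Nassau,NY", "alice99": "Austin,TX"}


def parse_log(text):
    """Turn each non-blank line into a dict of fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, geo, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "geo": geo,
                       "ok": result == "SUCCESS"})
    return events


def stuffing_sources(events, min_users=3):
    """IPs that tried at least `min_users` distinct usernames: the signature of a
    script walking a breached credential list, not one customer mistyping."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    return {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def out_of_region_attempts(events, home=HOME_GEO):
    """Attempts from a region other than the customer's usual one, failed or not;
    a successful one is the case that warrants a lockout and a call."""
    return [(e["user"], e["ip"], e["geo"], e["ok"])
            for e in events if e["user"] in home and e["geo"] != home[e["user"]]]


def triage(text):
    events = parse_log(text)
    return {"stuffing_ips": stuffing_sources(events),
            "out_of_region": out_of_region_attempts(events)}
```

Note that the one successful login in the sample (eve.smith) is the account a reviewer would reset first: it is the hit the script was looking for.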
What could help this client the most? That would be if his bank offered two-factor authentication (commonly referred to as 2FA). I explained it to him as follows:
You go to your bank’s website, supply your credentials (your username and password), and click Enter or Next. Then, you must enter a code to continue. The bank can generate that code in several ways. For example, the bank will call the phone number associated with your account, and an automated voice recites the numbers, one at a time. Or you can get an email sent to the email address associated with your account. You can then copy and paste that number into the field. Or you can use an app on your phone, such as Google Authenticator. This app generates a series of random numbers every 45 seconds. Enter that number into the field, and you gain access to your account. The primary reason this is a reasonably effective security measure is that this second form of confirmation is yours and yours alone.
Now there are known ways of spoofing every single one of those 2FA mechanisms. But they require more effort than most bad actors will use to hack an individual’s account. And using 2FA is much better than not having it. Surprisingly, my client’s bank does use 2FA, but it is not required. I am particularly livid about that when you consider what they want him to do to his computer because of the fraud attempt.
What else could help this client? The use of more sophisticated passwords. joebob1823 is not a rigorous or strong password. Using the University of Illinois at Chicago’s password strength test (https://www.uic.edu/apps/strong-password/), it merits a complexity score of “Good” (although I disagree with that). Many indicators on the results list are red or yellow.
I suggested that he use a more complex formula to create a password, essentially using a phrase. For example, he has an adorable dog whose name is Lizzy. So, he could make a more complex password from the words, “Lizzy is a cute dog.” With minimal effort, this becomes Li##yI$@Cut3D06. Checking the complexity score, this received a “Very Strong” rating, and it only picks up some nits for repeating characters and numbers. But a simple dictionary attack is not going to discover this. And if it is used at only one website, then the likelihood of its being compromised is lowered exponentially.
Oh, and before you ask, yes, you can write these down if you are at home. Some of you may ask why I don’t recommend using a third-party product to keep track of passwords. That’s because I have yet to find one that has a sure-fire mechanism of preventing access to your account information if their database is breached.
Takeaway: Ask your financial institutions how to set up 2FA on your accounts, and start to use more sophisticated passwords everywhere.
Thanks, and safe computing!