Cybersecurity: Is Your Personal Financial Information Protected? (30:27)
We are all impacted by cybersecurity. Many firms spend a great deal of money to protect your data, but are you following steps to protect it too? With the recent data breaches of Facebook, Uber and Equifax, among others, it’s more important than ever to understand cybersecurity and how to protect your personally identifiable information. From passwords, to your computer, to Wi-Fi and much more, this episode covers what you should think about the next time you get online.
Brian Leitner: Welcome to Your Life, Simplified. My name is Brian Leitner, and I’ll be the host of this podcast today. This show is about cybersecurity. The reality is we are all impacted by cybersecurity, so the question becomes what can we do to educate ourselves to make sure that we are taking the best steps to protect ourselves, to protect our own devices, as well as to secure our transactions? This topic is obviously critical for many of us because cybersecurity and cybercrime in one way or another impact all of us. There are billions of dollars spent on it by companies across the country. Many firms have to spend a great deal of money to protect your data, and if you just think about recent times, in 2017 you had the Equifax data breach, as well as Uber and many other companies. So it’s a great conversation to have to be able to educate yourself and protect yourself. And today I’ve invited Chris Cook, the head of IT for Mariner Wealth Advisors, to help educate us and answer some of the questions that you likely have on your mind. Chris, welcome to the show. So Chris, how do you define cybersecurity?
Chris Cook: I would probably define cybersecurity as a habit, tactic or method you can use to maintain the security of your identity, mainly focusing on what we call your personally identifiable information. And that consists of things like your full name, your home address, obviously your Social Security number—data points that could relate your information to yourself.
Brian: So, Chris, thanks for being here. There’s a lot of information out there. What we’ve done is ask our listeners, as well as friends of the podcast, if they had any questions that they would want some answers to as it relates to cybersecurity, whether it be from their professional life or their personal life, in an effort to protect them. So we have sort of the top 10 questions that we wanted to ask you to make sure that we’re all being protected. So if you’re ready for the top 10, I’m ready. So one question that came in was a question about password vaults. Can you explain password vaults? Your thoughts on whether it’s a good or bad idea to leverage these tools?
Chris: Yes, I think it’s a great idea. Historically we’ve been kind of brainwashed that we have to use strong passwords, and by strong passwords, it’s a bunch of characters and digits that don’t really matter. In doing something like that, it makes it very complicated for you to use more than one. And so what makes you the most secure is using a unique password for every site. And in doing so, if something gets compromised, you don’t compromise everything else. And so what matters with password vaults is it gives you one password to be able to unlock a vault that contains all of your other unique passwords. So you don’t necessarily have to remember 150 of them, which I think is how many I maintain.
Chris: But you can just remember your master password. A good recommendation for a password is a long sentence, a movie quote, lyrics out of a song, things like that, and using full punctuation and spaces makes a very, very strong password. Data shows that the length of the password matters substantially more than the characters in it. So I would say 20 to 25 characters; if you use a master password like that, you can pretty much guarantee that everything inside that password safe is pretty secure.
Brian: So just to drill down on that a little further, so if no one’s ever used one of these password vaults, you log into the password vault, you put your long password in, maybe it’s that phrase, maybe it’s your favorite song or something of that nature. And once you get in there, is it sort of an Excel spreadsheet that has all of your passwords?
Chris: Yes. I mean, you could relate to that for sure. There’s usually a bunch of pictures of the icons of each company that you’re logging into. And then from there, it allows you to just click on, say your bank or maybe your favorite streaming service or something like that. If you just click on the icon, it launches you into the site and then auto fills the username and password for you. It works through a desktop computer on the web. It also works on a mobile app on your phone. So, they’re very convenient to use, and they’re getting easier to use every day.
Brian: We’ve leveraged that here at Mariner. So, thanks for installing that for everybody. So the next question. Phishing: What is that?
Chris: So phishing comes usually in the form of an email and can also be a phone call, but typically email. It tries to get your attention as being something important, something impactful to your life. Something happened with the security of your bank account. There’s an issue with a payment somewhere. They want you to claim a shipment of something. It’s usually something to entice you to click on a link in an email. That is trying to either harvest your credentials or compromise the computer you’re on. They come in many shapes and forms, and, no matter how secure or how much email you go through, some of them seem to get through. So, I would recommend reading the “from” address, hovering over the links to see exactly which website they’re trying to take you to before you really click anything in email these days.
Brian: So some of the typical ones that you might get use the name of a company that you know. You’ve seen the logo before. You’re very familiar with it, but there’s something just not right about it if you take the time to actually look at every piece of that logo or what’s in that email. So, for example, Amazon would be a good example, where instead of spelling it “zon” towards the end, it’s “zin” or something like that. Is that a typical example?
Chris: Yes, absolutely. We’ve seen many shipping companies and retail companies where they’re actually taking the order confirmation page that looks exactly like what you would get if you were to buy something, sending that to you maliciously with links that then lead you to log into a site that looks like Amazon, where you put in your username and password, and they’re just then saving it and then logging into the real Amazon with it.
Brian: Within our organization, something that you guys do is run these phishing tests across the organization to see who you could actually trick into clicking on a link, just making sure that we’re all on top of things and making sure that we’re not getting phished ourselves. Based on some of that preliminary data that you guys collect, how many people are falling for some of the stuff you put out there?
Chris: We started 24 months ago. It was very common for someone to click on it. I would say our best one that we sent out got a hundred people to click on it, not necessarily to fill in all their information. But it’s through training and through multiple simulations that we’re all getting better at this and understanding what the risks are, understanding that it kind of ties to everybody being vigilant in reading their email and reading what they’re clicking on. Now, every time we send one, we’re within just a few percent that even get opened and maybe just a couple of clicks. And so then when that kind of thing happens, we do targeted training. We reach out to them. We really educate them at the time that it happens, which is very, very powerful.
Brian: I’ve got to imagine, all of us, whether it’s this organization or anybody listening to the show, get a ton of email. It’s easy to just scroll through, click through without paying attention. This looks about right. So it’s a great tip. Thank you very much. So, number three, do I need to pay for antivirus, malware or anti-spyware software? Do I really need these things on my computer?
Chris: You definitely need them on your computer. To clarify what the differences are, a virus is something that’s typically trying to do damage to your computer. Ransomware’s something that you hear a lot of. It’s a pretty common virus, and that just tries to destroy data on your computer, so that then they can hold you ransom. You pay X amount of dollars, they free up your data, so it’s not destroyed anymore. And what that antivirus does is basically protect against those things in real time. What spyware does is, it infects your computer by living next to all of your good data and watches things you’re clicking on. It could be logging the keys that you’re typing in. So that if it detects you go to your bank website, it’s copying down exactly what you type in your user name, type in your password, ultimately just trying to get enough credentials harvested that it can then reuse them against you. And so, there are two different things depending on which product you download. They usually have an overlap of both of them now. But in this day and age, it’s such a problem that all of these are just what we call freeware. And so, most of the good ones that are out there right now offer a free variant for home. Most of the paid services are all the legacy-type antiviruses that are still around. But there’s a ton of free options that are really, really good that don’t require you to have to remember to renew them.
Brian: So no excuse. There are good, free options out there. So number four, someone told me that using a separate computer just for your financial accounts might be a great way to protect yourself, your financial identity just in case something does get infected. Your thoughts on that?
Chris: Yes, I think so, if the hassle’s worth it, and just for all the reasons that I just mentioned from antivirus and cybersecurity and spyware, where it’s mainly surrounding getting all of that information and taking all of the information from applications that are installed on your computer that you don’t know about. So the viruses, the spyware that’s installed, it’s trying to steal your credentials. If you only access financial websites on a separate computer, and you’re still running antivirus and anti-spyware on that one, but you’re not doing all of your Google searches, you’re not looking at photos, you’re not doing any of that kind of stuff on that computer, it really lowers what we call the attack surface, because there’s not a lot of ways for them to infect you. So, like I said, email and phishing are a big way to infect a computer. If you’re not checking your email on that computer, you’re removing that attack.
Brian: Sure. So, it sounds like it’s a decent amount of legwork to only check your financial accounts on that one computer, but at the same time, should your data be compromised, you’ll be glad you did if you decide to go that route.
Chris: Yeah, and there’s an additional spend obviously, but I wouldn’t necessarily imagine this is another desktop computer sitting on a desk. This can be a separate tablet, like an iPad or something like that, that you only use for financial accounts. It doesn’t necessarily have to be a traditional type desktop computer.
Brian: Thank you. Okay. So, question number five is, as it relates to two-factor authentication, what is it and who uses it?
Chris: Two-factor authentication is used on a lot of different websites that are really trying to understand that you, the person, are on the other side of the computer that’s trying to connect to them. And so, what happens in two-factor authentication is, you type in your username, your password typically, and then it prompts you for another number. That number comes to you via text message, sometimes email, sometimes phone call, however you want to do it. But what it’s trying to do is say that, right now, in this captive moment, the person that typed in the username and password is also the one that is able to receive, then type in that passcode. It’s very common in financial accounts and very common in the banking industry. I would recommend setting up email for that. Here at Mariner, we use what we call multifactor authentication. And we have up to 10 different methods to validate an identity from a push button application on a phone, from text message, from phone calls or email, etc.
Brian: I think I get that every time I log into my brokerage account or my bank account. It’s terrific. Makes me feel good. I know it’s an extra step, but it’s pretty neat. Hey, just a quick note to our listeners, if you have a topic that you want to hear on this podcast or you have a question about your own personal financial situation, please don’t hesitate. Go ahead and send us an email at firstname.lastname@example.org, and we’ll have an advisor reach out to you directly. And now back to the episode.
Brian: Number six. How do I protect my mobile applications? So many of us today spend more time on mobile than we do on our traditional desktops, right? So how do we protect ourselves on our iPhones and our Androids and everything else that’s out there?
Chris: We definitely do, even here, we’re pushing to become more and more mobile, because it allows us to be anywhere at any time, with access to anything. It’s very convenient and really frees up a lot of time that we traditionally have to be here in the office. But how do you go about keeping that safe? There are a few different things to think about. One of them is know which apps you are installing. If you’re like most people, you click on an app at launch or something, you click either Get or Install, there’s a whole page of information that we typically don’t read, right? We accept, it installs. We really don’t know what information it’s taking from you, and you don’t know where it’s sharing it. And I think that’s probably the biggest risk to installing mobile apps. What’s different from computer apps is that there are two entities, Apple and Google, that are looking through these stores, diligently looking through the applications and certifying them before they publish them to make sure there’s no malicious things happening. But from a non-malicious standpoint, it’s a not very well-known thing that your data is sold everywhere for everything, to market to you, to understand demographics, to make products and services better. Really understand that when you log into a mobile app or you sign up for a new service and you use, say, your Google account, anything that’s stored in your Google account typically gets shared with that other app.
Chris: It could be as much as your name or your date of birth. It could be all of the demographics around you and your interests. All of those kinds of things. A common one, Facebook, does it all the time. You can log in with your Facebook, it shares your basic profile information, maybe where you live, things like that. And so if you think that you’re just putting that information into one application, they have made it very easy to use your login for another site. You’re passing that information around to multiple companies.
Brian: I continue to get targeted from banner ads to other types of marketing material that fill up my screen or my inbox.
Chris: It’s a huge business, and they typically make the path of least resistance the one that transfers your information from company to company.
Brian: Okay. So, bottom line, anytime you’re going to download anything on your mobile device, make sure that you’re reading exactly what you’re accepting. I know many of us don’t, but it’s critical if you want to protect your data security.
Brian: So number seven, Chris, this actually came from a client of ours. At our firm, we leverage a part of our platform called MarinerGPS, and it’s a digital place where folks can store all of their digital documents, track their expenses, and see their living balance sheet. And the question becomes ultimately, is that safe? Is that a safe application?
Chris: I would say it’s as safe as it can be. It’s tough for me to say that anything’s 100 percent safe that’s connected to the internet. But at the same time, in situations in which we choose where any of our client information and, honestly, where our information is going to be stored, we do a very, very long due diligence process. We sit down with our engineers. We understand where they’re storing the data, how they’re storing the data, what encryption they’re using, not only where the data’s stored, but then how it’s transferred back and forth between the website and the client, the website and us, things like that. And so, we worked with them a long time on MarinerGPS. It was a couple months’ process to really understand and to get us comfortable with how everything was being stored. But we do that for almost every application. It’s good practice to understand what our attack surface would be, where someone would potentially try to look into that. So, I would say, it’s definitely as safe as it can be.
Brian: All right. So, I feel better about having my tax returns, my estate planning documents and all my pictures on my MarinerGPS.
Chris: And like you said, it does have a two-factor authentication capability built into it. So that you can’t have username or login with a PIN. Which then takes away the ability for them to know you’re using a common password. And so, for those of you that have used MarinerGPS, where it says you can just put in a PIN code, don’t make that four digits, make that six or eight digits. Something that’s unique to you. But that definitely enhances the safety.
Brian: So Chris, number eight. I think some of us have experienced this. We may have been hacked in some fashion, whether it’s a Facebook account or an email account. What’s your suggestion on the first thing you should really do once you figure that out?
Chris: So, the first thing that always comes to my mind is, where else did I use this username and password? And for me personally, that is nowhere because I use unique ones using the password safe. Like we mentioned before, realistically I know that it’s very common to reuse usernames and passwords. We see it every day. And the first thing you need to understand is, where else can this information be used? Beyond that, reaching out to the vendors to let them know if they haven’t shut off your account already, to freeze your access.
Chris: First, understand if you’ve used that same username and password on Amazon or your bank; the first thing I would do is notify those companies as well. Mainly because if they’ve taken that password, they can really log into anything as you. We see it happen very, very quickly where they don’t necessarily know your Amazon login, but they’ll know your email address username and password. So they’ll go to Amazon.com, they’ll type in the email, they hit reset password, it sends an email to their email address, they log in, they set a new password, and now they have access to your Amazon account. So all of that happens very, very, very quickly. And so knowing where you’ve reused passwords or potentially what can be used against you is very powerful.
Brian: I appreciate that, Chris. As much and as often as everyone knows that they should change up their passwords on a regular basis and not use the same one for every site, people get lazy about it, because there are so many logins that we have. We are an internet-based society at this point. So, to your point, leveraging the password vault just makes all the sense in the world, and there’s a good handful out there to choose from.
Chris: It’s also worth mentioning, I would start in the order of what could be the most damaging, so starting at your bank, starting at your financial accounts or brokerage accounts, things that have a lot of impact if they’re transferred away from you with no ability to reverse it. That is really where I would start: contacting all of those, freezing cards, all of that stuff.
Chris: And the next thing I would say is your primary email address, the one that you use as your username on really every other website, mainly because, like I mentioned, it can be used against you very, very quickly to reset all of the passwords to everything else that you’ve been trying to keep secure. So even if they’re unique and you’ve done all of that, if you have a really weak primary email password, which is one that we tend to type in a lot, the same kind of situation happens.
Brian: So, question nine, we’ve had this question come up multiple times. It continues to come up, and we have a lot of folks here who travel, and when they travel, they need to get onto the Wi-Fi at the hotel they’re in. You’ve come out before in trainings and lectures letting people know that hotel Wi-Fi may not be secure, and generally it’s not. So, then the question becomes how do you protect yourself logging onto the internet while you’re on the road?
Chris: Good question. We still talk about this one a lot, mainly because people don’t really understand the risks of it. I would say hotels, along with any restaurant you’re at, or Starbucks is a big one that we see, that offers free Wi-Fi as a convenience—people spend a lot of time there working. The main reason you wouldn’t want to use one of those services to check your finances or anything like that is because it’s not making you an anonymous person on that network. And so it’s not necessarily that it’s not secure and that you’re not going to be able to access it, it’s that there’s a whole bunch of other people sitting there next to you who can see who you are from a network perspective in the open.
Chris: And so they’re able to see that you’re running a Windows computer, and they can see that it’s vulnerable to these things. And then if it’s vulnerable to those, then they can inject themselves and potentially compromise your computer sitting right there. You’re asking for trouble. It can happen in seconds. There’s another big thing I won’t get too far down into, but it’s called a replay attack. And what they’ll do is, once they compromise your computer, they will take information. Everybody’s heard of cookies in a web browser that conveniently log you back in as you visit. So when you’re all there sitting on the same Wi-Fi, you’re all using the same IP address to the business you’re connecting to, and, for example, let’s use Facebook again for just a common name.
Chris: They’ll take your login cookie from Facebook, put it on their computer, open Facebook, and now they’re logging in as you with no username, no password, all because of that anonymity. And to your point, like Facebook, they can do it on your bank accounts. Which is where two-factor comes in, because that second factor is always going to be asked of you.
Brian: So, you’ve talked in the past about using your phone as a hotspot to protect yourself. Can you talk a little bit about that?
Chris: Yes. To your point, that’s something that isolates you to your own specific network if you use your personal hotspot. If it’s not using your phone, which is a pretty common capability on everybody’s plan now, now we have iPads that you can have your own cellular data connection with, so you don’t need Wi-Fi anywhere. We also leverage quite a bit of what we call a MiFi, and it’s a little device, kind of like a cell phone, that is made to be a hotspot for your whole family. Something like that, they tend to be fairly inexpensive. You get them from your wireless carriers, and then you can have it in your car on vacations, so the kids can watch videos in the back seat and things like that at the same time. But you’re also keeping that very, very small as to the people that are connecting to it.
Brian: To your point, the Starbucks and McDonald’s, the hotels, they make it really convenient to log on, but at the same time, I don’t know that everyone truly understands that they’re putting themselves at risk on a regular basis. So I appreciate that information. And so, question number 10, we’ve made it to number 10, and the question is, how secure are online storage services, like Google Docs, Box, Dropbox, etc.? I know they’re convenient, but are they secure?
Chris: I would say that you could make a case that all of them are secure. I think a lot of the security of each one of these comes down to how you leverage it and the practice and the process you’ve put in place around it. From a security diligence practice like the one I mentioned that we did with MarinerGPS, we’ve also done a lot with cloud storage vendors, and so we’re aware of which ones have better capabilities than others. And so it really does matter which one you choose. Understanding which has more certifications and how they position your data, where they’re storing it. Is it staying in the United States? Is it being shipped all over the place? Things like that, you really want to understand.
Chris: But, like I said, strong passwords, two-factor authentication. The data you’re putting up there is the most important part. It’s the same reason you have a fire safe at home. Some of your most important documentation, you store somewhere very, very secure. Maybe that’s a post office box or something. What I’m getting at is, if you sign up for a free account at X storage service, I wouldn’t feel free to store all of your tax returns, with their Social Security numbers and all of that stuff, on it freely. Mainly because when you’re not paying for the service, you can’t be 100% sure that you really own that data. And so you don’t know where that data is being copied to. You don’t know if it’s being destroyed after you don’t use the account anymore. All of those kinds of things.
Brian: Sure. I think that makes sense. I know a lot of people will ask if the cloud is safe. And the reality is, they have a ton of information on their desktop and on their hard drive, and we all know that’s not safe.
Chris: Yeah, it being local, it’s not safe for many reasons, from a compromise perspective, but also from a house fire perspective, losing photos, personal information. Just dropping the computer. It’s irreversible.
Brian: So Chris, thanks for coming in. Thanks for answering the top 10 questions. I really appreciate it. I just have one more question for you. That question is the same question we ask all of our guests. What is the worst financial decision you’ve ever made?
Chris: I have a couple of these I can pick from, but the one that sticks out to me the most is, being a computer guy, I wanted the newest and greatest laptop. They were hard to come by because they only released a few of them. I was 14 or 15 years old. You can’t just go somewhere and pay cash for this laptop, so I had to go buy it online. I think I used eBay or something like that to find this laptop. It looked exactly like I wanted, had all the information that I needed, looked like it came from a reputable seller. I spent the next week talking my dad into, “Hey, let me have your credit card so I can put it into this website to buy this laptop and ship it to me.”
Chris: And he let me do it. He learned his lesson at the same time. What ended up happening is, they didn’t just take my money and leave, they actually processed the shipment of something that weighed the same amount. It was a couple of textbooks that weighed the same amount in a box, and they shipped it to me. It was slow shipping back then. We didn’t have any kind of next-day Amazon Prime. It was like seven to 10 days to get to me. Here I am, waiting, with so much excitement to open this thing. I open it up, and it’s a couple of books.
Chris: And so I call my dad, and my dad calls the credit card company. We reach out to eBay and say, “Hey, this is all happening.” Well, the guy had already taken the money and closed the account. We ended up getting the money back from the credit card. They gave it back to us because, working with eBay, it was a noticeable fraud of exactly what happened. I had to take pictures back then, like real pictures, and send them in an envelope to the credit card company. It was a four-month-long process to get the money back. So it was very painful, and I learned my lesson. Be very, very vigilant of everything that you’re reading and everything you’re putting in to connect it to the internet.
Brian: It’s a great lesson, although a tough one. So where are you with buying your next computer?
Chris: The internet’s a lot safer place now than it used to be, so right back on the horse.
Brian: Chris, thank you very much for your time today. Okay guys. There you have it. Your top 10 questions as it relates to cybersecurity. I hope after listening to this podcast, you’ll be able to make decisions that will protect you from cybersecurity attacks, so you don’t become a victim of the cybercrime that’s out there. As always, if you have questions, email them to email@example.com. If you have feedback, if you have a topic that you’d like to hear about, please don’t hesitate. Go ahead and email us at firstname.lastname@example.org. Thanks for listening, and if you don’t mind, leave a rating on the podcast wherever you listen to the podcast and share your feedback. We know that your time is incredibly valuable, and we hope you find this podcast a worthwhile investment of your time. Thank you for listening.
The views expressed are for commentary purposes only and do not take into account any individual personal, financial, or tax considerations. It is not intended to be personal legal or investment advice or a solicitation to buy or sell any security or engage in a particular investment strategy.
The views expressed are for commentary purposes only and do not take into account any individual personal, financial, legal or tax considerations. As such, the information contained herein is not intended to be personal legal, investment or tax advice. Nothing herein should be relied upon as such, and there is no guarantee that any claims made will come to pass. The opinions are based on information and sources of information deemed to be reliable, but Mariner Wealth Advisors does not warrant the accuracy of the information that this opinion and forecast is based upon.
Mariner Wealth Advisors (“MWA”) is an SEC registered investment adviser. Registration of an investment adviser does not imply a certain level of skill or training. MWA is in compliance with the current notice filing requirements imposed upon registered investment advisers by those states in which MWA maintains clients. MWA may only transact business in those states in which it is notice filed, or qualifies for an exemption or exclusion from notice filing requirements. Any subsequent, direct communication by MWA with a prospective client shall be conducted by a representative that is either registered or qualifies for an exemption or exclusion from registration in the state where the prospective client resides. For additional information about MWA, including fees and services, please contact MWA or refer to the Investment Adviser Public Disclosure website. Please read the disclosure statement carefully before you invest or send money.