How to Keep Your Money Safe From Hackers – Millennial Revolution


Wanderer
Photo courtesy of PublicDomainPictures.com

Last week, an article appeared on The Globe And Mail about an unfortunate case of a customer of Questrade who lost $70,000 after her trading accounts got hacked.

In early January, Megan Tong lost around $70,000 after hackers logged into one of her self-directed investment accounts, cashed in all her holdings and briefly bought and sold tens of thousands of dollars worth of two Chinese stocks.

But Ms. Tong’s discount brokerage, Questrade Financial Group Inc., has declined to reimburse her for most of the loss, saying it didn’t result from a breach of its system. Instead, the company has described the hack as a likely phishing attack, which isn’t covered by its online security guarantee.

A Questrade client lost $70,000 in a cyber crime. What happened next shows a growing risk for investors, TheGlobeAndMail.com

This prompted a flood of anxious emails asking us whether Questrade was still a safe place to keep their money, and what we were doing to keep our money safe.

The short answer is yes, Questrade has the same online security guarantees as any other Big 6 Canadian bank. However, no bank can guarantee your security if you make a mistake that gives an attacker the keys to your vault.

So I thought this would be a good time to talk about how to keep your online financial accounts safe.

Because I’m a FIRE blogger who regularly posts my net worth on the internet, I attract more hacking attempts than the average person. Every month I get a report of all the digital break-in attempts from hackers in Russia, Iran, China, North Korea, etc., usually numbering in the hundreds. This site, my bank accounts, and my trading accounts are constantly under assault by people trying to steal my FIRE portfolio. So far, none have succeeded, and here’s how I do it.


Always Type – Never Click

Questrade’s response referenced a phishing attack, which is when an attacker sends you an email with a link to a fake version of your bank’s website designed to steal your password when you log into it.

Gone are the days where you could tell that a website was fake because the layout looked weird, or the text had typos in it. Modern phishing attacks have gotten so sophisticated that you can’t visually tell anymore.

And the worst thing about a phishing attack is that if your account gets breached, you don’t know. There’s no skull-and-crossbones that comes up and says “YOU’VE BEEN HACKED” or anything; the account is just invisibly compromised, with a backdoor created for an attacker to exploit later at a time and place of their choosing. It could be months later that they choose to use it to steal your money, and by then you will have no idea what you did wrong, as the person featured in the Globe & Mail article describes.

When it comes to logging into anything important, whether it’s email, your bank, or your brokerage account, get into the habit of pulling up a new browser tab and typing the name manually, every time. I don’t even rely on bookmarks anymore, because those can be hacked too.

Don’t Do Anything Financial on Public Wifi

Public Wifi at cafes has been a boon to digital nomads like us, but it’s also a honeypot for hackers.

A compromised router can act as a listening device on your internet traffic, and can even do everything a phishing attack does, even if you don’t click any suspicious links.

If you’re tech savvy enough, a Virtual Private Network (VPN) can be used to ensure your connection is secure even if the router is spying on you, but for the average internet user, I would recommend simply not logging into any financial site on a public Wifi connection – ever.

Instead, connect your laptop to the hotspot on your phone and use your cell connection. Alternatively, wait until you’re back home to do any trading. You don’t want the dude sitting behind you to know how much money you have anyway.

Have Unique Passwords

What makes a good password? Is it the length? Is it its cleverness? Is it a reference to some obscure song that you loved as a kid?

No. This is what a good password looks like.

xi$jcGrXJ#4YB9D6&jHb

A 20+ character, random, completely garbled string of letters, numbers, and special characters that means absolutely nothing to you or anyone else in your life. These are the passwords that can’t be guessed, and each account you have should have a different password.

Hackers don’t try to steal passwords directly from banks that often because banks have the budgets and IT staff to defend against such attacks. They go after non-financial sites like Reddit or Discord, hoping that if they get the password to that account, the same password might work for your bank.

In order to keep track of all your passwords, you’ll need a password manager like LastPass or 1Password. These services also handle generating secure passwords for you, as well as filling them into each site you log into.
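To put numbers on the advice above, here is an added example (not the post’s own code, and not how LastPass or 1Password do it internally) that generates the kind of 20+ character random password described, guarantees every character class is present, and computes how many bits of guessing entropy it carries compared with a short lowercase-only password. The special-character set is an assumption chosen to be accepted by most sites.

```python
import math
import secrets
import string

# Character classes the post recommends mixing: letters, digits, specials.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIALS = "!#$%&*+-=?@^_~"          # assumed set; conservative so most sites accept it
ALPHABET = LOWER + UPPER + DIGITS + SPECIALS   # 76 symbols


def has_all_classes(pw: str) -> bool:
    """True if the password contains at least one char from every class."""
    return all(any(c in cls for c in pw) for cls in (LOWER, UPPER, DIGITS, SPECIALS))


def generate_password(length: int = 20) -> str:
    """Draw `length` chars with the `secrets` CSPRNG (never `random`), and
    re-draw until every class is present so the result is never, say, all letters."""
    if length < 4:
        raise ValueError("need room for one char of each class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def is_reused(pw: str, other_passwords) -> bool:
    """The post's rule: each account gets its own password, so flag any reuse."""
    return pw in set(other_passwords)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(20):.0f} bits")            # ~125 bits
    print("8 lowercase letters:", f"{entropy_bits(8, 26):.0f} bits")  # ~38 bits
```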

Hardware Token Based 2FA

You’ve probably been told to activate two-factor authentication (2FA) at some point, and many of you likely have, thinking that it makes your account more secure.

Here’s a dirty little secret. If you’re using your phone number to receive text codes as your 2FA method, and I find out your phone number, I can probably break into your bank account.

The text message system was never designed to be used to get into bank accounts. As a result, there are security holes large enough to drive a truck through, and crucially, those security issues are so dispersed over so much infrastructure that there’s no way to fix them.

With just your phone number, an attacker can eavesdrop on your phone calls, read your SMS messages, and even track your location. And there’s absolutely nothing you can do to prevent this, because the issue isn’t on your phone. The vulnerability is in the backbone of how telecom companies communicate with each other. Here’s a writeup of how this attack works for the tech-savvy.

The solution is to not use phone numbers for 2FA. Instead, I use a Yubikey.


A Yubikey is a USB stick-like device that you can buy for about $50 USD / $70 CAD. After setting it up, you tap the key against the back of your phone and it generates a 6-digit login code for you. The codes are stored on the key itself rather than on your computer or your phone, meaning they can’t be stolen by hacking, a virus or any other software-based method. In order for someone to get my code, they’d have to gain physical access to the key itself.

Not every bank or brokerage supports a Yubikey, but Questrade does. It’s often listed as “Authenticator app” or something similar.


What If My Bank Doesn’t Support Hardware Tokens?

Of course, the big problem with this is that most banks only support SMS-based 2FA, which, as we’ve discussed, isn’t very secure at all.

Even worse, many of these banks allow you to reset your password by sending a code to your phone, so if I know your phone number, I can intercept your SMS, which means I can reset your password, which means I can break into your account. A fellow finance blogger friend lost over $100k like this, and the attacker even tried to blackmail them afterwards to get their accounts back. The FBI had to get involved and it was a mess.

So how do I deal with banks that only support SMS-based 2FA?

Simple.

I keep the business I do with them extremely limited. I might have a credit card account with them, or a checking account with a few hundred bucks so I can use their ATMs, but my rule is that if a bank leaves their backdoor open to hackers, I’m not trusting them with my money.

Conclusion

Security is always a trade-off between safety and convenience, and admittedly, my approach to cyber security is a bit extreme, as FIRECracker likes to remind me as she curses the gauntlet of codes she has to put in whenever she needs to access our financial accounts. But even she has to admit that there’s no way a hacker is getting into our accounts. Because she can barely get in most days.

But because of who we are, and the size of the FIRE portfolio we control, for us these added security measures are worth it.

How do you keep your accounts safe? How much do you consider overkill? Let’s hear it in the comments below.
