- Jun 24, 2016
How to protect your financial apps from getting hacked:
There's been no shortage of high-profile hacks over the last few years — think Target, Sony and Ashley Madison — but one sector that hasn't made as much news for breaches is financial. According to the Identity Theft Resource Center, out of the 781 data breaches tracked in the United States in 2015, just 71 were banking-related.
[…]
Read the fine print
It's unlikely you'll find a company that says it has no security, so it's up to the user to make sure the company is protected.
Start by reading the company's security and privacy disclosures, which should be somewhere on their site, said Westby. You want to be able to get a sense of how they're managing their security and privacy programs and what kind of responsibility they're willing to take if a breach occurs.
The next step is to look at the company's security certifications. A payments card company, for instance, should have the PCI certification, which is given out by a Qualified Security Assessor under the PCI Security Standards Council program.
Other financial institutions might be audited and certified under the Federal Financial Institutions Examination Council (FFIEC). Mint, the personal finance app, is certified through the TRUSTe Privacy Seal Program, which is another popular data privacy management company.
Finally, make sure the company's privacy and security programs have been validated by a third party. The big four accounting firms do this, said Westby, as do businesses like Trustwave, Verizon and Coalfire.
"You don't want the company to just say, 'We're secure. Trust us,'" said Westby. "You want someone to validate that they're actually doing it."
Embrace the longer logins
The companies that do have proper security measures will be encrypting all your sensitive data — they convert information into a complex code that's difficult to decipher — but for privacy experts, that's not enough. Companies should also use two-factor authentication for customer logins, according to Adam Levin, chairman and founder of IDT911, a Montreal-based security solutions company, and author of "Swiped."
When a site doesn't recognize the device you're using, it should ask you a series of questions to verify that you are the user of the account. It may also send a code to a trusted device, like an email address or mobile phone. Essentially, it's adding another layer of authentication beyond a login and password.
Many companies still don't do this — it can be an annoyance for customers, he noted — but it will soon become standard procedure. And users should embrace it, he explains. One extra step goes a long way in keeping your information secure.
Protect yourself
Most financial breaches don't actually happen at the company level, said Levin. Since security is generally strong, hackers tend to hoodwink customers into handing over login passwords or sensitive data.
One way they do this is through phishing. That's when a hacker sends an email to users that looks nearly identical to something a bank or another company might send out to a user. Either the user clicks on a file that installs data-collecting malware onto a computer or they click a link that takes them to a page where they're then asked to enter their account information.
If you ever get an email from a financial company asking for information, don't click the link, says Levin. "The minute you authenticate yourself, you're not in control of the situation anymore," he said. "If you didn't initiate the contact, then delete the email."
It's also a good idea to have different passwords for your money-related apps and sites. Hackers often steal information from non-financial sites that don't have strong security and then use that password to get into a financial application, since most people use the same login information for every site they visit, said Levin.
Continue reading this article at the link at the top of the page