Scammers and fraudsters are taking advantage of the novel coronavirus pandemic to target online financial accounts.
The first Thursday of each May marks “World Password Day.” While not terribly noteworthy in years past, this year scammers and fraudsters are using the novel coronavirus pandemic as an additional means to target our online accounts and financial lives during the national lockdown and expanded work-at-home policies. Password security is just one element to consider when thinking about holistic online security practices.
Financial accounts in particular are being targeted during the pandemic. According to the Financial Services Information Sharing and Analysis Center, scammers and fraudsters set up an average of 66 financially themed COVID-19 fraudulent domains per day in late March. While most have been proactively taken down, the organization estimated in its mid-April report that hundreds were still active. The FBI similarly reported a spike in reports to its Internet Crime Complaint Center in March and April, many of which were related to COVID-19 fraudulent activity.
Fortunately for participants, TSP administrators have taken proactive measures to reduce the threat to account holders. The most important change came in December 2019, when administrators made “two-factor authentication” mandatory for all participants to access their online accounts. Also in late 2019, administrators quietly contracted with a brand monitoring firm to actively watch for fraudulent online activity targeting TSP participants. This was a prescient move in light of increased fraudulent activity during the pandemic.
However, account security is a shared effort: In addition to the efforts TSP administrators undertake to protect account holders, there are proactive measures TSP participants can take to further enhance the security of their personal TSP accounts.
First, use unique and strong passwords across all personal and work accounts. This would seem to be an obvious precaution, but studies show that a surprising number of people continue to use the same or similar passwords. For example, according to an April “Psychology of Passwords Report,” published by the password manager LastPass, 44% of respondents to a survey said they use the same or similar passwords for their online accounts.
Reusing passwords is a particular security weakness because leaked or stolen user ID and password combinations are posted, shared and sold on the dark web and elsewhere. Given the many high-profile leaks and breaches over the years, hundreds of millions of user ID and password combinations are available. Using this data, hackers and bots can try out a variety of known user ID and password combinations in what is called “credential stuffing” to attempt to gain access to a given site. Apart from representing a potential attack vector against one’s TSP and other financial accounts, reuse of the same or similar passwords creates a multifaceted security problem in one’s personal digital life: An attacker could also get access to email, cable, social media, or other accounts that could in turn be used to gain access to financial accounts.
A password manager can help individuals create, use and monitor strong and unique passwords. Password managers can help in three major ways: They can generate long and truly random passwords; most password managers proactively monitor the billions of leaked user IDs and passwords that might match those in your account; and, when integrated into your browser, they can differentiate an authentic account URL from a fake website that is part of a phishing attempt.
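The third of those points, shown as an added example (not from the article or from any password manager's code): a minimal Python sketch of origin-bound autofill. The vault entry and every hostname are constructed placeholders, and exact-origin matching is an assumption; real products apply their own matching rules.

```python
from urllib.parse import urlsplit

# Constructed vault: saved origin -> credential label (all names hypothetical).
VAULT = {("https", "accounts.example.gov", 443): "retirement-account login"}

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return (scheme, host, port) for a URL, or None if it cannot be parsed."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # lowercased; excludes any "user@" prefix in the URL
    if scheme not in DEFAULT_PORTS or not host:
        return None
    try:
        # Convert internationalized names to ASCII (punycode) so a look-alike
        # character can never compare equal to the saved ASCII hostname.
        host = host.encode("idna").decode("ascii")
        port = parts.port or DEFAULT_PORTS[scheme]
    except (UnicodeError, ValueError):
        return None
    return (scheme, host, port)


def credential_for(url):
    """Offer a saved credential only on an exact HTTPS origin match."""
    o = origin(url)
    if o is None or o[0] != "https":
        return None  # never fill on plaintext HTTP or unparseable URLs
    return VAULT.get(o)


if __name__ == "__main__":
    # Constructed page URLs: one genuine, the rest imitations.
    for page in [
        "https://accounts.example.gov/login",
        "http://accounts.example.gov/login",
        "https://accounts.example.gov.login-secure.example.net/",
        "https://accounts.example.gov@phish.example.net/login",
        "https://acc\u043eunts.example.gov/login",  # Cyrillic "o"
    ]:
        print(page.encode("unicode_escape").decode(), "->", credential_for(page))
```

A person reading the address bar can miss each of the four imitations; the string comparison does not, which is why an empty autofill prompt on a familiar-looking page is itself a warning sign.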
Next, use two-factor authentication on every account you own that offers it, in addition to sensitive accounts where it is mandatory. Also, be sure to control access to your social media accounts to guard your personal information. This way attackers can’t gain access to less-protected sites that might still have sensitive personal data that could be used in a social engineering attack against better-protected accounts. In essence, the attacker tries to gather as much information about you as possible to try to trick a customer service representative into thinking he or she is you.
Unfortunately, using an SMS/cell-based second factor has vulnerabilities as well. While text message authentication is better than no second factor at all, attackers can use what are variously called “SIM swap” or “SIM hijacking” scams to steal or otherwise gain access to a user’s phone number and text messages to reset other accounts. There are a variety of approaches an attacker can take, including insider access at a telecom company or the use of social engineering in claiming to be the “victim” of cell phone theft. In 2019, Twitter founder Jack Dorsey had one of his text-to-tweet accounts hijacked reportedly due to SIM swapping, for example.
Thus, maintaining the security of your email and cell phone accounts and associated SIM cards is critical for enhanced TSP account security. At a minimum, in addition to having a strong and unique password for your cell phone account, you should enable passcodes for your cell phone account and for individual SIM cards. These are different from the passcodes used to gain physical access to your phone. If you ever use your account passcode when engaging with telecom customer service personnel, change the passcode immediately afterward.
For increased protection, use non-SMS second factors or even “universal second factor” authentication on all accounts where this is allowed. You can use an authenticator app such as Google Authenticator or Authy, associated with your account, that generates one-time passcodes as a second factor instead of SMS-based texts. For even more secure accounts, you can use physical keys such as Yubico’s Yubikey, Google’s Titan, or Purism’s Librem Key to protect your accounts that allow universal second factor-based authentication. When secured this way, most accounts allow users to remove their cell numbers as a second factor, thus denying attackers the ability to reset account access using SIM swapping or other means of requesting an account reset via SMS.
Some services allow users to activate recovery codes for their accounts. This enhances the security of one’s account and decreases the possibility that attackers can use social engineering to gain control over your account. Apple and Microsoft are two such services that provide users with recovery codes. But beware: Use multiple universal second factor keys and/or authenticators and keep recovery codes in a safe place, because if you lose access to your non-SMS second factor and recovery code, you could be locked out of your accounts for an extended amount of time.
For further protection of accounts that rely on SMS-based texts as a second factor, participants can use a non-SIM-based cell number. There is an increasing number of digital services that provide non-SIM-based numbers for calls and texting, such as Google Voice numbers. This way SIM-swapping becomes a moot attack vector. Just be sure that that account, as well as any email accounts tied to it, is secured by strong passwords and second factors that are not in turn associated with a SIM-based cell phone number.
Lastly, take care to secure both the physical devices and networks you use to access sensitive accounts. This includes maintaining the latest security and software updates on your devices and networks and using devices and networks that you trust. If you must use a public network or one over which you have little control, you should also consider using a virtual private network (VPN) to keep your network activity safe from prying eyes.
Ultimately, just as we try to reduce the risk of catching or transmitting coronavirus via social distancing and other measures, so too can we proactively take the above steps—as well as monitoring one’s credit and signing up for ID theft insurance—to mitigate the risk of becoming a victim of fraud or phishing, both during the pandemic and after.
W. Lee Radcliffe is the author of “TSP Investing Strategies, 2nd Edition,” from which this article was excerpted. The views expressed in the article are his own.