How to Keep Your TSP Account Secure in the Era of COVID-19


Scammers and fraudsters are taking advantage of the novel coronavirus pandemic to target online financial accounts. 

The first Thursday of each May marks “World Password Day.” While not terribly noteworthy in years past, this year scammers and fraudsters are using the novel coronavirus pandemic as an additional means to target our online accounts and financial lives during the national lockdown and expanded work-at-home policies. Password security is just one element to consider when thinking about holistic online security practices.

Financial accounts in particular are being targeted during the pandemic. According to the Financial Services Information Sharing and Analysis Center, scammers and fraudsters set up an average of 66 financially themed COVID-19 fraudulent domains per day in late March. While most have been proactively taken down, the organization estimated in its mid-April report that hundreds were still active. The FBI similarly reported a spike in reports to its Internet Crime Complaint Center in March and April, many of which were related to COVID-19 fraudulent activity.

Fortunately for participants, TSP administrators have taken proactive measures to reduce the threat to account holders. The most important change came in December 2019, when administrators made “two-factor authentication” mandatory for all participants to access their online accounts. Also in late 2019, administrators quietly contracted with a brand monitoring firm to actively watch for fraudulent online activity targeting TSP participants. This was a prescient move in light of increased fraudulent activity during the pandemic. 

However, account security is a shared effort: In addition to the efforts TSP administrators undertake to protect account holders, there are proactive measures TSP participants can take to further enhance the security of their personal TSP accounts. 

First, use unique and strong passwords across all personal and work accounts. This would seem to be an obvious precaution, but studies show that a surprising number of people continue to use the same or similar passwords. For example, according to an April “Psychology of Passwords Report,” published by the password manager LastPass, 44% of respondents to a survey said they use the same or similar passwords for their online accounts. 

Reusing passwords is a particular security weakness because leaked or stolen user ID and password combinations are posted, shared and sold on the dark web and elsewhere. Given the many high-profile leaks and breaches over the years, hundreds of millions of user ID and password combinations are available. Using this data, hackers and bots can try out a variety of known user ID and password combinations in what is called “credential stuffing” to attempt to gain access to a given site. Apart from representing a potential attack vector against one’s TSP and other financial accounts, reuse of the same or similar passwords creates a multifaceted security problem in one’s personal digital life: An attacker could also get access to email, cable, social media, or other accounts that could in turn be used to gain access to financial accounts. 

A password manager can help individuals create, use and monitor strong and unique passwords. Password managers can help in three major ways: They can generate long and truly random passwords; most password managers proactively monitor the billions of leaked user IDs and passwords that might match those in your account; and, when integrated into your browser, they can differentiate an authentic account URL from a fake website that is part of a phishing attempt.  

Next, use two-factor authentication on every account you own that offers it, in addition to sensitive accounts where it is mandatory. Also, be sure to control access to your social media accounts to guard your personal information. This way attackers can’t gain access to less-protected sites that might still have sensitive personal data that could be used in a social engineering attack against better-protected accounts. In essence, the attacker tries to gather as much information about you as possible to try to trick a customer service representative into thinking he or she is you. 

Unfortunately, using an SMS/cell-based second factor has vulnerabilities as well. While text message authentication is better than no second factor at all, attackers can use what are variously called “SIM swap” or “SIM hijacking” scams to steal or otherwise gain access to a user’s phone number and text messages to reset other accounts. There are a variety of approaches an attacker can take, including insider access at a telecom company or the use of social engineering in claiming to be the “victim” of cell phone theft. In 2019, Twitter founder Jack Dorsey had one of his text-to-tweet accounts hijacked reportedly due to SIM swapping, for example.  

Thus, maintaining the security of your email and cell phone accounts and associated SIM cards is critical for enhanced TSP account security. At a minimum, in addition to having a strong and unique password for your cell phone account, users should enable passcodes for their cell phone accounts and for individual SIM cards. These are different from the passcodes used to gain physical access to your phone. If you ever use your account passcode when engaging with telecom customer service personnel, change the passcode immediately afterward.

For increased protection, use non-SMS second factors or even “universal second factor” authentication on all accounts where this is allowed. You can use an authenticator app such as Google Authenticator or Authy, associated with your account, that generates one-time passcodes as a second factor instead of SMS-based texts. For even more secure accounts, you can use physical keys such as Yubico’s Yubikey, Google’s Titan, or Purism’s Librem Key to protect your accounts that allow universal second factor-based authentication. When secured this way, most accounts allow users to remove their cell numbers as a second factor, thus denying attackers the ability to reset account access using SIM swapping or other means of requesting an account reset via SMS.

Some services allow users to activate recovery codes for their accounts. This enhances the security of one’s account and decreases the possibility that attackers can use social engineering to gain control over your account. Apple and Microsoft are two such services that provide users with recovery codes. But beware: Use multiple universal second factor keys and/or authenticators and keep recovery codes in a safe place, because if you lose access to your non-SMS second factor and recovery code, you could be locked out of your accounts for an extended amount of time. 

For further protection of accounts that rely on SMS-based texts as a second factor, participants can use a non-SIM-based cell number. There is an increasing number of digital services that provide non-SIM-based numbers for calls and texting, such as Google Voice numbers. This way SIM-swapping becomes a moot attack vector. Just be sure that that account, as well as any email accounts tied to it, are secured by strong passwords and second factors that are not in turn associated with a SIM-based cell phone number.

Lastly, take care to secure both the physical devices and networks you use to access sensitive accounts. This includes maintaining the latest security and software updates on your devices and networks and using devices and networks that you trust. If you must use a public network or one over which you have little control, you should also consider using a virtual private network (VPN) to keep your network activity safe from prying eyes.  

Ultimately, just as we try to reduce the risk of catching or transmitting coronavirus via social distancing and other measures, so too can we proactively take the above steps—as well as monitoring one’s credit and signing up for ID theft insurance—to mitigate the risk of becoming a victim of fraud or phishing, both during the pandemic and after. 

W. Lee Radcliffe is the author of “TSP Investing Strategies, 2nd Edition,” from which this article was excerpted. The views expressed in the article are his own. 
