Archive for the ‘On-line accounts’ Category

When Your 401K Gets Hacked

Monday, March 11th, 2013

When Bill Foster’s 401K account was emptied and he lost over $40,000 he did what a lot of us might do: he sued the company managing his funds.  But the verdict was rendered a few months ago: the company is not responsible.  It’s his fault since he failed to file a change of address, and someone else used the information she received (by snail mail, at his old address) for accessing his account.

In another case in 2007 a man lost $179,000.  He was hacked by a cybercriminal, but it was also concluded there was no liability on the part of the fund company.  Fortunately for him, investigators were able to recover the funds before they were wired out of the country.  Unfortunately for the rest of us, cybercriminals are much smarter today than they were in 2007.

In the first instance, Bill had moved out of his home a few months before the 401K fund managers sent a letter to his home with details on how to access his accounts.  His estranged (soon to be ex) wife opened the letter and used his Social Security number to reset his password and receive a new pin.  Bill only discovered she had drained his account the following year.  Although clearly his ex-wife’s actions were fraudulent, Bill is considered liable (more…)

Add Your Own Security – say yes to the “s”

Monday, August 13th, 2012

Here’s a tip I haven’t heard from anyone except my CISSP study-buddy, Amir.  He manages global IT for a big company, so he’s smart about these things.  I tell everyone about it now because it’s very easy, makes you safer, and it’s not obvious.  I hope it won’t be long before it’s not necessary, but right now it’s still a great idea for those of you who engage in on-line banking, or are toying with the idea of adding such an app to your cell phone.

First, you’ve all seen this part of a web page address, whether it’s in an ad or at the top of your browser:


for example,

and you may or may not have noticed that sometimes you get this one instead, and it looks just a little different:


for example,

What’s the difference between these two sequences, kids?  That’s right, the second one has an extra “s”!  And what does that stand for?

Some of you know it has something to do with security, which is good, because when I asked my writer friend Deb she asked, “maybe they ran out of ‘http’ and need to add ‘https’?”

This is not a bad guess.  But, it’s completely wrong.

What the little “s” is telling you is that the site you are accessing is more secure.  It is making sure you are who you say you are by conducting what we call a handshake between the computer you are using and the website.  Part of that includes encrypting the information which flows between the two of you so that no one else along the way can read it.

Doing this makes certain types of attacks much harder to carry out*.  So anytime you are providing data which is at all sensitive, make sure the site you are going to is “https” and not only “http”.

Sounds like a good idea, right?  But how is this done?

Believe it or not, all you have to do is go up to your browser and add in the “s” to the address, and refresh (hit “Enter”).  This will redirect you to the secure version of the site if that company has one.   Many companies maintain both an http and an https version.

Easy, right?  But if more security is better, then why have a non-secure website at all?  The simple answer is that https isn’t free, so if it’s not necessary most sites don’t implement it.  For example, Google has an http version for the unwashed masses (and the rest of us, when we’re goofing off and checking celebrity gossip) but they will automatically switch you to https when you go to check your Gmail account.  Amazon will allow you into their http to browse, but of course when you make a purchase you end up on https.  This is how the majority of sites operate.  They try to protect you, so in most cases you’ll be alright.  But when it’s especially critical, keep an eye out for the s!



* it will protect you unless your system is already infected, so never conduct on-line banking from a public terminal!

Darn Security Questions and the Day I Wished for More Numbers

Tuesday, June 19th, 2012

How many of you have been locked out of an on-line account at least once?  Everyone, right?

It happens after trying too many passwords.  Maybe because SOMEONE was multi-tasking with the caps-lock on.

Of course we can always call and ask the security police to retrieve it.  Two weeks ago I had to do this, and along the way I glimpsed a whole new level of security interrogation.  My experience went something like this:

“Name of your first pet?”

Hmm, I wonder: do I count Gerry the gerbil, even though he was actually my brother’s?  Or what about the stray tabby we fed every day when we lived in Chevy Chase?  I’m not sure so I settle on “Fritz”, the fluffy French poodle Grandma gave us, who unfortunately only lasted three weeks.  But my security wench with the Indian accent doesn’t like this answer and skips to a question about cars.

“What was your first car?” (more…)