These are some general notes and a suggested checklist on information security and privacy as they relate to the financial information you, as an investor, should consider. They came from a general discussion between investors about “How much of your financial information do you allow on the cloud?”
TL;DR
- Require 2FA on your Bank and eMail accounts
- Use a password manager tool and follow its recommendations
Background
Data that is truly secure is data that is inaccessible to anyone, you included. The internet is all about accessing information easily. You may notice these things are opposites.
You can of course go far more extreme and attempt to keep your finances offline entirely, but this only exchanges one set of risks for another.
Your financial information is stored in many places. Keeping that information private is an exercise in risk management, not risk elimination.
Your information is not totally private today. Large retail conglomerates already know much about you and track you between their stores.
Who has copies of at least some of your financial records / behaviors today –
- Retailers – anywhere you shop
- Bank / Credit Card companies
- Govt Tax Office
- Employer
- Brokers / Agents / wherever they store their data and backups
- Accountants / Lawyers / wherever they store their data and backups
- Lands Offices / Local Government
- Property Information Companies
- Utilities – Water, Electricity, Council etc.
- Loyalty cards / Frequent Flyer programs
- Google / Facebook
- Financial aggregators
This is mostly thinking about how to
a) Keep your financial accounts from being misused
b) Keep some information moderately confidential.
This is not about identity theft, which is a larger more complex topic.
Financial Account Access
If it is important – then a password alone is insufficient protection.
You MUST have 2FA (Two Factor Authentication) on these accounts at a minimum.
- Banking / Brokerage
- email address used for Banking or Banking Recovery
- Google or Apple account for your Phone
- Cloud storage used for financial records / data
- Password Manager – Lastpass, Onepass etc.
Many products rely on your primary email address to contact you for password resets. This means if your mailbox is compromised, someone could reset your financial passwords. This is why 2FA is needed on the email account you use for this function.
The problem with 2FA is it works. Recovery from losing your token can be difficult or even impossible. Sorry, security nearly always makes things harder for everyone, attackers and users.
I would recommend planning for account recovery before you need it. It’s much more difficult after things have gone wrong. This will also show you where you might have weaknesses.
| Account | Password Recovery | 2FA Auth | 2FA Recovery Method |
|---|---|---|---|
| me@somewhere.com | | Google Authenticator | |
| bank 1 | me@somewhere.com | YubiKey Token | Contact Bank |
This space is relatively new and still developing.
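The inventory in the table above can be checked mechanically for the weaknesses it is meant to expose: accounts with no second factor, accounts with a second factor but no way to recover it, resets that route through a mailbox without 2FA, recovery accounts that were never inventoried, and recovery chains that loop. This is an added example, not part of the original notes; the `Account` class, the `audit` function and the two rows marked as constructed are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Account:
    name: str
    recovery: Optional[str]      # account a password reset is sent to
    tfa: Optional[str]           # second factor in use, if any
    tfa_recovery: Optional[str]  # what you do if that second factor is lost


def audit(accounts: List[Account]) -> List[str]:
    """Return a list of weaknesses found in a recovery inventory."""
    by_name = {a.name: a for a in accounts}
    findings = []
    for a in accounts:
        if not a.tfa:
            findings.append(f"{a.name}: no 2FA")
        elif not a.tfa_recovery:
            findings.append(f"{a.name}: no 2FA recovery method recorded")
        # Follow the password-recovery chain: whoever controls any account
        # in this chain can reset a.name, so each link needs 2FA too.
        seen = {a.name}
        cur = a
        while cur.recovery:
            if cur.recovery in seen:
                findings.append(f"{a.name}: recovery chain loops back to {cur.recovery}")
                break
            nxt = by_name.get(cur.recovery)
            if nxt is None:
                findings.append(f"{a.name}: recovery account {cur.recovery} is not in the inventory")
                break
            if not nxt.tfa:
                findings.append(f"{a.name}: resettable via {nxt.name}, which has no 2FA")
            seen.add(nxt.name)
            cur = nxt
    return findings


# The two rows from the table above, plus two constructed rows to show findings.
INVENTORY = [
    Account("me@somewhere.com", None, "Google Authenticator", None),
    Account("bank 1", "me@somewhere.com", "YubiKey Token", "Contact Bank"),
    Account("broker 1", "me@somewhere.com", None, None),                 # constructed
    Account("super fund", "old@example.invalid", "SMS", "Contact fund"),  # constructed
]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```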
If you have no choice other than a password, follow these rules
- Use a random password generator with more than 16 characters
- Use a password manager tool
- Use a separate password for each application / website
If you have the option to turn on alerts for transactions or logins, so that you get an SMS or email, this can help reduce fraud.
Consider all places where you have things of financial value or credit stored, including Frequent Flyer accounts, Superannuation etc.
Stored Data
Nothing can be kept entirely confidential. If it is connected to any network, at any time, it is at risk.
I do not consider “the cloud” to be of significantly different overall risk than any other data storage. Whilst some risk areas are increased, others are decreased, resulting in an overall risk that is equal or potentially lower.
The largest risk driver I see today is not the location of storage, but ease of connectivity. If data is more accessible to you, then it is likely more accessible to bad guys. If you take lots of backups to prevent data loss, those extra copies increase the likelihood of someone accessing your information.
If you do the following steps, you will reduce your overall net risk. Every action you take introduces potential new risks, the trick is to reduce overall exposure.
You should –
- PC / Mac
  - Run the latest operating system, with all patches and updates. Don’t be cheap here.
  - 3rd party anti-malware / security tools are not recommended – stick with the built-in tools from your OS vendor.
  - Encrypt your backups. Be careful where you store the key.
  - Encrypt your computer. Be careful where you store the key.
  - Be careful with storing data on USB disks.
- Cloud storage is generally as secure as the account used to access it
  - Use 2FA and strong passwords
  - Use a separate password for every website
  - Use a password manager tool
  - Use well known providers and stay aware of risks
  - Read up on the vendor’s security options
- Phone / Tablet devices are often quite secure from the factory. For average users, Apple devices tend to be more secure than Android.
  - Enable find my device
  - Enable backups
FYI – Biometrics are surprisingly insecure. They are not secret (e.g. you leave your fingerprints everywhere). They cannot be changed when stolen (well, you will run out of fingers to cut off after 9). They work well only in very specific circumstances. Do not consider biometrics a replacement for passwords.
The reason biometrics are effective with your phone is that the device itself is the second factor authenticator. You cannot use your fingerprint with Apple, only with that device.