
How to protect your funds from hackers – Millennial Revolution

Wanderer
Photo courtesy of PublicDomainPictures.com

Last week, an article was published in the Globe and Mail about the unfortunate case of a Questrade client who lost $70,000 after their trading account was hacked.

Megan Tong lost about $70,000 after a hacker got into one of her self-guided investment accounts, cashed in all of her shares, and briefly bought and sold two Chinese stocks worth tens of thousands of dollars.

But Ms. Tong’s discount brokerage firm Questrade Financial Group Inc. refused to repay most of her losses, saying they were not caused by a violation of its system. Instead, the company described the hack as a possible phishing attack, which is not covered by its online security guarantee.

Questrade customers lost $70,000 in cybercrime. What happened next shows growing risks for investors, globeandmail.com

This has sparked a lot of anxious emails asking if Questrade is still a safe place to keep money and what we are doing to keep our funds safe.

The short answer is yes, and Questrade has the same online security guarantee as Canada’s top 6 banks. However, if you make a mistake, there is no bank that can guarantee your security.

So, I think this will be a good time to talk about how to keep your online financial account safe.

Because I am a FIRE blogger who often posts our net worth on the internet, I attract more hacking attempts than the average person. Every month, I receive a report on digital break-in attempts from places like Russia, Iran, China, North Korea, etc., usually numbering in the hundreds. This site, my bank account and my trading account are constantly being attacked by people trying to steal my FIRE portfolio. So far, none of them has succeeded, and here is what I do.

Always type – never click

Questrade’s response cites a phishing attack, which is an email sent to you by an attacker with a link to a fake version of the banking website designed to steal your password when you log in.

You might think you can tell that a website is fake because the layout looks weird or there are typos in the text. But modern phishing attacks have become so sophisticated that you can’t tell visually.

The worst thing about phishing attacks is that if your account is compromised, you won’t know. No skull and crossbones appears saying “you have been hacked” or anything. The account is just invisibly compromised, with a backdoor created for attackers to exploit at the time and place they choose. A few months later, they choose to use it to steal your money, and by then you won’t know what you did wrong, as in the case described in the Globe and Mail article.

When logging in to anything important, whether it’s your email, your bank or your brokerage account, get used to opening a new browser tab and manually typing the site’s name every time. I don’t even rely on bookmarks anymore because they can be hacked as well.

Don’t do any finance on public wifi

The public wifi in cafes is a boon for digital nomads like us, but it is also a tempting target for hackers.

A compromised router can act as a listening device for your internet traffic and can even do all the same things as a phishing attack, even if you don’t click on any suspicious links.

If you are tech-savvy enough, a virtual private network (VPN) can be used to keep your connection secure even if the router is monitoring you, but for the average internet user, I would recommend never logging in to any financial website on a public wifi connection.

Instead, turn on the hotspot on your phone and connect your laptop through it. Also, wait until you get home to make any transactions. You don’t want the guy sitting behind you to know how much money you have.

Have a unique password

What makes a good password? Is it length? Is it cleverness? Is it a quote from some obscure song you liked as a kid?

No. This is a good password.

XI$JCGRXJ#4YB9D6&JHB

A 20+ character, random, total mess of letters, numbers and special characters that means absolutely nothing to you or anyone else in your life. These are passwords that cannot be guessed, and each account you have should have a different one.

Hackers don’t try to steal passwords directly from banks, because banks have the budgets and IT personnel to defend against such attacks. They go after non-financial sites like Reddit or Discord, hoping that if they get your password for that account, the same password might work for your bank.

To keep track of all these passwords, you need a password manager such as LastPass or 1Password. These services can also generate secure passwords for you and fill them in on each site you log in to.

2FA based on hardware tokens

You may be told to activate two-factor authentication (2FA) at some point, and many of you may think it makes your account more secure.

Here is a dirty little secret. If you use a phone number to receive text codes as a 2FA method and I find your phone number, I might be able to break into your bank account.

The SMS system was never designed to guard access to a bank account. As a result, there are security holes big enough to drive a truck through, and, crucially, these security issues are spread across so much infrastructure that they cannot be fixed.

With just your phone number, an attacker can eavesdrop on your calls, read your SMS messages, and even track your location. Besides, there is absolutely nothing to stop this, because the problem is not on your phone. The vulnerability is in the backbone of how telecom companies communicate with each other. Here is an article on how this attack works technically.

The solution is not to use a phone number for 2FA. Instead, I use a YubiKey.

A YubiKey is a USB-like device that you can buy for $50/$70 CAD. Once it is set up, you tap this key against the back of your phone and it generates a 6-digit login code for you. These codes are stored on the key itself, not on your computer or phone, meaning they cannot be stolen by hackers, viruses, or other software-based methods. In order for someone to get my code, they have to get physical access to the key itself.

Not every bank or broker supports Yubikey, but Questrade does. It is usually listed as an “authenticator application” or something similar.

What if my bank does not support hardware tokens?

Of course, the biggest problem is that most banks only support SMS-based 2FA, which, as we discussed, is not very safe at all.

Worse, many of these banks allow you to reset your password by sending a code to your phone, so if I know your phone number I can intercept your SMS, which means I can reset your password, which means I can break into your account. A friend of a finance-blogger friend lost over $100,000, and the attacker even tried to blackmail them over their accounts. The FBI had to get involved; it was a mess.

So, how do you deal with banks that only support SMS-based 2FA?

Simple.

The business I will do with them is very limited. I might have a credit card account, or a checking account with a few hundred dollars in it so I can use their ATMs, but my rule is that if the bank leaves its backdoor open to hackers, I won’t trust them with my money.

In conclusion

Security is always a trade-off between safety and convenience, and, of course, my approach to cybersecurity is a bit extreme, as FIRECracker likes to remind me when she curses the codes she has to come up with whenever she needs to access our financial accounts. But even she must admit that hackers will never get into our accounts, because even for her it’s almost impossible to get in most days.

But because of who we are, and the size of the FIRE portfolio we control, these added safety measures are worth it.

How do you keep your accounts safe? How much do you consider overkill? Let’s hear it in the comments below.

