
Cybersecurity is about your wallet! Protect your account passwords, watch out for phishing emails and scam text messages, check your bank statements regularly, install reputable security software, and don't do sensitive operations on public networks.

Business lawyer (5 answers)
Hey everyone, cybersecurity is super important for your financial health, but it doesn't get talked about enough. I'm not going to pretend there's one perfect way to do this, but here's what I've learned. Keep in mind, this is mostly to keep everyday hackers out, not some super-targeted attack. Basically, you need to prevent getting hacked in the first place, and monitor things so you know *if* you get hacked.

A common way hackers get in is through website data breaches. They steal your info, like passwords or credit card details, and then use it against you. You can check if your email's been compromised. But honestly, assume your info is already out there – that's the safest way to think.

**Passwords:** The big problem? People reuse the same passwords *everywhere*. You need a unique, strong password for *every* site. Since remembering those is impossible, use a password manager like LastPass. It'll create and store those passwords for you. The *only* passwords you should memorize are for LastPass itself, your email(s), and your computer. What if LastPass gets hacked? Don't worry, your data is generally safe because they don't hold the key to decrypt it, you do (your main password). Experts agree that using a password manager is safer than not using one, *even* with potential risks. Just do it.

**Two-Factor Authentication (2FA):** 2FA makes it way harder for someone to hack your account if they only have your password. But the usual 2FA methods (email, text) can be tricked. Scammers might call pretending to be your bank and get you to read them the code sent to your phone, then use it to steal your money. Or, they could do a "SIM swap," convincing your phone company to switch your number to their phone. The best solution? Security keys, like YubiKeys or Google's Titan keys. These are physical devices that generate a code. They work with Google, Facebook, Vanguard, Reddit, LastPass, and tons more. Unfortunately, a lot of banks don't support them yet. Security keys are super secure, as someone needs to physically steal the key. Get two, in case you lose one! If you have LastPass Premium you can use these security keys for extra security.

**Protecting the "Root":** "Root" access means access to *everything.* In this case, think of your email as "root" because you can usually reset passwords from there. I suggest using Gmail with their Advanced Protection Program and security keys. This makes your email almost impossible to hack. If you lose *both* keys, you'll have to wait a few days for Google to verify you. The great part about security keys is that even if a hacker gets into your email, they *still* can't bypass the security key 2FA on other accounts. I also recommend having *two* email addresses: one public, one private. Use the public one for social media, newsletters, job applications, etc. The private one *only* for financial accounts (banks, brokerages, credit cards). Never give it out. This makes it way harder for someone to guess your financial email. Ideally, use a separate, cheap computer only for your financial stuff, but that's getting pretty extreme. Both Gmail accounts should have unique, strong passwords *that you memorize*, not store in a password manager.

**Protecting Everything Else:** For all other accounts, use your password manager for a strong password and turn on 2FA (security key if possible). You never know which account might leak info that helps a hacker. Even something like your college account might have tax forms with your social security number.

**Financial Information:** Protecting your SSN is almost impossible today. If you've used credit, it's probably out there. If you don't need to use your credit soon, freeze it with all the major credit bureaus. Also, set up credit monitoring so you know if someone opens an account in your name. It's a shame, but there's not much you can do to prevent your SSN from being compromised. For credit cards, *always* use credit cards over debit cards. It's easier to dispute fraudulent credit card charges. Apps like Apple/Google Pay are even better because they use a one-time code that can't be reused if stolen. Ignore the hype about RFID-blocking wallets – there's never been a confirmed case of someone stealing card info by scanning it in public. The most important thing? Monitoring. Set up text alerts for *every* credit card transaction. This helps you spot fraud instantly. Also, see if your bank lets you set up a challenge/response for phone calls. They might have to give you a code to prove they're your bank, or vice versa. This stops social engineers from tricking you or your bank. But be careful with security questions, a lot of them can be easily found on social media.

**General Device Security:** Lock your phone with a fingerprint, passcode, or pattern. Do the same for your financial apps, so someone can't access them if they steal your unlocked phone. Only install apps from trusted sources. Chromebooks are the safest computers, period. If you don't need a laptop for gaming or video editing, get a Chromebook. Macs aren't necessarily more secure than Windows, but hackers target them less because they're less common. The sketchier stuff you do online, the more likely you are to get hacked. Regular browsing is usually safe. Adult sites or illegal streaming sites can have malicious pop-ups or ads. Torrenting is more dangerous. The dark web is even worse. If you want to do risky stuff online, use a separate, cheap Chromebook *only* for your finances, and don't access those accounts from any other device. Is saving $20 on a video game worth losing thousands? If you're not using a Chromebook, Bitdefender is a decent antivirus option. I'd avoid security software (like Kaspersky) or devices (like Huawei) from Russian or Chinese companies. They're known to have security vulnerabilities. Public Wi-Fi is risky. HTTPS helps, but there are still vulnerabilities. A VPN *might* help, but most free VPNs are terrible.

**Action Plan (Simplified):**

1. Get two security keys (Yubico or similar).
2. Set up a public *and* private Gmail account. Keep the private one secret.
3. Turn on Advanced Protection in both Gmail accounts and link them to your security keys.
4. Get a password manager like LastPass. If you get LastPass Premium (recommended), add your security keys for authentication.
5. Generate new passwords using your password manager for all accounts *except* your email, computer, and password manager itself.
6. Associate all financial accounts (credit cards, banks, brokerages) with your *private* email.
7. Turn on 2FA (with security keys where possible) on *all* accounts, plus login alerts.
8. Turn on text/email alerts for any credit card charges or bank transactions, and credit changes.
9. Lock your phone and your financial apps with a password or other method.
10. (Optional) Freeze your credit.
11. (Optional) Get a cheap Chromebook just for financial transactions.
12. (Optional) Encrypt your phone and hard drives.

This might sound like a lot, but using a password manager with security keys, 2FA, and Gmail's Advanced Protection is the best way to stay safe online. Monitor your accounts, SSN, and credit cards so you know if anything happens. The goal isn't to be unhackable, but to be a difficult target that hackers will just ignore. Nothing will ruin your finances faster than a good hacker!
Answers (5)
Rodriguez (#5)
Regarding:

> As a result, I strongly recommend that if you want to engage in unsafe behavior (i.e. torrenting) on the internet, at least keep a separate $200 Chromebook only for all your finances, and don't access those accounts from any other device.


I'd argue that with that logic, you shouldn't even be putting that Chromebook on the same local network as your other devices. However, VLANs or separate internet pipes aren't exactly simple or cost effective.

One thing you could do though would be to log in to your modem, change the admin password to something strong, disable the wireless features (if it has them), then (if it has at least 2 Ethernet ports on it), connect 2 wireless routers: one (can be a super cheap one) for your Chromebook with a strong WPA2-AES or better password and its own unique/random SSID (this might be the only time disabling broadcast could be beneficial, interestingly enough), and the other for everything else (still use a strong WPA2+ password, and change the default passwords on both routers to something strong and different from each other, the modem, and anything/everything else). If you only have 1 Ethernet port on the back of the modem, a cheap router can easily give you more ports to plug the other two into.

I'll fully admit that it's maybe a bit paranoid, but if you have extra/old routers lying around, could be a nice way to put them to use...
Taylor (#4)
This is really long winded imo but good nonetheless.

1,3,7) These are essentially the same thing. But not everyone wants a security key. Just enable 2FA where possible and enable the best one that is offered in this order (security key, OTP, app notification, email, sms). Unfortunately a lot of services do only SMS still. :P I would recommend NOT to use Google Authenticator as there is no backup/export option say for when you get a new phone or lose it. Something like Authy, Duo, MS Authenticator. Then keep that backed up.

2.) If you use gmail, take advantage of their aliases even if you have a private account. bobbysecure+bank1@gmail, bobbysecure+bank2@gmail, etc. This email goes to bobbysecure@gmail but you know the exact account that is compromised.

4.) There is more out there than LastPass. People have been leaving for services like 1Password and Bitwarden for various reasons. Bitwarden is a good free alternative, or just $10/yr. 1Password still offers local vaults for a flat price of $50 if one would rather avoid the cloud, but make sure to back up your vault!

https://1password.onfastspring.com/1password-7-for-windows

https://1password.onfastspring.com/1password-7-for-mac

9.) Don't ever bank on your phone. Period. The only thing related to banking that should be used is Google Pay, Samsung Pay, Apple Pay. Nothing else. I have spoken.

10.) Not optionally, do it. It's free, easy to do and it's easy to thaw when you need it. https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs



To kinda go along with maybe 5): do not store 2FA backup codes in your password manager. Do not use your password manager as your OTP.

For AV, on Windows just use the built in Microsoft Defender. It is free and it is an excellent product. On Mac, please go buy one.

https://www.av-test.org/en/

Whatever device you do use to do banking, leave that 100% just for that task.
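Taylor's point 2.) above is that a per-provider Gmail alias tells you which provider leaked your address. The helper below is an added example, not Taylor's code, showing how to hand out such aliases and how to attribute a suspicious message back to a provider. It relies on two documented Gmail delivery rules: the part of the local name after `+` is ignored, and dots in the local name are ignored. The mailbox name, the tag registry and the sample addresses are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed private mailbox (hypothetical), the one only financial providers get.
BASE_MAILBOX = "bobbysecure@gmail.com"


def alias_for(base: str, tag: str) -> str:
    """Build a per-provider alias such as bobbysecure+bank1@gmail.com.

    Tags are kept alphanumeric so they survive provider sign-up forms
    that validate the local part strictly."""
    if "@" not in base:
        raise ValueError("base must be a full email address")
    if not re.fullmatch(r"[A-Za-z0-9]+", tag):
        raise ValueError("tag must be alphanumeric")
    local, domain = base.split("@", 1)
    return f"{local}+{tag}@{domain}"


def canonical_gmail(address: str) -> Tuple[str, Optional[str]]:
    """Return (canonical base address, tag) for a Gmail address.

    Gmail delivers bobby.secure+bank1@gmail.com, BobbySecure@gmail.com and
    bobbysecure@gmail.com to the same mailbox, so dots, case and the
    +tag suffix are normalised away; the tag is returned separately."""
    address = address.strip().lower()
    if "@" not in address:
        raise ValueError("not an email address")
    local, domain = address.split("@", 1)
    tag: Optional[str] = None
    if "+" in local:
        local, tag = local.split("+", 1)
    local = local.replace(".", "")
    return f"{local}@{domain}", tag


def attribute_leak(received_to: str, registry: Dict[str, str]) -> str:
    """Given the To: address of a suspicious message and a tag->provider
    registry, report which provider the alias had been given to.

    Three outcomes matter to a defender: the alias maps to a known
    provider (that provider leaked or sold it), the tag is missing
    (the base address itself is exposed, or the sender stripped the
    tag), or the tag is unknown (someone is guessing tags)."""
    base, tag = canonical_gmail(received_to)
    if base != canonical_gmail(BASE_MAILBOX)[0]:
        return "not our mailbox"
    if tag is None:
        return "untagged: base address exposed or tag stripped by sender"
    return registry.get(tag, f"unknown tag {tag!r}")


# Constructed registry: which alias tag was handed to which provider.
REGISTRY = {
    "bank1": "First Bank",
    "brokerx": "Broker X",
    "card2": "Card Issuer 2",
}

if __name__ == "__main__":
    for tag, provider in REGISTRY.items():
        print(f"{provider:15} -> {alias_for(BASE_MAILBOX, tag)}")
    # Constructed sample: a phishing mail arrives addressed to the broker alias.
    print(attribute_leak("Bobby.Secure+brokerx@gmail.com", REGISTRY))
```

One practical caveat: a fair number of sign-up forms reject `+` in email addresses, and some senders strip the tag, so an untagged hit does not by itself prove the base address leaked; it only tells you the tagging scheme was bypassed.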
Jones2 (#3)
Posting in Personalfinance was a brilliant idea. Thank you. For most of those who subscribe here, our biggest risk is financial. Compared to that, Google tracking us is just an annoyance.

Some thoughts - but I could be wrong - what do you think:


- Apps: financial only from (developed by) your financial provider, e.g., bank or broker, and only via the trusted app store. When mobile, always use the app provided by your financial providers rather than a browser.
- Avoid most of the financial services not provided directly by your own bank/broker provider. That means you-are-the-product free services like Mint. Better a bank or broker that can provide similar aggregation as an additional service.
- OS: never do anything financial on Android. It's a dangerous platform. Too many cases of highly sophisticated nonfinancial malware apps.
- Some financial providers have biometric security, such as voice recognition for calls. If it works, it's a terrific feature.
- Have a set of phone numbers for all your financial providers in your contact list. Same with other financial focused organizations like the IRS, Medicare and Social Security. Whenever one of them contacts you via text, email, phone, USPS, always deal with it by initiating a call from that list - even when receiving a call that appears to be from the same number. Or use your app or bookmarked login.
- Email: some financial providers have their own secure email channels that they prefer you to use, e.g., to your assigned broker. When they send emails to you, they also send a notification to your designated public email account. Great feature, but don't access it via clicking on that notification email.
- When mobile and away from trusted networks, turn off wifi at least when accessing your financial apps. Cell might not be perfect but is less risky than untrusted wifi, and VPN is (opinion) a waste for security purposes, often worse than no VPN.
- Freezing credit should be required minimal protection. It's not that difficult to put into place and to deal with when necessary. Also, do not let the credit company trick you into a "credit lock" or any of their paid services. A freeze is better protection because it is required by law and is free. This from Consumer Reports.
GustWind (#2)
Beautiful write up and contribution that drastically reduces risk. There is one more critical component - indemnification in the case of loss. This post looks at awesome preventative steps. Even with that said, losses happen. More below.

Scams have become more efficient and social engineering is helping to get around 2FA. Artificial intelligence is now being used to run scams. Personal bank account scams are becoming more common against individuals along with cell phone providers and quite a few other angles.

The number one cause of loss for cyber claims? Human error. That does not need to be on YOUR END.

What happened during the Equifax breach? People that were not even utilizing the provider had their information breached, so there's proof positive that the compromise does not even need to come on your end. The government isn't stepping in to protect individuals as the FCC has been neutered and is run by an ex-telecom exec. (Personal opinion). The EU and California are at least trying to get data under control. Plenty of other states have legislation pending.

https://haveibeenpwned.com/ runs a search against known data dumps on the darknet or web and if your email is listed in their database, will let you know it's been compromised.

Personal lines policies now have riders/endorsements that can be added to protect against these risks. Things like funds transfer fraud by computer, phone, and mail. Social engineering/phishing where one voluntarily relinquishes money to a third party usually by business/personal email compromise or phone scams.

We are usually talking $100-200 of premium annually for $100,000-$200,000 limits. Protection that costs 1-2% of the assets you are protecting is a BUY.

Risk management is a major component of my profession. Claims have grown 100-300%+ (depending on the source) over the last year and several thousand percent over the last 5 years. I work in commercial lines so I have zero financial interest in sharing this info. I see the claims reports and both the cyber security industry's statistics and the insurance industry's statistics. The market for both commercial lines and personal lines is still very "soft", meaning user adoption is still low and that insurers are fighting to get market share so that the law of large numbers can apply. Until insurers reach critical mass where their risk is significantly diversified, it's going to be a buyer's market. Right now insurers can't command enough premium because they're trying to buy market share, so the strategy has been to continue to improve coverage, which makes this a buyer's market.

Unaffiliated sources that came back after googling "cyber insurance claims":

https://blog.societyinsurance.com/analysis-of-2018-cyber-claims-data/

https://woodruffsawyer.com/cyber-liability/cyber-101-insurance-coverage-2020/

Most pertinent to personal lines: individual owner operators are being targeted. Why? Because their cyber security is lacking and hackers/bad actors are scanning for known exploits like in MS Office 365 before patches were pushed out last year. It's more about vulnerability and ease of committing crime than anything else, so these steps certainly help, but how do you control your data when it's out of your control?
https://www.ttnews.com/articles/trucking-industry-has-become-top-target-ransomware-attacks

Oh and here is what hackers can buy on the darknet for sometimes less than $25.

https://www.komando.com/gadgets/a-hackers-toolkit-shocking-what-you-can-buy-on-dark-web-for-a-few-bucks/426551/
BrightFalcon (#1)
One thing you don't directly address, but which I always recommend:

For security questions/answers, don't focus on the question, focus on having a nonsensical answer. Things like first car model, or town where you met your spouse, or even favourite teacher can be found out. Like, I had 2 teachers in elementary school... it's not actually THAT hard to look up where I went to school, and who was teaching, and take a couple of swings to figure that out.

For every security question, I pick one at random, and then use 1Password to randomly generate a 12 digit alphanumeric string and put that in as the answer. I save this in 1Password as part of the account's settings (1Password has a really nice way to structure this in a Section with Fields). I do 12 digit alphanumeric because a lot of security question fields have length limits and don't accept special characters the way that password fields do. Also, I have on occasion had to provide them over the phone when calling support, and reading out 30 digits of letters, numbers, and symbols is a huge PITA.

I do like the suggestion of having a separate Gmail for sensitive accounts... I wish I had thought of that sooner. I don't particularly fancy going back and switching all those accounts to a new email address, but maybe some boring Saturday I'll get around to it. For now, a strong password + 2FA should do.

If you're still reading /u/ACheetoBandito , I'd love to get more of your thoughts on physical security keys. I've worked in IT for a long time, so they have been on my radar, but they have never truly seemed worth it to me. I was researching them again just last weekend and I can't justify using them. Here are my problems:


- They don't actually work with everything, while 1Password + 2FA using my phone (or computer) does.
- I would prefer Yubico because they're made in the USA (I don't trust Google's Titan made in China). But then I either have to get USB-C to work with my MacBook and phone, or NFC + USB-A so I can use my desktop and phone more easily. Really, I'd have to get both, and then I'd have to carry both all the time to address my various devices. And also have a third as a backup. PITA.
- I already have a physical device (my phone). Let's say someone does digitally swap the SIM, which I think for me is about as likely as someone using an RFID to clone my card, but let's say they do... I'll still get notifications to various secondary accounts of attempted or successful password changes. And since all my passwords are in 1Password, it's not actually enough for them to get my master password, they would also either have to have physical access to my device (and I'm more likely to notice my phone or laptop is missing than to notice a tiny security key is missing), or they would also have to steal my secret key somehow.

That last bullet point hints at my main issue with physical keys: they don't seem to actually provide much more security than 1Password with its master password + secret key approach. It's another layer, sure: an attacker may need 1Password MP + secret key + physical key. But I suspect there's a diminishing return there. The attacker would have already had to steal my phone/laptop (swapping the SIM isn't enough) to access 1Password.


I think the only thing a physical key would improve the security of for me would be my email. It would reduce the chance that someone can get to my email, and then use that to reset passwords. I'm just not sure how vulnerable my email is when I use Google's authentication security with my Pixel phone (I'm not using text 2FA). So I find it hard to justify spending $120 or so for three keys and carrying two of them around all the time, especially because I worry that I might drop or lose one somewhere, or it could potentially be stolen, and because they're tiny I wouldn't necessarily realize it immediately the same way I would immediately know if my phone or laptop was missing.

What do you think? Is there a compelling case to be made for physical security keys?
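BrightFalcon's approach above, random alphanumeric answers for every security question regardless of the question text, with a length limit and no special characters so it can be read out over the phone, is easy to automate. The block below is an added example (not BrightFalcon's or 1Password's code) that generates such answers with the OS CSPRNG, estimates how much guessing resistance a given length buys, and formats an answer in phone-friendly groups. The sample questions are constructed; the numbers in the entropy estimate are straightforward arithmetic, not figures from the thread.

```python
import math
import secrets
import string
from typing import Dict, Iterable

# 62 symbols: letters and digits only, because many security-question
# fields reject special characters even though password fields accept them.
ALPHABET = string.ascii_letters + string.digits


def random_answer(length: int = 12) -> str:
    """Return a random alphanumeric answer of the given length.

    secrets.choice draws from the OS CSPRNG, which is what you want for
    anything that acts as a credential; random.choice would not be."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random string: length * log2(alphabet).

    12 alphanumeric characters give about 71 bits, far beyond what any
    online guessing of a security answer could exhaust."""
    return length * math.log2(alphabet_size)


def fill_security_questions(questions: Iterable[str], length: int = 12) -> Dict[str, str]:
    """Assign an independent random answer to every question.

    The question text is ignored on purpose: the answer carries no
    relation to the real "first car" or "favourite teacher", so nothing
    discoverable on social media helps an attacker."""
    return {q: random_answer(length) for q in questions}


def spoken_form(answer: str, group: int = 4) -> str:
    """Split an answer into hyphenated groups for reading out to support staff."""
    if group < 1:
        raise ValueError("group must be positive")
    return "-".join(answer[i:i + group] for i in range(0, len(answer), group))


if __name__ == "__main__":
    # Constructed sample questions, the kind a provider's form might offer.
    sample_questions = [
        "What was the model of your first car?",
        "In which town did you meet your spouse?",
        "Who was your favourite teacher?",
    ]
    answers = fill_security_questions(sample_questions)
    for question, answer in answers.items():
        print(f"{question}\n  answer: {answer}  (say: {spoken_form(answer)})")
    print(f"entropy per answer: {entropy_bits(12):.1f} bits")
```

Each answer, like a password, belongs in the password manager entry for that account; the generator here only replaces the "think of something nonsensical" step with a uniformly random draw.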