There’s been no shortage of high-profile hacks over the last few years — think Target, Sony and Ashley Madison — but one sector that hasn’t made as much news for breaches is financial. According to the Identify Theft Resource Center, out of the 781 data breaches tracked in the United States in 2015, just 71 were banking-related.
While that may be welcome news to the millions of people who use financial websites and apps, that number is rising, jumping by about 50 percent from the year before. And with more people using everything from personal finance applications and robo-advisor sites to fraud-detection programs and mobile wallet software, we’ll likely see more hacks in the future.
“There’s a huge amount of benefit to leveraging technology to bring insights to your account, but there’s always a risk when you start to consolidate all of that information into one program,” said Kennet Westby, co-founder and president of Coalfire, a Westminster, Colorado-based cybersecurity advisory that has a number of financial clients.
Generally, apps and websites from banks and other well-known financial institutions are considered fairly safe from intrusion, in part because they have the money to spend on security. Reportedly, Bank of America will spend $400 million in security this year alone, while other banks are also spending copious amounts of money to keep their virtual walls secure.
However, even big security budgets can’t always prevent a major hack. In 2014, JPMorgan Chase was the target of one of the largest breaches in American history. Hackers broke into its network and stole data — names, email addresses and phone numbers — from 83 million customers. Not surprisingly, the company has increased its cybersecurity budget this year, from a reported $250 million to $500 million.
Of course, not all financial companies have such big security budgets. Many start-up companies don’t have the resources to throw at security nor the many decades of history in trying to keep client money safe, said Westby.
For instance, in 2010, Blippy, a social-media-meets-financial site that allowed people to share credit card purchases with other users, was found to have accidentally leaked some of its customers’ credit card information on Google. The company shut down a year later.
While Westby thinks that consumers should use financial apps and sites, they also need to be aware of what they’re using and what kind of information they’re sharing online.
Read the fine print
It’s unlikely you’ll find a company that says it has no security, so it’s up to the user to make sure the company is protected.
Start by reading the company’s security and privacy disclosures, which should be somewhere on their site, said Westby. You want to be able to get a sense of how they’re managing their security and privacy programs and what kind of responsibility they’re willing to take if a breach occurs.
The next step is to look at the company’s security certifications. A payments card company, for instance, should have the PCI certification, which is given out by a Qualified Security Assessor under the PCI Security Standards Council program.
Other financial institutions might be audited and certified under the Federal Financial Institutions Examination Council (FFEIC). Mint, the personal finance app, is certified through the TRUSTe Privacy Seal Program, which is another popular data privacy management company.
Finally, make sure the company’s privacy and security programs have been validated by a third party. The big four accounting firms do this, said Westby, as do businesses like Trustwave, Verizon and Coalfire.
“You don’t want the company to just say, ‘We’re secure. Trust us,'” said Westby. “You want someone to validate that they’re actually doing it.”
Embrace the longer logins
The companies that do have proper security measures will be encrypting all your sensitive data — they convert information into a complex code that’s difficult to decipher — but for privacy experts, that’s not enough. Companies should also use two-factor authentication for customer logins, according to Adam Levin, chairman and founder of IDT911, a Montreal-based security solutions company, and author of “Swiped.”
When a site doesn’t recognize the device you’re using, it should ask you a series of questions to verify that you are the user of the account. It may also send a code to a trusted device, like an email address or mobile phone. Essentially, it’s adding another layer of authentication beyond a login and password.
Many companies still don’t do this — it can be an annoyance for customers, he noted — but it will soon become standard procedure. And users should embrace it, he explains. One extra step goes a long way in keeping your information secure.
Most financial breaches don’t actually happen at the company level, said Levin. Since security is generally strong, hackers tend to hoodwink customers into handing over login passwords or sensitive data.
Read more about it here: http://cnb.cx/2b96EC8
The Family Law Guru is dedicated to providing aggressive, compassionate as well as being cost effective representation in the area of Family Law. For more information please call me at (909) 481-5350 or visit my website https://thefamilylawguru.com/