I often write about using various online and computer-based tools and services to help simplify and manage your personal and financial life.
These can be very helpful and convenient, but they also carry the risk of being compromised in some way. Even mishandling physical documents, such as account statements you receive in the mail, can lead to problems.
I have a friend who was recently the victim of identity theft. He started receiving credit cards in the mail that he did not sign up for. He doesn't know exactly how it happened, but it was presumably the result of a hack of an online merchant or other entity that he had a relationship with.
Fortunately, he caught it soon enough to avoid serious damage, but it will still take a fair amount of time and effort to sort things out.
Given the prevalence of this kind of thing, I thought an article about physical and digital asset security and how I handle that for my own stuff (that's a technical term for passwords, important documents, account information, backup files, online information managed by others, etc.) might be helpful.
This article may get a little detailed, but I have tried to simplify things as much as possible to help you determine what actions you may need to take to better protect yourself. My friend's experience has actually caused me to think more about this and also to reevaluate a few things.
This is important stuff
This is a very important topic. Most of us manage a lot of our financial affairs online. In fact, a 2013 study by the Pew Research Center found that 85% of adults in the U.S. use the Internet, and of those, 61% bank online.
You are probably a lot like me. I use Quicken for online bill-pay and to manage my various bank accounts. I use USAA's online brokerage service to manage my IRA. I have online access to my 401k at work. I use some of my bank's online services, such as transferring money to a family member. I use PayPal to make and receive online payments. I use Amazon to order "stuff." My church even offers "online giving", although I still prefer giving by check. The list goes on and on.
The percentage using online banking is probably even higher now due to increased smartphone usage and mobile banking capabilities. In fact, a 2014 study by the Federal Reserve found that 39 percent of adults with both mobile phones and bank accounts reported using mobile banking — a 33 percent increase in usage from 2013.
So, a lot of us bank, shop, and communicate using a variety of devices and networks. I don't know about you, but it's hard to imagine life without these things. But with these new capabilities and conveniences comes increased risk.
As adoption and usage have increased, so has the number and severity of security breaches. Findings from another survey by the Pew Research Center show that:
- 18% of online adults have had important personal information stolen such as their Social Security Number, credit card, or bank account information. That's an increase from the 11% who reported personal information theft in July 2013.
- 21% of online adults said they had an email or social networking account compromised or taken over without their permission. The same number reported this experience in a July 2013 survey.
According to a 2016 Identity Fraud Study, $15 billion was stolen from 13.1 million U.S. consumers in 2015, compared with $16 billion and 12.7 million victims a year earlier. In the past six years, identity thieves have stolen $112 billion!
This all means that we must focus on doing all we can to protect our physical and digital assets, especially in what I will call two main "areas of concern."
Areas of concern
For individuals and families, there are two major areas of concern. I will discuss the first in this article and the second in a follow-up article (Part 2).
- The physical (paper) and digital (electronic) assets (passwords, files, etc.) that you manage and control in physical files or electronically on your own personal devices (computers, tablets, smartphones, etc.).
- The personal information (name, address, phone numbers, account numbers, card numbers, etc.) that you have shared with others (mainly online entities) that you do not directly manage or control.
Both of these are vulnerable to being stolen or hacked, which can result in identity theft and other fraudulent activities. You obviously have more control over the first area than you do the second, but there are things you can do to protect yourself in both.
Assets you directly control
Currently, other than basic computer security and backups, I have three major things that I give special attention to: my IDs/passwords, my Quicken file, and a few financial and legal documents, both paper and electronic, that I want to keep private and safe. You may have some similar things or others.
I use a fire/water safe for physical storage and three major software components for digital security and storage: LastPass, OS X Disk Utility (for encryption), iCloud, and to a lesser extent, Dropbox. (I have other online, cloud-based services that I use, such as Evernote and Google Drive, but I do not keep sensitive or private content there – I use them more as productivity and content management tools.)
Let's go more in-depth for each of these things…
Protecting your physical assets
With all the attention being given to electronic asset protection, it would be easy to overlook the paper documents you handle virtually every day. However, they can be the target of identity thieves – in fact, some would argue that we are more at risk because of what is in our mailboxes and trash than from what is stored on our computers or in the cloud.
Snail mail and trash snoops
Many of the pieces of paper that you receive in the mail or discard in the trash present a risk for identity theft. Identity thieves need access to personal information such as names, birthdates, social security numbers, and other account numbers, any of which may be on the paper that you handle. That's why every home probably needs a good paper shredder.
I use a medium-quality/priced shredder made by Fellowes, but there are lots of them out there. Some may prefer a business-quality shredder. I don't shred everything that I throw away, just anything containing what I would consider proprietary information in it – things such as bills, account statements, etc. You should absolutely shred anything with birth dates, account numbers, card numbers, and especially social security numbers.
Another way to help address this problem is to go paperless for as many of your accounts as you can. Paper documents are very easy to steal or lose, depending on how you manage them. Digital documents give you more options. You can easily delete them or electronically file them.
As I write this, the eastern part of the state I live in (NC) is still recovering from the effects of Hurricane Matthew. Flooding has been the biggest problem, and as we all know, water can wreak havoc on both electronic devices and paper documents.
Most of us have things like birth certificates, passports, insurance contracts, vehicle titles, wills, etc., which are all examples of sensitive and important things that you need to manage in or near your home. Yet these items are vulnerable to a number of common threats: fire, flood, theft, and loss.
A popular way to protect these things was to rent a safe deposit box at your local bank. But that isn't necessarily the easiest or most flexible and cost effective way. In addition to the annual cost, you are subject to the bank's rules and timetable for getting access to your documents.
I used to have a safe deposit box (it was free because I worked for a bank), but now, instead, I employ a dual system of hardened home-based storage (a small fire and water safe) plus secure online storage, which I discuss further in the file encryption section below.
I use a small, older, fire and water proof safe from Sentry, which offers a wide range of waterproof and fireproof safes that can provide protection for documents, CDs, memory sticks, and . Some of their older, smaller models have been discontinued, but for a few hundred dollars you can get a safe that can safely store multiple file folders, computer media, and other small items.
But by far the most reliable way to protect your important documents these days is to convert as many of them as possible to digital form and save them in the "cloud."
Digital asset protection
This is more multi-faceted, mainly because we have to think about device, password, and file management, and how to keep all these things safe and secure.
Basic computer/device protection
I currently have 5 different computer devices that I manage: 2 computers (home and work), an iPad, a Google Chrome laptop, and an iPhone. I also have an external drive for back-ups. My wife has 2 devices, so together we have 7. Your family may have more or less, especially if you have children.
That is a lot of devices to look after, but there are some basic things we all should do to secure them and protect our digital identities. They fall into the category of 'safe' computing: keeping software (especially the OS) updated; using anti-virus and anti-malware protection and running regular scans; not clicking on unknown links on the web and in email; and not responding to requests for personal information, especially from suspicious emails (called "phishing").
Most of us have multiple online accounts, including financial ones, and one of the biggest security issues that everyone deals with is password security. Ideally, our passwords will be long and complex. They should also be different for every account so that if one is hacked, the others aren't compromised. We should also change them often.
All that sounds great, but it's hard to do in practice. I find it hard to memorize one "long and complex" password, let alone lots of ever changing ones for multiple purposes.
That's where the password management software LastPass comes into play. There is a free version, but I have been using their premium service ($12 per year) for several years now. (You can compare the features of a Free account versus a premium account at https://lastpass.com/features_compare.php. If you use your tablet or smartphone a lot to access secure websites, I recommend the premium version.)
You could use a built-in password vault product like Keychain (for Mac) that encrypts the information and saves it on iCloud, or the password manager that comes with Microsoft Edge, which is part of Windows 10. With a built-in password manager, you can save your credentials and then access them from any device to log in to your websites.
But LastPass (and similar systems, such as KeePass) will memorize any passwords you enter, and it can also randomly generate those long, complex passwords for you and store them so that you can look them up when you need them. Using LastPass, you don't need to remember them, so making them unique for each account and changing them frequently isn't really a problem.
I use a LastPass "plug-in" for the Google Chrome browser on all of my devices, and it will automatically fill in my login information for me, even if I have forgotten the password. I have to be logged in to LastPass for it to function.
You will need to make sure that your LastPass "master password" isn't easily hackable and also that you can remember it, so that you can log in to LastPass to look up the others.
Your LastPass password is the key to your password kingdom, so you need to make it as safe as possible. Make it long – at least 12 characters. Some experts say that a long word phrase is harder to hack, but you may want to include upper and lower case characters, a few special characters, and some numbers. To make mine easy to remember, I base it off of a memorable phrase. To make it harder to crack with a dictionary attack, you may want to misspell some of the words in the phrase.
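To make the two ideas above concrete (a unique, randomly generated password per account, and a long word phrase as the master password), here is an added Python example; it is not part of the original article and is not how LastPass itself works internally. The function names, the short sample word list, and the 7,776-word list size used in the comparison are assumptions made for illustration.

```python
import math
import secrets
import string

# Character pool for random passwords: letters, digits and punctuation (94 symbols).
POOL = string.ascii_letters + string.digits + string.punctuation

# Constructed sample word list, far too short for real use; the estimate below
# assumes a real passphrase list of 7,776 words (an assumption, not from the article).
SAMPLE_WORDS = ["copper", "meadow", "lantern", "orbit", "velvet", "thimble",
                "harbor", "quartz", "saddle", "pepper", "glacier", "walnut"]


def generate_password(length=16):
    """Random password with at least one lower, upper, digit and symbol."""
    if length < 4:
        raise ValueError("length must be at least 4 to fit every character class")
    while True:  # rejection sampling: retry until every class is present
        pw = "".join(secrets.choice(POOL) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def generate_passphrase(n_words=6, words=SAMPLE_WORDS, sep="-"):
    """Passphrase of n_words drawn independently and uniformly from words."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices, picks):
    """Upper estimate in bits when `picks` items are drawn uniformly from `choices`."""
    return picks * math.log2(choices)


def passwords_for(accounts, length=16):
    """One independent password per account, so one breach exposes only one login."""
    return {name: generate_password(length) for name in accounts}


if __name__ == "__main__":
    for name, pw in passwords_for(["bank", "email", "shopping"]).items():
        print(f"{name:10s} {pw}")
    print(generate_passphrase())
    print(f"12 random characters: {entropy_bits(len(POOL), 12):.1f} bits")
    print(f"6 words from 7,776:   {entropy_bits(7776, 6):.1f} bits")
    print(f"6 words from sample:  {entropy_bits(len(SAMPLE_WORDS), 6):.1f} bits")
```

The last three lines show why the size of the word list matters: six words picked at random from a large list are roughly as hard to guess as twelve random characters, while six words from a tiny list are not.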
You can use the LastPass database for more than just passwords. You can store bank card numbers, driver's license numbers, social security numbers, frequent flyer program IDs, insurance IDs, critical phone numbers, and other identifiers.
As long as I have access to my LastPass database, I can get to any information I store there. But this means that I have to keep my LastPass password extremely safe – long, complex, and changed frequently. I never share it with anyone or write it down anywhere, except in my "Final Letter", which my family would need in case I'm incapacitated or deceased.
I keep that document in an encrypted and password-protected file on my computer and also stored in iCloud, as well as a paper copy locked in a fire safe in my house along with my will and other documents.
File encryption and backup
After password security, the next step in my information security process is to encrypt select files (e.g., Quicken files, financial and legal documents, etc.). This one is a little trickier.
If you are a Windows PC user, you will need to purchase a file encryption program unless you are running Windows 10 Professional. A good option used to be a free open source product, TrueCrypt, but it is no longer supported. But there are alternatives, such as two freeware products based on the TrueCrypt code, VeraCrypt, and CipherShed, as well as quite a few other commercial and open-source products.
If you are a Mac user, then you are in luck. OS X software comes with built-in file encryption software. The OS X Disk Utility can encrypt drives and volumes, and this can easily be done by right-clicking a file, series of files, or a folder and selecting "Compress." Or, you can create a new encrypted image with password protection. That is the method I use for two encrypted files on my Mac that I also save to iCloud. One is a file where I store all my Quicken and TurboTax files. The other is one where I store any documents that I want to keep private.
You may be thinking, "gee, if I use something like LastPass and VeraCrypt, my security problems will be solved." But what if you need access to any of those encrypted files when you are away from your computer? Or what if your computer's hard drive is destroyed? The answer to that is to use a public cloud storage service, in my case Apple's iCloud.
iCloud is, of course, Apple's cloud drive and synchronization service. There are others, such as Google Drive, Amazon, and Dropbox. I have iCloud loaded on all my Apple devices. (It can also be installed on a Windows PC.) iCloud and the others use varying levels of encryption while synchronizing data across your devices and where it is stored on their servers, so there is a level of protection built-in.
One big concern is what if something happens to both me and my wife since I have all those important files password encrypted? To mitigate that, I back up the encrypted files to an unencrypted thumb drive that is stored in a safe place. Those files include a lot of sensitive information like old TurboTax tax returns, but they don't include passwords that could be used to access my accounts. Those are only stored in encrypted form in LastPass.
Finally, you may want to consider an identity theft monitoring service, such as LifeLock, or an identity theft insurance policy like the one offered by Zander Insurance (also recommended by Dave Ramsey). I have the latter because the focus is on the very difficult task of cleaning up after an identity theft has occurred.
No matter what you do, the threats will remain, and it is impossible to protect yourself against every one of them. But by doing some basic things, and doing them consistently, you can better position yourself and your family against them.