When you hear ‘two-step’, a certain dance move may come to mind. That two-step may be fun, but a different kind of two-step is becoming critical to your account security. Two-step verification, also called two-factor authentication, is becoming widely available for accounts of all kinds, from Amazon to PayPal to your email service. It adds a step to the login process, beyond the usual username and password, to verify you are really who you say you are and to protect your account from hackers and thieves. It requires ‘something you know’ (i.e. a password), plus ‘something you have’ (like your smartphone or a one-time code generator). That way, even if someone guesses or gets hold of your login information, they won’t be able to log into your account without the second step.
Why is this necessary? One good example is an attempted wire fraud that happened to a DWM client recently. The client had received an email with an attachment from someone he knew. When he opened the attachment, he unwittingly installed malware (malicious software) that gave the would-be thief full access to his email. You may not realize what kinds of data a thief could mine from your sent and filed emails if they can get into your account. It could be enough for them to steal your identity or guess their way into other accounts, especially if you use the same username and password across websites, as many people do. In this case, the thief continued an old email thread to make a wire request, and used the client’s signature block and writing style (including correct spelling and punctuation) to look very legitimate. Fortunately, Schwab instituted a verbal verification protocol a few years ago because these kinds of fraudulent wire requests by email were sharply on the rise, and many attempts had been successful. Furthermore, DWM is familiar with most of our clients’ money movement habits, which adds another layer of security. Anything out of the ordinary sends up a potential red flag and warrants additional verification and scrutiny. We called the client and found out he had not sent the request and wasn’t aware his email account had been hijacked. He immediately reset all his passwords, activated two-factor authentication so the thief couldn’t get into other accounts, and scanned his computer for malware. He is fortunate he didn’t sustain a financial loss or spend countless hours repairing his credit or other accounts.
Another example, of someone who wasn’t so lucky, is Mat Honan. He’s a technology writer who had his whole digital life wiped out in less than an hour by hackers who did it just for fun. With a little social engineering and information that was available on the internet, his laptop and phone were remotely wiped (including irreplaceable family pictures), and he lost his online document storage, his social media accounts, his email history, you name it. If the hackers had been financially motivated, they could have easily ordered things through his Amazon or Apple account linked to his credit card, or worse. (You can see the full story here, but I don’t recommend reading it before bed; it may give you nightmares.)
Based on the above examples, you can see how two-factor authentication has become a necessity. And it’s really not that difficult, although there are several ways websites achieve the ‘something you have’ step:
If you log in from a phone, tablet, or computer that you haven’t previously verified, they may text you a single-use code to log in.
Other sites use an app like Authy or Google Authenticator (free for smartphones), which creates a new code every 30 seconds.
A few sites, such as Schwab, use a physical code generator that looks like a small key fob, which generates a new 6-digit code every time you log in. To request a free security token, simply call 800-435-4000. Besides the protocols in place to prevent fraudulent wires, Schwab has a security guarantee which covers 100% of any losses from a Schwab account due to unauthorized activity.
A list with links that will take you to the right place for each website can be found here: https://twofactorauth.org/. As I started this process myself, I was shocked by how many websites I use were on the list that I hadn’t even thought of.
Putting this extra layer of security in place may be a small inconvenience, but it’s nothing compared to the inconvenience of losing your digital life or identity.