Updated October 9, 2023

The value of your money to an attacker is straightforward—there is literal financial value assigned to your bank accounts, credit cards, cash apps, physical cards, and cash. An attacker’s goal would be to try to funnel that money out of your account.
List the apps and accounts that you use to access things that have monetary value to you. If there are any risks you’re worried about, put them down too.
To get us started, here are some common scenarios involving access to your money. Included here are risks that you may not have thought of at first—but that we’ll have to protect:
Scenario: You access your banking and credit cards mostly online.
Accounts: Your bank’s and your credit card’s online payment systems.
Risks: These accounts could be compromised or data leaked, and an attacker could transfer money.
Scenario: You use SMS messages on your phone to log into your financial accounts or to approve transfers. Your bank uses text messages and email to confirm your identity before giving access to your bank account.
Accounts: Your online account with your cell phone carrier.
Risks: Even if you have strong authentication with your bank, an attacker might trick your telephone provider into transferring your service to a different phone (with a different SIM card) and gain full access to a financial account.
Scenario: You have a few devices that you use for financial services.
Accounts: Everything you use on your phone(s), tablets, and laptops.
Risks: You access and stay logged into these accounts from a device that you let your family and friends use. You or your family may take a device to school or other public places, where it may be lost or stolen.
Scenario: You send cash to friends using cash and payment apps that are linked to your bank account or credit cards.
Accounts: PayPal, Venmo, iMessage (Apple), etc.
Risks: If your PayPal or Venmo account isn’t secured, your money isn’t safe either. Your password could be guessed, or you may lose your phone and someone can use the app to make payments from your bank account.
Scenario: You have online accounts where you manage financial assets, like retirement, investments, stock, or cryptocurrency.
Accounts: Retirement and investment accounts like Vanguard, Fidelity, Carta, and Coinbase.
Risks: Each of these accounts could get compromised and financial assets could be sold or transferred. Especially for unregulated markets like cryptocurrency, it may not be possible to get these assets back once they are gone.
Scenario: Your salary is deposited directly into your bank account. You manage your pay slips and salary data online through your business’s online HR system.
Accounts: Your company’s HR system, like Gusto or Paychex.
Risks: Each of these accounts could get compromised, which could result in your direct deposit information being changed or your personal information getting leaked. These changes can go unnoticed if the business doesn’t verify them with you in person, or if they are tricked by a phishing message. These accounts also often hold tax information that could be used for tax fraud. If you are an administrator, this risk extends to all the employees you manage.
Scenario: You have physical debit or credit cards with chips that allow you to pay effortlessly in person. You have a phone that also works for contactless payment (NFC).
Accounts: Major credit cards, Apple Pay, your smart watch.
Risks: You may forget these or they may be stolen, and you’ll need to disable them and get replacements. An attacker could make multiple contactless transactions, each below the amount that requires a PIN.
Scenario: The passwords for all these services are in four or five different places.
Accounts: Some passwords are in Google Chrome on your laptop, some in Apple Keychain and iCloud on your phone, and a few on Post-its by your desk.
Risks: It’s hard to remember where each password is, so you’re afraid to update them. A few are not in secure locations, and if those are compromised, the consequences could be dire. Some passwords are used for multiple accounts, so if one is compromised an attacker could get into the others.
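The inventory exercise at the top of this section and the password scenario just above both come down to the same check: which accounts share a password, which are kept somewhere insecure, and which rely on an SMS second factor that a carrier account takeover could defeat. The script below is an added example, not part of the book; the inventory format, the field names, and the sample entries are all constructed for illustration. Passwords are never compared in plaintext: each entry carries a salted-hash fingerprint, which is enough to spot reuse.

```python
"""Audit a personal account inventory for the risks described in this section.

Added example (not from the book). The inventory layout, the field names
and the sample entries below are assumptions made for this illustration.
"""
import hashlib
from collections import defaultdict


def fingerprint(password: str, salt: str = "inventory-audit") -> str:
    """Short salted hash used to detect reuse without storing the password.

    Two accounts with the same password get the same fingerprint; the
    fingerprint alone does not reveal the password.
    """
    return hashlib.sha256((salt + password).encode()).hexdigest()[:16]


# Storage locations the book calls out as insecure (Post-its, plain notes).
INSECURE_STORAGE = {"post-it", "plain text file", "notes app"}

# Constructed sample inventory: account, where its password lives, the
# second factor it uses, and the password fingerprint. Sample passwords
# are placeholders; "sample-pw-1" is deliberately reused on two accounts.
INVENTORY = [
    {"account": "Bank", "storage": "Chrome", "mfa": "sms",
     "pw_fp": fingerprint("sample-pw-1")},
    {"account": "Credit card", "storage": "Keychain", "mfa": "app",
     "pw_fp": fingerprint("sample-pw-2")},
    {"account": "Venmo", "storage": "Post-it", "mfa": "none",
     "pw_fp": fingerprint("sample-pw-1")},
    {"account": "Vanguard", "storage": "Keychain", "mfa": "hardware key",
     "pw_fp": fingerprint("sample-pw-3")},
    {"account": "Carrier", "storage": "Post-it", "mfa": "none",
     "pw_fp": fingerprint("sample-pw-4")},
]


def audit(inventory):
    """Return a list of (account, issue) findings for the inventory."""
    findings = []
    accounts_by_fp = defaultdict(list)

    for entry in inventory:
        accounts_by_fp[entry["pw_fp"]].append(entry["account"])

        # Passwords written on Post-its or kept in plain files can be read
        # by anyone with access to the desk or the device.
        if entry["storage"].lower() in INSECURE_STORAGE:
            findings.append((entry["account"],
                             "insecure storage: " + entry["storage"]))

        # SMS codes are only as strong as the carrier account that routes
        # them; a SIM transfer redirects every code to the attacker.
        if entry["mfa"] == "sms":
            findings.append((entry["account"],
                             "SMS second factor: exposed to SIM transfer"))
        elif entry["mfa"] == "none":
            findings.append((entry["account"], "no second factor"))

    # One leaked password opens every account that shares it.
    for accounts in accounts_by_fp.values():
        if len(accounts) > 1:
            findings.append((", ".join(accounts), "password reused"))

    return findings


if __name__ == "__main__":
    for account, issue in audit(INVENTORY):
        print(f"{account}: {issue}")
```

Run it over your own list and work through the findings in order of consequence: the carrier account first (it guards every SMS code), then any reused password, then anything living on a Post-it.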
If the list of examples above looks scary—well, it is. But don’t panic. It’s these risks that this part of the book is here to help you with.
Your devices carry an inherent security risk themselves. That risk can also change depending on their environment. Risk is like a temperature scale. For example, if you are logging into your PayPal account to check your recent incoming payments, the risk goes from cold to hot in these situations:
Using your desktop computer at home (cold, lowest risk)
Using your mobile device on a partially full train (cool, low risk)