Video: Obermeyer Wood March 2022 Virtual Event - Personal Cybersecurity Workshop
For our March 2022 Obermeyer Wood Virtual Event, we were grateful to host a cybersecurity workshop and panel discussion led by Charlton Rugg, Chief Compliance, Legal, and Technology Officer at Obermeyer Wood. The panel featured senior technology consultants Erin Donham from Charles Schwab & Co. and Jared De Soto of TD Ameritrade Institutional. The event focused on cybersecurity best practices designed to keep users safe in an increasingly complicated digital world, and you can view a recording of the full event by clicking the play button below. Additionally, if you would like to continue your education on personal cybersecurity, check out the resources available at SchwabSafe.
Brian Brady:
It's great to see everyone. My name is Brian Brady. I'm a client advisor and director of marketing at Obermeyer Wood. And welcome to our March virtual event. I think I counted, this is our 22nd event since March of 2020. And again, as I said before, happy Saint Patrick's Day. So today's event is going to be a workshop and panel discussion on personal cybersecurity.
Brian Brady:
My colleague Charlton Rugg, our chief compliance, legal and technology officer, will introduce the panel and event topics in just one moment. And I did want to point out, since we are doing a panel with our guests and with Charlton, we've actually pinned their photos, or their videos, to the top of the screen.
Brian Brady:
It's a little different than what we've done in the past, but we just think it's a better way for you guys to kind of stay focused on the discussion. Thank you to those of you who pre-submitted your questions. We really do appreciate that. It really helps us kind of tailor the discussion to the topics that seem to be most top of mind to you.
Brian Brady:
We will have live Q&A so as questions come up, which I'd imagine they will, feel free to put them in the chat function at the bottom of the screen. We should have about 10 to 15 minutes depending on how long the panel goes. But just also keep in mind if we do get a lot of questions, I'll kind of try to group the questions together and ask a broad question so that we make sure everybody's topic gets covered.
Brian Brady:
One last thing before we start, we are recording this event and it should be up on our website in the coming days. So if you have friends or family that you think would benefit from watching it, it should be up on our website by Monday afternoon. So with that, I would now like to introduce my colleague Charlton Rugg.
Brian Brady:
Charlton directs the legal, compliance and technology programs at Obermeyer Wood Investment Counsel. He has extensive experience in securities regulation and law. And before joining Obermeyer Wood, he founded C. A. Rugg Advisory Services, a Denver-based private law practice.
Brian Brady:
His previous positions include serving as senior counsel in FINRA's Enforcement Department, as an Assistant U.S. Attorney in the District of New Jersey's U.S. Attorney's Office, and as an associate at Simpson Thacher & Bartlett in New York City. So Charlton, thanks for hosting the panel today, and I'll let you take it from here.
Charlton Rugg:
Well, thank you, Brian. And thanks to all of you for joining us today. Thanks of course, to Erin and Jared for being with us and being our panelists. I will introduce them a little more in just a sec. Before I do, I wanted to just touch on Obermeyer Wood's sort of philosophy and practices around cybersecurity.
Charlton Rugg:
We know that it's important to you as our clients, you trust us to keep your information safe, and we take that responsibility very seriously. We do a number of things that help us in that regard. One is vetting our service providers. We take that vetting process very seriously. We want to see what they are doing to keep your information safe.
Charlton Rugg:
We use best in class service providers like Salesforce for instance, as our CRM. Salesforce spends a lot of time, effort and money to keep the information we trust them with safe. It's an existential risk to Salesforce as a company and they take it very, very seriously. And so when we choose a company like that, we get a lot of comfort from it.
Charlton Rugg:
Obviously, Charles Schwab is our partner tonight in this event and is another industry-leading company on cybersecurity and other matters. We also use best practices like using password managers, using forced two-factor authentication for the resources we make available to our people, and we do all these things in order to keep our clients' information safe.
Charlton Rugg:
I believe that our security posture is in a better position than it was when I joined the firm five years ago. I also believe there's always room for improvement and in fact, this event is part of our ongoing efforts to get better. We're presenting this to you tonight.
Charlton Rugg:
And over the next couple of months, we at Obermeyer Wood are going to be working with Erin and Jared to assess our current cybersecurity posture and identify areas for improvement. So I'm really excited to kick off the working relationship here with our panel discussion today. And our other panelists are going to be Erin Donham and Jared De Soto.
Charlton Rugg:
They are both senior technology consultants. Erin is with Charles Schwab & Company, and Jared with TD Ameritrade Institutional, and they work closely with advisors and firms like Obermeyer Wood to improve business operations by providing guidance in the areas of process optimization, technology and cybersecurity.
Charlton Rugg:
We are honored to have them here today, and we thank them for all that they do to promote cybersecurity in our industry and also for helping to keep our clients' data, finances, and information safe through their work with our partner, Charles Schwab.
Charlton Rugg:
So Erin, I'm going to direct the first question to you. And what I'd love to hear is, would you start by describing what you are seeing right now in cybersecurity and what we should be thinking about when it comes to safeguarding information and assets?
Erin Donham:
Yeah, you bet. First before I answer that, thank you Charlton, to you and your team at Obermeyer Wood for inviting us to be here today. So we're so thankful that you recognize this is such an important topic for you and your clients, because as you said, we're better able to protect our data, our privacy, and ultimately our assets when we're more aware.
Erin Donham:
We've got wonderful attendance for a Thursday afternoon/evening. And we really want to tailor our discussion today to what's top of mind for all of you. So please do use that Q&A, that chat feature that Brian mentioned below. So to address your question, Charlton, and to start us off, we're seeing that fraudsters are more organized, more motivated, more sophisticated than ever before.
Erin Donham:
In years past, if a fraudster compromised your email, you'd immediately know about it, because they'd spam out all of your contacts with some unwanted email and somebody would say, hey, you've been hacked and you immediately go in and change your password. Now fraudsters and bad actors are lurking, they're patient, they're waiting for an opportunity.
Erin Donham:
For example, an opportunity of an email conversation between you and your advisor, and they insert themselves in there. They've read your emails, they know your writing style, super sophisticated. They no longer use those red flags like the word kindly or things like that.
Erin Donham:
They will actually match your writing style to the point where your advisor's guard is down, doesn't think to verbally verify with you, and they might put that forged form through with a fake check. So that's really what we're seeing; the sophistication level is pretty shocking.
Erin Donham:
Ultimately, credential compromise, phishing emails and social engineering scams are continuing to work. They're successful. So now we're seeing entire countries that have industries based on defrauding people.
Charlton Rugg:
Wow. Well, thanks for that. And we here at Obermeyer Wood certainly get our fair share of phishing emails. Our bookkeeper in particular gets an awful lot of requests for money. And we have noticed an increasing sophistication on our end too.
Charlton Rugg:
Jared, when we hear that email is one of the biggest cyber threats, can you explain why that continues to be true and talk a little bit about what we can all do to protect ourselves better?
Jared De Soto:
Yeah. No, excellent question. I think it's just, when we think about cybersecurity and we think about these fraudsters, they're looking for the path of least resistance, and often email is exactly that, right. Inherently it's insecure, and we are still seeing that it is the number one attack vector. Now let's talk about some best practices.
Jared De Soto:
So one best practice is, when you get an email from anyone, it's always best to double-check that email address. So whatever their name is, @gmail, et cetera, make sure it's truly the person who you know it's coming from. Because what we've found is they may add or change a number, a digit, a letter within that email address.
Jared De Soto:
And that can get you to think, this is the person who I'm normally corresponding with, maybe it's my advisor. Double-check that always, make sure it's a known sender. When you do find those situations where it's not someone you know, make sure that you go through and report that. Report certainly to Charlton and his team to make sure that they're aware; they can pass that along to us.
Jared De Soto:
We certainly want to know about those types of scenarios, where you're seeing someone, especially when they're talking about your finances, trying to move money, that's really, really important. And when we're talking about why is it the number one attack vector. Well, it's really easy, right? I can receive an email. They have already had trust built in there.
Jared De Soto:
I click on a link and that ultimately takes me to a third-party site, which may look very trustworthy, but is meant to be exactly that and allows them to be able to get in. So just looking at those links: when you see a link, before clicking on it, check where it's actually taking you to.
Jared De Soto:
And more specifically, let's say it's coming from your bank or another institution, go straight to that institution's website and log in. Go straight to Charlton and his team and make sure that indeed they sent this. If it is some sort of request or something seems a little bit off, certainly go straight to that website, that's the best practice.
Jared De Soto:
And I know Erin talked a little bit about the phishing and the social engineering, they're just getting much more sophisticated in how they work. So I guess we should probably just talk about what are some of the common threats out there. So phishing certainly that's when an email comes in, it has that link, tries to take you to another place to enter in your credentials, malware.
Jared De Soto:
Sometimes they'll try and include an attachment in your email and try and get you to click on that. Certainly avoid all attachments and clicking on attachments, unless it's from someone that you truly know, especially true with those added documents, et cetera, because they can have embedded malware within them.
Jared De Soto:
And another thing that we often are seeing are these account email takeovers. Meaning they get your credentials, they're able to log in, they're able to see all of your emails, et cetera, go through. And then as Erin had mentioned earlier, they sit in there, they wait long periods of time. So in the past they wouldn't give it much time, now they'll sit and lurk for long, long periods of time.
Jared De Soto:
So we'll get to that in a little bit. And I think Erin may have some best practices around that, which I think will be really, really helpful. But those are the most common that we're really seeing these days. The new one that's really started to happen is you may have started to get more SMS messages or text messages with links, always avoid those. Again, just go straight to the institution, that's the best way to go about it.
Erin Donham:
Yeah. My rule of thumb is be healthily suspicious of anything that comes into you. And when in doubt, even a smidge of doubt, just delete it. If it's important, it'll come back. But just any incoming text or incoming email, just delete. Microsoft will never call you asking for permission to get onto your computer. That's social engineering.
Charlton Rugg:
Yeah. Great answers here. And thank you both. And that's a really good point. I think we're going to touch a little bit on this later about who will call you and under what circumstances. And this is something that we actually do for our clients, but it's in a very specific circumstance. Before we get to that, Jared, you mentioned credential compromise.
Charlton Rugg:
Erin, can you talk a little bit about this? I've got a password to get into my email account. How should we be thinking about passwords? Everybody hates them, they're a pain. I've got 200 of them from accounts that I don't even use anymore. Talk to us about best practices here. What should we be doing? How can we make this less painful for people to get in and out of accounts?
Erin Donham:
Totally. I have felt that pain of, okay, what permutation of my password am I going to use on this new login? Ultimately password reuse is how most accounts are compromised, most email accounts. And let me tell you a little bit about that. So when you see all these breaches in the news of databases, generally what they're getting ahold of are databases of usernames and passwords.
Erin Donham:
And even though the passwords are sometimes hashed and salted, ultimately they're able to compare databases and get essentially a file of text-based passwords. They can buy them for pennies on the dollar on the dark web, and then they go and try these usernames and passwords on thousands of different company websites to see if any of them will take.
Erin Donham:
If you reuse a password, that's how they're getting in. So the best way to stop that is to have a long, unique, complex password for every login. And that sounds daunting of course, because you're like, how do I do that? And that's where password managers come in. Charlton, I think you mentioned that in the beginning.
Erin Donham:
Password managers, the purpose of them is to help organize all of your passwords into one location. All you have to do is remember the master password that gets into the manager and then you can copy and paste that secure, long, unique password that it creates for every one of your logins into the website that you're getting into.
Erin Donham:
Now making that change it's a pain. I remember spending an eight hour day in 2017 and I was embarrassed that I reused my password over 100 times. So there's some pain involved there in the beginning of changing all of your passwords on all the different sites, but the security that you feel afterwards it's amazing.
Erin Donham:
And two thirds of Americans today still reuse passwords and we've got to get that number much, much lower to having long unique passwords. And then before I get off the topic of passwords, I'd love to talk a little bit about authentication or multifactor authentication or two factor authentication.
Erin Donham:
So this is an additional security measure that you can put on. And nowadays we're recommending you put two factor authentication on your email. It's almost more important than putting it on your banking.
Erin Donham:
And what that means is that when you go to log in to something for the first time on a piece of hardware, it'll ask you to give it a number that's from a second device, a second factor, whether that be your phone and getting a text message, or whether that be an authenticating device or authenticating app.
Erin Donham:
And what that means is, if somebody gets your login and a text-based password off the dark web, when they go to try to use it, it'll say, nope, we're not going to let you in until you give us the special code. And as Jared said, bad actors are opportunists. And they'll say, that one's too hard, and they'll move on to the next one in the spreadsheet.
Jared De Soto:
Erin, I would say, if you take nothing else from this entire session, those two things that she just mentioned, write that down, right? Having a unique password for each site, that password manager is a great way of doing that because it can suggest a password for you automatically.
Jared De Soto:
You don't have to figure out what it is. It can be long, unique, it'll save it all for you. And then you add on the multifactor authentication, that really is really powerful. So just wanted to add that.
Erin Donham:
Yeah. And one funny, quick story. We use 1Password in my family, but there's Dashlane and LastPass, lots of different ones. If you Google "best password manager," you'll get good hits. But my brother and I finally got my dad on 1Password and we're like, yay. So I go over and I'm checking. I'm like, "Dad, it was so great that you're using this password manager."
Erin Donham:
I go look at this computer and I go, wait, what are all these errors? And I'm like, "No, dad, you're not supposed to put your reuse password into every entry, you're supposed to let it create a password for you and then you have to go and change the password." He's like, "But that's so much work." And I was like, "I know, I'm sorry." So it is a bit of work on the front end, but it pays off dividends in the long run.
Charlton Rugg:
Yeah. So great tips from both of you, Erin and Jared. Thank you. And I am personally familiar with the pain of setting up password managers. I have been using one in my personal life for a long time. We here at Obermeyer Wood have an enterprise account with our provider, LastPass. But any of the ones that Erin mentioned are just as good.
Charlton Rugg:
And to her point if you just do a quick Google search, ask Google, what are some good password managers? And you can get some good options. It is as Erin and Jared mentioned a little bit of work on the front end, but it doesn't have to be an all day affair.
Charlton Rugg:
You can actually do this sort of one at a time as you log into things, I need something from Amazon, I'm just going to replace my password there. So it is absolutely a great tool. I'm glad that both of you used the word long, because without wanting to get too technical in terms of how computers break passwords.
Charlton Rugg:
The bottom line is a long password is more secure than a short one every time. And that's true, even if you don't add in things like special characters. So an eight character password with special characters or a 24 character password without, take the 24.
Charlton Rugg:
So I'm glad you both mentioned that. The other piece that we here at Obermeyer Wood use, I think I mentioned this earlier, is two-factor authentication. We force it on our resources. And so when we are logging into the Schwab platform to manage your accounts, we have two-factor authentication.
Charlton Rugg:
When we log into our Salesforce CRM to enter notes about a meeting, we have two-factor authentication. And those come in a few different forms, as Erin and Jared mentioned; we have apps on our phones. We also have been using actually a physical key, which plugs into a USB port and you press a little button on the key, and that is a very secure way of ensuring the two-factor is protecting the account. All right.
Charlton Rugg:
So I'm glad to hear that we're doing the two top things you both identified. Now, let's change directions a little bit. Jared, I'd love you to speak about the kind of fraud that Schwab sees based on money movement and fund disbursement requests. We started touching on this earlier. I'd like to circle back and hear from you what you're seeing in that area.
Jared De Soto:
Yeah. No, that's a wonderful question. I'll tell you what we see most frequently kind of going back to that email is someone who has an email that's compromised and then this fraudster is lurking and waiting for the right opportunity. So they will look and they'll see you're getting ready to buy a home, you're getting ready to purchase a car and you need a money movement.
Jared De Soto:
And with a home buying situation, then you're generally having to wire funds to the title company. And what they'll do is they may wait for that moment. They see you're having this email correspondence back and forth, and they'll wait until that moment and then tell the end user, yourselves, the client: instead of using that original email and the instructions that we gave you, please use this new one, because we are using a different account for the final part of the process.
Jared De Soto:
And unfortunately we see that happen more frequently than we would like. The other type of scam that we're often seeing are some of these romance scams where people will come and ask for funds. It starts with a little bit at a time. And unfortunately this happened to someone close to me.
Jared De Soto:
They start working with someone and they get lured in by the prospect and then before they know it, all of a sudden it may start with $20 and then it goes on up from there. So that's certainly something I would be aware of and think about.
Jared De Soto:
But what we're seeing on our side is primarily those money movements where they're trying to jump in the middle and change those instructions on you. So what are some best practices about that? One best practice is, whenever there is a fund movement like that, always call your advisor and make sure that you communicate when that's going to occur.
Jared De Soto:
I know often clients will not like the fact that, why is my advisor reaching out to me, it's for the security, because we want to make sure we verbally hear over the phone that you made this request, that we verified it with the title company.
Jared De Soto:
So if next time your advisor reaches out and says, hey, we got this request for the money movement for the new home, let's go ahead and call the title company together to verify those instructions. And that's the best way to stay secure is always have that verbal conversation and try and avoid that through email as much as possible.
Erin Donham:
And to add on to that some little tips when you're verbally verifying with the title company, call a known number that you can Google. Don't call the number that's on an email, because the email is from a fraudster so of course they're going to put a false number on there.
Erin Donham:
And ultimately, piling onto what Jared said: every fraud that we're seeing over the last six months is a combination of email compromise, whether that be client or advisor, combined with a lack of verbal verification of the instructions, whether that be client or advisor. Those two things together, boom, result in that successful fraud.
Charlton Rugg:
Yeah. So that dovetails very nicely with what we do here at Obermeyer Wood. And for any of you clients who have had a home purchase that involved a wire transfer, you probably got a phone call from somebody on your client service team, asking you to verify. And Erin, what you just said about the telephone numbers is really important, and that's our guidance internally here.
Charlton Rugg:
When we get those wire instructions, we go to the web and we look up land title company and pull the number out of their webpage. We don't rely on that, the phone number that's in the email. And it goes back to that healthy skepticism that you had mentioned before Erin, about the email that comes in that says, sorry, for the last minute change, here are the new wire instructions and please call me at this number to verify, right?
Charlton Rugg:
So we look up the phone number for the title company, we look up the phone numbers for our clients and then we make those calls out to verify. Now, I want to touch on that just a little bit, because one of the things that you mentioned earlier was be suspicious of somebody who calls and asks you for information.
Charlton Rugg:
And then we say, we're going to call you to verify. So Erin, can you just touch on the difference there? If I'm getting this phone call, how do I know what's legit and what's not?
Erin Donham:
Yeah. Absolutely. So what you're describing, Charlton, is social engineering. Social engineering is definitely on the rise. It's when fraudsters will call, and this is how Robinhood got hacked. Ultimately a fraudster called one of the customer service reps and said, this is your IT department, I need to get into your computer to fix the problem. And the customer service rep said, sure, no problem.
Erin Donham:
Here, let me give you access. So that's the main difference: fraudsters in social engineering will be seeking information, versus us verifying information you've already received. If you get a call saying, we got this from you, is this really what you want to be doing? These are the numbers, the account number that I want to verify with you that we're sending this wire. It should be a meeting of the minds.
Erin Donham:
It'll feel exactly right, because you've already initiated the contact, you know it's coming so you're aware of it. If it's out of the blue and somebody says, this is Microsoft, we noticed there's something wrong with your computer we need to get in there and check it out and solve it for you, that is where that healthy suspicion comes back in.
Erin Donham:
That you should not be letting anybody that you don't expect or that you haven't reached out to yourself into either screen share or into your computer with any sort of access or give them any information over the phone.
Erin Donham:
Charlton will never ask you for your social security number or your birthday, or any of these pieces of information. And that's really the point at which you're like, no, no, healthy suspicion, hang up. If it's important, it'll come back.
Charlton Rugg:
So thank you. And that's a really important distinction is, am I calling you and saying, I already know this information, I want you to tell me I'm right, versus I need your social security number and account number so that I can do X, Y, Z. Because X, Y, Z here is always going to be steal your money. All right.
Charlton Rugg:
Thank you for that. Jared, let's assume that we're talking about somebody who is not on this webinar and something happens to their account. What does Schwab do to protect client accounts if there is a breach? And how do you handle it if a client account is compromised with fraudulent activity? What is the response? How does that work?
Jared De Soto:
Yeah. No, that's an excellent question. So whenever you suspect there is a breach, the first thing you want to do is contact Charlton and his team. Let them know that you think you've been breached. Because the next step for them is they will immediately contact us. We'll want to know a little bit more about the situation, what's happening, so that way we can help to put your accounts on notice, to be able to watch for those extra scenarios.
Jared De Soto:
We can help you change passwords and help you go down that path as far as we need. But ultimately that's the important thing is contacting your team so everyone can be on the lookout. And then from there, I know Charlton and his team will give you some best practices. Like, hey, if it's the email compromise, let's go ahead and go into that a little bit further.
Jared De Soto:
Here's how we want to go ahead and change our password. Do you have that multifactor authentication set up? Because it's really, really important to do that and make sure that you're protected in that scenario. And we also have an address, which is our SchwabSafe site, and we'll give you information on how to get to that, but that goes into even more depth about our practices and how we handle all that. So good question.
Erin Donham:
Yeah. And I'd like to talk just a little bit about, this isn't exactly the question you asked. But things to watch out for, things to look for that if you're suspicious that your computer might be compromised in any way, look in your email client for auto rules that are set up.
Erin Donham:
Auto-delete or auto-forward. Look in your sent mail regularly to see if anything looks suspicious. These are things that fraudsters often will do if they've compromised your email: they'll go in and set up those types of rules so that they can get copies of everything that you're being sent. So that's just something to note, to be aware of.
Erin Donham:
And when in doubt, just change your password to a different long, unique password. And then we can start going down the road of seeing if there's a key logger on your computer. And that's what gets into the malware that Jared was mentioning of doing a sweep of your computer and that you might need some help and IT help on.
Charlton Rugg:
Great. Thank you both. One thing that occurs to me here is, how did my email get compromised? How did my computer get compromised? And we hear a lot about information being compromised while working on unsecured networks. So Erin, can you talk about this a little bit? Public Wi-Fi, encryption, VPNs, what are these things, how do they work and what should we be thinking about?
Erin Donham:
Yeah. Generally we recommend staying away from any public Wi-Fi. And what that means is any Wi-Fi that doesn't have a password or an unknown Wi-Fi where you might have the password, but a lot of other people are on it. And the reason for that is when you all are using the same network, bad actors can sniff out the packets, they can basically get a hold of the data that you're sending back and forth.
Erin Donham:
And so as a general policy, I know for Jared and myself, we don't use any hotel, any airport, any Starbucks, any of those types of networks. When in doubt, tether to your phone, I know it's a little bit slower and some things you can't do, like when you forgot to download that Netflix movie onto your phone for the flight and it says you can't do it without Wi-Fi, and you think, should I connect to the airport Wi-Fi? No, just don't, just go without the movie.
Erin Donham:
And in some ways, if you are going to connect to a public Wi-Fi, hopefully not, but if you do, then we recommend using a VPN, or virtual private network, that at least encrypts your traffic to make it a little more difficult to be able to sidejack.
Charlton Rugg:
Okay. Thank you. Yeah. And that's consistent again with sort of our practice here at Obermeyer Wood. We've been hotspotting our phones. Today we just got in, and this is fairly new as we're starting to travel again post-pandemic and people are actually going out to conferences, I think.
Charlton Rugg:
We got some portable hotspots, these Verizon Jetpacks, or MiFis, that are about the size of a hockey puck. It connects to the cell network, but it's your own private Wi-Fi network that you can travel with. And so we have those available for people who are traveling to check out and take with them, in order to be sure of what network we're connecting to and the security of it.
Erin Donham:
Yep. I have one too. And the beauty of those hotspots is that they have a quad antenna, so they're four times stronger than tethering to your phone. I love it.
Charlton Rugg:
All right. Yeah. We have a few questions that came in before the webinar started, that folks have pre-submitted and then I see we've got a few coming in through the chat. Brian, do you want to handle the ones that came in or you want me to go ahead and work through the questions we got before we started here?
Brian Brady:
I've got the pre-submitted ones. You just want me to kind of take it from the top?
Charlton Rugg:
I think some of these actually dovetail nicely with some of the topics we've already touched on, but let's work through folks' questions. I saw a few come into the chat and we'll see if any more come in.
Brian Brady:
All right. Well, that sounds good. Well, the first one, which I think is really important, is: are services like Zelle and Venmo safe? Jared, do you have an opinion on these, a kind of policy that you guys like to tell people?
Jared De Soto:
Yeah. No wonderful question. Personally, I have used Zelle and our family uses it. It's a great way to send money back and forth. The great thing is it's all between your institutions and you have that known address, email address. The only thing is just making sure that when you're getting a request for money or when you're sending money, it's going to the proper place.
Jared De Soto:
So verifying that with the person on the other side. And you may receive an email, and I know that feels inherently unsafe. They shouldn't provide any detailed information, right? They shouldn't tell you how much it's for, or any of that, I wouldn't suspect.
Jared De Soto:
But what it will likely look like is there may be a link in there and you go, my goodness, we've talked about links this entire time, why are they sending links? Right. And the real answer there is that there's always this balance, right? What is safe and also what's convenient for you as the end user.
Jared De Soto:
And there's always that balance that they're trying to do. So they may include a link, I would say, just disregard the link, delete the email, log into your bank, and then go into that Zelle portion of the site in order to be able to verify it. And Venmo, much the same way.
Erin Donham:
Yeah. The only other thing I'll add to that is, all of these sites are relatively safe, but we come back to having a long, unique password and hopefully two-factor set up. And so I know that we're going to talk about that a lot, but we just come back to that: making sure that your logins are protected in that way to each of these sites.
Charlton Rugg:
Jared, I love that you mentioned this sort of balancing act between convenience and safety, right? And it's something that I certainly think about when I'm thinking about security, right? If I put some data on a USB stick and encrypt it and put it in a lockbox and throw it in a lake, that's really, really secure and it's incredibly inconvenient.
Charlton Rugg:
If I have a whole bunch of data on a public-facing website, it's really convenient and it's really insecure. So there's a sliding scale here of thinking about how much do I need to protect this? And what inconvenience am I willing to put up with in the service of that protection? And so for instance, for our clients, when we send you an email that says your statement is ready and waiting in your portal, there's a link in it.
Charlton Rugg:
We do that for convenience. You don't have to click it. You can use a saved bookmark. You can go directly to our website. You don't have to trust that link. So there are times when you will receive a link and it's legitimate and it's safe. And there are times when it's not.
Charlton Rugg:
And so there's a little bit of tension there, as you mentioned, but I'm really glad that you brought up that tension between convenience and safety, because it's something that I encourage all of you to keep in mind as you are navigating the online world. It's a constant tension. And there are times when it is better to err on the side of safety and there are times when convenience is okay.
Brian Brady:
All right. The next question I think is important. Some of these are follow-ups to things we've already discussed. So the first topic is around password managers. So Erin, this person asks, are you saying that if the password manager creates a password, to go in and change it?
Erin Donham:
That's right. That's exactly the way a password manager should be used. For example, in my case, 1Password, you create the entry for, let's say, Amazon. You have your username, put that in, and then you have it generate a password, and it usually defaults to 24 characters or greater, you know, those passwords that just look like gibberish.
Erin Donham:
And then you go, on the other side, into Amazon's website, you go into security and you say, change my password. It might ask you, are you sure you want to do this, and send another verification, let me text you first. And then you copy that password out of your password manager and paste it into the website to update, to change your password.
Erin Donham:
Again, it might be a little painful, because then you also have to change that password maybe on a mobile device or somewhere else if you're used to ordering from Amazon off your phone all the time. But again, it's letting the password manager itself generate that super secure password. Did that answer it?
Brian Brady:
Yeah. I think it did.
Charlton Rugg:
Can I ask a couple of follow-ups here, Erin? One is, once I've used the password manager to generate and change all these passwords, how often should I change them in the future? I've been hearing forever that I should change my password every 60 days, every three months, every six months. And there are some websites that will still actually make you do that. Should I be doing that or not?
Erin Donham:
It's interesting. The studies now show that the rate of how often you change your password isn't as important as the long, unique password for every site. So they're no longer recommending the 30 days or the 60 days. Now, if you want to make it a matter of course, if you notice something unusual in your email, change your email password.
Erin Donham:
Occasionally, if I see a breach go out, a T-Mobile breach, I'll go in and change my T-Mobile password. So occasionally, I'd say what we're hearing from people is between 12 and 24 months roughly, they go in and change their passwords. But not as a whole day of doing just like what you were describing, but more like a onesie-twosie. But the studies are no longer backing up that every-30-days change-your-password thing.
Charlton Rugg:
And the other thing that occurs to me is, I probably have a password to get into my password manager, that should probably not be password. It should probably not be-
Erin Donham:
AP3.
Charlton Rugg:
... my pet's name and the street I lived on. Will you give us some tips on how to come up with the key that unlocks all my passwords and make sure that's safe?
Erin Donham:
Yeah. Jared, I think you've got.
Jared De Soto:
Yeah, I know. Hey, I think one thing to do, we've started to move to this idea of passphrases, where you know this phrase, one that you would know and no one else would know. Maybe it's "I like to go on a walk every other Sunday." I don't know what it may be, right. But a nice long passphrase, because that will be difficult to crack.
Jared De Soto:
And I think when we're talking about these passwords, if I'm thinking of what's most important, it's making sure that it's unique for each and every site. So the great thing about having that one unique password to log into your password manager is that you have the one to remember, the password manager does all the rest so that you can truly have a different password for all of the others.
Jared De Soto:
Otherwise, what we've found, as Erin was saying, is when you try to just have this process of repeating passwords and changing them every 60 days, you end up with the same password, using it over and over again with slight differences, and that's really where that password reuse comes into play.
Jared De Soto:
And instead, utilizing a password manager can ensure that you defend against that. But in addition to the unique password, I would say, use two-[inaudible] authentication with that password manager as well. That way you're really covering all your bases. Really, really important.
Brian Brady:
Well, we just got a really interesting question from the chat. Should we be concerned about a password manager being a target for hacking and then having everything exposed? What do we know, kind of, about their security situations that should make us feel comfortable?
Erin Donham:
Yeah. It's a great question. Ultimately, in the same way that Microsoft has entire teams based on cybersecurity, so do these generally well-known password managers. So what we come back to is, when you're choosing a password manager, make sure it's reputable, try to make sure it's based in the U.S., and this is their business.
Erin Donham:
I think, Charlton, you mentioned earlier, if you're not able to keep your business secure, then you've lost your entire business. So they are highly motivated to stay on top of the cybersecurity world out there. And so that's the main advice coming from us: make sure you choose a password manager wisely and make sure it's not some random sidebar ad that you clicked on.
Jared De Soto:
I love that idea, Erin, because that just reminded me of something that recently happened, which is there was an app that was sitting in the Google Play Store that was not just a two-factor authentication app, but also a password manager. So literally by using this tool you're giving your entire keys to the kingdom, and it was a fraudulent app.
Jared De Soto:
So there were people that were affected by that, right? So using a well-known and reputable service is paramount when we're talking about this. So certainly go out to CNET or others that will talk about what some good password managers are. I know Charlton and team, they've talked about LastPass. I'm a LastPass user.
Jared De Soto:
I will tell you, going back to that original question, is it safe? I wrestled with that exact same question, because I had my passwords and I had them written down and it just became such a pain. You have so many websites that eventually you realize, you know what?
Jared De Soto:
There's always, again, we talk about convenience, there's that convenience and the security and making sure that this one place that you're going to put all of your information is a safe location, that's the main thing.
Jared De Soto:
They have all of this secured, encrypted. And depending on that vendor, some are going to be more safe than others. So do your due diligence. And that is really, really helpful, to understand that entire environment.
Brian Brady:
Well, I'm glad you touched on that, Jared, because we've gotten two questions about the browser built-in password managers on Google Chrome or on Safari on Mac systems. Do you guys have an opinion on those? Are those safe enough? Should people be looking at other vendors like LastPass and 1Password?
Jared De Soto:
You want to start us off Erin? I do have a tangent on this one, so I'll jump in after.
Erin Donham:
Okay. I'll let you finish up. Yeah. So I do not use browsers, but we have a colleague who uses Apple Keychain. The reason I don't is not necessarily from a cybersecurity standpoint, although I worry about the browser security level; it's more because I want more control. So I have multiple vaults. I share those vaults with family members.
Erin Donham:
And so my 1Password allows me to have ultimate control over who sees which passwords I have. Both my kids, my 12-year-old and my 16-year-old, they have their own vaults that I have access to and am able to help manage, whereas with the browser, I just don't have enough control over it for me to feel safe.
Jared De Soto:
Yeah. So I'll add on to the Chrome browser half of it. I am a Google user, so it's one thing that I always considered: how safe is this? And here's the question that came to my mind as an Android user: when I save my passwords with Android, it actually just goes into my account, it goes into the Chrome environment.
Jared De Soto:
So when I log into my computer, it's readily accessible. Anyone who happens to be able to get into my computer would then have access to all my passwords. So that was my real moment of deciding, you know what?
Jared De Soto:
I think I should really use an outside password manager, where it's going to ask me for a password each and every time, and the two-factor authentication. That way, even if someone gets access to my computer because they happened to notice my login when I log in and get in, they wouldn't have access to my passwords, because they would have to know or be able to access the two-factor authentication and that additional password. So there are some additional layers of security that I like about having that password manager.
Brian Brady:
Yeah. And that brings up a good point, kind of one of the last questions we've gotten on passwords, and then we're going to move on to some of the other topics. Erin, I would ask you this. And I think this is a great question.
Brian Brady:
This person recently read in AARP Magazine that it may be best to keep passwords in an actual paper notebook safely stored at home. What do you guys think of that? And do you kind of have a general opinion? I think I know your general opinion, but I'd love to hear it.
Erin Donham:
Yeah. I'll touch back on what Charlton said, that line between convenience and security. And I have gone to the convenience aspect of having a password manager, because I literally have over 250 entries in my password manager and it finally gets to be so many.
Erin Donham:
And ultimately, even on your little piece of paper, you're using permutations of existing password managers and not the long, unique gibberish that a password manager creates.
Erin Donham:
That being said, one of our senior fraud folks at Schwab, when we asked her what she uses, and this is the person who said every single money movement needs to be verbally verified, end of story, she said, I use pen and paper. So I do not, but I have heard it said.
Charlton Rugg:
Just don't put it on a post-it note stuck under your keyboard on your desk please.
Brian Brady:
All right. So I think the next best place to go here would be related to public Wi-Fi and also just general sharing of information like over text message. So Jared, the first question relates to public Wi-Fi.
Brian Brady:
Is it okay to use public Wi-Fi like at hospitals or airports if you're not doing sensitive business, meaning going on your banking apps or if all you're really doing is Googling things, is that safe or would you rather still people not go on those networks?
Jared De Soto:
I would say wherever you can avoid it, certainly avoid it. Again, we go back to that convenience factor, right? Sometimes we want to do that. But just be aware that, hey, this is an area where it's unsecured, someone else that's on that network could be waiting and watching. Is it a high probability? Probably not. Right.
Jared De Soto:
There's probably not a hacker sitting in each and every Starbucks waiting for you to log in, but it is something to be aware of and to think about. And if you are going to do that, maybe having a VPN that you subscribe to.
Jared De Soto:
Again, we're going down the route of, if you're going to go with a VPN, look for a trusted one, because then all of your data is going direct to that provider and you have to trust them as much as you would trust AT&T or Spectrum or whoever your internet provider is. So make sure you do your due diligence there. There are some good names out there as well.
Brian Brady:
As a follow-up on that, Erin, I'm an Xfinity customer and I'm offered that kind of free roving hotspot, but it's password protected. So where do we fall on that? Is that used by other people? Is that safe?
Erin Donham:
That's safe. So the Verizon hotspot we were talking about, it is a single cell connection that only those that you allow onto the hotspot using a password are allowed on. So they're password protected.
Brian Brady:
All right. And I thought this next question was really interesting because I think we've all been guilty once or twice of sending a picture of a credit card to a loved one who's in a jam or something like that. Is there a safe way to share sensitive information like that with a trusted party?
Brian Brady:
So when we're thinking about text messages, or if you use WhatsApp to communicate or Facebook Messenger to communicate, what are kind of the dos and don'ts? And Jared, do you have kind of any thoughts on that?
Jared De Soto:
I do. So surprising that I have an opinion, right? So what I will tell you is that there are tools like the password managers. So for example, my LastPass actually has a feature for you to be able to save a credit card number.
Jared De Soto:
And within LastPass, you can actually share passwords, et cetera, with other members of your family or whomever you determine, and you can control when they do and don't have access to that.
Jared De Soto:
So that's certainly one way of going about it, but if you're sending it through social media, that's where it can get a little bit more hairy. What are your thoughts, Erin?
Erin Donham:
Yeah. Same. Generally, if I'm sharing a number like that, I do it verbally. And the reason for that is it's the same as the old adage: if you don't want to see it printed publicly, don't put it in an email. The same kind of thing digitally.
Erin Donham:
If you snap a photo of that, that photo is being saved on your phone, it's being possibly uploaded to your iCloud. If you're sending it by text, you don't know about the recipient. You're opening yourself up to a possible, low chance but possible, bad actor getting ahold of it later.
Jared De Soto:
One thing you just mentioned that I just thought of, and I'm sure a lot of people out there may use debit cards, but I would always suggest, hey, if you're going to do that, supply a credit card, because there's a different level of liability for credit cards versus debit cards.
Jared De Soto:
I don't know if anyone else out there has used a debit card at a gas station and then someone's tried to steal that. They take the money. It happens immediately, and it can take a long process to try and get that back from the bank, if they even determine that they will. So, credit cards. I'm not the legal expert, but I will tell you that's the guidance I would certainly give.
Brian Brady:
I think that's really good advice. And we have two to three minutes left, and so this is our last question. If there are any other kind of last-minute questions, feel free to type them in the chat. But Erin, I'd like to ask about two-factor identification.
Brian Brady:
Is it necessary when you're doing it to have two devices in front of you? So if you are trying to get on a website on your computer, do you need to have yourself vice versa or can it all be done on one device?
Erin Donham:
Yeah. It depends on how you set up the multifactor. So for example, let's go back to our Amazon example. If you set up multifactor, it could be an SMS text message to you. Then you could log into Amazon on your phone, and it'll ask you for the text message, and it will come through on your phone. So that's one device.
Erin Donham:
So it depends on how you set it up. Generally, we recommend don't use email as your second factor, because email is so highly compromised generally. So what I mean is, don't say to Amazon, send me an email as my second factor, just in case a fraudster does get access to your email, goes to change your password and then has the second factor come into your email.
Erin Donham:
So you've already been compromised once, and now they're able to compromise you left and right. Now, layers of authentication, they're definitely getting stronger. So a text message, that's the base layer.
Erin Donham:
I think Charlton talked about a key, a physical YubiKey or something like that you can plug in. That's the top layer. There are authenticator apps out there; that's sort of the next level up from text message authentication. It's what type of authentication you set up.
Charlton Rugg:
Erin, I think we're down to our last minute here, but we got a question before the webinar started, a pre-submitted question, and I'd love to send folks home with some feeling of comfort, having just terrified everybody.
Charlton Rugg:
So if I've got a password manager, I've used it to create unique passwords for all my accounts, I've set up two-factor authentication everywhere that offers it. Once I've done that, can I just sort of carry on with my life without carrying around this constant sense of impending doom? What do you think?
Erin Donham:
Yes. That's the short answer.
Charlton Rugg:
Great.
Erin Donham:
Yes, that would protect against 99% of the fraud that we are seeing today.
Charlton Rugg:
Okay.
Jared De Soto:
Short and simple.
Erin Donham:
Short and simple.
Brian Brady:
All right. Well, we've reached time, and I just wanted to thank Erin and Jared for joining us today. We really appreciate all that you do and all the knowledge you've shared with us. And I know that Obermeyer Wood looks forward to continuing to work with you guys to help protect our clients.
Brian Brady:
And to everybody who attended, thanks for joining us. We do have an event scheduled for April; we'll be sending out an invite for that in the next few weeks. And again, this event was recorded. We are going to put it up on our website. We'll also offer some resources that Schwab has shared with us that you can always check out as well.
Brian Brady:
That will be on our website on Monday under our blog section, so feel free to check that out. And if you have any follow-up questions, feel free to email myself or Charlton. It's just our first name at Obermeyer Wood, and we'll be sure to follow up. So thanks again for joining us, and I hope you have a happy Saint Patrick's Day.
Erin Donham:
Thanks everyone.