‘Hacking’ Stances

A couple of Saturdays back I discovered that one of my online accounts had been “hacked.” 

The good news is that I “discovered” this via transaction emails confirming what appeared to be purchases—a half dozen of them… for various, small-ish (though not small) amounts… all about 4:00 a.m. on a Saturday morning. And trust me, while the pandemic has certainly fueled my online purchases, both the number and the timing were not normal behaviors (nor was the Chinese text in those emails).

The even better news was that I was able to flag those transactions via the provider—and via my credit card company—almost immediately (apparently the foreign hackers and I were the only ones awake at that hour). Even though there was no damage done by this incursion (aside from some temporary heartburn), it brought home to me again the importance of protecting all of my online accounts.


Like many, perhaps most, of you, I have long found managing the sheer volume of online passwords and varying criteria daunting. Oddly, the ever more complex (and varying) password requirements—different lengths, different combinations of caps, numbers and “special” characters, not to mention forced resetting of those passwords—has, if anything, tended to leave me being more casual than I should be regarding some of the practices I know are important. That said, and while I am far from a cybersecurity expert, I try to stay current on the latest advice from those who are—and trust me, it’s a moving target. 

As it turns out, the Labor Department recently issued a set of guidance on the issue of cybersecurity,[i] and while our more immediate focus here has been on the expectations of plan sponsor/fiduciaries, advisors and recordkeepers (particularly in view of the recent reports of Labor Department audits on these practices), my recent experience reminded me that it’s worth noting—and sharing here—the list of “online security tips” for participants included in that guidance. 

Use Strong And Unique Passwords

The most detailed of the tips is also perhaps the most important. The Labor Department recommends that you “use letters (both upper and lower case), numbers, and special characters”—which is increasingly mandated anyway—and to “use 14 or more characters.” We’re also advised not to use letters and numbers in sequence (like “1234” or “abc”), to change passwords every 120 days (or if there’s a security breach—p.s. you probably won’t hear about it until at least 30 days after it’s been detected), and—despite all these strictures—to not only not write it down, but not to “share, reuse, or repeat passwords.”

This is both the most obvious—and in my experience—most nettlesome of the recommendations. Of course, the more complicated the password, the less likely a hacker is to be able to “hack” it. And, unfortunately, the less likely you are to be able to remember it. I’ve seen suggestions on how best to manage this—most commonly these days (including from the Labor Department) the suggestion to use a password “manager.” 

But for those who find that process intimidating (or inconvenient), what I’ve found most useful is the idea of using phrases that are familiar or meaningful to you, but would amount to gibberish in a password field. Something like (for those who took typing classes in high school) “thequickbrownfoxjumped,” particularly if combined with some kind of numerical reference (perhaps “thequickbrownfoxjumpedh1.” You can also use a random combination of words like “fleetwoodChicago1978” (which happens to be when/where I saw Fleetwood Mac perform), or maybe a random combination of month and year (though avoid birthdates, anniversaries, and such)—perhaps something like “januarY2019” (I try to capitalize something other than the first letter). One other neat trick is to use spellings that may mean something to you, but aren’t in the dictionary—like dixshunary, or Septimber. 

The challenge, of course, will be remembering which (random) combination(s) you used for what. But if that leads you to write it down, keep that in a safe place—and don’t store it on your computer! 

Use Multi-Factor Authentication

The very first thing I did with the account that had been hacked (once I had reestablished control) was to set up multi-factor authentication. I have made a practice of doing this with all my accounts, and can only assume that years back, when I set up the account in question, they either didn’t have it available, or I considered it too much of a hassle to set up. No more.

Basically, this means that when you log on and/or initiate a transaction, the system requires the confirmation of a second credential. The most common set up would be to send you a code via text (to a phone number you’ve established on file) or to an email address. If you don’t have this set up yet on your online accounts—do it right away. It’s a life (and savings) saver. And always, always, always, be sure that you are set up to receive notifications any time your account or account information has been changed! Oh—and it bears noting here that the password to your email account is perhaps the most important—because if they hack your email account as well, they can intercept those confirmation emails, and delete them before you even know it has happened! 

Keep Personal Contact Information Current

Odds are the accounts you access with some frequency have current contact information. The problem is, retirement savings often don’t fall into the “with some frequency” category. Let’s face it, we’ve long been advised that we shouldn’t be constantly checking in on our retirement savings, but there’s nothing that says you can’t look without touching. Particularly if you have left some 401(k) balances “behind” with a prior employer.  

Close Or Delete Unused Accounts

It’s unfortunately not uncommon for folks to use the same password(s) for multiple accounts—but using those same passwords for accounts you don’t use (or perhaps don’t even remember using) and ones with current, and perhaps monetary implications, can leave you exposed. You may have gotten one of those (badly spelled) emails from individuals who claim to have accessed your webcam and/or planted some kind of “trojan horse” on your PC, and by way of proof—show you the password that they’ve stolen. While those kind of intrusions are certainly possible, odds are what they did instead was tap into your email—and password—from an old blogging account or such that you simply walked away from years ago. 

There are a couple of easy ways to check out your potential vulnerability—https://haveibeenpwned.com/ or https://monitor.firefox.com/

One the DOL ‘Missed’

Now, for all the value in the tips provided, there is some irony in one they missed—the importance of logging on to your 401(k) account(s) regularly. 

If you have an online account—and these days you may have more than one—and particularly following a change in recordkeepers (and with the recent wave of consolidation there’s been a lot of that[ii]), it is imperative to log on ASAP, and not only establish the unique password noted above, but also set up the multi-factor authentication, provide answers to key security questions, and make sure that you are set up for electronic notifications of any changes to your account. Did I say ASAP? I mean now

After all, if you don’t lay claim to that account—quickly—it’s all the easier for a hacker to do so.   

- Nevin E. Adams, JD


[i] It’s worth acknowledging here that recently there have been numerous situations where plan fiduciaries have been sued for various account intrusions, including participant accounts at Abbott Laboratories (Split Decisions in 401(k) Theft Suit for Plan Sponsor, RK), Estee Lauder (Recordkeeper, Plan Sponsor Charged in 401(k) Account Theft), MandMarblestone Group (Court Backs TPA Counterclaim on Plan Sponsor in 401(k) Cyber Theft Case) and Boeing (Man Charged with Retirement Account Thefts).

[ii] As an additional note of caution, I have now had two of my 401(k) accounts converted (by and from different providers) without the beneficiary information. Now, sooner or later, should it become necessary, the paperwork I submitted once upon a time will surely suffice (and since my spouse is my beneficiary, it shouldn’t matter)—but it’s a good idea to double check such things while you are setting up that password, etc.

Comments

Popular posts from this blog

Do Roth and 401(k) Pre-Tax Holders Really Spend Differently?

Is the 401(k) Really a ‘Horrible’ Retirement Plan?

The Biggest 401(k) Rollover Mistake