Popular platforms for digital assets like Coinbase (COIN), which just went public this month, and payment platforms like Square's (SQ) Cash App, have attracted hackers along with millions of new users — and some customers say they're never able to get their money back.
What's more, no one is coming to their rescue — not regulators, the U.S. justice system, or platforms, which in some cases don't offer live customer service support over the phone.
“The way these companies make money is through automation,” cybersecurity expert JP Bourget, president of security automation development firm Blue Cycle, told Yahoo Finance. “So to provide customers with non-robotic, real time, customer service is an expense they don't wish to carry. What that’s done is create an opportunity for bad guys.”
Bourget and other cyber security experts say consumers have to protect their accounts themselves. Here’s how they recommend keeping financial assets safe from losses.
The most important takeaway from these tips? “My message is you need to be vigilant,” Bourget said.
Multi-factor authentication
The first way consumers should secure their accounts is by enabling multi-factor authentication, according to Katie Moussouris, founder and CEO of Luta Security.
“And what we mean by that is it's not just secured with a password, but it's also secured with another factor of authentication,” Moussouris said, referring to the minimum standard of two-factor authentication also known as 2FA where once a password is entered, users must verify using a secondary method.
While payment platforms commonly offer to send a text message to your phone as a method of multi-factor authentication, Moussouris calls this the "weakest form" of protection. “If you have no other choice, if the service provider does not provide any other mechanisms for multi factor authentication, the next best thing would be to use a unique phone number that is not your actual phone number, and is tied only one-to-one to that specific account,” she said.
Bourget advised against both phone numbers and email addresses for two-factor identification. “SMS and email two-factor authentication is, like, terrible,” Bourget said. “Literally, the cyber community has been saying it for 10 years, but you should avoid using web apps or products that send you a text because it's easy to spoof. Same with an email."
In lieu of a phone number or email, account holders can download authenticator apps offered by Google (GOOG, GOOGL), Microsoft (MSFT), LastPass, Duo, and others. The apps, known as time-based one-time password (TOTP) managers, work by generating a numerical code that changes based on a time interval, or can be regenerated. Options for Android and iOS can be found in Google Play and Apple stores.
Multi-factor authentication goes especially for mobile accounts, according to NowSecure’s mobile app security expert, Brian Reed, who noted that people are often under the false impression that mobile platforms are safer than the web. Making matters worse, he said, research shows that 90% of security budgets are spent on web security, while just 2% are spent on mobile security.
Password managers
Consumers should also remember not to use low quality passwords, like their birth date or their home address, and they should avoid reusing passwords. Moussouris says consumers can use free password managing services offered by Google's Chrome, Apple's Safari (AAPL), Microsoft's (MSFT) Bing, and other browsers.
“They can generate complex, differentiated passwords for all of your accounts,” Moussouris said. “And they prevent users from reusing passwords from application to application, and can follow from device to device for ease of use.”
Still, Wired cautions that browser-based managers have limitations, because they're not solely focused on managing passwords. Dedicated software can be obtained from companies that specialize in the field, such as 1Password, bitwarden, Dashlane, and others. Costs for the services range from free to around $7 per month, depending on the number of users and passwords.
In addition to managing passwords themselves, experts say consumers need to be careful about the information they share order to retrieve lost passwords — such as the name of your alma mater or your mother's maiden name.
“Try to make sure that you're not choosing security questions that are otherwise available pieces of information,” Moussouris said.
Bank account links
If users connect a bank account to a payment or trading platform, they should connect only bank accounts that have little to no money permanently stored in them and are funded for limited transactions, according to Bourget.
Some of the most challenging attacks for consumers to guard against are SIM swaps.
In a SIM swap, hackers pose as authorized account holders and ask the carrier to port the authentic user’s phone number to a new SIM card. That way, multi-factor SMS authentications go directly to the hacker on the newly activated device.
How do we prevent SIM swapping? Reed’s colleague and founder of NowSecure, Andrew Hoog, said, “Part of that is that humans are the weakest link.” While it’s difficult to prevent, Hoog said companies could better educate their call center support teams to guard against imposters, and consumers can look out for disruptions to their cellular service.
YubiKeys
One of the most effective methods for guarding against account attacks, including SIM swaps, is a physical USB device known as a “YubiKey,” which retails for around $40 to $70, according to ZDNet.
Unfortunately, physical devices have not been widely adopted for consumer use, in part because they require significant management and user support, which both drive up costs.
"Even the big financial institutions of the non cryptocurrency world, the fiat currency world, the reason they don't roll out hardware authentication tokens to everybody is that same exact thing: It increases their user management costs, and their support costs,” Moussouris said.
No matter how consumers go about protecting their financial assets online, the security experts said, 2FA should be a minimum standard.
“One of the big strategies in security is layers of defense,” Hoog said. “I know that I can't stop everything but if I put 17 roadblocks along the way, hackers are like water — they take the easiest path.”
Read more:
Square’s Cash App vulnerable to hackers, customers claim: 'They're completely ghosting you'
Alexis Keenan is a legal reporter for Yahoo Finance and former litigation attorney. Follow Alexis Keenan on Twitter @alexiskweed.
Follow Yahoo Finance on Twitter, Facebook, Instagram, Flipboard, LinkedIn,YouTube, and reddit.
