Cybersecurity and the Avalanche of Logins

We received a letter yesterday notifying us of a breach in cybersecurity at a financial institution with which we do business. While our assets are intact, the thieves secured our names, social security numbers, dates of birth, and account numbers. Apparently, this institution was one of many effected by a defect in the security application they use. Oh, joy!

I covered the topic several years ago in a post entitled How to Protect Against Cybercrime. All the advice I offered still holds true. In sum: Use cybersecurity protection on all your electronic devices. Be fastidious with password management and use two-factor authentication on consequential accounts. Manage email with care. Never provide personal information to unknown parties. Check credit reports periodically and/or put a freeze on them. Minimize accounts that store your credit card information. Reconcile individual credit card slips against the monthly bill. Of course, this good advice does come at a cost.

log inWhile preparing for relocation and (finally) getting rid of our landline, I realize what a royal pain it is to have so many login credentials. The sad reality is that businesses like to interact with their consumers via on-line accounts, so it’s easy to rack up a gaggle of them. At last count, our household laid claim to 150+ login credentials. While I instituted nasty long passwords on the ones we rarely use (and can’t delete!), I still included them in a blanket review to make sure all of our accounts contain up-to-date contact information. So, I spent the weekend slogging through the accounts to make the necessary changes. It is a really tedious exercise that still remains only partially complete. Ugh!

Many sites actively push two-factor authentication – i.e., they place a phone call or send a text to your designated number to make sure that it’s really you trying to gain access to the account. It might seem like a no-brainer to add this feature to all your accounts. A few words of caution:

  • One institution uses an authentication application that is separate from its database to perform that security check. When we updated the phone number in the institution’s database, it did not update the number in the authentication application. If we hadn’t logged back into that account for a subsequent update, we would not have discovered that little quirk. We’d have been locked out of the account upon cancelling the landline.
  • A close friend beefed up her cybersecurity protection on one of her social media accounts and then forgot how to use it. Multiple attempts to gain support from the service provider have proven unsuccessful. Apparently, they aren’t interested in helping subscribers who enjoy their service for free. She is effectively locked out of her account and all of the groups that she once managed.

I’m still a fan of complex passwords with or without two-factor authentication. Highly consequential accounts (e.g., financial institutions, social security, medical records) call for changing those passwords periodically.

I will continue to resist adding login credentials to my ridiculously long list of access codes. Where possible, I’ll refrain from sharing my address on the ones I can’t avoid and make a notation in my records that such accounts don’t need to be updated with a move. On inconsequential accounts, I’ll let credentials for another app provide access so I’ll have one less UserID/Password combo to track.