Does your password protect your savings and investments?

Nicola Mawson | 28 March 2025

Nicola Mawson is an award-winning financial journalist, strategist, content creator and photographer who has worked for a number of media houses and in public relations.

Cybercriminals never rest and one of the easiest ways for them to get your money is by getting past your password and into your account.

Typically, they try to get you to reveal your password to them in phishing, vishing and spear phishing attacks.

But even if you are alive to these tactics and avoid falling prey to them, you still need strong passwords and good digital safety practices to protect your accounts from hackers, because we increasingly use digital devices in all sorts of locations to do our banking, saving, investing and disinvesting.

Last year, ASISA reported that losses from fraudulent disinvestments and withdrawals almost doubled from the year before to R40.5 million, and the amounts involved in cases that were prevented were also up by more than R100 million to R287.6 million.

 

How to set good passwords and remember them

So how do you set good passwords and remember them without writing them on a piece of paper that you keep by your desk or carry around in your wallet?

Linda Morris, managing director of information technology company, Smart Technology Centre, says industry best practice is to use a combination of upper and lower-case letters, numbers and special characters. “Avoid using easily guessable information like birthdays or common words or dates,” she adds.

Morris recommends that you ensure your passwords are at least 12-15 characters long. “Passphrases” are highly recommended for enhancing your security profile: use a combination of random words that are easy to remember but equally hard to guess, for example Avo1dComm0nP@tternsInP@ssword$!

Although both the Chrome and Edge browsers offer built-in password managers, it's generally better to use a dedicated password manager, Morris says. “You should also avoid storing passwords in plain text on your computer; instead, use encrypted storage solutions, such as a password manager to bolster your security profile.”

Some examples of password vaults include: 1Password, Bitwarden, Keeper, Dashlane, NordPass, RoboForm, Proton Pass and Passbolt.


Multi-factor authentication

Banks may prevent your browser from storing your password and offer other ways of protecting you. For example, your bank may require an online transaction to be approved by you on your banking app.

“Many institutions prevent browsers like Google Chrome from storing or auto-filling banking passwords to reduce the risk of unauthorised access. They also enforce strong password requirements, ensuring you use secure credentials,” Beatrix van der Spuy, consultant attorney at Thomson Wilks Attorneys, explains.

Absa told Smart About Money that multi-factor authentication (MFA) is one of the most effective methods, as it requires you to verify your identity by way of an additional step beyond a password. The additional step may be to input a one-time pin (OTP) or use biometric verification.

Morris explains that MFA adds an extra layer of protection, making it much harder for unauthorised users to gain access to your account, even if they have the password. “MFA ensures that the attacker would still need the other factors to access the account, which makes it much less likely to be hacked by a data breach or phishing attack,” she notes.

Van der Spuy says you can set up MFA in the security settings for your account. Look for the option to set up MFA or two-factor authentication (2FA). Most providers allow you to enable it using an authentication app (such as Google Authenticator), SMS codes or biometric verification. Check the security settings on your email account too: most major service providers, such as Google and Microsoft in the case of Gmail or Outlook, support MFA on their email services, she adds.

“For investment accounts, MFA availability depends on the provider. Many financial institutions offer it, but if yours doesn’t, consider additional security measures like strong, unique passwords and account alerts. Always enable MFA wherever possible for maximum protection,” Van der Spuy adds.

 

Your thumbprint as a login method

While you can’t use biometrics to log into your desktop PC, this has become commonplace for banking apps on touchscreen devices. “Biometric authentication, such as fingerprint and facial recognition, further strengthens security by making it harder for unauthorised individuals to gain access,” according to Absa.

While it is convenient and secure, it’s not always foolproof, Van der Spuy says. Issues can arise: for example, if you have wet or worn skin, thumbprints may be unreadable on some devices.

Facial recognition can be affected by changes in appearance, such as glasses, makeup, or lighting conditions, Van der Spuy adds. She also notes that not all devices recognise biometrics equally well, and biometrics cannot be changed if compromised.

“Biometrics are a useful tool, but they work best when combined with other security measures for a more reliable and secure login experience,” Van der Spuy says.

 

AI fraud detection tools

“Banks and other financial institutions use machine learning and artificial intelligence to monitor your transactions and detect unusual activity, flagging and blocking suspicious behaviour before fraud occurs,” Van der Spuy explains.

But while you can take some comfort in this, you should keep your own beady eye on your statements and enable real-time transaction alerts to detect fraudulent activity as early as possible, Absa says.

If you pick up any fraudulent transactions, inform your bank or investment house immediately.

 

Good software matters

All internet-connected devices, including PCs, laptops and smartphones, should have antivirus or malware protection, Van der Spuy says. Morris advocates ensuring that all devices are protected with anti-virus software, and any software patches or updates have been installed.

Morris says cell phones are increasingly targeted by malware, and, while some come with built-in security features, additional antivirus software can provide enhanced protection.

If you have a reliable IT service provider, ask them about the best solution, focussing specifically on antivirus software and a malware detector.

 

Creating a “password puzzle”

Rather than storing passwords on your computer or writing them down, Van der Spuy suggests using the Password Puzzle Method to create unique, unguessable passwords that follow a logic only you understand:

  1. Start with the first and last letter of the application. For example, for Facebook, take F and K.

  2. Convert them into numbers. Use their position in the alphabet: F = 6, K = 11.

  3. Add your personal base password. This could be a word or phrase only you know, like "Sunset!92".

  4. Mix in a unique pattern. For example, insert your number sequence between parts of your base password.

Final password for Facebook: S6unse11t!92
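
The steps above can be written out as code so you can check the scheme against your own list of accounts before relying on it. This is an added example, not part of the original article: the insert positions are an assumption inferred from the Facebook example, and the list of applications is constructed. It also reports applications that share the same first and last letters and so end up with the same password.

```python
import string
from collections import defaultdict

# Assumption inferred from the article's Facebook example
# ("Sunset!92" -> "S6unse11t!92"): the first number goes after character 1
# of the base password, the second after character 5.
FIRST_POS, SECOND_POS = 1, 5


def letter_number(ch):
    """Position of a letter in the alphabet: A = 1 ... Z = 26."""
    return string.ascii_uppercase.index(ch.upper()) + 1


def puzzle_password(app_name, base):
    """Build the per-application password from its name and the base password."""
    # Ignore spaces, digits and punctuation in the application name.
    letters = [c for c in app_name if c in string.ascii_letters]
    if not letters:
        raise ValueError("application name needs at least one letter A-Z")
    if len(base) < SECOND_POS:
        raise ValueError("base password too short for the insert positions")
    first, last = letter_number(letters[0]), letter_number(letters[-1])
    return (base[:FIRST_POS] + str(first) + base[FIRST_POS:SECOND_POS]
            + str(last) + base[SECOND_POS:])


def reused_passwords(app_names, base):
    """Group applications that end up sharing one password under the method."""
    groups = defaultdict(list)
    for name in app_names:
        groups[puzzle_password(name, base)].append(name)
    return {pw: names for pw, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample list; the base password is the article's example.
    apps = ["Facebook", "Twitter", "Tumblr", "Gmail", "Netflix"]
    base = "Sunset!92"
    for app in apps:
        print(f"{app:10} {puzzle_password(app, base)}")
    for pw, names in reused_passwords(apps, base).items():
        print("same password for:", ", ".join(names))
```

Any group the check reports is a pair of accounts protected by one password, so those accounts need a different pattern or a password manager entry of their own.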