
Northwest Bank Podcast

As we observe Data Privacy Week, Northwest Bank's Chief Information Security Officer, Jamie Saker, joins us to discuss the importance of proper password hygiene.  He offers some best practices to help you keep your innumerable usernames and passwords straight and discusses the importance of password complexity when it comes to keeping your personal data safe from bad actors.


Northwest Bank.  Equal Housing Lender.  Member FDIC.

What is Northwest Bank Podcast?

As a business and community focused bank working all day, every day with business leaders, we discuss what's effective in highly successful businesses today. Each episode features an interview discussing business practices on topics such as: company culture, fraud prevention, change management, economic data, wealth management tips, and more.

You can find more content like this on our website: https://www.nw.bank/newsroom/education/podcasts


00;00;08;01 - 00;00;48;24
Unknown
Welcome. Thank you for joining us. I'm Luther Lampert, Director of Digital Banking Strategies with Northwest Bank. We're kicking off our very first Q&A session with easy tips to keep your personal and financial information secure. January 21st through the 27th is Data Privacy Week, and our goal is to spread awareness about online privacy among individuals and organizations. The goal is twofold: to help consumers understand that they have the power to manage their data, and to help organizations understand why it's important that they respect their users' data.

00;00;48;27 - 00;01;18;23
Unknown
With me today is Jamie Saker, chief information security officer with Northwest Bank, formerly the head of I.T. and Enterprise Risk for a global financial processor. Jamie has been a cybersecurity and technology risk leader for over 25 years. In addition to his cybersecurity leadership, Jamie is active in design, cybernetics research, travels with his rescue pup and resides on a farm in rural southwest Iowa.

00;01;18;25 - 00;01;45;14
Unknown
Jamie, data privacy and security is a huge topic and one I'm sure that you could discuss at length. But today I want to focus on account access and, more specifically, the usernames and passwords we use to log into each of our accounts. Now, we all manage so many different logins: our phone, our watches, Facebook, personal email, Amazon, online banking.

00;01;45;16 - 00;02;10;22
Unknown
Then when you get to work, we've got our work computer and credentials and all the different programs we rely on to do our jobs. So with so many different username and password combinations, why is it important that I make the effort to make different username and password combinations for each of my logins? Yeah, really good question, Luther. And let's talk about why it's absolutely imperative.

00;02;10;24 - 00;02;35;10
Unknown
Really, one of the foundational things you want to do is to have a unique password with every one of your accounts that you use that's exposed online. A really great way to explain that is in a typical scenario that we see the attackers go through, that really goes through about four stages. Now, the first stage an attacker is going to go through is, they're going to try to compromise a website someplace.

00;02;35;10 - 00;03;01;28
Unknown
Let's say I'm a small business with my office. Office 365 is my email account that I use with my company. I've got banking accounts, credit card accounts. I've got a lot of, you know, other services out there. And I've got personal things I do, like maybe I've got a gym membership. And, you know, recently we've seen several national gyms undergo hacking attacks where the bad guys get in and go through this first stage of what we call a credential harvesting attack.

00;03;02;00 - 00;03;24;04
Unknown
These are professional hackers that are simply out there trying to steal usernames and passwords and anything else that they can get out of those databases. So the bad guys go in, they get into that database for your gym membership. They download the entire database. And what's going to be in that database? You're going to have things like your first name, last name, your address, maybe you've got some payment information.

00;03;24;04 - 00;03;45;01
Unknown
Sometimes that's not even necessary. They have a credit card on file. Hopefully that's not going to be in there. But you're going to have things like your email address, your password that you used to log into the gym is going to be in there, and maybe some other really interesting stuff like your age and so on that can really lead to some problems in the subsequent stages.

00;03;45;03 - 00;04;08;04
Unknown
So the bad guys take that information, they package it up and they list it for sale on a dark web online marketplace. And that's really the end of that first stage. That's all those credential harvesters do. That's a business for them. They get paid when someone comes along and says, You know what, I'm going to buy up a database of people, I'm going to grab all that information and I'm going to run it through my tools on the next stage of the hack.

00;04;08;07 - 00;04;42;01
Unknown
And I'm going to do things like what we call password spraying. So I'm going to have a list of maybe a couple hundred different websites out there on the Internet, things like Google, Facebook, Bank of..., you know, large national banks, credit card companies, even things like Intuit QuickBooks logins. All of those are going to be out there, and they know the services that require a username, which is typically around, perhaps, the email address.

00;04;42;02 - 00;05;00;24
Unknown
So my Office 365 email is my username, and if I reused that password, they're going to be able to either quickly get into that or see that they are super close to getting into that. They might have one more step to do. So back to our scenario now. The bad guys have identified some potential sites to walk into.

00;05;00;24 - 00;05;38;18
Unknown
I've got a bank that seems to be responding to the email address, some shared password. I've got a LinkedIn account. I've got, obviously, the Office 365. So that takes them to the next stage. And now we're into the third stage, really kind of curating the compromised intelligence that they have on their targets. So in the third stage, the bad guys are going to come along and they may be missing a piece, like maybe they have to have an SMS text, maybe they have to reset a password or have something else to allow them to get in.

00;05;38;25 - 00;05;55;18
Unknown
We see in that third stage a lot of cases where, if you have shared the same password with, say, your mobile provider, your Verizon account or T-Mobile, they log in there and they're able to say, Hey, I just bought a new phone. I want to copy all my stuff to this new phone that's in my hands and turn off the other phone.

00;05;55;20 - 00;06;15;00
Unknown
And that's where now they can get your SMS messages as well, complete that login process, and that brings them to the fourth stage, which is really what we call on the cyber side of things "actions on objectives." They're in your banking accounts, your credit card accounts, whatever they have that they can then start to move money around and drain your wallet.

00;06;15;02 - 00;06;39;03
Unknown
So by not sharing that password, immediately you're going to be so much more secure, because they can't do that reuse that we see so commonly. Okay, so now how do I go about actually maintaining different usernames and passwords for, you know, dozens, if not hundreds, of different logins that we have? Are there tools that are available and reliable to help me do that?

00;06;39;05 - 00;07;00;25
Unknown
You're absolutely right. You know, I looked the other day at how many passwords I try to maintain, and it's got to be north of 500 with all the different, you know, personal things, work things. It seems like every different cybersecurity solution we have requires a different login. So you've got to keep those organized. And I really recommend that everyone should have at least two kinds of tools in their arsenal.

00;07;00;27 - 00;07;20;07
Unknown
The first tool is going to be a password manager. Some people call them password vaults. They're functionally the same thing. It's an application that either is on your mobile device, or sometimes can also be shared in a cloud. We're going to talk about that in a second. But it allows you to securely store your passwords in that application.

00;07;20;10 - 00;07;39;22
Unknown
Now, there are a couple of ones I like to work with. One is called 1Password. Another one is called Keeper. There are a lot of other ones out there. And rather than recommend a specific brand of a password vault, I really encourage people to think about the kind of use they want to have. There are password managers that keep everything just on your device.

00;07;39;24 - 00;07;54;26
Unknown
Now, as long as you're backing up your device, say, to the Apple cloud or Google Cloud or whatever, you're going to be fine if something happens to your device. But it could be a little bit inconveniencing if you have to go a couple of days before you've got a replacement phone and you've got that backup restored, etc.

00;07;54;26 - 00;08;16;29
Unknown
That could be pretty impactful. I like to use password managers that also store things in a secure encrypted cloud and allow me to log in through a web browser to that same cloud. So I use the same password manager to maintain my web passwords. So when I'm logging on to my personal banking account, I've got access to that information there as well.

00;08;17;01 - 00;08;42;02
Unknown
Those kinds of password managers are really cool to use. You know, look at what kind of cloud storage you want to have versus on your device only. And then a lot of them have some extra features, things like they will help recommend passwords for you too. That's typically built into these, recommending secure passwords. That's one way that we can go about generating a secure password in those applications.

00;08;42;04 - 00;09;05;16
Unknown
The other tool I think you're going to want to have in your arsenal is a multifactor authenticator. There's a good variety of them out there. Google's got a great one. Microsoft has a really good one. There are other ones, I think Keeper and some other brands of authenticators are out there. These are the applications that you install on your mobile device and you open them up.

00;09;05;16 - 00;09;29;12
Unknown
Sometimes they'll ask you for a biometric like your thumbprint. Very important to have your password manager and your multi-factor authenticator using a biometric when you log into those. That's going to allow you to set up that multifactor exchange between the sites that you're using and your device. So we really have multiple factors occurring in that case.

00;09;29;12 - 00;09;47;08
Unknown
We have a password that's very secure that we've used, and then we have the multifactor authentication, but we also have our biometric and the fact that it's our device and we know it's our device really makes that a lot more secure. Those are really the two most important things I think are necessary for setting up an account.

00;09;47;08 - 00;10;17;03
Unknown
But the last part really is applying those two pieces together. You know, I would go to every single website, every service I have out there, Facebook, Google, Gmail, everything, and turn on that multi-factor authentication. Even with Twitter, we saw the other day that the Securities and Exchange Commission had their Twitter account compromised, and there was some really interesting activity around Bitcoin trading that occurred because a bad guy got in and made an announcement that looked like it was official.

00;10;17;06 - 00;10;41;23
Unknown
Good chance that multi-factor authentication was not being used in that case. And you can see why even an account like Twitter could really be something you want to control closely, especially with your business. Okay. So now, whether I'm managing my own passwords or I'm using a password manager to help me do that, what are some of the things I need to know to make sure that the passwords and usernames I'm creating are strong and actually going to help keep me protected?

00;10;41;26 - 00;11;07;21
Unknown
Yeah, there's some really interesting math around the ability for a hacker to crack open a password. You know, with the acceleration of what are called GPUs, or graphical processing units, that are used to run some very strong cryptographic computational processes, bad guys can break into simple passwords in a matter of seconds to minutes to, maybe in the worst possible case, days.

00;11;07;23 - 00;11;34;24
Unknown
Well, now what do I mean by a simple password? A seven or eight character password that's just lowercase. That's going to take literally seconds to minutes to brute force all potential possibilities there and get in, a lot of times even faster than that. Now, if we go to, say, a 12 character password that's got numbers and lowercase letters, we're talking about months to maybe years to break into it, depending on, you know, some complexities there.

00;11;34;26 - 00;12;05;03
Unknown
What you really want to have is a password that's got lowercase, uppercase, numbers and special characters, and that can sound like a lot, especially if you don't have your password manager with you to create the password. But there's a little cheat that I like to do. And it's kind of coming from old school cybersecurity practices where we had a way to notate things that we call leet speak, l33t. We like to spell words in a hacker style.

00;12;05;03 - 00;12;29;17
Unknown
You might see this on TV shows like Mr. Robot, where we're replacing letters with special characters and numbers, for instance. And so I like to make a password. It's like "peanut butter Taylor Swift," and that's going to be my password basis, but I'm going to put that through that leet speak process. So we're going to substitute out the words like "peanut" with a combination of the numbers and the letters.

00;12;29;17 - 00;13;04;28
Unknown
So I'm going to have an uppercase P. The three is my E, I'm going to replace my A with an at sign, and U, T. And there I've got already, just in a couple of letters, a little bit more complicated of a word to crack open. I might put a dash between each of my words, so peanut, dash, butter, dash, Taylor, dash, Swift. And by substituting those special characters and numbers for any of the symbols, you know, an E becomes a three, an A becomes an at sign, etc., suddenly I've got a really secure password that's 16 to 20 characters long.

00;13;05;00 - 00;13;23;18
Unknown
And yet all I remember is something very simple. So that's one way, if we have to go create a password when we're not using a password manager, to do that. Now obviously, you know, we're going to want to put those passwords in the password manager anyway. So sometimes the best practice is just to use that password manager in the first place.

00;13;23;18 - 00;13;46;21
Unknown
Well, it's great to know that there are several different options out there to help me manage my passwords and make sure that my information stays secure. But Jamie, in lieu of doing all that, what is one simple thing that you see people not doing that they should be doing to keep their information safe?

00;13;46;24 - 00;14;08;19
Unknown
Probably the best thing that's not commonly put out there is to have a practice of password management hygiene. Go back from time to time and take a look at when you're resetting passwords. Not all services are going to tell you you need to reset a password, and passwords become stale. Just think of it kind of like stuff sitting in your refrigerator.

00;14;08;19 - 00;14;37;23
Unknown
You know, it's been in the back of the refrigerator for a year and a half, and that's probably something I want to think about. Because if a website, like a gym I go to or some other, you know, I signed up for a grocery store discount card, they never ask me to reset my password. Those are the same kind of places that are going to see those databases compromised on a more frequent basis, because they're just not seen as more important to secure than, say, a bank or credit card company that has all sorts of regulations around protecting their websites.

00;14;37;26 - 00;14;59;27
Unknown
Now, a grocery store discount website giving you coupons and such just probably isn't going to have the same level of security. And so you're going to want to go through and just, you know, eyeball from time to time the passwords that you have in there and just go out and reset them. That's especially concerning when you're sharing the same email address, to that point.

00;14;59;28 - 00;15;22;13
Unknown
One other thought, too, is to set up and use a different email address for the non-essential things, the more insecure things. Not only do you control your email so it doesn't come into your work or personal account, it goes to your junk account. But then if the bad guys compromise that gym membership website, the only email account they're going to get there is that junk account.

00;15;22;13 - 00;15;48;23
Unknown
They're not going to even know how to log into your bank or your credit card with the proper email account that you are using for that. Unfortunately, regardless of these steps and proactive measures being taken, it's still possible that your information becomes compromised. And Jamie, in that case, what's the best way to be prepared and know what to do if you believe your information has fallen into a fraudster's hands?

00;15;48;25 - 00;16;14;00
Unknown
One of the things we practice at the bank is simulating and playing the bad event happening. I think a tremendous practice for password management, account management, is to actually role play. What am I doing today if I just learned that I've had some of my email accounts, my passwords, compromised, and I'm seeing activity of it in different places?

00;16;14;00 - 00;16;39;25
Unknown
What am I doing? If you think about, you know, you're over in France, you're walking through Charles de Gaulle Airport and suddenly you discover your wallet has been taken from you. What are you going to do if you don't even remember which credit cards, which identity artifacts, your driver's license, etc., were even in there? You have no real recollection other than I'm pretty sure these three or four things were in there, but I probably had 17 other things in there.

00;16;40;02 - 00;16;58;03
Unknown
That's not where we want to be. So this is another reason that the password manager is really going to be your best friend, because that is your vault, that's your inventory of identities that you are maintaining. You can go to that vault, and some of the password managers allow you to tag different things.

00;16;58;03 - 00;17;27;12
Unknown
Like these are my financial accounts, these are my social accounts, etc. It's a really great practice to tag them, because then you can know immediately, when you log into the website because my credentials have been somehow stolen someplace, which are the most important things in my vault that I need to start acting on. What does that look like? Obviously, some of the first things we want to be doing are calling our financial management partners, our banks, our credit card partners, etc.

00;17;27;15 - 00;17;47;01
Unknown
But we also want to think about some other things. You know, do we have an exposure if we have our email compromised? What about our accountants, other people that are trust relationship partners with us in the way that we do business? And I want to put that out there for a reason. We are seeing such a tremendous uptick in what's called synthetic fraud.

00;17;47;03 - 00;18;09;29
Unknown
We had a recent case of an Iowa business that had their Office 365 account compromised. It was a case where they were using just their password without multifactor authentication, and then they were sharing that password with lots of other different websites. So the Russians in this case actually got into the Office 365 account and they started looking around: who does this business do work with?

00;18;09;29 - 00;18;40;15
Unknown
Well, here's their bank, here's their insurance provider, here's their accountant, you know, here's their TurboTax or their QuickBooks account. All of this stuff is just stored there for the bad guys to pick through and determine how they're going to attack. I mentioned synthetic identity attacks. In cases like this, Russians, Chinese and other threat actors love to create a synthetic identity that really looks completely legitimate, down to actual pictures stolen from LinkedIn.

00;18;40;18 - 00;19;06;15
Unknown
They create driver's licenses, passports, whatever, that look very legitimate. And they use those to posit that they are a partner to this business that has been brought into a trust relationship, like with a bank. And so recently we've seen cases of this, that we've shared with federal intelligence, where a business was asking to have a brand new account and to be brought in to help them with doing things like wire transfers.

00;19;06;17 - 00;19;32;23
Unknown
Fortunately, you know, we were able to detect that and help protect their bank customer. But again, if you have no awareness of what credentials you're trying to manage, you don't even know where to start, and you might not be quick enough to respond to the threat when it occurs. So I really recommend going back to that principle of simulate in place: simulate what the bad scenario would look like, and then rehearse it, play it through.

00;19;32;26 - 00;19;50;24
Unknown
You're going to find things to really kind of tighten up your practices. You're going to do a better job inventorying things, and you're even going to tag things. So when the bad day eventually does happen, you're going to be faster than the bad guys that are trying to attack you. That's great advice, Jamie. Thank you so much for joining us today.

00;19;50;26 - 00;20;31;15
Unknown
Thank you. I really appreciate it. And to quickly recap, here are some ways to keep your account information secure. Make sure to use different usernames and passwords for each individual login that you have. Use a password manager to help you keep track of your various login credentials. Use strong, complex passwords on each account to protect your information. Make sure you change your passwords periodically, and have a playbook of what to do in the event that your personal information is compromised.

00;20;31;22 - 00;21;03;00
Unknown
To monitor your Northwest Bank login information, Northwest Bank offers account alerts so that you can be notified any time anyone attempts to log into your online banking account. If you aren't already enrolled in account alerts, you can set these notifications up by clicking "Manage Alerts" the next time you log in to Northwest Bank's online or mobile banking. Thanks for listening today. Keep checking our website, nw.bank, for more conversations like these and to stay up to date on financial best practices from Northwest Bank.