With increased awareness and understanding of scams and data breaches, people are increasingly concerned about protecting their data.
We've seen an increasing number of people, some well-educated and working in financial services, being taken for large amounts of cash through unwitting scams or just plain fraud.
If the people who should know better are getting taken in on these things, what chance do you have?
If you haven't read my earlier article on preventing payment fraud and increasing your account security to minimise any financial losses, go read that and then come back. That article may help more with financial transactions than this one will.
What I want to talk about here is managing your online security.
There are plenty of resources; you don't have to be a computer scientist to understand them.
Broadly speaking, there are three aspects you want to manage:
- Protecting your online accounts
- Protecting your identity and privacy
- Minimising your online visibility.
Protecting your online accounts:
Before we get too carried away, let's face the elephant in the room everyone overlooks: Your email account.
Your email account
Irrespective of the measures you take with what follows, if you do not lock down access to your email account, everything else is a waste of time!
What do I mean by this? Your email account is the lock that every key has to work in. If someone can easily access it, they can access everything.
"No, they can't", you say; however, every account you use has one common factor: your email address is sent the password reset request.
If there is one thing you need to do, it is secure your email account with a long secure password and turn on two-factor authentication.
- If your provider does not have two-factor authentication, you should consider moving your email account to a provider that does.
A secondary option here is to have a different, secured email address for all of your online accounts, one that you use for nothing but logins and never share publicly.
This means your publicly shared email address will not be the same one you use to reset your account passwords.
- Also, with Gmail accounts, if you add a +tag before the @ in your address when you sign up to sites, you can track which ones are selling your data and spamming you ;)
- For example, signing up with your Gmail address and +nzme added before the @ would highlight any spam caused by NZME.
- I'm not picking on them; just picking a media company out of the air.
Additionally, while it's convenient to have a joint email account for household use, don't have a personal account that others have access to.
- If you need to have a household one with your partner, have a household one and load it as a second account in your email app/client.
Email account action points:
- Don't share email accounts.
- Set strong passwords.
- Set up two-factor authentication.
Now that I have covered that, let's discuss securing things and locking everything down.
Passwords: Yes, this is the message you have been told for years.
Use good, strong, different passwords, and don't write them down.
- And yet, you're still using the same easy-to-remember password, and it's on a Post-it note on your monitor.
- Yes, if you feel you are being called out, you are being called out!
The simple answer is to bite the bullet and get a password manager.
The advantage of a good password manager is that you only have to remember one password: the one that unlocks the password manager app. A good one is:
- One that runs on all of your devices
- One with a "cloud" security and sync model
- One that is paid for. Yes, you need to pay for one. How much is your identity worth to you? What about your financial security? Just pay for the damn thing! :D
If it is free, then you are the product. Frankly, you're far more likely to have a breach because the developers don't have the money to run adequate security on their product.
- LastPass is the most recent example of this; it was the most popular "free" password manager at the time.
This Wired Magazine article discusses password managers and the best-paid options available currently.
- My preference is 1Password.
- Stay away from LastPass, as they have had severe data breaches.
Plenty of strategies have been discussed regarding passwords. The fundamental point is that they need to be long and have mixed characters, numbers, and symbols. The longer, the better.
- With current computer technology, an 11-character upper and lower case password (TheQuickFox) could be broken in 4 minutes.
- An 11-character password with numbers added (Th3Qu1ckF0x) is more secure at a whole 33 minutes.
- A 10-character password with symbols added (Th3-Qu1ck,) becomes 7 hours.
- And 11 characters (!Th3-Qu1ck,) becomes 29 hours.
Password Monster is a good place to play with ideas on what's a strong password and what's not.
As you may have gathered, the mixed-up phrase is more robust than a simple word with numbers that many people use.
- The,Quick*Brown!Fox, which is 19 characters, takes a more respectable two years to get through. It is weaker than its length suggests because it is a well-known phrase, and simple dictionary attacks are tried first.
- Adding a number, Th3,Quick*Brown!Fox, increases this to 6 years.
- This 18-character password I-live5In+Auckland becomes 22 years because it is a random collection of words.
- Taking it a bit further, Blue,water-sailing23 takes security on the password to 3 thousand years.
- And Blu3,w4ter-sa1ling23 is 34 thousand years.
- But common names mixed up like this, r1ch4rd=fr3d-J@m3s, is back to 1 hour.
It's not hard to make passwords more difficult; you just need to be creative while being mindful of things that make them weak.
This is where a password manager becomes invaluable. It stores multiple long, complex passwords you have no hope of remembering.
- This is an example from a password manager: evvQfcBM2o4qphH6sRMaUBsEvsAfixkX6gzXkH3RkacZdqfZ7N. It is 50 characters of gibberish and has a security of 200 trillion trillion trillion trillion trillion trillion years.
- A good password manager will also give you an indication of how strong a selected password is.
Yes, that's a bit extreme, but it makes my point.
Password action points:
- Get a good password manager and use it.
- Set passwords that are longer than 20 characters and meet a security test of better than OK.
- Do not reuse passwords.
Two Factor Authentication
The second aspect of password security is two-factor authentication, commonly called 2FA.
This is where you have your username and password and an additional "factor".
The extra factor is usually a code but could be a device.
- Many banks and tech companies with apps use their app on your phone as a second-factor confirmation.
- You log in with your username and password
- The site or app challenges you with a code or app confirmation.
- You confirm the code or app confirmation, and the site/app lets you in.
Banking apps and tech companies may push a login request to your device. You must open their phone app and confirm the login to proceed.
- I have seen Google do what appears to be both sometimes: they trigger a push to the phone app and show a number on the screen you are attempting to log into.
- You confirm the login in the Google app and verify in the phone app the number from the login page to get in. This process is more of a PassKey than 2FA, which I discuss shortly.
The Google version is not only checking on your authorised device that you approve the login.
- It also ensures you aren't just pushing the button for an unauthorised login.
- It does this by confirming you know the login is happening, using information from the screen being logged in.
You need to have an app separate from your password manager for two-factor authentication.
- Some password managers also include one-time password (2FA) management.
- However, if your 2FA code is also accessible with your username and password in your password manager, you haven't achieved the level of security needed if your password manager is compromised. See the comments about LastPass above.
Most people will look to Google Authenticator or Microsoft's equivalent. The challenges with these apps are that they reside on a single device only, they cannot be backed up, and if you lose your phone, you'll be locked out of everything.
- I prefer Authy because it's developed by a blockchain security company. They also provide access to multiple devices and secure backup.
Two Factor Action Points:
- Set up an app for two-factor codes.
- Progressively set up and turn on two-factor authentication on ALL of your accounts.
- Your password manager should highlight accounts that have 2FA available.
Is this getting too complex for most? Yes, it is.
This is why standards have been developed to remove passwords entirely and replace them with device-based biometrics and security tokens.
- All stuff you don't have to understand to use, but you do need to enable as you go.
- You can only use the new tech with a good password manager.
This new development is called Passwordless authentication and is referred to as PassKeys.
- This article from the people behind Okta Speedtest covers it well.
Your current Android or iPhone device already supports this, and you can start using it today.
This is relatively simple to implement with sites that have it available:
- You enter your account email address to set up an account.
- They send you a verification email
- You click through and confirm.
Biometric PassKey
- The site then sends your device a token to save as your PassKey
- When you log into that site in the future, you will be prompted to log in to your device and confirm your identity. This happens locally and is primarily your phone lock pin, FaceID or TouchID.
- Your device then confirms to the site authorisation of your token, and you get logged in.
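An added sketch of the registration and login steps just listed, simplified from WebAuthn and not code from this article, Okta, Google or any passkey implementation: the device keeps a private key, the site keeps only the public key, and each login signs a fresh challenge together with the site identity. It goes one step past the text to show why that binding matters: a look-alike site relaying the genuine challenge still fails verification. Site names and the credential ID are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Site (the relying party) stores only public keys; Device holds the private keys, which never leave it.
type Site struct {
	ID    string // the site identity every signature is bound to (names used below are constructed)
	creds map[string]*ecdsa.PublicKey
}
type Device struct{ keys map[string]*ecdsa.PrivateKey }
func NewSite(id string) *Site { return &Site{ID: id, creds: map[string]*ecdsa.PublicKey{}} }
func NewDevice() *Device     { return &Device{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a key pair for this site; the site receives and stores only the public half.
func (d *Device) Register(s *Site) (string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	credID := s.ID + "#passkey-1" // constructed credential identifier
	d.keys[credID] = priv
	s.creds[credID] = &priv.PublicKey
	return credID, nil
}

// Challenge issues a fresh random nonce per login, so a captured signature cannot be replayed.
func (s *Site) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the challenge to the site identity; this binding is what defeats look-alike sites.
func signedData(siteID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(siteID+"|"), challenge...))
	return h[:]
}

// Sign runs on the device after the local unlock (PIN, FaceID or TouchID); siteID is the origin the device is actually connected to, supplied by the browser or OS, not whatever the page claims.
func (d *Device) Sign(credID, siteID string, challenge []byte) ([]byte, error) {
	if priv, ok := d.keys[credID]; ok {
		return ecdsa.SignASN1(rand.Reader, priv, signedData(siteID, challenge))
	}
	return nil, fmt.Errorf("no passkey registered for %q", credID)
}

// Verify checks the signature with the stored public key and the site's own identity.
func (s *Site) Verify(credID string, challenge, sig []byte) bool {
	return s.creds[credID] != nil && ecdsa.VerifyASN1(s.creds[credID], signedData(s.ID, challenge), sig)
}

func main() {
	site, dev := NewSite("bank.example"), NewDevice()
	credID, _ := dev.Register(site)
	ch, _ := site.Challenge()
	genuine, _ := dev.Sign(credID, site.ID, ch)
	relayed, _ := dev.Sign(credID, "bank-example.evil", ch) // look-alike site relaying the real challenge
	fmt.Println("genuine:", site.Verify(credID, ch, genuine), "phished:", site.Verify(credID, ch, relayed))
}
```

Nothing reusable crosses the wire: a breach of the site yields public keys only, and a signature captured in transit is tied to one challenge and one site.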
Magic Link:
Another approach is to have an email sent to your email address where you click through from that to log in.
- This is why you must ensure your email account is secure.
SMS 2 Factor
Another way may be to send you a one-time code by SMS that you then use, no password, just the code delivered to you through a different or disconnected pathway.
- For the paranoid, this has its vulnerabilities with phone cloning, which I also discussed in the transaction fraud article I referenced.
Push App
I covered the last form of passwordless access above, with the Google app example. In this version, the site pushes the confirmation to a trusted device or app, and you have to confirm a code presented with the login.
These are infinitely better than the traditional username and password alone. However, all of them also rest on the assumption that your email account has not been compromised. That could be a big assumption!
As we move toward a more paperless digital world, your email address will be tied directly to your identity, meaning that anyone able to access your email account could masquerade as you.
For now, we are in the transition stage from username and password with 2FA to passwordless access management, and we have to keep a foot in both camps.
Passkey Action Points:
- Not much, and this is the point: between the account provider and your device, there is not a lot extra you have to do. This is the appeal of the new approach.
Single Device Risk
One of the risks with all of this is for people with a single device. If you only have a phone enabled with all of this and you lose it, or it is damaged and inaccessible, you won't have a fun time.
The other risk is that, in setting everything up securely, you may forget or misplace your one-access password.
There are a few ways to manage this:
- Many of the two-factor authentication tools produce additional backup codes.
- Print them and keep them in a safe place (i.e. a safe that is not next to the computer)
- Applications like 1Password, and some tech companies' apps, produce a "paper" or manual recovery document.
- If you get so stuck that you have to start with the piece of paper, it has all of the links and codes on it that you can manually type in and use.
- Again, store these in a safe that is not next to the computer
Secure Recovery Setup
Unless you are in a high-profile position or a target for some other reason, your typical risk on the above will not be physical or in your home. It is an online and digital problem.
This means keeping appropriate paper documents in a safe file at home is not an unreasonable approach to critical access information.
Most of this is about taking reasonable precautions to make it hard for scammers and hackers to access your information, so that they move on to other people and leave you alone.
If you are a high-profile target and they are coming for you specifically, then you need more help than I'm going to provide here.
Once you understand this and implement it, it is reasonably easy to manage and maintain.
- You have probably been doing what is needed to manage this when you run into trouble, such as hitting the forgot password link.
Remember, when you update a password, use your tools to create secure passwords and save them in your password manager.
What about password and account recovery?
Oh, you mean where you went to school? What's your favourite colour? What's mum's maiden name? etc.
In simple terms, lie about these. It is not hard for someone to figure these things out, especially if you have lived in the same area all your life.
- Make them up and make notes of them in your password manager so you can recover your account if you do get stuck.
- Where did you grow up? Japan
- Where did you go to school? Colorado
- What was your mother's maiden name? Harry Styles
- What was your dog's name? Six hundred and forty-two
The answer doesn't matter; the system asking the question is only looking for the answer to match what you set up when you set up the account.
- And clearly, I'm not using these examples, and nor are you!
The other one that gets asked for is your date of birth. Again, unless it is needed for government ID or contract purposes like life cover, lie about it.
- When were you born? 1/1/1990
Close enough to when you were born, while being completely useless for identity theft purposes.
- Even better if you use the same false DOB for all of your accounts: it confirms the wrong DOB to scammers and prevents them from matching it against your credit records and official ID documents if they try.
Again, make notes as you go in your Password Manager or secured documents so you don't lock yourself out by being too clever.
Password & Account Recovery Action Points:
- Understand and store appropriately what your account recovery requirements and procedures are
- Store backup codes securely.
- Change your recovery answers to ones that cannot be traced back to you.
VPNs - virtual private networks
Last but not least, VPNs (virtual private networks) for protecting your traffic and accounts.
People will ask: are these necessary?
Most of the time, you're probably OK if you're not doing something dodgy or illegal.
Today's web browser technology uses HTTPS for communications, where the connection from your web browser to the website is secured with strong encryption and difficult to intercept and view.
However, those with physical access to network equipment could still access things. The intermediate equipment is part of the security negotiation for HTTPS to work, which means they can potentially access traffic without encryption.
This is where using a VPN becomes useful. It establishes a secure tunnel from you to a server network that "hides" your traffic in an encrypted system.
- This is achieved with public key encryption: you can encrypt traffic, but you cannot decrypt what you have encrypted, and neither can anyone who intercepts your transmitted data.
- Your web browser then creates a secure connection to the server you are using, and you can operate from there.
- Your telco provider cannot then view your encrypted traffic because it's in the VPN tunnel that has been established.
Most of the time, you will be fine with this if you are using your own mobile data or in a trusted environment like your home or workplace.
Where you need to be using a VPN is on any public network, the hotel, airport, cafe, public library, city public Wi-Fi, you get the idea.
The issue with Wi-Fi is that the initial communication from your device may be intercepted by a bad actor, and then they have access to all of your traffic. This is called a man-in-the-middle attack, and it is very easy to do.
VPN Action Points
- If in public, do not connect to Wi-Fi without a VPN
- Turn off all settings for auto-join or auto-reconnect and manually connect to networks to protect your security.
Protecting your identity and privacy:
I've touched on both of these with my comments above. There are specific things you can do to improve your chances of avoiding identity theft.
- Manage who and what systems have your actual Date of Birth.
- Manage who has copies of your identity documents and understand how they store and handle them.
- Protect your physical home address; use a PO Box or mail receiver where the address information may be public.
- Lock down and protect your primary identity email address, which I covered above.
- Store physical documents in a locked cabinet, safe, or deposit box. (Level of risk and exposure targeting considered)
- Use secured and authorised services to verify identity. Here in New Zealand, we have RealMe, a government-managed digital identity service.
- It works with all Government agencies and some private businesses.
- RealMe was recently included in a Commerce Commission paper on improving digital security for financial services.
- If you don't have a fully verified RealMe ID with photo ID, etc., get this done, as it is a foundation for your digital identity verification.
- If you have this verified and confirmed, a bad actor can't then impersonate you and establish your digital identity instead.
- Monitor your credit score; it's free and lets you spot, and receive alerts about, any credit enquiries made about you. ClearScore is a provider here.
- Close and shut down accounts you no longer need.
- Change the information held in these accounts before you close them, too.
- You don't know what may remain on their system once the account is closed, and you want to avoid having your actual information exposed if they have a data breach.
- Check and use any security reports from your tools.
- 1Password has a feature called Watchtower, which highlights potential vulnerabilities and improvements you can make to reduce your risk.
- Other security tools have something similar.
- Check whether your accounts appear in known breaches at https://haveibeenpwned.com/
- Install and keep antivirus and malware tools up to date.
- Install them on your mobile devices, too.
- Use a VPN in public places, and only connect through public Wi-Fi and network services once your VPN is up and active.
While nothing is 100% effective, following the above will significantly reduce the risks of you being compromised.
Reducing visibility:
In some ways, this is an effect of doing the above; you have less visibility due to removing or reducing your digital footprint.
If you want to really get serious, you can be quite effective in going "off grid," but it takes significant diligence and discipline to achieve this.
I won't go into disappearing in detail; it's not the scope of what I'm trying to achieve here.
When it comes to online invisibility, the best resource I have found in one place is Kevin Mitnick's book "The Art of Invisibility".
- I enjoyed this as an audiobook. It discusses ways to minimise your visibility, even when the authorities are looking to track you down.
- No, this isn't just for hackers and criminals avoiding the authorities; it also helps you evade the attention of hackers and criminals.
- Kevin's book covers many of the concepts above and more, combining them to protect your visibility.
While Kevin was a hacker who was eventually tracked down and prosecuted by the FBI, he went on to a significant career as a white-hat security specialist, passing away in 2023 from pancreatic cancer at age 59.
So you've got to the end of this; why should you listen to me?
While I am a financial adviser in life and medical insurance, before financial services I held roles in information technology design, engineering, and management, with an interest in security and communication systems.
Additionally, today's responsibilities of a modern financial services business demand both privacy protection and digital security measures to ensure client information is managed appropriately.
As the director in charge, I have to consider all of these issues and take effective action on them. As a client, you need to know what we are doing to protect your information and privacy while also taking care of what you have control over.
I can't protect your privacy outside what we have control over and do.
If you haven't met the minimum requirements to protect your privacy, you are your own weakest link, and that remains your most significant risk.