by P.J. DiNuzzo August 8th, 2014
Russian Cyber Gang Computer Hackers & 6 Steps for Stronger & More Secure Passwords
As an SEC Registered Investment Adviser, DiNuzzo Index Advisors, Inc. is subject to federal laws requiring it to protect non-public information about its clients. We also have clients in numerous states subjecting us to various state privacy laws. We take our obligations under federal and state privacy laws very seriously.
As you may be aware, it has recently been announced that a Russian group of hackers has successfully collected upwards of 4.5 billion records, consisting of usernames and passwords for email accounts, banking accounts and various other third-party websites. These records were not necessarily taken directly from individuals, but were likely stolen from service providers whom individuals entrusted with that information.
We have no reason to believe that our systems or server have been affected at this time. However, as a client of ours, we do want to make you aware of this situation and provide you with advice to protect yourself and your assets at this time.
Protecting
You should use a different password for each account that you use. Try to avoid passwords that contain personal information, such as your name, date of birth, etc. The longer your passwords are, the more secure they generally are against hacking. You should regularly change your passwords (i.e., every 90 days) for accounts that contain important information or have access to your assets. In addition, you should regularly change your passwords for email addresses that are on record with your bank and custodian. Lastly, to remember all these passwords, consider using a password manager such as LastPass, Dashlane or F-Secure.
Monitoring
Under Federal law, you are able to view two free reports from each Credit Reporting Agency per year. The best way to catch identity theft early is to frequently view your credit report. Get your free credit report through the federal Fair Credit Reporting Act by going to www.annualcreditreport.com, or by calling 1-877-322-8228.
In addition to reviewing your credit report, you should regularly review all of your account statements and balances from your credit card companies, banks, and custodians.
Victim
If you believe that you are a victim of identity theft, you should immediately place a fraud alert on your credit report and request a copy of your credit report. Call one of the three credit reporting agencies to place a fraud alert on your credit report, and request a free copy of your credit report. A fraud alert lasts 90 days, after which you can renew it by calling the Credit Reporting Agency again. A Credit Reporting Agency is required by law to notify the other two when a fraud alert is placed on your credit report. Look for any new accounts that you did not open, especially anything in collections. Many times your credit report is the only way to detect fraudulently opened accounts.
After placing a fraud alert on your report, you should report the identity theft to your local police department. In addition, you should contact the Federal Trade Commission by calling 1-877-438-4338 or going online to www.ftc.gov/idtheft. Lastly, you may want to place a security freeze on your credit reports.
Password Protection
Security threats have long been part of online life, but the increased attention on them makes now a good time to review ways to protect yourself.
If there’s a reason to believe any of your passwords might have been compromised, change them immediately. One of the best things you can do is to make sure your passwords are strong.
Here are six ways to fortify them:
1) Make your password long. The recommended minimum is eight characters, but 14 is better and 25 is even better than that. Some services have character limits on passwords, though.
2) Use combinations of letters and numbers, upper and lower case and symbols such as the exclamation mark. Some services won’t let you do all of that, but try to vary it as much as you can. “PaSsWoRd!43” is far better than “password43.”
3) Avoid words that are in dictionaries, even if you add numbers and symbols. There are programs that can crack passwords by going through databases of known words. One trick is to add numbers in the middle of a word – as in “pas123swor456d” instead of “password123456.” Another is to think of a sentence and use just the first letter of each word – as in “tqbfjotld” for “the quick brown fox jumps over the lazy dog.”
4) Substitute characters. For instance, use the number zero instead of the letter O, or replace the S with a dollar sign.
5) Avoid easy-to-guess words, even if they aren’t in the dictionary. You shouldn’t use your name, company name or hometown, for instance. Avoid pets and relatives’ names, too. Likewise, avoid things that can be looked up, such as your birthday or ZIP code. But you might use that as part of a complex password. Try reversing your ZIP code or phone number and insert that into a string of letters. As a reminder, you should also avoid “password” as the password, or consecutive keys on the keyboard, such as “1234” or “qwerty.”
6) Never reuse passwords on other accounts – with two exceptions. Over the years, I’ve managed to create hundreds of accounts. Many are for one-time use, such as when a newspaper website requires me to register to read the full story. It’s OK to use simple passwords and repeat them in those types of situations, as long as the password isn’t unlocking features that involve credit cards or posting on a message board. That will let you focus on keeping passwords to the more essential accounts strong.
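The checks in steps 1, 2, 3, 5 and 6 can be applied mechanically to a list of accounts. The following Python sketch is an added example, not part of the original letter; the word list, personal details, account names, passwords and the "three of four character classes" threshold are all constructed assumptions.

```python
import string

# Constructed sample data: tiny word list and personal details (assumptions).
DICTIONARY = {"password", "dragon", "sunshine", "welcome"}
KEYBOARD_RUNS = ("1234", "qwerty")
PERSONAL = {"springfield", "62704", "rex"}   # hometown, ZIP code, pet name

def check_password(pw, personal=PERSONAL):
    """Return the list of step numbers (1, 2, 3, 5) that pw fails."""
    low, failed = pw.lower(), []
    if len(pw) < 8:                                   # step 1: minimum length
        failed.append(1)
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    if sum(any(c in cls for c in pw) for cls in classes) < 3:
        failed.append(2)                              # step 2: mix of classes
    if any(word in low for word in DICTIONARY):       # step 3: dictionary word,
        failed.append(3)                              # even with digits added
    if any(p in low for p in personal) or any(r in low for r in KEYBOARD_RUNS):
        failed.append(5)                              # step 5: easy to guess
    return failed

def audit(accounts):
    """accounts: {name: (password, essential)}. Returns {name: [failed steps]}."""
    report = {}
    for name, (pw, essential) in accounts.items():
        if not essential:          # step 6 exception: throwaway accounts
            continue
        failed = check_password(pw)
        if any(other != name and opw == pw
               for other, (opw, _) in accounts.items()):
            failed.append(6)                          # step 6: reused password
        if failed:
            report[name] = failed
    return report

# Constructed sample accounts (not real credentials).
ACCOUNTS = {
    "bank":      ("password123456", True),
    "email":     ("Tqbfjotld!2014x", True),
    "custodian": ("Rex62704", True),
    "broker":    ("Tqbfjotld!2014x", True),
    "news-site": ("news1", False),
}

if __name__ == "__main__":
    for account, steps in audit(ACCOUNTS).items():
        print(account, "fails steps", steps)
```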
If you have any questions about this letter or what steps we have taken to protect your information, do not hesitate to contact us.