Changing passwords isn’t enough to stop them

Recent news that Russian hackers had stolen more than 1.2 billion passwords from 420,000 websites sent shudders through computer users. But what dangers do you really face as a result of these kinds of increasingly common data breaches?

Unfortunately, the risks can be far greater than most people realize. Stolen passwords can result in financial devastation…or even medical disaster. The risks vary greatly depending on the type of account involved. Here’s a look at the real dangers you face when criminals steal your online IDs and what you can do to reduce those risks…

Financial institutions generally provide investors with some sort of written security guarantee—but these guarantees are designed primarily to protect the institution’s interests rather than yours. They typically promise to refund stolen money only if the investor has followed a list of Internet security precautions—it can be difficult for most people to understand these lawyer-crafted high-tech requirements, much less follow them. And an investment company could, in theory, still decide not to make good on the losses, knowing that it would be very expensive for an individual investor to challenge a big financial company in court.


Firms generally—though not always—have compensated investors who have had money stolen by cybercriminals, but that’s often because they conclude that it’s better to compensate a few investors for losses than risk losing the confidence of thousands—a decision that may not apply in all situations.

What to do: Set up two-factor authentication (also called multifactor authentication) with your investment companies so that they send a code to your cell phone by text or voice message whenever you or anyone else tries to log into your account; the login does not complete until that code is entered on the website. A code sent to a phone can still be intercepted by someone who has taken over your phone number, so if the company offers an authenticator app or a hardware security key, prefer those. (Some companies are adding a third factor, such as a fingerprint or voice scan, to confirm identities.)
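As an added illustration that is not part of the original article, the following Python sketch shows what the institution's side of that code-by-text step has to do for the second factor to be worth anything: the code is drawn from a cryptographic random source, tied to one login attempt, expires after a few minutes, works only once, and is compared in constant time. The five-minute window and three-attempt limit are assumed values, not those of any particular company.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed validity window, five minutes
MAX_ATTEMPTS = 3         # assumed number of wrong guesses before the code is voided


class OneTimeCodeService:
    """Server-side bookkeeping for the one-time codes a bank sends by text or voice.

    Codes are kept per login attempt (session_id) so a code issued for one
    login cannot be replayed against another.  The clock is injectable so the
    expiry behaviour can be exercised without waiting.
    """

    def __init__(self, now=time.time):
        self._now = now
        # session_id -> [code, expires_at, attempts_left]
        self._pending = {}

    def issue(self, session_id):
        """Create a fresh code for this login attempt and return it for delivery."""
        # secrets.randbelow uses the OS CSPRNG; zero-pad so a code like 000123 is kept.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[session_id] = [code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        # The caller hands this to the SMS/voice gateway.  It must never be echoed
        # back to the browser that asked for it, or the second factor is no factor at all.
        return code

    def verify(self, session_id, submitted):
        """Return True only for the right code, within its window, on its first use."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False                      # nothing outstanding, or already used
        code, expires_at, _ = entry
        if self._now() > expires_at:
            del self._pending[session_id]     # stale code: discard, force a new one
            return False
        # compare_digest runs in time independent of where the strings first differ,
        # so a caller cannot learn digits of the code from response timing.
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[session_id]     # single use: a replayed code fails
            return True
        entry[2] -= 1                         # wrong guess: spend one attempt
        if entry[2] <= 0:
            del self._pending[session_id]     # too many guesses: void the code
        return False
```

A real deployment would also rate-limit `issue()` so that an attacker cannot flood a victim's phone with codes, and would log every failed verification so that a guessing attempt shows up in monitoring.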

Of course, always read account statements carefully and contact the financial institution immediately if you spot any activity that you don’t recognize.


There’s a major gap in the federal laws that limit your potential losses if cybercriminals run up fraudulent charges on your credit cards or drain money from checking or savings accounts at a bank or credit union: business bank accounts are not covered. The rules…

With personal and business credit cards, your out-of-pocket losses are limited by federal law to no more than $50. Many card issuers now have zero-liability policies and do not make cardholders responsible even for this $50.

With personal bank savings and checking accounts—and the debit cards linked to them—you generally are not liable for unauthorized debits stemming from cybercrime as long as you report the debits within 60 days of the date on the first bank statement that lists the unauthorized transactions. Fail to report the unauthorized transactions within 60 days, however, and you could be responsible for all of the losses.

Note: Your liability is slightly different if someone is able to steal money from your bank account by getting your physical debit card. In that case, you are liable for as much as $50 if you report the loss of the card to the bank within two business days…up to $500 if you report it within three to 60 days…or potentially for all of your losses if you report it after 60 days. Some debit card issuers offer zero-liability policies—that is, they will cover any cardholder losses to fraud even if federal law says that the cardholder could be liable for some portion of them—but these generally do not cover ATM and PIN-based transactions. However, MasterCard is extending its zero-liability policy to include these.

With business bank accounts, you could be saddled with all of the losses. Cybertheft from bank accounts has driven some small businesses out of business. Your bank is likely to be held liable for business account losses only if it failed to offer “commercially reasonable” security procedures. What to do…

• Monitor bank and credit card accounts closely for unauthorized activity.

• Update your account passwords in the wake of the recent data breach, and give every financial account its own password. Criminals try a password stolen from one site against other sites, so a password reused across accounts turns one breach into several.

• If you have a business bank account, keep the number of employees who have access to the account information to a minimum. Make sure that you have a password that you can use when making transactions over the phone in addition to Internet passwords. And ask your bank if it can recommend additional security procedures to maximize the account’s security. Example: It might be possible to restrict anyone from making sizable online withdrawals or transfers out of the account from any computer other than the one that you normally use.

• Ask your insurance agent if your coverage protects you against cybertheft from your business bank accounts or if such coverage is available.


Few people give much thought to the security of their health insurance policies—but this can be a matter of life and death. If a cybercriminal gets hold of your health insurance account information, he/she could sell a replica of your insurance ID card to someone in need of medical services. Bills for the uncovered portion of these medical treatments would then be sent to you.

You would not be legally liable for these bills, but convincing health-care providers and insurance companies that the bills are not yours could be a long and frustrating process.

The greater danger is that someone else’s medical information could be added to your medical files. If the person who poses as you has a different blood type than you, for example, you might be given the wrong blood type if you need a transfusion.

What to do: Read all “explanation of benefits” statements that you receive from your insurer to make sure that you really used those benefits. If you suddenly stop receiving statements and other mailings from your health insurer, call to make sure that the mailing address on your policy hasn’t been altered.


A cybercriminal who learns your e-mail account’s user name and password could parlay this information into access to your financial accounts.

Example: This criminal might search through your e-mails for messages from financial companies that you work with, then send you e-mails that appear to be from these companies. If you click a link in one of these e-mails, you’ll be routed to what appears to be the financial company’s site—but if you enter your user name and password into this page as prompted, you actually will divulge your private account information to the criminal.

What to do: If you get an e-mail with what appears to be a link from your financial institution, do not click the link. Instead, go to the institution’s website as you normally would. If you cannot find the page the e-mail refers to, call the institution and ask for directions, and for confirmation that the e-mail was genuine.
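The look-before-you-click check described above can be done mechanically. As an added example that is not from the original article, the following Python script takes the HTML body of a message and lists every link a reader should not follow, using the signs a forged bank e-mail typically shows: the destination is not on a domain you have confirmed belongs to the institution, the institution's name is buried inside a longer look-alike host name, the visible link text names one site while the address points to another, or the address is plain http or a bare IP address. The domain examplebank.com and the sample message are constructed for the example; substitute the domains you actually know to be your institution's.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed for the example: the domains you have confirmed belong to your institution.
TRUSTED_DOMAINS = {"examplebank.com"}

# Link text that itself looks like a web address, e.g. "www.examplebank.com/login".
DOMAIN_LIKE_TEXT = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?")


class _LinkCollector(HTMLParser):
    """Pull (href, visible text) pairs out of an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name (adequate for .com-style names; an assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return [(href, [reasons])] for every link in the message that should not be clicked."""
    collector = _LinkCollector()
    collector.feed(html_body)
    suspicious = []
    for href, text in collector.links:
        reasons = []
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        domain = registrable_domain(host)
        if parts.scheme != "https":
            reasons.append(f"not https (scheme is {parts.scheme or 'missing'})")
        if parts.username is not None:
            reasons.append("user@ before the host disguises the real destination")
        if host.replace(".", "").isdigit():
            reasons.append("bare IP address instead of a host name")
        if domain not in trusted:
            reasons.append(f"{host or '(no host)'} is not a trusted domain")
            if any(t in host for t in trusted):
                reasons.append("trusted name embedded in a longer look-alike host")
        # Visible text that names a site must point at that site.
        shown = text.lower()
        if DOMAIN_LIKE_TEXT.fullmatch(shown):
            shown_url = shown if shown.startswith("http") else "https://" + shown
            shown_domain = registrable_domain(urlsplit(shown_url).hostname or "")
            if shown_domain != domain:
                reasons.append(f"text shows {shown} but the link goes to {host}")
        if reasons:
            suspicious.append((href, reasons))
    return suspicious


# Constructed sample message for the example; none of the addresses are real.
SAMPLE_EMAIL = """
<p>We noticed unusual activity on your account.</p>
<p>Please visit <a href="https://examplebank.com.account-verify.net/login">www.examplebank.com</a> to confirm.</p>
<p>Or <a href="http://198.51.100.7/secure">sign in here</a>.</p>
<p>Questions? See <a href="https://www.examplebank.com/help">our help center</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in assess_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the first two links are reported (look-alike host with mismatched text; plain-http link to a raw IP address) and the genuine help-center link passes. The two-label `registrable_domain` is deliberately simple; for names under suffixes such as `.co.uk` a public-suffix list would be needed to avoid treating `examplebank.co.uk` and `attacker.co.uk` as the same domain.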

For advice on how to create the most secure passwords, see “How to Create the Best Password“.

