More and more of your financial life happens right on your smartphone—and not just buying stuff on Amazon and elsewhere. Banking and brokerage apps let you check accounts…move money…pay bills…manage investments. Payment apps let you pay with your phone at stores. And then there is the financial information that could be mined from your e-mails, texts, downloaded documents and contact list. Is it all secure? 

It probably isn’t. Eva Velasquez, who runs the Identity Theft Resource Center, a nonprofit that helps victims of identity theft, knows the mistakes that can compromise smartphone security and make a user’s financial information vulnerable. Bottom Line Personal asked Velasquez how our readers can improve the security of their smartphones, and she shared her best ideas…


With all the convenience we enjoy by having our finances on our phones, we should—and indeed, we must—accept some responsibility for improving the security. As you add apps, you add layers of vulnerability. So you should also take advantage of some added layers of protection.

I work with victims of identity theft, and I can tell you that people often don’t know how their information was compromised. It could have been a computer virus…a data breach at a company you did business with…or even someone who snooped directly on your phone transmissions. No computer—and your smartphone is a computer—will ever be impenetrable. But there are many things you can do to make yourself safer.

Steps that smartphone users should take to protect themselves…

• Create better passwords. The front-line protection for your digital life is your password or, more accurately, the collection of passwords that you use across the Internet. This is where better security must begin. Make your passwords stronger. You want a longer string of characters, with symbols, numerals and upper- and lower-case letters—not the usual passwords made from the name of a pet or your child’s birth date. And then you must vary your passwords—don’t use the same one for multiple sites. That way if a password is compromised, it’s less useful to hackers and thieves.

Of course, if you’re good about varying your passwords, you will soon face a sizable challenge in remembering all of them. Keeping a list on your laptop or your phone or a yellow sticky on your computer monitor is not OK! I use a system that’s going to sound complicated as I explain it—but isn’t hard once you get the hang of it. Start with a phrase you’ll remember but that isn’t terribly common—“The dude abides,” for example, from the movie The Big Lebowski. Capitalize each word, and substitute a symbol such as the % sign for the spaces. This is your core password phrase—in this example, The%Dude%Abides. Then you can vary your core password according to a rule that you set, such as using the first two letters of the website as a prefix and the season and year as a suffix, so you can change it multiple times a year. By this system, your password for Chase Bank could be chThe%Dude%AbidesSP2019. No one’s going to break that password, and if you keep the rules of your system consistent, it’s really not hard at all to keep track of it.

That said, a password manager—a phone app to store all your passwords safely—can be a good alternative. (See the article “You Can Escape Password Overload”) If you really can’t master my memory system or the technology of a password manager app, and you resort to pen and paper, keep your password list in a locked drawer, not in an easily accessible place such as your wallet or purse.

• Avoid public Wi-Fi. There was a time when I would have told you to be careful and limit your activities when you use public Internet access in cafés, hotels, buses, planes and so on. But at this point, such networks are just too fraught with potential for your personal data and financial information to be stolen. My advice now: Don’t use public Wi-Fi without also using your own virtual private network (explained below). You should be particularly wary when public Wi-Fi doesn’t require a password, but even networks that require a hotel room number or other credential are likely to have very weak security. Accessing the Internet through your cell-phone service is a much safer option.

• Avoid public charging stations. I’m talking about the charging stations, usually plastered with advertising, that are proliferating at airports and convention sites and that provide the USB or Apple Lightning connector to plug into your phone. That’s not just a charging cable—it also can be a two-way street for data. Security experts have demonstrated that public charging stations might be used to collect passwords and other information from users’ phones. If you plug your own charging cable into a wall-type power outlet, you’re almost certainly safe. Or buy a rechargeable external battery pack, and use that to charge your phone when you are on the go.

• Use a virtual private network (VPN). Many people will first encounter a VPN on devices issued by their employers for their work, but this is an option for individual consumers now, too. A VPN is a way of creating a safer network that still operates over a public Wi-Fi connection. With encryption and some other technical tricks, the VPN makes it much harder for a snoop to intercept data as it moves across the Internet. To get a VPN on your phone, sign up for a service and download an app on Google Play for Android phones and in the App Store for Apple devices. A VPN is especially important if you use your smartphone on an airplane, where cell-phone service is unavailable and public Wi-Fi is the only option. While there are free VPN services, it is best to go with one that charges a small monthly fee.

• Update your software. Keep your phone’s operating system and individual apps up-to-date. One of the things that happens in software updates is that ­security flaws get fixed!

• Choose two-factor authentication. This is a way of authenticating your identity when you log into sensitive apps, such as for banking or brokerage accounts. It adds an extra step in which, typically, a code is texted to your phone or e-mailed and must be used in addition to your password as you log in. This adds an extra layer of security because a hacker would need to access both your password and your phone to obtain the code. Not every financial institution offers two-factor ­authentication, but when it’s available, go for it.

• Sign up for account activity notifications. A growing number of banks and other financial companies have systems to notify you by text, e-mail or a phone call about activity on your account. This helps you keep track of routine things, such as automated bill payments, and allows the bank to flag suspicious activity, such as a big online purchase or a withdrawal from an ATM in an unusual city. You have to sign up for some of these notifications. Then you also have to pay attention. The point of getting messages about routine transactions is that someday one of them might be something not routine, something unauthorized, perhaps the start of a fraud. And one more thing—make sure that you keep your contact information up-to-date at all the financial companies that might legitimately need to reach you.

• Make yourself phishing-proof. You have no doubt heard of phishing scams—e-mails or texts that pretend to be from legitimate companies but that try to get you to follow dangerous links and reveal private information. And you can try to identify and selectively ignore them. But there’s an even better way to avoid ever being the victim of phishing. Even when a communication from a company doesn’t seem suspicious, my best advice is, don’t click—go to the source. You already know how to reach your bank or brokerage or insurance company. If you get an e-mail or text that purports to be a warning about a problem with your account or any other matter, contact the purported sender the way you normally would. That is, go to the app or website you always use for that financial institution, or call the phone number on your credit card or statement.

Phishing scams are ever more sophisticated. I used to tell people they might spot one with visual clues such as a funky logo or bad spelling or grammar. But such tips aren’t that useful anymore and can provide a false sense of security. Many texts and e-mails do a good job of looking like real communications from companies you do business with.

Related Articles