or How to Protect Your App-Based Financial Accounts
You’ve probably read, heard, or seen all the media coverage over the last few weeks about over 2,000 Robinhood accounts being breached. There’s no doubt that Robinhood’s widespread popularity mixed with its less-than-stellar focus on security is not a great combination for users. That being said, I love Robinhood and wouldn’t close my account over a one-time incident like that.
But since that story broke, I’ve seen a ton of articles online talking about how to help secure your Robinhood account. Some are written by non-infosec or non-technology people and aren’t very helpful. So I decided to make this definitive list to help you secure your RH account or any other app-based financial account like Venmo, PayPal, Cash App, or a crypto app.
We have to start with your email. Your email is your key to everything: a password reset for almost any account lands there. Go to Have I Been Pwned or Agency and do a free check on your email address to see whether it, and the passwords tied to it, have turned up in a known breach. If your email address has been compromised, change its password. Choose a strong, unique password, and never use your old password anywhere, ever again.
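Have I Been Pwned’s companion Pwned Passwords service lets you check a password against its breach corpus without ever sending the password, or even its full hash, to the site: you hash the password with SHA-1, send only the first five hex characters, and compare the returned hash suffixes locally. The script below is an added example, not code from the original post or from Have I Been Pwned. The live endpoint URL is taken from HIBP’s public API documentation; the offline `fake_fetch` and its leak counts are constructed so the example runs without network access.

```python
"""Privacy-preserving check of a password against a breach corpus.

Added example (not from the original post). It implements the k-anonymity
range lookup used by Have I Been Pwned's "Pwned Passwords" API: only the
first five hex characters of the password's SHA-1 hash leave the machine,
and the full hash is compared locally against the suffixes that come back.
RANGE_URL is assumed from HIBP's public documentation; fake_fetch is a
constructed offline stand-in for that endpoint.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"  # assumed from HIBP docs


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char hex digest into the 5-char prefix sent and the 35-char suffix kept."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF, blanks and junk lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue  # skip malformed counts rather than failing the whole check
    return counts


def live_fetch(prefix: str) -> str:
    """Fetch the real range from HIBP (network required; not used by the offline demo)."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = split_hash(sha1_hex(password))
    counts = parse_range_response(fetch(prefix))
    return counts.get(suffix, 0)


# Constructed offline stand-in for the API: two "leaked" passwords with made-up counts.
_KNOWN_LEAKED = {"password123": 12345, "letmein": 678}


def fake_fetch(prefix: str) -> str:
    """Build a response in the API's 'SUFFIX:COUNT' format for the given prefix."""
    lines = []
    for pw, n in _KNOWN_LEAKED.items():
        p, s = split_hash(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{s}:{n}")
    # An unrelated suffix, so a non-empty response does not imply a match.
    lines.append("0" * 35 + ":1")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple"):
        n = breach_count(pw, fake_fetch)
        verdict = f"seen {n} times in breaches; change it" if n else "not in this corpus"
        print(f"{pw!r}: {verdict}")
```

To run against the real service, pass `live_fetch` instead of `fake_fetch`; the privacy property is the same either way, because `breach_count` only ever hands the fetcher the five-character prefix. A count of zero means the password is not in that corpus, not that it is strong; the post’s advice to pick a long, unique password still applies.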
Activate multi-factor authentication for your email. You can search your email provider’s help pages to quickly find how to do that; Gmail has a guide for it. There are several ways you can choose to do this: via an authenticator app, via SMS, or with a physical security key. They all have pros and cons, so choose the one that is most convenient. If you’ve got a substantial sum of money or are at a higher risk of being attacked, go for the physical key (for example, a YubiKey).
Activate two-factor authentication on Robinhood (or the account you want to protect). Most other guides start with this step, but this is really only part of the process. You can access it from their website or within their app.
Lock your phone number so it cannot be transferred away from your phone company. Your phone number is directly tied to most of your online accounts and identity. Because text message-based two-factor authentication is often used as the primary security method on many sites, and often as a backup in case you lose access to your accounts, attackers frequently try to get into your private accounts by stealing your number. Every major US phone carrier allows you to create a PIN or passcode to lock your account. Verizon lets you do this online; T-Mobile requires you to do it over the phone. Just contact your phone company and lock your account right away.
Finally, you’ll need some type of cyber insurance or ID theft protection that covers loss of funds for investment accounts, for additional confidence and peace of mind. Be careful when shopping around for this. Many say they’ve got $1M of protection but actually only have $25K of loss-of-funds coverage (I’m looking at you, LifeLock). Many companies offer this; shop around for the best price from a reputable company. At Achilleion, our focus is on cybersecurity and privacy technology, so we partnered with a major insurance company to offer our members coverage at no additional cost, including a full $1M in loss-of-funds coverage.
Stay safe. Invest your money with confidence!