Monday, May 2, 2022

WHOOO ARE YOOOO? How many factors are enough?

HALLIE EPHRON: There was a time, not all that long ago, when it seemed like every time I turned around, one of my passwords or my credit card was getting hacked. Huge pain in the butt getting that sorted.


These days, so many accounts are requiring two-factor authentication. For the longest time I resisted. I don’t always have a phone with me for verification and I don’t want to risk getting locked out. I wonder, what about people who don’t have access to computers or cell phones, never mind both?

I’ve been succumbing to two-factor authentication and I suppose it must be working because I haven’t had a security hiccough in months.

Then upping the ante, I had to pass a photo ID test in order to get an account so I could see my tax history. This involves having my computer take a picture of me and a picture of my photo ID. Which I did. But apparently I’ve outgrown my passport photo since the match failed. Not once, but several times.

So I had to call them (only 15 minutes on hold) and spoke to a very nice woman who eyeballed  my face and my passport over what I hope was a secure camera line (Yeeks!) and confirmed that I'm me.

All of this in the name of protecting my privacy. Am I the only one who sees some irony here?

Have any of you had to struggle to prove you’re you lately?

HANK PHILLIPPI RYAN: It’s the good news and the bad news, right? We want to be protected, but it’s difficult. And then to prove yourself, you have to hand over all kinds of personal information.

And for me, it can be triple complicated. Because my legal name is different from my writer name, if someone asks me “What’s your name?”, sometimes I have to reply “Why?” Or sometimes I’ll make a hotel reservation for Hank Phillippi Ryan, and the agent will ask: What day does he want to arrive?

And, I guess I can tell you, the cable people will only talk on the phone to the person whose name is on the account. So when I call, they say: Who am I speaking with? And I say my husband’s name. They say–YOU’RE Jonathan? And I say: Yes. (With a tone like–you gonna question me about that? It always works.)

JENN McKINLAY: I live in a state that doesn’t require you to renew your license for 30 years. My ID is from the week after I was married and back from my honeymoon. There will never be an ID photo of me that is this good and I’m not renewing it until it expires in seven more years.

I’ve had my credit card taken but not my identity - praise be - and I find two-factor identification very annoying but I suppose you can’t be too careful. When paying the hooligans’ tuition, I have to have two-factor ID and all I can think is “Hey, if anyone else wants to pay this bill, be my guest.” LOL.

DEBORAH CROMBIE: A few years ago I had to renew my driver's license in person and it was a huge pain. Birth certificate, passport, etc. etc. And I've had my debit card skimmed, but have not had my identity stolen, thank goodness.

The confusion in our house comes from the fact that, while my writing name is also my legal name, it's not my husband's name. So he is on some accounts and I am on others and I'm always having to explain. Not to mention that he hates being called "Mr. Crombie…."

JULIA SPENCER-FLEMING: Like most of you, my legal name (Ross’s last name) is different from my writing name (my maiden name,) which causes confusion and last-minute frantic updates if a new assistant publicist is making reservations and isn’t up on what my credit cards and drivers license say.

I’ve never been hacked, but my cell phone number has gotten out there, and I get spam texts occasionally which make me roll my eyes. Fortunately, my phone has one-touch reporting; I hit the ‘spam’ button and the message disappears and the number is blocked.

I actually like the two-factor authentication; I’ve gotten used to it and it does make me feel more secure. What drives me nuts are the aggressive security measures my card issuer uses to prevent fraud - they stop payment and text/ call me to confirm.

The first time this happened was when I was spending $$$ getting Youngest a Macbook Air for high school. We’re in the Genius Bar, trying to navigate the purchase, warranty, etc, and my card is refused! Then while I’m asking the very helpful Specialist to run it again, my phone started blowing up with a number I didn’t recognize. I was utterly stumped until after we were back in the car, sans Macbook, and I listened to my voicemail.

It’s happened to me a few times since then, but it’s always infrequent enough so I never think of my card security until I’m already flustered and trying to sort out what’s wrong with the salesperson/hotel clerk/reservation agent. Who I am sure thinks I’m just some deadbeat on the brink of bouncing a check.

RHYS BOWEN: Another victim of two names here. I have to remember to remind my publicity team that I have to check in using the name on my driver’s license. And this time there were problems at both hotels because the publicists had booked a room for Rhys Bowen and charged the other to MY credit card.

I’ve also been through the embarrassment of having a card denied when trying to make a big purchase–last time it was booking a river cruise. So by the time I had called Chase I had to go through the whole booking process again. I do like that they are looking out for me, but really,can’t they see that I’ve booked a river cruise before?

And my cards have been hacked many times which is a real pain as I have most of my bills on auto pay and have to give them all a new card. Another small annoyance. My phone has facial recognition which it can’t do with a mask on. I understand the latest upgrade can add this feature but I haven’t had time to explore it yet.

LUCY BURDETTE: First of all, about ID photos, you may or may not remember that I lost my passport while traveling a couple of years ago--in India! Here's the whole story if you want groan, gasps, and giggles. The point is, I had to get a new passport, with a new photo, taken at a little open air shop on the streets of Delhi. I was not allowed to smile or wear my glasses. It is the worst photo ever, but I was just so grateful to have it!

Like Rhys, it seems I have an account hacked at least once a year. So very frustrating. Do you all belong to Credit Karma? It's a free app that tracks your credit reports and credit card balances etc. So at least you can get an alert if something fishy is going on.

HALLIE: I don't belong to Credit Karma, but I have my credit card account set to ping me with a text message whenever my card gets charged. It sets my mind at rest--at least I know the minute any charge hits that I didn't make. It's also good for alerting me to any repeating service charges that I authorized once up on a time and no longer need.

So are you welcoming two-factor identification or resorting to wearing garlic to ward off marauders?

73 comments:

  1. So far, I’ve not run into any issues proving I am me. And while two-factor authentication is a bit of a pain, I think it helps keep my account secure, so I don’t mind too much. [The whole photo ID test thing is new to me . . . I’m crossing my fingers that I never run into that one. And I have to say, I really despise the pictures on my driver’s license and my passport . . . .]

    ReplyDelete
    Replies
    1. Ditto for me on my drivers license and passport photos. Ick, who IS that, I ask when I inadvertently take a peek.

      Delete
  2. I still can't pass the photo part of this super-ID thing now required for tax info, but they email me every week to come back and try again.

    ReplyDelete
    Replies
    1. Try the phone number they provide - for me it was easy peasy once they picked up.

      Delete
  3. I like the two-factor authentication. It does give me a peace of mind.

    ReplyDelete
  4. I'm garlic all the way if I can get away with it, and am lucky my credit cards or ID haven't been hacked. That said, I recently glanced at my retirement accounts (hint - DON'T glance at your retirement accounts when the market is tanking...), and all three wanted to send me a text or email confirmation number. That's fine, truly, same as when my bank wants to. But handing over my cell number to Facebook or Amazon? No thanks.

    I don't run into the author name issue, since it would never occur to me to use Maddie Day for reservations.

    I haven't run into photo ID confirmation yet, but passport pictures are a whole nother post. The last time Hugh and I got ours taken, we both looked like escaped felons. No glasses, no smile, glaring lighting up close? Ack!

    ReplyDelete
    Replies
    1. Edith, because you make your own reservations, you control whose name is used. I think Rhys had some helpful publicist make her reservations who did not realize that Rhys Bowen is her nom de plume.

      Delete
    2. Oh boy do I look forward to the days when a publicist makes reservations for me to go... anywhere.

      Delete
  5. So far, I have not had my credit card or passwords hacked. But I have received emails from major hotel chains that their system was hacked and that my personal information COULD be among those stolen. One chain (MGM Resorts in Las Vegas) offered me a free year of EQUIFAX premium to scan for any unusual activity. No weird transactions occurred and I cancelled the service last year.

    I use two-factor authentication that i use is for both Amazon accounts (.ca and .com). A bit of the PITA but the random number authenticator app is on my smartphone. And my Paypal and CRA (Canadian income tax) accounts send a one-time code to my email/smartphone each time I log on.

    ReplyDelete
    Replies
    1. I got free equifax for one of the password hacks a few years back... never did figure out how to use it.

      Delete
    2. Well, I already had a free basic Equifax account to check my credit rating each year, so it was just accepting the upgrade option that MGM provided. I have memberships with most major hotel chains (Marriott, Hyatt, Hilton etc.) and they only send an email recommending you change your account password after their systems were hacked. Only MGM Resorts offered the free Equifax protection for a year.

      Delete
  6. Part of life. My checking account was hacked for a nominal sum, the same day 5000 other customers were hacked. I closed the account and opened a new one. And someone used my husband's identity to apply for unemployment benefits. We received a notice in the mail about his new bank account and discovered what had happened. The fraudulent account bank, the police, and the state benefits office were all very helpful. I think fifty people in our village filed police reports about the unemployment benefits scam.

    ReplyDelete
    Replies
    1. Wow. Sounds like you're at ground zero for this, Margaret.

      Delete
  7. I love all the stories and can empathize with the frustration in trying to get stuff fixed. I've been very lucky. My two biggest frustrations have been after FB hacks. In February, someone copied my FB name and picture and started sending Instagram messages to my friends (I don't use Instagram). This account even tried to video call one of them. I tried to report it to FB and they told me I had to submit a picture of myself holding my ID, with the hand holding the ID visible too. I did this 4 times and got an auto response that the information I had submitted did not match with the account. I was so frustrated, I deactivated my FB account and ended up staying off until Easter (Lent started 2 weeks early for me in this case, but I probably don't get extra points for acting out of frustration). I think the problem was that in Oregon, we can't wear glasses for our DMV photos and of course I had to wear my glasses in order to take a picture of myself holding my ID. The photos most likely didn't match. The idea that I couldn't prove I was me to report someone impersonating me when they didn't have to prove anything was very aggravating.

    The only time I lost money (temporarily) through a hack was also on FB. I noticed several fairly small deductions from my checking account that were through FB. I had made several charitable donations for friends' birthdays, but not for months. I did go back and look at the donations on FB, after searching around for a bit, and they didn't match up at all. I reported it to my wonderful credit union and they reversed the charges, but I had to get a new debit card, and go update the stuff that auto-paid there. I went into FB again and after much searching, found the place that my card info was stored. Although by this point it didn't make any difference, I was able to remove it. No more FB fundraisers for me.. sorry friends!

    ReplyDelete
    Replies
    1. I do not ever donate or purchase using Facebook links. Their security is the worst and trolls are constantly on the prowl there.

      Delete
    2. Same here. I never donate to anything through FB. If the charity is something I would really like to support, I'll find another way, usually at the charity's own site.

      Delete
    3. A reminder to everyone: do not use your debit card to pay bills. If it's hacked, the hacker has access to you *bank account*... credit card is much safer.

      Delete
    4. Federal protection laws limit your credit card liability to $50. There are no such protections for debit cards, even if it has a credit card administrator like VISA appearing on it,

      Delete
  8. We call our bank to let them know about travel before we go. Not for Delaware or Massachusetts or New York, but we do it before flying to California or Florida or any other state or country that we visit once in a while. So that takes care of some problems before they happen.

    Julia's MacBook purchase is an example of overzealous security control and that would be humiliating. As for photo id's, all the new facial recognition programs seem to be pretty flighty. I have not had an issue yet, but wonder why something like Hallie's I. D. problem would happen.

    Our first 2 factor i.d. incident occurred last week with XFINITY. Once we figured out what they were doing, and got onto the website, the upgrade they had promised for download speed was nowhere in sight, an hour had passed, and honestly, we did not have any more time to waste on their scheme. Sometimes legitimate companies that you actually do business with, want more information about you and will lure you in to provide it. Bast#@$s!!

    ReplyDelete
    Replies
    1. This is reminding me... I try to ALWAYS check before before I click a link from something that LOOKS like it's Xfinity or Amazon or MasterCard or some service I do use... RIGHT click on the sender name in the email to see what the sender's URL. If it's a user on gmail or yahoo or hotmail or anything but the web site it says it's from you're being snookered into clicking the link. So-called giveaways like free upgrades are ways that hackers lure you into going to a spoofing web site and entering your information.

      Delete
    2. Absolutely, Hallie. I always check. This really was XFINITY. They were legitimately offering us an upgraded speed. Getting to the spot in their system where we could get that was the problem once we had done the 2 step to get on their website. It was aggravating, and time consuming.

      Delete
    3. I also always notify the credit card company of my planned whereabouts when we travel. I learned this the hard way when one of my cards was denied in Europe. Luckily, I'd taken two with me, and the other one worked fine.

      Delete
  9. I haven't had the experience yet of proving my ID online with my driver's license photo. When it happens I will probably be in trouble because it looks nothing at all like me. I can't believe I even looked that good years ago when it was taken. On the other hand, my passport photo looks more like my grandmother than it does me! Yes, I do know what that means.

    ReplyDelete
  10. Ah, MFA. What a joy.

    I've been lucky in that my card has never been hacked, but I have lost it resulting in the whole, dispute/reimburse/close card/issue new card hassle. I have also gotten the "Is this you?" notifications on purchases, usually in time to say, "Yes, it's me" and things go through. I did have a purchase at the Apple store declined last week because I typed my email address wrong. Seriously? I could be using any address. But hey, sure.

    One of the benefits I get through work is a subscription to AllState's InfoArmor, which monitors my online presence, including notifying me when credit checks are run or when new accounts are opened. I just go into the app and say whether or not it was me.

    I do sometimes find all the MFA annoying, especially since I try not to walk around with my phone. But I get messages on my MacBook and iPad as well, so there is always something at hand.

    Work is the true crazy. 3M is very security conscious. I have a little dongle for a code to log into the network, but there are two other systems, both of which use different apps for MFA. So during the workday, my phone is never far from me just in case.

    I love FaceID. But yes, it doesn't work with a mask and my phone won't support it. Oh, and I have the legal name/author name thing, but I never make reservations using my author name and at least conferences are good about asking, "What's the name you want to have on your badge?" so I haven't had a problem there. No helpful publicists. LOL

    ReplyDelete
    Replies
    1. InfoArmor - that's a new one for me. Going to check it out. A dongle? Boy that really is multifactor ID.

      Delete
    2. It's a way of getting a code. I could have had the system send me a text, but I didn't want to deal with always needing to have my phone near me. Little did I know...

      Delete
  11. I have reduced my credit card #’s used. I don’t use a debit card at all. No shopping of any sort via Fb evah! But the last two years have given me some insight into dealing with spouse accounts when memory impairment rears it’s ugly head. All I’ll say is it took me 6 months to move his pension from bank A which I was trying to close, to Bank B, and it was the companies fault. So for you all who have legal partners, take a careful look at how you can simplify this part of your joint life. I’m not too happy with Blogger either as I can’t work out how to get on and post as me on JRW. Enough said, Happy Monday from Celia

    ReplyDelete
    Replies
    1. Oh, Celia - I second third and fourth that recommendation! Consolidating accounts has been a nightmare. Wouldabeen so much more straightforward if we'd done it before.

      Delete
    2. Celia - Hallie, I send you loads of sympathy. So much worse for you. I hope it’s nearly done. Having made everything joint at the advice of our attorney, I’m now considering what might be involved in separating it all to protect assets. SIGH! Who knew? 95 is a great age to attain.

      Delete
  12. We already have four pages, single-spaced, 9-point type, of passwords. Many crossed out with new ones to the side. It's enough to make a preacher cuss, as my mother used to say.

    Because I have all kinds of cyber security on my computer, every time I open a financial site's pages my browser goes into privacy mode (no cookies). Which means the site I'm logging in to doesn't recognize my login, and I'm usually required to do the second authentication. It's a pain, but so far, so good.

    We routinely had credit card data stolen until we switched banks. And then one time during the pandemic someone started charging small amounts, identical to the amount I paid for an order from DSW, in the name of "dswo", lower case. Because I'd returned a pair of shoes (both shoes were for the same foot) and exchanged them at the store, there were multiple transactions, and it took me months to notice the fake ones. But the bank straightened it out right away, and sent a new card.

    ReplyDelete
    Replies
    1. That's similar to my experience... small amounts charged. easy to fly under the radar.

      Delete
  13. To those having trouble with Blogger, do you stay logged in to your Google account, or whichever account you post from? I have not had any problem with it, and am thinking it's because I'm always logged into Google from all devices.

    If not, then it's still a mystery!

    ReplyDelete
    Replies
    1. That's how I've managed it, too - but then I get confused: is being logged into Google the same as being logged into Gmail?

      Delete
    2. KAREN: Yes, I have been logged onto Google so I don't have problems posting as me (not as anonymous). But yesterday's weird Blogger problem had the JRW banner at the bottom of the page totally covering the comments field so I could not post on my PC. So weird.

      And like you, I use a VPN (NordVPN on my PC, Android tablet and phone) and other security apps (Norton 360) to give me more protection when I'm online.

      Delete
    3. Hallie, not quite. You have to sign in to your Google account via a web browser.

      Delete
    4. But once you've logged into your Google account, you can access your Gmail.

      Delete
    5. I was trying to add comments Saturday from my phone - which is a Google Pixel, for crying out loud - and they wouldn't go through. I suspect whatever is clogging Blogger's arteries has to do with the new look of the commenting space.

      Delete
    6. It's just not working on my phone. My laptop seems fine. Weird.

      Delete
  14. I admit that I'm a cynic. I think most two factor authentication protocols are intended to protect the bank, investment app, etc. from liability and the cost of fraud. That they work as some protection for the user is an appealing after effect and good for advertising. After all, corporate decisions are made to protect their earnings, not your assets.

    TD Bank regularly puts a stop on my US $ Visa card when I'm travelling in the States. I don't mind the initial caution, but I do mind that their published means to lift the stop doesn't work.

    By far the most surprising request for authentication came from the Canadian Revenue Agency when they requested a certified paper copy of my marriage certificate and my passport. This to ascertain that I was not trying to scam a seniors' pension program. I've no idea who will see those pieces of paper or what will happen to them when they reach the government offices. No sense of privacy or security for me here, just "protecting the public."

    ReplyDelete
    Replies
    1. I'm sure 2-factor authentication protects the banks... ID theft has to be a huge expense for them, too.

      Delete
    2. You're right about the protection for the financial services provider: because of state laws limiting the amount of loss to the consumer, the credit card company is on the hook for the amount of fraud. The onus is on them to chase down the crook and retrieve the fraudulent amounts, and that costs a LOT of money. We have four friends or acquaintances who work in fraud units at local banks.

      Delete
    3. CD, I've taken to letting the manager of my credit union know when I'm going to travel - she adds something to my file and it dramatically cuts down on those potential-fraud stops. I don't know, however, if you can get the same service from a large bank like TD.

      Delete
    4. Large banks can and do have a way to smooth the way when you are traveling. I'm sure TD can do it.

      Delete
  15. You know, SO funny. When I had to provide info to get a pension from someplace or other, I had to prove I was married.
    NO prob, I thought, but then I couldn't find our marriage certificate. Weird, I thought, and then I was baffled because..somehow I couldn't remember actually ever seeing it. Still no prob, of course, so I hopped over to City Hall to get it. THEY DID NOT HAVE IT.
    Long story, but the rabbi who married us had never filed the certificate of marriage, so according to City Hall, we were not married. AHHHHH. Which apparently is not unheard of, okay, so I jus thad to prove we were married. AND one of the way you can prove it is by an wedding announcement in the paper. Great, we were in the Sunday New York Times, so easy peasy.
    BUT! In a situation that seemed hilarious and unimportant-ish at the time, the Times had gotten the date wrong! It finally got worked out --but we had to have two friends who were at the wedding sign affidavits about it. And the rabbi said he "forgot," and sent it in. It was only 23 years late.

    ReplyDelete
    Replies
    1. You and Jonathan earned this one! Wow.

      Delete
    2. I know, right? SO crazy! But really, it could have been a disaster. If at some point for some reason someone else looked it up and we weren't actually married....

      Delete
    3. Hank, I'm pretty sure I've seen a couple mid fifties comedies with a plot line like yours!

      Delete
    4. What an amazing story! Good thing you caught it because it would have been a disaster down the road if you hadn't. And can I say, annoying! That's practically rabbinnical malpractice.

      Delete
    5. Good thing the Rabbi was still alive! OMG. The perfect word here is "schlemeil !"

      Delete
    6. Yes, I think so, too, Julia! The Awful Truth, or something? And yes, Hallie, all sorts of terrible scenarios, truly. We actually had to look up whether there might even be tax fraud, or something. You know? And yeah, Jenn, what's a couple of decades... :)

      Delete
  16. I haven't run across two factor authorization for any of my personal accounts yet, but I do have to use it for some things at work. It's annoying because, either it means that I'm the only one who can do that part of my job or I have to use my personal cell phone for work. Neither of which makes me very happy.

    ReplyDelete
    Replies
    1. Having it at work sounds like a real PITA, Mark.

      Delete
    2. Very annoying... understandable but annoying.

      Delete
  17. I contributed to this before my trip where I booked my hotel under McKinlay but when asked gave the hotel clerk my married name - enter confusion for both of us. Ugh.

    ReplyDelete
    Replies
    1. It's so hard having multiple personalities, Jenn! LOL

      Delete
  18. For me, the real aggravating factor is either having to remember or look up passwords for an online use and then having legitimate passwords rejected, multiple times. So, I go through the process of setting up a new password, have to record that...over and over. I recently got an email saying a new piecde of computer hardware was being sent and thanks for the roughly $2000 order. It had a link, which made it suspect, but part of me is still worried that one of my credit cards will show a fake purchase this month. Scammers and online crooks are getting smarter all the time, but I'm not!

    ReplyDelete
    Replies
    1. Yeah, me again. Thanks, Google.

      Delete
    2. Having to endlessly update a password - aggravating. And having to cart around my long list of accounts and passwords. I know some people use a password manager app. I'm tempted but then I think, the hackers get into that and they've got the keys to my kingdom!

      Delete
  19. Apparently, Google wants us all to stay safe, since it keeps making so many of us Anonymous.

    ReplyDelete
  20. I can sympathize and empathize here.
    When I married 50 years ago, I did not take my husband's last name, I'd had mine for all my life and it suited me just fine, thank you very much.
    The first year we files taxes as a married couple I got a note from the IRS wanting information: When and where did I get my SS number? How old was I then? etc. (I expected them to ask for my eye color and shoe size!). When I go this same request three more years I filled it in and then added a note: "You have asked for this information four times now. Kindly file it where you can find it next time."
    As if that isn't enough, I am named after my mother. She went by "our" first name and I go by the middle name. That worked fine until the computer age: first name, middle initial, last name.
    It gets challenging to figure out what name they are looking for!

    ReplyDelete
    Replies
    1. I used to resent having such an unusual name... now I embrace it. So far there's just one of me.

      Delete
  21. A recurring nightmare of mine is that I've left my purse unattended and when I realize it, I find that someone has stolen my credit cards from my wallet. I've actually only lost one credit card and has someone make a charge on it, but I was able to fix that quickly. And yet, I have that dream every so often where I look in my wallet after coming back to my purse, and it's been emptied of the cards.

    I probably should be using the two-factor identification, but I just hate multiple steps to access things. My niece had her identity stolen, and it was one hot mess getting that fixed, so I should be more inclined to protect myself. I haven't had a card refused when on vacation or in a different spending locale than usual, but I have gotten notifications that the card is being used in that different location. My husband worries me a bit, as he is forever looking for a misplaced card of his. Maybe I should limit him to carrying cash. Hahaha!

    ReplyDelete
    Replies
    1. Cash! Honestly I've started using it much more, especially when traveling or at a place where I don't regularly spend.

      Delete
  22. I just read that thieves are now lifting bill payment mail from physical mailboxes, taking that check you wrote to the gas company, and altering the payeem and cashing it. So now we need to mail our bills at the post office?

    ReplyDelete
    Replies
    1. We have had a rural mailbox since 1982, and for almost 35 years it was way out on the road where we couldn't see it. I have always taken stuff to the Post Office, if it was important or had money in it.

      Delete
    2. Paying be check in the mail has the highest risk, Post office theft of checks is very frequent, Use some form of electronic payment. Some creditors will no longer take checks as payment,

      Delete
  23. The first time my card information was hacked, it was my own fault. I'd purchased some fabric online without checking to see if the website was secure. I spotted the fraudulent transaction and went to my bank. Had I, the helpful assistant asked, actually purchased stereo equipment in Bulgaria? Major face palm moment.

    ReplyDelete
    Replies
    1. Ha ha ha ha! Though not funny at the time, I'm sure.

      Delete
  24. I don't want to put my passwords in a spreadsheet since the computer may be hacked. However, apparently I can't always read my writing. I had a new password for my credit union but it didn't work. They took forever to send me the code so my session timed out but I finally got a new password so I could check my statement. I tried to order something from Amazon last week, and they didn't take my password. When I tried again, the password was already there (my computer remembers some of them), and Amazon took it. They sure make everything hard!

    ReplyDelete