**Most American Banks' Security Options are Terrible; Here's How I Still Stay Safe**
As a journalist who has been tracking online security for years, it's frustrating to see that some of the most important website accounts often have the worst security options. While I can set a 100-character password on a random forum account, banks commonly limit their passwords to just 20 characters (and sometimes without symbols). My bank's security options are poor compared to many other accounts, but I've managed to configure it to stay safe with some creative thinking.
The first step is to create a unique username that's independent of your email address. Most accounts use your email address as a username, which can be a problem since email addresses are often leaked in breaches. However, my bank (and many others) requires you to set a separate username to log in. Since you have the freedom to choose this username, it becomes an additional authentication step.
Instead of using your real name, online alias, or email address without the domain as your username, I recommend creating a random string. Use letters, numbers, and symbols if possible, just like you would for a password. This won't protect you if the bank's systems are breached, but it removes a layer of association between you and your account.
When security options are limited, every step counts. So, here's how to make the most of the password limit:
- Push the password requirements to their limits: A 20-character password is still strong enough if you make it hard to guess. Use a password manager to generate and store a random, unique password.
- Use the maximum length, avoid repeated characters and dictionary words, and include symbols and numbers: Make sure your password meets the bank's requirements and mix it up with different types of characters.
- Keep your password manager secure: Store your passwords safely to prevent unauthorized access.
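One way to generate the random username and the length-capped password described above, as an added example that is not from the original article. The 20-character cap and the no-symbols case come from the article; the symbol set, the 12-character username, and the policy names are assumptions to adjust to your bank's rules.

```python
import math
import secrets
import string

# Assumed policies for illustration; check your own bank's stated rules.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*"  # assumed symbol set, banks differ on which are accepted
POLICIES = {
    "password_no_symbols": (20, [LOWER, UPPER, DIGITS]),
    "password_with_symbols": (20, [LOWER, UPPER, DIGITS, SYMBOLS]),
    "username": (12, [LOWER, DIGITS]),  # assumed length and character set
}


def generate(length, classes):
    """Draw `length` characters uniformly from the union of `classes` using the
    OS CSPRNG, re-drawing until every class appears at least once and no
    character repeats back to back (rules that sites commonly enforce)."""
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        covers_all = all(any(ch in cls for ch in candidate) for cls in classes)
        no_repeats = all(a != b for a, b in zip(candidate, candidate[1:]))
        if covers_all and no_repeats:
            return candidate


def entropy_bits(length, classes):
    """Upper bound on entropy in bits: length * log2(alphabet size).
    The re-draw rules above cost less than one bit at these lengths."""
    return length * math.log2(len("".join(classes)))


if __name__ == "__main__":
    for name, (length, classes) in POLICIES.items():
        print(f"{name:22} {generate(length, classes)}  "
              f"~{entropy_bits(length, classes):.0f} bits")
```

Even without symbols, 20 random characters come to roughly 119 bits, which is why the character cap matters less than whether the password is truly random and unique.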
In addition to a strong username and password, consider giving fake answers to security questions. Security questions are a weak form of authentication since they're easy to guess. Social media and public records can reveal information like your mother's maiden name or the school you attended. So, when asked what your favorite subject was in high school, provide an answer like "Anonymous Vengeful Rhinos". Store these answers in your password manager so you don't forget them.
Since banks often only offer SMS-based 2FA, it's essential to enable SIM swapping protection with your carrier. This is because attackers can use social engineering tactics to convince your carrier to port your number to a SIM under their control. All major carriers now offer the option to lock your phone number, which prevents your number from being moved to another SIM unless you first authorize turning the lock off.
To take full advantage of SMS 2FA:
- Enable your carrier's SIM swap protection: This adds an extra layer of security against SIM swapping attacks.
- Secure your account with your mobile carrier: Make sure you have a strong password and take advantage of any available security options.
Last but not least, turn on alerts in case something happens. This way, you'll instantly know if someone has broken into your account or is attempting to log in from an unfamiliar location:
- Get email, text, and/or push notifications when someone logs in from a new location: Enable these alerts to stay vigilant.
- Set up alerts for money leaving your account: This way, you can catch potential fraud attempts before it's too late.
While I wish banks would implement modern security options like passkeys or 2FA via authenticator apps, that doesn't seem likely anytime soon. So, take a few minutes to maximize your protection with what banks do provide. Regularly check your account options for new additions or extended password lengths.
Staying ahead of cyber threats requires awareness and vigilance. Be informed about the most common methods used to hack bank accounts, so you can protect yourself from these tricks.