Opinions are my own...
If you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process. This story is about how crooks increasingly are abusing third-party financial aggregation services like Mint, Plaid, Yodlee, YNAB and others to surveil and drain consumer accounts online.
Crooks are constantly probing bank Web sites for customer accounts protected by weak or recycled passwords. Most often, the attacker will use lists of email addresses and passwords stolen en masse from hacked sites and then try those same credentials to see if they permit online access to accounts at a range of banks.
In a nutshell, if you use a crappy password, then even though your bank may require two-factor authentication (2FA), the hackers can use software that mimics a program like Quicken and get into your account via the API (the software method the program uses to communicate with your bank's computers). The APIs usually completely bypass any 2FA requirement.
- Use tough passwords (get a password manager to keep track of them).
- Never use the same password on more than one site. Otherwise, when site X is hacked, the attackers have the password for all of your other accounts.
- For your banking and official matters (anything that involves money like shopping sites or government accounts, but NO social media accounts), I suggest a separate email account other than the one you use for your day-to-day BS, and not one of the free ones where they scan your data to sell you things (Gmail, Hotmail, Outlook, etc). Suggest https://protonmail.com; you can even buy your own domain name and set it up to use with ProtonMail (requires the paid service). Then, be vigilant; don't get lazy and mix your important email with your day-to-day account. Get your own domain name here: https://domains.google/#/ Pay for several years in advance if you're serious about keeping and using it.
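
The first two rules above can be checked against your own vault. The following is an added example, not part of the original post: it audits a password-manager CSV export for passwords shared across sites and for short ones, and lists findings that touch a money-related site first. The column names, the 12-character threshold and every sample site and password are assumptions constructed for the illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample of a password-manager CSV export. The column names and
# every site and password below are made up for this example.
SAMPLE_EXPORT = """site,username,password
examplebank.test,alice@example.test,Summer2019!
forum.test,alice@example.test,Summer2019!
shop.test,alice@example.test,kV9#tq2Lw!xRz7pB
utility.test,alice@example.test,hunter2
"""

MIN_LENGTH = 12  # assumed threshold for a "tough" password; adjust to taste


def audit(export_text, money_sites):
    """Return (kind, sites, touches_money) findings, money-related ones first."""
    by_password = defaultdict(list)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Group on a hash so plaintext passwords never reach the report.
        digest = hashlib.sha256(row["password"].encode("utf-8")).hexdigest()
        by_password[digest].append(row["site"])
        if len(row["password"]) < MIN_LENGTH:
            findings.append(("short", [row["site"]], row["site"] in money_sites))
    for sites in by_password.values():
        if len(sites) > 1:
            # A breach at any one of these sites exposes all the others.
            exposed = any(s in money_sites for s in sites)
            findings.append(("reused", sorted(sites), exposed))
    # Money-related findings first, then reuse before short passwords.
    return sorted(findings, key=lambda f: (not f[2], f[0] != "reused", f[1]))


if __name__ == "__main__":
    for kind, sites, money in audit(SAMPLE_EXPORT, {"examplebank.test"}):
        flag = "MONEY" if money else "     "
        print(f"{flag} {kind:6} {', '.join(sites)}")
```

Run it only on a local copy of the export and delete that file afterwards, since the export itself holds every password in plaintext.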