Liz and Geoffrey take a closer look at the security of checks and bank account numbers - a timely topic after a fraudster attempted to steal thousands of dollars from Liz with a counterfeit check - and also at mobile banking, cash transfer apps, and a bit more about credit cards. Plus, better encryption for Android, a major FaceTime bug, and practical lessons from Wells Fargo's day-long outage.
- 1:36 - Security news: Apple's FaceTime had an eavesdropping bug
- 2:33 - Security news: Apple revoked Facebook and Google Enterprise Certificates for distributing apps beyond just employees, and they happen to be spying on their users
- 5:25 - Security news: Google's Password Checkup for Chrome
- 8:26 - Security news: FamilyTreeDNA gave genetic data to the FBI
- 9:28 - Security news: Wells Fargo consumer banking outage
- 10:33 - Security news: Adiantum, a new encryption feature for Android
- 12:37 - Credit card updater services and expirations
- 16:49 - 3-D Secure (e.g. Verified by Visa, Mastercard SecureCode)
- 19:35 - Checks and bank account numbers
- 23:54 - Bank account transaction notifications
- 24:31 - Fraudulent, altered, and counterfeit checks & some tips to prevent alteration
- 28:38 - Check clearing delay
- 30:50 - Mobile check deposits
- 32:33 - Online banking accounts
- 36:25 - Cash transfer apps
- 45:39 - Third party access to bank accounts and budgeting software
Show notes & further reading
We reference topics from some past episodes in this one. If you've just tuned into the podcast, you might also want to check out these older episodes:
- "Securing your online account passwords" and "Two-factor authentication and account recovery", for keeping your online banking accounts safe
- "Securing your phone" and "Comparing Android and iOS security", for keeping your mobile banking apps and payment apps safe
- "Keeping your web browsing private", for safely accessing your bank's website using HTTPS
Credit card updater services allow merchants to keep charging your credit card, even after the number expires or changes. CreditCards.com fielded a question from a reader unhappy about an annual subscription being renewed even after the original card had expired. To get an idea of what this looks like from the merchants' side, see Visa's fact sheet on their service. They say, "Card information updates can result from account closures, cards reported lost or stolen, expiration date changes, product upgrades, and portfolio conversions between Visa issuers or from MasterCard, American Express, or Discover to Visa conversions." If a merchant has your card on file, they can likely keep charging your card even after any of these changes.
Jason Pearce, director of information systems at an Indiana hospital, has a blog post discussing the problems with Verified by Visa and how it's indistinguishable from a phishing attack.
Checks & bank account numbers
Jeremy Clarkson, the former host of BBC's Top Gear, once responded to a UK data breach of banking data by calling it a "storm in a teacup," and attempted to prove his point by publishing his bank details in a newspaper and claiming it would be hard to use the information against him. Unfortunately, someone managed to get a British charity to debit £500 from his account. While it's hard to forge a physical check in the UK, and most payments are initiated by the payer, well-known organizations can go through their bank to initiate a direct debit from another account. Apparently this charity let people sign up to be donors but did not verify their identity. (Also, while checks are rare in Europe, they are not unknown, so while sharing your bank account number is significantly less risky than in the US, we still wouldn't call it safe.)
Check clearing and scams
The US Office of the Comptroller of the Currency has a good FAQ on recent changes to check processing, mostly as a result of the 2004 Check 21 Act, which made electronic check processing legal in all cases. Note the timelines: while money from a deposit is required to be available within days (and on the other side, money might be withdrawn from your account almost instantly!), there are still at least 40-60 days to dispute payments, so "cleared" checks can still get reversed.
The Balance talks about the confusion between the multiple definitions of "clear", and in particular how "clear" generally means the money is available even if the check isn't confirmed good.
The Federal Trade Commission has several posts on scams involving "cleared" checks - where the money appears to be available - being reversed later. "Don't bank on that check", "Fake Checks", and "Anatomy of a fake check scam" all describe a common class of scams, where a scammer gives you a check that seems good and asks for the money back in some way. Even the FTC seems to use the term "clear" inconsistently: the first post says money can be reversed "even after it seemed to clear," the second claims the check hasn't cleared yet, and the third claims the check has cleared but ends up not being good. Whatever you call it, don't fall for any sort of scheme that relies on believing that a deposited check is good just because it's showing up in your balance.
Cash transfer apps
"Public by Default" is a 2018 project from Hang Do Thi Duc, at the time a Media Fellow at the Mozilla Foundation, featuring the reconstructed lives of five groups of Venmo users. Take a look - the amount of public data is quite frightening. The site has instructions on how to change the setting in your Venmo app and also ensure that past transactions are private, too. (So does Venmo's official help site.)
A web search for 'paypal frozen accounts' will show no end of unhappy PayPal users. PayPal says they freeze or limit accounts for many reasons, including suspicions of fraud, violations of their terms, or even just starting to sell something new in volume. Most affected users say that PayPal has held the money in their account - even from previous, completed transactions - for 180 days before paying out. PayPal has acknowledged the problems in the past but complaints still continue.
The Verge has additional reporting on the Google/Mastercard deal for access to in-person transaction data to improve online advertising, and specifically connects it to Google's previously-mysterious claim to have access to 70% of credit and debit card transactions in the US, which advertisers could use for targeting.
Many users on the Apple forums report that their credit card companies are treating Apple Pay Cash transfers from those cards as cash advances, with hefty fees and charges from the credit card - on top of the 3% fee for using a credit card from the Apple Pay Cash terms and conditions. Other payment apps may or may not do the same thing - it's best to check around about the specific payment app and how it sends transactions to your credit card, if you choose to back it by a credit card instead of a bank account.
Third-party bank account access
Reuters wrote in 2015 that major banks were warning users not to share their credentials with third parties and that this would affect Mint and other personal finance "aggregator" services. We generally agree with that advice - but if you do want to use a service like Mint, your options are limited. Mint has a help page about connections to certain banks - which as of this episode was just Chase Bank, Bank of America, and Capital One - that supported a more secure option than just giving your password directly to Mint. These banks have a third-party login system very similar to the "login with Google" or "login with Facebook" option you may have seen around the web, where the login itself takes place on the bank's own website, and limited information is being sent back.
In the news
BuzzFeed News has an in-depth analysis of the FBI's access to DNA databases, in the context of a study from last year looking at a public DNA library. They estimate that over half of Americans, and especially those of Northern European ancestry, have at least a third cousin in the database, which is enough to start tracing DNA matches to potential suspects.
An anonymous poster on Reddit was the first to give details of the Wells Fargo outage - that a fire suppression system at a data center was accidentally activated, which caused computers to shut down. The commenter claimed that "some failovers did not work as expected." Many news sites, such as NBC News, had additional reporting on the incident.
Liz Denys (LD): Hey Geoffrey, today's episode of Loose Leaf Security is pretty timely - I had a pretty unfortunate coincidence last week that's making this topic entirely too relevant to me.
Geoffrey Thomas (GT): Oh no, Liz, what happened? Did your PayPal account get frozen? Or did your mobile payments stop working or something?
LD: Worse. Someone counterfeited checks for my checking account and managed to get a couple thousand dollars out.
GT: Oh, yikes!
LD: Yeah, I got the money back - eventually. My whole account was frozen for several days.
GT: So they literally just made checks with your account number and a fake signature and deposited them?
LD: Apparently so, I generally pay pretty close attention to transactions and go to online banking a lot. And then I found the check images there, and it kinda looks like one of my actual checks except everything is subtly wrong - except the account number.
GT: Checks are surprisingly insecure, but they're still very popular in the US. We'll talk about all of these risks and how to keep yourself safe, but the short answer is that you should probably prefer some other form of payment if you can.
LD: Although many of the popular mobile payment apps have their own risks that are worth being aware of. Stay tuned for this and more in the second half of our series on securing your personal finances.
Intro music plays.
LD: Hello and welcome to Loose Leaf Security! I'm Liz Denys,
GT: and I'm Geoffrey Thomas, and we're your hosts.
LD: Loose Leaf Security is a show about making good computer security practice for everyone. We believe you don't need to be a software engineer or security professional to understand how to keep your devices and data safe.
GT: In every episode, we tackle a typical security concern or walk you through a recent incident.
Intro music fades out.
GT: It's pretty troubling that someone could just listen in on you by calling you. Apple has released a fix, so if this is the first time you're hearing about it, you don't need to go remove FaceTime from your phone to prevent someone from eavesdropping, just make sure you're up to date with those software updates.
LD: Though, if you never use FaceTime like I don't, it's best to remove the app from your phone. You can always reinstall FaceTime later if you want to use it, but you won't be vulnerable to possible bugs like this with an app you don't use. This isn't really a FaceTime specific recommendation - despite this recent bug being pretty bad, this could happen with anything on your phone - but after I heard about the bug, I went to make sure I didn't have FaceTime and realized I already uninstalled it.
GT: Yeah, it's worth going through your phone and looking at apps that came pre-installed and honestly all of your apps and thinking about whether or not you use them. If you don't think you'll need them soon, you're safer not having them.
LD: A couple of very big tech companies found themselves on the wrong end of Apple's kill switch last week - and for good reason. First, Apple revoked Facebook's Enterprise Certificate because Facebook's Research VPN app violates their policies.
GT: Facebook's Research VPN app was distributed outside of the app store, using Apple's program for "enterprise applications" under the guise of beta testing. Those applications can potentially have additional permissions that aren't allowed to apps on the app store, and they don't go through App Store review, but they're intended to be used only by a company's own employees. Facebook was using their certificate to distribute the app to people outside the company, and the app was marked with a special permission to let it get complete access to all network traffic on the phone - which is generally something you should be really careful about allowing.
LD: Yeah, I'd say generally you shouldn't give any app this level of access, but certainly not something you don't have incredibly strong reason to trust - and Facebook, a company that has had multiple scandals about mishandling user data and whose entire business model is selling your data, that just doesn't meet that level of trust for me. However, it's unclear how much people who were installing Facebook Research were really thinking about that though - Facebook has been paying users between the ages of 13 and 35 to install Research and hand over all their network traffic.
GT: Paying anyone, but especially teenagers, for their network traffic is... pretty creepy. Anyway, that level of access violates Apple's policies - which is almost certainly why they were distributing the app via this beta testing approach instead of trying to get it into the App Store.
LD: There are legitimate reasons why a company might not want their apps on the App Store - for instance, if it's an app to access internal services, or an app that they're using beta test but they don't want to be fully public yet. Apple allows companies to have signing certificates for apps for limited purposes like these, but there are rules around how you get to use them, including not using it to distribute apps to the general public or as a way to get around the review process. Facebook's Research app definitely fell outside these categories: they were marketing it to people outside of Facebook employees, and it wasn't for beta testing or anything: it's just a real app that wouldn't have made it through the review process at all.
GT: Apple restored Facebook's certificate later, but Research isn't available anymore for iOS, in part because these certificates are only supposed to be used to distribute apps to employees, not consumers.
LD: Facebook's Research program is still running on Android, and it's maybe worth thinking twice if you want to be giving that level of data about you and your habits to a company that is collecting it to sell it to advertisers. Also, be wary generally about giving broad access to any sort of app, particularly ones that haven't gone through the App Store or Play Store's vetting.
GT: Oh, and maybe talk to your elected officials if this sort of dealing in targeting teenagers for their data in exchange for money rubs you the wrong way.
LD: Google was also distributing a similar app called Screenwise Meter with its Enterprise Certificate to more than just employees. Google disabled the app, and Apple also revoked their developer certificates. In other Google news, Google released a new extension for Chrome called Password Checkup. If you add it to Chrome, it says it will let you know when you're logging in if that password you're using is in a breach.
GT: The extension says it handles your data properly - Google claims it only reports stats and keeps everything private - but the extension itself needs access to every site you're on to check every password you type.
LD: Right, as we discuss in our episode "Web security continued: cookies, plugins, and extensions", you should be careful which extensions you give that level of access to. It sounds like they're being thoughtful about what data is sent back to their service, so that's a good sign.
LD: Also, I'm not sure exactly how useful this kind of service is - personally, I'd rather be notified of breaches when they happen, not when I happen to try to next use those credentials to log in.
GT: The sooner you hear about the breach and change your password, the better. That's why we've recommended the more proactive breach notifications provided by HaveIBeenPwned.com's email service before. If you subscribe to HaveIBeenPwned.com's email alerts, you'll get an email when that address has been found in a breach. You might also get HaveIBeenPwned.com breach integration through something like your password manager, such as 1Password's Watchtower.
LD: Right, but 1Password's Watchtower is something you have to go to check in on periodically, so even though I have that I'm still subscribed to HaveIBeenPwned.com's email notifications. When you get one of those notifications, you should proactively change your password for that site and anywhere else where you might have reused that password.
GT: Another thing I'm confused by is that Google is really vague about what passwords are in the Password Checkup breach database. I mean, obviously, they're not going to release the database itself, but they haven't said what the sources are, or even whether it contains all the data from HaveIBeenPwned.com.
LD: Yeah, so even though I don't really think Password Checkup is a big value add to me, you know, because I want to be notified when the breach is known and I want to be proactive about dealing with it, I was curious if Password Checkup was going to be checking things from a breach against all sites or just the site it was breached on - the language in the extension is really unclear about this. So I installed it in a fresh Chrome profile without my password manager and tried a handful of email/password combinations of mine that I know have been breached, but none of these were flagged by Password Checkup as being part of a breach, even on the site they were breached from.
GT: Hmm... so maybe it's a completely different source from HaveIBeenPwned.com's breach database?
LD: Maybe! HaveIBeenPwned.com is a pretty large and respected database but it's not necessarily the only one worth using. Anyway, I guess it's pretty unclear how helpful Password Checkup is.
GT: And if you do think it might be helpful and you trust Google's extension, don't think of it as a replacement for HaveIBeenPwned.com's breach notifications or hearing about breaches in the news.
LD: You should definitely still proactively update your breached passwords and keep paying attention for those breaches.
LD: Apparently, FamilyTreeDNA's marketing information said that unlike competitors, they didn't sell their data to third parties.
GT: But that didn't stop them from just giving it away!
LD: Yep - until there's clear regulation on how data like this can and should be used and shared, it's probably safest to assume that data you share with any company, including your genetics, is shared with others.
GT: It's possible that this was made more clear in their terms of service, but I think very few of us actually read terms of service in detail. Most of them do say they'll give up data if required to by law, and in general that's true whether or not it's in the terms of service - but many companies will also voluntarily assist law enforcement by providing data even without a court order or other legal process.
LD: And data also tends to move when companies get acquired, privacy policies can usually change on a short notice, and so forth. It's a little paranoid, but if you're worried about your data, you should be very careful about who gets it in the first place.
GT: Wells Fargo, one of the large United States banks, recently had a fairly major outage of their consumer banking services. Their mobile app and website were down, and many people reported trouble with ATMs and credit cards from Wells Fargo. Even payroll processing for Wells Fargo's own employees was delayed.
LD: Apparently, in one of the data centers where they kept their servers, a smoke sensor went off, which triggered servers to shut down as part of a fire suppression system. They got everything back online only about a day later.
GT: There's a couple lessons here. One is to keep your money in multiple accounts with multiple banks - make sure that you have at least a bit of emergency money that you can withdraw from one place in case something happens to the other. Even large national banks like Wells Fargo have outages like this.
LD: The other is, don't be like Wells Fargo with your own data. Don't keep it all in one place where a single power outage or fire or lost laptop can completely lose it. If you've got important records in digital format, or even keepsakes like photos that you care about, use some form of backup to keep a second copy somewhere physically separate. Our episode "Backups" from a little while back goes through the tradeoffs of cloud storage and local backups.
LD: Not to be confused with "Adamantium", the metal that makes up Wolverine's claws.
GT: It's a full-disk encryption mode that's based on a popular encryption algorithm, ChaCha20, which has good performance on pretty much any CPU. The current full-disk encryption for Android - and the state of the art for desktops and laptops, too - uses the encryption algorithm AES, which is very fast if you've got special support in your CPU for AES, but not otherwise.
LD: Most desktop and laptop CPUs these days do have CPU instructions for the specific mathematical operations in AES, but it requires special circuitry on the CPU to compute them efficiently. The CPUs used in cheaper Android phones usually don't include this support, so doing encryption with AES would be very slow.
GT: In our episode "Comparing Android and iOS security", we talked briefly about how Google had to turn off full device encryption on lower-end Android devices, because it was making the phones too slow. All iPhones in the last several years have had device encryption available, but they tend to be comparable in price to the more expensive Android devices.
LD: Google's work on Adiantum involved coming up with a way to use the ChaCha20 algorithm for disk encryption, which is a challenge because full-disk encryption doesn't allow the encrypted data to be bigger than the unencrypted version. In most forms of encryption, the algorithm adds extra output data to improve both secrecy and tamper-resistance. There's a fairly well-accepted way to use AES without that extra space, but so far there hasn't been one for ChaCha20.
GT: They have a paper where they set out their security claims, and they're planning to set up Adiantum for all Android devices, which is great news for people who don't have either more expensive Android devices or iPhones. As they say, "Everyone should have privacy and security, regardless of their phone's price tag."
Interlude music plays.
LD: Last episode, we talked about credit and debit card security, primarily looking at how different forms of in-person payments - swiping your card, inserting a chip, tapping your phone - have different levels of security, and also at ways to stay safe with online purchases and with credit monitoring. But there are a handful of other popular payment systems, most notably checks and payment apps. Checks have been around for centuries, but modern technologies have made them both more convenient and more risky.
GT: And there are a few other risks with credit cards, like what happens with online or recurring payments when your card number changes.
LD: Back when it was common for merchants to make an imprint of your credit card or write down the number, if anything changed about it, it was usually hard for them to charge your card after the change. So if your expiration date passed and you got a new one, they'd usually need to ask you for your card number again.
GT: So there's a little bit of a sense that expiring cards is a form of security - and it was, that's mostly the point of expiration dates. Before online systems that let sellers immediately verify whether a credit card is active, it was useful to make credit cards valid for a fixed time, so that they couldn't be used for purchases once they expired.
LD: But now sellers can just check with the credit card company whether a card has been reported lost or stolen. And similarly, it's also easy for them to check whether a card has changed its expiration date or even its number, in case they have it on file for recurring billing.
GT: All of the major credit card networks offer services which let merchants update the credit card information they have on file. Sometimes this is done through what's called "tokenization": now that it's no longer common for merchants to store actual credit card numbers, they just store a token, basically a reference from the credit card company allowing them to charge that card, and that token can stay valid even when the card itself gets renewed. They also have services that let merchants who do store numbers just upload a list of credit card numbers and expiration dates and get the latest version of those credit cards.
LD: This is pretty common with routine expirations, and it makes monthly or annual billing a lot more reliable for merchants. But if you signed up for a service and expected them to stop charging when your credit card expired, that isn't going to work. You actually have to cancel your subscription with the company directly.
GT: And it turns out this doesn't just happen with expired cards - it also happens if they change your card number. I actually saw this first-hand the other day - remember how my credit card number got stolen and they had to replace it?
LD: Yeah. So your recurring payments kept getting charged, right?
GT: Yep, most of my online payments moved over. I guess since it was the physical card that was stolen, my card company figured out that any merchant who already had my card number was trustworthy, and it was okay for them to keep billing me.
LD: I guess that made it a lot easier for you to deal with the card getting stolen.
GT: It was mostly smooth - but I couldn't use my cell phone to make payments with that card either until I received and activated the replacement physical card. I guess those systems are tied together in some way. So I had to use a backup card for a while.
LD: Did all your online payments keep working?
GT: Almost all of them. There were a couple of recurring payments, mostly recurring donations, that I did have to manually update for some reason. Also, I was a little surprised that some of my irregular online accounts got the update, too. For instance, I haven't bought anything with my PlayStation account for a long while, but when I decided to buy Katamari Damacy last week because it's a really old game and it was cheap, the payment just went through with my saved credit card details from many months ago.
LD: Visa's account updater service, for instance, allows merchants to get updates if they, quote, "have a card-on-file or a recurring payment relationship" with you. And in the list of changes they support, they specifically say that lost and stolen cards will get updates.
GT: One of the things I found really helpful in this process was transaction notifications - it let me see that things were still being charged to my card. We talked about this a bit last episode; I have the mobile app from my credit card's bank, which sends me push notifications pretty quickly.
LD: It's a good idea to keep track of recurring or automatic payments yourself, especially if you don't have transaction notifications, but honestly, even if you do. Whenever you save a credit card number with a website or tell a company to bill that credit card, make a note of it, both so you can check that your payments are still going through after the change, and so that if you ever need to cancel payments, you've got a list of who can still charge your card.
GT: If the reason you're changing your credit card number is that a merchant is being dishonest and charging you, you need to call your credit card company and tell them to put a stop payment for that merchant - changing the number is probably not going to be enough.
LD: There's one other pretty new thing with credit cards - for some online transactions, there's a system called "3-D Secure" that redirects you to a separate web page to prove your identity when you make a purchase. It goes by brand names like "Verified by Visa" or "Mastercard SecureCode," and it's intended to prevent stolen credit cards from being used online.
GT: Unfortunately there are a number of issues with this system, not least of which is that it's prone to phishing attacks. For some reason, the site it redirects you to isn't run by your credit card company directly - it's generally run by the third-party company that offers the 3-D Secure service. So you're probably sent to this page that's asking you for information, while having no idea who they are.
LD: I have one card that uses 3-D Secure, but it has never prompted me for anything - it just thinks for a bit and then sends me on the way, without asking me for more information. Or it's denied my transaction, and I've just had to call up my credit card company and verify my identity and that I wanted to have that transaction there and then reprocess it, just like anything that was flagged as fraud.
GT: I used to get it in exactly one place - my domain registrar used a payment processor in France, which somehow ended up using 3-D Secure. It did prompt me for information, but nothing very secret, I think just my birthdate or something.
LD: You should be very cautious if you're asked to enter in anything secret, especially an existing PIN number or your bank's login credentials. Since you didn't go to the bank's site on your own by typing in its URL with https in the front of it, it's hard to verify that you're on a real site and not a phishing page. And the domains they choose tend to be very unclear in their affiliation with your actual credit card issuer.
GT: You usually don't have an option to skip it, but if you do, that might be the best choice. My domain registrar also lets me process the payment with PayPal, which is also a third party, but at least I know that paypal.com is legitimate.
LD: If you have to use it and start using a new PIN or password with it, the best thing to do is save it in your password manager, because your password manager can also remember the website and make sure you're not on a phishing page. The first time you use it, try to figure out if the domain is legitimate, and if possible, set it up through your credit card's website instead of while in the middle of making a purchase.
GT: We're not really sure that 3-D Secure adds much - most credit card fraud tends to be with in-person purchases, not online transactions. Online shopping sounds scary, but as we talked about last episode, there are a lot more risks to your card with in-person transactions, especially at places like restaurants where the card goes out of your sight.
LD: It would be pretty cool if there was some sort of second-factor authentication for all your purchases. But 3-D Secure isn't really a separate factor, it's just something else you have besides your credit card number. And it doesn't apply to in-person purchases at all.
GT: Well, that's enough about credit cards. Let's talk about a shockingly insecure but common form of payments: checks.
LD: After a quick break!
Interlude music plays.
LD: So we've talked a lot about credit and debit cards - and how it can be really disruptive when someone gets your credit card number - but someone getting your bank account number is practically radioactive. And unfortunately, whenever you write a check, you're giving the recipient your bank account number.
GT: Despite most modern checks having "security features" like watermarks or holograms and the like, a check is essentially just a piece of paper with your bank's routing number and your checking account number.
LD: Your bank's routing number is essentially public information - it's really easy to find out with a quick web search if you know what bank someone's account is at.
GT: When paying by check, the payer gives the bank's routing number and your account number to the recipient, along with the amount it's for and a signature, and then the recipient gives that to their bank. Usually the recipient's identity is verified in some way, generally by providing your ID or the PIN for the account it's being deposited into if you go to a bank to deposit or your account's password if you're depositing on your phone.
LD: But the payer's identity and ownership over that really sensitive account number - the account number the check's recipient now has - doesn't exactly get verified.
GT: There's some level of fraud checking that every bank will do, but fraud checking isn't perfect.
LD: In some other parts of the world, particularly Europe, checks are barely used because their banking system happened to develop into relying on other ways of transferring money. The main European money transfer system is known as giro.
GT: Instead of giving the payer's bank information to the recipient, the payer goes to their bank and gives the bank the recipient's information to start the transfer.
LD: The main difference from checks is that with checks the recipient is the person going to the bank, but with giro, the payer goes to the bank, and then the bank is likely verifying their identity before the transaction goes through.
GT: It's kind of weird that in the US, having the check writer's account number and the right bank routing number is essentially enough for the recipient's bank to believe it's a real transaction. It makes a lot more sense for the payer to be verified than the recipient - which I think is why Europeans are more willing to give out their account numbers.
LD: But even in Europe, it's still possible that someone could use your account numbers to potentially write the rather uncommon check or jump through a few more hoops and make a direct debit.
GT: Here in the US, we still rely heavily on checks, and if your checking account number ends up in the wrong hands, it means someone could try, and possibly succeed, at taking some of your money. So it's really important to keep your checkbooks safe and try to only write checks to people you trust to keep them secure.
LD: And definitely don't post photos of checks, yours or anyone else's, to social media.
GT: So, Donald Knuth, a mathematician and computer scientist famous for his series "The Art of Computer Programming", used to write checks to people who found errors in those books, but apparently only a small number of people actually cashed them. Instead, proud bug finders would frame and display them or post them on social media. And apparently his checking accounts have been compromised enough times that his bankers have strongly requested he stop handing out checks because they don't want to keep locking down his account and changing account numbers for him.
LD: If you're paying someone you don't trust, it's better to prefer other forms of payment, so that they don't do something careless with the sensitive information on your checks. Credit cards, payment apps, or even cash is safer.
GT: Yeah, we'll talk more about mobile payment apps later in this episode, but generally a good payment app will be a lot safer than a check.
LD: And when we say you should only pay someone you trust with checks, that includes being careful with paying even businesses you trust by check because it only takes one employee copying down that account number to potentially get access to your funds.
GT: Yeah, you should also be really careful whenever anyone asks you for that account number - either by check or online for an e-check. Sometimes, there will be lower fees associated with a check payment or bank transfer than with credit card payments: often whoever you're paying will essentially pass on the credit card networks' merchant fees, which are generally in the 2-3% range. Or if it's a donation, they might say that the effective amount donated ends up reduced because of those fees if you pay by card. You should decide carefully whether you think it's worth the increased risk from giving your bank account details to avoid that increased charge.
LD: And think about whether you trust the entity you're giving money to to be organizationally competent generally and keeping up with good web security practices if it's an online check. Definitely don't give your account information over web pages that aren't fully using that secure HTTPS protocol.
GT: Wait, so, is it okay to give a cancelled check to your employer for direct deposits?
LD: I'd say yes, you can probably trust your employer not to mishandle this, particularly because it could pretty easily be tracked back to their getting a voided check for handling your direct deposits, but being me, I'd also be a little paranoid and make sure I didn't see any unexpected withdrawals for a bit.
GT: Yeah that makes sense. I would, too, but I monitor my bank account activity pretty closely anyway. Just like with credit cards, transaction notifications are really helpful with bank accounts.
LD: Transaction notifications don't seem quite as fully functioned for bank accounts as with credit cards - there's not as many options about what kind of notifications you can get - but it's still worth checking what's available and turning those on.
GT: As I mentioned last episode, one of my bank accounts doesn't have a lot of options for what types of transaction notifications are available - I can't tell it to notify me for each transaction, but I can tell it to notify me when the balance goes below a certain point, and since it's my emergency account, I just set that point to the current balance.
LD: If someone successfully withdraws money from your account with an altered or counterfeit check, it can be a pretty slow and frustrating process to get your money back, even if you notice it pretty quickly. A bit over a week ago, someone had actually made counterfeit checks for one of my checking accounts and cashed two of those checks. It sadly got completely processed before my bank's fraud department caught it and for some unknown reason, I didn't get a transaction notification until after the fraud department caught it and called me.
GT: Oof, they should really be checking for fraud, like credit cards, before they withdraw from accounts.
LD: Yeah that surprised me, though since this did eventually resolve, I at least have some small amount of faith that if I caught a fraudulent check through a transaction notification, even if it was after it fully processed, I could hopefully get my money back.
GT: Makes sense.
LD: Anyway, I'm also not sure where this check counterfeiter got my account number - I don't write many checks and didn't recognize the name they were made out to at all - but somehow, they got my account number and made some pretty inaccurate looking checks - none of the modern security features, the bank's logo was in the wrong places, my last name had two N's in it instead of the one, and the signature looked nothing like mine.
GT: Do banks usually check signatures against the one they have on file?
LD: I'm not totally sure - my signature changed a lot since I first got a bank account probably fifteen or so years ago and I still have that bank account, but that's the only bank that's ever called to verify my signature and that was only once.
GT: Yeah, I've never had a bank refuse a check because of the quality of the signature - and I actually write checks pretty frequently and my signature doesn't always come out the same way.
LD: Anyway, eventually I did get the money this counterfeiter withdrew back, but it took about a week and my entire checking account - not just the money this counterfeiter took - was locked down during the investigation.
LD: Yeah, I'm lucky that I didn't need to access that money at that time and have other funds available in another account.
GT: Yeah, this isn't a financial advice podcast, but I want to make a plug for having a second account if you can so that in the event you get locked out of your main checking account - because of a fraud investigation like Liz was dealing with or because your bank's systems were down like the Wells Fargo story or whatever it might be - you will still be able to access enough funds to be able to take care of your day to day for a while.
LD: Right - availability is a really important security concern. How you want to split money between accounts and how much of an emergency fund you need is a financial planning question, but one way or another you should aim to have multiple routes to enough money.
GT: I still do most of my banking with my college's credit union, but one time, I ended up getting a large physical check to deposit and decided it would be worth opening an account with a large national bank. So in unusual circumstances and especially if I'm traveling, I can probably find a way to get to that backup account, even if it's after hours for my main account or I can't find an affiliated credit union or whatever it might be.
LD: When my primary bank account got frozen, it was also really helpful that I maintained a list of all the services that were linked to that bank account - everything from autopays for credit cards, insurance, and utilities to mobile payment apps that could either take from or deposit into it - because I actually also got locked out of being able to see my transactions online for this account during the investigation. So I could quickly change those over to a different account instead of having payments fall through and getting late fees or worse. Anyway, when I was at my local branch to open a new checking account because obviously, my old number was compromised, the banker helping me wasn't surprised by this issue at all - apparently it's pretty common for them to help clients fill out the dispute form saying that a check was cashed that wasn't actually legitimate.
GT: So Liz was dealing with a check counterfeiter - someone who made completely new checks with Liz's account information on it - but altered checks are an even more common way checking account holders are defrauded. Sometimes, people change who the check's written out to or increase the amount the check's written for.
LD: You should write out the name of the person or institution your check is intended for as completely as possible so it's less ambiguous, though that won't completely stop someone from being able to alter that line.
GT: When you're writing out how much a check is for, make sure to start both the written out and numerical amounts as far left as possible so someone can't put a digit in front of the intended number to increase it and fill in the entire line for the written out amount - that's why people draw those long dashes after the cents portion of the written amounts.
LD: And don't leave big spaces between words - "one" is a pretty short word to add in to the written out amount line, and it's similarly easy to add in just a vertical line in that numerical amount section.
GT: Another thing about checks is that they might take longer than expected to clear.
LD: Wait, Geoffrey, what do you mean by clearing here? When it comes to checks, "clearing" is a highly overloaded word that generally means one of two things: first, a check clearing could mean the money from a check becomes available in your account, and second, it could mean that that check has been verified to be good and that money that went into your account is actually going to stay in your account.
GT: Right, those aren't the same thing anymore. A check clearing used to mean that the check both was verified as good and that the money is available in your account, but nowadays, a US regulation requires that the receiving bank make the money available pretty quickly in your account, even if they're still waiting on the other bank to confirm the check. Since 2010, personal checks generally take 2 days for the funds to become available in your account, unless the bank has a specific reason to be suspicious of the check or of the account.
LD: And government checks like tax refunds and official bank checks like cashier's checks need to have the associated funds be made available a business day after depositing, and because they're drawn directly from a bank or the government, they are pretty trustworthy. But all other checks only have to have the first 200 dollars available on the next business day.
GT: But also that money being available doesn't necessarily mean the check is good - bad checks might get discovered after the check's money has been made available to your account, possibly weeks later.
LD: Yeah, which is why a check "clearing" sadly doesn't mean it's actually "cleared".
GT: They really should have picked different terms for at least one of those things.
LD: Yeah, and unfortunately, it's not always obvious from your account summaries how much of the checks you've deposited is available and when that is available or when a check has been fully verified as good and that the money is actually yours, so if you've cashed a check recently, don't count on that money just because you see that the balance has changed.
GT: There's also a couple of social engineering scams around check clearing taking time. Someone tells you they need cash, and they offer to write you a check for it. Even if you both go to the ATM and see it deposit, you're not yet guaranteed that the check will clear, so you might be giving them money for nothing. Or someone's buying something from you and they write you a check for too much, and they ask you for the difference in cash - but it turns out a few weeks later that the check actually isn't good, and then you've lost all that cash.
LD: This is sort of the flip side of only giving checks to people you trust - you should also only consider believing that the money written out to you on checks is good and real from people you trust.
GT: So a side note on how checks get processed: traditionally, banks would send the actual paper checks around, and so it was normal for checks to take a long while to get processed.
LD: When electronic communications came along, many banks moved from a physical clearing house to an automated clearing house or ACH system, where they'd just send the information on the checks over. ACH continues to power most major bank-to-bank transfers in the US today.
GT: But you still needed paper checks if the two banks didn't have an ACH agreement, until 2004. The Check Clearing in the 21st Century Act, or just Check 21 for short, allows a bank to take a photo of a check and use it as a legal equivalent of a paper check. If the other bank requires a paper check, the first bank could just print the photo - which makes transfers across the long distances much faster.
LD: This is what enabled faster funds availability: by 2010, the various regional check processing centers had just turned into one check processing center for the entire US, and so the regulations no longer needed to allow time to physically send checks across the country. They could expect that checks would get processed in a day or two because they could send around those images.
GT: Check 21 is also what made mobile check deposit universally possible - because your bank can always process a photo of a check, they can just let you take the photo of the check yourself.
LD: So that means it's not very different from what happens if you take the check to a bank or an ATM. And as I learned the hard way, banks don't really do a lot of verification once they're handed the checks.
GT: Right. You might as well use mobile deposit - there aren't any particular concerns with it, beyond just keeping the login information for your bank safe and keeping your phone secure. The only thing you might want to do is hang on to the physical checks for a bit, just in case your bank does decide they want to apply extra scrutiny to the check. But that's usually part of the instructions in your bank's mobile app when you set up mobile deposit.
LD: Speaking of mobile banking apps, you'll need to set up your bank's online account to use them, and it's generally a good idea to sign up for your bank's online services promptly. Even if you don't plan to use the mobile app or do any banking online, you should at least create an account, because then you're protected by the account password.
GT: The signup process typically asks you for personal information, but nothing too secret, like your birthdate and social security number. This is all stuff that regularly comes out in data breaches, so an easy way to protect yourself from identity theft is to make sure you've signed up your accounts before anyone else can.
LD: Of course, make sure to use a strong password and keep it safe - all the things we talked about in our episode "Securing your online account passwords" apply to your bank passwords, too.
GT: When you're setting up online banking, make sure to sign up directly on the bank's authentic website - you'll generally have a URL printed on whatever papers you got from the bank. Make sure to type in the https:// in the URL so that you're accessing the site securely.
LD: If you set up a bank account in person, don't feel weird asking to go to the site with the representative there. It's a lot more common than you think. I've done this out of paranoia, and despite clearly looking like a millennial, the agent didn't question it.
GT: Once you've done this, one side effect of a good password manager is that it effectively bookmarks the official sites you should visit. Instead of having to search for the bank's name, and possibly ending up at another site or maybe even tricked by a malicious ad, your password manager should have the correct URL saved.
LD: If your debit card gets stolen or flagged for fraud, you definitely don't want to be searching for the bank's website in a hurry to see your transactions or click the "Replace card" button, you want that saved.
GT: It's probably a good idea to download the mobile app promptly, too. While mobile apps generally don't use the origin system used by websites, there is a review process on the major app stores, so it's unlikely a fake or duplicate bank app would get past review. And once you have the app downloaded, it's a reliable and secure channel to the bank. There might be a download link on the bank's website or they might text you a download link when you sign up - as long as it brings you to your device's app store, and it doesn't try to download an app directly, it's another good way to make sure it's authentic.
LD: Since it's a high-value target, most mobile banking apps allow you to set up additional authentication on top of the app itself, beyond what you use to unlock the phone. We talked a bit about various options here in our last security stories episode - different things make sense for different people, depending on how you use your phone, so find an option that makes sense for you. As we mentioned in that security stories episode, it's good to see what you need to input in order to access your bank account when your phone is unlocked and when it's locked. If either of those doesn't seem secure enough, change the authentication needed.
GT: A few mobile banking apps will implement two-factor authentication by texting you a code every time you open the app. SMS-based two-factor authentication is our least favorite kind because it's both not very secure and cumbersome, but every time I open the Bank of America app I sigh and do it anyway - it's definitely better than not having two-factor auth at all.
LD: And in the latest version of iOS and Android, there are some features to make this less painful. Android will let you copy the code straight out of the notification. And iOS will turn recently-texted six-digit codes into autocomplete suggestions for the keyboard, so you don't even have to leave the app.
GT: We talked about this a bit earlier, but a good reason to have the mobile app is to set up push notifications for fraud alerts or transaction alerts. Since it's through the app, it's a lot more trustworthy than something you get over SMS or email, and it can bring you right back to the app where you can see more details or respond to a fraud alert.
LD: Let's talk a bit about other popular ways of using your mobile phones for payments - namely cash transfer apps - but first, let's take a quick break.
Interlude music plays.
LD: Alright, now let's talk a bit more about cash transfer apps: apps like PayPal, Venmo, Square Cash, and so forth.
GT: Even Google Pay and Apple Pay support person-to-person transfers, and the major US banks have built their own option called Zelle.
LD: They've each got their own quirks about how they work, and there are different tradeoffs with each of them. Though all of them are less terrifying than a wire transfer, where you just have to trust that you got the account numbers right and that whoever puts your wire transfer through doesn't make a typo.
GT: However, there's one major thing that you should probably turn off that just straight up isn't a tradeoff: if you use Venmo, the default behavior for Venmo transactions is that they're public, and you probably want to change this. Venmo says it's because they see it as a social network, and according to them, "it's fun to share with friends in the social world."
GT: Even if you're the sort of person who wants to share your transactions with friends, they're available to the general public, which might not be what you expect.
LD: Last year, a Mozilla media fellow launched a website tracking the transactions of five anonymous groups of users, including the customers of a corn seller at UCSB and a woman who used Venmo to pay for 280 Cokes in the course of a year. The transactions have real names and usually Facebook profiles linked, as well as amounts and timestamps. She was able to use the data to tell detailed stories about the lives of these complete strangers. We'll link to her site in the show notes - the site also has clear instructions on how to disable this and make all your previous Venmo transactions private.
GT: Oh, that reminds me. One thing to keep in mind about credit card transactions is that the data is generally for sale and used for analytics and marketing purposes. This is super clear with some of the fancier payment terminals you see at coffee shops and other small businesses, where there's a tablet that they ask you to enter an email address for a receipt on. They'll associate that email address with your credit card, which is shared across any store that uses the same brand of terminal, and all these stores can send you marketing emails.
LD: They often use this as a simpler replacement for loyalty cards, which is kind of nice because I don't have to carry punch cards around with me.
GT: Yeah, I have way too many of those for my local coffee shops, so I don't really mind that these terminals are replacing that, but it makes it pretty obvious that I'm being tracked. They'll also generally send receipts to that email without prompting you, once you've signed up with an email.
LD: That actually surprised me once - my partner is an authorized user on one of my credit cards, and I started getting emails for his transactions because I entered my email first at one of these terminals.
GT: There's usually an unsubscribe link at the bottom of these emails, but even without the email address, they're probably correlating data from all your transactions behind the scenes anyway.
LD: One of the other things that bothers me about this is that they don't ask for your email every time or necessarily at least confirm your email if there's already one linked in their system. Someone else could be getting emails about my transactions through these sorts of register systems, and I wouldn't even necessarily know that. All that would take is one time where I walk away after signing but before it asks me if and how I want a receipt and a malicious cashier entering their email after I walked away - maybe because they're bored or maybe because they have unsavory reasons to want to track where else I'm going.
GT: As far as I can tell, there's generally no supported way to unlink your credit card and an email address beyond contacting customer support for that device one way or another. Square, one of the more popular manufacturers, at least has a form to unlink email from a payment card, but it doesn't look particularly easy to fill out if you aren't already getting those email receipts yourself.
LD: Credit card networks often sell transaction data to advertisers directly. For instance, Google wrote in a post to their advertising customers that their "third-party partnerships" allow them to see 70% of credit and debit card transactions in the United States, even if those are perfectly normal in-person credit card transactions that have nothing to do with Google. Bloomberg discovered that Google had made a secret deal with Mastercard for in-person transaction data.
GT: There's not much you can do about this, though, right?
LD: Yeah, unlike turning off public transactions in Venmo, for credit cards this data is just going to get sold. Perhaps just be aware of it and maybe talk to your representatives if you think government regulators should be stepping in here.
GT: So getting back to payment apps: the first big thing to keep in mind, besides privacy, is fees and policies. Many of these apps will let you associate either a credit card or your bank account, but they'll pass on that credit card network fee, usually around 3%, to you.
LD: As we've been talking about, it's a lot safer to give them your credit card number than your bank account information. But usually, you're using a cash transfer app from a major, well-known company, and it's unlikely they'll intentionally do anything bad with your money. It's still definitely worth keeping an eye out on your transaction history with your bank accounts.
GT: A couple of them will try to verify your bank account information by making some small deposits, under a dollar, and asking you to tell them what the amounts of the deposits were.
LD: Confirming the amounts of these small deposits is less insecure than verifying your account by having you log into it or associating it directly with your bank. We'll talk more about this kind of third-party access to your bank accounts, and the security concerns with it, later in this episode.
GT: This method is also meant to prevent those services from being used for fraud themselves, so it's not a bad plan, but it doesn't change the fact that someone else with your account number still has other ways to attack your account like we discussed earlier, such as by printing fake checks. So when you're signing up, you still need to make sure you're using a trustworthy app or a trustworthy website.
LD: And of course, make sure that you secure your login to this app using the most secure option they offer. Because it can make transfers to and from your bank account, it's at least as much of a target as your bank account itself.
GT: If it supports two-factor authentication, you should definitely enable that. I have the same complaint with the PayPal app that I do with Bank of America: they send me a text message each time I open the app, and there's no fingerprint auth option or anything. But I want two-factor auth enabled for logging into PayPal.com through the web, so I just deal with it.
LD: Another good reason to link your bank account is that, for a couple of services, the fees for using a credit card might be a lot bigger than you expected. For instance, Apple Pay Cash will charge you a 3% fee, but they'll also usually send the transaction to your credit card as a cash advance. That means your credit card will also charge you those cash advance fees - for my cards that's usually another couple of percent, plus they start charging you interest immediately instead of after your monthly balance is due. That's a very bad deal, and you should check your own credit card's terms or ask your credit card company how they handle these apps before using them.
GT: You'll also usually need to link a bank account to "cash out" and deposit any balances you've gotten from other people. Otherwise, you can only use the balance within the app. So for most people you'll probably want to link your bank account anyway at some point.
LD: A few of these services, such as PayPal and Apple Pay, also let you use their app itself for mobile payments as if it were a credit card, which is another way to get your balance out. The details of this are definitely beyond the scope of this podcast in terms of whether it's a good financial option for you, but at least on the technical level, they're very similar to debit cards that support transactions through the credit network. And you usually get all the security benefits of contactless mobile payments that we talked about last episode.
GT: Keep in mind that these apps are generally only meant for cash-like payments, to people you generally trust not to defraud you. There often aren't ways to reverse fraudulent transactions or dispute a payment with a merchant who sold you a bad product, the way there is with a credit card. Usually, no-fee transactions means there's also no built-in insurance for fraud.
LD: Zelle, the mobile transfer app run by the big US banks, has been having lots of problems with fraud. Because it's run by the big banks, it's often easy for scammers to convince victims that they should trust the app. And then you use it to send money to someone on eBay or Craigslist or something, and there's no way to get the money back.
GT: One nice thing about Zelle is that it's often built into your bank's mobile app, which means you might have it already and more importantly the person you're sending to might have it already. The banks are hoping that the convenience will help Zelle get more popular, and it is true that if you have your bank's mobile app already, you have a pretty secure way to log in to Zelle. But they do caution you that you should only send money to people you trust.
LD: PayPal also has options for paying "friends and family" versus paying for goods and services. When you pay for goods and services, the receiver has to pay a fee, but in these friends and family transactions, there is no fee and you won't get coverage from PayPal's own fraud protection mechanisms.
GT: By the way, PayPal in particular has a pretty bad reputation around freezing accounts. There are occasionally horror stories of them freezing accounts for unusual activity, which could be basically any change in the average amount of money used, and in most cases, people couldn't get to the funds for 180 days. If you're receiving money, it's probably a good idea not to hold too much money in the PayPal account and move it into a bank account promptly. And especially if you're conducting business, you should be using PayPal's option for business transactions.
LD: There are lots of apps these days for payment transfers, and it's probably worth taking a good look at the various options out there and how they compare - while it's probably easiest to use the same things your friends already use, you might want something else as a backup or for unusual transactions. And the details vary between them: everything from fraud protection to transfer limits.
GT: And if they prompt you to link your social media accounts to them, think twice.
LD: Yeah, one of these apps recently wanted me to link my Facebook account so that I could get important transaction things via Facebook message, but I don't really want my social media to be a potential point of vulnerability for my finances - if Facebook ever really messed up their security and had a big breach, I definitely don't want people also seeing my transactions.
GT: Let's take a quick break before talking about our last topic for today: third party access to your bank accounts.
Interlude music plays.
GT: One last thing we want to touch on is third party access to your bank accounts. Most of the time, you probably don't even want this, but there are some popular online personal finance tools that work by downloading all the transactions from your bank account. One of the most popular ones is Mint, which is run by a company that's been well known in the personal finance space for many years. That means people are likely to trust them with access to their bank accounts, but they're not a bank themselves and they're another big target for attackers.
LD: Usually these services work by asking you for your bank password. We generally recommend never sharing your passwords with anyone, and that's generally what the banks themselves recommend, too. But if you do want to use these services, that might be the only way.
GT: A small number of banks have options for third-party access that let you avoid giving the third party your password, and also make it clear how much access you're giving them and how to revoke it. That's a lot more secure, especially if you or your password manager can check that you're being sent to your bank's actual website to log in, and you're not giving the password itself to a third party. And the access is restricted to just accessing transaction information: it's not as powerful as having your bank password and being able to make changes.
LD: If you end up giving your password to a third-party site, the only way to revoke their access is to change your password, so when you're keeping track of who has access to your bank accounts for automatic payments, also keep track of who has just login access to your accounts, even if they're not taking money from it.
GT: Hopefully, these sorts of online budgeting software companies are handling their data well: they should be encrypting all of your account information, they should be handling passwords well, they should give you strong two-factor authentication options. If you really want to use an online budgeting tool, check that they provide all of this protection.
LD: Speaking of two-factor - your bank account might not connect to these third parties if it has two-factor enabled, but you really don't want to turn that added protection off for your bank account.
GT: And you'll have to be really careful if that third party aggregating budget software gets breached - make sure to change all of your passwords ASAP and keep an extra eye on all the linked accounts.
LD: Also, if one of those budgeting companies gets breached, an attacker could potentially see all of your transactions - which could enable them to link your bank account to their account on a service that allows verification by confirming the sizes of some small deposits, like PayPal.
GT: Oh yikes, and then they could easily debit your account, even if you had only given read-only access to that bank account. I'd be keeping an eye out for unknown transactions in general, but be aware that even small and fully reversed deposits like that could mean you've lost full control of your account - call up your bank to get a new account as soon as that happens.
LD: A more secure alternative to budgeting software that requires this third party access is budgeting software where you can input your bank and credit card statements yourself. Doing it yourself doesn't necessarily mean inputting every transaction manually, fortunately - a lot of budgeting software will allow you to download files from your bank with your transaction records, usually in CSV or OFX format, and just upload those files instead of giving them login access to your bank account.
GT: This model seems more common for software you install on your computer than for online budgeting options, but even online, this is a lot lower risk than giving a third party access to your account itself.
LD: Right, they won't automatically have access to your future transactions, and you have less to worry about in a breach - your past transactions and net worth and such are still worth protecting and could become available, but an attacker who gets that information won't potentially be getting your bank's login credentials or access to your ongoing transactions.
GT: So that wraps up our series on digital security for your personal finances.
LD: Tune in next time, as we share tips and tricks about keeping your passwords and two-factor auths tidy with the help of your password manager!
Outro music plays.
LD: Loose Leaf Security is produced by me, Liz Denys.
GT: Our theme music, arranged by Liz, is based on excerpts of "Venus: The Bringer of Peace" from Gustav Holst's original two piano arrangement of The Planets.
LD: For a transcript of this show and links for further reading about topics covered in this episode, head on over to looseleafsecurity.com. You can also follow us on Twitter, Instagram, and Facebook at @LooseLeafSecure.
GT: If you want to support the show, we'd really appreciate it if you could head to iTunes and leave us a nice review or just tell your friends about the podcast. Those simple actions can really help us.
Outro music fades out.