A bombshell $16 million fraud charge this week against baseball star Shohei Ohtani’s former interpreter offers a stark illustration of what can happen when your online accounts aren’t properly secured.
The interpreter, a longtime friend of Ohtani’s named Ippei Mizuhara, allegedly stole vast sums of money from a bank account established in Ohtani’s name. US prosecutors on Thursday accused Mizuhara of impersonating his boss in multiple attempts to make fraudulent wire transfers to pay off gambling debts.
According to court documents, Mizuhara abused his access to Ohtani’s online account and posed as Ohtani in several phone calls to the bank, at one point even using knowledge of Ohtani’s biographical information to persuade the bank to unfreeze the account when it was flagged for suspicious activity.
Mizuhara had unique access to Ohtani’s bank account, authorities say, because it was he who helped Ohtani create it in the first place in 2018 — which put him in a privileged position to take advantage of his client. Most bank users aren’t likely to find themselves in exactly this situation. Still, it’s a reminder of the typically simple steps you can take to protect yourself from online fraud and identity theft.
Start with a password manager
If you aren’t using one already, sign up for a password manager such as 1Password or Bitwarden. Taking this initial, simple step creates the foundation for securing your entire digital life in a convenient way.
Password managers help you generate and keep track of complex, secure passwords that aren’t easily guessed or cracked. This also helps you avoid using the same password across websites — a major security no-no.
Using unique passwords for each site means that if someone steals the keys to your Amazon account, it won’t mean they now have the tools to log into your Gmail and Facebook accounts, too.
The most trusted password managers on the market are also the most transparent: They either publish their security designs as white papers or their code is open-source, meaning independent security experts can freely review and audit their approach.
Use multi-factor authentication
Most major websites now support multi-factor or two-step authentication, which requires not only a username and password but additional assurances that a user is the rightful account holder. Very often, a multi-factor authentication (MFA) challenge comes in the form of an app notification or message delivered to a separate device you own that contains a numerical code to be entered into the website for extra security.
Some of the most secure ways to use MFA include using specialized apps such as Google Authenticator to generate one-time-use codes or physical security keys. Many password managers support the creation of MFA codes. You can also commonly receive MFA codes via text message on your phone; it’s better than nothing, but this method is generally regarded as less secure than the others.
MFA works on the theory that it’s unlikely a hacker halfway around the world will have access to both your login credentials and your mobile phone at the same time. It’s not foolproof, but nothing in security ever is. And it’s a great way to upgrade your security at very little cost to yourself.
Try passkeys
Increasingly, security experts are recommending the use of passkeys, which eliminate the need for passwords altogether. You can think of passkeys as an upgraded form of MFA, or as a combination of passwords and MFA — relying on biometric information like a fingerprint or a facial scan to help secure your accounts.
As security professionals have said: If logging in with passwords is based on something you know, and logging in with MFA involves something you have, passkey logins are generally based on something you are — which is both something you always have with you and that bad people can’t generally know or easily obtain for themselves.
Passkeys are considered the cutting edge in security because they cut out the use of credentials that could be stolen and misused, such as a password or one-time MFA code. They’re more convenient and more secure, a rarity in the security space where you typically pay for greater security with more hassle.
Passkeys are automatically unique to every website where you have an account. And all the authentication happens directly on your device — you’re not sending credentials over the internet where they could be intercepted or entrusting your credentials to a website that could fall victim to a data breach.
Passkeys are supported now by major tech companies including Apple, Google and Microsoft, making them seamless to use with existing software and hardware features such as FaceID and fingerprint sensors. And many password managers are also transitioning to support passkeys.
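An added illustration, not part of the original article: a simplified Node.js model of the passkey login described above, in which the device keeps a separate private key for each site and the site stores only the matching public key. The class names, the user "alice" and the `.example` domains are assumptions made for the example, and this is not the real WebAuthn API.

```javascript
// Simplified model of a passkey login (illustrative; not the WebAuthn API).
const crypto = require("crypto");
// Each signature covers the site name plus that site's one-time challenge.
const payload = (site, challenge) => Buffer.concat([Buffer.from(site), challenge]);

// The user's device: one private key per website, never sent anywhere.
class Device {
  constructor() { this.keys = new Map(); }
  register(site) { // new key pair per site; only the public half leaves the device
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
    this.keys.set(site, privateKey);
    return publicKey.export({ type: "spki", format: "pem" });
  }
  sign(site, challenge) { // on a real device a fingerprint, face scan or PIN gates this
    const key = this.keys.get(site);
    return key ? crypto.sign(null, payload(site, challenge), key) : null;
  }
}

// The website: stores public keys only and issues a fresh challenge per login.
class Website {
  constructor(name) { this.name = name; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, pem) { this.publicKeys.set(user, pem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // single use, so a captured response cannot be replayed
    const pem = this.publicKeys.get(user);
    if (!challenge || !pem || !signature) return false;
    return crypto.verify(null, payload(this.name, challenge), pem, signature);
  }
}

function demo() { // constructed sample: one phone, two sites, user "alice"
  const phone = new Device();
  const bank = new Website("bank.example"), shop = new Website("shop.example");
  bank.enroll("alice", phone.register("bank.example"));
  shop.enroll("alice", phone.register("shop.example"));
  const first = bank.newChallenge("alice");
  const signature = phone.sign("bank.example", first);
  const login = bank.verify("alice", signature);
  bank.newChallenge("alice");
  const replay = bank.verify("alice", signature); // old response, new challenge
  const crossSite = bank.verify("alice", phone.sign("shop.example", bank.newChallenge("alice")));
  return { login, replay, crossSite, lookalike: phone.sign("bank-login.example", first) };
}
```

Calling `demo()` shows the genuine login succeeding while a replayed response and a response made with another site's key are both rejected, and the device has nothing to sign with for a look-alike site name.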
Upgrade your security questions
Many websites offer backup security questions to protect user accounts. This is another area where password managers can come in handy.
When setting up those questions and answers for the first time, consider using your password manager to generate nonsense answers that don’t involve sharing your personal biographical information.
Then, when your bank or other provider prompts you to supply the correct response, refer to your password manager.
It’s a simple yet powerful way to throw bad actors off the trail who may be inclined to try providing your mother’s real maiden name.