If You Know All Your Passwords…

If you know all your passwords, your cybersecurity can be breached. Why? Anything that’s easy for you to remember follows a logical pattern that AI is getting better at picking up. A strong password has no logic. You must have a password manager, and you must let it generate a password for each online account.

You all know the drill by now. A strong password combines upper and lower case letters, numbers, and special characters in strings that generally are 12 to 16 characters long. We won’t say it’s impossible for a human being to create and remember 100 or more strong passwords. But it’s highly unlikely.

The best part of a password manager is that you only need to remember one strong master password. The downside is that if you lose or forget the password, you may not be able to access the app, or you’ll need to jump through a lot of hoops to gain access.

AI is making passwords weaker and weaker. Remember that at its core, AI is massive computing power. Anyone who tries to crack passwords can run an untold number of guesses for as long as it takes to crack a code, or until they give up – for the moment. If your password is built from publicly available personal information and/or follows a pattern, the hacker’s computer will eventually guess it. The computer-generated password from a password manager doesn’t use any of that information, and it follows no pattern a cracking tool can exploit.

In addition to giving you a strong password, a password manager does away with any need to reuse a password. There’s a tendency to reuse a password because you can remember it, especially if you fear it may be difficult to access the password manager. This can be true on a smartphone, where you can only view one screen at a time. However, you can copy a password from your password manager app and paste it into your smartphone’s browser.

As you all know, reusing passwords poses a significant risk if a password is cracked at one site. Again, using AI, the hacker can quickly apply the password to every website they know you access, and chances are good that they’ll get a hit and get in.

Just about any top-rated password manager works across all platforms and should give you the option to choose a family/friends subscription for personal use or a corporate subscription. It should be mandatory for everyone in your family and for all employees using corporate online accounts to have and – more importantly – use the password manager.

We can help you select a password manager that meets your needs and make sure that everyone in the program is properly set up. We can also make sure that everyone knows how to download their passwords and make a hard copy, which protects everyone if they lose or forget their password or if you want to change password managers. Call us – 973-433-6676 – or email us for an appointment.

It’s Time to be Authentic

Getting a text (SMS) code to verify your access to a website is becoming increasingly vulnerable because of SIM swapping. It’s essentially a way for a hacker to “borrow” your mobile phone number without you ever knowing it – until you suffer the consequences. It’s time to use a better authentication method.

One of our clients was victimized by SIM swapping. We suspected a problem when none of their cellular devices worked. They used a family member’s phone to call us about the problem. We told them to get to the Apple Store immediately to buy new devices and bring them directly to us – without opening any boxes. Using special tools, we were able to set up all their devices securely, but the damage had been done.

How does SIM swapping work? It requires a fraudster to convince a mobile carrier to transfer your phone number to a SIM card they control. With your phone number, the attacker can intercept one-time passcodes and two-factor authentication (2FA) codes sent via text message, allowing them to gain access to bank accounts, which they can quickly drain, and social media and other sensitive online services.

The SIM swappers usually get your information through phishing expeditions, which are designed to trick you into revealing details like birthdates, full names, and addresses. Then, they pretend to be the account holder and claim their SIM card is lost or damaged, and they request to have your number “ported” to a new SIM card, which they have in their phone. Conceivably, they can access your bank account if your 2FA is a text message, clean you out, and wipe the SIM from their phone. You’ll only notice it when your phone doesn’t work – at which point you’ll contact your carrier, who will issue you a new SIM card.

You can prevent SIM swapping by not using SMS or text as an authentication method. Our recommendation is to use an authenticator app, such as Microsoft Authenticator or Google Authenticator. If you are signing into a website from your computer, the code appears in the authenticator app on your phone, and you enter that code on your computer.

This is one area where we strongly urge you to avoid shortcuts. There are a lot of authenticator apps available, but Microsoft and Google have a lot at stake in your security. Both have huge customer bases and publish a lot of apps.

An alternative to an authenticator app is a biometric, such as facial recognition (iPhones and other Apple devices) or a thumbprint (Android phones). As with an authenticator app, these measures are device-specific.

We can help you set up both an authenticator app and biometric authentication to replace an SMS message. Call us – 973-433-6676 – or email us to talk about it.

Not All Cloud Storage is a Backup

We tend to use the terms data storage and data backup interchangeably. That can be a costly mistake.

Cloud storage is all about easy access to files. It’s not only your access, but also collaborative access that allows teams of people to work on projects together without the need to email various versions. Cloud storage services such as Microsoft OneDrive, Google Drive, and Dropbox allow team members to be online at the same time and see changes to files in real time. They also allow a single user to access files from anywhere in the world with an internet connection.

Stored files typically are not encrypted or protected with any special technology, and that makes them vulnerable to theft and ransomware attacks. If just one team member has lax security, such as an easily cracked password or the use of an unsecured public network, all those stored files are exposed. Further, it could open someone up to SIM swapping.

How should you store your data? We like Microsoft’s Conditional Access, an access management solution that enforces security policies by bringing together real-time signals from users, devices, locations, and applications to block, allow, or require additional verification steps to access resources.

It works on a granular level. For example, you can limit the countries from which someone can log into your system. You can also restrict access to specific IP addresses. Steps like these can provide extremely useful insurance against worldwide hacker organizations that take advantage of local weaknesses in our global networks.

Installing and configuring the right access limits for your needs is not something you should attempt by yourself. There are myriad variables to the conditions that limit access, and if you make a mistake, you could lock out access to people who need it. If that happens, you’ll need an IT professional to undo the problems and reconfigure your system.

How should you back up your data? The short answer is to use specific backup technology. It makes a copy of the files in storage and then encrypts the copies for protection. In the event of a cyberattack, a system outage, or some other disaster, the encrypted copies are used to restore the files to your system.

We can help you set up and configure both Microsoft Conditional Access and a backup program to keep you safely up and running. We can also provide the training needed to maintain both systems. Call us – 973-433-6676 – or email us to set up an appointment to design a coordinated plan that best meets your needs.