Email Demands Two-Way Vigilance

Hackers are not always the brightest bulbs in the box. Their success depends more on you making mistakes than almost anything else. When they hack or spoof an email account, you’re dependent on your friends and associates to tip you off. Then, it’s up to you to resolve the problem as soon as you can. Here’s how our client handled their issue and how we handled one of our own.

Our client’s hack of their Comcast email started off simply enough. Hackers got their address book and sent an email to everyone asking if they used Amazon. That’s a normal start to a scam. Our client and spouse got tipped off when both got text messages from recipients – and the spouse got emails – suggesting that one of their email accounts might have been hacked.

Both of them were out of the house when they got word of the problem, but one of them was able to get home and start looking into the problem. The first thing they did was to change the password and the secondary email address used for notifications from Comcast. They also set up two-factor authentication (2FA) to the client’s cell phone number and changed the password again.

Those were two good steps to take, but there were two more surprises. First, they discovered that the hackers had set up an email address that they tied to the Comcast account. Our clients checked through all their accounts but didn’t see an email address that corresponded to the one set up by the hackers. They thought they were in the clear, but they hadn’t found the second surprise.

Later in the day, the client noticed they hadn’t been getting any emails on their Comcast account. They could send messages. Suspecting that a forwarding rule had been inserted by the hackers, they contacted Xfinity by telephone and after a few branches on the phone tree, they were able to speak to a security specialist. After an exhaustive security check, the specialist was able to remove the forwarding rule, securing the account.

They were fortunate that no emails involved responding to financial or healthcare websites. Had that happened, they could have been compromised. They did the right thing by changing the password, setting up 2FA, resetting the secondary email address and changing the password a second time. Those are things you can do immediately. They should have contacted Xfinity immediately after to see about any other changes and had them resolved right then and there.

Those are steps you can take if your email is hacked.

Our hack involved our QuickBooks address, and it’s typical of the problems small businesses can face. I noticed an email that looked like junk mail, so I didn’t pay much attention to it. But soon after, I took a closer look because the email address was sales@sterlingrose.com. It still didn’t seem that urgent, but it began to bother me.

So, I called QuickBooks (remember, we always urge people to pick up the phone if a problem seems bad enough) and explained what was going on. We have a merchant account. They said that hackers had set up an invalid account using the bogus email and an invalid tax ID number. It was a bare, basic account, but it was enough to raise a white-risk flag at QuickBooks. Our phone call put it on their radar screen.

This story should be on your radar screen, too. As small businesses – and even as consumers – we constantly get emails that we’ve been “approved” for something or other. We also get a lot of fake invoices that look like they’re coming from companies we do business with.

We need to be on guard against these. It’s easy to impersonate a business, and if the recipient isn’t careful, they might make a real payment to a real bank account that’s not tied to the legitimate vendor account they thought it was. As a business owner, we likely have no responsibilities or liabilities to the company or person that paid the fake invoice. HOWEVER, this is not a discussion I want to have with anybody.

At the end of the day, small businesses remain a huge target for hackers and cyber thieves. We need to depend on our own vigilance and the help of people we do business with to monitor anything that seems out of the ordinary and let someone know. I want you to let me know you got something odd from me – just like our client was tipped off about the bogus email. Any of these breaches can have serious consequences.

If you’ve been hacked in some way, take immediate steps to secure your accounts, including multiple password changes built around other security measures that you can take. Then, you can call us – 973-433-6676 – to let us know about the breach. We can help you investigate if any further damage was done and help mitigate the consequences as best as possible. If you have security questions, you can call or email us to discuss them.

No-Fear Password Management

Many people are scared off from installing and using a password manager because they fear making a mistake somewhere and forever losing access to websites that are linked to their well-being. The password manager companies don’t help because they use too much jargon and dance around the issues that concern customers.

One of our clients decided to take the plunge, making sure we were in the water with them until they were confident they could swim safely.

The two password issues they wanted to solve were: 1.) they needed to remember or have written access to more than 100 website accounts, and 2.) they were concerned they were reusing too many passwords or combinations of passwords for expediency (or convenience). All the descriptions from password manager sales sites claimed they were easy to use, but our client never felt comfortable with how the steps to set up and use the manager would give them easy, secure access.

In this case, we helped them set up Dashlane, which they are keeping after a 30-day trial. The process involved creating an account with Dashlane and using Microsoft Authenticator to make sure all the information they were adding would be secure. For this client, it involved using the computer to create the account and the Authenticator app on the cell phone. It also involved setting up the Dashlane extension through their web browser. On a computer, Dashlane installs as an extension of your web browser, and you can activate it at any time by clicking its icon. They installed the Dashlane app on their cell phone, where it essentially self-activates when you start the login for a website.

The first part of the setup involved creating the master password to reach their own “vault,” which is the general term for the place where you store your username and password for each site you visit. Our client created one that had upper- and lower-case letters as well as numbers and special characters. It was special enough to remember and not too laborious to type on a keyboard or mobile device. They were also prompted to create a PIN that will be used as part of an access-recovery process if it’s ever needed. They wrote the info on a piece of paper and put it in a safe place.

The rest of the setup was straightforward. We advised our client to enable Dashlane to control the storage of usernames and passwords and to disable websites, Google, Microsoft and others from storing that info. It makes Dashlane more efficient. You can save “Remember Me” information.

One other setup item that’s vital to look at is your Password Health Score. You can access it from the menu along the left side of your Dashlane screen; it has a heart rate monitor icon. It will tell you where you are reusing passwords and how many of your sites have the same password. The idea is to get to a score of 100, but you may have reasons to use the same word from some sites, such as shared sites for video streaming. You can change them during setup to use Dashlane-generated passwords, or you can change them later. Our client opted to change them later – after all their sites were put into Dashlane.

One thing our client found early on is that Dashlane-generated passwords are not accepted at all sites. It wasn’t a problem. Dashlane allows you to see the entire generated password, and you have the option to add a character. Most times, that’s all that’s needed.

The tedious part of installing Dashlane is to log in to every website you visit and allow Dashlane to save your username and password. Make sure you’re signed into Dashlane when you log into the site. Our client found it best to make sure their current saved password was working before responding to Dashlane’s request to save the login credentials. While it’s a simple process, they noted that you have to make sure Dashlane saves the email address or username you use for the website you’re saving. By default, Dashlane uses the email address you tied to Dashlane. Your login info will automatically be saved to any other devices you’re using with Dashlane.

As with all password managers, Dashlane allows you to download your login info for each website you have in its system. It’s a good idea to keep the list up to date and stored in a safe place. If you decide to stop using any password manager, you’ll need that list to reenter all your passwords manually. If you change password managers, be sure to take advantage of any capability to transfer your credentials. If not, you’ll have to renter everything.

Dashlane and most password managers have free versions, but they are limited to one device and a specific number of websites. Paid versions typically allow you to store login credentials for a virtually unlimited number of sites across multiple devices – and they have family plans or group plans for multiple users.

Whichever password manager you choose, you’ll upgrade your online security significantly. Call us – 973-433-6676 – or email us to learn more or have us walk you through the initial setup steps.

Living with 2FA

Two-factor authentication has become a necessary part of life for access to critical websites, such as those that deal with your banking and your health. For those of us who are getting older or have parents who are getting older, access to some of those websites could be a life-and-death matter in extreme cases. You may have access to an account or have given someone access to it. But the 2FA is likely still tied to a cell phone, presenting an authentication issue. Workarounds are not easy.

Increasingly, 2FA is a requirement, not an option. If you opt not to use 2FA, you run a security risk. If 2FA is required, many people choose to have a code sent to their cell phone as a text message. The idea behind that is that the user has the device in their hand and is the only one who can see the code. It’s a safe choice. (OK, there’s a chance that someone might be able to intercept the text or that you might be in a kidnap situation. For most of us, the probability is practically nil.)

Fortunately, a cell phone number is not the only method of authentication. Most sites that require 2FA ask you to have an email address on file, too, and you can have that code sent there. If you or someone acting on your behalf has access to that email account, it’s easy to get the code and complete the authentication step.

Those are the easy situations.

Unfortunately, we’re asked to help reactivating and accessing old email addresses and old financial websites. The reasons are varied; helping an elderly parent or spouse or family member is most common. Sometimes, you need access because someone has died. Sometimes, you need access to close up accounts that you forgot about and are no longer using. We find the biggest culprits there are when you open an account somewhere to take advantage of free stuff. You use it for a single transaction and forget about it. Then, all of a sudden, you run into trouble because somebody got into your long-forgotten account. Remember, there’s no such thing as free stuff.

The obvious step to prevent all such problems, of course, is to write down all the login info for all accounts you need for yourself or someone else – even those godforsaken freebies. Equally obvious, close all online accounts or email addresses that you no longer use.

If we need to gain access, it’s a tedious and risky process. We can try to follow all sorts of breadcrumbs from old texts and emails (“to” and “from” addresses, subject lines, dates) to see if there are clues to an access point. We need to be careful at every step along the way because just like in a computer game, one mistake can knock you out. Microsoft, for example, has an automated system that monitors access tries. When the system sees something it doesn’t like, it rejects any future tries. There’s no human intervention involved.

Sometimes, we can help our clients reset a Gmail password; sometimes we can’t.

The key to all this electronic poking around is that you need to know where the pitfalls are in each site’s process for resetting a password. Making the wrong move can strengthen the lockdown. You need to know when you’re jeopardizing the entire reset process.

If you need to deal with resetting login credentials, give us a call – 973-433-6676 – or email us to discuss the problem, process and risks. We want you to be able to make an informed decision on how we can help.

Old Security Habits Never Die; They Should

We still seem to see the same bad security habits we’ve always seen. Now, they involve PINs as well as passwords. Here are some bad habits you need to break.

The first bad habit has to do with keeping track of passwords and PINs (Personal Identification Numbers). We’ve discussed passwords ad nauseam, and the problems we find with them are they’re either forgotten, left in places where anyone can see them, used repeatedly, or made so simple that they’re easy to crack.

If you habitually run across any of these problems, you need to seriously think about how you can make your password system stronger. Some of the suggestions we’ve offered include making your passwords long and using a system that lets you vary one or two keystrokes or a word or phrase to keep them different. The system helps you remember your passwords – or at least the ones you use the most or ones you need while away from your computer. In creating your passwords, you’re better off using a longer password instead of a shorter complex one. Longer passwords make it more difficult for hacking software to figure it out.

A related issue is those security questions. Don’t give real answers that involve information in public records. Somebody can easily see where you’ve lived, where you went to school, etc. They can probably find out what your first car was.

PINs are meant to solve most of the issues, but they can run into that “forgetful” problem, too. An additional problem with PINs is that when you change devices, you need to reset the PIN. Again, that can be a real problem if you don’t remember the PIN you used.

Some people use their browser or a feature on their phones to save passwords. The danger there is that those passwords can be easily stolen, especially if you happen to visit a “phishing website,” one that has the look and feel of a legitimate website. When we feel rushed or stressed about things going on in life, we’re more susceptible to clicking one of those links or making a typing mistake. The owners of “phishing websites” typically have website domains related to common typing mistakes – although some companies have those sites, too, to make sure you can reach them. The old habit to break here is to take a deep breath when you’re online to make sure click on a legitimate link or type a domain name correctly.

Rather than use a browser or phone password saver, we recommend you a password manager. Dashlane and Last Pass are two that are well known, but using any manager gives you stronger protection. You’ll need to set aside time to get your password manager properly configured and to enter all the passwords you want to protect. The process includes setting up a master password that gives you access to the electronic vault where all your passwords are stored. The key to success is never, ever forgetting that password or giving it to anyone except one or two trusted people.

Credit card numbers can be hacked, too. A couple of our clients had their numbers stolen, and although they changed passwords, they still wondered what else might be broken in their system.

We can help you with security breaches. We take the time to look closely at your system to see how each change you might make – changing passwords or adding a password manager – will affect you. Our analogy here is to the new kitchen that we’re getting. As we change the room and add things like electrical outlets or lighting fixtures, we have to open holes in our walls and ceiling, and we don’t know what’s there until we get them open. It’s the same with your tech system. Without looking at everything, we can’t tell how one change will affect your system.

Call us – 973-433-6676 – or email us to discuss your needs and do the appropriate patching, including installing and configuring a password manager.

The Great Credit Card Conundrum

We rely on credit cards and other cashless forms of payment as business owners and consumers. As a result, we roll points, cash-back schemes and fee schedules into decisions about what we use and what we accept. We have our thoughts, but what are yours?

Here are ours.

We’re seeing more fees as a business and as a consumer. As a business, we can absorb fees on small amounts, but for large amounts, the fees are too large. In one recent month, we collected $4,300 in credit card sales and paid almost $67 in fees. We realize there’s a convenience factor that makes sense for us to pay the fees. We don’t have to spend time (which has a cost) to stamp checks and then use a mobile banking app to deposit each check. We can take the stamped checks to the bank, but that’s travel time. If you have a business, what role do fees play in your decision about whether to take a credit card?

Of course, if you have a business with walk-in traffic, you can get a break on fees. But that only works up to a point. For example, if you buy a car for $35,000, it would be nice to pay with your credit card and earn points or cash back. But if you’re the car dealer, you’ll absorb fees in the neighborhood of $1,000. Neither party in that deal benefits; only the bank benefits. How do you navigate this as a consumer or business?

Many nonprofits ask you to absorb the fee when you make a donation. Do you check the box to pay the fee?

In your business, do you prefer an alternative to credit cards, such as an ACH or a check? One benefit of taking a credit card is that can streamline your accounting system.

As a consumer, do you sometimes balk at putting your credit card number on the internet when you buy online or over the phone? If you’re afraid of having your credit card info exposed to hacking by entering your card on a website or giving it out by phone, you should know that a transaction in a store or office involves using the internet, and someone in that chain can be hacked.

You should also know that anyone who takes your credit card number by phone is NOT allowed to write down the full card number. They should be entering it on another website that will display only your last four numbers once it’s verified.

We are seeing one advance in using credit cards – or their numbers – in restaurants. We’ve never liked the fact that servers take your card to a location you can’t see to enter your card info. That disappearing act is the most serious threat to your card’s security. Having your server process your card at your table is better, but then your server is standing over you while you decide on the tip. That’s uncomfortable.

A better solution involves the use of your phone. When your server presents your bill electronically, there’s also a QR code you can scan. That puts it all on your phone. If you are set up to pay through your phone, you can add the tip and pay the bill without ever pulling out your physical wallet.

As we move farther into a cashless society, we can help you – as a business or consumer – to set up your technology to be more efficient and secure. And we can answer any questions you may have about how to use what you already have. Give us a call – 973-433-6676 – or email us.