Upgrade for Security

Should you upgrade to Windows 11 and get a new computer? Microsoft and an increasingly aggressive, more sophisticated hacking environment are calling the question. For a number of reasons, our answer is a resounding “yes.”

We’ve discussed this before, but we have an increased sense of urgency about upgrading technology to improve your security. Microsoft reports that in 2015, they were detecting around 115 password attacks per second. In 2024, that number has surged 3,378% to more than 4,000 password attacks per second. We need stronger, more comprehensive security approaches than ever before, and we need them across all devices and technologies we use in our lives, both at home and at work.

Microsoft and its hardware partners developed an array of software solutions to harden your security. These solutions rely on brute power to process massive amounts of security protocols and tools to keep out bad actors. Many of these tools use artificial intelligence (AI) to find and implement security measures that require nimble, changing movements, much like you find if you’re a gamer. They also power increasingly sophisticated passkeys (such as facial recognition or other biometrics) or two-factor authentication (2FA).

Windows 11 has the software tools, but they’re either useless or toothless without the hardware to power them. To install or upgrade to Windows 11, devices must meet the following minimum hardware requirements:

  • Processor: 1 gigahertz (GHz) or faster with two or more cores on a compatible 64-bit processor or system on a chip (SoC).
  • Memory: 4 gigabytes (GB) or greater.
  • Storage: 64 GB or greater available disk space.
  • Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver.
  • System firmware: UEFI, Secure Boot capable.
  • TPM: Trusted Platform Module (TPM) version 2.0.
  • Display: High definition (720p) display, 9″ or greater monitor, 8 bits per color channel.
  • Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features. Windows 11 Home Edition also requires a Microsoft Account to complete device setup on first use.

These are the minimum requirements, and they can change at any time.

Is your computer compatible? If it’s more than three years old, it’s unlikely. Three years has become the lifespan for many machines because the technology changes so quickly and extensively. We recently replaced the personal computers in our family so that we could all take advantage of new computer capabilities. For personal computers, it will be a crapshoot as to how much longer you can safely go online.

For businesses, it can be to your advantage to upgrade your computers before the end of the year – though your tax advisors can give you more precise information. We can only tell you that you need to balance the cost of a new computer against the possible costs of a security breach.

We can help you in several ways.

  • We can evaluate your hardware, especially if you are still running Windows 10, and help you determine if new hardware will be cost-effective for running Windows 11.
  • We can help you select and buy computers and other systems that fit your budgets, and business needs as best as possible.
  • We can configure your new computers and systems to make sure you have the best balance of security and performance.

Call us – 973-433-6676 – or email us for an appointment.

Hacked SSNs: What, Me Worry?

With apologies to Alfred E. Neuman, yes, you should worry. But you don’t need to panic, especially if you have Windows 11, a computer with a later-generation chipset and a lot of common sense.

New reports say the hacking group USDoD claimed it had allegedly stolen personal records of 2.9 billion people from National Public Data, according to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, FL. The breach was believed to have happened in or around April, according to the lawsuit. A class-action law firm said the stolen file includes 277.1 gigabytes of data and includes names, address histories, relatives, and Social Security numbers dating back at least three decades. A post from a cybersecurity expert on X claims the records for citizens of the U.S., U.K., and Canada were sold on the dark web for $3.5 million.

Yes, that’s scary. But it’s not as dire as you think. Security breaches happen all the time because thieves find vulnerabilities in large systems and exploit them. Some thieves steal simply because they can. If they don’t try to use stolen information, you don’t have a problem. But if they do try to use stolen data, they need to know how to defeat whatever aggressive defenses exist at, say, a bank. Often, they fail.

They may try to sell the data, but if there’s no market, the stolen information languishes. If they do sell it, the data might turn out to be outdated. Finally, the buyers may be state actors. If you’re not a likely target of blackmail or in possession of interesting secrets, they may have the goods on you but not want to use them.

All you can do is harden your defenses as best you can.

Set up two-factor authentication for every online account that offers it, or use an authentication app, such as Microsoft Authenticator to secure your online accounts. If thieves haven’t intercepted your email, text messages, or phone, it’s going to be hard for them to break in.

Sign up for account alerts. Depending on your bank or card company, you can set them up for many things, including any charge outside your home country, any (or all) ATM withdrawals, or transactions over a certain amount.

If you get an alert you didn’t expect — or even one you did — don’t click links or call phone numbers in the alert. Instead, log into the account in question and find a contact number there. That will keep thieves from redirecting you to their own operations.

We can answer questions about 2FA, and we can help you set up Microsoft Authenticator. A proper set-up will prevent problems down the line. Call us – 973-433-6676 – or email us for an appointment.

Bring on the Passkeys

Passwords are porous, and so are some forms of two-factor authentication (2FA), such as those numeric codes sent to your phone or email to verify your identity. Known as one-time passwords (OTPs), they’re relatively safe, but hackers are getting better at breaching that defense. Passkeys are coming into their own as a stronger cybersecurity tool.

OTPs are typically provided in a text message, which is vulnerable to attacks in several ways. A hacker who intercepts the text to your phone might not get the password directly, but they could launch a smishing attack (it’s like an email phishing attack) and wait for you to make a mistake (responding to the text) to get into your account. More sophisticated hackers engage in SIM swapping or a more effective means of message interception to take over your phone and account. With those latter two forms of intrusion, it may take a while for you to discover the hack. Even if it’s less than an hour, it could be too late.

Risky as they are, OTPs by text are likely to remain in use for a while. Some companies are reluctant to change because they fear it will cost them customers who are not tech-savvy enough to adapt to more sophisticated verification tools. Most of you can reduce the risk somewhat by using a password manager. Reputable providers keep your master password secure – sometimes allowing you to bypass using it (as you’ll read shortly) – and add a strong layer of protection by generating long, complex passwords that are hard to crack.

As a smartphone and password manager user, you’re likely to be using a passkey already. For iPhone users, it’s facial recognition. For Android users, it’s a fingerprint. These and other passkeys work in the background to assemble a mathematical puzzle. The numbers are always changing, and they are not tied to anything that’s unique to you as a person. It doesn’t care about your mother’s maiden name or your first-grade teacher.

Most password managers use biometrics to authenticate you and your device, and you don’t need to be a tech wizard to set up and use it. For facial recognition, you just need to let the authentication app see several views of your face. For fingerprints, you just need to roll a finger over a sensor. In most cases, when using your smartphone, tapping on the app for a website automatically starts the authentication sequence.

Authenticator apps such as Microsoft Authenticator and Google Authenticator can work with website visits from a computer or mobile device. We like to set up our Microsoft OneDrive clients using Microsoft Authenticator to access files securely from any device from any internet connection.

For mobile devices, you can use a mobile app push for even more security. It works with mobile apps on your phone. When you log in to a website, you get a notification in the corresponding app on your phone that prompts you to verify your identity through that notification. This verification method is independent of the device you are logging in on and better than SMS or authenticator OTPs. However, you still need to pay attention. A hacker could repeatedly try to log in to your account using a stolen password, and you would get multiple messages on your phone to verify. If you click to verify, you could give the hacker account access.

We can help you move to a stronger authentication process. Call us – 973-433-6676 – or email us to see what authentication could work best for you. We can help you install and configure the necessary software and get you started on using it.

Passkeys Not There…Yet

Passkeys hold a lot of promise in eliminating passwords. They rely on an electronic handshake to allow your device to access a secure website, and many password managers claim to link to passkeys. They’re getting there, but they’re not there yet.

A major hurdle right now is that not all websites recognize the passkeys from password managers. Sometimes, recognition depends on the device. Since most of us have fairly new cell phones, our phones usually have the ability to work with facial recognition, which is a form of a passkey. Older devices may not have the ability to work with this type of technology.

We suspect the move to newer computers – especially as Microsoft ends support for Windows 11 – and the need for better security will speed the drive to make more devices capable of using passkeys.

Why are passkeys secure? They eliminate the need to enter usernames and passwords, both of which are stored on the website you’re trying to access. We know the problems with usernames and passwords: they can be stolen by hackers from the website or your device, they can be forgotten, and we can make them less effective by using simple passwords multiple times so we don’t forget them.

Passkey information is stored on the website and in your device. They are not the same info; they rely on the handshake – sort of like two spies who each know what they need to hear in a phrase. On your device, the most common passkey information is a biometric (facial recognition or fingerprint) or a PIN (personal identification number). Because they are device specific, the system relies on you having your device when you log into the website.

When you combine a passkey with some form of 2FA (two factor authentication), you’re using an access method that has proven reliably secure up to now. Many of the leading password manager programs, such as Dashlane, 1 Password and Bitwarden, can create and store passkeys for you, and both Apple and Android can store their passkeys locally and access them using the keychain app on mobile devices.

Even if you can’t use the passkey with your password manager, you’re still ahead. Remember, with a password manager, you only need to remember a single master password. You can let the password manager generate a long, complex password for each website. That password should be immune from guesses based on any of your personal information.

More websites, too, are using passkeys instead of the username/password duo. As the websites use them more, you will have easier access to more websites, but that comes with a caution. The websites will need to tighten their security, too, to prevent more sophisticated hijackers from getting info from their sites. One of their hacks is to hijack cookies. You can help prevent that by not clicking on “Accept” when the cookie dialog box pops up. Instead, navigate to the “Cookies” or “User Data” sections and choose the shortest available session duration. That way your cookies will expire automatically or whenever you close your browser window.

To expand the conversation about the internet and security, you can apply the same security measures to any device in your office or home that uses the internet or a Wi-Fi network. Printer manufacturers such as HP have created anti-hacking steps, such as entering a PIN, to gain access to the information stored in a printer.

We can help you install and configure password managers and set up effective passkeys and other security measures. Call us – 973-433-6676 – or email us to talk about it.

Living and Growing with Technology

We have kids and grandkids who have never known life without wireless technology, and now we’re moving on to AI. Whether you’re a business or a family with an array of technology comfort zones, there’s an array of paths you can follow to help you keep it all together.

I believe one of our biggest dangers with technology is online shopping. Did you see who had the most ads? According to my observations, it was Temu, the Chinese shopping site. What’s the red flag? There are two: 1.) data collection and 2.) legal recourse.

With every purchase you make, Temu collects a tremendous amount of personal data, including, of course, the credit card number you use to buy stuff. AI, which is really the use of superfast computers that can digest and regurgitate massive amounts of data, makes it possible to analyze every aspect of your shopping preferences. Even if you guard the privacy of your data persistently and diligently, some well-programmed AI can find out things you never knew about you. Conceivably, it helps Temu and similar websites present you with product choices and price points that will generate a purchase.

And because Temu is based in China, it operates under Chinese law, not US law. Not only will you not have the same legal recourse in China to protect you from financial loss, you likely won’t have the same regulatory protection about what data is collected and how it’s protected.

Another convenience we like is setting up automatic payments for products or services that are linked to our credit card or bank account. It’s a convenience for consumers and providers, and you can sometimes get a discount for automatic payments.

I dread the day my payment info gets hacked, and there’s no convenience factor that makes it worth the risk of being hacked. If you agree, there are two critical steps you can take to minimize your risk: 1.) Reset your login credentials for your financial accounts and the sites that draw automatic payments. 2.) Set up two-factor authentication (2FA) for every website account that offers it; biometrics and text messages to a device only you can access are best.

Biometrics can include facial recognition, and it offers the best combination of safety and convenience, especially for phones and tablets. Unless somebody has stolen your device and used your digital passcode to get into your settings and take a picture of themselves to reprogram your facial ID, only you can respond. Using a mobile device for a text is good because you should have the device in your possession for the authentication process. The use of authenticator apps such as Microsoft Authenticator or Google Authenticator is a good step.

Younger people typically take more easily to these new authentication methods, but those who are older or not entirely comfortable with technology should find them easy to use once they’re properly installed and configured.

Staying with the theme of age and technology, we have an elderly client who had some issues with a new computer. We tend to think older people are more comfortable with a computer, but we found the client preferred to have a second iPad. We associate iPad and iPhone use with younger people who can easily adapt to a different way of doing things with really quick thumbs. But there are keyboards for any mobile device, and those who use hearing aids can take advantage of Bluetooth with their devices.

The biggest challenge with using a tablet or phone in place of a computer is setting up ways to download, store, and use files with apps mostly associated with a computer. Multitasking is more difficult with a tablet or phone, but we can accommodate most needs for most people.

With tech playing such a large part of everyone’s business and personal lives, it makes sense to tailor the technology to the person rather than the other way around. If you or someone you know has special technology needs, call us – 973-433-6676 – or email to discuss ways to make technology work.

Manage Your Email to Avoid a Scam

As more businesses are bought and merged, it’s more important than ever to pay attention to email accounts for all the entities involved. We’re finding “sleeper agents” hiding in neglected accounts, and they’re waking up to bite hard.

In a recent case, a client bought a business a few years ago and set up a number of special email accounts to help manage the transition and keep tabs on things going forward. The only problem is that going forward, they did not monitor those emails – and the account – so they didn’t realize their system was compromised.

They did notice irregular financial dealings in a bank account, and they went to the bank to change the account and the associated online password. But the person who had infiltrated their system still had access to all the email notifications, rendering each system fix ineffective. It took some heart-to-heart conversations with our client to get to the root of the problem and then fix it.

We needed strong passwords on every online and email account they had, but with a mole inside the system, that wasn’t enough. There are two more steps you need to take to tighten your system.

The first step is to set up two-factor authentication (2FA) for every account. Yes, it is a pain to wait to complete a secondary step, but it works. We find a text connected to a cell phone is effective because whoever is accessing the account has the cell phone nearby, and you know the verification code is going to the right person. The chances of the text message being intercepted are extremely remote.

The second step is to manage your email more effectively – and that calls for more than just checking it frequently. Whether it’s at the office or home, many email accounts have – or can have – a secondary email associated with each account. Please don’t leave it blank. That’s the door a hacker uses to get in. When you change the password, go into the profile for the user and reset or start using the secondary email account. At the same time, reset the rules for managing each account. The hackers had email forwarded to an account they could monitor, which let them stay up to date on all the changes our client made.

For both online and email accounts, you need to check each user’s profile information regularly. That’s where we can help. We can check or tell you where to look to see if anyone has electronically “jimmied” open a window to your system and help you take more protective measures. As businesses and consumers, we depend more and more on electronic payment systems to pay our bills and have our invoices paid accurately and on a timely basis.

Call us – 973-433-6676 – or email us to talk about your concerns and to schedule an assessment and a remediation plan – if needed. It’s your money, and if a scammer gets it, you likely will never get it back.

New Device, Same You, New Problem

You’re still the same person you always were, but when you get a new device, you’re a different person as far as some login procedures are concerned. You need to get back to basics in setting up account access. It’s a more acute problem as we do more work outside the office.

We recently got a call from a client who had trouble logging into a work system through a VPN with two-factor authentication (2FA). Nobody had changed any of the login information, so it was all baffling until the client mentioned they had a new phone.

Another client called because they couldn’t get into their email. Again, they had a new phone.

These incidents highlight the good and the bad of multiple authentication steps. The good is that they’re based on the device being used to verify the right of the person to access an account. That means a hacker halfway around the world can’t use their computer to get in. The bad is that you have to take the time to reconfigure all your access info. (Hey, we’re really sorry for the inconvenience.)

Because both cases involved clients with new cell phones, we had to invalidate their old cell phones. We registered one client as a new user and registered a new cell phone number for the other. These are essential steps everyone needs to remember to take as you get new devices.

And because all the 2FA steps in common use are tied to devices, it’s a good idea to make sure your devices require some extra steps to unlock them. Many people use a four- or six-digit PIN, and more people are going to biometrics. While nothing is impossible, even if someone knows your online login info and has your device, they can’t access your accounts if they can’t unlock the device.

If you or your employees are getting new devices, we can help you make sure that they have access to email and online accounts and protect them from unauthorized users. The process isn’t difficult, but it does involve diligence to check all the boxes in the setup process. Call us – 973-433-6676 – or email us if you have questions or need help in going through the process.