I’m sure we’ve all been there. We’re talking on our phone and need to get into an app on another device while keeping the conversation going.
Continue readingLiving and Growing with Technology
We have kids and grandkids who have never known life without wireless technology, and now we’re moving on to AI. Whether you’re a business or a family with an array of technology comfort zones, there’s an array of paths you can follow to help you keep it all together.
I believe one of our biggest dangers with technology is online shopping. Did you see who had the most ads? According to my observations, it was Temu, the Chinese shopping site. What’s the red flag? There are two: 1.) data collection and 2.) legal recourse.
With every purchase you make, Temu collects a tremendous amount of personal data, including, of course, the credit card number you use to buy stuff. AI, which is really the use of superfast computers that can digest and regurgitate massive amounts of data, makes it possible to analyze every aspect of your shopping preferences. Even if you guard the privacy of your data persistently and diligently, some well-programmed AI can find out things you never knew about you. Conceivably, it helps Temu and similar websites present you with product choices and price points that will generate a purchase.
And because Temu is based in China, it operates under Chinese law, not US law. Not only will you not have the same legal recourse in China to protect you from financial loss, you likely won’t have the same regulatory protection about what data is collected and how it’s protected.
Another convenience we like is setting up automatic payments for products or services that are linked to our credit card or bank account. It’s a convenience for consumers and providers, and you can sometimes get a discount for automatic payments.
I dread the day my payment info gets hacked, and there’s no convenience factor that makes it worth the risk of being hacked. If you agree, there are two critical steps you can take to minimize your risk: 1.) Reset your login credentials for your financial accounts and the sites that draw automatic payments. 2.) Set up two-factor authentication (2FA) for every website account that offers it; biometrics and text messages to a device only you can access are best.
Biometrics can include facial recognition, and it offers the best combination of safety and convenience, especially for phones and tablets. Unless somebody has stolen your device and used your digital passcode to get into your settings and take a picture of themselves to reprogram your facial ID, only you can respond. Using a mobile device for a text is good because you should have the device in your possession for the authentication process. The use of authenticator apps such as Microsoft Authenticator or Google Authenticator is a good step.
Younger people typically take more easily to these new authentication methods, but those who are older or not entirely comfortable with technology should find them easy to use once they’re properly installed and configured.
Staying with the theme of age and technology, we have an elderly client who had some issues with a new computer. We tend to think older people are more comfortable with a computer, but we found the client preferred to have a second iPad. We associate iPad and iPhone use with younger people who can easily adapt to a different way of doing things with really quick thumbs. But there are keyboards for any mobile device, and those who use hearing aids can take advantage of Bluetooth with their devices.
The biggest challenge with using a tablet or phone in place of a computer is setting up ways to download, store, and use files with apps mostly associated with a computer. Multitasking is more difficult with a tablet or phone, but we can accommodate most needs for most people.
With tech playing such a large part of everyone’s business and personal lives, it makes sense to tailor the technology to the person rather than the other way around. If you or someone you know has special technology needs, call us – 973-433-6676 – or email to discuss ways to make technology work.
What’s the Point?
I was with a friend last month when he tried to change a reservation he had made using points from a Hilton account. He thought he had 2 million points.
Continue reading2FA Transitioning from SMS
The banking industry has just caught on to what internet security experts know: SMS –text messaging– is not the most secure way to control access to accounts.
Continue readingManage Your Email to Avoid a Scam
As more businesses are bought and merged, it’s more important than ever to pay attention to email accounts for all the entities involved. We’re finding “sleeper agents” hiding in neglected accounts, and they’re waking up to bite hard.
In a recent case, a client bought a business a few years ago and set up a number of special email accounts to help manage the transition and keep tabs on things going forward. The only problem is that going forward, they did not monitor those emails – and the account – so they didn’t realize their system was compromised.
They did notice irregular financial dealings in a bank account, and they went to the bank to change the account and the associated online password. But the person who had infiltrated their system still had access to all the email notifications, rendering each system fix ineffective. It took some heart-to-heart conversations with our client to get to the root of the problem and then fix it.
We needed strong passwords on every online and email account they had, but with a mole inside the system, that wasn’t enough. There are two more steps you need to take to tighten your system.
The first step is to set up two-factor authentication (2FA) for every account. Yes, it is a pain to wait to complete a secondary step, but it works. We find a text connected to a cell phone is effective because whoever is accessing the account has the cell phone nearby, and you know the verification code is going to the right person. The chances of the text message being intercepted are extremely remote.
The second step is to manage your email more effectively – and that calls for more than just checking it frequently. Whether it’s at the office or home, many email accounts have – or can have – a secondary email associated with each account. Please don’t leave it blank. That’s the door a hacker uses to get in. When you change the password, go into the profile for the user and reset or start using the secondary email account. At the same time, reset the rules for managing each account. The hackers had email forwarded to an account they could monitor, which let them stay up to date on all the changes our client made.
For both online and email accounts, you need to check each user’s profile information regularly. That’s where we can help. We can check or tell you where to look to see if anyone has electronically “jimmied” open a window to your system and help you take more protective measures. As businesses and consumers, we depend more and more on electronic payment systems to pay our bills and have our invoices paid accurately and on a timely basis.
Call us – 973-433-6676 – or email us to talk about your concerns and to schedule an assessment and a remediation plan – if needed. It’s your money, and if a scammer gets it, you likely will never get it back.
New Device, Same You, New Problem
You’re still the same person you always were, but when you get a new device, you’re a different person as far as some login procedures are concerned. You need to get back to basics in setting up account access. It’s a more acute problem as we do more work outside the office.
We recently got a call from a client who had trouble logging into a work system through a VPN with two-factor authentication (2FA). Nobody had changed any of the login information, so it was all baffling until the client mentioned they had a new phone.
Another client called because they couldn’t get into their email. Again, they had a new phone.
These incidents highlight the good and the bad of multiple authentication steps. The good is that they’re based on the device being used to verify the right of the person to access an account. That means a hacker halfway around the world can’t use their computer to get in. The bad is that you have to take the time to reconfigure all your access info. (Hey, we’re really sorry for the inconvenience.)
Because both cases involved clients with new cell phones, we had to invalidate their old cell phones. We registered one client as a new user and registered a new cell phone number for the other. These are essential steps everyone needs to remember to take as you get new devices.
And because all the 2FA steps in common use are tied to devices, it’s a good idea to make sure your devices require some extra steps to unlock them. Many people use a four- or six-digit PIN, and more people are going to biometrics. While nothing is impossible, even if someone knows your online login info and has your device, they can’t access your accounts if they can’t unlock the device.
If you or your employees are getting new devices, we can help you make sure that they have access to email and online accounts and protect them from unauthorized users. The process isn’t difficult, but it does involve diligence to check all the boxes in the setup process. Call us – 973-433-6676 – or email us if you have questions or need help in going through the process.
Security and Relationships
May 23 started out like a quiet day, but one phone call created a two-day scramble to quell a crisis. The solution included working around an unresponsive bank, rapidly deploying technology tools, and cashing in the benefits of good working relationships. It was the stuff of a thriller novel.
It had been a couple of very tough weeks. Your special agent/tech guy (me) was at the carwash when the cell phone rang. A client reported $140,000 was missing. It had been wired out of an account that day, and they couldn’t get anyone from their bank to respond to their phone calls.
“Hmm,” the special agent/tech guy thought, “$140,000 can cover the detailing work for several fleets of Corvettes,” but reality took hold. He couldn’t wait for them to clean his car’s interior. He jumped behind the wheel and headed for his client’s office.
With $140,000 missing and nobody at the bank picking up the phone, we found the police already involved in the case. We quickly realized there would be no telephone solution to the problem, and it took us until the early evening to solve this problem. The good news is that we were able to reverse the wire transfer all on our own after trying for hours to get phone support.
Here are the facts – just the facts, ma’am.
Obviously, our client’s system was hacked. It was a complicated case because it involved the email of an employee in the finance department who had just left the company. That’s one reason why the police were involved. There was no criminal activity, but there was a lot of sloppiness.
The hackers got into the former employee’s email account and saw that one password opened up a lot of doors in the company’s financial system. They reset the account’s password, created a new account that they could use to “approve” new transactions, and used it for the $140,000 wire transfer.
However, they made one mistake: They forgot to turn off forwarding in the account they hacked, and that’s how they were discovered. Our client had done the right thing by having the ex-employee’s email forwarded, and they created a special rule so that all the emails went into a separate folder. Several people monitored that folder periodically, and as soon as one of them saw the emails, the alarm went off. In most cases, this kind of wire fraud isn’t discovered for days, and the money is lost.
Our client was able to freeze their account immediately online, but they still had outstanding checks on that account. That matter also needed immediate attention.
So, the special agent/tech guy took advantage of a good relationship with another bank, which is also a client, first thing the next morning. He jumped in his car. The interior was still dirty. He drove to the bank, where he was able to help his other client open a new account and get checks they could print immediately to replace those outstanding in the frozen account.
But his work wasn’t done. The victimized client had resisted instituting multifactor authentication for all financial transactions. So, the rest of the day was spent instituting a two-factor authentication system and training everyone in its use.
We like to think the goodwill we’d built up with both clients helped one client get out of a hole and another gain a new customer. But it all could have been prevented with better passwords and an authentication system. Don’t wait for a disaster to strike. Call us – 973-433-6676 – or email us to discuss your online security and the steps we can take to improve it.
The 2FA Police
Microsoft is enforcing requirements for 2FA (two-factor authentication) for many of its apps. The good news is that it protects your data better. The bad news is that you must use authenticator codes and messages. It’s time to ensure everyone in your office (or family for home users) is up to speed on using authenticators and other 2FA measures.
Microsoft’s Authenticator App gets downloaded onto your iPhone or Android phone and helps to verify it’s you when you log in to an online account using two-step or two-factor verification. It uses a second step, such as a code sent to your phone, to make it harder for others to break into your account. Two-step verification helps you use your accounts more securely because passwords can be forgotten, stolen, or compromised.
One common way to use the Authenticator app is through 2FA, where one of the factors is your password. After you sign in using your username and password, you can either approve a notification or enter a provided verification code. Options include:
- Signing in by phone with a version of two-factor verification that lets you sign in without requiring a password. It uses your username and your mobile device with your fingerprint, face, or PIN.
- Using a code generator for any other accounts that support authenticator apps.
- Using it with any account that uses 2FA and supports the time-based one-time password (TOTP) standards.
Any organization can require using the Authenticator app to sign in and access its data and documents. Even if your username appears in the app, the account isn’t set up as a verification method until you complete the registration. The entire process can be done more efficiently with a mobile phone that can scan a QR code on a computer screen.
Remember that most authenticator apps still require a password in commercial use, and every user must know their password or risk being locked out. The consequences can be time-consuming and costly – if not fatal. Everyone should write their passwords on a piece of paper and store them in a safe place.
We had a case with a client who used a customized database that was never upgraded for 20 years. A former IT company did the last work on it. Nobody had the password to get into the account housing the database. They suggested calling the programmer, but the programmer had died. Nobody admitted to changing the password at any time. We spent a few hours trying to access the database to no avail. Finally, we called the former IT company, and they had a password for one file.
That was the password that worked, and we were able to perform the necessary work. But we can’t stop thinking about all the time – and money – that was wasted because nobody had a password.
In today’s world of hacking and cybercrime, it will become more and more challenging to try multiple passwords without severe consequences. It’s up to you to ensure that you and key employees have all your necessary passwords and 2FA to protect your data – and to insist that your employees have 2FA set up for their corporate login info.
We can help you ensure you have all the correct authentication and management systems. Call us – 973-433-6676 – or email us to discuss your needs and develop an action plan.
Work, Life and 2FA
We can’t urge anyone strongly enough to add 2FA (Two-Factor Authentication) to any online login process. But we sometimes run into problems when that second step involves sending an email to a personal account and the phone we’re using to log in is a work phone.
Continue readingIs LastPass’s Hack the Last Word?
In a word: hardly. LastPass getting breached seems like the equivalent of Fort Knox getting breached; it’s not supposed to happen. So far as we know, none of the gold, which represented the monetary value of US currency in circulation, was ever taken from Fort Knox. But password manager LastPass was breached, and data was taken.
The implications are stunning, to say the least. We’ve put our trust in password manager programs, and LastPass compounded the problem for its customers by being breached twice and not being as quick or transparent about it. From all reports, the latest breach occurred in late August when access was gained to parts of their developer environment through an individual compromised developer account. They said the intruder took some source code and proprietary technical information. In mid-September, they reported that the intruder was in their system for four days, but the incident did not involve any access to customer data or encrypted password vaults.
Just after Thanksgiving, LastPass reported that the knowledge gained from the first breach was used to breach the system again, and that the hacker gained access to certain elements of customer information. Just before Christmas, the hacker got customer account information such as names, billing addresses, email addresses, telephone numbers, and their encrypted vaults. They hastened to add the data was strongly encrypted and required decryption of the customer’s master password.
The bad news is that this was a series of breaches; not good. Over time, the attacker was able to target a separate employee to gain two critical pieces of information: access keys to a cloud environment and decryption keys for that cloud environment. This means the attacker was able to easily download copies of those vaults and the other customer data there.
Although each customer’s vault was encrypted, the vaults contained unencrypted information. The attacker likely downloaded all the available information from each and could the unencrypted info to try to crack the master password by brute force.
LastPass doesn’t have the best track record in the industry, and what happened there can happen to any password manager. But you can take steps to minimize the impact if it happens to your password manager.
We highly recommend that you activate two-factor authentication (2FA) for every web-based account you have. Some will give you the option to verify a specific computer, phone or tablet one time, while others will require verification every time you log in. Most systems work through text messages to cell phones because you’re most likely to have your phone with you. Some 2FA systems will send you an email with a code to enter or a link to click. They’re good if your email is secure.
So, make sure you secure your email accounts. Require 2FA – to your cell phone if possible – to access your email account from the web. List a secondary email address in case there’s a problem. It can be through another email provider, or it can be a person you trust.
2FA works with password managers, and it’s effective if the PW manager hasn’t been hacked. If the data is unencrypted, it could have been stolen (another good reason to set up 2FA for a text).
You can manage your password manager and enhance security by keeping it updated. You can change your master password at any time, and you can use the manager to change your passwords at any time. The programs offer random generation of passwords, and you can take advantage of that. It takes away any excuse you have for using the same password for multiple websites.
You can back up your password manager by downloading your website login info from the manager. Most people download the info to a .csv or .xls spreadsheet file. It’s a good idea to do this periodically and store a hard copy in a safe place. If you decide to change password managers, you can export your file to a new password manager. We suggest you create a new master password if you do that and then create new passwords for each account.
There are ways to download your password list with encryption, but they can be a little complicated. Call us – 973-433-6676 – or email us to set up a time for us to walk you through it. You can also contact us with any questions you have about password managers – selecting one or installing one.