Fools and Their Money: A Seasonal Shopping Guide

“A fool and his money are soon parted” is a saying often attributed to Thomas Tusser, an English poet and farmer, who first wrote a version of it in his 1573 book Five Hundreth Pointes of Good Husbandrie. If only he could have envisioned today’s internet. AI will test your ability this year to differentiate the fake from the real more than ever.

As we scour the internet for bargains, hard-to-find items, and the best possible shipping terms, charities are making their annual push for donations, including major online solicitation campaigns. Scammers of all sizes are also using all sorts of AI tools to get between you and the companies you want to buy from or donate to.

Succumbing to a scam doesn’t make you a fool; the scammers and their tools are really, really good. AI helps them create exceptionally good graphic and video deep fakes. It helps them replicate flawless logos and improve their grammar, spelling, and syntax, all of which used to be dead giveaways of a scam.

But it would be foolhardy not to raise your antennae and harden your common sense with renewed vigilance. The cardinal rule remains the same: If something looks too good to be true, something is likely wrong.

Let’s look at some things that should raise a red flag:

  • Links: Whether in an email or especially on a website popup, don’t click on a link from a person or entity you don’t know or can’t verify. It’s the quickest way to allow a bad actor to plant malicious code that can compromise your data and that of anyone in your contact list.
  • Emails from Businesses, Charities or People You Don’t Recognize: The sender’s name may look legitimate, but you can hover your mouse over the sender’s name and see the real email address. If you’re not sure about anything you see, you have two options:
    • Delete the email.
    • Open a new browser window and type in the name of the business or charity as you know it to be. You should be able to find a phone number to call to verify if it’s from a legitimate organization.
  • Unsolicited Text Messages: This is another form of phishing known as smishing. Treat them the same as an email.

Be careful of really good prices when shopping for all products and services. Prices that are too good to be true may be outright fraudulent or carry terms and conditions that are extremely unfavorable to you. Check closely to make sure a product or even an airline ticket or hotel room is not offered by a gray-market or third-party provider. Read the terms and conditions and look for authentic user reviews. Again, if something looks funny, it should raise a red flag.

No matter what you’re looking to do online, it’s more important than ever to use two-factor authentication (2FA) for all the websites you can. While a code sent to your computer or phone is better than nothing, more advanced forms of 2FA, such as authenticator apps or biometrics, rely more on information stored on a specific device, making them more secure.

If you think you may have been hacked, call us – 973-433-6676 – as soon as you possibly can to assess the breach and take steps to close up your security holes.

Secure Your Email

Security measures such as encryption and 2FA help make email communications more secure, but they have their own issues for many users and fall short in some ways. Use them wherever you can, but remember that nothing works better than common sense, especially when you click on links in an email.

The majority of breaches of computer systems through email are user-initiated. A user clicks on a link – usually because of carelessness – that results in giving up login credentials for a website or a technology system. Encryption is no protection against a user causing a breach.

Security holes in encrypted email include human error, such as failing to encrypt messages or falling for phishing attacks, reliance on imperfect encryption in transit where servers may not support it, vulnerabilities on the recipient’s device like malware or unsecured devices, and issues with key management, such as weak passwords or lost private keys.

Let’s focus on those last two points. Securely managing and distributing encryption keys is complex. If private keys are lost or stolen, recipients may be unable to access their encrypted messages, and attackers could use stolen keys to decrypt emails. Easily guessed passwords for email accounts can be compromised, allowing attackers to access encrypted emails on a device.

Attackers can also exploit complex email systems by compromising intermediary servers or utilizing features that weaken security. These can include URL redirects to bypass encryption and deliver malicious content.

Instead of adding complexity, it might be better for most organizations to reemphasize some proven basics. One of them is 2FA. As imperfect as it is, 2FA can utilize a device such as a cell phone, which should be in the hands of the user. Yes, it can be defeated, but that happens if a system has already been breached and the attacker has changed the phone number and/or email address of the user.

The other basic is common sense. Don’t click on a link in an email unless you are 10,000 percent certain it’s correct and legitimate. AI is making it harder to detect malicious links, so users must be more vigilant. Don’t be in a rush, especially if you’re juggling several tasks. The safest way to respond to an email with a link or phone number is to open a browser and go to the website of the company. You should be able to find a phone number and maybe a legitimate email address to contact.

We can help you with email security in two ways. One way is to conduct a security audit of your email system to find and patch holes. The other way to help you set up 2FA systems, including biometrics and authenticator apps. Call us – 973-433-6676 – or email us to discuss your needs and possible solutions.

Authenticator Apps Can Protect You from SIM Swapping

We hate taking extra steps, especially if we think they’re complicated. But with the rise of SIM swapping, you might want to bite the bullet and get used to using an authenticator app.

The benefits of using an authenticator app for 2FA were illustrated by the problems of a new client who was victimized by a SIM swap of their phone number. The SIM swap caused untold problems, including untangling them based on hard-to-find phone records.

Again, just to recap from last month, SIM swaps happen when a bad actor is able to convince a carrier that they’re you and that you need to transfer your phone number to a new device. While the bad actor has your phone number hijacked, you lose your cellular service. You can’t make or receive phone calls or send or receive texts. If it happens for a short time and you’re not using your phone, you’ll never know it happened. If you’ve set up a form of 2FA that involves getting a code through a text message, you’ll never know about that, too.

An authenticator app is different. It uses a Time-Based One-Time Password (TOTP) algorithm to generate unique, time-sensitive codes for 2FA. The apps are set up on a mobile phone, and the process can be difficult for some. We suggest professional help to avoid untimely problems down the road.

When you type in a link from a computer or a phone to link the app to an online service, both the app and the service’s server use a shared secret key and the current time to independently generate the same time-sensitive codes. When a user logs in, they enter the code from the app, which the server verifies by comparing it to its own generated code. The verification code almost always comes in on your cell phone, and the authenticator app automatically regenerates the code every 30 seconds.

The key point here is that the authenticator app is tied to your device, not your phone number. So, if the bad actor tries to enter a website or app link that uses an authenticator app, they will not see the code. It will come to your device. If you don’t recognize the reason for that code being sent, it’s a big, bright flag that someone may have hijacked your phone number or breached your security in some way.

Of course, the website or online app being accessed must offer an authenticator app as a security measure. More of them are offering it as a security measure, and you should take advantage of it wherever you can. If you’re on your computer, you need to have your phone handy, and if you’re using your phone, it will take a little juggling. But it’s well worth the effort.

We can help you set up Microsoft Authenticator or any other authenticator app. Call us – 973-433-6676 – or email us to learn more about the app and get help setting it up.

Secure Your Email

Email security continues to be the most vulnerable security link in your email chain. Ninety-six percent of all phishing attacks use email, and some three billion emails are launched daily. Phishing can cost businesses $26 billion annually. The more email accounts you have, the more vulnerable you are.

One of our clients had six email accounts, all of them created for a variety of legitimate reasons. The problem is that it meant they had to guard six doors against intruders. That’s worrisome enough, but if you use multiple email clients, such as Outlook and Gmail, you need to deploy your security measures in line with each client.

Google’s Gmail has a particular vulnerability. According to a report from Malwarebytes, Russian hackers were able to bypass Google’s multi-factor authentication (MFA) in Gmail to pull off targeted attacks. They did it by posing as US Department of State officials in advanced social engineering attacks, building a rapport with their target, and then persuading them to create app-specific passwords (app passwords). App passwords are special 16-digit codes that Google generates to allow certain apps or devices to access your Google Account securely, especially when you have MFA enabled.

Outlook faces several significant security challenges, including vulnerabilities that allow for remote code execution, phishing attacks, and the potential for credential theft. These vulnerabilities can lead to data breaches, unauthorized access, and the spread of malware.

Here’s how to strengthen your defenses.

  • Only use app passwords when absolutely necessary. Change to apps and devices that support more secure sign-in methods whenever you can.
  • Authenticator apps, such as Microsoft Authenticator, or hardware security keys (FIDO2/WebAuthn), are more resistant to attacks than SMS-based codes.
  • Stay up to date on phishing attempts. Attackers often bypass MFA by tricking users into revealing credentials or app passwords.
  • Keep an eye on unusual login attempts or suspicious behavior, such as logins from unfamiliar locations or devices. Limit those logins where possible.
  • Regularly update your operating system and the apps you use to patch security vulnerabilities.
  • Enable automatic updates whenever possible so you don’t have to remember them yourself.
  • Use security software that can block malicious domains and recognize scams.

When it comes to SMS-based codes, we want to emphasize one particular vulnerability: SIM swapping. It’s one of the internet security industry’s biggest worries.

It’s undetectable and it works like this:

  • A hacker puts your mobile phone number on a SIM card installed in their own phone.
  • Using their phone, they get your authentication code, which gives them access to a website or email account.

Despite this vulnerability, SMS-based codes are better than nothing. At a recent training seminar, we learned that many people don’t use any kind of 2FA or MFA methods at all. That is totally unacceptable.

We can help you – and your employees and family members – set up better security measures on all apps devices. Call us – 973-433-6676 – or email us to discuss your needs and develop an action plan.

Cybersecurity Keeps Them Awake at Night

“What keeps you awake at night?” That’s a question that seems to come up at many a business networking group when someone begins to offer a solution to a problem they can solve. If you’re a CEO at a major corporation, the answer to that question is: cybersecurity.

Internet systems are more complex, and complexity leads to more risks. It’s become a boardroom issue, and the most concerning part of the problem should be the increased time it takes to find a system intrusion. It now takes 292 days – more than nine months – to discover a breach.

Part of the problem is the size and complexity of large corporate networks. They have thousands of endpoints, and it’s become harder to spot anomalies and deploy patches. While our clients typically don’t have large, sprawling networks, we all interact on the corporate or personal level with large global networks for just about everything we do.

Other parts of the problem are that companies may take too long to investigate the breach, and then they need time to develop a plan to patch it. That time is directly related to the network’s size and complexity. If a company doesn’t have a continuous monitoring plan (yes, it’s hard to believe a large company wouldn’t have one), it also extends the time to discover a breach.

Two other reasons are:

  1. Hackers have better stealth tools to invade a network. Once they’re in undetected, they can take their time to look at all of their victim’s data to see what’s best to monetize.
  2. Hackers can steal login credentials and hang around a system for a long time until they’re detected.

Companies that can detect intrusions in less than 100 days can save $1 million in containment costs. But they may not be as motivated as you are to protect your network and the people they serve.

Here are some things you can do right away:

  1. Make sure you have strong passwords for every account you and your employees and family members have.
  2. Insist on using passkeys or some other form of two-factor authentication (2FA) wherever possible. A good authenticator should be device-specific and tied to a device that’s always with the user.
  3. Make sure all your software (operating systems and apps) and firmware (hardware systems) is up to date.
  4. Have an easily accessible list of your key usernames and passwords for emergency use.

Microsoft is making strides in a couple of areas. The company introduced passkey support across most of its consumer apps a year ago, allowing you to sign into your account without the need for 2FA methods or remembering long passwords. Today, it’s encouraging all new signups to use passkeys as it removes passwords as the default.

Windows Hello allows users to securely sign in to their accounts with their face, fingerprint, or PIN. Today, more than 99 percent of users sign into their Windows devices using Hello. The company reports that 98 percent of passkey attempts to login are successful; passwords are only 32 percent successful.

To help keep all your software up to date, Microsoft is developing an update orchestration platform designed to unify the updating system for all apps, drivers, and system components on Windows systems. Right now, it’s aimed at developers and IT product teams. The goal is to run an update scan tool that will queue downloads and updates at optimal times. We’ll see if they can actually make it work.

That’s in the future. For the here and now, we recommend you contact us for a security audit. It’s something you should do annually to make sure you’ve taken the four steps we enumerated above. At the very least you can strengthen your own systems before the big guys know they were breached. Call us – 973-433-6676 – or email us for an appointment.

Making Technology Work Abroad

When you travel to some of the more remote parts of the world or parts of the world that lag in communications technology, you need to be flexible. You could need to work around slower internet service or service blackouts. But you may not be able to easily work around security and tech support issues that can crop up at the most inopportune time.

As experienced travelers and technology experts, we’re used to dealing with less-than-ideal conditions. But we still came across glitches we didn’t foresee. We need to plan for less-than-optimal service (sometimes no service) and problems with internet access, and we need to have some flexibility.

When we were in a game reserve in South Africa, we knew there would be limited Wi-Fi or cellular service, but we were too busy being awed by all the animals we saw. We were surprised on our cruise ship when we were in Madagascar. The ship had internet blackouts; there was no Wi-Fi service. Satellite connections were not available. We also had to work around 3G technology (which has basically been eliminated in the United States). In some cases, VPNs would not allow access to certain websites – and we had counted on that access for certain business needs.

This presents an interesting dichotomy. We take vacations to get away from our normal routines, but sometimes we need to stay in touch. We like being able to resolve issues remotely for our clients or get a detailed understanding of issues so that we instruct those who provide services on our behalf. We believe it’s a critical part of our pledge to serve you.

We also like to take a lot of photographs and shoot videos to share with family and friends during our vacations. With images and videos creating ever larger files, we rely on fast internet service, which may not be available.

Then, there’s the matter of security, especially with authenticator apps and VPNs (virtual private networks).

Authenticator apps are part of the two-factor authentication (2FA) process for accessing websites. The first thing you should do is log in to your authenticator app and make sure it works. You should especially make sure it works with any privacy measures you might take, such as a VPN. Microsoft Authenticator (our preferred app) and Google Authenticator are two of the most commonly used apps, and they work with mobile devices – even if you are logging in from a computer.

If you get a new phone or tablet, you’ll need to reinstall your authentication app; it doesn’t transfer. When we get a client call about an authenticator problem, the first question we ask is whether you have a new phone. We can always walk you through the setup process.

While we’re on the subject of VPNs, be prepared for yours not to work when logging in to a website you normally use. In some countries, an international company’s website might be hosted in a country outside the US. If you are running a VPN that identifies your device as being in the US, just hope it works well so that you can access the site. If you need to contact that company’s tech support, make sure you know what time it is in their location.

If you’re planning a trip to remote locations anywhere in the world – even here in the US – we can help you with contingency plans based on your needs. Call us – 973-433-6676 – or email us to see what you can do.

Turn on 2FA with Microsoft 365

If you’re using Microsoft 365 without two-factor authentication (2FA), you could have a basic security problem. Cybercriminals are taking advantage of a loophole in Microsoft’s Basic Authentication, an outmoded system doesn’t require extra security checks, like a second password or a verification code sent to your phone. Here’s how to harden your system.

Hackers are using a method called “password spray and pray,” where they try common passwords across many accounts, hoping for a match. Security researchers have discovered that a botnet of at least 130,000 infected devices is being used in this attack. The hackers use non-interactive sign-ins, a method commonly used for automated logins between services. Because these logins don’t require human interaction, they often bypass 2FA protections, and many security protocols don’t pay much attention to them.

While Microsoft is phasing out Basic Authentication, it will still be partially active until September 2025. The threat is immediate and serious.

If you have a website, experts urge you to disable Basic Authentication and monitor non-interactive sign-in logs. You should also adopt access policies based on location and device security to restrict logins from unknown locations or requiring extra security steps for an unfamiliar device. Enabling multi-factor authentication (MFA) or certificate-based authentication would require users to verify their identity with a second factor, like a phone code or fingerprint scan. Even if hackers steal a password, they still won’t be able to access the account without this extra verification.

On the user side, eliminate multiple-use passwords. A password manager makes it easy to generate long, unique, complex passwords that are extremely hard to hack. And if a hacker does happen to hit one, it’s highly unlikely they’ll get another one.

If the websites you use require 2FA, we suggest using your password manager to set up a six-digit token through your phone’s authenticator app. With a cell phone, you can use facial recognition or fingerprint for authentication. And there’s still the six-digit code sent to your phone as a text message or an email.

We can help businesses and individual users upgrade or improve their online security. Call us – 973-433-6676 – or email us to talk about your needs.

Busting the Passkey Myths

Passkeys are replacing mere passwords at a rapid pace, and that may be scary for some people. Passkeys are inherently more secure than passwords. For the most part, they are extremely difficult (we won’t say impossible) to crack, and that’s why you should get more comfortable with using them.

Tech leaders such as Microsoft, Google, and Apple are among those leading the passkey charge because there are nearly 7 million combinations of usernames and passwords on the dark web. When your passwords end up on the dark web, cybercriminals can use them to get into your accounts and steal your private data. That’s why passkey-based authentication is becoming a fast-growing trend. Their main benefits are that they can’t be stolen like passwords, and there’s nothing for you to remember.

Still, myths persist, and Dashlane, the password manager app that we prefer, has its own magnificent seven myths it wants to bust.

  1. If you lose your phone, you can’t access your passkeys. If you have a password manager, your passkeys should sync across all devices – unless you “cheaped out” on a freebie. If you only use a mobile device for your passkey, make sure you store it in your phone’s password app. That will enable you to move them to your new device.
  2. Only Google and Apple currently sync passkeys. Third-party passkey providers like Dashlane use their own cloud infrastructure for syncing, similar to Google and Apple. Microsoft has announced that synced passkeys will be coming to Windows 11 and associated with Microsoft accounts. Google recently indicated that synced passkeys in Google Password Manager will soon be available on both macOS and Windows.
  3. Passkeys send your biometric information over the internet. All verification methods operate solely on your device. No biometric information is sent to the website, only confirmation that verification was successful.
  4. You can change your password but not a passkey. Passkeys can be changed simply by deleting them from the website they’re set up with and re-enrolling a new one. This is because every new passkey is unique, even when multiple passkeys are set up for the same website.
  5. PIN codes are not as secure as passwords. Once a device PIN code is set up, it can only be used on a particular device. That’s a security feature not available with a password.
  6. Using a password manager for your passwords is better than using passkeys. While password managers help, they can’t completely prevent phishing. Passkeys, by contrast, are phishing-resistant by design. Additionally, almost all leading password managers now support passkeys for both secure password storage and the added protection of passkeys.
  7. Passkeys are a way for vendors to lock users into their platforms. The FIDO Alliance has published new standards that will allow password managers to safely and easily export passwords and passkeys.

The myths point to a certain intimidation factor about using passkeys. Our advice is don’t be intimidated. We can help you set up an authentication app, such as Microsoft Authenticator, and other methods, such as biometrics and PIN codes. Call us – 973-433-6676 – or email us to talk about what’s best for you and your organization.

Upgrade for Security

Should you upgrade to Windows 11 and get a new computer? Microsoft and an increasingly aggressive, more sophisticated hacking environment are calling the question. For a number of reasons, our answer is a resounding “yes.”

We’ve discussed this before, but we have an increased sense of urgency about upgrading technology to improve your security. Microsoft reports that in 2015, they were detecting around 115 password attacks per second. In 2024, that number has surged 3,378% to more than 4,000 password attacks per second. We need stronger, more comprehensive security approaches than ever before, and we need them across all devices and technologies we use in our lives, both at home and at work.

Microsoft and its hardware partners developed an array of software solutions to harden your security. These solutions rely on brute power to process massive amounts of security protocols and tools to keep out bad actors. Many of these tools use artificial intelligence (AI) to find and implement security measures that require nimble, changing movements, much like you find if you’re a gamer. They also power increasingly sophisticated passkeys (such as facial recognition or other biometrics) or two-factor authentication (2FA).

Windows 11 has the software tools, but they’re either useless or toothless without the hardware to power them. To install or upgrade to Windows 11, devices must meet the following minimum hardware requirements:

  • Processor: 1 gigahertz (GHz) or faster with two or more cores on a compatible 64-bit processor or system on a chip (SoC).
  • Memory: 4 gigabytes (GB) or greater.
  • Storage: 64 GB or greater available disk space.
  • Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver.
  • System firmware: UEFI, Secure Boot capable.
  • TPM: Trusted Platform Module (TPM) version 2.0.
  • Display: High definition (720p) display, 9″ or greater monitor, 8 bits per color channel.
  • Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features. Windows 11 Home Edition also requires a Microsoft Account to complete device setup on first use.

These are the minimum requirements, and they can change at any time.

Is your computer compatible? If it’s more than three years old, it’s unlikely. Three years has become the lifespan for many machines because the technology changes so quickly and extensively. We recently replaced the personal computers in our family so that we could all take advantage of new computer capabilities. For personal computers, it will be a crapshoot as to how much longer you can safely go online.

For businesses, it can be to your advantage to upgrade your computers before the end of the year – though your tax advisors can give you more precise information. We can only tell you that you need to balance the cost of a new computer against the possible costs of a security breach.

We can help you in several ways.

  • We can evaluate your hardware, especially if you are still running Windows 10, and help you determine if new hardware will be cost-effective for running Windows 11.
  • We can help you select and buy computers and other systems that fit your budgets, and business needs as best as possible.
  • We can configure your new computers and systems to make sure you have the best balance of security and performance.

Call us – 973-433-6676 – or email us for an appointment.

Hacked SSNs: What, Me Worry?

With apologies to Alfred E. Neuman, yes, you should worry. But you don’t need to panic, especially if you have Windows 11, a computer with a later-generation chipset and a lot of common sense.

New reports say the hacking group USDoD claimed it had allegedly stolen personal records of 2.9 billion people from National Public Data, according to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, FL. The breach was believed to have happened in or around April, according to the lawsuit. A class-action law firm said the stolen file includes 277.1 gigabytes of data and includes names, address histories, relatives, and Social Security numbers dating back at least three decades. A post from a cybersecurity expert on X claims the records for citizens of the U.S., U.K., and Canada were sold on the dark web for $3.5 million.

Yes, that’s scary. But it’s not as dire as you think. Security breaches happen all the time because thieves find vulnerabilities in large systems and exploit them. Some thieves steal simply because they can. If they don’t try to use stolen information, you don’t have a problem. But if they do try to use stolen data, they need to know how to defeat whatever aggressive defenses exist at, say, a bank. Often, they fail.

They may try to sell the data, but if there’s no market, the stolen information languishes. If they do sell it, the data might turn out to be outdated. Finally, the buyers may be state actors. If you’re not a likely target of blackmail or in possession of interesting secrets, they may have the goods on you but not want to use them.

All you can do is harden your defenses as best you can.

Set up two-factor authentication for every online account that offers it, or use an authentication app, such as Microsoft Authenticator to secure your online accounts. If thieves haven’t intercepted your email, text messages, or phone, it’s going to be hard for them to break in.

Sign up for account alerts. Depending on your bank or card company, you can set them up for many things, including any charge outside your home country, any (or all) ATM withdrawals, or transactions over a certain amount.

If you get an alert you didn’t expect — or even one you did — don’t click links or call phone numbers in the alert. Instead, log into the account in question and find a contact number there. That will keep thieves from redirecting you to their own operations.

We can answer questions about 2FA, and we can help you set up Microsoft Authenticator. A proper set-up will prevent problems down the line. Call us – 973-433-6676 – or email us for an appointment.