A password manager program going “passwordless?” Yup. Passwords are the bane of everyone’s existence, and the internet industry is looking to get rid of them.
Continue readingEmail Demands Two-Way Vigilance
Hackers are not always the brightest bulbs in the box. Their success depends more on you making mistakes than almost anything else. When they hack or spoof an email account, you’re dependent on your friends and associates to tip you off. Then, it’s up to you to resolve the problem as soon as you can. Here’s how our client handled their issue and how we handled one of our own.
Our client’s hack of their Comcast email started off simply enough. Hackers got their address book and sent an email to everyone asking if they used Amazon. That’s a normal start to a scam. Our client and spouse got tipped off when both got text messages from recipients – and the spouse got emails – suggesting that one of their email accounts might have been hacked.
Both of them were out of the house when they got word of the problem, but one of them was able to get home and start looking into the problem. The first thing they did was to change the password and the secondary email address used for notifications from Comcast. They also set up two-factor authentication (2FA) to the client’s cell phone number and changed the password again.
Those were two good steps to take, but there were two more surprises. First, they discovered that the hackers had set up an email address that they tied to the Comcast account. Our clients checked through all their accounts but didn’t see an email address that corresponded to the one set up by the hackers. They thought they were in the clear, but they hadn’t found the second surprise.
Later in the day, the client noticed they hadn’t been getting any emails on their Comcast account. They could send messages. Suspecting that a forwarding rule had been inserted by the hackers, they contacted Xfinity by telephone and after a few branches on the phone tree, they were able to speak to a security specialist. After an exhaustive security check, the specialist was able to remove the forwarding rule, securing the account.
They were fortunate that no emails involved responding to financial or healthcare websites. Had that happened, they could have been compromised. They did the right thing by changing the password, setting up 2FA, resetting the secondary email address and changing the password a second time. Those are things you can do immediately. They should have contacted Xfinity immediately after to see about any other changes and had them resolved right then and there.
Those are steps you can take if your email is hacked.
Our hack involved our QuickBooks address, and it’s typical of the problems small businesses can face. I noticed an email that looked like junk mail, so I didn’t pay much attention to it. But soon after, I took a closer look because the email address was [email protected]. It still didn’t seem that urgent, but it began to bother me.
So, I called QuickBooks (remember, we always urge people to pick up the phone if a problem seems bad enough) and explained what was going on. We have a merchant account. They said that hackers had set up an invalid account using the bogus email and an invalid tax ID number. It was a bare, basic account, but it was enough to raise a white-risk flag at QuickBooks. Our phone call put it on their radar screen.
This story should be on your radar screen, too. As small businesses – and even as consumers – we constantly get emails that we’ve been “approved” for something or other. We also get a lot of fake invoices that look like they’re coming from companies we do business with.
We need to be on guard against these. It’s easy to impersonate a business, and if the recipient isn’t careful, they might make a real payment to a real bank account that’s not tied to the legitimate vendor account they thought it was. As a business owner, we likely have no responsibilities or liabilities to the company or person that paid the fake invoice. HOWEVER, this is not a discussion I want to have with anybody.
At the end of the day, small businesses remain a huge target for hackers and cyber thieves. We need to depend on our own vigilance and the help of people we do business with to monitor anything that seems out of the ordinary and let someone know. I want you to let me know you got something odd from me – just like our client was tipped off about the bogus email. Any of these breaches can have serious consequences.
If you’ve been hacked in some way, take immediate steps to secure your accounts, including multiple password changes built around other security measures that you can take. Then, you can call us – 973-433-6676 – to let us know about the breach. We can help you investigate if any further damage was done and help mitigate the consequences as best as possible. If you have security questions, you can call or email us to discuss them.
Living with 2FA
Two-factor authentication has become a necessary part of life for access to critical websites, such as those that deal with your banking and your health. For those of us who are getting older or have parents who are getting older, access to some of those websites could be a life-and-death matter in extreme cases. You may have access to an account or have given someone access to it. But the 2FA is likely still tied to a cell phone, presenting an authentication issue. Workarounds are not easy.
Increasingly, 2FA is a requirement, not an option. If you opt not to use 2FA, you run a security risk. If 2FA is required, many people choose to have a code sent to their cell phone as a text message. The idea behind that is that the user has the device in their hand and is the only one who can see the code. It’s a safe choice. (OK, there’s a chance that someone might be able to intercept the text or that you might be in a kidnap situation. For most of us, the probability is practically nil.)
Fortunately, a cell phone number is not the only method of authentication. Most sites that require 2FA ask you to have an email address on file, too, and you can have that code sent there. If you or someone acting on your behalf has access to that email account, it’s easy to get the code and complete the authentication step.
Those are the easy situations.
Unfortunately, we’re asked to help reactivating and accessing old email addresses and old financial websites. The reasons are varied; helping an elderly parent or spouse or family member is most common. Sometimes, you need access because someone has died. Sometimes, you need access to close up accounts that you forgot about and are no longer using. We find the biggest culprits there are when you open an account somewhere to take advantage of free stuff. You use it for a single transaction and forget about it. Then, all of a sudden, you run into trouble because somebody got into your long-forgotten account. Remember, there’s no such thing as free stuff.
The obvious step to prevent all such problems, of course, is to write down all the login info for all accounts you need for yourself or someone else – even those godforsaken freebies. Equally obvious, close all online accounts or email addresses that you no longer use.
If we need to gain access, it’s a tedious and risky process. We can try to follow all sorts of breadcrumbs from old texts and emails (“to” and “from” addresses, subject lines, dates) to see if there are clues to an access point. We need to be careful at every step along the way because just like in a computer game, one mistake can knock you out. Microsoft, for example, has an automated system that monitors access tries. When the system sees something it doesn’t like, it rejects any future tries. There’s no human intervention involved.
Sometimes, we can help our clients reset a Gmail password; sometimes we can’t.
The key to all this electronic poking around is that you need to know where the pitfalls are in each site’s process for resetting a password. Making the wrong move can strengthen the lockdown. You need to know when you’re jeopardizing the entire reset process.
If you need to deal with resetting login credentials, give us a call – 973-433-6676 – or email us to discuss the problem, process and risks. We want you to be able to make an informed decision on how we can help.
MFA and Insurance Forms
This has nothing to do with a graduate degree in fine arts. The problems of weak passwords have raised alarms for the insurance industry –
Continue readingUpdate Account Recovery Info
Update Account Recovery Info
Facebook, Gmail, and iCloud are among the many online services that either require or strongly encourage you to have an alternate email address or cell phone number that enables you to recover your account and all the data you have in it.
Understanding MFA and Other Security Measures
We recently added a new home-user client through the Nextdoor website, and during our initial conversations, we covered a lot of security issues. The new client, an elderly gentleman, had a really good handle on his online security. There’s a lot for us to unpack as individuals and as those who have elderly parents – though some of this can apply to everyone.
First, let’s look at passwords. While this discussion is inspired by our new client, our conversation can apply to anyone because we never know when someone will not be able to access vital personal information either stored on a computer or device or in the cloud.
When we take on a new elderly client, we spend a lot of time talking about online security, including passwords, password managers and MFA. We were heartened to learn our new client knew all about using his passwords properly. He seemed to understand the system better than many of our younger clients.
When he asked about using a password manager, a subject he brought up, we advised against it. While password managers can greatly enhance online security and can be extremely convenient (think about accessing a website from your mobile phone when you’re in an urgent situation), everyone needs to know the law of unintended consequences. Every password manager has an encryption key, and if you don’t have the master password with that encryption key, you won’t get in. That includes you as the account owner and anyone who might need to get into a website.
We told him it would be preferable to write all his passwords in a book. It doesn’t need to be locked in a safe, but it should be kept in a secure place – and at least one other trusted person should know where it is. This is critically important for the elderly or anyone else who may need someone to manage their affairs because of some impairment or death.
Second, let’s look at forms of security generally known as two-factor authorization (2FA) or multi-factor authorization (MFA).
We discussed using MFA for his online banking and financial activity, and he said: “That is so easy, everyone should be doing it.”
I agree wholeheartedly. It’s not that complicated to use it once you set it up. In most cases, you can link the authorization to a specific device or devices, such as a computer, tablet or phone. When you do that, you can sign into a website account from the authorized device(s) without going through the authorization every time – or you can set it up to require authorization every time. It becomes difficult if somebody is trying to sign into your account from another device, but of course, this is what the process is designed to do.
The way most MFA processes work is that when you sign in from a device, a code is sent by text message to a phone or to an email address. Once you receive the code, you enter it on a designated page associated with the website. The complication will come if someone is truly signing in on your behalf from an “unknown” device. That person will need access to the authorization message.
Another security measure that works for iOS devices is Apple’s iCloud Keychain. Functioning like a password manager to some extent, it allows you to use your device access code to activate a complex password to enter a secure website.
We can help you understand all the benefits and pitfalls of using MFA. The big problems, obviously, are to make sure you don’t lock yourself out of your account and know what do to if your phone is not working. Call us – 973-433-6676 – or email us to get comprehensive information about MFA and password managers and to configure your systems to work best for your needs.
Using Alternatives to Passwords
We have harped…and harped ad infinitum…about having strong passwords simply because those strings of upper- and lower-case letters, numbers and special characters offered the best chances of staying ahead of the hackers. But we’ve always reminded you that something better is needed because the bad guys have a vested interest in developing better systems to crack passwords and in finding more ways to exploit vulnerabilities in anybody’s electronic vaults that store vital personal and corporate info.
When one of our clients got hacked, we installed a password-less system to offer them better security. Our solution, which uses Microsoft Azure, is one of the emerging technologies to replace passwords with biometrics, one-time codes, hardware tokens and other multi-factor authentication options. What they do is exchange tokens and certificates without users – you, your employees and your customers – needing to remember anything. The new pathway to better protection even bypasses the password managers that many of you use.
IT industry figures show that more than 80 percent of security breaches involve stolen passwords and credentials. We all pick passwords that are too simple and easy to guess, or we store and reuse a few complex passwords that we can remember. That problem is exacerbated by forcing regular password changes even without evidence of breach. If password reset systems rely on people, they can be fooled by social engineering. Password-less technologies can combine certificates with contextual security policies that require less from you. They rely more on trusted devices and connections, and they can add layers of complexity as risks rise. New security can be based on the value of the content and factors such as user behavior, device location and connection, or the state of the device.
You can already set up password-less access using Microsoft’s Azure AD Conditional Access. Many of you who use our backup services already have Azure accounts, and you can use the technology to manage:
- Sign-in risk to identify who’s signing in and determine who’s a risk.
- Network location to determine if access is being attempted from a network location that is not under your control or the control of your IT department.
- Device management for accessing cloud apps from a broad range of devices including mobile and personal devices.
- Client application to manage cloud access using different app types, such as web-based, mobile, or desktop.
There are some cross-platform technologies available for going password-less, but it all starts with the Microsoft Authenticator app. It uses key-based authentication to create a user credential that’s tied to a device and uses a PIN or biometric. Instead of using a password to sign in, users see a number code to enter into the Authenticator app, where they have to enter their PIN or provide a biometric.
Password-less sign-in for Microsoft accounts with the Microsoft Authenticator app is already available, and support for signing into Azure AD is now in public preview. Right now, the app can only cover a single account registered with Azure AD in one tenant, but support for multiple accounts is planned in the future. It covers Office 365 and Azure and works with a variety of other apps.
If you’re ready to go password-less, we can help you decide what’s right for you and set up your accounts and devices. Just give us a call – 973-433-6676 – or email us to set up an appointment.