Understanding MFA and Other Security Measures

We recently added a new home-user client through the Nextdoor website, and during our initial conversations, we covered a lot of security issues. The new client, an elderly gentleman, had a really good handle on his online security. There’s a lot for us to unpack as individuals and as those who have elderly parents – though some of this can apply to everyone.

First, let’s look at passwords. While this discussion is inspired by our new client, our conversation can apply to anyone because we never know when someone will not be able to access vital personal information either stored on a computer or device or in the cloud.

When we take on a new elderly client, we spend a lot of time talking about online security, including passwords, password managers and MFA. We were heartened to learn our new client knew all about using his passwords properly. He seemed to understand the system better than many of our younger clients.

When he asked about using a password manager, a subject he brought up, we advised against it. While password managers can greatly enhance online security and can be extremely convenient (think about accessing a website from your mobile phone when you’re in an urgent situation), everyone needs to know the law of unintended consequences. Every password manager has an encryption key, and if you don’t have the master password with that encryption key, you won’t get in. That includes you as the account owner and anyone who might need to get into a website.

We told him it would be preferable to write all his passwords in a book. It doesn’t need to be locked in a safe, but it should be kept in a secure place – and at least one other trusted person should know where it is. This is critically important for the elderly or anyone else who may need someone to manage their affairs because of some impairment or death.

Second, let’s look at forms of security generally known as two-factor authorization (2FA) or multi-factor authorization (MFA).

We discussed using MFA for his online banking and financial activity, and he said: “That is so easy, everyone should be doing it.”

I agree wholeheartedly. It’s not that complicated to use it once you set it up. In most cases, you can link the authorization to a specific device or devices, such as a computer, tablet or phone. When you do that, you can sign into a website account from the authorized device(s) without going through the authorization every time – or you can set it up to require authorization every time. It becomes difficult if somebody is trying to sign into your account from another device, but of course, this is what the process is designed to do.

The way most MFA processes work is that when you sign in from a device, a code is sent by text message to a phone or to an email address. Once you receive the code, you enter it on a designated page associated with the website. The complication will come if someone is truly signing in on your behalf from an “unknown” device. That person will need access to the authorization message.
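The flow just described, as an added example that is not part of the original post: a small server-side verifier that issues a six-digit code for delivery by text or email, stores only a keyed hash of it, accepts it once within a short window with a capped number of attempts, and optionally remembers the device so the code is not asked for again on it. Class and constant names (CodeVerifier, IssuedCode, DEVICE_TRUST_SECONDS) and the 5-minute / 30-day values are assumptions of this example; delivery is a callback so it runs offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300             # assumption: the texted/emailed code is good for 5 minutes
MAX_ATTEMPTS = 5                   # assumption: lock the code after a few wrong guesses
DEVICE_TRUST_SECONDS = 30 * 86400  # assumption: "don't ask again on this device" for 30 days


@dataclass
class IssuedCode:
    code_hash: bytes     # only a keyed hash is stored, never the code itself
    expires_at: float
    attempts: int = 0
    used: bool = False


class CodeVerifier:
    """Issues and checks one-time codes and tracks devices the user chose to trust."""

    def __init__(self, send, clock=time.time):
        self.send = send          # callback send(user, code): deliver by SMS or email
        self.clock = clock        # injectable clock so expiry can be tested offline
        self.pending = {}         # user -> IssuedCode
        self.trusted = {}         # (user, device_id) -> trust expiry timestamp
        # Server-side key: a leaked table of hashes cannot be brute-forced without it.
        self.server_key = secrets.token_bytes(32)

    def _hash(self, user, code):
        return hmac.new(self.server_key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user):
        """Generate a fresh 6-digit code, record its hash and expiry, and send it."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = IssuedCode(self._hash(user, code), self.clock() + CODE_TTL_SECONDS)
        self.send(user, code)

    def needs_code(self, user, device_id):
        """True unless this device was remembered and the trust window is still open."""
        expiry = self.trusted.get((user, device_id))
        return expiry is None or expiry < self.clock()

    def verify(self, user, device_id, code, remember_device=False):
        """Accept the code once, inside its lifetime, within the attempt cap."""
        issued = self.pending.get(user)
        if issued is None or issued.used or issued.attempts >= MAX_ATTEMPTS:
            return False
        issued.attempts += 1
        if self.clock() > issued.expires_at:
            return False
        # Constant-time comparison of hashes, so timing does not leak matching digits.
        if not hmac.compare_digest(issued.code_hash, self._hash(user, code)):
            return False
        issued.used = True
        del self.pending[user]
        if remember_device:
            self.trusted[(user, device_id)] = self.clock() + DEVICE_TRUST_SECONDS
        return True
```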

Another security measure that works for iOS devices is Apple’s iCloud Keychain. Functioning like a password manager to some extent, it allows you to use your device access code to activate a complex password to enter a secure website.

We can help you understand all the benefits and pitfalls of using MFA. The big problems, obviously, are to make sure you don’t lock yourself out of your account and know what to do if your phone is not working. Call us – 973-433-6676 – or email us to get comprehensive information about MFA and password managers and to configure your systems to work best for your needs.

CAVEAT EMPTOR!!!

“Buyer Beware!” is a more important warning than ever before if you’re buying phones, computers, tablets and other electronic devices online. We all like online bargains, but the looting that took place as peaceful demonstrations fell apart will put a lot of stolen goods on the market. It’s a fact of life – not a political or social statement. Here’s what you need to know.

First, mobile phones, tablets and computers have built-in tracking. If the merchant from whom the devices were stolen reports the identifying information to the manufacturer, a message can be displayed as soon as the device is connected to any kind of network. It will tell the user that the device is stolen and cannot be put into service.

Second, in all likelihood, if you bought tainted goods on the internet, you bought them from a less-than-reputable seller, which means you won’t get any support from the manufacturer or a cellular network carrier. We can’t say for sure, but a manufacturer or merchant who knows where a stolen device is could initiate action to get it back.

Third, if you used a credit card, your account information is now in the hands of people who can monetize it at some point.

In short, you’ll have no consumer protection, and you could have a lot of liabilities. That puts the onus squarely on you to make sure you visit only legitimate merchant websites and buy from legitimate sellers.

Everyone can expect to be bombarded with offers from sellers, legitimate or not. We’ve been bombarded for years. Some offers come through phishing expeditions, which can look legitimate but may have one slight change from a seller that might be familiar to you. You might see an ad on a website, and that can be a tough call. Huge businesses have been built – legitimately – by tracking your browsing history and then sending you ads. It’s easy for a “fencing” operation to set up a website that has every appearance of legitimacy.

Our advice is simple. Only click on links that you are 100 percent sure are legitimate websites. Only buy electronics from legitimate sources. They may be well-known retailers as well as vendors vetted and supported by services such as Amazon. You can be reasonably assured you are getting a legitimate product and that your credit card information will be properly protected. And if your product is defective or not what you expected, you should be able to exchange or return it within a clearly stated policy.

If you have any questions about a product you’re shopping for, don’t hesitate to ask us about its properties or things to look for in a seller. Call us – 973-433-6676 – or email us if you have any questions.

What Are Your Biggest Online Threats in 2020?

Cyberthreats will be coming at you – and any person or organization with whom you have an online relationship – with increasing speed and sophistication. For some, it might feel like you’re living inside an online fantasy game, but it’s real life. Here’s what to look for.

Phishing and Social Engineering

There’s nothing new about phishing, where cybercriminals try to obtain sensitive information, like passwords or financial information, usually by using links in emails to install malware to breach your system. Non-profits have been major targets because they don’t have alert systems built into network infrastructures, but any business, governmental organization or individual can be hit. We’ve discussed the need to be highly aware of what you’re clicking and to exercise extreme caution. As an individual user, you have control.

At businesses, it’s a bigger chore to combat phishing. Attacks enable hackers to steal user logins, credit card credentials and other types of personal financial information, as well as gain access to private databases.

Going hand-in-hand with phishing is social engineering, which can cover a multitude of attacks such as disinformation and deep fakes spread by social media. We see this as one of the biggest threats you face this year.

Social media makes it easier to spread disinformation faster than anyone can send out the facts to repudiate fakery or misrepresentation. Deep fakes relate to fake images and videos being created by deep learning techniques. We’ve seen them in the political arena and can expect more of them to be leveraged as a tool to attempt to discredit candidates and push inaccurate political messages to voters via social media. We’ll also see them in ransomware, showing targets realistic videos of themselves in compromising situations. We’ll also see more spoofing in business email with deep fakes used to add a further degree of realism to the request to transfer money.

Ransomware

Ransomware attacks cost billions of dollars every year, as hackers literally kidnap an individual or organization’s databases and hold all of the information for ransom. The rise of cryptocurrencies such as Bitcoin spurred ransomware attacks by allowing ransom demands to be paid anonymously. As companies build stronger defenses against ransomware, some experts believe hackers will increasingly target other potentially profitable ransomware victims such as high-net-worth individuals.

Third-Party Vulnerabilities (IoT, Cloud, Supply Chain)

This is a tough threat to ward off because you have some control over your vulnerabilities but not all of them. With the Internet of Things (IoT), you have control. Make sure that you change every default username and password for every device you connect to your network and have a strong network password and firewall. I have little sympathy for people whose systems are hacked because they didn’t take the proper setup steps to prevent invasion.

The cloud is as safe as you can get, especially with large, reputable service providers. They have the resources to deploy the most advanced security measures and multiple services to protect your data. Our advice here is to use a top-rated cloud service provider and make sure you have protected your network, just as you would to maintain IoT security.

The supply chain is tough. With so many companies using the internet to fulfill product orders, manage vendors and customers and provide financial services, each one of them can rely on hundreds of vendors. You rely on all of them to keep your data safe, and that can make any one of them the weakest link in your security. Your best defense is to take every security precaution you can, such as keeping your software and hardware up to date, using common sense on what you click, and letting others know when you have concerns about their security.

Internal Attacks

We have only begun to see the impact insiders can have on organizations as well as national and global security. While the news focuses on dangerous insiders exfiltrating data to foreign governments and terrorist organizations, you need to focus on your business – and your business partners. In all likelihood, your biggest threats will be data theft for monetary purposes – similar to effects of ransomware – or some disruption of your business by a disgruntled or careless employee.

5G’s Unprecedented Data-Theft Speeds

5G cellular technology promises unprecedented speed to make it possible to have more effective infrastructure, autonomous vehicles, faster emergency response and greatly improved telemedicine. It will be almost entirely software-driven; you’ll need hardware capable of handling it. Because it will be software-driven, it will be susceptible to hacks. You’ll need to follow safe internet practices and hope that everyone else does, too. There’s not much you can do technologically in the grand scheme of things, but you can and should demand that large organizations and governments take steps to protect 5G networks.

We can help you make sure you have the knowledge and systems in place to protect your systems from cyberthreats. Contact us by phone – 973-433-6676 – or email to discuss your needs.

7-bit#, 7-bit#-not PW123 – A Password Primer

This headline depicts how passwords are written and stored in your computing environment. We won’t go into heavy details, but it essentially works this way.

When you put letters – upper and lower case – and numerals and special characters into your password, the storage system records them in a code involving 7 bits and a # symbol. Hackers have learned that if they attack your password in #s, or hashes, they have a shot at cracking your password.

When you change just one special character – or number or letter, you’re only changing one #. You’re actually making your security worse when you do that, especially if you have a really simple password and depend on a &, $ or @ to keep your passwords secure.

Here’s what you need to know about keeping them secure, and if you understand the principles, you’ll know why passwords can’t go away fast enough.

  • Don’t change just one number or special character. If someone has managed to get close to your password, it doesn’t take much to run a program that swaps out 10 numerical characters and maybe eight special characters.
  • Don’t use short passwords. A computerized analytics program can run through a short combination of letters and characters faster than you read this sentence.
  • Do use long passwords with combinations of upper- and lower-case letters, numerals and special characters.
  • Do change several numbers and/or special characters when you change your password.
  • Do make your passwords illogical. We all try to keep some semblance of something we can remember because we need to have passwords for so many websites or apps. But if a hacker catches onto your logic, you’re more vulnerable.
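The primer's two points, hashed storage and the tiny search space left by swapping a single digit or special character, as an added example that is not the article's own code and serves both the explanation above and the Don't/Do list: a salted, deliberately slow hash for storing passwords, a count of how many guesses a one-character tweak of a known old password leaves versus a long random one, and a change-password check that enforces the list's rules. Function names, the eight-character special set, the 14-character minimum and the PBKDF2 round count are assumptions of this example.

```python
import hashlib
import hmac
import os

DIGITS = "0123456789"
SPECIALS = "!@#$%^&*"                          # assumption: the "maybe eight special characters"
ALPHABET_SIZE = 26 + 26 + 10 + len(SPECIALS)   # upper, lower, digits, specials = 70 symbols
PBKDF2_ROUNDS = 200_000                        # assumption: slow enough to make offline guessing costly


def hash_password(password, salt=b""):
    """Return (salt, hash). A fresh random salt means equal passwords hash differently."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def positions_changed(old, new):
    """Count positions where new differs from old; extra or missing characters count too."""
    return abs(len(old) - len(new)) + sum(a != b for a, b in zip(old, new))


def single_tweak_guesses(old):
    """Guesses needed by someone holding `old` if only one digit or special character
    was swapped: for each such position, the other symbols of its class."""
    total = 0
    for ch in old:
        if ch in DIGITS:
            total += len(DIGITS) - 1
        elif ch in SPECIALS:
            total += len(SPECIALS) - 1
    return total


def random_password_guesses(length):
    """Guesses for a manager-generated password drawn uniformly from the full alphabet."""
    return ALPHABET_SIZE ** length


def check_new_password(old, new, min_len=14, min_changes=3):
    """Apply the primer's rules at change time; an empty list means the change is acceptable."""
    problems = []
    if len(new) < min_len:
        problems.append(f"too short: {len(new)} < {min_len}")
    changed = positions_changed(old, new)
    if changed < min_changes:
        problems.append(f"only {changed} character(s) changed from the old password")
    classes = [any(c.islower() for c in new), any(c.isupper() for c in new),
               any(c in DIGITS for c in new), any(c in SPECIALS for c in new)]
    if not all(classes):
        problems.append("missing upper, lower, digit or special character")
    return problems
```

For a constructed old password such as lawyer123! the one-character tweak leaves 34 candidates, while a 16-character random password from a manager leaves 70^16.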

We can’t emphasize strongly enough that password and internet security get more critical every day. Hacking and ransomware attacks get more prevalent, and the stakes are higher as we digitize every aspect of our corporate and personal lives. Governments, agencies and school boards – Livingston here in NJ being the latest – have fallen victim to ransomware attacks, and all face the agonizing decision of whether to pay up or try to recover their data. The latter can take longer and be more expensive than the ransom payment, but for some, it’s a matter of principle.

This leads us to four other recommendations when it comes to passwords and internet security:

  1. Use fake answers for the security questions that accompany passwords on many websites. So many of them involve facts that are a matter of public record, including addresses, your first car and your maternal grandmother’s middle name.
  2. Use a password manager program – and let it generate random passwords for every online account you have or ever hope to have. You just need to remember one password, and you can use it to download every password you have if and when you need to know each one.
  3. Have a real backup program for your data. OneDrive and Dropbox are good for storage, and you can recover your data file by file. A backup program such as Azure allows recovery and restoration more efficiently.
  4. Switch from passwords to biometrics whenever and wherever you possibly can. Biometrics are becoming more available, and it makes sense to incorporate them where you can.

Contact us by phone – 973-433-6676 – or email to talk about a good backup program, a password strategy and/or moving to biometrics. And above all, practice safe password protection.

Password123 and Other Common-Sense Anomalies

We continue to be amazed at the utter lack of common sense some people have when choosing strong passwords. Even if you satisfy all the algorithms for an allegedly strong password (upper- and lower-case letters, numerals and special characters), you may leave hints that make it all too easy to crack it. Here are some factors to be aware of.

We believe the most important thing anyone has to understand is that nobody – absolutely nobody – is not on the internet. Obviously, you’re an online regular if you’re reading this, but even somebody who has never owned a computer or has paid for everything only in cash has an online profile. Birth certificates, census reports and immigration records from over 100 years ago are available online. Have you ever seen a security question (not one you’ve chosen and answered falsely) that asks about an old, old address of yours or a sibling?

Based on all the available information about you, it defies my definition of common sense that an attorney would use lawyer123 – or even lawyer123! – as a password. If you promote your profession or business on a website and somebody wants to crack your personal info, they’ll likely try using your profession – with 1234 and a special character.

Use common sense as well as technology’s tools to make your life both more convenient and more secure. You can start with a password manager, such as Dashlane, which requires you to know only one really strong, difficult-to-crack password. You use that password to use the password manager, and the program generates random passwords that have no connection to you, your hometown or your first pet.

When you use a GPS system to go someplace, are you always aware of your surroundings in case something just doesn’t look or feel right? Common sense should tell you that you might not be in the right neighborhood or that the system’s algorithms are telling you to make a left turn where you can’t or to go the wrong way on a one-way street. Technology is an imperfect tool. It’s up to you to make sure you have the latest version of your technological tool, which we hope will have fewer imperfections.

Common sense will be society’s best defense in combating the way technology can spread disinformation and misinformation. This is not a political statement. Disinformation and misinformation have been used since before the printing press, but today’s technology makes it much easier to create and distribute words and images. There is no technological tool for critical thinking.

However, we can help you with the tools that can help you enhance your online security and your life. Call us – 973-433-6676 – or email us with any questions you have about better living through technology. It makes sense to be up to date.

Convenience vs. Competition: What do You Think?

The Department of Justice is beginning an investigation of “big data” companies and their hold on your online activity. This is not intended to be a political rant, but we’d like to know your thoughts on convenience vs. competition.

Here’s the executive summary of the DOJ’s investigation:

  • DOJ is reviewing whether and how market-leading online platforms – Amazon, Apple, Facebook, Google and the rest of the usual suspects – have achieved market power and are engaging in practices that have reduced competition, stifled innovation, or otherwise harmed consumers.
  • The review will consider the widespread concerns about competition that consumers, businesses, and entrepreneurs have expressed about search, social media, and some retail services online.
  • The goal of the review is to assess the competitive conditions in the online marketplace in an objective and fair-minded manner and to ensure Americans have access to free markets in which companies compete on their merits to provide services that users want. 
  • If violations of law are identified, the DOJ will proceed appropriately to seek redress.

The investigation – or review – caught our attention because Amazon’s recent Prime Day blew projected numbers out of the water. Why not? When you want to buy a product, what do you usually do? You use Google to find the best price or fastest delivery, and you generally go to an Amazon website – where Amazon has your address and credit card info on file. Yes, it’s basically one click or just a few, and your shiny new object is on its way – sometimes with same-day delivery.

I admit, that’s how we sometimes shop for products and make our purchase decisions. I don’t know if the size of Google and Amazon limits my choices – or if they limit them significantly. I might never know if a local merchant has a better product, price or customer service because smaller businesses don’t have the numbers to show up in a Google search where I can easily see it. I don’t know if another search engine (not Bing, which is Microsoft) would give me better results because Google is ingrained in my mind. It’s even become a verb.

We recognize that technology and laws are complex fields, and we’ll all have different opinions about what makes a good law. But we’d like your thoughts on competition and convenience. If you would answer a few questions either by return email or by leaving comments for everyone to see, we can share what’s important to us:

  • Do you automatically use Google for product searches?
  • Would you use another search engine if it were readily available and gave the results you needed?
  • Do you go to websites only at the top of a Google search?
  • Do you click on the ads at the top of the search results?
  • Do you go to a product provider’s website directly before or after seeing Amazon results?
  • Do you really care that Google and Amazon are so big that they might be stifling competition and limiting your choices?

Thanks in advance for sharing your thoughts.

Kohls and Amazon Starting a Trend?

“If you can’t beat ‘em, join ‘em” is an old adage. It applies to today’s retail environment, in which we love ordering stuff online but hate the process to return the stuff we don’t love. Kohls and Amazon may solve our problem while they help themselves with a new program.

Beginning in July, the companies will roll out nationally a program that began two years ago at 100 selected stores in Los Angeles, Chicago and Milwaukee. It should be a win-win-win for consumers, Amazon and Kohls when the program goes operational in some 1,150 locations in 48 states.

We expect to be able to return merchandise that doesn’t work out or when we change our minds. It’s especially true when we buy online because we’re buying it sight-unseen or without having tried on or tried out the product. In a report in the publication Retail Dive, more shoppers than ever factor returns into their purchasing decisions. They cite a report from Stockholm-based payments company Klarna, which shows that 82% of shoppers consider returns a routine part of shopping, while 84% say they’re more likely to buy from a store offering free returns. Sixty-two percent say they wouldn’t purchase from a store that doesn’t offer free returns.

The numbers show online shoppers want a more seamless experience and will reward retailers who deliver it. Nearly half (44%) of respondents say slow returns are the most frustrating part of the returns process, as anyone will attest to. You have to put the product back in the box (a challenge of its own), seal it and bring it to a designated shipper. Still, 86% say they are more likely to return to a retailer that offers free returns.

Clearly, we demand mulligans, and that creates logistics issues for online retailers.

First, Amazon, which could handle 50% of online purchases by 2023, doesn’t have many retail outlets. Yes, you can pick up Amazon-ordered merchandise at Whole Foods, and the company is experimenting with cashless retail stores, which can be pick-up points. But those types of stores are not equipped to take back large volumes of clothing or household goods. The return program with Kohls gives Amazon customers a convenient place to bring back unwanted items, and Kohls must obviously have the logistics network capable of handling the returns.

Kohls can win by getting traffic into its stores. That’s a no-brainer. Just because you return something doesn’t always mean you don’t need the item. Who knows? You might find just what you need or want – in the right size or better style – while you walk through the store. And if you carried an item into a store, you can certainly carry it home.

The return policy covers “eligible” items, which may have something to do with size. You’ll be able to find out when you initiate the return process online, which is a requirement. You’ll need to take care of authorizations and paperwork through your Amazon account.

Our only advice: Make sure you maintain tight security for your network and account passwords. Any questions, call us – 973-433-6676 – or email us.

Tax Season: The Next Scam Season

I don’t know whether more money changes hands during the holiday shopping season or during tax season, but a lot is at stake between now and April 17 as people prepare tax returns. It’s a busy time of year for scammers, most of whom want to use fraudulent information to get your tax return money.

Probably one of the most common scams is someone calling from the IRS to say you owe back taxes. This happens every year and all year long, too. But there’s just one thing we want to remind you about, even if you know it: The IRS does not contact you by phone. Nor does the IRS contact you by email, a form of communications a scammer will use in a phishing expedition. The IRS sends you a letter.

The other scams you are likely to encounter are calls or emails from people or companies offering to prepare your tax returns and even provide you with an advance on your refund. The email scams are more insidious because if you click on a link, it could automatically trigger a breach of your computer that reveals sensitive information. If you follow through on a phone call or link, the scammer is going to request your Social Security number and other info that goes on a tax return. If the scammer is offering to advance you money from an expected refund, they’ll want your banking info, too. Once a scammer has this and other personal information, it’s easy to get credit cards and loans and commit crimes in your name.

From a computing point of view, we again remind you not to open emails from people you don’t know who offer help during the tax season. Delete them immediately. Do the same with an email from someone you know that seems out of context because it’s so easy to spoof an email address. For example, would you really expect Norman Rosenthal or Sterling Rose to prepare your taxes?

You can protect business and home networks and computers by making sure you have new, strong passwords for all networks and accounts. Strong passwords are long and contain a combination of upper- and lower-case letters, numerals and special characters. With the breach at Equifax, the risk of fraud is higher, and one of the problems it can lead to is that someone will file your tax return before you do.

With protection in place, you can use the internet for all of your tax-related activity, starting with IRS’s official website https://www.irs.gov/. In addition to being able to get tax forms and answers to questions, you’ll find links to help you find and verify information about tax preparers, including 10 tips for choosing one.

If you are preparing your own taxes, we recommend you use one of the established software providers to reduce your risk of a security breach, especially when you file online.

While we don’t prepare taxes, we can help you keep your networks and computers secure. Call us – 973-433-6676 – if you think your system may have been compromised. Call us or email us if you have any questions about system security or security settings for any software you use for tax preparation and filing.