Bring on the Passkeys

Passwords are porous, and so are some forms of two-factor authentication (2FA), such as those numeric codes sent to your phone or email to verify your identity. Known as one-time passwords (OTPs), they’re relatively safe, but hackers are getting better at breaching that defense. Passkeys are coming into their own as a stronger cybersecurity tool.

OTPs are typically provided in a text message, which is vulnerable to attacks in several ways. A hacker who intercepts the text to your phone might not get the password directly, but they could launch a smishing attack (it’s like an email phishing attack) and wait for you to make a mistake (responding to the text) to get into your account. More sophisticated hackers engage in SIM swapping or a more effective means of message interception to take over your phone and account. With those latter two forms of intrusion, it may take a while for you to discover the hack. Even if it’s less than an hour, it could be too late.

Risky as they are, OTPs by text are likely to remain in use for a while. Some companies are reluctant to change because they fear it will cost them customers who are not tech-savvy enough to adapt to more sophisticated verification tools. Most of you can reduce the risk somewhat by using a password manager. Reputable providers keep your master password secure – sometimes allowing you to bypass using it (as you’ll read shortly) – and add a strong layer of protection by generating long, complex passwords that are hard to crack.

As a smartphone and password manager user, you’re likely to be using a passkey already. For iPhone users, it’s facial recognition. For Android users, it’s a fingerprint. These and other passkeys work in the background to assemble a mathematical puzzle. The numbers are always changing, and they are not tied to anything that’s unique to you as a person. It doesn’t care about your mother’s maiden name or your first-grade teacher.

Most password managers use biometrics to authenticate you and your device, and you don’t need to be a tech wizard to set up and use it. For facial recognition, you just need to let the authentication app see several views of your face. For fingerprints, you just need to roll a finger over a sensor. In most cases, when using your smartphone, tapping on the app for a website automatically starts the authentication sequence.

Authenticator apps such as Microsoft Authenticator and Google Authenticator can work with website visits from a computer or mobile device. We like to set up our Microsoft OneDrive clients using Microsoft Authenticator to access files securely from any device from any internet connection.

For mobile devices, you can use a mobile app push for even more security. It works with mobile apps on your phone. When you log in to a website, you get a notification in the corresponding app on your phone that prompts you to verify your identity through that notification. This verification method is independent of the device you are logging in on and better than SMS or authenticator OTPs. However, you still need to pay attention. A hacker could repeatedly try to log in to your account using a stolen password, and you would get multiple messages on your phone to verify. If you click to verify, you could give the hacker account access.
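The repeated-prompt pattern described above can be spotted in sign-in logs. This added example (not from the original post) flags a burst of unapproved push prompts and any approval that follows one; the log format, the 10-minute window and the threshold of 3 are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in an assumed "timestamp user result" format.
SAMPLE_LOG = """\
2024-05-01T09:00:05 alice push_approved
2024-05-01T13:10:00 bob push_denied
2024-05-01T13:10:40 bob push_timeout
2024-05-01T13:11:15 bob push_denied
2024-05-01T13:12:02 bob push_timeout
2024-05-01T13:12:30 bob push_approved
2024-05-01T17:45:00 carol push_denied
2024-05-01T18:30:00 carol push_approved
"""

WINDOW = timedelta(minutes=10)  # assumed look-back period
THRESHOLD = 3                   # assumed number of unapproved prompts that make a burst


def parse(log_text):
    """Yield (timestamp, user, result) tuples from the assumed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        yield datetime.fromisoformat(ts), user, result


def find_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (user, timestamp, kind) tuples in time order."""
    recent = defaultdict(deque)  # user -> times of recent unapproved prompts
    alerts = []
    for ts, user, result in sorted(parse(log_text)):
        prompts = recent[user]
        # Forget prompts that have aged out of the window.
        while prompts and ts - prompts[0] > window:
            prompts.popleft()
        if result in ("push_denied", "push_timeout"):
            prompts.append(ts)
            # Alert once, at the moment the burst reaches the threshold.
            if len(prompts) == threshold:
                alerts.append((user, ts, "burst_of_unapproved_prompts"))
        elif result == "push_approved":
            # An approval right after a burst is the case worth a phone call:
            # the user may have tapped "approve" just to stop the prompts.
            if len(prompts) >= threshold:
                alerts.append((user, ts, "approval_after_burst"))
            prompts.clear()
    return alerts


if __name__ == "__main__":
    for user, ts, kind in find_push_fatigue(SAMPLE_LOG):
        print(ts.isoformat(), user, kind)
```

An "approval_after_burst" alert is the one to act on first: confirm with the user by phone and change the password, since the prompts imply it is already stolen.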

We can help you move to a stronger authentication process. Call us – 973-433-6676 – or email us to see what authentication could work best for you. We can help you install and configure the necessary software and get you started on using it.

Phishing in Your Own Waters

If you own a small business or professional services firm, you depend on your employees to have enough tech savvy and common sense to avoid links in email messages or on websites that open your system to bad actors. No matter how much you trust them, you need to verify they’re doing the right thing. You can test your human security defenses by using your own phishing expedition to see how they’re doing.

We’ve become acquainted with independent cybersecurity firms by attending conferences over the years. We learn a lot from our peers and presenters – such as that it takes an average of 244 days to detect a system breach and that using the cloud will be a necessity by 2028. We’ve also emphasized the need to have a thorough security audit, but as an IT firm, there’s only so much we can do. We also think that an IT firm is not the best organization to really get into the granular details of your security because we all have a vested interest in finding problems to fix.

An independent security expert can find the smallest breach openings in your system and tell you what needs to be done. One of the most fascinating tools they use is a phishing campaign aimed at everyone who works in your organization. They can plant fake links and QR codes and any other tool that a hacker can use to get someone to open a window into your system. They also have tools to mimic the follow-up methods that hackers use once somebody makes the initial click – or the first phone call to a bogus number.

The educational value of using your own phishing expedition is enormous. Not only will it help you patch up holes in your organization, but it also becomes a great teaching tool about why everyone needs to be vigilant. As we use more and more data to conduct business – and in our personal lives – it becomes more and more important to protect that data. You should remember that your organization is part of a data custody chain – a chain that can branch off in many directions. Intruders are highly sophisticated and well-funded – as well as very patient. They will do whatever it takes to get into your system and build tunnels to other systems. You put your reputation and integrity on the line every time you take in data and send it out.

AI will be able to generate untold amounts of data, but there is little it can do to eliminate misinformation automatically.

Eliminating misinformation requires real human intelligence and deliberate, active steps to prevent that first breach – the one that could take 244 days to find. At the risk of sounding like a broken record, in every location and on every device used to conduct your business:

  • Use a firewall and make sure it’s up to date.
  • Use anti-virus and malware software and make sure it’s up to date.
  • Install updates to operating systems and application software on every device you have. Those updates contain security patches and bug fixes to prevent intrusions.

We can help you arrange for a comprehensive security audit that includes a phishing expedition and a deep dive into your equipment and practices. Call us – 973-433-6676 – or email us to discuss your needs and develop a security action plan.

COVID Vax Posts Help ID Thieves

You lock your doors. Security cameras ring your house. And then you post pictures of your vaccination cards on Facebook after you get your injection. We regard our vaccinations as an achievement and an encouragement for others to get their shots. Identity thieves are not gonna miss their shot at mining your data.

Let’s be real. The information on most vaccination cards is minimal: your name and your date of birth. Both pieces of information are likely known to many people and organizations who interact with you, and it’s all readily available on public information websites. We won’t get into how many of you don’t make your year of birth available on Facebook for “privacy” reasons. But you do appreciate birthday greetings.

That said, let’s get back to the vaccination cards. I fall into two groups: 1c for my age and 1b for health reasons. If an ID thief is looking for some way to carry out medical fraud, my info is right there. Looking at my age and 1b status, the thief has the makings of a target. The name and date of birth on an official document validate who you are.

The thief can find my home address. Again, it’s public information, but when it’s added to my “dossier,” it’s another piece of a puzzle. I know I have added more clues about me when I shared some of my hospital visits. In and of themselves, each piece is small, but a thief may have enough to start looking at things just to let me know that they know me.

Then comes the phishing email disguised as an offer about some kind of insurance. If I bite by clicking on a link or opening an attachment, the thief can plant some malware to get a lot more information by mining my data. They might even get into my medical records and have enough info to file a false claim for treatment I never had. They might also lock me out of my records by changing all my login credentials and using HIPAA regulations. In short, I can wind up on the hook to pay for treatment I never had, and I can’t get info about the bill.

It’s one scenario about how big data can be mined – legally and illegally – from one small piece.

You can be vulnerable in other ways.

Let’s say you take a car trip somewhere, and you post a picture that includes your car and shows its license plate number. If your car is desirable, a thief can use your license plate number to trace your address – or maybe start observing you. When you leave the car somewhere, such as in a supermarket parking lot, it’s easy enough to get the VIN number through the windshield and then take steps to retitle your car before stealing it and selling it “legitimately.”

Big data makes these examples possible. There’s a lot more out there all the time, and hackers are more sophisticated. Better software tools allow more thieves to gather and analyze data to pinpoint a target and let them commit a larger number of small crimes that add up to decent money.

Our advice is simple: Don’t put any more of your data out there than is absolutely necessary. Be careful about what you photograph and post. Be careful about how you handle email and about the info you provide – even to legitimate businesses and organizations – by email or telephone. Even with those you know, question why they need certain information, such as your Social Security Number. Use common sense.

You can augment your common sense by keeping all your operating system and application software up to date; updates usually include security patches and bug fixes. Install, properly configure and update anti-virus and malware protection software. We can help you install and maintain software. Call us – 973-433-6676 – or email us to set up an appointment.

Oh, and one more thing: Get your COVID vaccination as soon as you can!

Websites and the Need to Know

Why do some companies and organizations, especially non-profits, feel the need to post the names of their entire staffs on their websites? The question came up in a recent conversation with an IT colleague.

Smaller companies and non-profits seem to get hack-attacked more often, and they tend to list everyone in the company or organization on their websites – along with their contact information. If that organization is running “lean and mean,” it could have a lot of people wearing many hats and juggling unrelated tasks. That can create a vulnerability when an outsider can distract a busy worker who has access to sensitive information.

Here’s a possible scenario that illustrates the problem.

When you list the contact info for the bookkeeper, you may be listing it for an employee who has access to all the organization’s financial data but has no need for public contact. A hacker doesn’t need to be especially skillful to use the bookkeeper’s email address to launch a phishing attack in a variety of ways. The most obvious, of course, would be to spoof a bank. But it could also be a spoof email from someone connected with the organization who is looking for something, such as wanting to know if a check was deposited.

If the bookkeeper responds to the bogus bank link or the spoofed email, it could open the door to getting more financial information or sensitive data – not only from your organization but from every person or organization you deal with.

Why take the risk? If you limit names and contact information to those whose duties involve some aspect of public contact, you can limit your exposure. If someone really needs to contact your bookkeeper, for example, they can call a general phone number for the organization where a gatekeeper can determine if it’s a legitimate call or can “take a message” so the bookkeeper or another employee can return the call. If the contact is made by email, it can go to a general mailbox, where a gatekeeper can read it and distribute it appropriately.

If you limit contact info in a small company or non-profit to the C-Suite, you can limit your exposure to hacking, ransomware and other vulnerabilities. If people outside your organization need to contact specific individuals, that information can be provided privately.

We can help. Call us – 973-433-6676 – or email us to help you set up appropriate email addresses and work with your web designer to make your website more secure.

CAVEAT EMPTOR!!!

“Buyer Beware!” is a more important warning than ever before if you’re buying phones, computers, tablets and other electronic devices online. We all like online bargains, but the looting that took place as peaceful demonstrations fell apart will put a lot of stolen goods on the market. It’s a fact of life – not a political or social statement. Here’s what you need to know.

First, mobile phones, tablets and computers have built-in tracking. If the merchant from whom the devices were stolen reports the identifying information to the manufacturer, a message can be displayed as soon as the device is connected to any kind of network. It will tell the user that the device is stolen and cannot be put into service.

Second, in all likelihood, if you bought tainted goods on the internet, you bought it from a less-than-reputable seller, which means you won’t get any support from the manufacturer or a cellular network carrier. We can’t say for sure, but a manufacturer or merchant who knows where a stolen device is could initiate action to get it back.

Third, if you used a credit card, your account information is now in the hands of people who can monetize it at some point.

In short, you’ll have no consumer protection, and you could have a lot of liabilities. That puts the onus squarely on you to make sure you visit only legitimate merchant websites and buy from legitimate sellers.

Everyone can expect to be bombarded with offers from sellers, legitimate or not. We’ve been bombarded for years. Some offers come through phishing expeditions, which can look legitimate but may have one slight change from a seller that might be familiar to you. You might see an ad on a website, and that can be a tough call. Huge businesses have been built – legitimately – by tracking your browsing history and then sending you ads. It’s easy for a “fencing” operation to set up a website that has every appearance of legitimacy.

Our advice is simple. Only click on links that you are 100 percent sure are legitimate websites. Only buy electronics from legitimate sources. They may be well-known retailers as well as vendors vetted and supported by services such as Amazon. You can be reasonably assured you are getting a legitimate product and that your credit card information will be properly protected. And if your product is defective or not what you expected, you should be able to exchange or return it within a clearly stated policy.

If you have any questions about a product you’re shopping for, don’t hesitate to ask us about its properties or things to look for in a seller. Call us – 973-433-6676 – or email us if you have any questions.

What Are Your Biggest Online Threats in 2020?

Cyberthreats will be coming at you – and any person or organization with whom you have an online relationship – with increasing speed and sophistication. For some, it might feel like you’re living inside an online fantasy game, but it’s real life. Here’s what to look for.

Phishing and Social Engineering

There’s nothing new about phishing, where cybercriminals try to obtain sensitive information, like passwords or financial information, usually by using links in emails to install malware to breach your system. Non-profits have been major targets because they don’t have alert systems built into network infrastructures, but any business, governmental organization or individual can be hit. We’ve discussed the need to be highly aware of what you’re clicking and to exercise extreme caution. As an individual user, you have control.

At businesses, it’s a bigger chore to combat phishing. Attacks enable hackers to steal user logins, credit card credentials and other types of personal financial information, as well as gain access to private databases.

Going hand-in-hand with phishing is social engineering, which can cover a multitude of attacks such as disinformation and deep fakes spread by social media. We see this as one of the biggest threats you face this year.

Social media makes it easier to spread disinformation faster than anyone can send out the facts to repudiate fakery or misrepresentation. Deep fakes relate to fake images and videos being created by deep learning techniques. We’ve seen them in the political arena and can expect more of them to be leveraged as a tool to attempt to discredit candidates and push inaccurate political messages to voters via social media. We’ll also see them in ransomware, showing targets realistic videos of themselves in compromising situations. We’ll also see more spoofing in business email with deep fakes used to add a further degree of realism to the request to transfer money.

Ransomware

Ransomware attacks cost billions of dollars every year, as hackers literally kidnap an individual or organization’s databases and hold all of the information for ransom. The rise of cryptocurrencies such as Bitcoin spurred ransomware attacks by allowing ransom demands to be paid anonymously. As companies build stronger defenses against ransomware, some experts believe hackers will increasingly target other potentially profitable ransomware victims such as high-net-worth individuals.

Third-Party Vulnerabilities (IoT, Cloud, Supply Chain)

This is a tough threat to ward off because you have some control over your vulnerabilities but not all of them. With the Internet of Things (IoT), you have control. Make sure that you change every default username and password for every device you connect to your network and have a strong network password and firewall. I have little sympathy for people whose systems are hacked because they didn’t take the proper setup steps to prevent invasion.

The cloud is as safe as you can get, especially with large, reputable service providers. They have the resources to deploy the most advanced security measures and multiple services to protect your data. Our advice here is to use a top-rated cloud service provider and make sure you have protected your network, just as you would to maintain IoT security.

The supply chain is tough. With so many companies using the internet to fulfill product orders, manage vendors and customers and provide financial services, each one of them can rely on hundreds of vendors. You rely on all of them to keep your data safe, and that can make any one of them the weakest link in your security. Your best defense is to take every security precaution you can, such as keeping your software and hardware up to date, using common sense on what you click, and letting others know when you have concerns about their security.

Internal Attacks

We have only begun to see the impact insiders can have on organizations as well as national and global security. While the news focuses on dangerous insiders exfiltrating data to foreign governments and terrorist organizations, you need to focus on your business – and your business partners. In all likelihood, your biggest threats will be data theft for monetary purposes – similar to the effects of ransomware – or some disruption of your business by a disgruntled or careless employee.

5G’s Unprecedented Data-Theft Speeds

5G cellular technology promises unprecedented speed to make it possible to have more effective infrastructure, autonomous vehicles, faster emergency response and greatly improved telemedicine. It will be almost entirely software-driven; you’ll need hardware capable of handling it. Because it will be software-driven, it will be susceptible to hacks. You’ll need to follow safe internet practices and hope that everyone else does, too. There’s not much you can do technologically in the grand scheme of things, but you can and should demand that large organizations and governments take steps to protect 5G networks.

We can help you make sure you have the knowledge and systems in place to protect your systems from cyberthreats. Contact us by phone – 973-433-6676 – or email to discuss your needs.

Fraud’s Warning Signs

Anyone who tries to defraud you online – or even on the telephone – is literally banking on your carelessness. Take a good look at emails and links and listen carefully on the phone. You can spot the fraud, and if you’re not sure, disengage and call the person you think contacted you – on the telephone – or send a new email, totally separate from the thread.

It’s important to be on “high alert” because the hackers and scammers are at the top of their game, and their targets include trusted advisors, such as accountants and tax preparers. We should state that these people should have secure systems in place and should know not to send or request sensitive, confidential information through email.

But at the end of the day, you need to take ownership of your privacy, so here are some tipoffs that a communication might not be secure or might be out-and-out fraudulent.

First, does your accountant normally contact you by email? If not, that ought to raise a red flag. Second, can you absolutely verify that the email is from your accountant? While some email systems are good at spotting something fishy (or phishy), a scammer is betting that you’re not going to pay attention. Check the properties of an email address. It could very well be that cybercriminals were able to recreate the look and feel of an email from your accountant, but unless they actually got into the accountant’s server, a phony email will have a phony email address.
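Checking the address behind the display name can be automated. This added example (not from the original post) compares a message's From header with an address book and flags a familiar name on an unfamiliar address, or a domain that is a near-miss of a trusted one; the contact, the `.example` domains, the 0.85 similarity cut-off and the sample messages are all constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Hypothetical address book: display name (lower case) -> address already on file.
KNOWN_CONTACTS = {"pat morgan cpa": "pat@morgan-tax.example"}

# Constructed sample messages (headers only matter here).
SAMPLES = {
    "genuine": 'From: "Pat Morgan CPA" <pat@morgan-tax.example>\n'
               "Subject: Your organizer\n\nSee the client portal.",
    "name_spoof": 'From: "Pat Morgan CPA" <pat.morgan.cpa@freemail.example>\n'
                  "Subject: Form attached\n\nPlease fill in the attached form.",
    "lookalike": 'From: "Morgan Tax Billing" <billing@rnorgan-tax.example>\n'
                 "Subject: Invoice\n\nPayment details changed.",
}

LOOKALIKE_RATIO = 0.85  # assumed cut-off for "almost the same domain"


def check_sender(raw_message, contacts=KNOWN_CONTACTS):
    """Return a list of findings about the From header; empty means no flag."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name_key = " ".join(name.lower().split())  # normalise case and spacing
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # 1. The name is one you know, but the address is not the one on file.
    expected = contacts.get(name_key)
    if expected and addr != expected.lower():
        findings.append("name_address_mismatch")

    # 2. The domain is close to, but not exactly, a domain you trust
    #    (for example "rn" standing in for "m").
    trusted = {a.lower().rpartition("@")[2] for a in contacts.values()}
    for good in sorted(trusted):
        ratio = SequenceMatcher(None, domain, good).ratio()
        if domain != good and ratio >= LOOKALIKE_RATIO:
            findings.append("lookalike_domain")
            break
    return findings


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_sender(raw))
```

An empty result only means the sender is not imitating someone in the address book; mail sent from a genuinely compromised account passes this check, which is the case the paragraph above sets aside.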

Attachments can be another tipoff to fraud. You should be suspicious if you get an email with attachments that are supposed to be forms, such as a tax form you need to fill out or a return to verify. Are you being asked to provide your Social Security number and maybe your birthday? Can you open it without having to go to a secure website and enter a password? That doesn’t pass our initial smell test.

If your accountant does contact you about sensitive information or forms, are you referred to a secure website? Do you have that link with your access credentials safely stored? In a safe world, you can log into your account by entering the website address from your browser and entering your credentials.

If something doesn’t look right, you should always be able to call your accountant on the telephone.

And just to go one step farther this spring, here are some other things to be wary of.

Are you getting emails supposedly from someone you haven’t heard from in ages? And does it have a short subject line, such as “hi”, with no message but a link? That’s a sign of fraud, and clicking the link could open a breach in your system that can expose your sensitive data.

Are you getting Facebook friend requests from people who are already your friends? That’s generally a fraudulent request by someone looking to get into your system.

Anyone using fraudulent methods to get into your computer system may also be planting some kind of virus or malware to help infect other computers. If you think you may have clicked a link by mistake that could lead to a breach of your system, shut down your computer and disconnect it from the internet. Then call us – 973-433-6676 – so that we can apply our tools and expertise to minimize the damage and clean up your system.

Tax Season: The Next Scam Season

I don’t know whether more money changes hands during the holiday shopping season or during tax season, but a lot is at stake between now and April 17 as people prepare tax returns. It’s a busy time of year for scammers, most of whom want to use fraudulent information to get your tax return money.

Probably one of the most common scams is someone calling from the IRS to say you owe back taxes. This happens every year and all year long, too. But there’s just one thing we want to remind you about, even if you know it: The IRS does not contact you by phone. Nor does the IRS contact you by email, a form of communications a scammer will use in a phishing expedition. The IRS sends you a letter.

The other scams you are likely to encounter are calls or emails from people or companies offering to prepare your tax returns and even provide you with an advance on your refund. The email scams are more insidious because if you click on a link, it could automatically trigger a breach of your computer that reveals sensitive information. If you follow through on a phone call or link, the scammer is going to request your Social Security number and other info that goes on a tax return. If the scammer is offering to advance you money from an expected refund, they’ll want your banking info, too. Once a scammer has this and other personal information, it’s easy to get credit cards and loans and commit crimes in your name.

From a computing point of view, we again remind you not to open emails from people you don’t know who offer help during the tax season. Delete them immediately. Do the same with an email from someone you know that seems out of context because it’s so easy to spoof an email address. For example, would you really expect Norman Rosenthal or Sterling Rose to prepare your taxes?

You can protect business and home networks and computers by making sure you have new, strong passwords for all networks and accounts. Strong passwords are long and contain a combination of upper- and lower-case letters, numerals and special characters. With the breach at Equifax, the risk of fraud is higher, and one of the problems it can lead to is that someone will file your tax return before you do.

With protection in place, you can use the internet for all of your tax-related activity, starting with IRS’s official website https://www.irs.gov/. In addition to being able to get tax forms and answers to questions, you’ll find links to help you find and verify information about tax preparers, including 10 tips for choosing one.

If you are preparing your own taxes, we recommend you use one of the established software providers to reduce your risk of a security breach, especially when you file online.

While we don’t prepare taxes, we can help you keep your networks and computers secure. Call us – 973-433-6676 – if you think your system may have been compromised. Call us or email us if you have any questions about system security or security settings for any software you use for tax preparation and filing.