Can You Hack-Proof Your Personal Email Address?

This simple trick can help reduce spam and add an additional layer of protection against phishers and identity thieves.

How would you feel if the digital “you” were deleted? The common wisdom in cybersecurity circles is that if you think it can’t happen to you, it probably will. Consider Mat Honan’s story.

“First my Google account was taken over, then deleted,” Honan wrote. “Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages.” Honan’s AppleID was used to remotely delete all the data on his iPhone, iPad, and MacBook.

“My accounts were daisy-chained together,” Honan confessed. Sound familiar? Most people have to authenticate via daisy-chain. Even if you have everything segregated and use multi-factor authentication, chances are good that your personal email address is used to log in to most of the places you go online.

If a hacker gains access to your personal email account and, like most people, you’re lax when it comes to personal cyber hygiene, it could be game over for you—not only with regard to your data, but for whatever assets and accounts you manage online.

Can Your Personal Email Be Hack-Proofed? 

The short answer is no. Hacks and data breaches are the third certainty in life, right behind death and taxes. In fact, the most likely reason you haven’t been hacked yet is that there is a staggering number of sitting ducks out there. Needless to say, however, there is no safety in numbers. Hackers become more efficient all the time. 

While there is no silver bullet to our collective vulnerability, brothers Steve and Robert Yoskowitz think they might be able to help with Joinesty, a Chicago-based digital security startup that recently released an interesting Chrome extension.

Like LastPass and other password managers, Joinesty allows users to change passwords for everything they access online. Login credentials are automatically generated and easy to manage.

What makes Joinesty different is that they also let users create unique email addresses (to be forwarded in real time or delivered in daily digest form) for everything they access online, thereby shielding their personal email address from prying eyes.

In addition to email management, Joinesty lets users know about deals that are available at over 7,500 merchants in real time.

“The feature injects into Google so users can see what deals are available within their search results,” CFO and co-founder Steve Yoskowitz told me. “As cybersecurity and privacy become everyday and every-person concerns, we are trying to create an environment of security appealing to a demographic which may not know how much they need it, while targeting the interactions and online behavior that expose users the most.”

Before you decide that Joinesty is an advertising vehicle disguised as a cybersecurity solutions company, I asked about revenue, which is subscription based. Users can choose between monthly or annual subscriptions at $6.99 a month or $41.99 a year.

“The pillars of the Joinesty brand are trust, transparency, and simplicity,” Yoskowitz told me.  “We structured every aspect of our platform around these pillars, including our revenue model.”

Why Personal Email Addresses?

Nobody needs a disquisition on the dangers of using the same password for different accounts and services, though the number of consumers who still do it is alarming.

Instead, how about a quick lecture: According to one recent survey, more than 80% of people 18 and older re-use the same password across multiple accounts. The most popular password in 2016 was “123456.” For less than $1,000, hackers can buy a machine that has the capacity to test billions of passwords per second. Effect: You are vulnerable. Password managers work, so use one. (End of sermon.)

Actually, it’s not quite the end of the sermon. Because lousy password hygiene is so prevalent, you need to know if your personal email address has been leaked in a data breach or, better yet, just assume that it has been. Haveibeenpwned.com is one place to go if you’re curious.

Personal email addresses present a huge vulnerability for most people and an infinite number of clear-sky lines of attack for hackers.

A recent data sample found that in the United States there are an average of 130 accounts assigned to a single email address. We’re talking about newsletters, e-commerce sites, banks, gyms, portals to your medical records and healthcare coverage, investments, car loans, credit cards, and—as Mat Honan knows all too painfully well—social networking sites.

Your personal email address is one of your most visible forms of personally identifiable information (PII), and yet many websites require it. If your email is commandeered, whoever has control of it is just a few clicks away from taking control of your finances and anything else they might care to target. Think of your email address as a much less secure version of your Social Security number—especially if you have bad password habits.

I asked Yoskowitz about the use of personal email addresses as a login credential. After a quick scan of the top 210 Quantcast sites, he found that only 26 had no login. “Two had a username—instead of email—for logging in, so roughly 86% currently require email for login,” Yoskowitz told me.

Fewer Opportunities to Click and Get Got

So, is Joinesty addressing the personal email problem or taking advantage of it? Does the solution open up new vulnerabilities? Is this merely a ploy to sell ads and profit off our collective cyber-insecurity? 

The first thing you need to know is that Joinesty offers something of value.

It is not tokenization per se, but it’s like it in that Joinesty replaces PII (in this case your personal email address) with equally valid but non-identifiable data.

“We retain the purposes and benefits of tokenization allowing the user to retain all the functionality of giving out their personal email—logging into their accounts, receiving deals—without that email address having any inherent value to hackers because of its unique one-off nature.” 
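To make the one-alias-per-site idea concrete, here is an added sketch (not Joinesty's code and not from the original article) that derives an opaque alias for each site and uses it to spot mail arriving from somewhere other than the site the alias was given to. The forwarding domain `alias.example`, the demo secret and the site names are assumptions made up for the example.

```python
import hashlib
import hmac

ALIAS_DOMAIN = "alias.example"      # hypothetical forwarding domain
DEMO_SECRET = b"constructed-demo"   # constructed per-user secret, never reuse


def alias_for(site, secret=DEMO_SECRET):
    """Derive an opaque alias for one site; it reveals neither the site
    nor the real mailbox, and differs for every site."""
    tag = hmac.new(secret, site.lower().encode(), hashlib.sha256).hexdigest()
    return f"{tag[:12]}@{ALIAS_DOMAIN}"


class AliasBook:
    """Tracks which alias was handed to which site."""

    def __init__(self, secret=DEMO_SECRET):
        self.secret = secret
        self.issued = {}  # alias -> site it was given to

    def issue(self, site):
        alias = alias_for(site, self.secret)
        self.issued[alias] = site.lower()
        return alias

    def revoke(self, alias):
        # Dropping one alias cuts off one sender without touching other logins.
        self.issued.pop(alias.lower(), None)

    def classify(self, recipient, sender):
        """Return (verdict, site) for a message sent to one of our aliases.

        'mismatch' means the alias is being used by someone other than the
        site it was issued to, so that site shared, sold or leaked it.
        'expected' is not proof of legitimacy: sender addresses can be forged.
        """
        site = self.issued.get(recipient.lower())
        if site is None:
            return ("unknown", None)
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        if sender_domain == site or sender_domain.endswith("." + site):
            return ("expected", site)
        return ("mismatch", site)


if __name__ == "__main__":
    book = AliasBook()
    shop = book.issue("shop.example")
    print(shop, book.classify(shop, "deals@unrelated.invalid"))
```

Because each alias is tied to a single account, a leaked one can be revoked and reissued without changing the address used anywhere else.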

Parting shot from my book Swiped: When creating an account on sites that allow a non-email login name, let your spirit fly. Be creative (but store it somewhere on a cheat sheet that resides on an encrypted memory stick). You might even consider using a long-and-strong password as your login name if the site will allow it.


The post Can You Hack-Proof Your Personal Email Address? appeared first on Credit.com.

How Secure Will ‘The Cyber’ Be Under Trump?

Here's why we need the CFPB to protect us from identity theft and maintain our cyber security.

I have to admit that when President-elect Trump uttered “the cyber” during the first presidential debate, I was right there with the tech community in the collective eye-rolling that followed. “The Cyber” memes were born, along with real concern about the candidate’s grasp on cyber security, and with the recent announcement of former New York City Mayor Rudy Giuliani as the cyber czar, those concerns multiplied.

The seeming “misunderestimation,” or possibly anti-comprehension, regarding something so crucial to national security may not on the surface seem like a consumer issue, but it is.

Our nation’s approach to cyber security at this juncture — beset by hostile state-sponsored attacks on our electoral process, expertise and secret information grabs from major industries and the federal government, and ransomware attacks — is a matter of the utmost urgency, and the President-elect has said as much to his credit.

But Mr. Trump’s response can’t be just a marketing move or a branding opportunity — things he gets. There must not be merely the appearance of change — commissions talking and debating endlessly with little to show for it. There must be actual boots-on-the-ground solutions — now. Unfortunately, I don’t think that’s what will happen.

The Consumer Financial Protection Bureau specifically comes to mind — our nation’s most successful boots-on-the-ground agency — if Mr. Trump does as many are predicting he will do, and makes it yet another piece of President Obama’s dismantled legacy.

The CFPB was an important accomplishment of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. The agency is charged with protecting consumers from the predatory financial practices that brought about the economic meltdown of 2007 to 2008, and to watch out for signs of future trouble. The CFPB has the power to ban financial products deemed “deceptive, unfair or abusive” and to impose penalties on companies that take advantage of consumers.

Barring a judicial miracle, the current CFPB director Richard Cordray is almost certainly going to receive one of Mr. Trump’s signature “You’re Fired” communiqués. (Interesting side note, our President-elect doesn’t own that trademark.) Worse, an anti-CFPB former Texas Congressman, Randy Neugebauer, appears to be the leading candidate to get the job.

Among other things, the Distinguished Gentleman from Texas thinks payday lenders are too roughly treated by the CFPB and that all business contracts should contain mandatory arbitration clauses (barring class action suits). He also thinks that the CFPB should be headed not by a single director, but by a commission of people from both sides of the aisle. Those of us who support the CFPB believe that this would diminish the agency’s ability to go after dangerous practices that harm consumers in a timely and effective way.

The Trump transition team did not respond to a request for comment regarding its plans for the CFPB and/or Cordray.

This Is About Appointing the Right People

It was reported last week that the cyber security czar role in the Trump administration will fall to the President-elect’s close associate and campaign stalwart, former New York City Mayor Rudy Giuliani.

There is a connection here between what appears to be afoot at the CFPB and the next administration’s approach to cyber security — both represent bad decisions based on a basic incomprehension of what is at stake and what needs to happen next. The CFPB works, specifically the single-director approach. Instead of hiring an opponent of the agency to presumably dismantle it, we should be using it as a model to create a single-director federal agency that emulates the CFPB to oversee cyber security.

As it stands, Mr. Giuliani will be bringing together experts working on cyber security solutions and business leaders who are targeted by hackers from the energy, financial and transportation sectors. The next step that is missing here is a government agency that can fine entities that do not meet the threshold for cyber security best practices — mandated employee education, maintaining technology and tools, hiring experts — practices that the agency would determine and set as a standard. (You can learn more about how to protect yourself from cyber threats like identity theft here and monitor two of your free credit scores for signs of foul play every 14 days on Credit.com.)

In a recent interview, Mr. Giuliani said of the President-elect, “He’s going to elevate this to a very large priority for the government — and I think by doing this, he’s trying to elevate this as a priority for the private sector.”

As the Christian Science Monitor’s Passcode noted, quoting the former NYC mayor, the idea here is pretty simple: Trump will go straight to the public to “educate people on how important [cybersecurity] is, even to the point of their own personal protection.”

That is a fantastic idea that everyone should applaud. Whether the user is in the Pentagon or logging onto a free Wi-Fi network, our cyber security too often comes down to an individual clicking or not clicking on a malware-laden link or falling prey to some other security pratfall.

That said, any agency dedicated to cyber security would need to work closely with the military and intelligence communities, and would also have to focus its resources on real solutions to the dangers we face, many of them extinction-level threats. The person running it would have to be at the cutting edge of cyber security best practices.

When the news came down of Mr. Giuliani’s cyber czar role, experts almost immediately hit Twitter with reasons this was a bad idea. (Mr. Trump’s transition team also didn’t respond to a request for comment regarding this choice. Giuliani was not readily available for comment either.) As happens, the cyber security community took a look at the website of Giuliani’s cyber security company, giulianisecurity.com. They found serious problems, including expired SSL, no https and an exposed CMS login, to name a few. You don’t need to know what these things are, but the cyber czar sure does. There can be no “oops” in his or her record.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.


The post How Secure Will ‘The Cyber’ Be Under Trump? appeared first on Credit.com.

9 Ways to Protect Your Credit While Holiday Shopping

Here are nine ways to protect yourself while shopping this holiday season.

The holiday shopping season isn’t just a favorite time for retailers, but also for scammers who are hoping to take advantage of all that extra spending you’re doing.

That’s why I want to urge you to use caution this year. It’s easy to be focused on trying to find everything on your list and miss some of the risky behaviors you might be engaging in.

Here are some things you can do to protect yourself this holiday season.

1. Carry just one credit card with you and leave the rest at home. That way, you’ll minimize the risk if your wallet or purse is stolen.

2. Only shop at well-known stores. “Pop-up” stores are becoming increasingly popular, especially in major urban centers, but these stores may not always be legitimate, or they may not have the best payment security.

3. Cover your PIN when paying with your card so others can’t see it.

4. If shopping online, make sure the website is secure and provides a level of security and authenticity for your purchases.

5. Don’t lend your credit card to a family member or friend. You may trust them, but you lose control of your card and if it’s stolen, it will be YOUR credit that could be affected.

6. Review charges while still in a store. It’s so easy to accidentally turn a $10.00 charge into a $100.00 charge.

7. Be cautious when filling out forms, such as those for home delivery, extended warranties, rain checks, etc. These forms contain a lot of personal information that can easily be used by a scammer or identity thief. Ensure that the form is received by a store employee.

8. Keep all receipts for every purchase you make. When your credit card statement arrives, sit down and go line by line through each purchase, comparing the purchase on the statement with your receipts. This seemingly daunting task will not take as long as you think it will, and your credit will benefit, since too much debt can hurt your credit scores.

9. Never spend more than you can immediately pay back. Even if the deal is really good, you’ll lose the benefit of the discount if you can’t pay off your credit card before you are charged interest, so set a budget.

The holidays can be a lot of fun and a good opportunity to get some deals, but make sure to follow these tips so you come out ahead and your credit is protected.

[Editor’s note: Regularly checking your credit scores can help you recognize quickly if you’ve been a victim of fraud. That’s because your scores can be vulnerable to major spending changes. You can get your two free credit scores, updated every 14 days, on Credit.com.]


The post 9 Ways to Protect Your Credit While Holiday Shopping appeared first on Credit.com.

Nearly All Data Breaches Happen in Minutes, Report Finds


Most data breaches happen fast — in a matter of minutes, according to a new Verizon report — but the impact on you and your credit report could make for a very long lasting financial headache.

Cybercriminals institute data breaches to steal your Social Security number, credit card number, bank account information and many other forms of personal financial information. And according to the latest Verizon 2016 Data Breach Investigations Report, these thieves still find success with phishing emails. Per the report, 30% of phishing messages were opened. This compares to the previous year’s figure of only 23%. Meanwhile, 13% of those clicked to open the malicious attachment or nefarious link.

Regardless of what method was used to compromise sensitive data, in 93% of cases, attackers were able to compromise systems in just a matter of minutes.

Verizon analyzed more than 2,260 confirmed data breaches and more than 100,000 reported security incidents, finding that 89% of all attacks involve financial motives while ransomware attacks were up 16% from 2015. Meanwhile, 63% of data breaches were thanks to weak or stolen passwords.

Also blamed for data breaches are ‘miscellaneous errors,’ which can include improper disposal of sensitive information, misconfiguration of IT systems, and lost and stolen devices, such as laptops and smartphones. These errors also include people mistakenly sending sensitive information to the wrong person, which accounts for 26% of these errors, Verizon found.

What Can You Do About It?

When your information is stolen, thieves will typically sell it — or use it for themselves — to open as many accounts as fast as they can in your name. Unfortunately, you may not find out about it until you’re applying for a mortgage, opening a line of credit or financing a car, when it’s already too late.

You can, however, take a few simple steps to help protect yourself from cybercrime. For starters, you can implement two-factor authentication for your applications and social networking sites, encrypt your data and limit who is authorized to access it. It is also helpful to be familiar with the signs your identity has been stolen or your credit information has been compromised.

Staying informed about your credit scores and individual credit accounts is also helpful in minimizing any damage done by data compromises. You can check your free annual credit report every year at AnnualCreditReport.com, and keep track of your credit scores by viewing your two free credit scores, updated monthly at Credit.com, to make sure there aren’t any fraudulent accounts on your file. You can also go here to learn what to do if you are a victim of identity theft.


The post Nearly All Data Breaches Happen in Minutes, Report Finds appeared first on Credit.com.

The Typo That Can Get You Hacked


Here’s another reason to be extra careful about what you type into your web browser.

Cybersecurity firm Endgame has unearthed a new spin on the good old “typosquatting” scam — the practice of purchasing domain names similar to legitimate websites (think Gooogle.com) in hopes that a small keyboard snafu nets hackers access to your computer.

The new scam aims to install malware on devices after users accidentally type “.om” instead of “.com” after popular URLs. Endgame discovered the scheme after one of its employees mistakenly typed “Netflix.om” instead of Netflix.com when attempting to watch the latest season of House of Cards earlier this month.

Per a company blog post:

“He did not get a DNS resolution error, which would have indicated the domain he typed doesn’t exist.  Instead, due to the registration of “netflix.om” by a malicious actor, the domain resolved successfully. His browser was immediately redirected several times, and eventually landed on a ‘Flash Updater’ page with all the usual annoying (and to an untrained user, terrifying) scareware pop-ups.”

After doing some more research, Endgame found the streaming service wasn’t the only popular URL being “om’ed.” Though some sites bearing that ending were legitimate, 319 .om domains appeared to have some type of scheme attached to them. (Fake Flash Updates, for instance, are commonly linked to a well-known malware named Genio that attaches itself to web browsers and mines for data.)

You can see a full list of the potentially dangerous domains here. It’s important to note you could also be in trouble if you typed the “c”, but misplaced the period. (Example: bestbuyc.om or cnnc.om.) This particular typosquatting game was easy for hackers to play, Endgame said, since “.om” is the country-specific domain name for Oman.
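For anyone who runs a home or office DNS resolver, both typos described above (the dropped “c” and the misplaced period) can be searched for in its query log. The following is an added example, not Endgame's tooling; the brand list, log format and log lines are constructed for illustration.

```python
# Added example: find ".om" typosquat lookups in a resolver log.
# BRANDS and SAMPLE_LOG are constructed; the "time client name" format is assumed.

BRANDS = ["netflix.com", "bestbuy.com", "cnn.com"]  # registered .com names to watch

SAMPLE_LOG = """\
09:12:01 10.0.0.21 www.netflix.com.
09:12:07 10.0.0.21 netflix.om.
09:13:40 10.0.0.35 WWW.BestBuyC.om
09:14:02 10.0.0.35 library.example.om
09:15:11 10.0.0.48 cnnc.om.
"""


def om_variants(legit_domain):
    """Return the two .om typos of a registered .com domain."""
    name, _, tld = legit_domain.lower().rpartition(".")
    if tld != "com" or not name:
        return set()
    return {
        name + ".om",   # dropped "c":      netflix.com -> netflix.om
        name + "c.om",  # misplaced period: bestbuy.com -> bestbuyc.om
    }


def build_watchlist(brands):
    """Map every typo variant back to the domain the user meant."""
    return {v: brand.lower() for brand in brands for v in om_variants(brand)}


def normalize(qname):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return qname.strip().rstrip(".").lower()


def match_query(qname, watch):
    """Return the intended domain if qname is a watched typo or a host under one."""
    labels = normalize(qname).split(".")
    if len(labels) < 2:
        return None
    return watch.get(".".join(labels[-2:]))


def scan(log_text, watch):
    """Return one record per log line that looked up a watched typo."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of guessing
        when, client, qname = parts
        intended = match_query(qname, watch)
        if intended:
            hits.append({"time": when, "client": client,
                         "query": normalize(qname), "intended": intended})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, build_watchlist(BRANDS)):
        print(hit)
```

Because the watchlist is built only from the names you list, ordinary Omani sites such as the constructed `library.example.om` are not flagged.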

Protecting Yourself

Phishing and malware schemes are common attempts by scammers to get your personal information. For better Internet safety, it’s generally recommended you stick to trusted and encrypted websites (double-check, of course, the spelling of each address); refrain from clicking on links in unsolicited emails and keep your security software up to date.

It’s also good to monitor financial accounts regularly for fraud, and keep a close eye on your credit since a sudden drop in credit scores or unfamiliar line items on a credit report are signs identity theft is occurring. (You can do so by pulling your credit reports for free each year at AnnualCreditReport.com and viewing your credit scores for free each month on Credit.com.) If you have fallen victim to an Internet scam, you might also consider freezing your credit reports to keep new accounts from being opened in your name. And you can go here to learn what to do if you’ve already spotted identity theft on your credit report.


The post The Typo That Can Get You Hacked appeared first on Credit.com.