6 Ways to Make Your Family Harder to Hack 2018


While there are a thousand resolution-worthy action items out there, the time is always now for the things that need to change in our lives. Never were truer words spoken when it comes to our potential vulnerability to hackers.

The number of breaches and the granular nature of the data exposed in those attacks over the past year are both unprecedented. The Equifax breach alone included everything (and then some) that a scammer needs in order to buy a house or a car, pay for college or medical procedures, steal a tax refund or any other transaction.

But that’s not the only reason you should be on high alert. Technology is the friend of the hacker. Cybercriminals make a living being up-to-date on the latest security protocols and protections. They are also the most common spur for innovation, discovering the latest “eureka” moment in cybersecurity while reverse-engineering existing ones to steal data.

Side by side with the general threat is a “pre-set” attitude prevalent among consumers. Breaches and the identity theft that flows from them have become the third certainty in life, right behind death and taxes. The attitude tends to be, “There’s nothing I can do about it,” or “If it happens, it happens.”

I get it. I own a company that among other things, helps consumers resolve the fallout of identity theft. But working on the front lines of what amounts to a war of attrition against the bad guys, I can tell you that consumers can, and should, be doing more.

Here are my suggestions: 

  1. Avoid Account Takeover with Better Password Tactics

According to a recent survey, more than 80% of people 18 and older re-use the same password across multiple accounts—a practice called daisy-chaining.

Here’s the scary part: You will almost certainly be able to guess the most popular password used by consumers in 2016. (It was “123456.”) Consider, there are affordable machines on the market today that can hit a website’s authentication system with billions of passwords per second. “Password” isn’t going to do much in the way of keeping you from getting got.

Even if your personal email address hasn’t been exposed in a data breach—you can check on Haveibeenpwned.com—you need to take extra precautions.

Here’s why: If a scammer gets control of your personal email, they can commandeer many, if not all, of your accounts—retail, financial and beyond. For this reason, whenever possible, do not use your name or email address for login purposes. Rather, treat it like another password (but bear in mind, many sites will not allow you to do this).

If that seems like a hassle (remember, security and convenience aren’t always compatible), a start-up called Joinesty offers an automated alternative: a Chrome extension that randomizes the email address used to log in to each of your accounts, rendering your personal email address useless to a hacker.

  2. Use 2-Factor Authentication

Do you use 2-factor authentication on all your accounts that offer it? It’s a relatively seamless process whereby every account login requires both a password and a six-digit code that is emailed or sent to your smartphone via SMS.

It is not failsafe. If a criminal has control of your personal email account or possession of your phone—and your password—they can beat 2-factor authentication. That said, you become a much less attractive target—the predator equivalent of a spiny hedgehog waddling down the road next to an excessively plump piglet. Which one would you rather be?

  3. Turn Off Location Services, and Don’t Overshare

Remember the bumbling duo in the holiday classic “Home Alone?” It used to be that burglars cased a neighborhood. With oversharing on social media, including location data embedded in photographs by geotagging and/or volunteered through preference settings, we are constantly “casing” ourselves for the would-be thief.

An added layer of complication here is that even if your social sharing doesn’t include location data, other members of your family might be sharing it. Remember, you are only as secure as your most insecure family member.

The conversation about cybersecurity should be ongoing with those closest to you, because increasingly we’re all connected in ways that can get people robbed. 

  4. Have Nothing to Ransom

Ransomware is going to continue to plague consumers in 2018.

Ransomware is a form of malware that occupies a victim’s computer and then encrypts every file on its hard drive. There are few things scarier than a ransomware attack, especially when the victim has no idea what just happened.

First rule of thumb: never make a payment to get files back (or stop someone from sharing embarrassing files—another prevalent scam). Contact a resolution expert first.

Second rule: Back up your files daily.

If you want to be one-hundred percent unaffected by ransomware, back up your hard drive on an encrypted, long-and-strong password-protected external drive and store a mirror backup on a cloud server. Then when your would-be extortionist demands cryptocurrency (which, if you own any, should also be stored in an external wallet), you can say: “No,” and go on with your day.

  5. Enroll in Transaction Alerts and Identity Monitoring

There is no better way to calm fears of account takeover than transaction alerts. All banks and credit card companies offer them for free. They make fraud a momentary crisis that’s easily contained, since the moment a fraudulent charge occurs, or a scammer attempts to open a new line of credit, the consumer is notified.

Think of it as an under-age keg party that gets shut down by the police—a quick burst of annoying nothing, and then everything is back to normal.

There is an added benefit to transaction alerts: Every charge you make pops up on your phone or in your email, detailing the purchase, which can help you curb spending since there is a constant—albeit instant—reminder of how much money is going to be due at the end of your billing period.

  6. Practice the 3 Ms

  1. Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t over-share on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and freeze your credit.
  2. Monitor your accounts. Check your credit report religiously, keep track of your credit score, review major accounts daily if possible. (You can check two of your credit scores for free every month on Credit.com.) If you prefer a more laidback approach, see No. 5 above.
  3. Manage the damage. Make sure you get on top of any incursion into your identity quickly and/or enroll in a program where professionals help you navigate and resolve identity compromises, oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions and employers.

The New Year offers the opportunity to turn a now-old threat into new peace of mind.

The dangers out there are manifold, but if you are prepared, even the worst attacks are survivable. The above suggestions aren’t resolutions. They are common sense. At their best, New Year’s resolutions are an arbitrary deadline to change your habits in one way or another. When it comes to hack-proofing your life, we’re way past midnight.


Image: iStock

The post 6 Ways to Make Your Family Harder to Hack 2018 appeared first on Credit.com.

Why Spam Is More Dangerous Than Ever


Spam is supposed to be a thing of the past, but it’s not—and today it comes weaponized with manifold data-grabbing threats—from ransomware to keystroke recorders and beyond. Your email has never been more dangerous.

There was a time in the early 2000s when email spam and malicious botnets were viewed as mere nuisances. A confident Bill Gates waved it away at the 2004 World Economic Forum in Davos, Switzerland: “Two years from now, spam will be solved.” The technical community was on the job—it had spam’s number.

Unfortunately, it was a repeating number.

Today, criminals are spreading evermore malicious forms of email spam, and the number of spam emails is still robust. Though not at early-days numbers, spam accounts for more than half of all email traffic.

Multi-Tiered Attacks

Spambots are multitaskers these days. First, they trawl the internet for email addresses. (Yes, emails are sensitive information for this reason.) Next, they compile a gargantuan mailing list. Final step: they send your grandmother an email that promises to solve her male-pattern balding.

That is, unless that email offers her a discount on a medication that she takes, and she clicks a link that downloads software that exfiltrates all her user credentials.

Onliner is an especially pernicious spambot. Crafted to bypass many types of spam filters, Onliner specializes in the delivery of messages containing malicious attachments. It may name the IRS, hotel chains, or delivery services as the sender. The social engineering is nuanced, designed to trick the recipient into clicking on the attachment, thus triggering a copy of the Ursnif Trojan to install. Ursnif then swiftly steals account logins, credit card details, and other personal information.

There are others. We know about Onliner because its creators neglected to lock down a server, which allowed access to Onliner’s master mailing list of 711 million email addresses.
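As an added illustration of the two traits the article attributes to Onliner-style mail, a trusted brand name on an unrelated sender domain and a risky attachment, here is a small triage routine written for this page (not code from Credit.com, InfoArmor or any mail filter). The brand-to-domain table, the extension list and both sample messages are constructed; the routine also flags a Reply-To on a different domain than From, a related redirection trick the article does not mention.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from pathlib import PurePosixPath

# Brands the article says spambots impersonate, mapped to the domains a
# genuine message would come from. Constructed allow-list for illustration.
TRUSTED_BRANDS = {
    "irs": {"irs.gov"},
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
    "marriott": {"marriott.com"},
}

# Attachment types that commonly carry droppers; constructed, not exhaustive.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".jar", ".iso",
                    ".docm", ".xlsm", ".zip", ".rar", ".7z"}


def sender_domain(header_value: str) -> tuple:
    """Split a From/Reply-To header into (display name, sender domain)."""
    display, addr = parseaddr(header_value or "")
    return display, addr.rpartition("@")[2].lower()


def domain_belongs_to(domain: str, allowed: set) -> bool:
    """True for an allowed domain or any subdomain of one."""
    return domain in allowed or any(domain.endswith("." + d) for d in allowed)


def triage(raw: str) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, domain = sender_domain(msg.get("From", ""))
    for brand, allowed in TRUSTED_BRANDS.items():
        # Whole-word match so 'irs' does not fire on 'first'.
        if (re.search(rf"\b{re.escape(brand)}\b", display.lower())
                and not domain_belongs_to(domain, allowed)):
            findings.append(
                f"display name claims '{brand}' but sender domain is '{domain}'")
    _, reply_domain = sender_domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = PurePosixPath(name.lower()).suffix
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type '{ext}': {name}")
    return findings


# Constructed sample: brand in the display name, unrelated domain, zip lure.
SAMPLE_SPAM = """\
From: "IRS Refund Department" <refunds@tax-notice.example>
Reply-To: claims@another-host.example
To: grandma@example.net
Subject: Your refund is ready
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Open the attached form today to claim your refund.
--b1
Content-Type: application/zip; name="IRS_Form.zip"
Content-Disposition: attachment; filename="IRS_Form.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample of a message that should pass.
SAMPLE_LEGIT = """\
From: "IRS" <noreply@irs.gov>
To: grandma@example.net
Subject: Account notice

Sign in at the official website to view your message.
"""
```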

“What this tells us is that the spamming industry is alive and well and continues to adapt to produce a steady stream of profits,” observes Christian Lees, chief security officer at threat intelligence company InfoArmor. “Email continues to be an efficient attack vector. A high percentage of major data breaches are directly sourced via email.”

Stunning Advancements

Some historical context is helpful in understanding just how far spam and botnets have advanced. When Bill Gates spoke at Davos, spamming was carried out manually, and spammers had to actually rent or steal time on physical servers housed at hosting companies. Meanwhile, botnets consisted of PCs surreptitiously infected and controlled by script-kiddie hackers out to make a name for themselves.

Today, spam delivery has become highly automated, thanks to the wide availability of resilient botnets for hire. Instead of having to bother with hosting services, spammers retain the services of a botnet operator who is in command of tens of thousands of infected PCs, supplemented with tens of thousands more virtual instances of computing devices.

These virtual bots represent stunningly clever use of public cloud computing resources, such as Amazon Web Services, Microsoft Azure, and Google Cloud. Botnet operators can now spin up hundreds of thousands of virtual bots cost-effectively and in the public cloud, which is why we now experience periodic surges of garden-variety advertising spam.

Wide-Open Attack Vector

Understandably, spambots are of acute concern to financial services companies, health care businesses, and other vertical industries that do business with their consumers online. These organizations recognize the “potential for losing their credibility,” says Giovanni Verhaeghe, product strategy director at VASCO Data Security. “Customers are wondering which messages are fake and which ones are really sent by the bank.”

Most organizations today filter email aggressively. But as Onliner makes clear, filtering is not enough. Email remains a wide-open attack vector that criminals continue to successfully exploit. The very existence of spambots reminds us that each individual bears the burden for staying alert, reducing their digital footprint whenever the opportunity to do so presents itself, and responding quickly if their email is hacked.

What does this mean for you? First: it’s time to dial back on convenience and use multi-factor authentication whenever it’s offered. And for sure it’s time to stop sharing every detail of our digital lives. Companies can help by providing efficacious employee training and encouraging a security-first culture. Employees need to be continually reminded of the spam threat. Spearphishing has never been more nuanced. “Trust but verify” should be everyone’s watchword these days.

Someday our technocrats may “solve” the spam problem, as Bill Gates predicted. But it won’t be tomorrow.


Are Your Connected Devices Safe?


The number of Internet of Things (IoT) devices in use is forecast to hit 8.4 billion this year. That’s more than the human population on planet Earth. And with successful attacks like Mirai (which was the malware used in the 2016 Dyn cyberattack) already a part of the IoT story, there’s plenty to worry about.

It’s crucial we give this latest market exuberance a brief time-out. Unfortunately, the chances of that happening are slim. So, what to do between now and the next zero-day exploit?

I’m specifically recommending a cyber “time-out,” and not a “breather” or any other term signifying a pause or cessation of activity. IoT technology is in its infancy and growing faster than projected. And it’s flawed.

Connected devices have not been around very long, and yet they’ve already managed to cause no end of trouble—whether we’re talking about hijacked baby monitors, IP cameras, or exercise trackers that broadcast granular details about your sex life to anyone who might be curious about it.

We need a time-out to think through and implement best security practices for the IoT market.

Are Connected Devices a Cyber Catastrophe Waiting to Happen?

With total spending on IoT or connected devices pegged to hit $2 trillion this year, the market is undergoing a period of staggering growth.

IoT is increasingly present in daily life. It can be found in kitchen appliances, cars, health care equipment, toys, exercise gear, and peripherals like watches and monitors. It’s in security systems and many of the creature comforts populating our homes.

On all fronts, the upside is impressive. Consumers get to shop for a whole new universe of things they never knew they wanted, and manufacturers are increasing their revenues. In case you don’t have the figures handy, the revenue target for 2017 represents 31% growth over the previous year.

Sounds great, right? But while everyone benefits from the hunger for next-generation, hyper-connected everything, consumers may lose sight of the security pitfalls associated with them. At the risk of being a killjoy, I believe it doesn’t just seem reasonable, but absolutely essential, to assume many new devices currently hitting the IoT market aren’t cybersecure.

So, while the boom in connected devices looks like a win for everyone, it’s not. When consumers connect new devices to the Internet, their attackable surface expands. Data is being moved around. New doors are opened.

Even the most cursory look backward reveals the likelihood of future attacks.

New Products, Better Prospects?

Nest is a popular smart home player in the IoT sector. The company just released some new devices, including home security cameras, which made me wonder about the lessons learned from recent zero-day fails.

In the Persirai/Mirai catastrophe, IP cameras and routers were hijacked and roped into a botnet that hackers used to launch a massive distributed denial of service (DDoS) attack against Dyn, which routed traffic for major websites. The sites affected by the attack included The New York Times, HBO, PlayStation, Etsy, Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, and PayPal.

The Dyn attack was the direct result of rushing connected devices to market. IoT devices were sold to consumers with default passwords that many people never bothered to change (some don’t permit passwords to be changed), security taking a backseat in the race to the marketplace. While there was little to no issue with the affected devices on the consumer end, the hackers were able to use all those points of contact to launch the crippling attack on Dyn. And yes, that attack affected everyone. A back-of-the-napkin estimate on total cost is in the billions, not millions, of dollars.

In addition to Nest, I reached out to other IoT device manufacturers this week to hear what they’re doing to protect consumers in the wake of the Dyn attack and the mad rush to cash in on the robust market for connected devices. Of the 10 companies I contacted, only three got back to me.

Both Nest and Vivint (a leader in smart devices with excellent security) responded with answers that were music to my cyber-paranoid ears, though I’ll spare you the details. The same was not true of the third response, which came from a Honeywell representative: “I’d need quite a bit more time to fact check answers through our various businesses given the breadth of your questions.”

My questions:

There have been many instances of cams with factory-default passwords getting hacked—do new [Honeywell] cam products require the end user to create a secure password before they will function? Do they allow the consumer to create a password? What security measures were designed into the product?

What measures have been taken to protect other smart home products from hackers?

These questions are elementary. One has to suspect the reason so many companies failed to reply is that they don’t have great security built into the design of their products.
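To make the first of those questions concrete, the following model, added for this page and not taken from any vendor’s firmware (the `Camera` class, its serial number and the `FACTORY_DEFAULT` value are constructed placeholders), keeps a device in setup mode with its services disabled until the owner has replaced the shipped credential with a password that passes a minimum policy, and never accepts the shipped credential for login at all.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

FACTORY_DEFAULT = "admin"   # constructed placeholder, not a real product's credential
MIN_LENGTH = 12


@dataclass
class Camera:
    """Stand-in for a connected camera; constructed for this example."""
    serial: str
    _salt: bytes = field(default_factory=lambda: os.urandom(16), repr=False)
    _pw_hash: Optional[bytes] = field(default=None, repr=False)

    def services_enabled(self) -> bool:
        """Streaming and remote access stay off until setup is complete."""
        return self._pw_hash is not None

    def _hash(self, pw: str) -> bytes:
        # Salted, slow hash so a dumped config does not reveal the password.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self._salt, 100_000)

    def password_problems(self, pw: str) -> List[str]:
        """Policy checks; an empty list means the password is acceptable."""
        problems = []
        if len(pw) < MIN_LENGTH:
            problems.append(f"shorter than {MIN_LENGTH} characters")
        if pw.lower() == FACTORY_DEFAULT:
            problems.append("equals the factory default")
        if self.serial.lower() in pw.lower():
            problems.append("contains the serial number printed on the unit")
        if pw.isdigit() or pw.isalpha():
            problems.append("uses only one character class")
        return problems

    def set_password(self, pw: str) -> bool:
        """First-boot step: the device leaves setup mode only on success."""
        if self.password_problems(pw):
            return False
        self._pw_hash = self._hash(pw)
        return True

    def authenticate(self, pw: str) -> bool:
        """Login is refused outright while no owner password exists, so the
        shipped credential never works, not even on first boot."""
        if self._pw_hash is None:
            return False
        return hmac.compare_digest(self._hash(pw), self._pw_hash)
```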

The takeaway here is simple, but important. When you are shopping for a connected device, security should be the first thing you ask about—even before checking out proffered features. The future is as safe as you make it.


The National Security Nightmare the Candidates Aren’t Discussing


Whether you love it, or it makes you want to move south of the border, Donald Trump’s Great Wall of Mexico is an idea whose time has come.

That said, the Republican presidential candidate has a few things wrong.

First, The Donald’s wall is misnamed. It should be called the Great Cyber Wall of America or the American Cyberdome or, at any rate, something denoting a digital information and communication protection system.

The second thing Trump has wrong is functionality. The wall America needs should not be effective at keeping immigrants from entering our great nation. It needs to protect us from the vast array of hostile hackers who wish to do us harm from both within and beyond our sovereign borders — be they state-sponsored, terrorist, in pursuit of some cause, or simply precocious teenagers. It needs to protect every inch of coastline and border we have in three dimensions. And it needs to do this reliably.

Why a Cyber Wall Matters

In 2007, Estonia, the “most wired nation in Europe,” experienced something unprecedented: denial-of-service attacks that crippled the country. Wave after wave of attacks targeted government websites, Estonian newspapers, universities and banks. It wreaked havoc. The government took the extraordinary action of blocking international web traffic — effectively isolating Estonia from the rest of the world during a portion of the attacks. Suddenly, the assault stopped as quickly as it started, but while it lasted, there were riots in the streets.

Those denial-of-service attacks were in retaliation for the Estonian government’s decision to remove a Soviet-era war monument. Increasingly, ideology is driving more fervent fights and drastic measures in the world.

Around Christmas in 2015, parts of Ukraine started experiencing blackouts. Large swaths of the population lost electric power, all of them in areas associated with the opposition to the Russian annexation of Crimea and to pro-Russia separatists. The blackouts were caused by hackers. To date, nothing has been proven about who was sponsoring them. The only fact in evidence is that a Trojan called BlackEnergy was used, and the initial penetration into the power companies was achieved through social engineering (also known as trickery and/or deceit in combination with all-too-fallible humanity). In this case, the social engineering took the form of spearphishing — an employee was sent an email that appeared legitimate, they clicked an attachment, and, quite literally, all hell broke loose.

Because many cyber attacks have a social engineering aspect, there is a tendency in the data security community to assume that there is no cure-all for the cyber insecurity that ails us worldwide. Regardless, it is a problem in dire need of a solution.

Just last week, National Security Agency Director Michael Rogers stated our need for better protections when he said it was a question of “when, not if” state-sponsored hackers decide to take out parts or the entirety of our power grid, our communications and our emergency response systems. Doubtless, banks and other financial organizations are tasty targets as well.

Meanwhile on the Campaign Trail

This election season we haven’t heard a whole lot about cyber security (or the lack thereof), which boggles the mind. After all, the barbarians are no longer knocking at the gate. They are crawling through millions of investigative reports at the Office of Personnel Management, harvesting tens of millions of Social Security numbers in the breached files of our health insurers, burrowing into countless bank accounts and medical files, rifling through our travel plans, diverting billions of tax refund dollars from the IRS and (doubtless) exploring various avenues into our power grid.

Yet there has been barely a peep on the campaign trail, save former Sen. Jim Webb — who, as you will no doubt remember, was quickly dispatched to the scrapheap of Presidential election history.

Instead, we are witness to a heated debate about the size of a candidate’s hands, and get “Big Donnie” and “Little Marco” sniping at each other like eighth graders who have a crush on the same person while Hillary tries to sound more like Bernie without alienating Wall Street. Meanwhile, Bernie keeps delivering the same stump speech despite a horde of super delegates who plan to make Hillary the Democratic nominee regardless of his performance in the primaries.

I don’t just blame the candidates. The media has had a hand in this. Les Moonves summed up part of the problem recently when he said that this crazy election “may not be good for America, but it’s good for CBS.”

In an era of reality show politics, why would anyone with any skin in the game want to risk losing the eyes and ears of Americans because they talk about something substantive like cyber security? Unfortunately, just as convenience often trumps security in this day and age, the failure to intelligently discuss and debate various approaches to keeping our nation cyber safe is a major opportunity loss for the U.S.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.

