Can You Hack-Proof Your Personal Email Address?

This simple trick can help reduce spam and add an additional layer of protection against phishers and identity thieves.

How would you feel if the digital “you” were deleted? The common wisdom in cybersecurity circles is that if you think it can’t happen to you, it probably will. Consider Mat Honan’s story.

“First my Google account was taken over, then deleted,” Honan wrote. “Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages.” Honan’s AppleID was used to remotely delete all the data on his iPhone, iPad, and MacBook.

“My accounts were daisy-chained together,” Honan confessed. Sound familiar? Most people have to authenticate via daisy-chain. Even if you have everything segregated and use multi-factor authentication, chances are good that your personal email address is used to log in to most of the places you go online.

If a hacker gains access to your personal email account and, like most people, you’re lax when it comes to personal cyber hygiene, it could be game over for you—not only with regard to your data, but for whatever assets and accounts you manage online.

Can Your Personal Email Be Hack-Proofed? 

The short answer is no. Hacks and data breaches are the third certainty in life, right behind death and taxes. In fact, the most likely reason you haven’t been hacked yet is that there is a staggering number of sitting ducks out there. Needless to say, however, there is no safety in numbers. Hackers become more efficient all the time. 

While there is no silver bullet to our collective vulnerability, brothers Steve and Robert Yoskowitz think they might be able to help with Joinesty, a Chicago-based digital security startup that recently released an interesting Chrome extension.

Like LastPass and other password managers, Joinesty allows users to change passwords for everything they access online. Login credentials are automatically generated and easy to manage.

What makes Joinesty different is that they also let users create unique email addresses (to be forwarded in real time or delivered in daily digest form) for everything they access online, thereby shielding their personal email address from prying eyes.

In addition to email management, Joinesty lets users know about deals that are available at over 7,500 merchants in real time.

“The feature injects into Google so users can see what deals are available within their search results,” CFO and co-founder Steve Yoskowitz told me. “As cybersecurity and privacy become everyday and every-person concerns, we are trying to create an environment of security appealing to a demographic which may not know how much they need it, while targeting the interactions and online behavior that expose users the most.”

Before you decide that Joinesty is an advertising vehicle disguised as a cybersecurity solutions company, note that I asked about revenue, which is subscription-based. Users can choose between monthly or annual subscriptions at $6.99 a month or $41.99 a year.

“The pillars of the Joinesty brand are trust, transparency, and simplicity,” Yoskowitz told me.  “We structured every aspect of our platform around these pillars, including our revenue model.”

Why Personal Email Addresses?

Nobody needs a disquisition on the dangers of using the same password for different accounts and services, though the number of consumers who still do it is alarming.

Instead, how about a quick lecture: According to one recent survey, more than 80% of people 18 and older re-use the same password across multiple accounts. The most popular password in 2016 was “123456.” For less than $1,000, hackers can buy a machine that has the capacity to test billions of passwords per second. Effect: You are vulnerable. Password managers work, so use one. (End of sermon.)

Actually, it’s not quite the end of the sermon. Because lousy password hygiene is so prevalent, you need to know if your personal email address has been leaked in a data breach or, better yet, just assume that it has been. Haveibeenpwned.com is one place to go if you’re curious.

Personal email addresses present a huge vulnerability for most people and an infinite number of clear-sky lines of attack for hackers.

A recent data sample found that in the United States there are an average of 130 accounts assigned to a single email address. We’re talking about newsletters, e-commerce sites, banks, gyms, portals to your medical records and healthcare coverage, investments, car loans, credit cards, and—as Mat Honan knows all too painfully well—social networking sites.

Your personal email address is one of your most visible forms of personally identifiable information (PII), and yet many websites require it. If your email is commandeered, whoever has control of it is just a few clicks away from taking control of your finances and anything else they might care to target. Think of your email address as a much less secure version of your Social Security number—especially if you have bad password habits.

I asked Yoskowitz about the use of personal email addresses as a login credential. After a quick scan of the top 210 Quantcast sites, he found that only 26 had no login. “Two had a username—instead of email—for logging in, so roughly 86% currently require email for login,” Yoskowitz told me.

Fewer Opportunities to Click and Get Got

So, is Joinesty addressing the personal email problem or taking advantage of it? Does the solution open up new vulnerabilities? Is this merely a ploy to sell ads and profit off our collective cyber-insecurity? 

The first thing you need to know is that Joinesty offers something of value.

It is not tokenization per se, but it’s like it in that Joinesty replaces PII (in this case your personal email address) with equally valid but non-identifiable data.

“We retain the purposes and benefits of tokenization allowing the user to retain all the functionality of giving out their personal email—logging into their accounts, receiving deals—without that email address having any inherent value to hackers because of its unique one-off nature.” 
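The per-site address idea described above can be sketched as follows. This is an added example, not Joinesty's implementation and not code from the original article; the forwarding domain `alias.example`, the key, and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Assumptions for this sketch: a forwarding domain you control and a secret
# key stored in your password manager. Both values are constructed.
ALIAS_DOMAIN = "alias.example"
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
_ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789.-")


def _tag(site: str) -> str:
    """Keyed 8-character tag that binds an alias to exactly one site."""
    mac = hmac.new(SECRET_KEY, site.encode(), hashlib.sha256).digest()
    return base64.b32encode(mac[:5]).decode().lower()  # 5 bytes -> 8 chars


def alias_for(site: str) -> str:
    """One-off address to give `site` in place of the personal address."""
    site = site.strip().lower()
    if not site or not set(site) <= _ALLOWED:
        raise ValueError("site must be a plain domain name")
    return f"{site}-{_tag(site)}@{ALIAS_DOMAIN}"


def site_from_alias(address: str) -> Optional[str]:
    """Return the site an alias was issued to, or None if we never issued it."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain != ALIAS_DOMAIN or "-" not in local:
        return None
    site, tag = local.rsplit("-", 1)
    # Constant-time comparison; a guessed or edited alias fails here.
    if not hmac.compare_digest(tag.encode(), _tag(site).encode()):
        return None
    return site


def classify(recipient: str, sender: str, revoked=frozenset()) -> str:
    """Decide what the forwarder does with one incoming message.

    The sender check is a heuristic: the From address can be forged and
    legitimate sites sometimes mail from other domains, so a mismatch is
    flagged for review rather than dropped.
    """
    site = site_from_alias(recipient)
    if site is None:
        return "reject: not an alias we issued"
    if site in revoked:
        return "reject: alias revoked"
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain == site or sender_domain.endswith("." + site):
        return "deliver"
    return f"flag: alias issued to {site} used by {sender_domain}"


if __name__ == "__main__":
    a = alias_for("shop.example")
    print(a)
    print(classify(a, "news@mail.shop.example"))
    print(classify(a, "promo@unrelated.example"))
    print(classify(a, "news@shop.example", revoked={"shop.example"}))
```

Because each alias is tied to one site, mail arriving at it from anyone else shows which account's address leaked, and revoking that single alias leaves every other login untouched.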

Parting shot from my book Swiped: When creating an account on sites that allow a non-email login name, let your spirit fly. Be creative (but store it somewhere on a cheat sheet that resides on an encrypted memory stick). You might even consider using a long-and-strong password as your login name if the site will allow it.

Image: svetikd

The post Can You Hack-Proof Your Personal Email Address? appeared first on Credit.com.

6 Things You Should Do Immediately If You Have a Yahoo Account


Yahoo says 500 million user accounts have been compromised, and they are telling users to change their passwords. That’s good advice, and below you’ll find better advice from security firm Sophos.

But first: For the next several days, or even weeks, beware emails that appear to come from Yahoo. Now will be a great time for phishers to trick users into following alleged “change your password” links that actually lead to hacker-controlled sites.

Now, onto the better advice:

  1. Change your Yahoo password immediately.
  2. Reset this password, if you’re reusing it on other online sites. Cybercriminals are now using tools that sniff out passwords reused on other, more valuable sites to make their work easier and to make the stolen passwords and other hacked data more lucrative on the dark web.
  3. Make all new passwords different and difficult to guess – yes, you need to create different passwords for every site you visit.
  4. Include upper and lower case letters, numbers and symbols to make passwords harder to crack – refer to the Sophos Password Quick Tips guide for creating stronger passwords.
  5. Don’t trust password strength meters – these are unreliable and inaccurate.
  6. In general, it’s always good practice to update your passwords, password manager and security questions if you hear of a potential data breach that might affect you. Even data breaches from several years ago could still impact you today.

I disagree about using a new password for every site. I mean, it’s a lovely idea, but it’s just not realistic.  Instead, I’m an advocate of having password families.

One simple password for throwaway accounts you don’t care about, like newsletters;  one medium-hard password for sites that require a registration, but don’t involve money; and then one really strong password for financial accounts that you change on a regular basis.

For that tough password, use something clever, like the first letter of every word in a sentence.  Like this: I Was Born on November 1 in North Dakota — IWBoN1iND (I wasn’t, by the way).  Change a number to a symbol and you are in good shape, like IWBoN!iND.

Now, as for how often you should change your password — I asked a bunch of experts that question not long ago and got some interesting answers.

Graham Cluley – Independent computer security analyst, formerly of Sophos and McAfee (more about him)

I only change my password if I’m worried a service has been hacked/compromised. I have different passwords for each site. In fact, I reckon I have over 750 unique passwords. I use password management software. I think requiring people to regularly change their password is a bad idea. It encourages poor password choices, (such as) … passwordjan, passwordfeb, etc.

Depends.

Mikko Hypponen – Chief Research Officer, F-Secure (more about him)

For your corporate network account? Several times a year. For an online newspaper that requires registration in order to read it? Never.  As always, it’s about threat modelling: Figure out which services are the important services FOR YOU. Then use a strong, unique password on those, and change it regularly. For non-important sites: who cares.

James Lyne, Global Head of Security Research at Sophos, speaking specifically about corporation passwords (More about him)

The requirement to change your passwords is a preventive measure that is designed to minimize the risk of your already stolen password being cracked and used. Over 2014 there have been a huge number of attacks which have led to the loss of password hashes (or other representations). These password ‘representations’ require time and effort for attackers to crack and reverse to their plain text form. Depending on the hashing scheme in use and the resources of the attacker this can take little, or a very long time. Changing your password regularly helps manage the risk of an attacker stealing your password hash from the provider (without you knowing) by increasing the probability you have changed it before they use it.

There is a real balance to be struck with password rotations. Some enterprises set painful rotation rules that require staff to regularly learn a new password and commit it to memory – ironically this can lead to staff producing poor passwords to meet the requirement which again ironically makes it much easier for the attacker to break. Providing the service provider does their part and secures your password with an appropriate storage mechanism often using a significantly longer, complex and hard to guess password is a much better defence. Good luck to the cybercriminal going after a 128 character password stored as a (moderately poor) SHA1 hash.

Password managers help you generate long and complex passwords that will be hard to crack even if lost, that said, if you go this far and implement a manager you may as well rotate your passwords once in a while as you don’t need to remember them and it helps minimize the risk of attackers using stolen credentials (particularly on sites that store your password poorly).  Most enterprises would do well to consider how to improve their password storage security and the strength of the original password over a 30 day rotation period.

Harri Hursti – independent security researcher, famous for “The Hursti Hack” of voting machines (more about him)

This is not (an easy question) … because also changing the password too often can become a security risk

It greatly depends. Passwords I use more often, over the internet and are in sensitive sites are changed 2-3 times a year. Then there are very important passwords which are either used very seldom or are used in more secure environment and those I change once a year, or not even then.

Chester Wisniewski and Paul Ducklin, senior security advisors at Sophos. (More about Chester and Paul)

The answer, loosely, is this.

Change a password if any one of these is true:

  1. You suspect (or know) it has been compromised.
  2. You feel like changing it.
  3. You have been re-using passwords and have decided to mend your ways.

We explain better in the podcast “busting password myths,” I think.

The podcast is 15 minutes, however, the first two minutes address this very question and may be worth your time.

 

The post 6 Things You Should Do Immediately If You Have a Yahoo Account appeared first on MagnifyMoney.

How to Tell If You’ve Been Hacked (& What to Do About It)


Due to the countless ways we connect digitally, the odds of getting hacked are right up there with the likelihood of catching a cold — and like the common cold, you can increase or decrease your risk of exposure to germs that may make you miserable.

The goal of a particular hacker may be the creation of a spamming-for-dollars botnet or cracking a target that requires an enormous amount of computing power. It might be grabbing information for identity-related crimes. Increasingly, it involves ransomware that takes an organization’s servers hostage until extortion demands are met.

There are so many phishing schemes floating in cyberspace, so many pitfalls set by hackers, the chances are good you’ve already come in contact with malware of one stripe or another. One recent estimate found that more than half of the infected files in cloud storage apps get shared.

Digital hygiene isn’t much different from any other kind, but in the same way parents pass on common sense advice to wash your hands frequently during cold and flu season, it’s crucial to learn about your various exposures and how to spot trouble when it happens.

The most important behavior needed here is restraint. If you’re not sure about a file or a link, take a breath and listen to the cyber angel sitting on your shoulder who says, “Don’t click.”

When It Happens?

The best way to reduce the odds of falling for something is to accept the premise that you will almost certainly get hacked — in the event that for some reason beyond the ken of understanding you haven’t been hacked already.

I’m not saying that you shouldn’t do everything you can to prevent it, but the real thing to focus attention on is the telltale signs that a hack has already happened.

Identifying Social Media Nightmares

The most obvious sign that your social media account has been hacked is the appearance of posts that you didn’t put there, whether they show up on your timeline or feed — often spammy-looking advertisements for goods or services. You may also discover messages that you didn’t send, or be unable to access your account after a hacker has changed the password and your recovery email and phone number.

If you log in to any of your social media accounts and find a random flood of new friends or there’s suddenly a bunch of complete strangers you are now following that you neither confirmed nor requested, you’ve been hacked and need to take action.

Related, though not hacking per se, is account-cloning. This is what happens when a hacker creates a timeline that looks just like yours but isn’t — a copy made of stolen photos and information from your timeline to trick your friends into providing personal information that can (and most likely will) be used to turn a profit.

What To Do: On Facebook, regularly monitor the active sessions on your account. If you see logins from strange locations or posts that you don’t recognize on any social media account, assume there’s a problem and immediately change your password (not to “password” or 1234567). If you see that someone has cloned your timeline, follow the instructions on Facebook’s Help Community site. Instagram users should go to its Help Center. And Twitter followers of the non-Carlos Danger variety — i.e., those who’ve actually been hacked — can go to its Help Center as well.

Keeping Your PCs Clean

If you are running older versions of software with known security issues or have failed to upgrade your anti-virus software, the odds are better than ever that your machine has been infected with some form of malware.

Signs that your PC has been compromised are many and various, but one of the key ways a compromise manifests itself is slowness. Nothing else is going on (no programs are running), but your computer takes F-O-R-E-V-E-R to accomplish the simplest tasks. Other signs: Toolbars, programs and pop-ups appear; there are new programs in Windows Startup; you can’t shut down; or your anti-virus program is disabled.

What To Do: Most everything you need to know to remove malware from your PC can be found online. The bottom line: Do something. Don’t assume that because your computer is working more or less that everything is okay.

Safeguarding Your Mac

Although it’s not as common, iOS can, and does, get hacked. The signs are similar: Your machine is moving glacially on the simplest tasks, strange pop-ups appear. You may discover fake anti-virus programs.

What To Do: Visit the Apple Genius Bar, but bear in mind that many anti-virus programs can be the culprit, as they sometimes require serious processing power. Regardless, your destination is the same since the experts at the Genius Bar will be able to determine the issue quickly and most likely solve your problem that day.

Protecting iCloud

The indications that your iCloud account has been compromised are numerous. You may start receiving emails about password changes or attempts to log in to your iCloud account. If you use two-factor authentication, you may get requests for your token or security code even though you didn’t initiate the process.

While you may think it’s a glitch, it probably isn’t. Ignore these emails at your peril. Chances are good that it’s either a hacker or your kid. Either way, you need to take action.

Watch out for downloads and iTunes purchases that you don’t recognize, and if your phone no longer works correctly or does strange things, you may well be having a problem.

What To Do: Change passwords, and if that doesn’t do the trick, head over to the nearest Genius Bar.

Smart Email Security

It’s relatively easy to hack an email account, so the first rule is to stay vigilant. Check your email regularly and also monitor your Sent file. That may give you the first indication of a problem.

When it comes to Gmail in particular, it’s easy to see if you are having an issue. To be sure, go to Last Account Activity at the bottom of your Gmail Inbox. This will show you the last 10 logins. If you don’t recognize something there, you may have a hacker in your stuff.

Next, email forwarding can be an issue because no one ever checks it, but hackers use it all the time. You can make sure your email is not being forwarded by going to Settings and then to the Forwarding and POP/IMAP tab. POP/IMAP is another way a hacker can tap into your email, since the feature allows email to appear on any device that has the password. Best to disable this feature if you’re not using it.
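The forwarding and POP/IMAP checks above can also be run as a script over an export of the mailbox settings. This is an added example, not part of the original article; the dictionary layout follows the field names of the Gmail API settings resources (auto-forwarding, filters, IMAP, POP) as an assumption of this sketch, and the sample data and function name are constructed.

```python
# Constructed sample of mailbox settings. The keys mirror Gmail API settings
# resources (an assumption of this example); no network access is needed.
SAMPLE_SETTINGS = {
    "autoForwarding": {"enabled": True, "emailAddress": "drop@unknown.example"},
    "imap": {"enabled": True},
    "pop": {"accessWindow": "allMail"},
    "filters": [
        {"id": "f1", "criteria": {"from": "billing@shop.example"},
         "action": {"addLabelIds": ["Label_1"]}},
        {"id": "f2", "criteria": {"query": "has:attachment"},
         "action": {"forward": "drop@unknown.example"}},
    ],
}


def audit_mail_settings(settings, known_addresses=(), uses_mail_client=False):
    """Return (kind, message) findings for settings the owner should review.

    known_addresses: forwarding targets the owner set up on purpose.
    uses_mail_client: True if the owner really reads mail over POP/IMAP.
    """
    known = {a.lower() for a in known_addresses}
    findings = []

    # Account-wide forwarding to an address the owner does not recognise.
    fwd = settings.get("autoForwarding", {})
    if fwd.get("enabled"):
        addr = fwd.get("emailAddress", "").lower()
        if addr not in known:
            findings.append(("forwarding", f"all mail is forwarded to {addr}"))

    # Filters can forward a subset of mail even when account-wide
    # forwarding looks clean, so each filter action is checked as well.
    for flt in settings.get("filters", []):
        addr = flt.get("action", {}).get("forward", "").lower()
        if addr and addr not in known:
            findings.append(
                ("filter", f"filter {flt.get('id')} forwards mail to {addr}"))

    # POP/IMAP left on with no client in use is unneeded exposure.
    if not uses_mail_client:
        if settings.get("imap", {}).get("enabled"):
            findings.append(("imap", "IMAP is enabled but not in use"))
        if settings.get("pop", {}).get("accessWindow", "disabled") != "disabled":
            findings.append(("pop", "POP is enabled but not in use"))
    return findings


if __name__ == "__main__":
    for kind, message in audit_mail_settings(SAMPLE_SETTINGS):
        print(f"[{kind}] {message}")
```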

At the end of the day, getting hacked is becoming almost as commonplace as breathing, but it needn’t be an extinction-level event. That said, if you download ransomware, it can be costly. (If you ever have reason to believe you were hacked, it’s a good idea to monitor your credit for signs of identity theft. You can view a free credit report summary, along with two free credit scores, updated every 14 days, on Credit.com.)

There is no magic wand or impenetrable moat that keeps the bad guys out. You must be thoughtful, deliberative and cautious in order to avoid the tricks and traps that are lying in wait behind a cute baby panda video.

Image: Pinkypills

The post How to Tell If You’ve Been Hacked (& What to Do About It) appeared first on Credit.com.

Are E-Gift Cards Safe? Here’s What to Know


As the days disappear from the December calendar, panic can start to set in as last-minute gift shopping heats up. Increasingly, consumers are easing the tension by giving digital — digital gift cards, that is.

Email gifts continue to skyrocket in popularity, with consumers preferring their ease of delivery, speed of purchase and “coolness,” according to transaction firm InComm. Apparently any stigma with giving a gift that can’t be put in a gift box is fading away.

Among consumers who bought gift cards online (not in a store) last December, 63% skipped the plastic and sent the gift electronically, InComm said – up from 57% in 2013. And 90% of those aged 18 to 25 said they were more interested in purchasing digital gift cards than they were two or three years ago.

In fact, the later it gets, the more popular digital gifts become. In the six days leading up to Christmas last year, 88% of online gift card sales were for digital cards compared with 80% for the same period in 2013. Predictably, InComm says that Christmas Eve stands out as the biggest sales day for digital gift cards.

Secure Gifting?

However, e-gift cards raise some security issues, as all that stands between a criminal and money is a long alphanumeric code that can be stolen via cutting and pasting. And as the U.S. continues its long transition to chip-enabled EMV credit cards, some analysts predict that criminals will shift a bit of their focus towards electronic gift cards.

“As the United States begins its efforts to reduce credit card fraud by transitioning to EMV, another type of card — the online gift card — could see its fraud risk skyrocket,” wrote Chris Uriarte in PaymentsSource earlier this year. But in the InComm survey, consumers actually cited security as one of the reasons for making these digital purchases. Here’s why: Most e-gift cards come with electronic registration that makes it easier to keep track of value if a gift is lost or stolen. Physical cards, when lost, are useless unless the card has been registered with the retailer.

But e-gift cards raise other concerns: They’re easy to spend online, but can create a hassle in physical stores. Some consumers must print out evidence of the card to use it, though increasingly, the e-gifts can be stored and spent on smartphones, one feature consumers do care about, InComm says. In fact, 96% of recipients said they were “interested” in storing the cards on their phones.

Here are some other reasons digital gift cards are hot:

• 68% like the instant delivery

• 51% said they’re easier to send

• 45% said they’re easier and quicker to purchase

• 37% said they’re easier to redeem

• 36% find them secure

• 27% feel they’re harder to lose

• 22% said they’re a cool gift

• 20% said the recipient prefers them

How to Give a Digital Gift Card

If you plan to give a digital gift card, make sure the recipient gets it, as it could wind up in their spam folder. And if you receive a digital gift card, see if you can get the credit right away. Retailers like Amazon let you redeem the card immediately by storing the value on your account until you’re ready to use it. This can be smart since you won’t lose track of the email with the code and the money could be safer.

This is also a good time to remind you to guard your email account. Hackers know our inboxes will be stuffed with valuable gift card codes, so consider changing your email password. If you have reason to believe your personal information was compromised, you can monitor your credit for signs your identity has been stolen. You can do so by pulling your free credit reports each month at AnnualCreditReport.com or viewing your credit scores for free each month on Credit.com.


Image: Minerva Studio

The post Are E-Gift Cards Safe? Here’s What to Know appeared first on Credit.com.
