Password Security vulnerable to Trickery

There’s only one entrance to the house: a steel door two feet thick. If someone from the outside touches the door—even with a battering ram—they’ll get an electric shock. No bad guys could get through, right?

Well, suppose the bad guy tricks the homeowner into opening the door…and once it’s open, the bad guy strangles the homeowner. Do you see what happened? All that security is worthless if the homeowner can be tricked.

And the same goes for passwords. You can have the longest, strongest, most gibberish password around…but if you allow yourself to be skunked by a hacker…it’s over.

Think you can’t get skunked? A hacker could post a link to a “video” claiming it’s Taylor Swift with a 50-pound weight gain—anything to get you to click—and you end up downloading a virus to your computer. Or maybe you get suckered into giving your credit card number and the three-digit code on its back to some site to “re-verify your credentials” because your account has been “compromised,” says an e-mail supposedly from the company you have the account with. Instead, it’s a phony e-mail sent by a hacker.

Security begins by not falling for these ruses, but also by not having crummy passwords. First, ask yourself if it’s super easy to remember any of your passwords. If it is, chances are they contain actual names of people…or pets…in your life. If you have your pet and its name plastered all over your Facebook page, for instance…a hacker will figure that your password contains the name.

Another way to easily remember—and type—passwords is to use keyboard sequences. Maybe you use the same password for 14 accounts: 123kupkake. Is this easy for a hacker to crack? Depending on the level of sophistication of the hacker and the tools he possesses, maybe.

Imagine a hacker cracking this with his software. He’ll get into all your accounts if you have the same password. There are many password manager services out there to help you create a strong, long password, though randomly hitting keys on your keyboard will produce the same result. But the password manager will grant you a single password to get into all your accounts, sparing you the drudgery of having to remember 14 long passwords of jumbled characters.

Another layer of security is to try to only register with online accounts that have two-factor authentication. For instance, see if your bank offers this (many actually don’t). Two-factor makes it next to impossible for someone to hack into your account.

Strong and long passwords—all different for all of your accounts; a password manager; two-factor authentication; and what else? Don’t be suckered into giving up your private information!

_________________ Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

It’s the IRS calling…or is it?

Here at the FTC, we think about scams all day long. What are the scammers’ new angles? How can we keep ahead of them? We hear from people about the scams they see, and we turn that into tips people use to spot and avoid scams.

But scammers find FTC staff, just as they find the rest of America. My colleagues and I have even gotten calls on our work phones, offering reduced credit card interest rates, or claiming to be tech support calling about problems with our computers. We also get the calls at home. In fact, someone claiming to work for the IRS called my house just last week.

This has all the signs of an IRS imposter scam. In fact, the IRS won’t call out of the blue to ask for payment, won’t demand a specific form of payment, and won’t leave a message threatening to sue you if you don’t pay right away.

Have you gotten a bogus IRS call like this? If you did, report the call to the FTC and to TIGTA – include the phone number it came from, along with any details you have.

__________________ The Federal Trade Commission (FTC) is the nation’s consumer protection agency. The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace.

Why Hotels Check your ID

I know someone who tried to make a hotel reservation over the phone. She goes by the name “Kelcie,” but her birth name is Frances. She hates her birth name. When making the reservation she used the name Kelcie, which is what’s on her credit card and checks, but her driver’s license says Frances.

She was told that when she arrived, she’d need to present a photo ID. She asked if there’d be any problem since her driver’s license said Frances and the reservation said Kelcie. She was told most definitely.

“Why should they care if the name on my photo ID doesn’t match the name in the reservation or my credit card? As long as I can pay for the room, right? You’d think I was applying for a government job!”

Why do some hotels require the photo ID or even information about your car, even if you have wads of money ready to pay for your stay? In some areas, the law requires hotels to do this. But this answer only sets back the question further: Why does the law require this?

The law also requires hotels and other lodging facilities to be able to turn over this information to the police when requested. A warrant is not necessary.

If we’re talking about a little “ma and pa” motel, it’s actually more understandable that they’d require guests to show a photo ID, especially in a seedy part of town. If the room is trashed, the owner knows whom to go after. But the large name-brand hotel is a bit different. Requiring a photo ID when someone uses a credit card or check is understandable. But some hotels also require it if the guest has cold cash.

The true answer would have to come from the lawmakers, even though we can think of some hypothetical scenarios in which a person could claim to be someone else and then get that person’s room—but the imposter would have to know ahead of time that the real guest had reserved the room. It’s not likely that the lawmakers have this scenario in mind as their reason for requiring hotels to require photo IDs.

One plausible explanation is to protect people from fraudulent credit card use. More reasons include weeding out imposters to make everything a bit safer by reducing nefarious activities such as drug use, meth labs, prostitution, or using the hotel room as a staging area for various crimes. Hotels will want to do anything to cover their butts just in case a crime occurs. And I suppose the lawmakers have the hotel industry’s back.

If you are concerned about the privacy of your personal information, you should be. But recognize that “personal identifying information” or PII is “public” and not private. So giving it to a hotel clerk shouldn’t be considered a “private” transaction. Know the risks.

__________________ Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

What is private Information and what is not?

Data Privacy Day was Wednesday, January 28, and these days the concept of “privacy” can be ambiguous, generic or confusing. What you might think of as private actually isn’t.

Under U.S. privacy law and information security, personal identifying information is defined as data that can be used to contact, identify or locate an individual, or identify him in context. This means that your name and address aren’t private, which is why they can be found on the Internet (though a small fee may be required for the address, but not always). Even your phone and e-mail aren’t private. What you post on Facebook isn’t private, either.

So what’s private, then? An argument with your best friend. A bad joke that you texted. Your personal journal. These kinds of things are not meant for public use. What about vacation photos that you stored in a cloud service? Well…they’re supposed to be private, but really, they’re at significant risk and shouldn’t be considered totally private.

And it’s not just individuals who should worry about privacy. It’s businesses also. Companies are always worrying about privacy, which includes how to protect customers’ sensitive information and company trade secrets.

But even if the company’s IT team came up with the most foolproof security in the world against hacking…it still wouldn’t protect 100 percent. Somewhere, somehow, there will be a leak—some careless employee, for instance, who gets lured by a phishing e-mail on their mobile phone…clicks the link, gives out sensitive company information and just like that a hacker has found his way in. Even when employees are trained in security awareness, this kind of risk will always exist.

An insider could be the bad guy who visually hacks sensitive data on the computer screen of an employee who was called away for a brief moment by another employee.

Tips for Training Employees on Security Savvy
  • Make it fun. Give giant chocolate bars, gifts and prizes out to employees for good security behaviors.
  • Post fun photos with funny captions on signage touting content from the company’s security policy document. It’s more likely to be read in this context than simply handed to them straight.
  • Show management is invested. Behavior changes start from the top down.
  • Get other departments involved. Even if they’re small, such as HR, legal and marketing, they will benefit from security training.
  • Stop visual hackers. Equip employees with a 3M Privacy Filter and an ePrivacy Filter, which help bar snooping eyes from being able to see what’s on the user’s screen from virtually every angle.
  • Don’t forbid everything that’s potential trouble. Rather than say, “Don’t go on social media,” say, “Here’s what not to do when you’re on social media.”
  • Make it personal. Inform workers how data breaches could damage them, not just the company. A little shock to their system will motivate them to be more careful.
_________________ Robert Siciliano is a Privacy Consultant to 3M discussing Identity Theft and Privacy on YouTube. Disclosures.