Patch Lady – 31 days of paranoia – day 1


    #220649

    October is National Cyber Security awareness month and I’m going to post every day this month on something that will make you think or take some actio
    [See the full post at: Patch Lady – 31 days of paranoia – day 1]

    Susan Bradley Patch Lady/Prudent patcher

    • #220656

      Susan,
      “how good are you at protecting your identity?” Very good.

      “Have you followed guidance for protecting yourself from identity theft?” Yes.

      “Have you reviewed all your bank statements?” Yes.

      “Requested a copy of your credit history?” Yes.

      “Have you made sure that the security questions you choose are not readily guessable?” Yes.

      “I’ve often seen as security questions things that could be googled about a person that are typically exposed on Facebook or LinkedIn.” Do not use Facebook, LinkedIn, or any other social media. I do have one Twitter account, since I need it to get support from my utilities, but it is made with a fake name, a fake birthday, and a lot of fake info.

      “So are you good at protecting both your identity and your possible password reset questions and answers?” Yes

      My security is great. This is one of the reasons I never register on any site. If I need to, I provide a fake account. My fake Twitter got hacked when there was a breach of Twitter, but they got nothing, since everything was fake, including the associated email account. I created a new one after that with an all-new fake email address and name. Never give your real info on the net and you will be safe.

    • #220673

      Thanks Susan.

      Those things should be pretty obvious by now, but I dare say plenty are ignorant of them or else choose to ignore them.

      One additional point, which perhaps I should qualify by limiting it to the UK – and others can say whether it applies elsewhere or not:-

      Avoid internet or telephone banking. Use your local bank branch in order both to keep it open (because you will miss it when it’s gone and it will go if people don’t use it) and to avoid the risks associated with remote banking. Whenever possible use human beings in the branch rather than machines – for the same reasons.

      No matter that you could gain an extra 0.1% return on online savings/pensions accounts, for example, is it really worth risking what is likely to be for you a life-changing investment on the security of online data? But it’s stored on the Cloud – oh, so that’s alright then! Seriously, think twice before entrusting all your money to the internet!

      Again for the UK readers – if you own your own home then seriously consider registering with the HM Land Registry Property Alert Activity Update service – which means that whenever anyone makes an enquiry about the Title to your home you will be notified. If nobody makes an enquiry then you’ll receive six-monthly notifications to that effect.

      • #221247

        Again for the UK readers – if you own your own home then seriously consider registering with the HM Land Registry Property Alert Activity Update service – which means that whenever anyone makes an enquiry about the Title to your home you will be notified. If nobody makes an enquiry then you’ll receive six-monthly notifications to that effect.

        Here in the USA my town has “Property Check” — you register and whenever anyone tries to mess with your property, be it checking it or trying to change your ownership, I get an alert. If this is available to you I highly recommend it.

    • #220678

      They left off one very important thing: SOCIAL MEDIA!

      Here are some tips for protecting your identity on social media:

      * BE VERY CAREFUL HOW MUCH PERSONAL INFORMATION YOU POST ON SOCIAL MEDIA! I’ve seen people put their phone numbers in an open post! If you need to give someone your phone number, send it to them in a private message.

      * I heard about someone one time putting their CREDIT CARD NUMBER in an open post! If I have to tell you not to do that, then you probably should stay entirely off of social media for your own good.

      * Lock down your Facebook settings so that they are more secure than the default; and check them now and then, to make sure that Facebook hasn’t changed anything requiring you to lock down yet another setting.

      * Remember: Anything you post to PUBLIC on Facebook can be seen by anyone, not just your friends.

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
      • #220704

        Thanks for that prompt, Jim.

        I’ve always spurned social media, but have recently swallowed one of those few principles I still have (!) because I realised I was missing out on so much in the way of family photos and other updates which I could ill-afford to do especially with young grandchildren. I therefore opened a Facebook account, with some factual and some false data, and with nothing on the account page except the user name. No photo, no background information, no current location, no public access to email address, a false birthday and so on.

        Now for a serious point – in my two comments on this page thus far I have deliberately mentioned my age, the nature of my voluntary work and the fact that I have a wife and young grandchildren. None of these snippets of information should be of any detriment to my security etc, but it all serves to illustrate how easy it is to give away personal information that cobbled together can be undesirably revealing to those who know what they’re looking for and how to misuse it when they find it. Exercise caution (and don’t believe all that you read on the internet, not least on this page)!

        • #221204

          Several years ago I started using Facebook, so that I could keep up with my college friends who were scattered all over the United States. I never play any Facebook games nor run any Facebook apps, because these things are ways of someone getting your personal information.

          I now use Facebook as an outlet for expressing my opinion about various topics, as well as for keeping up with my friends. But I never play any of the games or run any of the apps.

          An interesting thing I have discovered: If you run Firefox and a script blocker (such as NoScript), you can block scripts from Facebook.net and still have full functionality when you access Facebook. (Accessing Facebook requires that you allow all of the FB*.com scripts.) However, as you visit non-Facebook sites and check what scripts are running in the background, you will find that Facebook.net scripts run on just about every non-Facebook website. I therefore block scripts running on Facebook.net, and allow all of the FB*.com scripts. This prevents (or reduces?) Facebook from being able to spy on me as I surf the web.

          Group "L" (Linux Mint)
          with Windows 10 running in a remote session on my file server
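The post above describes noticing, via NoScript, that facebook.net scripts load on sites that are not Facebook. Below is an added example (not code from the thread or from any of the posters) of how to do that inventory offline: parse a page's HTML, separate first-party from third-party script hosts, and flag the ones matching a tracker list. The page HTML, the page URL and the tracker host list are all constructed assumptions for the demo; the domain logic is a deliberately crude "last two labels" rule that is fine for .com/.net but not for suffixes like .co.uk.

```python
"""Inventory the script hosts a page loads and flag third-party trackers.

Added example, not from the original thread. SAMPLE_PAGE, PAGE_URL and
TRACKER_SUFFIXES are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the post describes as appearing on non-Facebook sites. Assumed list;
# extend it with whatever your own NoScript/uBlock logs show.
TRACKER_SUFFIXES = ("facebook.net", "facebook.com")

# Constructed sample page standing in for a fetched news site.
PAGE_URL = "https://www.example-news.com/story"
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-news.com/vendor.js"></script>
<script async src="//connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://cdn.example-analytics.net/collect.js"></script>
</head><body><script>console.log('inline, no src');</script></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag that has one."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def registrable_domain(host):
    """Crude eTLD+1: last two labels. Enough for .com/.net in this demo;
    use a public-suffix library for real multi-label suffixes."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_scripts(html, page_url):
    """Return first-party, third-party and tracker script sources for a page."""
    page_domain = registrable_domain(urlparse(page_url).hostname or "")
    collector = ScriptCollector()
    collector.feed(html)
    result = {"first_party": [], "third_party": [], "trackers": []}
    for src in collector.srcs:
        host = urlparse(src).hostname  # handles https://, //host/ and relative
        if host is None:
            # Relative src such as /static/app.js is served by the page's host.
            result["first_party"].append(src)
            continue
        if registrable_domain(host) == page_domain:
            result["first_party"].append(src)
            continue
        result["third_party"].append(src)
        if any(host == s or host.endswith("." + s) for s in TRACKER_SUFFIXES):
            result["trackers"].append(src)
    return result


if __name__ == "__main__":
    report = classify_scripts(SAMPLE_PAGE, PAGE_URL)
    for bucket, srcs in report.items():
        print(bucket, srcs)
```

Running this on a saved copy of a page gives the same picture the poster built up by hand in NoScript: the tracker bucket lists the scripts that would be blocked by a rule against facebook.net, while the first-party bucket shows what has to stay allowed for the site itself to work.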
      • #220709

        I think Susan wanted to open her 31 days of horror stories with a prologue to show us what was in place 14 years ago. Before social media was a compound noun with a definition more specific than its parts. I’m sure she’ll get there and look forward to a daily item for review.

    • #220733

      Simple. Never use real info when online and you will be safe. Only when your bank, hospital, job, etc. gets hacked does your real info get leaked. Too bad you cannot give fake info there. But maybe you could and be safe, since they do not protect you.

    • #220745

      For security questions where a public search could reveal the answers, I will put in fake info, or slightly alter the true info. My bank has questions which would not normally be public, but which don’t apply to the lifestyle I lead. So I am free to make up answers odd enough to be hard to guess, but plausible enough to pass muster, and yet untrue in any event. So not searchable.

      I don’t agree in the US that online banking will kill off our local branch offices. I just went in to my local branch office to deposit some quarters (a LOT of quarters!), and that’s also where the ATM is for some of my shopping trips. But if I need to pull out a bunch of transactions for Social Security reporting, the online Ledger and Transactions with Categories (assigned by me) simply can’t be equalled, even with paper bank statements. So online banking for me has some uses not offered by other methods. And if there is a credit card refusal for security reasons, phone banking is the only way to resolve it, either by authorizing the purchase, or by confirming I attempted the purchase but not going through with it.

      One way this happens is if an online retailer fails to disclose in advance of checkout that their billing is from a foreign office or warehouse location. It happens more often than you might think, and foreign currency conversion and extra banking fees can result. (One well-known third party antivirus company is notorious for this practice. Even Fastmail bills from Australia, but if you choose Paypal, you can avoid the fees.) Caveat Emptor!

      I do use Nextdoor.com for online communications with people from my community, and I am amazed at what personal info people will post, when they think they are posting just to their immediate neighbors. Addresses, phone numbers, you name it, they’ll post away with total abandon. There is a reason that the site provides for Private Messaging, folks!

      Password and account recovery should use codes and/or permanent dongles like FIDO2 or YubiKey. Biometrics can be spoofed, so they are not the answer. Google is heading more and more in the dongle direction, and Microsoft recommends the code-based account recovery method. I think Apple also favors code-based, not question-based account recovery. Yahoo is… well, Yahoo. (But let’s face it, using a phone as an intermediary is not secure.) I wonder when Facebook, Instagram and Twitter will start using more secure methods. Maybe after the next data breach… oops, that just happened.

      Times change, and so should our methods of securing our accounts and our information. If you want to beat increasingly automated hacking, you have to be able to think and act more like a machine. Start getting cozy with dongles and recovery codes. They are here to stay. And save your DNA for important things like proving your identity if you lose the dongle. Stop tossing it off on genealogy sites and other public databases.

      -- rc primak

      • #220864

        @RC_P… “I don’t agree in the US that online banking will kill off our local branch offices.”

        You are VERY wrong my friend! The bank I’ve been doing business with for over 35 years closed one of their branches in a town about 20 miles from me in March and they just last week announced that they’re closing the branch I’ve been using for all these years too. They specifically stated to the local news reporter that BOTH branch closings are due to online banking significantly reducing the need to have “live” people to conduct transactions.

        The branch I’ve been using for years at one time had 5 people taking care of customers but in the past year or so they’ve cut back to just two people at the counter and I’m never waiting longer than a few minutes in line. In fact, I used to wait in line longer a few years ago when there were 5 of them!

        • #221206

          One of the creepiest things I have seen in a long time is a bank branch which has no actual tellers present; they are all at an undisclosed location (maybe at the main branch?); and all teller-related business is done via two-way TVs (like some drive-up windows). I no longer have an account at that bank; and if I did, I likely would close my account there and find another bank.

          Yeah, I know; I am dealing with an actual person, just not someone who is right there with me. My current bank has actual tellers and does not even have bullet-proof glass separating me from the teller. I live in a small town, and it is really nice to deal face to face with a real person.

          Group "L" (Linux Mint)
          with Windows 10 running in a remote session on my file server
          • #222713

            For the record I also live in a small town and both of these branches are “small town” branches although the bank itself is a large and well known one… I won’t mention the bank’s name but it’s likely most folks in the US are familiar with it.

            The worst part of these closings is both of these branches were/are the only bank in town leaving people that don’t do banking online no choice other than traveling at least 10-15 miles to the next closest branch or other bank. Since I’ve been using this particular branch for over 20 years now on a regular basis I know many of the folks I see in there by name, and quite a few of them are seniors that don’t even own a computer and some of them walk to the bank because they don’t have transportation.

            What are these seniors with no computers or transportation in this rural area going to do after this branch closes?

      • #220976

        Why do your security questions have to be “plausible enough to pass muster”?

        Who was my 3rd grade teacher? I honestly can’t remember, but the company that handles my flex-spending account thinks it was nTAblfF85f (not actually that but whatever my password manager came up with as random 10 character string to fill out for 3rd grade teacher).

        • #220981

          This is exactly the way to treat passwords: unrelated to the question. The more cryptic the better, with use of lowercase/uppercase/numbers/symbols, as with any password.

          Windows - commercial by definition and now function...
        • #221892

          I have had banks especially, but some other places, during telephone contacts try to verify my identity using the same security questions which they use on the online sites. When they ask the question over the phone, it’s not possible to use these random character or nonsense replies, as the person you are talking with won’t accept those answers as genuine. I have seen this issue with health care providers, insurance companies and banks. It may not be a problem for all people.

          That’s why my online answers always sound as if they could be real, without actually being true. I haven’t had my fake answers challenged as not matching some sort of records somewhere — not yet anyway. When it’s fraud prevention and the account could get frozen if the questions aren’t answered correctly, this can make a real difference.

          -- rc primak

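The exchange above (random strings as security answers, versus plausible-but-false answers that can still be read to a phone agent) comes down to two things: a site should store security answers the way it stores passwords, and a guessable answer is one that appears in the facts an attacker can scrape about you. The following is an added example, not code from the thread or from any poster, that does both: it salts and hashes answers with PBKDF2 after a normalization step, then runs an offline guess over a constructed list of "public facts" to show that the real teacher's name falls immediately while a password-manager-style random answer does not. The iteration count, the normalization rules and the scraped-facts list are assumptions for the demo.

```python
"""Store security-question answers like passwords and measure guessability.

Added example, not from the original thread. SCRAPED_FACTS and the sample
answers are constructed; ITERATIONS is an assumed cost, tune for production.
"""
import hashlib
import hmac
import os
import secrets
import string

ITERATIONS = 50_000  # assumed PBKDF2-HMAC-SHA256 work factor


def normalize(answer):
    """Fold case, whitespace and punctuation so 'Mrs. Smith' == 'mrs  smith'.

    Human-typed answers vary in trivial ways; random answers are unaffected
    because they contain only letters and digits.
    """
    kept = "".join(c if c.isalnum() or c.isspace() else " " for c in answer)
    return " ".join(kept.lower().split())


def hash_answer(answer, salt=None):
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def verify_answer(candidate, salt, digest):
    """Constant-time comparison of a candidate against the stored digest."""
    _, candidate_digest = hash_answer(candidate, salt)
    return hmac.compare_digest(candidate_digest, digest)


def random_answer(length=10):
    """What the poster's password manager produced: a random 10-char string."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_answer(candidates, salt, digest):
    """Offline dictionary attack: first candidate that verifies, else None."""
    for candidate in candidates:
        if verify_answer(candidate, salt, digest):
            return candidate
    return None


# Constructed list of things an attacker might scrape from social media
# about a target: school, teacher, pet, hometown, birth year.
SCRAPED_FACTS = ["Lincoln Elementary", "Mrs Smith", "Rex", "Springfield", "1972"]


def demo():
    """Compare a real answer with a random one against the scraped facts."""
    real_salt, real_digest = hash_answer("Mrs. Smith")      # truthful answer
    rand_salt, rand_digest = hash_answer(random_answer())   # manager-generated
    return {
        "real_answer_guessed_as": guess_answer(SCRAPED_FACTS, real_salt, real_digest),
        "random_answer_guessed_as": guess_answer(SCRAPED_FACTS, rand_salt, rand_digest),
    }


if __name__ == "__main__":
    print(demo())
```

Two design notes. Normalization is applied before hashing precisely because of the phone-agent problem raised above: a plausible false answer such as a made-up teacher's name still has to match when it is typed slightly differently or spoken aloud, whereas a random string like `nTAblfF85f` only works through a channel where it can be pasted. And the attacker's loop is bounded by the same PBKDF2 cost as a legitimate check, which is the whole reason to hash answers instead of storing them in the clear as many sites still do.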
      • #221358

        ” if there is a credit card refusal for security reasons, phone banking is the only way to resolve it”

        I agree. That’s how I would resolve any such issue too, but when referring to the desirability of avoiding phone banking I was talking about accounts that are routinely managed only over the phone.

        Local bank branches may operate differently in the US compared to the UK, and I believe you have a lot more purely local banks in the US. In the UK the banking sector consists of a handful of national/global banks and they are currently closing local branches and ATMs on a massive scale, hence the need to do everything possible to keep them open if you use them.

        Incidentally, I only use ATMs that are sited inside a bank, be it my own or a different one. They can still be compromised if the whole computer system is hacked but cannot have skimmers attached to them unlike unsupervised ATMs outside in the street.

    • #220758

      Susan,

      The steps I take are:

      1. Use different email accounts for social networks and financial accounts.

      2. Use a password manager to generate very long, complicated passwords.

      3. Enable 2FA on all accounts that support it.

      4. Use a different credit card for all on-line automatic payments, so if a card gets compromised at a restaurant or store it doesn’t affect my automatic payments.

      5. Balance all bank accounts and credit cards monthly (yes, I save all my CC receipts).

      6. Pull my credit report 3 times a year, once from each of the main services (spaced 4 mo. apart), so I can keep an eye on my credit w/o subscribing to a service.

      7. Placed a freeze on all three major credit reporting agencies.

      8. Avoid dodgy web sites!

      9. Use ScriptBlock, Privacy Badger, and uBlock Origin in Chrome & FF.

      10. Facebook set to Friends ONLY!

      FYI: I just tried out the new Firefox service to check compromised email accounts. Financial email not found; social media email account compromised in the LinkedIn breach. Sure glad I use a different password on all accounts!

      HTH 😎


      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

    • #220790

      Paranoia? Does that mean we are wiser to ignore it as fake news?
      I go back to the source – the human factor.
      Proof – even 2FA is a huge breach of security and privacy when the mind behind it (such as FB) is intent on collecting it (with your consent) but using/selling it for a different purpose.
      How do you prevent those legal crimes? Yes, it’s legal, since the user volunteers the info,
      but criminal, as when the agency got the data they used it for a different cause (you don’t even know).
      Same as the security at the airport with fingerprints and facial scans.
      Now even the airline staff are required by their job to scan and keep a copy of your passport for ‘security’ reasons.
      Since when does a private airline company get the right to scan our passport AND keep a record of it?
      What law has granted them such power?
      Does anyone even notice that? Or are most people just unaware of the law and its implications?
      Further to say, the airline company (or someone in the company) can sell your passport info to the market?
      What good is the ‘national security’ reason when they respect no human rights? Again – as said – it’s the persons/company behind it and their ‘other’ business (usually money related),
      and usually they are a very small bunch of people.
      M$ could be a friendly and fabulous company but they (somebody there) have CHOSEN NOT TO.
      Paranoid or REAL?
      If there are no ethics and morals in the person, then the person is likely to discount the humanity in others, and see others as ‘their job to deal with’ or ‘a buck to be made’. In turn this mindset will make the person lose even more of his humanity and human sense until it spirals down to ‘a black hole that has no return’. That place with that kind of people would not resemble the earth we once knew and called ‘HOME’.

      Back to fishing for better dreams.

    • #220791

      I don’t agree in the US that online banking will kill off our local branch offices.

      rc-primak, it will destroy local branch offices. Two branch offices in my town were closed because of online banking. There were too few customers coming to the branches. Now I have to drive 20 min (or 40 min with traffic) to get to another local branch.

    • #221043

      It has already destroyed local banks. Many local branches have been closed. My email statements were sent to the wrong email for months; the bank mixed up the email addresses of several accounts. When I switched back to paper they charged me for it. How can banks rob you more? Online banking is too messy and too many errors are made by banks.
