A Different Key for Everything that Matters

A colleague of mine recently learned a difficult lesson when her computer was stolen from her car. At first, she was mostly concerned about having lost all of the work (she’s a writer) that was stored on her machine. Sadly, there was a lot more than poetry at stake: her entire identity was at risk.

While using one password for all the secure sites she visited seemed smart at the time, it turned out to be a disaster. It was anything but smart. One little password gave the thief access to literally every aspect of her life: banking records, bills, medical records, emails, social networks and more.

To put this in perspective, think of what we already do in the real world. We have a different key for everything that matters – house, car, safe-deposit box, gym locker, work, file cabinet, desk drawers, etc. And yet, many of us do what my colleague did — use the same password across multiple websites from social media to online banking to shopping sites. Many of us learn the lesson of safeguarding personal security after it’s too late.

The good news is that this kind of privacy invasion can be avoided with some relatively easy steps. Exercise caution in choosing passwords by selecting passwords that can’t easily be connected to you. Names of loved ones and important dates (births, anniversaries) are too easy to guess. Passwords that contain combinations of numbers, characters, and letters are great choices. If you have a laptop you frequently travel with, even if it’s just to your local coffee shop, consider turning off your browsers’ password storage function. You’ll notice this function when a pop-up comes up asking you if you want to store this password.

Most importantly, use a different password for every site that matters, just like you do with your keys. Examples of sites that matter are sites for banking, mortgage payments, bill pay services, online shopping, and social media sites where you share your personal life with family and friends. If all your passwords are the same and someone fraudulently obtains your login info for one site, they will have obtained ALL your passwords in one small coup.

Different logins for everything might sound daunting but not only is this the single best way to protect your valuable information, it is also not as terrible as it sounds. Thankfully, there are many password storage sites and pieces of software that are fairly priced or totally free that will help you keep track of your passwords. For example, try using software like Password Locker to keep all of your passwords organized and secure.
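To make the two habits above concrete, here is an added example (not code from the original post or from any password product it mentions) that checks a candidate password against the advice given: it flags passwords built from loved ones' names or significant dates, requires a mix of character classes, and then scans a small constructed "vault" of site passwords for the reuse the post warns about. The minimum length of 12 and the list of date formats are assumptions for this example; the post sets no numbers.

```python
"""Checks for the habits the post recommends: passwords not tied to you, mixed
character classes, and no password shared across sites. Added example; thresholds
and sample data are constructed here, not taken from the post."""
from __future__ import annotations

import re
from datetime import date

MIN_LENGTH = 12  # assumed policy value; the post gives none
# Common ways a birthday or anniversary gets typed into a password.
DATE_FORMATS = ("%Y", "%y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%m%d%y", "%d%m%y")


def has_personal_info(password: str, names: list[str], dates: list[date]) -> bool:
    """True if the password embeds a family name/pet name or a significant date."""
    low = password.lower()
    if any(name.lower() in low for name in names if len(name) >= 3):
        return True
    return any(d.strftime(fmt) in low for d in dates for fmt in DATE_FORMATS)


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit and symbol appear (the post's 'combinations')."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def assess_password(password: str, names: list[str], dates: list[date]) -> list[str]:
    """Return the list of problems found; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if character_classes(password) < 3:
        problems.append("too_few_classes")
    if has_personal_info(password, names, dates):
        problems.append("personal_info")
    return problems


def find_reused_passwords(vault: dict[str, str]) -> list[list[str]]:
    """Group the sites in a {site: password} vault that share one password.
    Only site names are returned, so the output is safe to show the user."""
    by_password: dict[str, list[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return [sorted(sites) for sites in by_password.values() if len(sites) > 1]


if __name__ == "__main__":
    # Constructed sample: a pet's name, one anniversary, and a vault with reuse.
    names, dates = ["Fluffy", "Sam"], [date(2009, 5, 14)]
    vault = {"bank": "vX7$quartz-Lamp", "email": "Fluffy2009",
             "shop": "Fluffy2009", "social": "Fluffy2009"}
    for site, pw in vault.items():
        print(site, assess_password(pw, names, dates) or "ok")
    print("reused across:", find_reused_passwords(vault))
```

Run it as a script to see each site's verdict; the reuse check is the one a password manager does for you, which is why the post's suggestion of using one is the practical way to keep every login different.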

Choosing hack-proof passwords and different log-ins for different sites have saved thousands of people money, time, and hassle by making their personal and financial information that much more secure.

And we can all appreciate a little more security and peace of mind online.

Don’t Remind Me Later

Imagine a bunch of scammers and hackers sitting around in a dark room together. They’ve just created brand new viruses that will invade your life by invading your computer to steal your banking information, take all your passwords, send threatening emails to all your friends, make all your personal photos public, and… And, they’ve devised a simple and yet genius way to get it into your laptop or smartphone that’s always connected to the Internet using some of the hundreds of software pieces that run on your computer.

Amazingly, software providers have also just figured out a way to block these viruses. But the only way this will work is if you update your laptop or smartphone with the latest security updates they have just sent you. And out of sheer courtesy, they are asking you if you want to update now or “Remind Me Later.”

What are you going to do? What do you do nearly every time you see that nice “Remind Me Later” button looking so sweetly at you while you’re busy updating your Facebook or sending an IM or working on a work email? We all do it. We all tell our friends who are trying to protect us to come back another time. You’re OK leaving all the doors and windows wide open for the bad guys to break into your life. You’re OK with giving your life away to some stranger in a dark room on the other side of the world.

This scenario might sound dramatic, but, it’s really not. The “Remind Me Later” button is not your friend. In fact, it is probably the most dangerous ‘button’ you can push.

Let’s put this in perspective. If robbers had figured out how to turn off your home alarms or break into your house, would you fix it right away or put a note in your calendar to “Remind Me Later?” Similarly, we don’t ask someone to remind us to lock our car later if we know we have left it unlocked. The same is true for every security measure we take in our real lives.

And yet, we hit that “Remind Me Later” button as quickly as we can, like we’re playing whack-a-mole at an arcade.

Some people complain that security updates take too long, are too cumbersome, and bog down their computers. That was true…about 10 years ago. With today’s high speed systems, security updates can run quietly in the background. Kind of like the locksmith who can do his thing, while you’re busy doing yours in the house.

Hackers are literally creating and launching new viruses every day. That means that these invaluable updates are needed frequently. Every time a software provider figures out a way to block the bad guys, they send out an update. They have effectively put a new lock in an existing door, ensuring the safety of your personal life.

So, next time the dialogue box appears asking if you want to run a security update now, just remember the “Remind Me Later” button is not your friend.

Taking a Moment to Pause With Phone Hacking Scandal

For companies that can be broken if their security breaks (anything from email providers, to cell phone providers), headlines like “Phone Hacking Scandal” should garner special attention. The latest “phone hacking” scandal involving allegations that reporters at News of the World listened to or tampered with voicemails of, potentially, over 10,000 victims, has left many in shock and wonderment. But, as with any crisis, we can use this as an opportunity to take a moment to pause and consider what we can learn from it.

The word “hack” implies that a highly technical break-in into a security system occurred, as in the case of the recent CIA breach. What appears to have happened in the phone hacking scandal is really not a ‘hack’ at all carried out by highly technical criminals.

Reporters, allegedly, used some pretty simple tactics, exploiting voicemail procedures by using them in the way they were supposed to be used. When a customer purchases a new cell phone, a default password is set up for accessing voicemail. Often, it’s a simple 4-digit number such as “1111” or “0000” or the last 4 digits of the customer’s cell number. Unfortunately, most people don’t personalize these passwords once they have the phone. Hence, a stranger can call a cell phone and when the subject doesn’t answer, they can simply put in the standard password for the carrier and gain immediate access to voicemails. Here is some more info on just how all this can happen.

Unfortunately, this isn’t the only way people can get into voicemails. Social engineering, a term now used to denote unethical or illegal practices involving impersonation and manipulation, is a very effective means by which people can gain access to voicemails or information. So instead of hacking into a secure system, the bad guy can simply call the cell carrier’s support center, impersonate an actual cell phone customer, and obtain the password for the voicemail. The customer never knows this happened.

And herein lies an opportunity for cell carriers to pause and consider what types of security mechanisms are in place to thwart the social engineer. For example, consider providing any customer who calls a temporary one-time use password that forces a password change once it is used. Then text and email the customer to inform them of what just occurred in case it was a social engineer who got through all the mechanisms already in place. Also, consider whether two-part security, security that involves what a customer knows and what a customer has, can work for you. With two-part security, a customer would need to provide info to the customer service rep to recover/replace a forgotten password, and then would have to have the cell phone in hand where the reset info is sent. A social engineer who succeeds in one part ends up getting only half the info needed to succeed. Finally, consider whether the default passwords freeze if they are not changed within a certain period of time from purchase.
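The mechanisms proposed in this paragraph, together with the default-PIN weakness described two paragraphs earlier, can be modelled as a small voicemail-access policy. The following is an added example written for this page; it is not any carrier's system, and the grace period, the temporary-PIN lifetime, the code lengths and the sample phone number are all constructed assumptions. It shows a default-PIN detector, a freeze for mailboxes still on the default after the grace period, a support reset split into a knowledge part (the rep verifies the caller) and a possession part (a code sent only to the handset), a one-time temporary PIN that is accepted exactly once and forces a change, and a notification recorded on every reset event so the real customer learns what happened.

```python
"""Voicemail PIN policy modelling the carrier-side controls the post suggests.
Added example: all policy values and sample data are assumptions, not a real carrier's."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DEFAULT_PIN_GRACE = timedelta(days=30)     # assumed: freeze if still on the default PIN after this
TEMP_PIN_LIFETIME = timedelta(minutes=15)  # assumed: one-time PIN from support expires after this
CARRIER_DEFAULTS = {"0000", "1111"}        # the factory defaults the post describes


def is_default_pin(pin: str, phone_number: str) -> bool:
    """True for the weak defaults the post describes: 0000, 1111 or the line's last four digits."""
    last4 = "".join(c for c in phone_number if c.isdigit())[-4:]
    return pin in CARRIER_DEFAULTS or pin == last4


@dataclass
class Mailbox:
    phone_number: str
    pin: str
    activated_at: datetime
    pin_changed: bool = False            # customer has personalised the default PIN
    frozen: bool = False                 # locked until a PIN change via the reset flow
    temp_pin: str | None = None          # one-time PIN handed out by support
    temp_expires: datetime | None = None
    possession_code: str | None = None   # delivered to the handset, never read to the caller
    notifications: list[str] = field(default_factory=list)

    def notify(self, message: str) -> None:
        """Stand-in for the text + email the post recommends after any reset activity."""
        self.notifications.append(message)


def enforce_default_pin_freeze(box: Mailbox, now: datetime) -> bool:
    """Freeze a mailbox whose default PIN was never changed within the grace period."""
    if not box.pin_changed and now - box.activated_at > DEFAULT_PIN_GRACE:
        box.frozen = True
    return box.frozen


def login(box: Mailbox, pin: str, now: datetime) -> str:
    """Returns 'ok', 'must_change' (a temporary PIN was consumed) or 'denied'."""
    # A temporary PIN only exists after the possession check passed, so it is honoured
    # even on a frozen mailbox, but exactly once and only while still fresh.
    if (box.temp_pin is not None and box.temp_expires is not None
            and now <= box.temp_expires and secrets.compare_digest(pin, box.temp_pin)):
        box.temp_pin = None
        return "must_change"
    if enforce_default_pin_freeze(box, now):
        return "denied"
    if secrets.compare_digest(pin, box.pin):
        return "ok"
    return "denied"


def change_pin(box: Mailbox, new_pin: str) -> bool:
    """Accept only a personalised numeric PIN; assumes the caller already passed login()."""
    if not (new_pin.isdigit() and len(new_pin) >= 4) or is_default_pin(new_pin, box.phone_number):
        return False
    box.pin = new_pin
    box.pin_changed = True
    box.frozen = False
    return True


def support_reset_begin(box: Mailbox, knowledge_verified: bool) -> bool:
    """Part one (what the customer knows): the rep verifies identity but hands nothing over.
    The reset code goes to the handset, so an impersonator on the line never hears it."""
    if not knowledge_verified:
        return False
    box.possession_code = f"{secrets.randbelow(10**6):06d}"
    box.notify(f"sms:{box.phone_number}:reset-code:{box.possession_code}")
    return True


def support_reset_complete(box: Mailbox, presented_code: str, now: datetime) -> str | None:
    """Part two (what the customer has): only the code from the handset unlocks a
    one-time temporary PIN, and the customer is told either way."""
    if box.possession_code is None or not secrets.compare_digest(presented_code, box.possession_code):
        box.notify(f"email:{box.phone_number}:failed-voicemail-reset-attempt")
        return None
    box.possession_code = None
    box.temp_pin = f"{secrets.randbelow(10**6):06d}"
    box.temp_expires = now + TEMP_PIN_LIFETIME
    box.notify(f"sms+email:{box.phone_number}:voicemail-pin-reset-by-support")
    return box.temp_pin
```

The point of the split is visible in `support_reset_begin`: a caller who talks their way past the rep gets nothing usable, because the only secret produced goes to the handset, and the notification list is what the real customer would see if that ever happened.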

Each company will have to weigh everything from customer experience to ease of use to adoption rates when determining what type of security works best for their user base. Note that many carriers have been working towards these goals and should be commended for their work.

The ability to convert challenges to opportunities can be a major asset for a forward-thinking, security-conscious company. So, take heed of the latest events in the news and pause to reflect on what more can be done to protect the most valuable asset any company has – the trust of its customers.