Posts

How to use two-factor authentication for critical accounts

Have a small business? Great. Have two-factor authentication for your accounts? If you’re not sure of the answer to that question, you could be in trouble. October is National Cyber Security Awareness Month, the perfect time to learn more about cyber security. As a small business owner, you certainly have thought about data breaches. They don’t just happen to giants like Target and Sony. The common thread in many data breaches is that the hackers got the password.

5DOnce a hacker has a password, they often can get into the account, even if a username or other information is required. But suppose the hacker, mouth drooling as he’s about to break into your business accounts with your password and username, types in this login information and then sees he’s blocked unless he enters a one-time passcode? That’s a form of two-factor authentication. Game over for Joe Hacker.

Two-factor authentication may mean a different login, every time you login, even on the same day, and only YOU have it. It’s sent to your e-mail or phone. Setting up two-factor authentication differs from one platform to the next. See the following:

PayPal

  • Click “Security and Protection” in the upper right.
  • At bottom of next page, click “PayPal Security Key.”
  • Next page, click “Go to register your mobile phone” at the bottom. Your phone should have unlimited texting.
  • Enter your phone number; the code will be texted.

Google

  • At google.com/2step click the blue button “Get Started.” Take it from there. You can choose phone call or text.

Microsoft

  • Go to login.live.com. Click “Security Info.”
  • Click “Set Up Two-Step Verification” and then “Next.” Take it from there.

LinkedIn

  • At LinkedIn.com, trigger the drop-down menu by hovering over your picture.
  • Click “Privacy and Settings.”
  • Click “Account” and then “Security Settings.”
  • Click “Turn On” at “Two-Step Verification for Sign-In.”
  • To get the passcode enter your phone number.

Facebook

  • In the blue menu bar click the down-arrow.
  • Click “Settings.”
  • Click the gold badge “Security.”
  • Look for “Login Approvals” and check “Require a security code.”

Apple

  • Go to appleid.apple.com and click “Manage Your Apple ID.”
  • Log in and click “Passwords and Security.”
  • Answer the security questions to get to “Manage Your Security Settings.”
  • Click “Get Started.” Then enter phone number to get the texted code.

Yahoo

  • Hover over your photo for the drop-down menu.
  • Click “Account Settings.”
  • Click “Account Info.”
  • Go to “Sign-In and Security” and hit “Set up your second sign-in verification.”

Type in your phone number to get the texted code. If you have no phone you can get receive security questions via e-mail.

The prevention tactics above apply to businesses and really, everyone. Employees should be rigorously trained on proactive security and tricks that cyber thieves use.

Being cyber aware also includes backing up your data to a secure offsite location. Back it up with Carbonite, and receive 2 free bonus months with purchase of any subscription through the end of October by entering code “CYBERAWARE” at checkout.

Robert Siciliano is a personal privacy, security  and identity theft expert to Carbonite discussing identity theft prevention. Disclosures.

Why You Should Use a Password Manager

Most experts in cybersecurity suggest that computer users utilize a password manager, and I think they have a great point. These managers ensure that you can use a unique, strong password for all online account. On the flip side, there are naysayers that state a password manager isn’t as safe as you might think, as if the master password is discovered, it could give someone access to all of your information. So, who is right?

3DAccording to a recently concluded survey conducted by uSamp and sponsored by Siber Systems, creators of the RoboForm Password Manager, only 37% of survey participants use passwords that contain both letters and numbers. And only 8% report using a password management system, which can automatically create strong passwords for every site and change them frequently.

Here are some things to keep in mind:

Singing Praises for Password Managers

Why do some experts sing the praises for password managers?

  • Password managers allow you to use the most secure passwords, and allow you to use a different password for every account.
  • Since most websites have their own requirements for a password, you won’t become frustrated every time you log in, and you won’t have to remember if the ampersand is before or after the capital “S.” Besides, no one can remember every single password and username combination.
  • These password managers can work across all devices and on all browsers.

The Possible Downside of Password Managers?

Though there are certainly benefits of using a password managers, some people share their concerns with this software and state some of the following reasons:

  • There is a chance of a hack, albeit a small one, and if someone discovers a master password, they have access to everything including banking and personal information.
  • You also don’t know how secure these password managers really are, especially if it is an online password manager, such as one associated with a web browser, as the data may not be encrypted properly.

Looking At Both Sides of the Fence

When looking at expert opinion, you will typically find that most of them fall somewhere in the middle when it comes to using a password manager. These people see password managers as useful, but people should use them with caution.

  • Only use applications that have good reputations and those that do not rely on third parties
  • Use password managers that alert you immediately of a breach
  • Remember, a password manager is only as strong as the master password. This password should be strong, unique and changed often.

Good or bad, it’s probably better to be safe, rather than sorry. As with anything, be smart with your password manager, and you should have no issue with its effectiveness.

Robert Siciliano is a personal privacy, security and identity theft expert to RoboForm discussing identity theft prevention. Disclosures.

What is a Password Manager?

Many people, including myself, make mistakes with their passwords and use them on site after site. To remain safe, it’s important to use a unique, strong password on every site you visit. How do you do this the easy way? Use a password manager.

2PAccording to a recently concluded survey conducted by uSamp and sponsored by Siber Systems, creators of the RoboForm Password Manager, the results indicate that people have some idea of the scale of the password challenge: More than half said they felt stressed out by the number of things they have to remember on a daily basis at work, and 63% reported that they’d either forgotten a password or had a password compromised at some point during their professional career

A password manager can solve this issue. A password manager is a type of software that stores login information for all the sites you commonly use, and the program helps you to log in automatically each time you browse to a particular website.  This information is stored in a database, controlled with a master password, and is available for use at any time.

Word of Warning: Don’t Reuse Your Passwords!

What is the big deal about reusing your passwords? It could be really damaging:

  • If your password is leaked, scammers will have access to information such as your name, email address and a password that they can try on other websites.
  • A leaked password could give scammers access to online banks or PayPal accounts.

What is It Like Using a Password Manager?

The first thing you will notice when using a password manager is that it will take a lot of weight off of your shoulders. There are other things you will notice, too:

  • You first visit the website as you normally would, but instead of putting your password in, you will open the password manager and enter the master password.
  • The password manager will automatically fill in the log in information on the website, allowing you to log in.

Think About it Before You Use a Web-Based Password Manager

Yes, there are web-based password managers out there, but there are problems associated with them:

  • All major browsers have password managers, but these cannot compete with a full password manager. For instance, they store the information on your computer, and this is not encrypted information meaning scammers can still easily access it.
  • These managers cannot generate passwords randomly, and they don’t allow for syncing from platform to platform.

Get Started With a Password Manager

If you are ready to get started with a password manager, the first thing to do is choose your master password:

  • The master password must be very strong, as it controls access to everything else
  • You should also change your passwords on every other site to a stronger password
  • Make sure your passwords have capital letters, symbols and numbers for the strongest password combination

Robert Siciliano is a personal privacy, security and identity theft expert to RoboForm discussing identity theft prevention. Disclosures.

Passwords in Real Life: Don’t be Lazy

It’s tough being responsible sometimes. And managing responsibilities for what is precious in your life usually takes a little extra thought.  Let’s say you’ve just welcomed a beautiful set of triplets into the world.  Lucky you . . . and lots to managed! But, you wouldn’t give all these babies the same name simply to make it easier to remember, right?

5DConsider this same concept as you manage other precious aspects of life, like your on line accounts. It may seem convenient – and easier to remember — to use the same password for all accounts.

But a single password across all accounts can also make it convenient for hackers to access your valuable information on these accounts.

Most of us have a number of accounts that require us to use and remember different passwords, which brings us to the question, “If we can’t use the same password for all of our accounts, how do you expect us to remember all of them?” The solution is easy.

You need a password manager.

A password manager will help you create an un-crackable password, and it will even give you a “master” password that will be able to get you into all of your accounts. That way you really will have only have one password to remember.

Password managers eliminate the need to reset passwords, and improve the security of your online accounts that contain your pertinent information. A password manager allows you to log into sites and apps using multiple factors that are unique to you, like your face and fingerprints and the devices you own.

Here are some useful tips for making strong and protected passwords:

  • Make sure your passwords are at least eight characters long and include numbers, letters and characters that don’t spell anything.
  • Use different passwords for separate accounts, especially for banking and other high-value websites.
  • Change your passwords frequently.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

Don’t Rely on the Password Reset

Think about your keychain. It probably holds the necessities: car keys, home keys, work keys, miscellaneous keychains you bought on your previous vacations. Now, imagine you have a keychain full of these keys that all look the same, but each only opens a specific door.

5DSounds kind of like your list of passwords, right? But what happens when you have all of these keys, and you need to get into your house? In either situation it can be easy to forget which key, or password, goes to what door or website.

So, back to the locked door situation, what do you do? A friend wouldn’t have a key that opens your house, and breaking down the door isn’t a good option for obvious reasons. Would you rely on a locksmith to come change the locks every time you forget your key? That would get old very quick.

It’s essentially the same thing when it comes to your passwords. It’s almost like you’re having to call a locksmith every time you want to get into your house because every time you leave, the lock changes. If you wouldn’t rely on a locksmith every time you want to open your house, why rely on the password reset? Step up your password game instead.

If you have loads of accounts and can’t deal with the hassle of creating and remembering long, strong passwords that are different for every account, then you need a password manager.

Not only will such a service help you create a killer password, but you’ll get a single “master” password that gets into all of your accounts. A password manager will also eliminate having to reset passwords.

Use these tips to make sure that your passwords are strong and protected:

  • Make sure your passwords are at least eight characters long and include mix matched numbers, letters and characters that don’t directly spell any words.
  • Use different passwords for separate accounts, especially for banking and other high-value websites.
  • Change your passwords frequently.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

Don’t Name Your Dog After Your Password

Recently I got a puppy for my child. We decided to name the puppy 4wgu23x5#9. My wife,8yysH3m, thought we should name the dog 0x2%#b5. But I’m sure she’ll get over it. Meanwhile, I’m helping my older child with setting up a few social media accounts, and I suggested the two passwords: Rover and Spot.

5DIs there something wrong with this picture?

Of course! But this picture replays itself millions of times over all the time, as people name their passwords after their pets, family members or favorite sports teams. Don’t do online what you wouldn’t do in real life.

When creating passwords remember that you should avoid using things that are personal to you and that could be easy for a hacker to find out about you. Things like your pet’s name, maiden name, birthday, name of your high school and child’s name can be easily found on social networks, making it even easier for hackers to crack your passwords.

Here are some other great tips to make sure that your passwords are strong and protected:

  • Make sure your passwords are at least eight characters long and include numbers, letters and characters that don’t spell anything.
  • Use different passwords for separate accounts, especially for banking and other high-value websites.
  • Change your passwords frequently.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

Check out Google’s Password Alert

Cyber crooks have phony websites that masquerade as the legitimate site you want to log onto. They’ve spun their web and are just waiting for you to fly into it. Google now has Password Alert, which will tell you if you’ve landed into such a non-Google web.

2DFor the Chrome browser, this extension will prompt the user to change their password.

When you change a password (regardless of reason) or sign up for a new account and it’s time to come up with a password…don’t just make up an easy word to remember or type.

  • No part of the password should contain actual words or proper names.
  • Each account, no matter how many, should have a different password.
  • If allowed, use a mix of characters, not just numbers and letters.
  • Use a password manager to eliminate the excuse of “I can’t remember a zillion passwords so that’s why I use the same one for multiple accounts.”

Even a strong password, when used for multiple accounts, can present a problem, because if that password gets in the hands of a cyber thief, he’ll then be able to access not just one—but all of your accounts with that password.

A different password for every account at least means that if any password gets into the bad guy’s hands, he’ll only be able to hack into one account per password.

And how might he get the password if it’s long, strong and full of different characters in the first place? By the user being tricked into giving it to him.

This is most often accomplished with a phishing attack: an e-mail that fools the user into thinking it’s from an account they have, such as PayPal, Microsoft or Wells Fargo. The message states there’s a problem with their account and they need to log in to get it fixed. The truth is, when you log in, you’re giving out your crucial login information to the villain.

However, Password Alert will intercept this process. And immediately, so that you can then quickly change the password and protect your account before the thief has a chance to barge into it.

Other Features of Password Alert

  • Many sites are phony, appearing to be legitimate Google sites. Password Alert will spot these sites by inspecting their codes when you visit them. You’ll then get an alert so you can get out of there fast.
  • Password Alert has a database that stores your passwords in a very secure way called a “hash.” This is the reference point that Password Alert uses every time you enter your password into the login field, to make sure you’re not entering it on a malicious site.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Lost your Master Password, do This

You have a master password, from your password manager, for 28 accounts. Life has been so easy since!

5DBut then you lose this master password. First off, you can’t fix this like you would if you forgot your password for PayPal or your credit card’s site. Plus, each password manager service has a different solution.

Yet how do you lose a master password in the first place? If it’s impossible to remember,then it may not be a good master password, regardless it should be written down somewhere in a secret location.

Lifehacker.com explains the requirements for various password manager services if you actually lose your master password.

Dashlane

  • A lost master password with Dashlane is like, well…imagine your backpack falling into a dark crevasse—gone forever—even if you have applications for your smartphone for Dashlane.
  • You’ll need to create a new account or reset the existing account, but either way, you must start from scratch.

1Password

  • You’re out of luck if you lose your master password—gone with the wind; you must begin all over again, just like with Dashlane.

LastPass

  • Offers a one-time password, after which you must reset your password
  • Requires the computer you’ve already been using LastPass for
  • You’ll need the associated e-mail account. Otherwise, you must begin everything from ground zero.

KeePass

  • Lose your master password with this and you’re done. You must start from scratch.
  • Don’t even bother trying to crack it because KeePass does have built-in protection.

Roboform

  • It’s too bad here, too. Resetting your password means losing all of your data.

Of course, you don’t ever have to be in this hairy situation in the first place.

  • Write down your master password and store it in a secret location; do this several times, even, and make sure the locations are ones you won’t forget.
  • Write down the one-time password or backup code for your service (if it has these features). Write it down in more than one location, e.g., tape a stickie with it on the underside of your desk may not be the most secure, but an option.
  • See if the service allows you to export your password, then do so. Then save it on your computer and also print it out for a hardcopy duplicate. For better security don’t store it in your computer but instead in a USB drive (in addition to hardcopy).
  • See if the service provides a feature for emergency contacts, then set this feature up.
  • Back up all of your data as a general rule.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

Keyloggers log wirelessly

Gee, it sounds like something out of one of those 1970s TV shows about government spies, but it’s reality: Plug this little thing into a wall socket and it records the keystrokes of a person nearby typing into a Microsoft wireless keyboard. The little gadget sends the information back to the gadget’s owner over the Internet.

1DThe device looks like a USB wall charger, and this “KeySweeper” can be created with instructions from Samy Kamkar, a hardware hacker and security researcher who developed the gadget.

An article on threatpost.com explains that KeySweeper can alert its operator when keystrokes spell out something that the thief-operator would be interested in, such as a bank’s website address. The device continues working even when removed from the wall socket.

As for making a KeySweeper, Kamkar says that it’s not wise for a person without strong knowledge of electrical things to attempt to construct one.

To remain as inconspicuous as possible, the KeySweeper relies upon low profile hardware and very low power. It can also be powered by a battery because it’s installed inside a USB wall charger. So if you unplug the device (and thus disconnect it from A/C power), KeySweeper is still going, relying on its battery inside.

And if you think that KeySweeper is difficult to detect, you’re correct. It could be sitting in someone’s lap one table over from you at the Internet cafe and recording your keystrokes.

Your only protection then would be to use a keyboard that requires an electrical cord, or, a wireless one that’s not from Microsoft. Kamkar’s device works only with Microsoft because of the technological compatibility that Microsoft’s wireless keyboards have with the gadget. It is likely however that devices such as this will become more common and will also work with other keyboards.

So how do you protect yourself? Seems difficult if not impossible. One way would be to reduce the amount of data that could be exposed. The most sensitive data is generally passwords and credit card data. A password manager will enter all this data for you and not require keystrokes. This is the most effective and secure “autofill” available that bypasses keystrokes.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

4 Tips for Spring Cleaning Your Digital Life

Spring is in the air (if you’re in the northern hemisphere) and it’s traditionally a time to clean every nook and cranny and get rid of excess stuff in your house. But it’s also a good time to clean up your digital life. Just like your house, your digital life needs a good cleaning once in a while, but sometimes this can seem like a daunting task, so here’s some tips for you to get started.

http://www.dreamstime.com/stock-images-online-risks-sign-road-banner-image34668294First, begin by emptying your trash or recycle bin on your computer and clearing your browser cache of temporary files and cookies, both of which will free up valuable space on your hard drive, then follow these tips for cleaning your digital presence.

  1. Clean up apps and files. Are some of your apps gathering dust? Do you have files from high school (and it’s been years since you graduated)? If you’re not using these items, think about deleting them. Clearing out old, outdated and unused apps, programs and files leaves more space and memory on devices to fill with things you use.
  2. Back up your data. Our devices are a treasure trove of family memories like pictures and videos and they also often include key documents like tax forms and other sensitive information. None of us would want to lose any of these items, which is why it’s important to back up your data, and often. Back it up to both a cloud storage service and an external hard drive—just in case
  3. Review privacy policies. Are your accounts as private as you want them to be? Take the time to review the privacy settings on your accounts and your apps so you understand how they use your data. This is important for your social media accounts so you can choose what you want or don’t want to share online. For a good resource on social media privacy, see this article. This is also critical for your apps as many apps access information they don’t need. In fact, McAfee Labs™ found that 80% of Android apps track you and collect personal info–most of the time without our knowledge.
  4. Change your passwords. It’s always a good to idea to change your passwords on a regular basis and there’s no better time during a digital spring cleaning. To help you deal with the hassle of managing a multitude of usernames and passwords required to manage your digital life, use True Key™ by Intel Security. The True Key app will create and remember complex passwords for each of your sites, make them available to you across all of your devices, ensure that only you can access them simply and securely using factors that are unique to you, and automatically logs you in when you revisit your sites and apps—so you don’t have to.

So before you consider yourself done with your spring cleaning, make sure you finish this last bit of spring cleaning with these tips, and you’ll be well on your way to cleaning up your digital life.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.