Security Audit
The difficulty of evaluating, and if necessary putting into place, the various things discussed above ranges from simple to pretty geeky.
Some of these risks are mitigated with technological solutions, some with education/tutoring to recognize and avoid, and some simply by having read this article and being aware.
To the extent you aren't comfortable or confident in adopting some of these precautions or knowing which things are/should be important to you, then I can assist you with those.
Password Hygiene
This is the biggie. Here are my five recommendations for good password security. These are all important, but the first two especially so.
1. Passwords must be unique. You don't want a cybercriminal logging into your bank or Amazon account because you reused the password from some other web site that got hacked. Yet this happens all the time. If you use a unique password for every account and website, any password breach will be limited to just that one breached account. And it's not enough to just put a "1" at the end of your favorite, use-everywhere password.
2. Passwords must be long. Today's best passwords are a long string of uppercase letters, lowercase letters, and numerals. At 20+ length, you can do without special characters unless a website requires one. Non-complex passwords are easier to type, even if they are longer. My passwords are all 20+ characters long, depending on what the web site allows.
3. Use a Password Manager. We are long past the era of people needing to commit their passwords to memory. You should be using a password manager to do the remembering. And I don't mean putting them in your contacts, either! All browsers, iPhone, and Android phones have their own password managers baked-in. Use them!
Caveat: Password managers that are baked into the browser won't work with any other browser. If you use only one browser, such as Google Chrome, that's not a big deal. But if you like to have multiple browsers installed, as I do, and if you want your passwords to sync between them, then you'll need a 3rd party password manager that is browser agnostic, such as 1Password.
Another benefit to a password manager, either baked-in or 3rd party, is that it can detect a bogus, look-alike web page asking for credentials and refuse to provide them. You, silly human 😁, might easily be tricked by sophisticated and convincing (but bogus!) password prompts. But your password manager won't be tricked.
There are lots of 3rd party password managers. Here's a PC Magazine article outlining several. No, they aren't free. But the few dollars they cost are well worth the added protection you'll receive since you'll now be using strong and unique passwords. But, again, if you use only one browser, then you can simply use its free built-in password manager.
4. Fib when setting up your security questions. Most websites automate the "I forgot my password" self-recovery feature. When you first create an account, with your bank, for example, they'll often ask you to provide answers to a menu of questions like your mother's maiden name, the street you lived on when you were a kid, the name of your first pet, the name of your high school, stuff like that. This is called knowledge-based security. Problem is, a lot of that information is discoverable online either through social media or from Big Data (more on that below).
But if you provide fake answers to these questions, then no one else can use the actual truthful answers to reset your password to gain access. Of course, you must write down those questions and fake answers you give in the dedicated password spiral notebook that you should have as a backup to the password manager.
5. Use Two Factor Authentication (2FA) when available. 2FA is when you type in a numeric code that's texted to your phone, or better yet, displayed by a code-generating app like Google Authenticator, when you log into an account that's 2FA protected. The idea is that even if a criminal figures out your password (like from a breach), they will then hit the second-factor roadblock. No phone, no code, no access! Rather than waste time, they'll usually move on to the next victim. It's not perfect, but it goes a long way to securing your account.
Some services, like Gmail, let you trust your commonly-used computers and devices so you aren't pestered for a 2FA code each time you login. But a login attempt from an untrusted computer, like a criminal using an internet cafe in Bangladesh, will prompt for the code -- and that's the protection. You can think of the 2FA code as a second, randomly generated password.
We've long since hit "peak password" -- the flaws are that obvious and glaring. Best security practices are, albeit very slowly, moving away from passwords. One approach is using the 2FA code as the primary, and only, passcode with various options for what to do if you lose your device.
Never store passwords in your phone's contacts or address book.
More on passwords here.
Security 101
Staying safe and maintaining privacy these days is difficult, to say the least. Nearly everyone is trying to get your data -- the more sensitive the better.
So here's an article that offers an overview of many things that'll help keep you safe and secure online, your computer and data safe, and privacy maintained. Well, at least better than it would be otherwise. We'll discuss a bunch of topics and go into some detail about each.
There are also some links to further reading in some of the topics.
I've arranged these more or less in order of importance, so you ought to do the higher-up things first. But, really, it's all important.
I mean, anything you can do to reduce the already significant chances of being swindled, having your private information breached, etc. is worth doing, yes?

About Your Credit
Freeze your credit file!
One of the main reasons that identity theft happens is to establish credit in the victim's name. But freezing your credit file fixes that.
You can easily freeze your credit yourself with all the major credit bureaus at no charge. Why is this important? When your credit file is frozen, then potential lenders cannot examine your credit worthiness. So if a bad actor tries to get new credit in your name, the credit grantor being applied-to cannot access your file. Application denied.
When you need to open a new line of credit, such as getting a car loan, applying for a mortgage, or a new credit card, you can temporarily lift the freeze for, say, 15-30 days. Then you apply for the needed credit. The freeze will be automatically reapplied.
Credit freezes have been around since the mid-aughts yet only around 17 percent of Americans have frozen their credit file. It's pretty dang disappointing that 83% of us aren't taking advantage of this free and extremely effective service. Don't be one of them.
Freezes must be individually placed with each credit bureau -- they do not automatically convey between the bureaus.
Here are the links to freeze your credit file with the three well-known credit bureaus and a fourth, lesser-known credit bureau:
Freezing your credit is that important. Please don't lollygag. Go ahead, I'll wait...
Credit monitoring
Companies like LifeLock and even the credit bureaus themselves offer credit monitoring that promises to alert you when certain changes appear in your credit file such as new credit being granted in your name. That may sound good, but it's really akin to having your neighbor watching your house and calling you if someone is carting away your TV set and silver. In other words, it's reactive. Freezing your credit, however, is proactive, keeping them out in the first place.
Since credit monitoring can only catch what appears on your credit file, types of fraud that don't appear on your credit file would be missed. Credit monitoring will not detect tax fraud, where someone claims a tax refund in your name. (See the next section for more on tax-related identity theft.) Nor will it detect claims for benefits under Social Security, welfare, Medicare, Medicaid, or unemployment insurance.
This isn't to say that credit monitoring is totally useless. It could detect fraudulent use of an existing line of credit. But you'd be likely to see that anyway by checking your statements and when the bills start arriving. It's probably not worth the cost, which can be several hundred dollars per year. But only you can decide that.
Fraud alert
A fraud alert is a statement that you can place in your credit file saying that you've been a victim of fraud, warning credit issuers that they need to be extra careful before granting credit. It's better than nothing, but not nearly as good as a credit freeze. That's because credit grantors may not exercise sufficient extra care, meaning they may grant credit anyway, possibly to a convincing-enough bad actor.
You only need to place your fraud alert with one credit bureau and it'll be shared with the others. And it's temporary, lasting one year, last time I checked.
Breach-related credit monitoring
When your personal data is compromised in a breach, you may be offered one or two years of free credit monitoring, typically paid for by the company that was breached. You may have already received such offers in the mail. However, be cautious before accepting these offers. As the saying goes, "There’s no such thing as a free lunch." These offers often come with an underlying ulterior motive: the agreement may contain a binding arbitration clause that would prevent you from pursuing legal action, including participating in any class action lawsuit that could arise from the breach.
Binding arbitration is a process where a private party, typically an arbitrator, rather than a court of law, examines the case and determines who "wins" and what, if any, award is due. This process is almost always paid for by the company you are seeking redress from, which presents a potential conflict of interest and could influence the outcome. For this reason, many legal experts advise against agreeing to binding arbitration as it can limit your ability to pursue a fair resolution.
If you suffer actual damages from identity theft linked directly to the breach, you could be waiving your right to sue or join any class actions that may arise. This is particularly concerning when the breach has caused you significant harm.
---
What's really needed is a top-to-bottom overhaul of how credit is applied-for, approved, and reported-on. We've made some piecemeal improvements over the years, but significant progress toward this end has been elusive.
Backup Your Data
If you have locally stored data, such as pictures, videos, your taxes, and other important files, then you need a backup system to protect against loss.
Security software, like what is included with Windows and Mac, may help* protect you against malware, but it won't protect you from data loss due to fire, flood, theft, equipment failure, or even your own carelessness. For that, you need a data backup system. There are local solutions and cloud-based solutions, each with their own pros and cons. The time to back up is now, before data loss occurs.
* Nothing is bulletproof. Having a backup may be the only way to recover from a ransomware infection.
Local solutions (external storage devices) are cheaper over the long run, are much faster, and, with the right software, will back up everything, including the operating system, data, applications, and all your settings.
Cloud solutions cost a lot more over the long run (they are subscription-based), take longer, especially for the first backup, and may not save every file. But depending on your use case, there may be reasons to consider a cloud-based backup as a secondary backup system.
More on data backup.
Secure Your Laptop
Laptop theft is rampant because it's so easy to pull off. A Kensington survey found that as many as 1 out of 10 laptops will be stolen during their lifetime. Gartner, a well-respected tech research firm, found that a laptop is stolen every 53 seconds. Whatever numbers you read, the takeaway is the same: Lots of laptops are stolen every year from airports (especially in the security screening area), cars, offices, and public places.
Laptop data security is an absolute must. Just having a login password won't cut it, either, because any half competent criminal (or an I.T. guy like me) can bypass that. Full disk encryption (such as BitLocker) combined with a strong password and aggressive lockout policy is the solution.
And don't think that having no user data on your laptop protects you. All your website bookmarks and stored passwords are (likely) on the laptop as well. And that's okay; stored passwords relieve you from having to remember passwords so they can be unique, longer, and more complex, which is a very good thing. But those stored passwords also let a criminal access your online accounts with ease. The fix is full disk encryption, such as BitLocker (Windows) and FileVault (Mac).
It's bad enough if a laptop with your personal info is stolen. But what if the laptop has sensitive client information on it? Or access to sensitive online accounts that contain such information? That could be a ruinously expensive, extinction-level event for your company. Upward of 60% of companies, usually smaller ones, that experience a severe data breach are bankrupt within six months.
Laptop theft is just one of many ways that data can be breached. By properly securing your laptop, you eliminate that particular way as a possibility. Sure, you might lose the laptop. But that you can deal with. Loss or compromise of data is way worse.
The good news is that if your Windows laptop was purchased within the last few years, then it likely already has BitLocker enabled.
Multiple Email Identities
Most online accounts today use your email address as your user identifier, or userid. One big reason sites do this is that it reduces friction at the initial sign-up because the person doesn't have to think up a unique userid for themselves. After all, the email address is already guaranteed unique. And people won't forget their email address like they might for a random site-specific userid.
The problem with that, however, is that your email address is well-known and not-private, so it's really not suitable as a login credential, which should be secret. It's true that you also have a password and, possibly, multi-factor authentication. But nevertheless, no part of a credential should be known to other people. That's just basic security.
But since we don't have a choice in the matter, and since email addresses are (mostly) required as a userid, then what to do?
The answer is to use separate email addresses for sensitive sites. I know, I know, I can hear you screaming now all the way from my home office. Unique passwords are already a pain. But unique email addresses, too!? Seriously?? Yes. Seriously.
But there's an elegant solution if you use an @gmail.com email address.
Gmail has a little-known yet incredibly useful email alias feature that lets you create special-use alias email addresses for certain online accounts. If you use a unique Gmail alias for each of your sensitive accounts and a different website is breached (usernames and passwords stolen), the bad guys will never know what the other email aliases are. So they can't try to login as you even if they sussed out the password.
How is that?
Let us assume your email address is johndoe@gmail.com.
For your bank account, you might use johndoe+chase@gmail.com. The +chase portion is the alias. You can make the alias whatever you want. +PNC, +Chase, or even a random silly word that pleases you. (The + must be the first character of the alias.)
Email sent to that alias address resolves to the root address johndoe@gmail.com and will land in the same inbox. If you use that alias for your bank login only, then no other web site will know that. So if some other website gets hacked, the bad guys won't know your bank alias, even if they know your root email address. Cool, huh?
The alias feature is already turned on and available to all @gmail.com addresses. And you don't have to register your +aliases with Gmail, either. Whatever you put after the + sign will automatically work.
Here's how to set it up:
- Log into whatever existing account you want to protect with an alias, like your bank.
- Think up an alias such as +chase or whatever. Your email address just for this bank account becomes johndoe+chase@gmail.com
- Go to your profile settings for your bank and change your login email address. It's probably in the same place where you'd change your password, phone number, etc.
- You'll probably have to confirm the new email address. That confirmation will be sent to johndoe+chase@gmail.com and a warning might be sent to the original address, too. Since +chase is just an alias, then those emails will automatically land in your regular johndoe@gmail.com email inbox.
You should repeat this for all your important accounts, giving each one its own alias. For less important accounts, you can use your root email only. Note that some websites won't let you use a + symbol in your email address, so that trick won't work for them. But most will allow it. I make extensive use of this feature, even for non-important accounts as a tracer, of sorts, to see how my email address gets shared.
Another cool use for aliases is that you can filter incoming email sent to that particular alias for special processing, e.g., bypass the inbox, or mark it bright red to get your attention.
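The alias format and the "tracer" use described above, as an added example that is not from the original article: it builds root+tag addresses, splits a received address back into root and tag, and flags mail that arrives at an alias from a sender the alias was never given to. The function names, the sender-domain matching rule, the case-insensitive comparison and every domain in the sample inbox are constructed for illustration.

```python
from collections import defaultdict

ROOT = "johndoe@gmail.com"  # the article's example root address


def make_alias(root: str, tag: str) -> str:
    """Build root+tag@domain, e.g. johndoe+chase@gmail.com."""
    local, _, domain = root.partition("@")
    if not local or not domain or "+" in local:
        raise ValueError("root must be a plain address without an alias")
    if not tag or not all(c.isalnum() or c in "-_." for c in tag):
        raise ValueError("tag should be letters, digits, '-', '_' or '.'")
    return f"{local}+{tag}@{domain}"


def split_alias(address: str):
    """Return (root address, tag); tag is None when no +alias is present.
    Addresses are lower-cased before comparison (an assumption of this sketch)."""
    local, _, domain = address.strip().lower().partition("@")
    base, plus, tag = local.partition("+")
    return f"{base}@{domain}", (tag if plus else None)


def trace_sharing(root: str, issued: dict, inbox: list) -> dict:
    """issued: tag -> sender domain the alias was handed to.
    inbox:  (recipient address, sender domain) pairs taken from received mail.
    Returns tag -> sorted sender domains that were never given that alias."""
    leaks = defaultdict(set)
    for recipient, sender in inbox:
        rcpt_root, tag = split_alias(recipient)
        if rcpt_root != root or tag is None:
            continue  # mail to the bare root address carries no tracer
        sender = sender.lower()
        expected = issued.get(tag)
        same_org = expected is not None and (
            sender == expected or sender.endswith("." + expected))
        if not same_org:
            leaks[tag].add(sender)
    return {tag: sorted(domains) for tag, domains in leaks.items()}


# Constructed sample data: which alias went to which site, and four messages.
ISSUED = {"chase": "bank.example", "shop": "example-shop.test"}
INBOX = [
    (make_alias(ROOT, "chase"), "alerts.bank.example"),
    ("JohnDoe+Shop@gmail.com", "mail.example-shop.test"),
    ("johndoe+shop@gmail.com", "promo.unrelated-ads.test"),
    ("johndoe@gmail.com", "newsletter.test"),
]

if __name__ == "__main__":
    for tag, senders in trace_sharing(ROOT, ISSUED, INBOX).items():
        print(f"alias +{tag} is receiving mail from: {', '.join(senders)}")
```

A hit on a tag means the site that was given that alias shared or lost the address, which is the signal to rotate that account to a fresh alias.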
Just another of the many reasons to use Gmail.
Disable Lockscreen Notifications
Most of us like seeing our text messages and other notifications while our phone is locked. Problem is, that's good for thieves as well. If your phone is stolen, especially if it was a targeted theft, a thief who knows or susses out your email address could be inside your online accounts in minutes, including possibly your bank accounts. How?
When you, or a bad guy pretending to be you, use the "forgot password" feature of most websites, one of the (several) self-recovery features is to send a one-time security code text message to your phone. We've all done this; you know how that works. That code is how you prove your identity. If your phone is set to display text messages while locked, then that code is visible to anyone holding your phone. They can use the security code to reset your passwords and gain access to whatever accounts they want.
Imagine this: If I personally know or specifically targeted you and stole your phone, chances are pretty good I could be inside your Amazon account in less than five minutes and having lots of nice expensive laptops shipped to a mail drop or to your home and ready to be intercepted by me when the UPS guy drives up in two days.
Or, better yet, gift card instant delivery (ka-ching!) and you'll never know this happened because once I'm in your Amazon account, I'll be resetting your password, changing the email address, and changing all your account recovery options to make it that much harder for you to regain rightful access. All without ever unlocking your phone. Wow! Who knew?
Disable that feature. iPhone and Android have settings to prevent showing text messages while locked, so you'll want to ensure that's turned on. In fact, it'd be wise to disable all lock screen notifications except maybe calendar alerts, but especially text messages.
Allowing personal content to show on the lock screen undermines the entire point of having a lock screen in the first place. My phone shows that a message is waiting, but not the contents.
Examine Statements
How often do you examine your credit card statements? Probably never? I'm guilty of that, too. But you should. A lot of fraudulent charges are purposely small dollar amounts that aren't likely to be noticed if all you look at is the outstanding balance. Worse, your credit card company is less likely to catch or flag small dollar fraud. Although the likelihood is still small, you could be losing a couple of hundred dollars per year in small-dollar fraud. It's not at all common, but it happens.
Checking your statements is also a good way to ensure you aren't being overcharged for subscription services, paying for a service you no longer need and forgot about, or that a subscription service that you cancelled is indeed still cancelled and didn't somehow reincarnate.
You should also check on any investment and brokerage accounts. It takes just a few minutes each month to check over your statements.
Lockdown Bank Accounts
If you don't regularly perform wire transfers or other large money transfers, call your bank and ask them to place a notice on your account to disallow any telephone-originated money transfer orders. Ask that such transfers must be made in person at a branch office. Same thing with any investment and brokerage accounts, especially if there's a local office that you can visit.
This is also important for the elders in your life. More on elder abuse here.
Minimize IoT Gadgets
IoT stands for "Internet of Things." This is when an everyday appliance or gadget becomes "cloud-enabled," like thermostats, refrigerators, coffee makers, door locks, garage door openers, kids' toys, and countless other things that never were before. It also applies to new things made possible because of the internet, such as Amazon Alexa and remote doorbell cameras.
These gadgets are often poorly designed, have crappy security, and, unbeknownst to you, may be recruited into a "botnet," attacking other users and websites on the internet.
I'm not saying that every single last IoT gadget is bad or dangerous. But it's a common-enough problem that you should be cautious and wary of installing stupid IoT gadgets that offer no compelling functionality to you.
More on the security hazards of IoT gadgets.
Stop or Reduce Using Social Media ... yeah, right
We all know that social media can't be trusted. Zuck and other Meta executives should probably be in prison for the data crimes they've committed. But Meta (nee Facebook) isn't unique. All social media companies make their money largely the same way: monetizing your data.
Remember what I said above: When something is free, like pretty much all social media, you aren't the customer; you are the product.
I know very well you aren't going to curtail social media use, so at least be aware of how invasive they really are.
More on social media privacy here. There's tons more information just a google search away.
And while we're on the topic of Big Data, let us not omit the huge data mining companies that you've probably never heard of. You know, household names like Acxiom, DataLogix, Epsilon Data Management, and Intelius, to name a few. Many of these Big Data companies have free opt-out features you can use. To the extent they offer these opt-outs, you should use them.
To see opt-out URLs for many Big Data repositories, click here and here.
Anti-Virus Software
Do I need an anti-virus security product?
Each platform has its particular vulnerabilities and methods for mitigation. Here we'll go over the four most popular computing platforms.
Microsoft Windows
Microsoft has finally beefed-up the security for modern versions of Windows, especially 10 and later. Earlier versions of Windows, especially farther back (XP, Vista, 7), were highly vulnerable to viruses. Virus remediation was one of the most frequent calls for support that I received.
Not anymore, thankfully. I've not performed a malware removal or mitigation in probably 3 or 4 years now. In addition to a better security product included in Windows, the OS itself is less vulnerable to exploits than ever before.
These improvements have made 3rd party security products pretty much unnecessary for casual users. If you still want a third-party product, then I recommend Bitdefender.
I do not recommend McAfee or Norton. If you bought a computer that came with one of those preinstalled, delete it. If you actually paid money for these, cancel your subscription, then delete it.
Apple Macintosh
macOS (the operating system for the various Mac computers) comes with multi-layer security products built-in: Gatekeeper, XProtect, and MRT. This combination of security products is sufficient for most users of Apple computers.
As with Windows, there are third party products available for Mac. And, again, if you do want a third party product, then I'd recommend Bitdefender.
iPhone
iPhone is a tightly-closed ecosystem that is quite resistant to viruses and malware. Security experts agree that iPhone needs no additional anti-virus software because of the inherent security of iOS. (iOS is the operating system, or "OS".)
This is due to the nature of the iOS ecosystem. With iOS (and iPadOS for iPad), all the apps you install and run must come from Apple's App Store -- and cannot come from anywhere else. The App Store serves as a gatekeeper in addition to being a repository of downloadable apps.
Because of that, it's not necessary for the iPhone device itself to have virus-detecting software built-in. There are other security measures in iOS, such as sandboxing, code-signing, and entitlement declaration*, that help prevent bad app behavior.
* Sorry, that was all pretty geeky. A detailed explanation of these measures is beyond the scope of this article. But suffice to say, it's all good stuff.
In short, you don't need any 3rd party anti-virus product for iPhone. Any such product you see is unnecessary and useless. Do not install.
Android
Android is not as locked-down as iOS. Apps can request broader and more-privileged access to the OS and to other installed apps wherein they could cause more damage.
Although disabled by default, with a simple tweak, most Android phones will allow you to download apps from non-officially-endorsed sources. This is called sideloading. It's not recommended unless you're an advanced user who understands 3rd party repositories and their associated risks.
Still, Google's reputation for curating and vetting submissions to Google Play is not as robust as Apple's. But if you stick to apps that have a lot of downloads (hundreds of thousands or more) and are consistently rated highly, then you should be ok. Let everyone else be the guinea pigs.
I generally don't recommend anti-virus products for Android phones for casual users with only a few apps. But if you tend to download many dozens of apps on a whim, then you might consider adding a security product.
Granting Unnecessary Permissions to Apps
Lots of phone apps ask for permissions they don't really need. You should deny those permissions. Here are three of the more sensitive permissions and what they can allow an app to do.
Access Contacts Permission
This permission is huge. You should never* grant this permission to an app. IMO, the contacts permission should never have been created in the first place. It's virtually impossible to use it ethically.
* The only apps that could rightly claim to need access to your contacts are email, the native dialer telephone app (not some 3rd party dialer), and maybe the calendar. Nothing else.
Wowzers! Why?
When you grant an app access to your contacts, you are allowing that app to read -- and upload! -- everything about those contacts that you have stored.
That could include the contact's...
- Full name
- Various phone numbers and types (mobile, office, home)
- Various email addresses
- Home and work physical addresses (to the extent you've stored that)
- Profile picture and birthdate (if you have that stored)
- Contact affinity grouping, e.g., family, friend, work associate, club, etc.
- Any other random notes you may have included along with that contact
Make no mistake, it may be your address book, but it's filled with the personal information of other people. You almost certainly have not gained permission from any of your contacts, let alone all of them, to disclose their personal information to some random app you decided to download.
App makers and Big Data can use that information to create a comprehensive relationship graph among all the users of that app and of other apps as well. I cannot overstate how valuable that data is to app makers. And you, perhaps honestly not appreciating the gravity, provided it for free and without permission. You could possibly be personally liable if something bad came of it. Oof!
Each app's privacy policy should enumerate how they will use your contacts. But if time and experience have revealed anything, it's that a great number of app developers lie about their intentions. Or just (alas, accurately) expect that you'll never read those terms, thereby granting them permission to do what they may with that data.
Even if you did read the app's privacy policy (highly unlikely) and found that it promises not to share that data, that still doesn't give you the green light. You must have permission from everyone in your contacts to ethically allow that permission.
Sidebar: This is exactly why it's bad netiquette to send an email to a large group of people without using the BCC (blind carbon copy) feature. This is especially true if the recipients don't already know each other.
If you already gave contacts permission to an app, then go and remove it now. You can google how to do that. Yes, that damage was done and cannot be undone. But at least you can prevent any further sharing. That might make the app less convenient to use. Sorry about that, but you'll just have to cope. The data in your contacts is not yours to give.
I suspect the above may never have occurred to you. It quite likely never occurred to anyone. It's an obscure secondary consequence that no one even knows to think about.
But now you know 😊.
Location Permission
Some apps, like Google Maps, work far better when they know where you are. But for most location-aware apps, like shopping apps for local stores, weather apps, etc., just knowing your city or ZIP code is usually sufficient. Granting location access to an app allows that app to track your whereabouts in real time. From that, a digital breadcrumb trail is established, giving the app maker bucket loads of incredibly valuable, and possibly sensitive, information.
If you grant location permissions to an app while at home, then the app maker can quickly determine who you are, even without you disclosing that or signing up. Once the app knows who you are, it can suss out a lot of extremely valuable information about you as you move about. No, thank you.
You should be very cautious and wary about granting location permission. As a rule, I deny location permission to everything except certain mapping apps.
Background Processing Permission
This permission allows an app to run in the background while it's not on your screen. It's not super-sensitive per se, but allowing an app to run in the background can drain your phone battery, especially if it's up to no good. Crypto-mining malware is a thing, and it'll eat up a phone battery like a six-year-old who finds the cookie jar. If you've also granted location permissions to that app, then it can track you 24/7.
Very few apps need background processing. You should disable that for most of the apps on your phone. Google for how to do that.
Add a PIN to your Mobile Carrier Account
Did you know that it's possible for someone to steal your mobile phone number? And once stolen, the bad guys will have access to all new incoming text messages, including those six digit security codes, making password resets a lot easier.
That's called "SIM swap fraud", and it is a serious breach since your phone is the focal point for many verification needs.
How does it work? Someone (the bad guy) calls your mobile carrier or visits your carrier's store and tricks* the employee into thinking it's you and says their phone was lost or stolen and needs to get a new SIM card (or eSIM) to assign to a new phone. Your legit phone stops working, and the bad guy now has your number on their phone. You can just imagine the headache that'll cause.
* If in-person at a carrier's store, the bad actor might have a convincing fake ID or other documents. Via phone, the bad actor may have other personal information or otherwise play on the emotions of the agent to please please help. There have also been cases where the employee was in league with the bad actor, probably for a handsome bribe. Employee cooperation isn't common, however.
You can reduce the likelihood of this happening by setting up a carrier PIN or verbal code word. This isn't the same PIN used to unlock your phone. It's a separate PIN or code word that you'll be asked for before being allowed to make changes to your mobile account, especially SIM reassignments or port-out requests.
Depending on your carrier, you might be able to set up other verification methods, like requiring a harder-to-counterfeit government document such as a passport for in-store visits.
But whatever methods you choose or that are available to you, they must be in place before any SIM swap fraud happens, so you should get on this ASAP.
Dodgy and Excessive Phone Apps
I've visited clients whose phones were chock-a-block with apps, screen after screen. Although Apple's App Store is generally considered safer than Google Play, it's still not perfect. Apps with hidden malware have been discovered on both platforms.
Phone malware can do many things, including the ever-popular cryptocurrency mining, which can turn your phone into a pocket-sized hand warmer and slow it to a crawl.
It's best to keep your apps to a minimal number. Delete apps that you don't use at least once a month, and don't download new apps that have comparatively few reviews, even if those reviews are good. This is especially true on Android because Google Play simply isn't as careful or extensive with vetting new apps. I'm always reading about some new Android malware. Apple, too, but not nearly as often.
You can always download the app again if you need it.
Also, if you've allowed an app background processing permissions, it can eat up the battery and data plan faster. Review all app permissions and deny the permissions the app has no business having, especially contacts, location, and background processing. If the app refuses to function after that, then remove it and say good riddance.
Remember, if it's free, then you aren't the customer; you are the product. Remember, "there ain't no such thing as a free lunch." That free app wants something from you. The developer didn't create it from the altruistic goodness in their heart. If you aren't giving them money, then you damn sure are giving them data. And often both.
Add a PIN to your IRS/Taxes
An increasingly common fraud today is when someone files a tax return in your name. How can that be a bad thing, you might ask?
Because the bad guy who's filing a return in your name will claim all manner of false expenses and deductions in order to fatten up a refund. Then they'll have the refund deposited by the IRS/US Treasury into a prepaid debit card. And getting that fixed is one of the levels of hell in Dante's Inferno.
Since pretty much everyone has had their private and confidential details stolen in multiple data breaches by now, figuring out who the higher earners are is pretty simple.
If you're a higher salaried person or earn a fair chunk from investments, in other words, if your annual tax return shows a comparatively high income, then a bad actor will have even more room in which to claim false expenses, deductions, and other refund-boosting shenanigans.
Hundreds of thousands of taxpayers per year have experienced tax-related identity theft in the last 15 years amounting to billions of dollars in fraud. There were over one million such fraudulent returns detected just in 2022.
How to protect yourself from that.
One way is don't procrastinate! File your taxes as soon as you have all your documents in order. Once your taxes are filed, then any further attempt to file taxes against the same social security number will be rejected.
But the best way to reduce the likelihood of tax-related ID theft is to apply for an Identity Protection PIN (IP PIN) from the IRS. It's free.
Applying for an IP PIN involves creating an online account with id.me which is used by the IRS and several other government agencies like Social Security, the Veterans Administration, and a few others.
A six-digit IP PIN will be assigned to you when you register. You'll then include the PIN with your tax return. After you have registered, the IRS will no longer accept a tax filing without that PIN. That's the protection! The PIN changes annually. It's not mailed to you, either. You get the PIN by logging into your IRS account (via id.me) that you created when applying for the IP PIN.
I did this as soon as it became available. Don't lollygag. This is just as important as the credit freezes mentioned above.
Fraudulent Warnings via Email
Be wary of emails that seem urgent in any way -- that are warning you that something bad is going to happen if you don't follow the advice or instructions given in the email.
Here's a partial list, in no particular order.
- That you missed jury duty and you'll be arrested if you don't follow the instructions in the email
- A friend/relative is traveling abroad and their password, money, etc. were stolen and they need your help
- You have a tax refund coming but the direct deposit isn't working and they need your help
- You are late paying taxes. Call to resolve or you'll be arrested.
- Your bank or credit card company detected fraudulent activity on your account and needs your help to catch the bad guys
- You have a past-due traffic ticket and must pay now to avoid arrest
- Congrats, you have won a lottery, they just need your banking info or maybe to pay some taxes first to collect
- Could not deliver a package to you, click a link to resolve
- Invoice for goods you never ordered. Fraudulent invoices for McAfee or Norton are common.
- Donate to a disaster relief charity
- Offers of money or prizes for completing a survey
- Some online accounts (bank, brokerage, etc.) will be suspended unless you verify some information
There are many more scams, the variety of which are as countless as grains of sand on a beach.
But they all share some of these common traits and that's the "tell".
- If you don't act, something bad will happen or something good won't happen
- Their tone is urgent and dire, not giving you time to think
- Misspellings and weird use of English are common. But now AI is fixing that. While misspellings and weird use of language can indicate a fraud, not exhibiting that doesn't mean it's all good.
First and foremost, no legit authority will ever arrest you on the say-so of an email. So you can relax on that threat.
Email scams usually proceed in two ways: 1) Call the phone number included in the email. 2) Click a link included in the email. Never do either of these things.
If any included details are correct, like your bank or social security number, don't just automatically assume it's legit. Countless data breaches over the years have made public everyone's sensitive information. Information privacy is dead.
If you think there's any shred of truth to the email, then stop, take a beat, and do a Google search to separately confirm any phone numbers that may be included in the email. Non toll-free numbers are a strong indicator of fraud. But that doesn't automatically mean a toll-free number isn't a fraud.
Fake Malware Popups
You're on your computer minding your own business then out of the clear blue you see desperate, urgent warnings start popping up, saying you have malware on your computer that's doing something bad.
The likelihood of you actually having malware is very small indeed. Unlike years ago, computers today are far less likely to get viruses or malware. These fake warnings are delivered by websites that you may have visited, especially if you granted them "notification" permission.
This type of notification is when a website can present info to you, usually on the lower right corner of the screen, even if you're not on that site anymore. Notifications are theoretically useful, but they are ripe for abuse.
Even when used non-fraudulently, they're a frequent source of unwelcome interruption -- another stupid pop-up that demands your attention. I recommend disabling all notifications.
Sometimes the notification mechanism isn't used, but instead an infected webpage you clicked on is taking over your screen and making it impossible to leave by intercepting your clicks. There may be a voice echoing the warnings on the screen.
The methods for getting rid of these fake popups vary depending on how they are being presented to you, so you might need to call a computer-savvy friend for help. But usually rebooting or logging out will fix it. To do that, hold down the Ctrl, Alt, and Del keys (like the old days) and select "sign out" on the menu that appears.
But you can at least relax as far as having actual, damaging malware goes because you almost certainly do not.
Deep Fake Phone Calls
These are next-level scary! You get a phone call that sounds for all the world like your spouse or child (even an adult child). It'll probably be rushed, desperate, and panicky -- something bad happened.
The bad thing could be being kidnapped, arrested for causing a wreck, DWI, caught with controlled substances, firearms violation, or other emergency. And fixing that will likely involve you sending money somehow.
You may be the victim of a deep fake. That's when a person's likeness, usually their voice in these types of scams, is accurately reproduced by AI to trick you.
I wrote an entire article here on Deep Fakes. Read more here. But don't forget to come back here 😉
Final Comments
You may wonder why all the companies involved in these breaches and security lapses discussed above have not solved these weaknesses. For them, it's simple math. Is it cheaper for the company to maintain the status quo? Or to fix it? And by cheaper, I mean for the company. Your cost and pain are a very minor input into that equation. This is why we need federal regulations -- to force recalcitrant corpos to do the right thing. Because they damn sure ain't doing it on their own.
Alas, in today's political environment, getting relief in the form of stronger consumer protection laws and regulations is unlikely.
Some of the above advice may seem rather extreme to those who aren't I.T. or security/privacy geeks. Feel free to use whatever advice you think is best for you. But understand this: Everything I've mentioned above is born of actual events. It's all happened before. These threats are all fairly easy to prevent or at least make less likely. Some are pretty unlikely in the first place. But some are difficult or impossible to mitigate once they occur. The time to safeguard is before something happens.
Device Theft at the Airport
You might be surprised, or maybe not, to learn that the number one place where laptops and tablets are stolen is at an airport. And the number one theft hotspot in the airport is, ironically enough, the TSA security screening.
Why, you may ask? Because nowhere else are you forcibly removed from control of your belongings, even if only briefly. We've all been there before, you know how this goes.
You're finally at the x-ray conveyor where all the bins are, removing your shoes (you can thank Richard Reid, the shoe bomber, for that), removing your laptop and tablet from their cases and putting them by themselves in a tray, making them plainly visible, then pushing them along the conveyor until it reaches the motorized part where it's pulled into the x-ray machine.
You look with trepidation as your $1000 (or more) laptop is sucked into the x-ray, soon to be ejected on the other side, and you're still waiting your turn at the body scanner. These are the critical seconds or minutes where your naked laptop is a sitting duck 20 feet away, in a bin that looks like all the others, and you are helpless.
Any person that's already passed through security but not yet left the immediate area can simply throw a light sweater over your vulnerable laptop, scoop it up, and walk away, and no one, not even you, will see it happen. These are the seconds that send me into a near panic! My only comfort is knowing the odds are with me, that's all. Because I certainly have no control over it.
Sometimes the "theft" is inadvertent. Laptops all look pretty much the same. It's easy to grab the wrong one when rushing to gather up your stuff to not cause a backup on the x-ray outfeed belt. To characterize the security checkpoint as controlled chaos is being charitable.
How to reduce that risk?
First of all, put some stickers on the laptop lid or tablet cover. This will help prevent someone from innocently mistaking your laptop as theirs. It may even give pause to a thief who doesn't want to steal the instantly-recognizable laptop from the sea of random laptops that all look alike. Choose stickers that express who you are. That's always fun!
Secondly, putting your mobile number inside the laptop on a sticky label can also help with reunification in case of laptop mistaken identity at the outfeed belt. I left an iPad on a bus in Barcelona some years ago. Fortunately, I had put my email address on a sticky label, and indeed received an email from a Good Samaritan a few hours later who had found it, enabling me to retrieve it.
Traveling solo
It's difficult, not gonna lie. Checking a bag is one way, but then you're trading one risk for several others. And with bag-check fees pretty common today, more people are traveling with only a carry-on, electing to buy their liquids (shampoos, lotions, etc.) at their destination.
To the extent you can, try to time placing your laptop on the x-ray infeed conveyor so that you are next to enter the body scanner and the passenger ahead of you has already passed through. Yes, this is difficult, and you may have little control if a TSA officer starts barking orders to move along.
Traveling with someone
Things are much easier when you've got a travel partner. Here's the process for Alice and Bob, traveling together. In this first scenario, there's only one laptop/tablet.
- Alice and Bob stay together until they've passed the initial TSA officer that's checking IDs and boarding passes. This way, they're together and are unlikely to be directed to separate lines at the bank of x-ray machines. For a small airport with just one x-ray machine, this isn't a concern.
- Alice and Bob should now split up, allowing 2-3 passengers between them, as they approach the x-ray infeed belt.
- Alice will place her stuff (but not a laptop) on the belt, pushing it along, until her turn at the body scanner. Bob is still several passengers behind Alice.
- Alice safely emerges from the body scanner and is positioning herself somewhere along the x-ray outfeed belt.
- By now, Bob has finished loading up bins with his stuff and their laptop. The first bin should be Bob's shoes, the second bin should be the laptop, and the additional bins after that for Bob's coat, and other less valuable things. I sometimes use four bins!
- Bob should not enter the body scanner until the laptop has entered the x-ray machine. If it seems that his turn at the body scanner is coming up too quickly, he can offer his position to the passenger behind him, with some excuse like needing to double-check that his pockets are empty.
- Alice, already safely past the body scanner, is in prime position to snag the laptop the moment it emerges from the x-ray machine.
If both Alice and Bob each have a laptop, Alice will simply give her laptop to Bob before entering the queue and he'll handle both of them.
If Alice is selected for additional screening, then Bob unfortunately will need to quickly adopt the solo traveler strategy, because Alice may not be available to snag the laptop(s).
If Bob is selected for additional screening, then it's not such a big deal, because Bob's stuff including the laptop(s) should have already entered the x-ray machine.
If both Alice and Bob are selected for additional screening (pretty unlikely), then explain to the TSA officers that you have laptop(s) on the outfeed belt and to please secure them.
With a little thought and practice this is easy to pull off and will go a long way to help secure your valuable laptop(s) or tablet(s) in one of the highest theft risk locations there is.
You can rest a little easier once you're past the security screening. But remember that other areas of the airport have their risks as well. Don't leave your laptop unattended! If you are charging it at a charging station then it might be possible to secure it with a Kensington Lock* to something on the charging station. These stations don't provide locks, you must bring your own.
* A Kensington Lock attaches to a tiny rectangular hole on the left or right side of most laptops.
If you take a cat nap at the gate, secure your laptop in your carry-on (hopefully lockable) and then secure it to your person however you can. If there's a shoulder strap, loop it around your body or legs.
If you are dining before your flight, ensure your bags are always in your line of vision, never behind you. If dining solo, resist the urge to hang your handbag on the chair. If dining with a partner, face each other at the table for better sight lines of your belongings.
Random people (without flight tickets) inside the secured zone are far less common these days since 9/11 changed the rules. But theft still happens!