Don’t Let Your Connected Devices Ruin Your Holidays

Ah, December.

It’s the time of year when we go out and buy our friends, family and even ourselves (You know you’ve done it!!) brand new computers, phones, and *insert gizmo here*.

Connected devices, wearables, drones, and so many other tech gadgets are all making the holidays much more fun.

However if not configured or set up correctly, these devices could put your personal security and privacy at risk.  They could even expose important personal and financial information.

Default credentials

Many of these devices are shipped with default usernames and passwords. This means that the default username and password combination is well-known by the manufacturer, and support people. It may even be written in documentation posted on the Internet.

Yikes. Because of this, it is important to change the default password and even the username, if you can.

If the device will allow you to use a passphrase, then even better! This will prevent anyone from being able to access your device if someone gets on your home network, or if it accidentally gets connected right to the internet.

If your device also connects to the cloud or an online component (i.e. you log into the manufacturers’ website to use it) its a good idea to change this password as well!

Default configurations

Normally the default configurations these devices are shipped in, are ready for you to use immediately. This means that any barrier to the shortest setup-and-go has been turned off.

Often most security features may be turned off, or be optional. It’s a good idea to acquaint yourself with all the features of your new device – security and otherwise. Acquainting yourself will help in understanding what the implications to your personal security and privacy are when each one is turned on and off. Then make the decision on which ones to turn on.

Some devices will also include administration portals or some advanced network administration tools. If you don’t have any intent to use these, turn them off. This will ensure an attacker can’t use them.

Connected directly to the Internet

Most connected devices out there aren’t mean to be connected directly to the Internet.

It’s easy to assume that when you plug the cable into your Internet router or connect the device to your home WiFi that it is only accessible to your home network.

Have you ever actually checked?

It’s important to understand what the internet needs are for your device and make sure that your router and network is configured properly. Any extra port forwarding or other settings are removed if not required.

If your device is accidentally left accessible on the Internet it could be easily accessed or hacked. This could expose important personal and financial information, be used as a gateway to access or hack other devices or computers in your home, or be used as a staging ground to hack others.

Two things that can also be overlooked here. First, ensure you’re using a strong passphrase or password on your wireless network. A weak one will only put your connected devices (and everything else on your network) at risk.

Second, do not put your devices on a guest or public WiFi network. Where devices are concerned, these networks can be just as bad as the internet.

Cloud connectivity

Devices now often include some type of cloud connection capabilities within them. This capability could be for extra features, or at times is required to use the device.

When you have a device that includes cloud connectivity, it’s important to understand what information is being sent to the cloud. This is to ensure you know what it’s being used for and how it’s being protected.

If your device is collecting personal, location or other sensitive information and it isn’t protected well, there is a risk it could be lost in a breach.

Start by reading any manuals that came with the device, the manufacturer’s website and Terms of Service and Privacy Policy documents, to start.

Ensure other computers and phones are secure

Do you connect to your device via an app on your phone, or from your computer?

If an attacker can compromise your other computers, they can take advantage of them to then attack your connected devices.

Update your connected devices

Check if the manufacturer of your device releases software or firmware updates. If they do, update the software and firmware as often as possible.

Software and firmware are only as good as the humans who create them. It’s easy for humans to accidentally introduce errors and security holes while writing software. Because of this, when manufacturers find these errors, they normally create an update to fix the issue. Updating the software allows you to get these fixes and plug any holes that an attacker could use.

It also will ensure you have the latest set of security features. Sometimes additional features can be released after you’ve purchased the device.

Wrapping it up

Connected devices are becoming much more popular. Not only are they fun, but they can make life much easier. However, they need to be used smartly. If they also collect personal or sensitive information or are left unsecured, they could be putting your online security and privacy at risk.

Photo by Alex Knight on Unsplash

Interested In More?

Join our newsletter to learn more and get regular updates! Did we mention it's free?
CLICK HERE TO SIGN UP!

How to: Online Shopping With Confidence

These days, online shopping is becoming more often than not the go-to method for shopping for virtually anything.

Not only is it convenient that you can shop right from the comfort of your couch, but you can look up the best options around the world for whatever you’re interested in, just to make sure you’re getting the best price.

Of course, you also get to skip the crowds and long lines if you’re shopping during the holiday season.

Even though shopping online is getting much more common-place, it’s important not to get too comfortable.

There is a lot more personal and financial information involved when you’re shopping as opposed to when you’re only browsing the news, for example.

So, what should you do when shopping to ensure you’re doing it safely?

Don’t shop on public WiFi

I know it’s tempting to get a bit of shopping done while you have a few minutes of free WiFi while you’re sipping on your morning coffee at the coffee shop, however, this could put you at risk.

It’s easy for others to snoop on your traffic, capture your credit card number and even your passwords. Even if you think you’re using a secure connection.

Don’t shop on insecure websites

Any time you’re entering a credit card number or any other sensitive information, it’s always good to ensure you’re sending it over a secure connection. That way, anyone who is snooping on you can’t actually see the information you’re sending.

How do you do that? By first checking in the address bar (that’s the box you enter the website address you want to go to) that https:// comes before the address of the site you’re visiting.

Second check if there is a green lock to the left of the address bar or near the bottom of your browser (the actual placement depends on your browser).

Thirdly – and this is an important step – ensure that the whole website URL after the https:// is exactly what you are expecting, and it isn’t misspelled. It’s become much easier for people to register dubious domain names that look like the original but are in fact fake website and have them be legitimately secure.

Keep an eye out for scams

if the deal seems too good to be true, it probably is.

There are always a large number of scam sites out there, and they seem to always intensify around major shopping holidays around the world.

Don’t “save your info for later”

If the website you are shopping on gives you the option to save your credit card number or other personal information for later, it might be best to decline.

Why? Because this means the website has your information on file. If they happen to be breached for whatever reason, there is a good chance your credit card number or other information could be compromised as well.

This can become quite an inconvenient. Especially if you don’t find out about the breach for a while.

Watch your email

During all of the big shopping seasons, spammers like to take advantage and send malicious emails and texts that appear to be coming from somewhere you may have made a purchase in order to steal your information or infect your machine.

Be smart and if there is any doubt about the email or text, don’t trust it and go directly to the real website instead.

Also, if the email you received is from a website you normally buy things from, consider whether this is a normal email you’d expect from them. If not, it might be a scam.

For more tips on detecting phishing, click here

Stick to the familiar spots

Just like other industries, the online retailing industry isn’t immune to phishing websites being set up to lure you into providing your personal information. Stick to shopping on websites you know are reputable and can trust.

This trust also goes farther than just being confident that they’ll deliver you the product you purchased.
Check their terms of service and privacy policy to see if they are also selling or aggregating your personal information after your purchase.

If you want to branch out, check them out

If you must use a new shopping website before you make a purchase or hand over any information be sure to check out the website and company.

Find ratings and reviews that you know you can trust. Do other people like them? Are there any reputable reviews who did receive what they ordered? How was their experience?

Do they have terms of service, privacy and return policies? Check if these raise any red flags.

All in all, online shopping can save you tons of time and even provide more selection and variety. However, there are those out there who would like nothing more than to take advantage of your comfort with shopping online to con you into handing over your hard earned money or your personal information.

That shouldn’t cause any stress, though. With a little due diligence and by being careful with how and where you shop, you can shop with the confidence that not only did you get a great deal, but you did it while protecting your information and your wallet.

Interested In More?

Join our newsletter to learn more and get regular updates! Did we mention it's free?
CLICK HERE TO SIGN UP!

Second Factor Tokens are a Pain. So Why Use them?

The other day I had an interesting conversation with a friend.

 

Their bank had just told them they had to add their phone number to their bank account.

 

This was in order for the bank to send them a text message with a code to their phone to input along with their password, every time they logged in to the bank via the web or a mobile device.

 

What are Second Factor Tokens?

You may have seen this before. Second Factor tokens can also be called a one-time-password, 2-Step Verification, or Two Factor Authentication (2FA).

 

Second-factor tokens are a part of Multifactor authentication – a way of confirming you are who you say you are when you log in. It requires you to provide two (or more) pieces of evidence (commonly called factors) to prove it is really you. The two pieces of evidence have to be two of these three: something that you know, something that you have in your possession and something that you are.

 

If you haven’t guessed it yet, your password normally qualifies as something that you know and is your first factor. Second-factor tokens provide evidence for something in your possession and are normally your second factor.

 

These tokens can range from physical devices you have to plug into your computer or place near your computer, to numerical codes (obtained from an app or physical device resembling a key fob) that you enter after your username and password.

 

There are even some newer solutions don’t even give you a code at all.. they just prompt you to approve or deny a request to login via an app on your phone.

 

They don’t exactly make things easier

Not surprisingly, they were not very happy about this change.

 

Multifactor Authentication means an extra step and more things you need to keep track of and worry about when logging in.

 

They almost seemed as if they were telling me about this, expecting me to take their side.

 

To say “of course how could the bank do that horrible thing?!”

 

But do you know what I did?

 

I said, “that’s great!”

 

They were so shocked!

 

While I had to agree with them that the codes are annoying, the thing is, they are very effective.

 

For those who don’t use these one-time codes often, or if they’re completely new,

 

  • they can be very annoying and frustrating, as they’re one more thing you have to deal with
  • If they send the code to your phone, and you don’t have your phone, it presents another problem
  • If you’re not technologically savvy, it’s one more piece of technology to deal with.

 

So what exactly is the purpose of using them?

If they’re so annoying, then what is the purpose of using them? How are they different than the security questions we already use? Why can’t we just continue using the security questions?

 

In short, because passwords alone just aren’t good enough anymore on their own and with the amount of information we share on social media, security questions are just too easy to guess.

 

Not everyone uses long and complex passwords, and even if you’re someone who does there is still the possibility of your password being compromised in a breach.

 

A second-factor token helps in that if your password is compromised, knowing your password alone isn’t enough information for an attacker to login to your account. They still need the code you have, or for you to tap the “approve” button on your app.

 

So while this whole second-factor authentication thing might seem like a nuisance, its actually meant to help you secure your logins better.

 

Second Factor tokens still aren’t completely foolproof.

Although, like other things,second-factor tokens aren’t a silver bullet. For example, if you receive a code via a text message, someone could impersonate you to your cell phone provider. Doing this, they can obtain a new SIM card that has your phone number tied to it. Then a request is made for the code and because they now control your phone number, it’d be sent directly to them instead of you.

 

Of course, your information on the service is only as secure as the security the service has in place. Even if your password is top-notch and you use second-factor tokens, your information can still be compromised if the service itself is compromised.

 

Still, these types of codes do provide much more security for your login than a password alone.

 

Speaking of passwords…

While second-factor tokens do help, it doesn’t mean you can become lazy with your passwords. Long, complex and strong passwords are still important!

 

If you’re struggling with creating long and strong passwords and remembering them, we have a few tips for that: Two Simple Tips to Remembering Passwords

 

How do I get a second-factor token?

Unfortunately, second-factor tokens aren’t something you can just get for yourself. Multifactor authentication and second-factor tokens have to be supported and by whatever service you’re logging into and does take a bit of setup.

 

However, more services these days do support some type of two-factor authentication. The website at twofactorauth.org maintains a list of many services which support multi-factor authentication and second-factor tokens.

 

To find out if your service does support second-factor tokens, try looking in their help documentation. If all else fails, reach out to the company and ask! They may also be able to provide some instructions for how to set it up, too.

 

Long story short…

While second-factor tokens may seem like a nuisance, they are actually meant to help. They can help username and password become stronger and more resilient to hacks and data breaches.

 

However, while they do add to the password you already use, they should be used as a compliment. Not as a replacement to your password.

 

Do you have second-factor tokens setup for all your logins?

 

Interested In More?

Join our newsletter to learn more and get regular updates! Did we mention it's free?
CLICK HERE TO SIGN UP!

Two Simple Tips to Remembering Passwords

If you do a number of things online, then you usually have a number of passwords.

 

As I’m sure you have all experienced, this can sometimes be frustrating and annoying when you can’t remember the password you need for the specific place you’re trying to login.

 

You’ve probably also heard that you should be using a unique password for every login you have, which is true, but have you ever heard how to manage all those passwords?

 

Using multiple passwords is great, but it’s not going to happen if you can’t manage all those passwords.

 

Us as humans are instinctively going to choose whatever path makes life easier. If that means using one password instead of 10, or 10 really simple passwords instead of complex ones, many of us will take that tradeoff.

 

So, How can we make remembering passwords easier?

 

There are two tricks to doing this effectively:

  • Putting them all in one place, somewhere that isn’t your brain.
  • Putting them on a medium that works best for you.

 

Yup, that’s it.

 

Let’s break it down:

 

Putting them all in one place allows you to know where they all are, and have one thing to keep safe. If they were all in separate places, then you have to remember where those places are… And keep all those places safe… and then we’re back to square one.

 

Choose a medium that works with your life. There is nothing saying your passwords have to be stored on your computer. Or any electronic device for that matter. The idea here is that if remembering passwords isn’t severely routine-altering, and is something you can easily add to your day, then you’re more likely to stick with it.

 

So how can we put this into practice?

 

Here are a couple of examples:

 

Someone who is tech savvy, takes their phone everywhere, and is used to looking things up electronically should try a password manager.

 

This is a piece of software that lives on your computer or your phone which stores all your passwords. Then, you only need to remember one password to access the manager and select the password you want to use.

 

There is one catch though. If you forget the password to your manager, all your passwords saved in it are gone! You can’t get them back.

 

If you don’t work on a computer all day, or prefer to lookup information in books and references, try relatively low-tech idea. A notebook!

 

A few years ago I wouldn’t have ever suggested using a notebook, but it’s becoming a more appealing option just because its not digital. It can’t be hacked like a computer can.

 

A Word of Caution..

 

In using a notebook however, passwords should be written without an obvious reference to what site they’re for or the username that goes with them. This makes it difficult for anyone who finds your notebook to understand, hence making it more secure than just a notebook of usernames and passwords.

 

The notebook should also be hidden well, or even locked in a safe (if you happen to own one!).

 

And because I know someone will mention this: No, sticky notes on your monitor or under the keyboard are not OK!

 

Of course, at the end of the day its important to pick something that will work for you and that you can manage. If you write everything down in a notebook and then hide it so well you can’t find it, its not going to help much is it?

 

This Weeks Challenge

 

How do you remember all the passwords you need? If the answer to that question is by using only one password, then this weeks challenge is now that you know a few ways to keep track of multiple passwords, can you consider changing each password to being unique and using a password manager to keep track of them?

 

If you do use unique passwords then this weeks challenge is to consider how you could keep track of them. If you’re a rockstar already keeping track of them easily then consider taking them one step further and make them more complex! If you don’t understand what I mean about more complex, don’t worry. I’ll have another episode on complex passwords later on.

Interested In More?

Join our newsletter to learn more and get regular updates! Did we mention it's free?
CLICK HERE TO SIGN UP!