Category: Security

Weekend Technology Notes

Big Kid Macs

I was basically right in the email that I sent out to my Mac clients early Monday morning about Apple’s new MacBook Pros. I knew the pricing would be higher. The new 14-inch MacBook Pro starts at $1999 and the 16-inch (which I don’t expect a lot of my clients will be buying) starts at $2499. These are not rip-offs by any means. They are high-powered professional machines. Unless the “best” is desired out of principle rather than practicality, I think the MacBook Air is going to suit the vast majority of my Mac clients seeking a laptop. The 512 GB model @ $1249 would be the one I steer you toward.

Couldn’t Stop This Scam

I had a sad phone conversation with a client today about their friend. Sadly, this friend had been given my name before but had never joined my business family and the system of services and education that I provide. This person got a call from “Amazon” saying that someone had tried to purchase an iPhone Pro Max with their card but they had “stopped” it. Sound real? Think again. The representative was granted access to the victim’s computer and had them log into online banking. There the refund was “issued.” However, it wasn’t. The scammer simply edited the text displayed on the banking website. Instead of a $1400 refund, the victim was “credited” $14,000 – by “mistake” of course. The scammer said they would lose their job and demanded the difference back as a wire transfer. Hint: If it was $1000 involved, the scammer would have asked for gift cards. However, the scammer saw that there was more than $14,000 in the victim’s bank account. Only a wire transfer would do! Their bank actually allowed the victim to send out the transfer, which went to Hanoi.

UNBELIEVABLE!!   It really happened.  And the victim still believed it was real.  I told my client to tell this guy to go to his bank immediately.  Explain he is the victim of a crime.   Maybe — it can be reversed — but it’s doubtful in my opinion.  It’s hard to claw back a wire transfer, especially an international one. 

Update On T-Mobile Breach

Here is the most updated info from T-Mobile

https://www.t-mobile.com/brand/data-breach-2021

It turns out 47.8 million customers were affected (which is about 1/2 their US customer base). It breaks down to 8 million cellular accounts and 40 million prospective customers that applied for credit. Keep in mind credit was pulled in the past whenever new customers signed up or financed a phone. (T-Mobile and Sprint are now one company. I don’t know how many of these records pertain to old Sprint customers or if they are pre-merger T-Mobile accounts.) T-Mobile CLAIMS that no financial data, like Social Security #’s, was accessed.

Here is what they are doing, however. They are going to offer two years of ID theft protection through McAfee. I’m going to skip that. McAfee hasn’t done anything good for computer security since the 1990s. The late, great company founder John McAfee despised what his old company had become before his death. You can sign up for it if you wish, but I would prefer that you obtain all of your credit reports from annualcreditreport.com, then sign up for credit freezes or at the very least fraud alerts.

Secondly — here is something you can take action on today.  T-Mobile is asking you to change your account PIN.  This is also known as a billing passcode.  You can do it online or you can call 611 from your phone and talk to customer service.  If that billing passcode is in the wrong hands — someone can port your number out — steal it and take it to a different company. 

T-Mobile Data Breach

I don’t know all of my clients that have T-Mobile so I am going to make a general announcement in the weekly newsletter later.  However, I know you have T-Mobile.

Per reports I read in multiple sources like this Bloomberg article….

https://www.msn.com/en-us/money/companies/t-mobile-investigating-claims-of-data-breach-on-online-forum/ar-AANlDJU

T-Mobile’s entire customer database has been breached by hackers!! 100 million people. The data discovered included full names, Social Security numbers and driver’s license numbers. This is disgusting. This information should have been stored in an encrypted fashion.

My Thoughts

– I don’t think I’m going to leave T-Mobile tomorrow.   This could have happened to Verizon or AT&T as well, in theory.   They could have better security, but I don’t know.

– I don’t apply for credit all the time, so more often than not, I keep my credit reports frozen.  No one can open up accounts with the freeze in place.   If you do have your credit run often, you may want to consider a FRAUD ALERT instead, which will require your permission before lines of credit are opened.

– I assume T-Mobile will be providing its customers with a couple of years of some credit monitoring service.  That may be worth using, but keep in mind that during this pandemic annualcreditreport.com is offering all 3 credit reports free on a weekly basis.  https://www.annualcreditreport.com/index.action  — this website is the only one authorized by the federal government for obtaining free credit reports.   (The one on TV with that hideous jingle is NOT the same website.)

Websites for setting up credit freezes

https://www.transunion.com/credit-freeze

https://www.equifax.com/personal/credit-report-services/credit-freeze/

https://www.experian.com/freeze/center.html

Windows Ransomware Protection and Windows 11

Two Points for you today

1.  Some of you use a 3rd party anti-virus – a Norton, an Avira, ESET, etc.  That’s fine.  Keep using it if you like the features it provides.  However, for most Windows clients I say to use the built-in Windows Defender.  This is what the majority of you are doing.   You have heard about these awful ransomware attacks in the news.  Individuals and companies get their files locked and then get asked to pay thousands of $$$ in ransom.    Fortunately, Windows Defender now has anti-ransomware technology built in.   However, it has to be turned on.  I found this helpful article from Forbes that tells you how to do it.  If you feel uncomfortable doing so yourself, write this down and we can save this task for a future appointment.   https://www.forbes.com/sites/brookecrothers/2021/05/16/yes-windows-10-has-ransomware-protection-heres-how-to-turn-it-on/?utm_source=pocket-chrome-recs&sh=d09573a4c575

***If you use a different anti-virus — look into whether or not it has anti-ransomware capabilities.  This Forbes article is not meant for you at this time.

2.  There should be some exciting news coming out of the Microsoft camp this week. On Thursday, they are announcing the future of Windows — which may entail a new version of the operating system called Windows 11. Some test versions of this new software have leaked out into the wild and I have attached a picture for you. I think Microsoft is going for a fresh look and a simplified interface. When Windows 10 came out in 2015, it was billed as the last version of Windows ever. It will be interesting to see how Microsoft explains their change of heart. If they indeed call it Windows 11, it seems like a game of copycat is being played here. The latest macOS is also called version 11. I have no idea when Windows 11 will be released or which existing computers it will be appropriate for. I’ll fill you in as I find out.



My Thoughts On LifeLock and Identity Theft Protection

I remember when LifeLock first started out — they used to take out big ads in the WSJ (circa 2007). Their CEO was a bold man — Todd Davis. He would put his full Social Security number in those ads and say — go ahead and try me. I remember there were some years after that when people sued LifeLock and said they were a scam. Then the credit bureaus stopped wanting to partner with LifeLock. LifeLock did not give up but they evolved (several years back). They ended up buying into one of the largest credit card processing companies so they could see all the transactions flowing through and this would give them a mechanism to protect you. However, you have to give them all your credit card #’s and bank account #’s — so they can protect you. I don’t think that’s a bad thing — for people who really want the service. My bullet points on them are:

-LifeLock is legit – despite some of their past controversies.

-But customers should not be fooled by the $7.99 a month price they have on lifelock.com right now. If you look at the cost of the REAL membership with the $1 million protection “Option 3” — it’s $42 a month for a husband and wife ($35 / month paid annually) and $25 / $30 a month for individuals. Those are just the introductory prices for year 1. The “true price” for the 2nd year kicks in and is much higher. I think someone has to really want the protection to want to pay that kind of $$ and you have to want the Norton services, which cannot be separated out.

-Again, you have to give them all account #’s for the protection to work.

-They are now partnered with Norton Anti-Virus — one and the same company — and say that this is one of their key benefits. It might be great for a Windows computer — but in my personal experience with Mac clients — Norton is awful. So this isn’t much of a selling point.

What I do instead…

– I get free copies of my 3 credit reports each year from the only site authorized by the federal government per a law that was passed about 15+ years ago.   https://www.annualcreditreport.com/   (During this Covid 19 era — they are actually allowing for free WEEKLY credit reports)

– I regularly keep all 3 of my credit reports frozen — and this can be done for free on each of the 3 bureaus’ websites. If I need to apply for credit — I go in and unfreeze the report the bank wants unfrozen. (By comparison LifeLock only offers locking for one bureau)

-With my approach, I don’t have an “insurance” policy protecting me or monitoring of all my credit card purchases.  I check all of my banks online regularly. 

So bottom line — I think LifeLock can be great if you want all the hand holding or if you think you need all of the hand holding. However, it can be very expensive. Check around for other identity theft insurance without all the software if you think you need this. More affordable options are Zander Insurance and Identity Guard. These two companies and LifeLock offer US based phone support when needed.

Using A VPN–Privacy and Security Factors

I have previously written generally about why VPNs are important, even for consumers and small business owners. Here I am going to get specific, covering two main reasons for use (privacy and security) and the scenarios where they come into play.

Rewind: If I were to rewind just a step, a VPN is an application you run on your computer, smartphone and tablet to give you a private tunnel out to the internet. I’m not going to endorse one over the others — but the three I like are ExpressVPN, Windscribe, and Private Internet Access (PIA). Costs range from $2 to $10 per month. I have explored Mozilla VPN (put out by the Firefox people) with some clients and it lacks a key feature at the moment so I am not going to put it on the same level as the other three.

So today I am talking about “John the consumer” and “Jane the plumber.” John uses computers and other devices at home. Jane owns a plumbing company and has an office on Main Street that she controls. (I’m going to leave working in an office under some big corporation out of the discussion because they often tell you what you can and can’t do with your computer.) John and Jane have two factors to consider when using a VPN — Privacy and Security — depending on where they are using the internet.

1.  At home or their office — Here the reason to use a VPN is PRIVACY.  John and Jane have routers with up to date firmware, computers with antivirus software, and computers and smartphones with the proper security updates.  Their internet connections are secure.   Speaking for myself, my home / home office Internet is totally secure even if I never use a VPN.  If you meet all of these parameters I laid out — there is like a 99% chance no one is going to infiltrate your internet connection.  John, Jane, and I use a VPN in the confines of our homes and offices because we don’t want our internet providers to know every website we visit.  We don’t want news or other shopping or informational websites recording our IP address (which ultimately links back to us).  It’s an issue of principle and privacy — not primarily for security. 

2. On Public WiFi – I’m talking about the mall, the library, the hotel, and the coffee shop now. People are going out a lot more and traveling. You do not have control over these public internet connections. They should not be presumed to be secure as in #1. This is a different ballgame. Here John and Jane use their VPNs for security. Even though you are on that public WiFi connection, you are doing so through your VPN tunnel. You will be protected from bad actors on that network. Snoops on that network are not going to be able to do harm to your devices. You are still getting that private connection, but the security of the VPN is the biggest factor here.

2a.  I should add this section here to say — I have found limited situations over the years where public WiFi connections refuse to play nicely with a VPN even after the settings are adjusted.   In these scenarios, if I am just using my smartphone, I turn WiFi off and just use the cellular connection.  At least I have a secure connection.  If I needed to use a laptop and couldn’t use a VPN, I would set up my smartphone as a hotspot. 

When Not To Use A VPN

– With ExpressVPN, Windscribe, and PIA — a split tunnel can be set up to allow certain apps to bypass the VPN. Some bank websites do not work properly with a VPN on. John, Jane, and I set up one browser to split off from our VPNs so that we can access any website that does not play nicely with the VPN. This split tunnel feature does not work on iPhones. It may work on some Android phones.

– When downloading operating system updates:  These happen outside of any browser and are typically very large files.  As long as John and Jane are on a secure connection in the home or the office, it wouldn’t be the end of the world to turn the VPN off solely for the purposes of the updates.

In conclusion, after digesting these two installments I’ve sent you, you may decide a VPN is not for you or it is right up your alley. The choice is yours. VPN use is on the rise among people like John and Jane. They keep theirs on automatically, whenever their devices are in use. Surfing the internet through a VPN tunnel is a pathway to freedom.

Important Security Update

For iPad and iPhone

If you have an iPhone or an iPad (even an Apple Watch) – there is an important security update that I just got notice of on Friday. It is known as iOS / iPadOS 14.4.2. This update fixes a critical flaw in WebKit. WebKit is the engine that powers Safari (all the website browsing you do) on those devices, along with any apps that might render parts of websites. Without WebKit, the iPad / iPhone does not function. This update covers the iPhone 6s and later and iPad Air 2 and later. Even though Apple is not updating the iPhone 6 and original iPad Air anymore, Apple did you a real favor. They have issued an OS 12.x update for these 2 so that you have the WebKit fix as well.

Settings >> General >> Software Update.    Get Updating!


Critical Password Practices

I had to deal with another security breach last week. It could happen to anyone.  Accounts get hacked.  Passwords are guessed.  Bad guys keep trying until they get it right.  These scammers will even try to make up fake email accounts and impersonate you if they have extra motivation to deceive.  In this one instance I got called out to deal with, the hacker was probably in China but they were clever enough to make it seem like they were hacking from the USA.   You don’t want this to happen to you right?


You MUST NOT reuse passwords for multiple websites / services. Each account needs a separate password. A password should be easy for you to remember and hard for others to guess. It should not contain family members’ names. It should not contain your street name, street number, or year of birth. Do a Google Search on yourself. Your password should not contain any key words that come up in that search. You could use a password manager like 1Password or LastPass. However, this requires learning a new tool and I know not all of you are prepared to do this. You could use a random password generator tool, creating passwords of 12 characters or longer.   https://www.random.org/passwords/  is a tool I have used with clients repeatedly over the years. If you are still saying this isn’t for you, OK, so at the very least you should do the following. Create a memorable base that you will use over and over again, then put a unique ending that helps you identify each site. Record everything in a password notebook at the very least. For example, let’s say you attended Camp Redwoods as a child and no one else knows that. Your password for Microsoft could be — ILoveCampRedwoods20msft — and then you could repeat this formula over and over again. That would be a bare minimum, but acceptable strategy. Each password should ideally be 12 to 14+ characters long. Personally speaking, I have started making my passwords 25 – 30 characters long whenever possible. (This is very easy with a password manager.)
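The rules above (a separate password per account, 12 or more characters, no personal key words) written as a small audit script with a random generator beside it. This is an added example, not part of the original post; the function names, the 8-character shared-base threshold and the sample accounts are assumptions constructed for illustration. The shared-base finding is informational: it marks accounts built on the same memorable base.

```python
import os
import secrets
import string
from itertools import combinations

MIN_LENGTH = 12  # minimum length recommended in the text above


def generate_password(length=16):
    """Random password drawn with the operating system's secure generator."""
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Retry until lower-case, upper-case and digit are all present.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def audit_passwords(accounts, personal_terms, base_len=8):
    """Return {account: [findings]} for a dict of account -> password."""
    findings = {name: [] for name in accounts}
    for name, pw in accounts.items():
        if len(pw) < MIN_LENGTH:
            findings[name].append("too-short")
        # Key words a search on the owner would turn up (names, street, year).
        hits = sorted(t for t in personal_terms if t and t.lower() in pw.lower())
        if hits:
            findings[name].append("personal-term:" + ",".join(hits))
    for (n1, p1), (n2, p2) in combinations(accounts.items(), 2):
        shared = len(os.path.commonprefix([p1.lower(), p2.lower()]))
        if p1 == p2:
            label = "reused-with"        # same password on two accounts
        elif shared >= base_len:
            label = "shared-base-with"   # same memorable base, different ending
        else:
            continue
        findings[n1].append(f"{label}:{n2}")
        findings[n2].append(f"{label}:{n1}")
    return findings


# Constructed sample data for a hypothetical person (Maple Street, born 1961).
SAMPLE_ACCOUNTS = {
    "microsoft": "ILoveCampRedwoods20msft",
    "amazon": "ILoveCampRedwoods20amzn",
    "bank": "Maple1961",
    "email": "Maple1961",
    "streaming": generate_password(20),
}
SAMPLE_TERMS = ["Maple", "1961", "Smith"]

if __name__ == "__main__":
    for account, issues in audit_passwords(SAMPLE_ACCOUNTS, SAMPLE_TERMS).items():
        print(f"{account:10} {', '.join(issues) or 'ok'}")
```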

How to check for suspicious logins to Comcast Xfinity email account

I have now had 2 clients in the past year who’ve had their Comcast email accounts broken into.  Scams were attempted and some damage was done. 

Comcast has now put out a tool so you can see all of the login attempts on your Comcast account within the past 30 days. If you suspect anything or are just curious — you should sign into this website with your Comcast e-mail address and password.


https://security-console.identity.xfinity.com/

It worked very well for me with a client yesterday.  We determined that her account was hacked by someone accessing the internet through a server in Seattle, WA. 

One more tip — make sure that your Comcast email password is not the same as ANY OTHER password you use.

Your iPhone Records Everywhere You Go–How To Turn Off

Just wanted to give you all a mid-week blast. This came across my desk today and I thought some of you would want to flip the switch to turn it off.

I learned something new today — there is a fairly hidden setting (Settings > Privacy > Location Services, then down to the bottom, System Services) called Significant Locations. It is a record of EVERYWHERE you have visited with your phone. Kind of creepy!

Anyway, you can turn this off.   If you like the iPhone intelligently learning your patterns and making suggestions based on that — by all means leave it on. 

I think I’ll be turning Significant Locations off.