I’ve been working on another post slowly and steadily, but I wanted to share the events I’ve been dealing with over the past week. Hopefully, it will encourage you to do better in your cybersecurity. I know it has me for sure. I’m no security expert by any stretch of the imagination, but over the past couple of years I have started doing more work in and around cybersecurity. Needless to say, it has made me a bit more cautious and paranoid when dealing with stuff online.
We all have that mentality of “why would anyone want to hack me”, or “I have nothing that could benefit a hacker”. I know we don’t think we will ever be the victim of any type of hack or identity theft…until we are. When you realize you have been a victim of a cyber attack, then everything is reactive in nature. You work to try and clean up the mess, but only find out it’s getting worse! It’s a nightmare to clean up, and even worse when trying to help someone who is almost 70.
Oh no! I’ve been hacked!
Thankfully, I was not hacked, but my mother in law was not so lucky. We received a call last Wednesday from my mother in law asking if we had a few minutes. She proceeded to tell us that her credit card had been used at Walmart to buy about $200 worth of household items online. It was mostly food items. The only reason she found out about it was she just happened to check her email, which she doesn’t do frequently. It was late at night when she saw it, and she decided to wait until morning to try and figure out what was happening. Well, by that time she had started getting emails from multiple retailers and other websites saying they don’t recognize the login locations, and asked if it was her and, if not, then to login and change her password. Some websites sent a code to her email as a security step to ensure it was, and that saved her from her biggest retailer, Amazon. I told her she needed to go in and change all of her passwords to every site on her “password list” because they all were very similar in nature, but she felt like she had taken care of what needed to be taken care of and resisted.
After a couple of days she had cancelled her credit card, established a new email address for a couple of online places, but for the most part left it alone. Well, Saturday her Instagram account she never uses was hacked, and images of grown men sucking paci’s were on there. The account had her picture but was changed over to the Russian language. My brother in law reported it and I tried all day to regain access but was not able to. Again, I said, go in and change all of your passwords. When hackers gain access to one account they reuse credentials to try and get into other accounts as well.
Yesterday morning we discovered her Facebook account had been hacked too with weird fat loss product advertisements being posted. At this point we pretty much had enough, and I began to dig deeper into what was really going on. Some of the passwords used were not anything personal to her that could have been guessed. Something else must be going on for them to get all of these accounts. A virus/malware scan came back clean on her computer, there were no signs of compromise to her iPhone or iPad, and nothing else seemed out of line. Finally, I started thinking about her email. She must have been phished in order for them to get in, but I never saw any real phishing emails. My guess is they have been in a while just sitting dormant and watching. I began to think some more on what was going on. It had to be her email in some way but I just couldn’t pin point it. After thinking for a few minutes I remembered my mother in law had said she wasn’t getting password reset emails for some accounts, like Instagram. Just then I had an epiphany moment. I realized the hackers were probably in her email somehow, so rather than looking at her mail app, I logged into her web mail account so I can see all the settings. She’s using her ISP’s email for her email rather than Gmail or some other well known email provider. Poking around in the email settings I found it. The hackers had setup email rules and filters to forward and delete emails with certain criteria. Most of the criteria was password resets, two factor tokens, and other confirmation type emails. I immediately deleted all the rules and changed the password to something random in nature. Finally, we had control of the email and we began securing her better to help this from happening again.
How do I prevent this?
Unfortunately, for the majority of people we may never be able to stop this from happening. As paranoid as I am about things online it’s happened to me as well. Even seasoned cybersecurity veterans get duped by well crafted attacks. However, there are certain steps we can take to stop cyber criminals from stealing our identities and financial information.
Step 1: Get a credit freeze
This is the single most important and easiest thing you can do to protect your identity. If someone has gained access to your personal information, including your social security number, then getting a form of credit won’t be that hard. You will need to contact the 5-6 major bureaus to initiate a freeze, but before you freeze your credit be sure to get a free credit report from https://www.annualcreditreport.com. Review the credit report in fine detail and scrutinize anything that looks out of place. After you have reviewed your credit report, then contact the following agencies to get a credit freeze.
By Phone: 800-685-1111
By Mail: Equifax Security Freeze, PO Box 105788, Atlanta, Georgia 30348-5788
By Phone: 888-397-3742
By Mail: Experian Security FreezePO Box 9554, Allen, TX 75013
By Phone: 888-909-8872
By Mail: TransUnion LLC, PO Box 2000, Chester, PA 19016
By Phone: 800-540-2505
By Mail: Innovis Consumer Assistance, PO Box 26, Pittsburgh, PA, 15230-0026 https://www.innovis.com/assets/InnovisSecurityFreezeRequest-110141767716e41ac7d862e221ac5831.pdf
By Phone: 800-887-7652
By Mail: Chex Systems, Inc. Attn: Security Freeze Department, 7805 Hudson Road, Suite 100, Woodbury, MN 55125
By Phone: 866-349-5355
By Mail: NCTUE Security Freeze, P.O. Box 105561, Atlanta, GA 30348
Step 2: Get a Password Manager
If you have all of your passwords memorized then you either have a photographic memory, or you reusing the same password or a similar password with a small variation. Simply put…If you can remember all of your passwords then you are doing it wrong. The best approach is to use a password manager and use it’s built in password generator to get a random password with numbers and special characters. Also, your password length should be at least 16 characters long, or as long as the service will allow. Some websites only allow certain lengths and characters. Here are the password managers that I either use or have used in the past.
This is probably one of the more well-known password managers but it’s only used locally. Meaning it’s not a cloud-based password manager. You have to be sitting at your computer to use it. I use this one for all of my work, website, hosting, etc, and as a backup for my household accounts. You can make multiple databases for work, home, business, etc. You can download KeePass for any operating system.
Strongbox is an iOS/Mac companion for KeePass databases. I use this on my iPhone for when I’m on the move. You basically copy your existing KeePass database over to your iPhone and you’re ready to go. You can find it in the AppStore
I’ve recently started using BitWarden for all of my household accounts like personal email, financial, retail, and anything else my family needs to share. You can use it on all operating systems, and it has browser extensions to allow your passwords to automatically be input when you visit a website. The data is end-to-end encrypted, so someone must have access to your device to get your passwords. I have mine setup with a pin and my FaceID. Also, data syncs across all your devices and there is an online vault that allows you to login and see your passwords if you don’t have your device with you.
Encryptr is an open source password manager offered by Spider Oak. It’s a light weight, cloud-based password manger which offers end-to-end encryption, and can be used on any operation system, including mobile devices. It doesn’t have a lot of bells and whistles, but I’ve used it for many years before slowly moving to more feature rich managers. However, I do still use SpiderOaks One Backup to back up my computers to an encrypted server. No one, including SpiderOak, can see my data without my password.
Step 3: Use Two-Factor Authentication (2FA)
I’m sure most of you either use or have used this in the past, and most likely it’s either via an email or text message sent to you containing a six-digit code. If you’re doing this, great, you’re ahead of the curve. However, given how easily email can be compromised, like my mother in law, and now experts are saying text messages are not a secure second factor due to cell phone hijacking, we should really look to a more secure method to get our second code.
Two-factor authentication software tokens are setup with your account (i.e. email, retail, or other online accounts), and when you log into your account, the website/application will ask you for that second factor number. These numbers typically rotate every 30 seconds, and you need to enter the number before it switches to a new number. Once setup, accessing your online accounts can be simple and secure. Here are my recommended methods for a second factor.
YubiKey is your only option that will cost you money. It’s arguably the most secure because it is a physical piece of hardware that you insert into your computer or mobile device. So in order for your second factor to be used, you must have this key in your hand. Unfortunately, not all services support a hardware device like this, but you can use it in conjunction with other tokens, like software ones. I have not purchased one of these yet, but I have it in my sights to buy one soon.
Authy is probably the most well-known software 2FA token generator. It’s now owned by Twilio, but is one of the few cross-platform applications. Meaning you can set it up on your phone, computer, or another family member’s device. This is a good option for families that have one account but multiple people logging in. This is good for Amazon, your bank (if supported), or other utilities. I use Authy for all my home accounts that support it.
This application is similar to Authy except you can’t use it on multiple devices. Once you set it up on one device, then you won’t be able to use from another device. Some people like it, but most reviews are more…meh. It’s a worthy mention because it’s a Google product.
Symantec VIP has a unique feature for supported websites. I have a separate bank account that I use just for my website and related expenses. I do this to separate it from my daily checking/savings accounts. In order to log into this bank, you must have a username, pin number, and the six digit code from the app. You basically enter your username, but the password is your pin combined with the six digit code provided. Your password changes each time you log in. This is a great security feature and better than any other financial institution I’ve used. Also, you can setup the application to give you a second factor number like Authy or Google Authenticator. The only drawback for families is it is device specific. I use VIP for all my website/blog related 2FA needs.
Step 4: Secure Email
Your email is probably the single most important form of communication you have. Your bank uses it, retail stores use it, your kids school, doctors office, neighbors, and everything else that is important in your life. Your most common options for email providers are Google, Yahoo, Microsoft (Hotmail, live, outlook), Apple, and your home internet service providers email service. All of these companies have a huge email base and they all serve you ads in your email. So, somewhere within their software your email is being read by them. It’s how they generate so much income. Most probably don’t realize it, but you do have secure options available and the best part is their free. Granted, you won’t get 15 GB of email storage on the free options, but instead of reading and selling your email, they look to a subscriber base to pay for the service. I have two recommended services and they both are zero knowledge email providers. Meaning no one can read your email without your credentials. The email is encrypted on your end and it can’t be read…even by law enforcement. The encryption “can’t” be broke.
Protonmail is my preferred email service. They are located in Switzerland where privacy laws are very strict, their servers are deep in a mountain data center surrounded by pure rock, and they own and maintain all of their servers. Protonmail encrypts everything and if you send an email to another ProtonMail user, then there is no one who can intercept your message and read it. If you choose to go the paid route, then you can send encrypted messages to anyone outside of ProtonMail. You set a password for the email and the receiver must know that password to decrypt it. All of your contacts are encrypted and they now offer an encrypted calendar on their beta test website. The encrypted calendar will be released soon. They also have a free virtual private network (VPN) for all users so your internet surfing is private, but you can upgrade to a faster, more robust VPN service for a small fee. Additionally, they are working on ProtonDrive, which is an encrypted cloud storage service. Currently, I have a few Protonmail accounts and I pay for the Protonmail Plus and the premium ProtonVPN service.
Tutanota is a German based email provider similar to Protonmail. The primary difference is they offer free users 1 GB of mail storage and already have an encrypted calendar in production. They offer the same level of encryption and privacy, but have a few different features to purchase at an additional cost. The free option should be good for most people, but they do offer more storage for a small fee per year. I do have a Tutanota free account, but I don’t really use it unless someone I know uses it. I just made the account to lay claim to my preferred email/username. Overall Tutanota is a little cheaper than Protonmail, but I like the Protonmail environment and Protonmail has given me 10 addition GB on my paid plans for free.
I’m sure there are other providers out there, but Protonmail and Tutanota are the most well known and respected. I’ve listened to the Protonmail CEO talk and their company is community driven. Meaning they look to the users and private community to guide where the company goes with features and development. Regardless of which one you choose, go ahead and make the switch and encourage those in your inner circle to do the same.
I know you’re probably thinking…”This is way too much for something that may never happen”. You may be right and I hope you are, but taking a little bit of time upfront can prevent weeks or even months of work trying to clean up a mess. I have a friend who had a veterans disability check stolen from him. Someone called the VA posing as him and had the direct deposit account changed to a bank in Romania (or somewhere like that). He ended up fighting the VA over it because they needed to “investigate” to make sure he wasn’t lying. Eventually, he called his local state representative to Congress. He was paid in two days.
Review the things I have written here, make a plan of what you plan to do and who you need to include. You don’t have to go gangbusters over a weekend. Choose one step each week or weekend and just work through it. If you have a family at home then you can help protect them too or walk them through the steps to do it themselves. It’s better to be proactive than to be reactive.
This was a fun post to write and it gave me an opportunity to learn a few more things and share what I know. If you’re interested in learning more about how to be a more secure and/or private nudist, please let me know and I will try to share what I have learned. It’s become an interesting hobby of mine lately, and I’ve started to enjoy learning more about it.
Get Naked Securely. Stay Naked Securely.