Security Articles

Back in September & October, 2017 I posted two articles about Internet security in the Lorain County Computer Users Group newsletter, “Interface”.  I combined these two articles into one post and am posting them here below:

 

Security

 By Micky Knickman

It makes me sad when I hear stories of people falling for the traps that scammers set.

I would like to take this opportunity to remind our readers of some ways to keep safe in our present time.

Phone calls:

Many scammers will call and say that you have a problem with your computer.  The scammers will have you check multiple things on your computer in order to convince you that your computer is not working correctly.  They will then ask you to go to a web site, click on or download something and then ask you to allow them to get into your computer so they can “fix” your computer.  Never allow anyone into your computer unless you know them and are convinced that they are reputable and honest.

Microsoft, the IRS, etc. will NOT call you out of the blue.  If you believe the call to be legitimate, then tell the caller you will call back.  Hang up and dial the phone number that you KNOW is the actual phone number of the company/organization that is supposedly calling you.  Scammers can easily spoof the phone number that is displayed on your caller ID screen.

One beneficial practice to adopt is to never answer the phone if it is a number that is not known to you.  If it is important, someone will leave a message.

I personally use this policy, but sometimes I answer the phone if it seems to be from a local number (since I answer questions and help people whom I don’t always know in advance).  When I answer one of these calls, however, I never say “hello”.  Instead, I mute all external noise, answer the phone and just listen.  A normal person will usually say, “hello” and then I would respond.  Most robo-callers or telemarketers will not do this and they eventually hang up.

Emails:

If you should receive an email that says there is a problem with your account which you must correct, never click the link that is provided in the email.  Instead, open your browser and go to the company’s web site that you KNOW is correct.  From there, you should be able to navigate to the appropriate web page to see if there’s a problem.  If it is not obvious, you can also call the company (again with a known good phone number) and ask if they sent any emails concerning problems with customers’ accounts.

Another thing to consider is that web browsers and most email programs will display the URL of the link if you hover the mouse over the link without clicking on it.  The URL may be displayed at the bottom of the page.

Passwords and Security Questions:

Most “security experts” will tell you to have unique usernames and passwords for each site you visit.  This can be a daunting task.  One way to make this easier is to use Password Manager software to keep track of this information.  Password Managers are programs that keep all the usernames, passwords, security questions, etc. locked up in an encrypted database that is secured by a master password.  A user runs the Password Manager program and then enters the master password.  This unlocks the database and allows the user to view/copy/paste all the usernames, passwords, and whatever information the user has stored.  I personally use the free KeePass Password Safe program (keepass.info) to secure my passwords.

Another way to have a different, unique password for each site is to use the first letters from a common phrase that is known by you and easily remembered, but will be hard for someone else to guess.  For instance, if your phrase was “Mary had a little lamb its fleece was white as snow”, then you could incorporate the letters “Mhallifwwas” into your passwords for different sites by appending or prepending letters that would be associated with each site, along with numbers that are easily remembered by you.  A gmail password using this strategy could be “1950Mhallifwwas-gmail”.  Hopefully, you get the idea.

The Security Questions that a lot of sites force you to create could be a way for hackers to infiltrate your account relatively easily.  Most sites have security questions that allow someone to access his account without knowing the password if he can answer one or two of these questions.  Depending on the security questions that you selected when you set up your account, anyone who knows you & your family may be able to get into your account.  For instance, a security question, “What is your favorite color?” could be easily guessed since there aren’t that many colors for most people.  Besides that, anyone who knows you would be able to answer that question.

I regard Security Questions as “creative opportunities”.  When answering these questions, remember that there is no rule against lying and I highly recommend lying.  For instance, in answer to the favorite color question, you could answer, “apple pie”, or some other such nonsense.  This would thwart most hackers & acquaintances.  If you adopt this practice, however, you need to make sure you keep track of your usernames, passwords and security questions in a Password Manager (or even a notebook or some other means) so you don’t get locked out of your account yourself.

Also don’t forget that you can use spaces and hyphens or some other special characters in your answers to security questions in order to make them more obscure.  Note, however, that most answers to security questions are NOT case-sensitive, so don’t think that using upper case will make your answer difficult to guess.

Hopefully these tips have helped to keep your computing experience a bit more secure.

 

 

 

More on Security

 By Micky Knickman

Continuing the discussion on security from last month’s article, here are some more tips on privacy and security.

Try to keep the personal information shared on the Internet to a minimum.

When filling out forms for non-critical web pages or when signing up for newsletters or other free things, there is a good possibility that the requesting site only needs this information for advertising purposes.  A site that needs your address because you will be getting something delivered or for entry into some contest, etc. will require your actual address.  For a site that is asking for your address simply for marketing or to view something on a web page, you should try using a fake address.

Similarly, for marketing sites, who said you need to enter your real name or birth date?  I have been using the same fake name, address and birthdate for over three decades when asked by companies that really don’t need to know my true information.

Protect your privacy by revealing true personal information only to sites/companies that REALLY require it for legal or medical reasons.

What about your email address?  Do you only have one?  Do you give it out to everyone?  Protect your email address by signing up for another disposable email address that you can use on sites where you need to provide an address, but you don’t care about any emails they may send.  You could also use one of the temporary email services like mailinator.com or 10minutemail.com to sign up for some web site, get an email verification code, and then never have to worry about getting spammed by the company.

Email aliases are another way to keep your “true” email address private while still giving out an email address to a site you don’t trust.  Most email providers will allow the creation of email aliases so that you can then define a rule/filter to send all email that comes to that address into the trash directly without having to view it.  A good article on how to do this with Gmail is “How to Use the Infinite Number of Email Addresses Gmail Gives You”.  You can find other tutorials for other email providers by using your favorite search engine.

Last month’s discussion brought up the subject of Security Questions for web sites.  Another way to keep those answers secure is to use spaces or special characters when answering the questions on sites that allow the use of those characters (not all sites allow all special characters).  For example, a security question that asks what your favorite color is will not have very many answers.  In order to help thwart hackers who will try to break into accounts by guessing security questions, the strategic use of extra characters will help.  If your favorite color is “red”, then that answer is not very secure.  However, if your answer is “r-e *d”, then your answer is far more secure and harder to guess.  Set up a rule that you remember that says “put a dash after the first character, then a space and an asterisk after the second character and then the rest of the answer” (for this particular example).  So, using this example, if your favorite color is “yellow”, you could follow that rule and answer “y-e *llow”.  Again, make up your own rules to help keep your answers secure.

Do you make online purchases?  Are you concerned about your credit card number getting stolen?  Virtual Credit Cards help to limit your exposure to this theft.

Virtual Credit Cards are temporary credit card numbers tied to your credit card account.  These numbers are different than your physical card number and are typically valid for only one merchant for each number.  Unfortunately, not all banks offer Virtual Credit Cards.  Discover, Citibank and Bank of America are three credit card issuers who do this.  There may be more.

When using virtual credit cards, you would typically log in to your credit card’s web page and choose the option, which is typically found under the Security section.  LCCUG gave a presentation on this topic many years ago; it was recorded as a video that can be downloaded and played on your computer.  The video can be found on lccug.com/movies.