Random Thoughts – Randosity!

How to protect yourself from the Equifax breach

Posted in botch, business, security by commorancy on September 11, 2017

Every once in a while, I decide to venture into the personal financial security territory. This time, it’s for good reason. Unfortunately, here’s a topic that is fraught with peril all along the way. It also doesn’t help when financial linchpins in the industry lose incredibly sensitive data, and by extension, credibility. Let’s explore.

Target, Home Depot and Retailer Breaches

In the last few years, we’ve seen a number of data breaches including the likes of Target and Home Depot. While these breaches are severe problems for the companies, they’re less problematic for the consumer in terms of what to do. As a consumer, you have built-in protections against credit card fraud. If a thief absconds with your number, your liability is usually limited to around $50, but that also depends on the card… so read your fine print.

With the $50 you might have to pay, the inconvenience to you is asking your credit card company to issue you a new card number. This request will immediately invalidate your current card number and then you have to play the snail mail waiting game for a new card to arrive. That’s pretty much the extent of the damage with retailer like Target or Home Depot.

No one wants to go through this, but it’s at least manageable in time… and you can get back on with your life. For breaches like Equifax, this is a whole different ball game, let’s even say, a game changer. Breaching Equifax is so much more than a simple credit card inconvenience.

Credit Reporting Agencies and Breaches

With Equifax breached, this is really where the government needs to step in with some oversight and regulations. What your social security number is the the government, your credit reporting file is to your personal financial health. This breach is a dangerous game… and worse, Equifax is basically taking it lightly, like it’s no big deal. This is such a big deal, you will absolutely need to take steps to make sure your data is secure (and even then, that only goes so far).

First, I’ll discuss what this breach means to you and how it might affect you. Second, I’ll discuss what you can do to protect yourself. Let’s start with some basic information.

There are 3 primary credit reporting agencies (aka credit bureaus):

  1. TransUnion
  2. Experian
  3. Equifax

Unless you’ve never had a credit card, you probably understand what these businesses do. I’ll explain for the uninitiated. These agencies collect and report on any outstanding credit card or revolving lines of credit you currently have. If you have a mortgage, these entities know about it. If you have a credit card (or many), they know. They also know lots of other data (i.e., previous and current address), what loans you’ve had in the past, what bank accounts you have, what balances are on your outstanding lines of credit, any collections activities and the list goes on and on. It also lists your birth date, social security number and full credit card numbers and account numbers.

Based on all of your credit lines, how well you pay and so on, these companies create a FICO credit score. This score determines how low of interest rates you’ll receive on new loans. These companies are not only a bane to actually exist, but they are your lifeline if you need new credit. Even just one blemish on your record can prevent you from getting that loan you need to buy your new house or new car. Without these linchpin companies, lenders wouldn’t be able to determine if you are a good or bad credit risk. Unfortunately, with these companies, consumers are at the mercy of these companies to produce accurate data to lenders (and to protect that data from theft)… a task that Equifax failed to do.

What did Equifax lose?

Equifax lost data for 143 million record holders. While that number may seem small, the damage done to each of those 143 million record holders will eclipse the damage produced by Target and Home Depot combined. Why? Because of how these credit reporting agencies actually work.

Equifax (and pretty much all of these credit reporting agencies) have flown under the radar in what they do. If you go to a car dealer, find a car you want and fill out loan paperwork, that dealership will pull a credit report from one or more of these agencies. Your credit report will contain a score and all loans currently outstanding. It also shows how well you pay your loans, any delinquencies in the past and other financial standing metrics. This credit report will be the basis of whether you get a loan from the car dealership and what what interest rate.

Hackers had access to this data between May and July of 2017. The hack was found on July 29th, but not reported to the public until September 8th. That’s over a month that Equifax sat on this news. It’s possible that they were requested by law enforcement to hold the announcement, we just don’t really know.

What was lost?

According to the Washington Post:

Hackers had access to Social Security numbers, birth dates, addresses, driver’s license numbers, credit card numbers and other information.

According to the New York Times:

In addition to the other material, hackers were also able to retrieve names, birth dates and addresses. Credit card numbers for 209,000 consumers were stolen, while documents with personal information used in disputes for 182,000 people were also taken.

Those dispute documents being PDFs of bills, receipts and other personally identifying information. I’ve also read, but have been unable to find the corresponding article, that the hackers may not have had access directly to the credit report database itself, but only to loose documents in a specific location. However, even with that said, do you really trust Equifax at this point? I certainly don’t.

Why is this such a big deal?

Because the credit reporting agencies have played it fast and loose for far too long. They make boat loads of money off of each credit report that’s pulled. If you pay $50 as part of the loan process to pull your credit report, the dealership will keep part of that money and the rest goes to Equifax. Because many loans applications are processed every day, some credit reporting agency is making money. Making money isn’t the problem, though.

These agencies will pull a report for anyone willing to spend money. This includes people with stolen credit cards. However, that only gets thieves so far before being caught. Instead, breaking into computers at the agency allows them to not only pull credit reports for anyone who has a record, they can get access to lots of sensitive information like:

  • Social Security Numbers
  • Birth Dates
  • Addresses
  • Places of employment
  • Home Addresses
  • Credit card numbers
  • Dispute Documents
  • Etc..

Basically, the thieves may now have access to everything that makes up your identity and could steal your identity and then attempt to divert bills away from your house, create new cards, and do other things that you may not be able to see. If they managed to get access to your credit report, they can open cards out the wazoo. They can charge crap up on those cards. And, they can perform all of this without your knowledge.

Credit Monitoring

You might be thinking, I’ll set up a credit monitoring service and have the credit reporting service report when activity happens. Even that, while only somewhat effective is still subject to being breached. If the thieves have access to all of your identity information, they can request the credit reporting service to do things like, reissue passwords to a new email address and send sensitive reports to a bogus address. These thieves can even undo security setups like a credit freeze and reassign all of that information to their own address. You won’t see or even know about this unless you regularly check your credit reports.

This problem just barely peeks into the can of worms and doesn’t even open it fully. There are so many things the thieves can do with your identity, that by the time you figure it out, it could be far, far too late. So, don’t think that signing up for credit monitoring is enough.

Sloppy Security Seconds

In fact, it wasn’t seconds, it was almost 2 months before the breach was known to the public. A move that not only shows complete disregard for 143 million people’s financial security from a company who should be known for it, Equifax doubled down by creating a lead generation tool in their (ahem) free TrustID tool. Keep in mind that that TrustID tool is only (ahem) free for one year, after that you pay. Though, protecting against new account creation is only half the problem. The other half to which TrustID can’t help is protecting your existing accounts. Because credit reports contain every account and every account number you own, if your data was compromised (and with 143 million accounts worth of data lost, it’s very possible), you need to do so much more.

Even the Security Checking Tool (which was questionably put up on a brand new created domain???) seems to have been a sham and had its own share of SSL certificate problems leading to some browsers showing the site as a scam. Some Twitter users have entered bogus data… and, this checking tool seems to have stated this bogus data was included in the breach. The question is, does that tool even work or is it merely security theater? Yet another black eye in among many for Equifax’s handling of this data breach. To wit…

and then this tweet…

To sign up for Equifax’s TrustID premium service, you have to enter even more personally identifying data into a form of a company that has clearly demonstrated they cannot be trusted with your data. Why would anyone do this? Seriously, signing up for a service with a company who just lost a bunch of information? No, I think not. Instead, Equifax should be required to pay victims for a monitoring service with either TransUnion or Experian (where breaches have not occurred.. yet).

On top of entering even more personal information, the service requires you waive your right to lawsuits against Equifax and, instead, requires binding arbitration. Yet another reason not to sign up.

It’s not as if their credit monitoring service is really going to do you a whole lot of good here. If you really do want a credit monitoring service, I’d suggest setting it up with Experian or TransUnion instead. Then, figure out a way to get Equifax to pay you back for that service.

Can’t I reissue credit card numbers?

While you can do this, it won’t protect you fully. The level of what the thieves can potentially do with your data from Equifax goes much deeper than that. Yes, changing the numbers will help protect your existing cards from access. However, it won’t stop thieves from opening up new accounts in your name (and this is one of the biggest problems). This is why you also need to set up a credit freeze.

Because the thieves can now officially pretend to be you, they can do such things as:

  • Pretend to be you on the phone
  • Call in and request new pin codes based on key identifying information (address, SS#, phone number, etc)
  • With your old address, they can then transfer your bills to a new address
  • They can reissue credit card numbers to that new address

You’re probably thinking, “What about the security measure my bank uses? Won’t that protect me?” That depends entirely upon how convincing the thief can be over the phone. If they can answer all of your identity information and find a representative who can bypass some of the banks security steps, they can get a foot into the door. That’s all it takes for them to basically take over your credit accounts… which is one step away from potentially hijacking your bank accounts. A foot in the door is enough in many institutions to get the ball rolling towards full hijacking.

How do I protect myself?

If your data was involved in the breach (unfortunately, the tool that Equifax provides is sketchy at best), the three bare minimum things you should do are

  1. Contact one of the three credit bureaus and ask for a free 90 day fraud watch
  2. Contact all three and ask for a credit freeze on your records at each credit reporting agency
  3. Set up credit monitoring at TransUnion or Experian

The 90 day fraud watch means they will need to let you know when someone tries to do anything with your credit report. However, this watch is only good for 90 days and then expires. The good thing about requesting this watch is that you only have to do it at one bureau. All three will receive this watch request from your contact with one of them. The bad thing is, 90 days is not nearly long enough to monitor your credit. In fact, the thieves will expect the 90 day fraud watches, wait them out, then go after it hard and heavy after these begin expiring.

A freeze, on the other hand, lasts until you unfreeze. A freeze puts a pin code on your credit record and that pin is require each time a company needs to pull a copy of your credit report. This will last far, far longer than a 90 day watch and serves to stop the thieves in their tracks. To freeze your records, you will need to contact all three separately and perhaps pay a fee of $5-10 depending on where you live.

Setting up credit monitoring means you can be alerted to whenever anything changes on your credit report. But, credit monitoring won’t stop the changes from occurring. Meaning, you’ll be alerted if a new card is opened, but the monitoring service isn’t a preventative measure.

You can contact each bureau as follows to set up any of the above services, including a credit freeze (links below):

  1. Equifax or call 1-800-349-9960
  2. TransUnion or call 1-888-909-8872
  3. Experian or call 1‑888‑397‑3742

Neither a fraud watch nor a credit freeze will impact your credit score. A freeze simply prevents any business from pulling your credit report without having your pin code. Companies for which you already do financial business or have loans established can still pull reports as needed. However, any new loans will be required to have your security pin code.  You can learn all about the details of a credit freeze at this FTC.gov web site.

Unfortunately, because the breach may have been more extensive than it appears, a thief can now contact the credit bureaus over the phone, pretend to be you and have any pin codes removed and/or reissued. Then, gain control over your credit records. This is why this breach is so treacherous for consumers. You need to be on your guard, vigilant and manually monitor your credit report for at least the next 12 months regularly. This is the part no big box media site is reporting. Yes, this is a very treacherous landslide indeed that is at work. Even if you do all of the protections I mention above, thieves can still subvert your financial records for personal gain by knowing your key personally identifying information.

How do I stop the thieves?

This is the fundamental problem. You can’t, at least not easily. To truly protect yourself, the scope of changes would include all of the following:

  1. Get a new social security number
  2. Reissue all of your credit card and debit card numbers
  3. Open new bank accounts, transfer your money into the new accounts
  4. Close the old bank accounts
  5. Reissue new checks
  6. Change your telephone number
  7. Move into a new address (or obtain a P.O. Box and send your bills there)
  8. Legally change your name
  9. Change all of your passwords
  10. Change all of your email addresses
  11. Set up multifactor authentication to every financial app / site you log into that supports this feature.

Unfortunately, even doing all of the above would still mean the credit bureaus will update your credit report with all of this new data, but your prior history would remain on the report… possibly up to and including all of the old account, name and address information. It is very, very difficult to expunge anything from a credit report.

In addition to the above, I’d also suggest closing any credit lines you don’t regularly use. If it’s not there, it can’t be exploited. None of this is a magic bullet. You just have to wait it and shut the thieves down as things materialize. Being diligent in watching your credit report is the only way to ensure you nip things in the bud early.

Tidal Waves and Repercussions

It is yet unknown the extent of their breach or the extent to which each consumer may have to go to protect themselves from this deep gash in the financial industry. Not only does this gash now undermine each account holder’s personal financial well being, it undermines the credibility of the very industry holding up the world’s economy. This is some serious shit here.

If half of the US’s residents are now available to identity thieves, those organizations who help protect the small amounts of identity theft throughout a normal year cannot possibly withstand a financial tidal wave of identity theft paybacks which could seriously bankrupt many credit organizations. In fact, if this tidal wave is as big as I suspect it could become, we’re in for some seriously rough financial waters over the next 6-12 months. By the time the holidays roll around, it could be so bad, consumers cannot even buy the goods needed to support the holiday season. Meaning, this could become such a disruptive event in the US’s financial history, many businesses could tank as a side outcome of consumers not being able to properly spend money during the most critical season of the year.

This has the potential to become one of the most catastrophic financial events in US history. It could potentially become even more disruptive than the 1939 stock market crash. Yes, it has that much potential.

Since I have no reason to believe that Equifax has been totally honest about how much data has actually been lost, this is the reason for this level of alarm. I’d be totally happy if the amount of data lost was limited to what they have stated, but the reality is, nothing is ever as it seems. There’s always something deeper going on and we won’t find that out for months… possibly at the point where the economy is hit hard.

Equifax Aftermath

Because the US is so pro-business, Equifax will likely get a slap on the wrist and a warning. Instead, this company should be required to close its doors. If it is not providing adequate data security measures to protect its systems, then it needs to shut its doors and let other more capable folks handle this business. This sector is far too critical of a service and that data too risky if lost to allow flippant companies like Equifax to continue to exist in that market.

Tagged with: , , , ,

Rant Time: Password Bombing

Posted in best practices, business, security by commorancy on June 29, 2017

What is password bombing? This is a malicious activity by trolls on the Internet just to inflict chaos and to annoy legitimate account holders on the Internet. Like DDoS attacks affect Internet providers, password bombing affects individual Internet users. It works like this. You have an account somewhere, let’s say Apple. Apple institutes a policy that after 3 failed password attempts your account is locked. You must then jump through a bunch of hoops to unlock the account… typically answering ‘security questions’ in addition to entering your password. Sometimes these hoops are much more problematic, like bank logins. You might even be required to call in to have someone there verify your identity and unlock your account. You might also be required to reset your password. Some companies, depending on the lockout procedure, might even require that you re-register a brand new account. The hoops you are required to jump through can be minimal to numerous… all in the name of security. A password bomber takes advantage of these security practices and bombs your account to force this account lock inconvenience on you. Let’s explore.

Security and Logins

Yes, we all want our login IDs to remain safe, but not at the expense of being locked out of our account by a random schmoe on the Internet. After all, when they enter your account’s password incorrectly, there’s nothing that affects the malicious troll except a few failed attempts… at which point they can move on and try yet another account. All of the burden and inconvenience is firmly placed on the account holder to resolve the lockout. The malicious user gets to lock you out, you as account holder have to jump through the hoops to get the account reinstated. Depending on the organization’s security practices, you might be online in a few minutes, sometimes it can take days for the lockout to expire.

Overreaching Security Methodologies vs User Preferences

As more and more breaches occur, ever more organizations are making huge security knee-jerk reactions by, in most cases, silently instituting tougher and more problematic security measures for user accounts. After all, it’s my account and, in many cases, I’m paying to have that account (in one way or another).

This is one of those times where organizations think they know better than you. They think they can simply institute security procedures and everyone will just go along with them all happy like. It doesn’t work that way. If you’re an organization instituting security practices that will affect your user accounts, you need to not only inform your user base, you need to also offer ways to set preferences to control these security practices. If you’re planning on instituting a lockout policy, then you should offer ways to prevent lockouts (multi-factor authentication) or in ways to remain informed of lockout attempts. For example, if you’re planning to lock an account due to bad data, send an email WHY your system locked the account and the IP address that caused the lockout.

Locking out accounts may sound like a great security prevention practice, but it’s what’s happens after a lockout that makes this security measure useful or a fail. Making your users jump through a bunch of sometimes impossible hoops to reactivate their account is not cool. Simply because some random schmoe on the Internet decided to type in my account name with a bad password three or more times shouldn’t require me to spend 30 minutes or longer resolving this issue. It’s your system that allowed that schmoe to continue to enter the password multiple times. That had nothing to do with me.

Why not just block that IP address from your site after multiple bad attempts and then inform the actual account holder that someone attempted to gain access from that specific IP? Let the account holder determine how to handle this issue. That’s the better way to handle this. Let us know that people are attempting to access our accounts and tell us where they are from and what device they are using. Let us make the decision. Don’t just lock us out without a word, then assume we’re okay with spending 30 minutes jumping through your silly hoops to gain access again. Do you really want us to use your services?

Password Bombers

As we are forever required to have and own more and more accounts on the Internet, it’s becoming much more common for our usernames to clash with other people. This is especially true when we’re required to use our email addresses as our login IDs. I preferred the time when we could choose our user IDs so they could be unique. Instead, we are now forced to use our email addresses which can be easily confused with other users, particularly when using an email domain like @gmail.com, @yahoo.com, @outlook.com or similar common email services used by perhaps millions of other users.

Worse, though, is when malicious trolls decide to be contrary. When they can simply go out to Yahoo or Apple or Google and just plug in random data into the login screen simply to lock user accounts. Even though this vulnerability has been around for a long time, it’s now becoming more and more common. As we move forward, it will become even more common in retaliation to stupid things like Internet comments.

These password lockout practices need to be refined to not inconvenience legitimate account holders. But, instead, it should inconvenience the password bomber. Yes, inconvenience them. Make them pay for their stupidity of entering incorrect data multiple times. Instead of locking out our accounts, block that IP from your site for 24 hours after entering incorrect login data. Prevent them from locking any further accounts through their contrary actions. Make them contact your team to get the IP unblocked. Leave the accounts alone unless it’s absolutely necessary, like under a real breach. If your organization loses password data, then yes lock our accounts until we change passwords. If some random troll decides to password bomb as an activity, make them pay for this activity by blocking their IP from your login screen.

If you have been password bombed by someone on the Internet, please leave a comment below with your story. If you like what you read here, please subscribe to the Randosity blog so you don’t miss my newest posts.

Tagged with: ,

Security vulnerability: Apple Watch, iPhone and Apple Pay

Posted in Apple, security by commorancy on March 6, 2016

apple-watch-passcode-screenIf you own an Apple Watch, there is a security vulnerability that could compromise your Apple Pay cards. Let’s explore.

Watch Stolen?

Let’s say you’re on vacation and you decide to visit that cute little patio coffee shop. Naturally, you’re sitting, sipping and enjoying your coffee. Your wrist adorned with your new Apple Watch is sitting on top pretty wrought iron fence. Someone comes along and grabs your Apple Watch off your wrist and runs away. What do you do? Chase after them to get it back? Oh, but they’re already gone. So then, try to disable the watch on your iPhone? So, here’s the dilemma (and the vulnerability). As soon as you unlock your iPhone, your watch is now quite vulnerable thanks to Apple.

Unlocking your iPhone

Apple has recently pushed an update that automatically and, by default, unlocks both your Apple Watch and your iPhone merely by unlocking your phone… so long as the watch is on anyone’s wrist (it doesn’t have to be your wrist). And herein lies the vulnerability.

So now, that thief who has just stolen your Apple Watch is standing close enough to still get a connection from your iPhone. The thief already knows what will happen after you unlock your phone. So, they patiently wait until you unlock your phone. Then, they get access to your stolen watch’s data until you A) Mark as Missing or B) remove all your credit cards from your wallet. It’s doubtful you can unpair the watch once they have taken it out of range of the Bluetooth/WiFi, but you can mark it as missing.

The thief will wait just long enough to get the watch unlocked and then run for it to get out of connection range. This may allow them to get access to the Apple Wallet and skim your cards from NFC. They could even still do it while in range of your phone, especially if you somehow hadn’t noticed the watch was missing (i.e., you had taken it off and placed it in your bag).

Fixing the Vulnerability

It’s quite amazing that this exists, a stupid security feature from the same company that’s trying to defend itself from unlocking a terrorist’s iPhone for a judge. Hypocritical much? No no, mustn’t unlock a phone for a judge. But, it’s perfectly okay to give thieves access to Apple Pay credit cards by enabling this dual unlock feature. First thing I’d immediately recommend is going into the Watch app on your iPhone and disabling this feature pronto! You’ll find that the Apple Watch itself also has this setting available under Passcode, but thankfully it can only be enabled or disabled on the iPhone.

However, this feature should not be available at all, Apple.

Preventative Measures

While you are still in possession of both your Apple Watch and your iPhone, you should immediately disable this feature. On the iPhone, it’s under Watch app=>My Watch (Screen)=>Passcode=>Unlock with iPhone set to OFF.

You’ll need to perform this while you are in possession of both devices, before your watch is stolen or misplaced. If you fail to make this change now, you cannot make this change after it is stolen. You can only mop up the mess.

Reactive Measures — My Apple Watch has been stolen!

If you leave the Unlock with iPhone setting enabled, anyone wearing your watch will see it unlock as soon as you unlock your iPhone if they are still in connection range (possibly 30 feet or so, but could be farther). So, you realize your watch is missing and the first thing you do is think, “I need to delete my Apple Watch from my phone”. However, merely by unlocking your phone, you may have just now given the thief access to your watch and to anything on that watch including your Apple Pay credit cards. This means they can activate the NFC on the watch and skim those card numbers off or even use them to charge in shops around the area, possibly even for the entire day until you remove the cards from the wallet. This gives the thief access to wallet and your credit cards until the watch runs out of battery or it locks again once taken off. Or, until you have taken measures to remove the cards from Apple Pay and have marked the watch as missing.

It’s very important to understand exactly how exposed you are by using the Apple Watch with the Apple Pay when enabling the Unlock with iPhone feature. But, you have to know that it’s stolen to take these measures.

Protecting Yourself

What do you do after it’s stolen?

Assuming you know that the watch has been stolen, the first thing you should do before unlocking your iPhone is disable Bluetooth and WiFi. How do you do this? At the > Slide to Unlock screen do not unlock the phone. Instead, swipe up from the bottom of the screen to the top. This will bring up the quick access menu that lets you manage items like WiFi on/off, Airplane mode on/off, Flashlight on/off and, yes, Bluetooth on/off. From the quick access menu, you need to disable both WiFi and Bluetooth before ever unlocking your iPhone. Because Apple Watch relies on Bluetooth and apparently an adhoc WiFi connection, the signal that you’ve unlocked won’t be sent to your nearby watch. It doesn’t seem to send this signal when your phone is on a carrier LTE or 4G data network. However, disabling Bluetooth or WiFi alone is not enough. The Watch can still connect to the cloud if close to a WiFi network it knows about. If you’re out on the street, that’s not likely. If you’re in or near your hotel, it might.

If you are not sure where your watch is, you should disable WiFi and Bluetooth before unlocking your iPhone. Once you’ve disabled WiFi and Bluetooth, go into Watch app=>My Watch=>Apple Watch and then Mark as Missing (making sure you have access to an LTE or 4G data network). You will not be able to disable the Unlock with iPhone feature while the watch is locked even if you reenable both WiFi and Bluetooth.  In fact, if you do enable WiFi and Bluetooth, the app seems to remember the last unlocking for some period of time and will pass that unlock to the watch to unlock it. You don’t want to do this.

Whatever you do, don’t enable WiFi and Bluetooth until you’ve selected Mark as Missing under the Apple Watch menu. The last thing you want to happen is the iPhone to send an unlock signal to your watch.

Didn’t notice the watch was missing?

If you’ve left the watch in a hotel room or at pool or on the beach, you may have inadvertently unlocked the watch for a thief while you did not know the watch was missing. In this case, you should immediately Mark as Missing (see above). The second thing you will need to do is go into Wallet and Apple Pay is remove all credit cards from this area. This will deauthorize the card from Apple Pay and prevent the watch from making any further purchases with your cards.

Because Apple Pay creates a unique new Apple Pay card ID for each card, the thief won’t get access to your actual card number. But, a thief can still skim these unique numbers from the NFC and continue to use the numbers as long as you have not removed the card from the Wallet and Apple Pay menu. See ‘Thievery at its finest’ below for a caveat on skimming of NFC Apple Pay card numbers.

You should also call all of your credit card companies and let them know the period of time the watch was lost. While replacement of the cards is not necessary due to the way that Apple Pay registers new card numbers for use, it might still be a good idea just to be safe.

Forever losing things?

If you’re one of those people who is prone to losing or misplacing your stuff (especially things like Watches), then you need to head back up to Preventative Measures and disable Unlock with iPhone while you still have both your iPhone and Apple Watch in your possession. In fact, you can do it now while I wait here… patiently… for you to open up Settings on your iPhone… and disable Unlock with iPhone. Yes, you. Go do it now.

Okay, so now that that’s done. You did go do it, right? Okay, just checking. Assuming you didn’t lie about disabling it, there is no way a thief can get access to your Apple Watch by being in proximity of your iPhone if stolen or lost (i.e., like at the beach or at a pool).

If you are the type of person who loses things regularly, you might not even want to enable Apple Pay on the watch at all. Though, if you have a credit card on file for iTunes, Apple tries to be nice and imports this card into your watch on your behalf after its first setup. You should immediately go into the Watch app on your phone and remove that card. You can always add it back if you like.

Thievery at its finest — (the thief who returns most of what is stolen)

If you take your watch off by a pool, at the beach or any place where you might not want your watch damaged, a would-be thief could ‘borrow’ your watch just long enough to NFC skim all your cards off of the device (after waiting for you to unlock your phone). Then, carefully return the watch to you. He now has all your cards and you aren’t even the wiser that the watch was even missing.

Before this happens to you, you should disable Unlock with iPhone. Though, if you’re concerned about the credit card situation at all, you might just want to delete all the cards from your Apple Watch entirely and not use the watch for Apple Pay. Even if a thief attempts to skim your card data from your watch, they won’t be able to do it if the cards aren’t even there. However, if you do choose to use Apple Pay with your watch and as a security measure, I’d suggest removing and re-adding the cards once every couple of months. Better, once a month. This forces your bank to issue a new unique Apple Pay card number for each credit card. This will invalidate old Apple Pay unique card numbers that may have skimmed from your watch.

You should always remove and re-add your cards if your Apple Watch has been out of your possession for any period of time.

The Takeaway

Hopefully, by reading this article someone doesn’t end up taking more than your Apple Watch from you. The takeaway from this article should be to secure your device by undoing stupid Apple counter-security measures. Disable Unlock by iPhone in the Apple Watch app. Remove unnecessary cards from Apple Pay. Better, don’t use Apple Pay on the watch if you’re prone to losing things. If you’re planning on wearing the watch, don’t take it off your wrist.

I can’t even believe that Apple would stoop to putting in such an obvious security hole onto a device capable of storing credit card information (even if the numbers are unique to Apple Pay). If an Apple Watch could identify my wrist differently from someone else’s reliably 100% of the time, then this feature might be worthwhile. Because the Apple Watch can’t detect who’s wrist it is currently sitting on, this is a security compromise just waiting to happen.

Amazon Kindle: Buyer’s Security Warning

Posted in best practices, computers, family, security, shopping by commorancy on May 4, 2012

If you’re thinking of purchasing a Kindle or Kindle Fire, beware. Amazon ships the Kindle pre-registered to your account in advance while the item being shipped. What does that mean? It means that the device is ready to make purchases right from your account without being in your possession. Amazon does this to make it ‘easy’. Unfortunately, this is a huge security risk. You need to take some precautions before the Kindle arrives.

Why is this a risk?

If the package gets stolen, it becomes not only a hassle to get the device replaced, it means the thief can rack up purchases for that device from your Amazon account on your registered credit card without you being immediately aware. The bigger security problem, however, is that the Kindle does not require a login and password to purchase content. Once registered to your account, it means the device is already given consent to purchase without any further security. Because the Kindle does not require a password to purchase content, unlike the iPad which asks for a password to purchase, the Kindle can easily purchase content right on your credit card without any further prompts. You will only find out about the purchases after they have been made through email receipts. At this point, you will have to dispute the charges with Amazon and, likely, with your bank.

This is bad on many levels, but it’s especially bad while the item is in transit until you receive the device in the mail. If the device is stolen in transit, your account could end up being charged for content by the thief, as described above. Also, if you have a child that you would like to use the device, they can also make easy purchases because it’s registered and requires no additional passwords. They just click and you’ve bought.

What to do?

When you order a Kindle, you will want to find and de-register that Kindle (may take 24 hours before it appears) until it safely arrives into your possession and is working as you expect. You can find the Kindles registered to your account by clicking (from the front page while logged in) ‘Your Account->Manage Your Kindle‘  menu then click ‘Manage Your Devices‘ in the left side panel. From here, look for any Kindles you may have recently purchased and click ‘Deregister’. Follow through any prompts until they are unregistered. This will unregister that device. You can re-register the device when it arrives.

If you’re concerned that your child may make unauthorized purchases, either don’t let them use your Kindle or de-register the Kindle each time you give the device to your child. They can use the content that’s on the device, but they cannot make any further purchases unless you re-register the device.

Kindle as a Gift

Still a problem. Amazon doesn’t recognize gift purchases any differently. If you are buying a Kindle for a friend, co-worker or even as a giveaway for your company’s party, you will want to explicitly find the purchased Kindle in your account and de-register it. Otherwise, the person who receives the device could potentially rack up purchases on your account without you knowing.

Shame on Amazon

Amazon should stop this practice of pre-registering Kindles pronto. All Kindles should only register to the account after the device has arrived in the possession of the rightful owner. Then, and only then, should the device be registered to the consumer’s Amazon account as part of the setup process using an authorized Amazon login and password (or by doing it in the Manage devices section of the Amazon account). The consumer should be the sole responsible party to authorize all devices to their account. Amazon needs to stop pre-registering of devices before the item ships. This is a bad practice and a huge security risk to the holder of the Amazon account who purchased the Kindle. It also makes gifting Kindles extremely problematic. Amazon, it’s time to stop this bad security practice or place more security mechanisms on the Kindle before a purchase can be made.

Tagged with: , , ,

Stupid Security Measures: autocomplete=off – How To Turn Off or Disable

Posted in banking, security, technologies by commorancy on April 16, 2012

While I’m all for some browser related security, this one feature is completely asinine because it’s so unpredictable, uncontrollable and stupidly implemented. This is the complete opposite anyone should expect from a quality user experience. Let’s explore.

What is auto-completion?

Most browsers today will automatically fill forms and password fields from locally saved browser login and password information (usually the field is yellow when automatically filled). This is called autofill or autocompletion. While I admit that storing passwords inside a browser is not the smartest of ideas, specifically if it happens to be connected to your bank account. With that said, it is my choice. Let me emphasize this again loudly. Saving passwords IS MY CHOICE! Sorry for yelling, but some people just don’t listen or get this… hello Chrome, Firefox and IE, you guys (especially Chrome) need to take notes here.

So what’s this autocomplete=off business?

As a result of autocompletion, the browser creators have decided to give web site creators the ability to disable this mechanism from within their own web pages. So, when they create forms, they can add the tag “autocomplete=off” to the form which prevents the browser from storing (or offering to store) passwords or other sensitive information. This is fine if the browser would give the user the choice still. It doesn’t.

I’m fine with browsers trying to prevent stupid behavior from users, but always provide an override. Never implement features like this, however, at the expense of a frustrating and inconsistent browser experience. This is exactly what autocomplete=off does. Why? The browser doesn’t give the user control over this web page mechanism nor does it even warn of it. If the site sets this flag on their form, the browser won’t offer to store anything dealing with this form. That’s fine IF I can disable this behavior in the browser. I can’t. As I so loudly said above, this is MY choice. Make this a preference. If I want to store logins and passwords for any site on the Internet, it’s my choice. This is not Chrome’s choice or Wells Fargo’s choice or any other site’s choice. If you offer to store and save passwords, you need to let me do it under all conditions or don’t offer to do it at all. Don’t selectively do it based on some random flag that’s set without any warning to the user.

Inconsistent Browser Experience

When autocomplete=off is set on a form, there is no warning to the user that this value is set. The browser just doesn’t save the password. You have no idea why, you don’t know what’s going on. You expect the browser to offer to save and it doesn’t. This just makes the browser look broken. And, frankly, it is. If the browser can’t warn that autocomplete=off is set by the site through changing the color of the bar, flashing, an icon or some other warning mechanism (like the lock when https is in use) the user experience has been compromised and the browser is broken. This affects not only Chrome, but IE, Safari and Firefox. Yes, and this is extremely bad browser behavior. It’s also taking a step back in time before web 2.0 when the browser experience became more positive than negative. We’re heading back into negative territory here.

Browser Developers Hear Me

Not warning the user that the experience is about to change substantially is not wanted behavior. For auto-completion, we already have mechanisms to shut it off entirely. We have mechanisms to exclude sites from saving credentials. Why do we need to change the browser experience just to satisfy Wells Fargo or some other site? I’m all for letting these sites set this flag, but just like overriding bad certificates at https sites, users should be able to override autocomplete=off. There is no need to break the browser experience because you want to allow sites stop saving of passwords. No, again, hear me, it’s MY CHOICE. It’s not your choice as a developer. It’s not Wells Fargo’s choice. It’s not PayPal’s choice. It’s MY CHOICE. If I want to save passwords into my browser, allow me t0 always override this setting.

Hacks Galore

Yes, there are browser hacks available as browser extensions (Chrome or Firefox) to disable autocomplete=off on forms on sites. While these hacks work, they require updating, can break on browser updates and can be generally problematic under some conditions. No, this is an issue that firmly needs to be addressed in the core browser, not through clever browser add-on hacks. Let the sites set autocomplete=off, that’s fine. But, warn me that it’s turned on and let me override it. I shouldn’t need a hack to fix a bug in the browser.

Always Warn of Browser Experience Changes

Why am I going down on this issue so hard? Because this is a completely crappy implementation of this feature. Why? Because it breaks the user’s browsing experience without any warning. If this the page is attempting to prevent me from saving credentials, then this information should be marked clearly in the browser somewhere. Perhaps by adding a special icon to the address bar indicating that credential saving is not allowed on this site. Then, when I click that small icon, I should be able to override this behavior immediately. Again, this is my choice to store or not store passwords to the browser. There should never be any defacto security mechanisms which cannot be overridden by a user control. Never!

If the user chooses to do something stupid, that’s the user’s choice. No, it’s not a bank’s, chrome’s or any other company’s responsibility to ensure the safety of user data. It’s entirely the user’s responsibility and those choices should be completely left up to the user to decide, for better or worse.

[Update] Safari is now warning when autocomplete=off is set on a page. Safari now tells you that the site you are visiting doesn’t allow saving of passwords. Bravo to at least Apple for getting this one right.

I have also found that Firefox with the Greasemonkey plugin and this Greasemonkey script works best for completely disabling all pieces of autocomplete=off.  While the above plugins do at least allow saving passwords, the plugins don’t always allow autocomplete to work.  This means that if you want to see your credentials autopopulate into the fields on page load, you may have to use Greasemonkey instead. I have found that the Greasemonkey solution is the most complete at disabling autocomplete=off.  The reason this works is that Greasemonkey actually removes this autocomplete=off pieces from the page before Firefox renders it. The other plugins just tweak the browser to ignore the setting for password saving, but it still exists in the page source and, thus, the pieces that manage the autocomplete parts are left unhandled.  So, these pieces still don’t populate the fields.

Security tip: Don’t sign-up for sites without ‘delete account’ function

Posted in data security, security by commorancy on April 2, 2012

As security of data becomes more and more important and as security breaches become more and more frequent, the ‘delete account’ link becomes very important.  So many sites today allow you to import information such as credit cards, birth dates and other sensitive information, but many times they don’t allow you to delete that information (or your account) easily.  In some cases, you can’t delete your data at all.  It’s important to understand why it’s critical to have the option to delete your account (and all data associated with it). Let’s explore.

Account Security

Few people consider account security when signing up for an internet service like Facebook, Twitter, MySpace or even Yahoo or Google.  As more and more sites become victims of security breaches, without deletion of old dormant accounts, your data is sitting out there ripe for the picking.  In some cases, these accounts may have stored credit card, social security or other potentially sensitive or revealing data.  So, when you begin that sign-up process, it’s a good idea to check the help pages on how to delete your account information before you sign up.

Old Dormant Accounts

We all have them.  We signed up for a site 4 years ago and then either never used it or used it only a few times. Don’t leave old dormant accounts sitting unattended.  Delete them.  You don’t need some random hacker gaining access to the account or, worse, obtaining the password through a break-in to that site.  If they obtain an old password, it’s possible that they may now have access to all of your accounts all over the net (assuming you happen to use a single password at all sites).

If you are using a single password, change them to all be unique.  If you can’t do this, then find the delete button on all these old accounts.  If you can’t remember what you’ve signed up for, then that’s beyond the scope of this article.  Still, deletion is the best option at avoiding unintended intrusion into other important accounts, so delete old accounts.

No Delete Function?

Two ways to handle this one.

  1. Delete all data that you can from the account, then find a random password generator and change the password to a randomly generated password.  Do not keep a copy of the password and never use it again.  Basically, you have locked the account yourself.  If someone does access the account through the web, they won’t get anything.  If they break into the site and gain access to the passwords, they will get a randomly generated password that leads them nowhere.
  2. Contact the site administrator and ask to have the account completely deleted without a trace.  Sometimes they can, sometimes they can’t.  Depends on how the site was designed.  It’s always worth asking.

New Accounts at New Sites

When signing up with new accounts, if you cannot find a way to delete the account, then contact the administrator and explain that you would join the site, but you cannot find a way to delete the account when you no longer wish to have one.  If they state that there isn’t a deletion function, explain to them that until they implement this function, you can’t use the site.. and walk way.  Note that there is nothing more important than your own personal data security and you have to be the champion of that security because no one else will.  If sites refuse to implement deletion functionality, then don’t use the site.  There is no site functionality that is more important than your data security.

No Reason for Lack of Delete Function

In fact, there is absolutely no reason, other than sheer laziness, to not implement a delete function in any internet web site.  If it can be added, it can be deleted.  It’s very simple.  I know, some developers are going to say, “Well, it’s not that easy”.   That’s a total crock.  It is that easy.  If you have developed software that is incapable of deleting user account information, then you are either seriously inept as a programmer or you simply don’t understand what you are doing.  There is no excuse at all for not adding a delete function to any site (including deletion of a user account).  To my knowledge, there is no operating system or database that does not have the ability to delete data.  Not adding this feature is just not acceptable.  Always demand this feature if you cannot find it.

Pre-existing Site Accounts

I know that some of you may have joined sites ages ago when data security breaches were less common than today.  Back then, account delete functions may not have been available.  This may have been carried forward and these sites may still not have delete functions.  Demand that the developers add this functionality.  If you are an avid user, you should always demand this functionality.  You never know when something may change that may require you to delete your account at that site… like a data breach.  Security is important and your personal ability to delete your account is your right and should not be undermined.  Again, always demand this feature from the sites you frequent if it is not present.

I challenge you to visit all of the sites you regularly use and locate the delete account function.  I’ll bet that more than 50% of the time, it’s not there.  Demand that this feature be implemented if, for nothing else, than your own personal peace of mind in case you need it.  It’s like that insurance policy you buy, this is the same.  The delete account feature is your insurance policy to prevent unauthorized access whenever you need to exercise this option.  However, you cannot delete your data if the functionality is not there, so always make sure the delete feature exists before you sign-up.

%d bloggers like this: