Let’s start with some basic facts. A crypto miner is malicious software that uses the resources of your computer to generate cryptocurrency for someone other than yourself. It is, at its most basic level, theft of services.

In 2018, crypto jacking (the practice of using browser-based programs to mine cryptocurrency without your knowledge or consent) and crypto mining (malware that usurps your computer’s CPU to mine cryptocurrency) grew to be major threats. The only way you’d know something was amiss was when you realized your internet browsing was very slow and, after a while, your computer stopped working until you restarted it. After a few days, the malware would cause you to “lather, rinse, repeat.” The biggest player in this arena was Coinhive.

Why did Coinhive target browsers? Because it was relatively easy to slip in as an add-on since the code appeared to be innocuous. It was, until you restarted your browser. At that point, the program would run any time your browser was open, using up electricity and processing power to generate minuscule amounts of the cryptocurrency called Monero.

In February 2019, Coinhive publicly announced it was ceasing operations the following month. The service stated that it wasn’t “economically viable anymore” and that the “crash” (of Bitcoin) had severely hurt the business. That pretty much sounded the death knell for browser-based cryptocurrency mining.

So why am I bringing this up at the start of 2022? I recently read two articles and learned that crypto mining is alive and well. And it is not being used solely by cybercriminals. Nope, no, siree. Given the pandemic, it seems marketing types have prevailed at Norton, maker of the Norton 360 security suite. Its newest feature is a built-in crypto miner. Avast, a European maker of security software, has announced it is doing the same.

Apparently we live in an upside-down world when security companies allow their own crypto miners but claim they can keep out everyone else’s. But what does this mean? Well, for one, you have to opt in to use this feature; Norton doesn’t install it indiscriminately. Also, your computer has to meet some stringent hardware requirements before you’d even see the option. The critical condition is that your computer has an advanced video card (where the computing will take place) so that you can mine Ethereum.

And then comes the kicker: Norton is going to take a good percentage of the money generated. They get 85% while you get 15%. And if you want to obtain your portion — having donated your computing resources — you are faced with additional fees (one a transaction fee and the other a processing fee to cash it in), which reduce your overall take. But suppose that’s not enough to dissuade you. In that case, this money is considered extra income by the Internal Revenue Service, so you will be responsible for including it on your annual tax return.

But the biggest question (and complaint) from security-conscious netizens is: Why would any security company think of doing this? The answer is simple: They want more money from consumers than they get from the annual subscription to their products. Consumers have learned that when subscribing to Norton 360 for the first year, they get a terrific discount. Norton sets the subscription to auto-renew and keeps your credit card on file. Savvy users realize they can turn off the auto-renewal and remove the saved credit card. The day after the current subscription expires, they can purchase a new discounted subscription with a different email address (e.g., larry2022@gmail.com for the current year because it was larry2021@gmail.com for last year’s subscription). It seems Norton is simply fighting back in a very unusual manner.

Do I think this is a good idea? Absolutely not! Is it well-intentioned? Undeniably no. Should all consumers be extremely wary about this? Resoundingly yes! Are you (my clients) affected by this? Not at all, because your computer is running SentinelOne Vigilance, part of your SPF+ or SHADE subscription. But if you know of someone who thinks Norton has a terrific security product, I would urge you to let them know that’s not necessarily the case.

Thanks, and safe computing!

Microsoft will end support for Internet Explorer 11 (IE) on June 15, 2022, as announced in May 2021.

Starting with Windows 10 version 20H2, which Microsoft released in October 2020, if you attempt to use IE, Windows will prompt you to use the Microsoft Edge browser. You must explicitly decline that prompt to continue using Internet Explorer.

Note: If you want to know what version of Windows you have, type the word winver in the Windows Search box (next to the Start button in the lower left-hand corner). The resulting “About Windows” window contains the version and build information.

The critical point to all of this is that Microsoft will jettison some outdated, still risk-prone software in favor of its new Edge browser, built on the same base as Google’s Chrome.

What does that mean for you? If you have an Internet Explorer icon on your desktop, it is time to delete it. Similarly, if you use IE to browse the web, you should transfer your Favorites (bookmarked websites) and your saved user IDs and passwords over to Edge or Chrome.

While Microsoft will provide a hybrid form of IE under Edge’s covers, the rest of the world has moved on. According to W3Schools, the internet’s most extensive tutor of web-based material, Chrome held the lead in usage with a commanding 81% of the market. Edge came in second with 6.6%, and Firefox held on with 5.5%. I am, and probably always will be, a stalwart fan of Firefox (at least until Mozilla stops supporting it).

In the upcoming months, I am hopeful that companies whose websites contain code explicitly built for Internet Explorer will remove that code to strengthen the security of their website. However, if they don’t, your browser should automatically switch to IE mode in Edge. But I won’t be surprised if bad actors make multiple attempts to figure out how to take over those websites to try to introduce malware to the unsuspecting.

Thanks, and safe computing!

Yes, I’ll admit it: I make mistakes. And yes, sometimes my clients make mistakes. But most of the time, Verizon simply compounds them. Here’s one recent nightmare experience.

A client called and told me she was having trouble getting Wi-Fi on her phone. I asked her to reboot her Verizon modem, and if that didn’t fix it, to call Verizon. My expectation was they would identify any Wi-Fi problem.

Mistake number one: Mine, for not asking if any other Wi-Fi devices she had were working. I forgot she also had a tablet — and it was working.

When she called Verizon, the Customer Service Representative (CSR) looked at her account and said that her router was eight years old (effectively blaming the hardware) and arranged for a service call to replace it. My client, innocently enough, said OK.

Mistake number two: Hers, for not calling me back after she spoke with Verizon to let me know what happened.

Several days later, a Verizon technician came to her apartment. He removed her old, perfectly good router and installed a huge new device in her hallway closet. Then he went to her computer, enabled the Wi-Fi (which I had explicitly disabled when I delivered the computer a few years ago), and told her everything was working. Hours after he left, she realized that he had taken the old router.

I came along the following week to deliver a new all-in-one printer. Almost as an aside, my client told me what the technician had done. I don’t know how many times I have to say this, but I will keep on repeating this forever: DO NOT LET ANYONE ELSE ACCESS YOUR COMPUTER! And if you do, let me know immediately.

I got over my anger and uninstalled the old printer’s software in preparation for the new one. I rebooted the computer, and… Darn it! The computer did not connect to the Wi-Fi. I tried every trick I knew, but the computer could not connect to the new Verizon router.

I called Verizon to complain and to get the new device set up as a wired connection. The CSR who handled this call told me that there were two fees associated with my request. The first was a $60 service charge to move the router; the second was a $99 dispatch fee to arrange the appointment with a technician to do the work.

Here’s what I told the CSR, “No! My client is not going to pay $160 to fix your mistakes. The first CSR should not have tried any form of upselling — that’s just despicable. (The new device will cost my client $15 a month forever.) The technician should not have placed the new router in the hall before asking what she wanted. And he should never have set her computer to use Wi-Fi.”

Mistake number three: All of them Verizon’s for sheer greed and stupidity.

“What would you do if this was your mother or your grandmother?” I asked the CSR. “Would you expect her to come up with $160 to fix a problem that wasn’t hers to begin with? In the spirit of the holiday season, let’s make this right.” Eventually, the CSR got a supervisor who listened to the story and agreed to waive the fees.

Another Verizon technician arrived a week later and listened to the story. He explained that the original CSR had also upgraded the old service to a new speed level and there was no way to go back. We discussed what options my client had — most were going to cost her significantly more money each month. He had a thought and followed it up. He told us that a network extender could use the old cables to connect to the network. He hooked one up, it worked spectacularly, and my client learned that because of a glitch in Verizon’s system, she wouldn’t have to pay $55 for the part. And I got to install her new all-in-one printer, albeit a week later.

Here are the lessons to be learned from this awful experience. If I don’t ask all the appropriate questions when a problem is reported, then that’s an item for improvement on my list of New Year’s resolutions. But if you are not technologically inclined (and that’s many of you), DO NOT take it upon yourself to go forward with computer-related changes without doubling back and checking with me. And I’ll offer my appreciation to the second Verizon technician who was willing to take the time to fix a problem others in his organization had caused.

Thanks, and safe computing!

Cyber Monday 2020 set a record for e-commerce spending in one day, totaling $10.8 billion. With the pandemic raging on, many customers took to online stores to do their holiday shopping. While New Jersey COVID-19 cases have declined in recent weeks and vaccinations continue, I expect many people will choose to conduct their shopping online and potentially start shopping earlier than usual, given concerns for supply chain issues and shipping delays. Some predict that online shopping spending will total over $200 billion for the first time by the end of the holiday season.

Given that volume of e-commerce shopping, cybercriminals will continue to target online shoppers and marketplaces for financial gain. Therefore, it is vital to maintain awareness of the many cyber threats posed by these individuals and groups. Threat actors may target victims through various methods, including compromised or spoofed websites, phishing emails, social media ads and messages, or unsecured Wi-Fi networks. I’m going to present a list of common attack vectors, along with some tips and best practices that will help you to combat cybercriminals’ threats during this holiday season.

Magecart and Other Online Skimming Attacks

Magecart attacks are a type of web-based data skimming operation used to capture customer payment card data from the checkout pages of online stores. These attacks are accomplished by gaining access to the targeted website (either directly or through a supply chain attack), injecting malicious JavaScript code into the checkout page to skim the desired data, and sending the information back to a threat actor-controlled server. Magecart attacks are conducted by many threat actors and are not specific to one group.

Once they steal payment card data, they can make fraudulent purchases or sell it on the dark web or other marketplaces. Cybercriminals are likely to continue to target online marketplaces this year. As such, I encourage you to use credit cards rather than debit cards because they often have better consumer fraud protections. Also, if you are especially concerned about fraudulent attempts on your card, you can consider enabling charge notifications for every card transaction. Enabling these notifications may make it easier for you to identify a fraudulent transaction as soon as it occurs. If you discover fraudulent activity on your account, lock the affected card, notify your bank immediately, and request a new payment card.
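The skimming technique described above relies on a script the site owner never intended to serve. As an added example (not code from the original newsletter or from any vendor it mentions), here is a small script-audit check a shop operator can run over their own checkout page: it lists every `<script>` tag, flags inline scripts, flags external scripts loaded from hosts outside an allowlist, and flags allowed scripts that lack a Subresource Integrity hash. The hostnames, the allowlist and the sample page are all constructed for the example and use the reserved `.example` domain.

```javascript
// Added example: audit the <script> tags on a checkout page against the
// site owner's allowlist. Magecart-style skimmers usually arrive as an
// injected inline script or as a script loaded from a host the site never
// meant to trust, so flagging both is a cheap first check.

// Hosts this (hypothetical) shop expects to load scripts from.
const ALLOWED_SCRIPT_HOSTS = new Set([
  "shop.example",        // the site itself (constructed name)
  "cdn.shop.example",    // its own CDN
  "js.payments.example", // its payment processor (constructed name)
]);

// Constructed sample of a checkout page: two expected scripts, one inline
// script and one third-party script that should never have been there.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="https://cdn.shop.example/app.js" integrity="sha384-AAAA"></script>
<script src="https://js.payments.example/checkout.js" integrity="sha384-BBBB"></script>
</head><body>
<form id="card"> ... </form>
<script>document.getElementById("card").addEventListener("submit", e => {});</script>
<script src="https://static.unknown-cdn.example/jquery.min.js"></script>
</body></html>`;

// Pull every <script ...>...</script> out of the HTML. A regex is enough for
// a page the defender controls and serves; use a real parser for arbitrary input.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    const integrityMatch = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(attrs);
    scripts.push({
      src: srcMatch ? srcMatch[1] : null,
      integrity: integrityMatch ? integrityMatch[1] : null,
      inline: m[2].trim(),
    });
  }
  return scripts;
}

// Return a list of findings; an empty list means the page matches expectations.
function auditCheckoutScripts(html, allowedHosts) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src === null) {
      // Inline scripts cannot be pinned by SRI and are a common injection point.
      findings.push({ kind: "inline-script", detail: s.inline.slice(0, 60) });
      continue;
    }
    let host;
    try {
      host = new URL(s.src, "https://shop.example/").host;
    } catch (e) {
      findings.push({ kind: "unparseable-src", detail: s.src });
      continue;
    }
    if (!allowedHosts.has(host)) {
      findings.push({ kind: "unexpected-host", detail: host });
    } else if (s.integrity === null) {
      // Allowed host but no Subresource Integrity hash: a compromised CDN
      // could swap the file without the browser noticing.
      findings.push({ kind: "missing-integrity", detail: s.src });
    }
  }
  return findings;
}

console.log(auditCheckoutScripts(SAMPLE_CHECKOUT_HTML, ALLOWED_SCRIPT_HOSTS));
```

Run against the sample page, the audit reports the inline handler on the card form and the script from `static.unknown-cdn.example`; the two pinned first-party scripts pass. The same allowlist can be expressed to the browser as a `Content-Security-Policy` `script-src` directive, which blocks rather than merely reports.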

Be Wary of Links and Attachments in Unsolicited Emails

Around the holidays, you will likely receive emails from known retailers regarding sales and coupons, order confirmations, and shipping notices. Cybercriminals can spoof these emails by copying retailer branding so that fraudulent messages appear legitimate; the messages may contain links or attachments that install malware or lead you to spoofed websites that steal your credentials. These emails may attempt to convey a sense of urgency — “Limited Time Offer!” — to prevent you from thoroughly inspecting the email for red flags. I urge you to avoid these schemes and go directly to retailer websites by typing the legitimate URL in your browser instead of clicking on links in emails. And please refrain from entering your login credentials on websites if you clicked on a link in an email that looks even slightly suspicious!

Take Caution with Social Media Ads

You are blasted with ads as you scroll social media platforms. While many of these ads link to known, legitimate vendor websites, you may also be confronted with ads that link to malicious or otherwise suspicious sites that could be used to install malware, steal credentials, or sell counterfeit goods. Cybercriminals frequently employ URL shortening to trick people on social media sites and other outlets by hiding the true destination of a link. I suggest you use a URL expander (e.g., https://urlexpander.net) to reveal the true destination of shortened URLs before you visit any website and verify it is a legitimate vendor before making any purchases.
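What a URL expander does is follow the redirect chain behind a shortened link without loading the destination page. The following is an added example (not code from the newsletter or from the urlexpander.net service) of that logic: it follows HTTP 3xx `Location` headers hop by hop, resolves relative redirects, stops on a loop or a hop limit, and then compares the final host with the vendor the ad claims to be. The `fetchHead` function is injected so the code runs offline against a constructed redirect table; in real use you would pass a function that issues an HTTP HEAD request and returns the status and `Location` header. All URLs are constructed and use the reserved `.example` domain.

```javascript
// Added example: follow a shortened link's redirect chain without loading any
// page content, the way a URL expander service does. `fetchHead` is injected
// so the same code runs offline against the constructed table below.

// Constructed redirect table standing in for the network.
const SAMPLE_REDIRECTS = {
  "https://sho.rt.example/deal": { status: 301, location: "https://trk.example/c?id=7" },
  "https://trk.example/c?id=7": { status: 302, location: "/final" }, // relative Location
  "https://trk.example/final": { status: 302, location: "https://shop.evil.example/login" },
  "https://shop.evil.example/login": { status: 200 },
  // A redirect loop, to show the loop detection doing its job.
  "https://loop.example/a": { status: 302, location: "https://loop.example/b" },
  "https://loop.example/b": { status: 302, location: "https://loop.example/a" },
};

// Stand-in for an HTTP HEAD request: returns { status, location? }.
function offlineFetchHead(url) {
  return SAMPLE_REDIRECTS[url] || { status: 404 };
}

// Returns { finalUrl, hops, stoppedBecause }, where stoppedBecause is
// "done" (non-redirect response), "loop" or "hop-limit".
function expandUrl(startUrl, fetchHead = offlineFetchHead, maxHops = 10) {
  const hops = [startUrl];
  const seen = new Set([startUrl]);
  let current = startUrl;
  for (let i = 0; i < maxHops; i++) {
    const resp = fetchHead(current);
    const isRedirect = resp.status >= 300 && resp.status < 400 && resp.location;
    if (!isRedirect) {
      return { finalUrl: current, hops, stoppedBecause: "done" };
    }
    // Location may be relative; resolve it against the current URL.
    const next = new URL(resp.location, current).toString();
    if (seen.has(next)) {
      return { finalUrl: next, hops, stoppedBecause: "loop" };
    }
    seen.add(next);
    hops.push(next);
    current = next;
  }
  return { finalUrl: current, hops, stoppedBecause: "hop-limit" };
}

// Does the expanded link actually land on the vendor the ad claims?
function landsOnExpectedVendor(startUrl, expectedHost, fetchHead = offlineFetchHead) {
  const { finalUrl } = expandUrl(startUrl, fetchHead);
  return new URL(finalUrl).host === expectedHost;
}

console.log(expandUrl("https://sho.rt.example/deal"));
```

For the sample chain the expander walks four hops and ends on `shop.evil.example`, not on the shop the ad pretended to advertise, which is exactly the mismatch worth checking before entering a password or card number.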

Look Out for Holiday-Themed eCards and Messages Meant to Install Malware

In the past, people have reported being targeted with various Thanksgiving Day-related scams. In some cases, spoofed emails were sent appearing to originate from legitimate organizations and contained the subject line “Thanksgiving eCard.” Last year, an Emotet banking trojan campaign was observed using Thanksgiving lures, with the subject lines “Happy Thanksgiving Day Greeting Message” and “Thanksgiving Day Card.” As malicious actors commonly leverage public interest and current events to conduct financial fraud and disseminate malware, I want to remind you to exercise caution with unsolicited emails, especially those with a holiday theme.

Do Your Online Shopping at Home

Avoid using public computers, such as those at a library or hotel, or public Wi-Fi connections to log in to your accounts or conduct online shopping. Miscreants could infect public computers with malware designed to steal your information, and hackers can intercept network traffic traveling over unencrypted Wi-Fi signals. If you must connect to public Wi-Fi, use a virtual private network (VPN) to secure information transmitted between your device and the internet. Additionally, I advise you to refrain from using your office (or work) computer to make online purchases as cyberthreats could endanger company and customer information.

Beware of ‘Secret Sister’ Gift Exchange Scam

Many people enjoy participating in group gift exchanges this time of year; however, beware of potential scams. Social media posts promoting a “Secret Sister” gift exchange promise between 6 and 36 gifts in exchange for sending one gift. While this type of chain letter appears innocent, it is illegal and considered a pyramid scheme. The scam, detailed by the Better Business Bureau, begins by requesting the name and address of the recipient and their friends. This holiday season, only participate in gift exchanges with individuals you know personally and refrain from sharing too much (or any) personal information online.

Verify Charities Before Donating

It is common around the holidays to donate to charities, particularly those that provide goods or services to those individuals and families in need. You may be prompted to donate via solicitations received through email or social media; however, these could be promoting fake charities or impersonating legitimate charities. Prior to donating, research the charity through a nonprofit site such as https://charitywatch.org or https://charitynavigator.org for information on charity legitimacy and other details, such as the percentage of donations that go directly to the associated cause.

Be cautious with your online activities, think before responding to emails, and call me if you have any questions.

Thanks, and safe computing!

Redmond, Washington-based Microsoft officially released Windows 11 on October 5, 2021. In a blog post, the lead project manager expects the successor to the nearly seven-year-old Windows 10 to be widely available by the middle of 2022. I’ll admit, the “geek” in me couldn’t resist the siren call of a shiny new object. So, I spent less than half an hour downloading the 5.1 gigabyte file and an equivalent amount of time creating a virtual machine environment (running under Hyper-V) on a test Windows Server.

The installation was speedy compared to previous versions of Windows, even though the source file was on a USB drive. The initial phase after installation, commonly referred to as the “out-of-box experience” (OOBE, pronounced “oo-bee”), was pleasant and easy. No muss and no fuss getting to the initial Windows 11 desktop.

Here is a brief overview of some of the new features in the latest iteration of the Windows operating system.

First and foremost is that the Windows Taskbar is now in the center of the screen. I’ll call this blatant mimicry (or outright stealing) of Apple’s Dock, found in all Mac devices since 2001. This change may not be creative, but it is certainly different. This is especially apparent because, for more than two dozen years, ever since Windows 95, Windows users have been accustomed to moving their cursor to the lower, left-hand corner to access the Start menu. Now it is in the “home” position – meaning the left-most spot – on the Taskbar. When you click it, the Start menu opens in an entire window in the center of your screen instead of sliding up an extensive menu. According to Microsoft, this sleeker, more straightforward screen gives you a better overview of the available features and programs to make it easier to accomplish your work (or play). Over time, the apps you use most frequently will take their place in the Recommended section.

New to Windows 11 is the confluence of several individual components that Microsoft thought would be useful to consumers. This feature is called Widgets, and it includes news headlines, weather, stock information, and sports. Each item displays current information based on your location. You can change the size of each widget and customize it by clicking the three-dot menu icon in the upper right corner. You can add more widgets based on your preferences to the display. The privacy implications of all the Widget telemetry exchanged between you and Microsoft are a discussion for another newsletter. Also, I don’t know the corporate equivalent of this feature, nor whether Group Policy can eliminate it.

Another change is what Microsoft is calling Snap Layouts and Snap Groups. In Windows 7, you could snap one window on each side of the screen by clicking on the window’s Title bar and rapidly moving it to the right or left. Windows 10 maintains this capability, and Microsoft expanded the concept with the Task View (described in the August 2019 edition). The purpose of this new functionality is to let you design how many open windows you want at one time, what they should contain, and where you want them to be positioned. For instance, you might wish to have an Excel spreadsheet open on the right-hand side of the screen, and your email client and an internet browser open, stacked one above the other, on the left-hand side. You can then save this layout to a named group and call it up when you want all three apps to open at once. Windows 11 gives you the ability to resume where you were working when you click on the link to the layout.

As you might have guessed, having all these apps open simultaneously (never mind saving their condition to restore them quickly) is going to require more memory than ever before. Most of you have been very comfortable working with 8 GB of RAM (memory). In some cases, I have given “power users” 16 GB of RAM. If you plan to use this feature extensively, I may have to double the amount of memory in your computer. Only time – and practical usage – will let me know if this will be a problem in search of a hardware solution.

The last element of this first peek at Windows 11 is Microsoft Teams integration. Teams is Microsoft’s equivalent of Zoom or WebEx. Working from home – or from anywhere, really – will continue to be part of our culture for the foreseeable future. Microsoft fully believes that a dispersed workforce is inevitable, so it placed this icon in a prominent position. After all, what could be easier than clicking on an icon to launch a discussion with co-workers or colleagues? I expect that as time goes by, probably with the first annual Feature Update, Microsoft will provide more integration with the corporate version of Microsoft 365 and Teams.

Over the next two years, I’ll be giving you more information about this new operating system. But, as I’m sure you realize, it is still Windows. Most of you use the operating system for probably opening a browser to get your mail and see what’s going on with your friends, family, and organizations on Facebook. All the bells and whistles don’t mean much to you – I get it. It’s just that Microsoft doesn’t feel the same way.

An inside look at Heliotropic Systems’ operations.

I spend a significant amount of time every month learning about new and improved technology and products from the vendors with which I partner. These vendors include familiar names such as Lenovo, SonicWall, Xerox, APC by Schneider Electric, SentinelOne, and Microsoft. Most of the solutions I obtain from these vendors are designed to help keep you secure while using your computers and network devices.

In the middle of September, I took a mere moment to look up an existing part number. I ended up spending more than 12 hours consuming a ton of new information to offer a more secure business solution. Let me explain.

I keep extensive lists of all hardware components for each of my small business clients. One of those components is a Network Management Card (NMC) found in higher-end APC UPS battery backup devices. NMCs manage, maintain, and report on the condition of the UPS device to which they are connected. I program NMCs to send email alerts when conditions differ from normal (e.g., electrical issues, or battery problems). I also use them to update the device’s firmware with security enhancements.

I was adding new equipment to one client’s Excel spreadsheet, and in doing so, pulled up the corresponding page in another client’s spreadsheet to copy over as a template. I noticed I had not filled in one attribute on the existing spreadsheet, so I logged into that client’s server, pulled up the component in a browser, and highlighted the attribute to copy it to the clipboard. As I did, I noticed that I had not rebooted the network device for more than one year.

That was very strange because I thought I had an Outlook reminder to update the firmware of these devices annually. It should have kicked off at the start of June. But after I looked through Outlook and confirmed the calendar entry, I reviewed my daily activity logbook and discovered I had not done the work. Several issues interrupted my day, and I lost track of the task. (Yes, I admit, that was very sloppy, and I’m pretty embarrassed about it.)


Imagine receiving an email, delivered to your business email address, offering a “Partnership Affiliate Offer.” Would you open it? Oh, come on, of course you would! Your curiosity invariably gets the better of you all the time. But when you read this email, you pause and then shudder. What the heck? Here’s the offer:

If you can install and launch our Demonware Ransomware in any computer, company main Windows Server, physically or remotely, (there’s) 40 percent for you, a million dollars for you in Bitcoin.

A researcher at Abnormal Security engaged with the bad actor behind this poorly written email offer for several days. The researcher documented how he tied the email back to a young man in Nigeria who acknowledged he was trying to save up money to help fund a new social network he was building.

Funny, right? Unfortunately, Business Email Compromise (BEC) or CEO Scams in which crooks, mainly based in Africa and Southeast Asia, spoof communications from executives at the target firm in a bid to initiate unauthorized international wire transfers are bigger business than the blitz of ransomware attacks that have made headlines recently.

The FBI’s Internet Crime Complaint Center (IC3) reports that BEC scams increased to more than $1.8 billion in 2020. These extortion attempts have proven to be highly profitable for cybercriminals.

And, of course, it is incredibly humorous that this latest cyber scam is authored by a Nigerian because the classic email scams began decades ago. Referred to as the “419 scam” (because of the area code), the “Nigerian prince” emails requested your assistance because of a will or lottery win. If you were willing to engage in helping the email author obtain the funds, you’d be rewarded with a percentage of the total amount.

What I found amazing while researching this article is that these 419 emails continue in only slightly modified formats to this very day. That someone has taken the initiative (albeit warped) to reboot this for the Bitcoin era is not surprising — but enterprising.

Bottom line: Be extremely careful of unsolicited email offers!

Kaseya had a bad July. The vendor, which sells solutions to Managed Services Providers (MSPs), learned over the July 4th holiday weekend that some servers running their software were taken over and distributing ransomware to the clients that were being managed. Kaseya has two offerings, on-premises (server-based) and cloud-based. Usually, MSPs who have the resources to run their own data centers employ server-based solutions. That means those clients are of high value to bad actors, which was precisely the case here.

As I wrote in an email shortly after the attack became public knowledge, Heliotropic Systems does not use any Kaseya products (server- or cloud-based). We use products from ConnectWise for monitoring your computers and remotely accessing them. These are both cloud-based offerings, and ConnectWise has been very transparent in letting partners know what flaws have been identified and when they are corrected.

No software is exempt from bugs. After all, people code the programs and do not necessarily consider everything when designing and developing those programs. Yes, there are Quality Assurance teams that are supposed to test the programs — but they are only as good as the instructions they receive in terms of what the test cases should be. And not all possibilities are (or can be) tested.

The news is now filled with stories that malicious actors are targeting more and more small businesses because they think the “work from home” population is getting lax with their security consciousness. There is a movement within my industry to implement what’s called the “Zero Trust Initiative.” (Note, Marvel fans, this is not another Avengers movie.) Zero Trust is not a product but a concept, and what it means is this: Every object in a network is identified, and every person with access to anything is identified. Then, rules are established to define what access level each person has to those objects — and when those rules are to be invoked.

Here is a simple example. Madeline and Roland are employees at Total Prepared Foods. She is an inside salesperson who is responsible for calling on existing clients. Her computer accesses the cloud-based Customer Relationship Management (CRM) system to perform her daily tasks. He is an accountant who works with the payroll system and handles the firm’s online banking.

In a Zero Trust environment, the hours that both employees work are known. The CRM software Madeline accesses has rules regarding what aspects of the program she’s allowed to see (e.g., client information but not payroll). Roland can access the payroll system but has no access to the CRM system. The network knows who logs in to which computer. It also knows which external Internet address is supposed to be used when she remotely connects from home. If someone — or something — tries to access her computer in hours when she is not authorized to use it, an alert is sent. More importantly, because Madeline’s computer requires two-factor authentication, a bad actor would not have access to the token on that device. Similarly, Roland does not have access to the payroll system except from his office computer, which is not authorized for remote access.
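The Madeline and Roland scenario can be written down as an access policy that a system evaluates on every request, which is the heart of the Zero Trust idea. The following is an added example (not code from the newsletter or from any product it names) of such a policy engine: each request says who is asking, for what, from which device and network address, at what time, and whether two-factor authentication succeeded; the engine defaults to deny, checks every factor in the rule, and marks any out-of-pattern attempt as something to alert on. The user names, device names, hours and IP addresses (taken from the documentation-only TEST-NET ranges) are all constructed for the example.

```javascript
// Added example: a toy Zero Trust policy engine for the Madeline/Roland
// scenario. Every request is evaluated against an explicit rule covering
// identity, resource, device, source address, working hours and MFA.
// All names, addresses and hours are constructed for the example.

const POLICIES = [
  {
    user: "madeline",
    resource: "crm",
    devices: ["madeline-laptop"],
    hours: [8, 18],                                // allowed 08:00 <= hour < 18:00
    sourceIps: ["203.0.113.10", "198.51.100.5"],   // office plus her home address
    requireMfa: true,
  },
  {
    user: "roland",
    resource: "payroll",
    devices: ["roland-desktop"],
    hours: [8, 18],
    sourceIps: ["203.0.113.10"],                   // office only: no remote access
    requireMfa: true,
  },
];

// Evaluate one request. Returns { allowed, reasons, alert }.
function evaluate(request, policies = POLICIES) {
  const policy = policies.find(
    (p) => p.user === request.user && p.resource === request.resource
  );
  // Default deny: nothing is reachable without an explicit rule.
  if (!policy) {
    return { allowed: false, reasons: ["no-policy"], alert: true };
  }
  const reasons = [];
  if (!policy.devices.includes(request.device)) reasons.push("unknown-device");
  if (!policy.sourceIps.includes(request.sourceIp)) reasons.push("unexpected-address");
  const hour = request.time.getHours();
  if (hour < policy.hours[0] || hour >= policy.hours[1]) reasons.push("outside-hours");
  if (policy.requireMfa && !request.mfaPassed) reasons.push("mfa-missing");
  // Any out-of-pattern attempt by a known user is worth an alert,
  // not just a silent refusal.
  return { allowed: reasons.length === 0, reasons, alert: reasons.length > 0 };
}

// Constructed sample requests covering the cases in the text.
function sampleRequests() {
  return {
    madelineFromHome: { user: "madeline", resource: "crm", device: "madeline-laptop",
      sourceIp: "198.51.100.5", time: new Date(2022, 0, 10, 10, 0), mfaPassed: true },
    madelineAtMidnight: { user: "madeline", resource: "crm", device: "madeline-laptop",
      sourceIp: "198.51.100.5", time: new Date(2022, 0, 10, 0, 30), mfaPassed: true },
    rolandRemote: { user: "roland", resource: "payroll", device: "roland-desktop",
      sourceIp: "192.0.2.77", time: new Date(2022, 0, 10, 14, 0), mfaPassed: true },
    rolandToCrm: { user: "roland", resource: "crm", device: "roland-desktop",
      sourceIp: "203.0.113.10", time: new Date(2022, 0, 10, 14, 0), mfaPassed: true },
    stolenPassword: { user: "madeline", resource: "crm", device: "unknown-pc",
      sourceIp: "192.0.2.200", time: new Date(2022, 0, 10, 10, 0), mfaPassed: false },
  };
}

for (const [name, req] of Object.entries(sampleRequests())) {
  console.log(name, evaluate(req));
}
```

Only Madeline's daytime request from her own laptop and known home address is allowed. Her midnight attempt, Roland's attempt from outside the office, Roland touching the CRM at all, and a login with Madeline's password from an unknown machine without the second factor are each refused and flagged, with the reasons listed so the alert says what was out of pattern.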

Previously, most believed that protecting a business had to occur from the outside in. Now, it is becoming evident that companies must be protected from the inside out. I am going to take two actions before the end of September to begin a journey toward zero trust. The first will be to ensure that no computer user at any client site has administrator privileges (meaning they can install programs). The second will be to add a new product to the SPF+ and SHADE subscriptions. This new product is a browser extension that should stop anyone from getting to a fake website if someone inadvertently clicks on a link in a phishing email. Combining a limited-user desktop with a program that thwarts potential problems will make you much safer.

I received a phone call from a client who said that her laptop was running exceedingly slowly — even more so than usual. So I remoted in to take a quick look. I found a new icon on the taskbar that looked like a fat, folded Sunday newspaper. By way of definition, the taskbar contains the Start button, icons for pinned and running applications, and a system tray area that contains notification icons and a clock.

When I hovered my mouse over the icon, the tooltip said it was the Windows 10 News and Interests news feed. Once clicked, it opens a pane that displays various widgets that contain current news, weather, stock prices, and more based on your location. The initial download of all this “stuff” caused my client’s perception of slow response on her laptop.

I searched Google and, after reading several articles, learned how to keep this icon from appearing. Therefore, I am writing this article to teach you how to do the same thing when it “miraculously” appears on your computer.

But first, let’s be clear about one thing. Not one of you went and asked the folks at Redmond to install this. You didn’t explicitly agree to get the news, weather, and more on your desktop. And you certainly shouldn’t need to try — on your own — to figure out just how the heck to get rid of this intrusion. I don’t know what they were thinking. (Can you tell I’m annoyed by this nonsense?)

Here are the steps you can take to get rid of this and regain control of your taskbar:

  1. Right-click on any blank section of your taskbar. This will open the taskbar menu.
  2. Left-click the News and interests banner. This will open a fly-away menu.
  3. On the fly-away, left-click Turn off. This should disable this “feature.”

Now, I’ve read reports that the icon just shows up again after the computer is restarted. If you experience that, please let me know.

While you’re at it, if you see an icon that resembles a wristwatch, right-click that and select Hide. I don’t believe anyone needs the Meet Now function, a Skype quick meeting setup feature. If you still use Skype, you are usually talking to one person. When you need to engage with more people for discussions, you are most likely using Zoom (or Microsoft Teams).

I received an email from a client requesting help regarding a form his bank sent him to fill out because his bank detected a fraudulent attempt to access his account. They explained that the IP address of the failed attempt, which used his actual username, was located in Miami, Florida. My client lives in a town in Nassau County on Long Island.

It took a while before my client realized he had been locked out of his account for safety’s sake because of the fraudulent attempt. I get that. In a “normal world,” you’d ask that the password for the account be reset, you’d provide a new password, and you’d be back to online banking. But not with this bank. Nope, they wanted more — much more! They asked my client to acknowledge having taken one of the following options:

The hard drive of each computer was wiped clean and the operating system, as well as any software the Client utilizes was reinstalled. Thereafter, a scan utilizing proven effective anti-malware/anti-virus software was run on each of Client’s computers and no virus or other malicious software was found. [or]

Each computer was replaced with a cleaned computer. A scan utilizing proven effective anti-malware/anti-virus software was run on each of Client’s replacement computers and no virus or other malicious software was found. [or]

Client will access [bank name redacted] from a different computer/device and a scan utilizing proven effective anti-malware/anti-virus software was run on the computer and no virus or other malicious software was found.

The paragraph appearing before these options contained jargon that implied the computer itself had been compromised, thus warranting these extreme measures. But here’s the thing: that wasn’t the case here, and there isn’t any way to accurately determine when – or even if – this computer was the reason someone attempted to access the account.

I’ve written for years that name, email, and password information is readily available to anyone who wants it for nefarious means. Vast troves of data are inexpensive and they can pay off significantly if used maliciously. Anyone can go to https://haveibeenpwned.com to see if their email address is out in the wild. I found this client’s email address was in six data breaches.

With billions (yes, with a “b”) of email addresses and passwords that can easily be cracked, miscreants then try to see if they can find other accounts that use the same credentials. Because, after all, most of us are creatures of habit (i.e., lazy) and don’t want to keep track of lots of different passwords.

After several discussions, I learned that my client used a specific construct for a username and password on different sites. It was an easy construct, something like joebob1823. While easily remembered, it is an awful security measure. On how many sites was this used as a username? I didn’t ask. On how many sites was this used as a password? Again, I don’t know. But if it was more than one, it was way too many.

Why? Because his email is associated with joebob1823, and joebob1823 is associated with a password for one of the compromised websites. Now, go to LinkedIn and see if this works to gain access to his account. Then go to Instagram, and Facebook, and all the social media sites. Next, try some common banks, like Citibank, Chase, or Wells Fargo. Then go after brokerage accounts, like Charles Schwab or Fidelity Investments. You see where this is heading. To a group of bad actors with nearly unlimited computing resources, this is child’s play. They set up scripts to run multiple iterations at various sites until they either gain access or the site stops them because of repeated violations.
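The flip side of this is what a bank or website operator can see in its own login logs when such a script runs: one source address failing against many different usernames, and one account being hammered from several addresses until a success arrives from yet another. The following is an added example, not code from the original article or from any bank's systems; the log lines and their “timestamp result user= ip=” format are constructed for illustration, and the thresholds are assumptions a real deployment would tune.

```python
"""Spot credential-stuffing patterns in authentication logs.

Two complementary signals a defender can alert on:
  * one source IP failing against many distinct usernames (a script working
    through a breached credential list), and
  * one account failing from several distinct IPs, especially when a success
    from yet another IP follows (a reused password finally matched).
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (not from any real system). The line format
# "<timestamp> <OK|FAIL> user=<name> ip=<address>" is an assumption.
SAMPLE_LOG = """\
2022-01-10T08:00:01 FAIL user=joebob1823 ip=203.0.113.7
2022-01-10T08:00:02 FAIL user=alice ip=203.0.113.7
2022-01-10T08:00:03 FAIL user=bob ip=203.0.113.7
2022-01-10T08:00:04 FAIL user=carol ip=203.0.113.7
2022-01-10T08:00:05 OK user=dave ip=203.0.113.7
2022-01-10T08:01:00 FAIL user=joebob1823 ip=198.51.100.9
2022-01-10T08:01:10 FAIL user=joebob1823 ip=198.51.100.10
2022-01-10T08:01:20 OK user=joebob1823 ip=192.0.2.44
2022-01-10T09:00:00 OK user=alice ip=192.0.2.45
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) ip=(\S+)$")


@dataclass(frozen=True)
class LoginEvent:
    ts: str
    ok: bool
    user: str
    ip: str


def parse_log(text: str) -> list[LoginEvent]:
    """Parse log lines; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, ip = m.groups()
            events.append(LoginEvent(ts, result == "OK", user, ip))
    return events


def spraying_sources(events: list[LoginEvent], min_users: int = 3) -> dict[str, set[str]]:
    """Source IPs whose failed attempts span at least min_users distinct accounts."""
    failed_users: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if not e.ok:
            failed_users[e.ip].add(e.user)
    return {ip: users for ip, users in failed_users.items() if len(users) >= min_users}


def targeted_accounts(events: list[LoginEvent], min_ips: int = 2) -> dict[str, dict]:
    """Accounts with failures from at least min_ips distinct IPs.

    Events are assumed to be in chronological order. The report also notes
    whether a later success came from an IP that never failed, the classic
    sign that a reused password was eventually guessed. Such accounts are the
    ones to lock, force a reset on, and enrol in 2FA.
    """
    failed_ips: dict[str, set[str]] = defaultdict(set)
    success_from_new_ip: dict[str, bool] = defaultdict(bool)
    for e in events:
        if not e.ok:
            failed_ips[e.user].add(e.ip)
        elif failed_ips[e.user] and e.ip not in failed_ips[e.user]:
            success_from_new_ip[e.user] = True
    return {
        user: {"failed_ips": sorted(ips), "success_after_failures": success_from_new_ip[user]}
        for user, ips in failed_ips.items()
        if len(ips) >= min_ips
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", spraying_sources(evs))
    print("targeted accounts:", targeted_accounts(evs))
```

In the constructed log, 203.0.113.7 fails against four different usernames and joebob1823 fails from three different addresses before a login from a fourth address succeeds; that second pattern is exactly the case where a password reset and 2FA, rather than a wiped hard drive, are the right response.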

What could help this client the most? That would be if his bank offered two-factor authentication (commonly referred to as 2FA). I explained it to him as follows:

You go to your bank’s website, supply your credentials, your username, and password, and click Enter or Next. Then, you must enter a code to continue. The bank can generate that code in several ways. For example, the bank will call the phone number associated with your account, and an automated voice recites the numbers, one at a time. Or you can get an email sent to the email address associated with your account. You can then copy and paste that number into the field. Or you can use an app on your phone, such as the Google Authenticator. This app generates a series of random numbers every 45 seconds. Enter that number into the field, and you gain access to your account. The primary reason this is a reasonably successful security measure is that this second form of confirmation is yours and yours alone.
Now there are known ways of spoofing every single one of those 2FA mechanisms. But they require more effort than most bad actors will use to hack an individual’s account. And using 2FA is much better than not having it. Surprisingly, my client’s bank does use 2FA, but it is not required. I am particularly livid about that when you consider what they want him to do to his computer because of the fraud attempt.

What else could help this client? The use of more sophisticated passwords. joebob1823 is not a rigorous or strong password. Using the University of Illinois at Chicago’s Password strength test (https://www.uic.edu/apps/strong-password/), it merits a complexity score of “Good” (although I disagree with that). There are many indicators on the results list that are red or yellow.

I suggested that he use a more complex formula to create a password, essentially using a phrase. For example, he has an adorable dog whose name is Lizzy. So, he could make a more complex password from the words, “Lizzy is a cute dog.” With minimal effort, this becomes Li##yI$@Cut3D06. Checking the complexity score, this received a “Very Strong” rating, and it only picks up some nits for repeating characters and numbers. But a simple dictionary attack is not going to discover this. And if it is used at only one website, then the likelihood of its being compromised is much lower.
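To make the checker’s verdict less of a black box, here is a small strength scorer that spells out the indicators such tools look at: which character classes are used, the brute-force search space that implies, runs of repeated characters, keyboard-style sequences, and dictionary words hiding inside the password. This is an added example, not the University of Illinois tool or any other product; the tiny word list, the point penalties and the rating thresholds are all constructed assumptions. It differs from the checker quoted above in one deliberate way: it penalizes dictionary words, so joebob1823 lands at “Weak” rather than “Good”.

```python
"""Score a password the way a strength checker does, with the checks spelled out."""
from __future__ import annotations

import math
import string

# Constructed stand-in for a real cracking wordlist; a real check would use
# millions of leaked passwords, names and dictionary words.
COMMON_WORDS = {"joe", "bob", "lizzy", "cute", "dog", "password",
                "welcome", "qwerty", "letmein"}

POOL_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}


def char_classes(pw: str) -> set[str]:
    """Which of lower/upper/digit/symbol the password actually uses."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("symbol")
    return classes


def entropy_bits(pw: str) -> float:
    """Naive brute-force entropy: log2(pool ** length) for the classes used."""
    pool = sum(POOL_SIZES[c] for c in char_classes(pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def longest_repeat_run(pw: str) -> int:
    """Length of the longest run of identical adjacent characters."""
    best = run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best if pw else 0


def has_sequence(pw: str, n: int = 3) -> bool:
    """True if n consecutive characters step by +1 or -1 (abc, 321, ...)."""
    for i in range(len(pw) - n + 1):
        diffs = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + n - 1)}
        if diffs in ({1}, {-1}):
            return True
    return False


def dictionary_hits(pw: str) -> list[str]:
    """Wordlist entries that appear inside the lowercased password."""
    low = pw.lower()
    return sorted(w for w in COMMON_WORDS if w in low)


def score(pw: str) -> dict:
    """Combine the indicators into an assumed bit budget and a rating."""
    bits = entropy_bits(pw)
    flags = []
    hits = dictionary_hits(pw)
    for w in hits:
        flags.append(f"contains dictionary word '{w}'")
    bits -= 10 * len(hits)  # assumed penalty: a word is one guess, not many characters
    if has_sequence(pw):
        flags.append("contains a character sequence")
        bits -= 5
    if longest_repeat_run(pw) >= 2:
        flags.append("repeated adjacent characters")  # the "nit" the checker noted
        bits -= 2
    if len(pw) < 12:
        flags.append("shorter than 12 characters")
    rating = ("Weak" if bits < 40 else "Good" if bits < 60
              else "Strong" if bits < 80 else "Very Strong")
    return {"bits": round(bits, 1), "flags": flags, "rating": rating}


if __name__ == "__main__":
    for candidate in ("joebob1823", "Li##yI$@Cut3D06"):
        print(candidate, score(candidate))
```

Run it and the two passwords from the story come out as the article describes: the phrase-derived one draws four character classes over fifteen characters and picks up only the repeated-character nit, while joebob1823 draws two classes over ten characters and contains two guessable words.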

Oh, and before you ask, yes, you can write these down if you are at home. Some of you may ask why I don’t recommend using a third-party product to keep track of passwords. That’s because I have yet to find one that has a sure-fire mechanism of preventing access to your account information if their database is breached.

Takeaway: Ask your financial institutions how to set up 2FA on your accounts, and start to use more sophisticated passwords everywhere.

Thanks, and safe computing!