Robin Hood 2018: Thank Your Local IT Geek

We interrupt our regularly-scheduled posts to bring you a public service message on security.

A wise person once told me to always befriend your company's admins. They basically run the place and suffer under the yoke of having lots of accountability but little authority. Another person at your company you should get to know is your IT person. Because they have useful knowledge that can help keep you safe at home and at work.

Note, I'm not currently wearing a hoodie

Disclaimer: I'm not a security expert, nor do I play one on TV. You may disagree with some of these points; however, the advice was given to me by people who should know, including my workplace, my bank, etc. Here's a short to-do list for those of you who don't have as much exposure to or tolerance for IT security:

  • Call your cell phone carrier TODAY and restrict number port access with some kind of long, hard-to-crack passcode. There's an exciting new scam going on where someone steals your phone number by porting it to a different carrier. They then use your number and other information they have nefariously found out about you to reset your passwords and steal your money. You know how if you forget your password, places will offer to send you a text to reset it? Yeah, like that. This happened to me on Wednesday, though they didn't have a chance to steal any money because I reacted fast. But it was an epic, epic pain in the ass nonetheless. You need to do this because you also need to...
  • Turn on dual factor authentication for everything you can. This is that thing where it will text you a code to type in in addition to your password. Give me access to your email and I can figure out where you have accounts, reset all your passwords, and steal all your cash. Your email is probably the most valuable thing you have. Gmail is one place that does this and I recommend that you point all your password resets to this account and then turn on dual factor authentication using the phone app. 
  • Speaking of phones, make sure yours is encrypted. This is where the information on the phone is munged up until you put in a passcode, so if someone got your phone and pulled the chip they still wouldn't get anything. I'm skittish of biometrics, though the jury is out. If you regularly go to protests you should turn off iris scan or facial recognition, because cops don't need a warrant to use them to open your phone (or leave your phone at home / take a burner -- talk to the experts who are probably coordinating the protest). I'm more paranoid about things like iris scanning because if someone stole your digital iris (not your eye, mind you, but the picture of your eye the computer uses for comparison) they could get into your stuff, and unlike a password you CAN'T CHANGE YOUR EYE.
  • Monitor your credit cards for small, innocuous-looking charges (like $.99 to iTunes). Scammers run this kind of tiny charge to test whether the card numbers they've stolen are still live. If the small charge goes through, many larger ones will follow. If you see a charge like that, call your bank immediately and put a lock on your card. This happened to me some years back, which is why I know about it. But it might be passé, since recently they don't even bother with the small charge anymore: they copy your card data onto a fake card and buy stuff in person. This happened to me last year. Someone walked into a Walmart in Arizona and bought a bunch of stuff with a copy of the physical card I had in my wallet at the time. You need to be checking your accounts every couple of days, and as soon as you see a weird charge, call your bank's fraud line. This happened to our family THREE TIMES in the past 18 months.
  • For credit cards you don't use (like emergency cards), have them text or email you when a charge is made. That way you don't have to remember to keep an eye on the account. Some cards even allow you to turn them off when you don't need them, so they won't actually work. Remember, someone doesn't have to have your physical card to use the card data to steal all your shit.
  • Turn off overdraft protection. Based on a recommendation from my bank, our family currently has two household checking accounts. One account is used for paying all the household bills every month. These are auto-drafted out of the account and paychecks are auto-deposited into the account. These transactions are slightly more secure than day-to-day spending. Day-to-day spending comes out of a separate checking account that gets a certain amount of money every other week and no more. Neither account has overdraft protection. Why? Because if someone gets your card number they can quickly clean out your account, and it can take weeks to sort it out. Imagine how much worse that would be if they also cleaned out your savings account through overdraft protection.
  • Change all your passwords. It's probably long overdue. And note that really long passwords made up of tons of words strung together like "HorsesAreSomeOfMyClosestFriends4Ever!" are currently considered more secure than short l33t speak ones (NE1410S?). I have a password I use for stuff where no money is involved and there's a low risk to account theft -- like my Ravelry password (a knitting site, don't judge me). I have a password I use for stuff where money is involved that's much longer and newer. I have a password I use for critical accounts (bank, email access, etc.) that's redonculous and a huge pain in the ass. They all recently got changed after the phone number issue so fuck you scammers. 
  • Consider locking down your credit reports. This is where no one can attempt to do anything that requires pulling credit (like get a new credit card using your information) without you unlocking it first. This is an epic pain in the ass as there are three credit reporting agencies and they are all different and, frankly, all suck. Should I be elected potentate, I would immediately outlaw them.
One of my wise readers sent me the following and was kind enough to give me permission to include it here:

Regarding passwords, they should all be different, and add spaces and special characters (Shift + Number keys) in there as well. As an example, "HorsesAreSomeOfMyClosestFriends4Ever!" might change to “Hor#sEs ar* sOme $f my Cl&sEt Friends 4(ever!” Put spaces in at different intervals (i.e., don’t do 4 characters, space, 4 characters, space, etc. – mix it up). I know that banks and some security people tell you that you shouldn’t write your passwords down. I’ve read more arguments to the opposite and I’m very pro-writing down because it allows your passwords to be bigger and more complex (i.e., more German-like!). Also, the only way that you can have a different password for each login is to write it down (unless you’re a total memory geek – which I’m not!). I’m also NOT a fan of those on-the-computer password keepers. Only 1 password would have to be deciphered to get the keys to the kingdom!

Secondly, and this is my own kinda thing, you know how you can set up those security questions where they ask you personal information like your pet’s name, your father’s oldest sibling’s name, etc.? Select as many of those as you can and fake it! Make up a fake life. Make up names that have no connection to your past. Hackers can dig up your life on the web and the dark web, but they can’t dig up a fake life that didn’t exist! If your dog’s name is Fido, then call him Peter on the question! Obviously this would also have to be written down so you don’t forget! Whatever you do, write it on paper, not on the computer.

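The "long words beat short l33t speak" claim from the list above, and the reader's spaced-out variant, can be put in numbers. This is an added example, not the post's or the reader's own calculation: it estimates the guessing space of the three passwords quoted on this page two ways, an optimistic per-character count and a pessimistic one that assumes the attacker knows the passphrase is built from dictionary words (assumed 10,000-word list) plus digits and symbols, and converts both to time at an assumed 10 billion guesses per second.

```python
import math
import re
import string

# Constructed inputs: the two passwords the post compares and the reader's variant.
LONG_PW = "HorsesAreSomeOfMyClosestFriends4Ever!"
SHORT_PW = "NE1410S?"
READER_PW = "Hor#sEs ar* sOme $f my Cl&sEt Friends 4(ever!"

# Character classes a per-character brute-force guesser has to cover.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation, " "]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_entropy_bits(pw: str) -> float:
    """Optimistic estimate: (pool of character classes actually used) ** length."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(pool)


def passphrase_entropy_bits(pw: str, dict_size: int = 10_000) -> float:
    """Pessimistic estimate for word-built passwords (assumed attacker model):
    the attacker knows the pattern, so each CamelCase word is one pick from a
    dict_size word list, each digit is one of 10, each symbol one of the
    punctuation set. Casing and word boundaries are given away for free."""
    bits = 0.0
    for tok in re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])|[0-9]+|[^A-Za-z0-9 ]", pw):
        if tok.isalpha():
            bits += math.log2(dict_size)
        elif tok.isdigit():
            bits += len(tok) * math.log2(10)
        else:
            bits += math.log2(len(string.punctuation))
    return bits


def years_to_crack(bits: float, guesses_per_sec: float = 1e10) -> float:
    """Worst case for the attacker: the whole space at the assumed guess rate."""
    return (2.0 ** bits) / guesses_per_sec / SECONDS_PER_YEAR


if __name__ == "__main__":
    for label, pw in (("short l33t", SHORT_PW), ("long words", LONG_PW), ("reader's", READER_PW)):
        cs = charset_entropy_bits(pw)
        print(f"{label:11s} per-char {cs:6.1f} bits (~{years_to_crack(cs):.3g} years)")
    pp = passphrase_entropy_bits(LONG_PW)
    print(f"long words, attacker knows it's dictionary words: {pp:.1f} bits (~{years_to_crack(pp):.3g} years)")
```

Even under the stricter word-aware model the long passphrase stays at roughly 115 bits against about 49 for the short one, and the reader's spaced, symbol-sprinkled version is higher still because a guesser can no longer lean on a word list at all.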
So, that's all boring and tedious and a huge pain in the ass. But you should probably do it anyway.
