Security Alert! Security Alert!

Five million gmail account usernames and passwords leaked by Russian hackers!
Facebook Poker lottery scam!
iThemes membership database compromised!

If you are online at all (have an email address? visit websites? have a smartphone?) you are vulnerable to hacking, scams, and identity theft. I see more than my share of the results of lax security. I feel as though I take adequate precautions and security measures, and yet all three of the above headlines directly impacted my workflow in the past week.

My gmail address was one of the 5 million that was leaked, lucky me! I was informed by LifeLock of the address/password combination that had been leaked, and fortunately, it was an old password. I had changed it recently, and I changed my gmail password again. However, since I use the gmail address as my “username” or login name on several accounts, that old username/password combination was still in use, and I spent a considerable amount of time changing a lot of passwords!

LastPass, a password generator and keeper, has been invaluable in the process. Not only does it keep all your passwords, it can tell you which sites use the same username/password combination, and gives you a security “score” with ways to fix a low score and increase your level of security. It will generate secure passwords, and enter them automatically for you, if you choose to have it do so. There is an add-on for mobile devices (an astoundingly reasonable $12 a year). LastPass definitely made a tedious task a bit less time consuming, a lot more secure, and will continue to provide peace of mind going forward.

Facebook, ah, Facebook! The scam I was exposed to has been around for awhile, but it was my first brush with it. I received a “friend” request from a gal that I thought was already a friend. I accepted the request, thinking she had cleaned her friend list, or somehow redone her account – the request has her picture, her name… a little bit later I got a chat notification, I replied, but the conversation seemed … off. It didn’t sound like my friend. It was a CLASSIC example of the Poker Lottery scam. I texted her on her phone, and she was NOT chatting with me on Facebook. I closed the Facebook chat, and saw I had TWO friends with the same name. I “unfriended” the fake (the profile was nearly empty, unlike the “real” friend) and advised her to report the duplicate.

iThemes is a suite of software tools I use as I develop websites. There are a host of plugins that add functionality, backup options, cloud storage, and a security suite. I use those tools extensively, I pay a good sum of money each year to iThemes to maintain my software licenses to their products, and learning that their database, usernames, and password storage had been compromised was unsettling to say the least. Yes, they took immediate steps to rectify the problem, and reset all our passwords, and required us to change them all again, but it’s unsettling all the same.

As I said in the first sentence, I feel as though I, personally, am doing what I can to protect my online “stuff” – I use LastPass to generate secure, strong, unique passwords. I am eliminating the use of the same username/password combination for multiple sites. Many sites use an email address as the username, and it’s tempting to use the same password that you associate with that email address; I’ve done it. It’s not good practice!! Even with all the steps I am taking, I can’t control what happens to my information that is in the hands of other companies.

I didn’t intend for this to end on such a negative note, but it is what it is. Have a wonderful week!

What is it and why do I need it?

Two-step verification adds an extra layer of security to your Google Account, so if you do not use Google for email, a calendar, web developer tools, analytics, or any of the other services Google offers, then you don’t need 2-step verification.

On the other hand, it’s likely that you DO use one or more of Google’s services, and have one or more Google accounts. Here’s how it works – in addition to your username and password, you’ll be asked to enter a code that Google will send you via text or voice message to a phone number YOU specify. You have the option to make the device (laptop, phone, etc) that you are using to access your account a “trusted” device or location. When you log in from the same location or device you will not have to provide the additional code each time.

If you, or someone else, tries to access your Google account from anywhere else, it will ask for the authorization code. Unless someone also has your phone, and is savvy enough to realize what the 2-step authorization is, your account will be secure from someone randomly guessing your password.

To set up 2-step verification, read and follow the links in this article: How Two-Step Verification Works

If you still think you don’t need the additional security, read how one person was hacked, and how 2-step would have prevented most of the damage: My Epic Hacking. Then think of how much of your online presence is linked to your gmail address or Google account. It’s worth a little extra time and inconvenience now to avoid, potentially, much more inconvenience and harm in the future.

And a good time to review a few ways to remain safe online…both personally and in your online business presence. (I posted this last year, and the information is still good! So I am re-posting again this year!)

Here are a few websites full of good information and some tools that will aid in keeping you and your website safe:

• National Cyber Security Alliance – http://staysafeonline.org
• Anti-Phishing Working Group – http://apwg.org
• Tips from the United States Computer Emergency readiness Team – http://us-cert.gov/cas/tips

Email scams and “phishing” are ways that unscrupulous people can get your personal information without you suspecting that is what is happening.  Being aware of their methods is the first step in protecting yourself so that you are not taken in by their schemes.

Be suspicious of any e-mail, text message, or phone call with urgent requests for personal financial information.  Don’t use links in an e-mail, instant message, or chat to get to any Web page if you suspect the message might not be authentic or you don’t know the sender. Call the company, or log on to the website directly by typing the address in your browser.

Avoid filling out forms in e-mail messages that ask for personal financial information.  Communicate information such as credit card numbers or account information only via a secure website or a known telephone number.   Enter the address of any banking, shopping, auction, or financial transaction website yourself, and do not depend on links. Phishers can forge the yellow lock icon you see near the bottom of your screen on a secure site. When doubleclicked, the lock should display the security certificate for the site. If you get a warning that the address of the site does not match the certificate, do not continue.

Look at the address/status line. Scam sites may show “https://” and/or the security lock icon.   A variation of the URL, i.e., bankname-verify.com, usually denotes a scam site.

Regularly log into your online accounts. This will not only keep you familiar with what they look like and the security procedures they have in place, it will also make it much easier to spot a fraudulent or spoofed site.  Check bank, credit card and debit card statements for suspicious transactions. Ensure that your browser is up-to-date and security patches are applied.

Forward phishing or “spoof” e-mails to:

• reportphishing@antiphishing.org
• The Federal Trade Commission, at spam@uce.gov
• The “abuse” e-mail address at the company that is being spoofed

Be safe!

Tweet