Keeping safe online …

The threats – real and perceived

Luckily, there’s plenty of advice and guidance available – often slanted particularly towards our demographic (ie oldies) …

Those two sites are particularly easy to follow and understand, but others are equally informative and targeted.

Your bank probably has guidance which it publishes online and which is accessible to everyone, not just their customers …

I’ll return to further information, guidance and references at the end of the talk, but first we need to look at a few issues, discuss some widely used terminology and try to tease out what’s really important and what’s just an inconvenience; then it’s up to you to judge where you find yourself on the scale of …

Terrified -> Apprehensive -> Sensibly Aware -> Relaxed -> Unconcerned

First let’s distinguish the difference between online security and online privacy. These are two different issues which are however linked. Sometimes you have to relinquish some privacy to receive a service – unless you choose to pay for it (and I’ve long been an advocate of paying for services if they do a job that is necessary); exactly how much privacy are you prepared to relinquish?

Security on the other hand is an absolute – you should not be prepared to accept less than your very best efforts. We’ll deal with that in the third part of the talk.

How do you relinquish your privacy, and how much of a loss of privacy is acceptable?

Some services could not be offered without income from adverts, or paid-for advertising – eg Facebook, Twitter and Instagram; and some, eg Google and Amazon, track you and provide information to resellers if you don’t block them from doing so. As an example of how much value Google sees in knowing what you’re doing and where you’re doing it, they paid Apple $8bn recently to remain as the default search engine for any browser that’s running on an Apple device!

Incidentally, if you clicked on that link you’d have been asked whether you wanted to accept cookies – what exactly are they, and what do they do …

This article from Norton explains what they do quite well. Essentially, they record what you do on a website so that when you return some of the settings are remembered and applied. They do however also have a downside in that some can also act to track your activity once you’ve left the site. For that reason, you should disable in your browser the ability of third parties to glean information from a cookie, and also prevent them tracking your activity once you’ve left the site. You can, at any time, clear the cookies from your browser, and indeed on some internet browsers set them up to delete cookies when you leave the site (close the window). You might also have noticed that my browser – Firefox – alerted me to the fact that Norton was using a fingerprinting cookie itself …

… we’ll leave that for another day!

Another thing you might have observed when I opened the link in my Firefox browser was that the site requested that I enable adverts to be shown. That is because Firefox, like Brave and Microsoft Edge, by default switches adverts off. These are often annoying, and having a browser that blocks adverts – or, if you use Chrome, using an ad-blocker like AdBlock Plus – often makes for a more “pleasurable browsing experience” by limiting the intrusion you might feel upon your privacy.

Which brings us to browsers and search engines

Search engines are not created equal! Whilst Google is often thought to be the same as the internet, and is often mistaken by U3A members for an internet browser, it is in fact just one of a range of search engines that you can use to look for information on the internet. Google also produces a browser, Chrome, built on its open-source Chromium platform, through which it displays its search results to you. However, other browsers – Microsoft’s new Edge, Brave and Opera – all use the same underlying Chromium technology; the difference is that they don’t track what you’re doing “to present the content that most meets your needs” (Google’s philosophy), and in some cases (eg Brave) they can actually prevent tracking of your browsing history. For the reasons given above, I use Apple’s Safari, or either Brave or Firefox, as my internet browser.

So what safe and private search engine could you use as an alternative to Google? I use DuckDuckGo

… but others I could have used might have been Bing, Yahoo or another one included in this article or in the list of articles at the foot of the post …

Finally, no discussion of privacy can ignore social media, and Facebook in particular. These applications, if left to their own default settings, are effectively personal information mining engines. They grab what information they can from you and sell it on to whoever is willing to pay for it, or are indeed the platform for data mining, as in the Cambridge Analytica affair. Online retailers are not exempt from this, and Amazon for instance has a wonderful record of your browsing history and who knows what they do with it! So look at this table taken from the recent Which? publication – Staying Secure in a Digital World – and just check whether you need to change your settings, if you use any social media apps …

So that’s Privacy dealt with.


Should you be frightened?

The take away message I want you to have is Frightened – no; cautious – yes!

Online banking is very secure – a recent survey in Which? produced the following scores …

… plus you are protected, and most of the banks are increasingly opting to adopt an online and mobile guarantee to refund you where you’ve been the innocent victim of a fraud. Here for instance is Barclays’ “Online and Mobile Banking Guarantee.”

They really don’t want to shell out money, so are trying to educate us to be wise to scams. So let’s take a scam test

Banks are also often supplying software free (or at reduced cost) for you to install to protect your machine and protect you from fraud – and of course themselves from having to pay out! I was recently offered a piece of software called Malwarebytes by NatWest and, although I have an Apple Mac computer, which is well known to be relatively secure from viruses, spyware, trojans and other malware, I installed it. I was pleased to note that I didn’t have any malware on the machine. We’ll return to this later!

Surprisingly, you might think, it’s safer to use the mobile app on your phone or tablet to do online banking and retail purchases than a web browser. This is because the app on the mobile device has to be verified by Google for Android (Google Play Store) or Apple for iOS/iPadOS (App Store), whereas a browser could be infected or compromised with malware. That’s something I’ve learnt from preparing this talk!!!

What is more, with the advent of Two-factor Authentication (2FA), which makes use of a personal device associated with you (your phone, which you’ve protected with your fingerprint or facial image), it is even more secure.

When you’re out and about and NEED to do an online transaction from your mobile – use cellular rather than WiFi. The latter can be really open to “sniffers”. [I must admit I try to avoid doing online transactions when away from a domestic network.] Alternatively use a Virtual Private Network (VPN) to connect through the Public WiFi “Hotspot”.

So we come to phishing and pharming, vishing and smishing – I kid you not! We’ll leave aside spear phishing because we’re not important enough for that! [Please excuse me not going into details on any of these. You can follow the links for further information.]

However the most scary scam I’ve been made aware of is one that befell a member of my family when they were distracted sufficiently to become the victim of SIM swapping.

I have discussed this with you before and you can read the updated post on the public Thought grazing site.


Bruce Springsteen shouts out at his legendary concerts “Is there anyone alive out there?” I hope there are still many of you alive out there with me, because we now arrive at perhaps the most important part of the talk.

What should you do to protect yourself?

Some of these are really quite straightforward, some require some intervention by yourselves.

  • Keep your operating software up to date. This is particularly true if you’re a Windows user, and even more true if you are still running an older version of Windows than Windows 10. If you’re using Windows XP, Windows Vista or even Windows 7 you should seriously consider disconnecting your machine from the internet.
  • Install anti-malware, or anti-virus software if you’re a Windows user. Don’t pay more than you need to. Windows Defender from Microsoft is free and, for us relatively undemanding users, more than sufficient. Keep it up-to-date as well! [As I said previously, your bank might be offering free software as well.]
  • Keep the software you use regularly up to date as well. Consider removing any software from your machine you don’t use – this is because software vulnerabilities are discovered sometimes quite a while after the software was first released.
  • Be cautious over installing extensions into your browser. These are often extremely useful and valuable tools, eg password managers, Dropbox, note taking, Google Backup and Sync, but if you don’t get them from the official sources then you might be importing vulnerabilities, eg spyware and trojans, to your system.
  • Very seriously consider logging out from social media and other retail sites when you’ve finished using them, especially Facebook: you just don’t know what tracking and logging of what you do, and even where you are, takes place if you’re logged in on a mobile device.
  • Free software is both a boon and a curse. Only download open source software from a reputable site such as Softpedia, and never try and get proprietary software for free. Read this article about Free download sites if you want to know more.
  • Remember the golden rule 1 – if it seems too good to be true, it probably is, so steer clear!
  • Remember the golden rule 2 – don’t speak to strangers (an oldie but goldie one, that); in other words if you don’t know where an email has come from – ignore it; if the website address looks a little strange – do an internet search on the company or organisation to check if the address you’re looking at is a spoof of the proper one.
  • Have more than one email address. Use one as your personal address; other ones you can use to “throw away” when you need to register with a website but you’re unlikely ever to go back to it again. Or have an email address (UserID) specifically for online purchases. Splitting things like this reduces the risk of you being the victim of fraud.
  • Seriously consider using an email service that is NOT connected to your Internet Service Provider (ISP) – if you decide to change your ISP, and you should review them periodically, then you will have real problems if your email address is linked to their service!
  • You’ve got Spam filters running? Of course you have – but you better check! Probably your ISP, or email provider (eg Gmail, Yahoo, Microsoft Outlook or Hotmail) is filtering out what it thinks is spam, but occasionally some gets through. If that’s the case then you can always look at the real sender of your message.

You can also apply filters to divert incoming email into different folders in your email system. That reduces the amount of Junk that you need to review. [I’ve also advocated using the “native” email application for your device rather than rely on the web-based service the email provider has. Thus on a Windows device – use Windows Mail (or Outlook); on a Mac use Mail. You can then easily synchronise your email between devices from multiple email accounts. Tidy!]

So we come to Passwords …

… this is the point at which you need to consider intervention and changing your behaviour! You might also need to do a fair bit of work, but it’s worth it if you want to have a secure internet experience.

Let’s just see what using an insecure password can lay you open to. Frightening eh!?

The most common password I use has not been discovered on any pwned site. Phew!

What about the combination of your email address with your password: has that been “pwned” (ie stolen through a data breach)?

Oh no! I’ve been pwned … but it was a long time ago and I’ve changed my password many times since then!
Ah! That’s better – my “throwaway” email and passwords are “safe”!

And if you want to see a list of which websites have been breached, it’s alarmingly long!

So … use a unique password for everywhere you sign on. There are lots of tricks to achieve this, some of which I wrote about in a post quite a long time ago …

… but the real change of behaviour is to use a Password Manager – again I wrote about this a little while ago and linked it to using Two Factor Authentication, which I described earlier.

Password managers

I used to use LastPass and I believe there’s nothing wrong with it – despite the security scares last year, but other common ones are Dashlane and 1Password. Please make up your own minds after reading some Reviews and seriously consider using one. 

However the biggest change in online security, which started last year with Apple’s announcement of the launch of its implementation of FIDO, is Passkeys.

The Video and the Slides from the talk given to the Cardiff u3a General Meeting

Slides: https://thoughtgrazing.org/wp-content/uploads/2020/09/Keeping-safe-online.pdf

References

Which? webpages – Scams & older people

Which? Scam Alert Service – sign up for an email alert

Age UK webpages – Staying safe in your digital world and specifically How to stay safe online

Your bank, eg NatWest – mine has a Security Centre web presence and particularly they provide a number of Fraud Guides

I could give a million references to changing your privacy settings on Social Media, but here are a couple relating to Facebook, perhaps the most challenging service of the lot.

First – what Facebook, unchallenged, will want to get from you. You are able to disable (prevent) all or some of these … Sign up for Facebook – this is not a sign-up site, it’s just one to educate you on the privacy you might give up without realising; then How to change settings on Facebook and finally Securing Facebook: Keep your data safe with these privacy settings.

Scams

You might want to consider signing up for the Which? Scam Service, I have …

There are necessary steps we can all make to protect ourselves from fraud. But as they become more sophisticated, it can be difficult to know what’s genuine. We’re here to act as a source of trusted advice for those times when you’re just not sure.

From email scams and copycat websites to nuisance calls and tax rebate scams, our guides help you to spot a scam or get money back.

— Forum Responses —

Here’s a nasty one, which on the surface looks OK – just remember that if you’re using Facebook Messenger, you shouldn’t need to log in to Facebook again, and vice versa.

Passwords harvested by fraudster (from Which? Scam Watch)

Remember also my advice: if you do use Fb, or FB Messenger, please log out – I know it’s a pain, but there’s a distinct chance that if you don’t, Fb will record all your internet comings and goings and you’ll get loads of unsolicited emails, etc.

David Harrison May 29, 2020 6:26 pm

Identity Theft

This will probably be one of the most challenging posts I’ve ever attempted to write because in all truth, I don’t think we really still know what actually happened to my daughter’s online identity, let alone wholly knowing how it happened, but I’m going to try and explain the sequence of events as an alert to you all, and a reminder to us too!

Some background and a plausible explanation of why they got themselves into the situation they found themselves in.

They’d been self-employed for a short while now, working as a freelancer, and had just submitted their first tax returns in that capacity.

They were working from home, with two young children with one under six months old, and both very demanding of their time.

The family is living in another family member’s house whilst they “do up” their new house.

They’re adept at multi-tasking (obviously too adept as it turns out) and are (as many of their age are able to do) capable of nestling their phone between chin and shoulder whilst doing other tasks!

What happened next!

She had a phone call purporting to come from HMRC (we’re presuming this was just a fortuitous coincidence from the fraudster’s point of view – they had no way of knowing the employment status of the family member) saying that they had a refund owing. As explained above, she thought this was quite possibly the case as she had just completed a tax return – again an unhappy coincidence! She was told to click on a link in a text message to complete the process of getting the refund. She had her youngest child on her hip, was preparing a meal and was “distracted”. She filled in the required information from the link!!!!

Agh! No!

Shortly afterwards (the same day) she presented her credit card at a supermarket and payment was refused. She realised something was wrong. She found she didn’t have access to her online banking. She contacted the bank by phone. The bank “supposedly” froze the account there and then but it was apparent that at least two transfers of money had been made to someone who was a Payee in her account – why? That’s the clever bit of the scam, I’ll explain later!

More payments appeared to have been made … help!!!

How could this be? The account was frozen … wasn’t it?

Get the family involved!

Having a son who’s an IT expert comes in useful, especially if he lives on the other side of the world! He worked through the night (day) in securing as many of her accounts as he could. Changing passwords, which were admittedly rather weak and used more than once (should have listened to Dad) – but he had no idea just how much data had been downloaded, or indeed just how much they had to start with as a result of perhaps a previous “pwned” event.

Having another local son who’s also very practical and logical helps also. He suggested that she contact the payee and tell them about the payment and request it be refunded. What transpired next turns out to be the “clever” part of the scam, although on this occasion it wasn’t conducted very expertly because they attempted multiple payments to the same payee. The payee confirmed that they’d had this payment, wondered what it was and had been a bit puzzled as to why Mr X had contacted them and requested a refund to a bank account because “he’d made a mistake”.

This was obviously NOT the same account as that from which the payment had originated and turned out to be the way the scammers were hoping to transfer funds from the hi-jacked bank account to one of their own! Fortunately, my son’s suggestion alerted the payee and the payee advised their bank NOT to transfer the money.

Phew! How did this all happen when the bank account was supposed to be frozen?

The key to this scam was getting control of my daughter’s mobile phone number. She didn’t realise it immediately, but soon became aware that it had been “stolen” through a scam called SIM swapping. This is usually done by a seemingly distressed person going into a mobile phone shop and pleading for a new SIM with a phone number “because their phone has been stolen” and “it’s absolutely imperative they have their number back immediately as there’s something very important happening right now”. This is described here.

Why do they want to do this? Because they can transfer calls made to the rightful owner of the phone to their own phone.

Why do they want to do this? Because they can then request the bank account to be unfrozen, and also use their access to the phone number for any number of authorisation features.

And what is more they can lock you out of your phone accounts.

How did they do this in this case? Well GiffGaff is an online service provider and they have stated that they did everything they were supposed to do to authenticate the request for a SIM swap – but it is evident that there are serious weaknesses in their processes. They have stated they are looking at this for the future. Just Google “GiffGaff SIM swap Fraud” to see what is returned – it’s frightening!

So what happened next, and was there a happy ending?

Well, believe it or not, even with a personal visit to the bank and assurances that no more payments would be made, the bank did allow the account to be unfrozen and transfers out of her account were attempted. A second visit to the bank resulted in heartfelt apologies being made and offered over the way their fraud department had handled the problem and a complaint being raised by the branch against their own department on my daughter’s behalf – I don’t know the outcome of that!

Well, there was a happy financial outcome. Thanks to the prompt action and thinking of my local son, the initial transfer was halted. It’s not conclusive whether my daughter could have received compensation (as detailed here) as she was the instigator of the problem through her own mistake (the HMRC phone call). All other attempted transfers were eventually trapped by the bank and refunded to her – so no financial loss.

However …

Much more significant than the potential financial loss was what it did to her confidence. She insisted on getting a new phone, because she wouldn’t accept any advice from any family member (especially me) that there wasn’t anything on her phone that would continue to monitor her.

She also lost all confidence in using any online systems – which up until then she’d been very reliant upon.

She also lost a lot of confidence in herself as she realised just how gullible (but extremely unfortunate) she’d been … but the positive side of this, and the main reason for sharing this is that she’ll be much more careful in the future!

Postscript.

We don’t know whether the identity theft side of this will ever be resolved. We all know that a huge amount of information is held on us on the internet. We all know that some websites have had their security breached and identity information stolen. We don’t know what was held by others about my daughter. She had a public profile; they now have the potential to add even more information to their database about her if they had managed to download information from her email (and other) accounts before my son locked them down. We just don’t know.

There was a mysterious book that arrived at her house with a cryptic message in it.

There have been some scamming emails purporting to come from her since this event.

She now uses a different email account.

We just don’t know whether these are connected to the fraud event or are just strange random occurrences … and I suppose we never will know just how much additional information they may have downloaded – emails, photographs, documents, etc. etc. Very frightening.

NatWest Guide to Fraud
Some privacy tips for iPhone users.

Problems with Two-factor authentication on a Mac during a recent upgrade

John raised the problem he’d had with implementing Two-factor authentication on his Mac during a recent upgrade (to High Sierra, I think). Now Two-factor authentication is generally a good thing when you’re talking about access to cloud based services, eg OneDrive, email, Google Drive, iCloud – but it seems a bit OTT when you’re talking about an operating system, as protection to prevent access to services running on the hardware. But Apple doesn’t make this clear.

When I was doing my High Sierra and iOS upgrades the other day I was asked whether I wanted to implement Two-factor authentication, but was also advised that some of my devices wouldn’t support it and I would lose access to services if I chose to implement it. That was enough to warn me off, so I didn’t. John was not scared off – possibly because he didn’t get the warning that I got – and has had to make a trip to the Apple Store to try and get it sorted.

Two-factor authentication is a “good idea”, don’t get me wrong, but Apple’s implementation is a bit clunky, it would appear.

https://www.macworld.com/article/3130566/security/the-apple-two-step-my-disastrous-attempt-to-use-apple-s-two-factor-authentication.html

Protecting a USB stick

The subject of protecting a USB stick came up – I’d forgotten to provide the solution! As I suggested, in an earlier post, the answer is to create a Folder on the USB stick and protect the folder, not the stick.

Two articles here I think provide the solution. The first one proposes encrypting the contents and is probably the easiest; you must remember the encryption key though!!

A number of other alternatives are also provided in the second article …

http://www.makeuseof.com/tag/password-protect-folder-windows/

… as for me, I’d prefer to put stuff I’m worried about on a USB disk (not a stick) and use the security software provided by the drive manufacturer, eg Western Digital.

http://www.tomshardware.co.uk/faq/id-3114794/password-protect-folder-windows.html

Spams and scams

In the meeting yesterday the quite common topic of spams and scams came up, as did the enquiry “Can I find out whether one of my online accounts could have been compromised?” – these are the ones for which you should consider changing your password, if you haven’t already.

Martin Lewis’ website – Money Saving Expert – provides a comprehensive guide to all things scam, and includes a link to the “Have I Been Pwned” website, which tells you from your email (account) address whether any of the websites you subscribe to have been hacked. Try it … hopefully you’ll get a null result!! If you don’t, don’t panic. Look at the date of the compromise. It could be that you’ve already changed the password.

https://haveibeenpwned.com/
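The password check referred to in the Passwords section above (“has not been discovered on any pwned site”) and the Have I Been Pwned link here both rest on the same mechanism: the Pwned Passwords service lets you ask whether a password has appeared in a breach without ever sending it the password. This added example (not code from the talk or from Have I Been Pwned) shows how that k-anonymity range lookup works; the sample response body is constructed for this example, and the live `fetch_range` function needs network access.

```python
"""Password check against Have I Been Pwned's Pwned Passwords range API.

The k-anonymity scheme: hash the password with SHA-1, send only the first
5 hex characters of the hash to the service, receive every known hash
suffix with that prefix, and compare the remaining 35 characters locally.
The password itself, and its full hash, never leave this machine.
"""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what the service returns for the prefix "5BAA6":
# one line per known hash suffix, "SUFFIX:COUNT". The first line is the
# real SHA-1 suffix of the word "password"; the other two are made up for
# this example (a COUNT of 0 is how the service pads its responses).
SAMPLE_RANGE_BODY = "\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "0123456789ABCDEF0123456789ABCDEF012:7",
    "F" * 35 + ":0",
]) + "\n"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; skip malformed lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35:
            continue
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue
    return counts


def pwned_count(password: str, range_body: str) -> int:
    """How many times the password appears in breach data (0 = not found).

    range_body must be the response for this password's own 5-char prefix;
    a padding entry with count 0 is treated as not found."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch the live range for a 5-char prefix (needs network access)."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 upper-case hex characters")
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-password-check-example",
                 "Add-Padding": "true"},  # ask the service to pad the response
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """End-to-end check: only the 5-char prefix is sent over the network."""
    prefix, _ = sha1_prefix_suffix(password)
    return pwned_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration: "password" hashes to prefix 5BAA6, which is
    # what the constructed sample body represents.
    print("password ->", pwned_count("password", SAMPLE_RANGE_BODY))
```

A count above zero means the password has been seen in breach data and should be changed everywhere it is used; the "Add-Padding" header makes the response size uninformative to anyone watching the connection.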

The second article is from Which? Always a good resource to check, even its “free” pages …

http://www.which.co.uk/consumer-rights/l/internet-scams?gclid=Cj0KCQjwvabPBRD5ARIsAIwFXBkjRe6ivtypKkT59hf_S5LAGat1qxrZgu8YVaxOVVExq_WFZtDErwQaAnnEEALw_wcB

Finally, Martin Lewis mentions the use of a Password Manager to remember your passwords and even to generate secure passwords – I don’t use that facility with LastPass, the password manager I use, preferring instead the “template” approach I described a couple of weeks back.

https://www.moneysavingexpert.com/shopping/stop-scams