NCSAM – National Cyber Security Awareness Month – Secure IT

Following on from , this week as part of Cyber Security Awareness Month, we look at the next theme:


Secure IT


The main themes for this post will be:

  1. Passwords (yes I hear you groan)
  2. What is MFA?
  3. Looking out for scams

Passwords

It doesn’t matter if you are an IT guru, the President of a country, a worker in a factory or a kid with their first device. It is fair to say that one thing you could probably do better at is passwords.

Yep, I agree with you, they are the bane of everyone’s lives. You’re right. BUT … they are a necessity, at the moment at least, as there’s nothing widely in use to replace them. So love ’em, hate ’em or really loathe ’em, they are here to stay.

An Analogy

Let me explain passwords with an analogy. Locking your car door, locking your house: it is just something you do. You have a (hopefully) unique key to the lock and it secures your property while you are not there.

Passwords should work the same way. Your password should be unique whether you are unlocking your ‘house’ or your ‘car’, and that password needs to be a good enough key that no-one can just flip the lock open easily.

Keys

I know, I know, you go through hundreds of doors and only have a few keys … I get it. That’s where the analogy breaks down, unfortunately: it would mean that for every door you go through, you’d need to unlock it with its own special key (actually that sounds quite cool in some ways!).

So let’s make your life easy. Let’s think instead about having a personal chauffeur. You don’t need a key to the car, they open the door for you. Your butler opens your house door and your personal shopper opens the door to the shops you visit. All these people are available at the dial of a phone. What if passwords could work like that…

What if… You went to a website and something did the password bit for you. You don’t need to see the keys (the passwords) you just turn up and it becomes somebody-else’s problem. That key (password) could be some epic monster complicated key but it doesn’t matter … you turn up and your ‘butler’ does it for you.

It Exists !

Well, this technology does exist. Moreover … some of the apps that do this are even free! They are called Password Managers. I have 819 passwords in mine; the only one I need to remember is the one to get into it.

So how does this practically work … what happens when you use one?

I go to Facebook.com. Facebook asks me to log in (like it usually does) and a pop-up appears asking whether I want it to fill in my username and password for Facebook. I click it once and it does it for me.

Making Passwords Fun

So now I play a game … what is the maximum number of characters that a website will accept? And so a lot of my passwords are now 50+ characters long. It doesn’t change anything for me as the end user, I just click a button and it does it for me.
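To show why a 50-character password costs you nothing but costs an attacker everything, here is an added example (not code from the original post, and not how any particular password manager is implemented) of the two things a manager’s generator does for you: draw the characters from the operating system’s secure random source, and size the password to whatever the site allows. The entropy figure is simply length × log2(alphabet size); the guess rate of ten billion per second is an assumed round number for an offline cracking rig, not a measurement.

```python
import math
import secrets
import string

# Alphabet a typical generator offers: upper, lower, digits and symbols (94 characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random password of exactly `length` characters.

    `secrets` reads the OS CSPRNG; the `random` module is NOT suitable for this.
    `length` is whatever maximum the website will accept, e.g. 50.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_brute_force(bits: float, guesses_per_second: float) -> float:
    """Expected years to hit the password at a constant guess rate.

    On average the attacker searches half the keyspace, hence 2**(bits - 1).
    """
    seconds = (2 ** (bits - 1)) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # assumed: 10 billion guesses/second against a fast, unsalted hash
    for n in (8, 16, 50):
        pw = generate_password(n)
        bits = entropy_bits(n, len(ALPHABET))
        print(f"{n:3d} chars: {pw}")
        print(f"          ~{bits:.0f} bits, ~{years_to_brute_force(bits, rate):.3g} years to brute force")
```

The point of the run is the last line for each length: eight random characters fall in well under a year at that rate, while fifty is far beyond anything computable, and the manager types them both with the same single click.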

It works on my laptop, Android tablet and phones and syncs between them all. I also changed it to use my fingerprint to log into the app now!

All sounds simple … so why doesn’t everyone use a Password Manager? Well, they are relatively new so not many people have got round to using them yet. It is a growing number though.

I even have my master password shared (securely) with my wife so that if something happens to me (ill/incapacitated/death), she can still get access to all my services (e.g. Utility companies). Call it a kind of digital will.

So this month … have a look at Password Managers for your home, get the family involved with the decisions. If you want a starting point, have a look at:

  • LastPass
  • 1Password

What is MFA?

It stands for Multi-Factor Authentication. Yeah, I know it’s IT jargon meant to sound confusing … let me break it down for you.

An Analogy

Let’s say you’re in a bar to meet a friend. They have a twin, and they often play pranks on you by sending the twin instead of themselves.

How can you tell whether the person in front of you is your friend or the twin?

Something you know:

We can challenge them with something that only one of them knows:

“Where did we go for Steve’s wedding”

Now, if one of the twins was not there, they might not know that information. Equally, they may know it, in which case one line of defence is down.

Something you have:

Next we can ask them for something they have:

“Can I just see your phone.”

You could check that the phone they hand you is the one belonging to the person you expected to meet. Again, a good line of defence, but not infallible … that’s 2 lines of defence.

Something you are:

This is normally a biological trait: fingerprint, iris scan, face, etc. It may be that the twins are not totally identical, a tell-tale mole, a scar, a tattoo.

So how does this work with websites? The same three factors apply:

  1. A password (something you know)
  2. A fingerprint or face unlock (something you are)
  3. Your phone, either receiving a one-time passcode (OTP, some banks text these) or generating one in an authenticator app (something you have)

Any two of these together is “multi-factor”; a second password is not, because it is the same kind of thing as the first.

A malicious person is really going to have to do some over-the-top work to gain access to the website now!


This protection works best when you want to stop someone logging into a website from a new device. You know the devices you are logged in on, your phone and your laptop for example. Then someone else tries to log in from their device. They won’t be able to, as they don’t have your phone to receive the OTP, or your fingerprint.

Clever? Plus, if you receive an OTP you didn’t ask for, then you know someone has your password for that service, so you know which one to change! One caveat: the code is only ever typed into the site or app that sent it. Never read it out to anyone who phones or messages you asking for it, because a scammer who already has your password needs exactly that code to finish logging in.

Enable MFA where you can, it will really help with stopping people gaining access to your websites and services.

Looking out for Scams

It used to be easy to spot scammers. They were unconvincing at best; generally they were offering you some amazing deal at next to no cost. But as with other criminal activity, the criminals learned too, and now scams are getting more sophisticated and the callers seem to know more about you, which makes them sound more convincing.

In this section, I’m going to deal with those phone calls you get … specifically, the Talk Talk ones. I’ve done my best to pick out my notes from this call and remember it as accurately as possible. The numbers are right, but allow me some artistic licence on the conversation!

OK, I used to be with Talk Talk, and just after their breach my contract was up, so I moved provider. It was a few days after signing up with my new provider that I got my first call. It was an Indian-sounding male who opened with this statement:

And another one. OK.

Hello, Sir. I’m calling from Talk Talk. As you know we’ve had a few issues recently. We have been speaking to customers that have been leaving Talk Talk to see what we can do to retain them

As it stands, that all sounded accurate and expected. The world’s media was still ripping them apart and it was obvious that they would be losing customers. The customer service reps must have been fed up too, so opening calls like that was probably to be expected.

We are offering you two deals today, one is a compensation figure and one is a retention figure, are you OK to proceed

Well, so far, all sounds legit.

The compensation figure is £10.66 for each month you have been with us

I thought it sounded an odd figure because that could be several hundred pounds for some customers, and with the millions affected, that really caught my attention. I couldn’t remember how long I had been with them, so I asked how it was calculated.

It is done off the value of your data and the number of months you have been with us

OK, red flag time … criminals don’t put that kind of value on credentials. So I decided to poke the bear and asked if they knew how much I would be expecting to get back in compensation.

£2087.00

Hmm, suspicious … One of those random things I know is that 2087 is a prime number. Quick bit of maths time:

2087/10.66 = 195.78 months

195.78 / 12 = 16.315 years

I knew I had not been with Talk Talk for 16.315 years! That’s interesting, I said, but I have left Talk Talk now.

Have you only just signed with your new provider

Yes I have.

That’s great news, because we can buy you out of that contract too as well as give you the compensation. Our security is now Tip Top and we can guarantee your safety

OK … red flag number two: “Tip Top”.

Red flag three: how much money are they giving away? So I feigned amazement … Wow, I said, I feel like I’ve won the Lottery.

It certainly looks like that. With your new contract, I assume it is for two years, so that would make a further £2089

Red flag four … another prime number, and technically red flag three again … how much!

I wanted to see where I could take this call and how the scam worked, so I asked what I needed to do.

Could you do a Western Union payment to prove your identity and then we can release the money

I feigned again, my acting skills must have been awesome: I don’t know what that is, I said.

It is our financial partner that we work with for Payment identification

He said it so buttery smooth, I wondered what he would have said if I had queried it!

All we need you to do is transfer to us £4176 plus a £20 admin fee and we will reimburse you with the money and your compensation a total £8387

My maths is pretty good and that number is not £4176 + £4176, and what/where is this admin fee?

I said I needed the details for the transfer and he gave me a name, a postal address, bank details and unfortunately for them .. a Hotmail address.

Sooo close.

I do wonder how many people must have fallen for that scam. Had I been busy and not really paying attention, that would definitely have sounded plausible.

So how do you stop a scam call?

  1. Shouting at them does not help; it seems to anger them and they seem to distribute your details further.
  2. Don’t ask them to call back later; that tells them you are the right person and they will continue to pursue you.
  3. Lie. Always lie. Sorry, that person has left, they don’t live here, they died, they are in hospital and unlikely to recover. What is it to them if you are not giving them genuine data? In fact, if they see that the data point for that telephone number is worthless, it is unlikely they’ll do anything with it.
  4. Block the number. Most telecoms providers have a way for you to report scam numbers. Use those services. Not for you, but for the unsuspecting person who will get swept up in the scam.
  5. It is rare now that suppliers phone you up. If one does, use the lie as above and hang up. Give it a few moments, then dial the genuine number that is known to you for your provider (from a bill or their website, never a number the caller gives you).


So there we have it … Hope you found that useful and can use those simple tips to get you started this month. Plenty more tips to come …


Share your own tips below and see if you make the 4th blog I’m doing … Readers Tips !!
