Seems protecting your own on-line identity, data and assets is an ongoing battle with the various scammers and thieves who would like to help themselves to our hard earned assets.
Thought it may be useful to create a topic that lists out the top tips as there are many experts on this forum.
Here is a list of some of the things I do ...
1) I maintain an email account which is only used for financial matters which isn't used anywhere else to ring fence it away from everyday use. I use https://proton.me/mail as security is their thing. I never give out this email and only a few financial institutions know it.
2) Don't duplicate passwords; always use strong passwords with a range of characters
3) Always use multi-factor authentication
4) Always update devices software
5) Keep an off-line back-up of key data (cloud services can go wrong) I use https://www.kingston.com/unitedkingd...?capacity=64gb as it encrypted and password protected
6) Keep an eye on your credit rating as that can signal unknown activity. I use ClearScore and Credit Karma
What are you top tips for staying secure? I note the recent topic on PAC codes; is there a way to lock this down?
Set a PIN code for your SIM - it locks out if someone steals your SIM / phone
Change passwords regularly and use strong ones and a password manager.
Use Multi Factor Authentication if available (sadly a lot of banks still seems stuck on two factor authentication)
Have multiple phone numbers for authentication in case one is compromised (thinking iCloud ident etc).
“ Ford... you're turning into a penguin. Stop it.” HHGTTG
With most email providers you can create unique email addresses by appending +‘something unique’ to your email user name.
E.G. captain.morgan@gmail.com becomes captain.morgan+dailymail@gmail.com
Useful if you want to track who is selling on your details as any email to captain.morgan+dailymail@gmail.com not from a daily mail address is a sold on spam mail.
Edit: you will not be able to send from the + addresses so it won’t work with accounts that need input from the mail addresses themselves, but these are very rare.
Obviously any encryption keys, one use login codes or backup passwords should be held securely be that paper or electronic copies, ideally both at home & in a offsite location in case of fire, flood, theft, etc.
Along similar lines backups should follow the 3-2-1 standard, 3 copies of your data, on a least 2 media types, 1 copy offsite.
Last edited by Captain Morgan; 5th May 2023 at 13:31.
Great tip re aliases. I sometimes go overkill and button bash numbers at the end of the alias to prevent someone guessing my username elsewhere. For example captain.morgan+dailymail37363720@gmail.com
One day I need to go through previously set up accounts and update logins.
I didn't know you could do that +tail thing on emails; is that a gmail feature of all servers?
I am very security coscious but had a minor incident recently.
As a result I changed all email addresses ( old ones will die out ), changed all passwords and changed my mobile number.
Bit of a pain but better safe than sorry.
That must have been a massive headache; I have 173 accounts associated with my work email address ... I can't imagine having to work through that lot ...Originally Posted by brigant
Using a dedicated email account for financial correspondence does seem like a very good idea. Think I'll be taking this suggestion onboard and I'll be using Proton for that.
?
Gmail, exchange (ms365), proton, most others too, obviously test it by sending yourself a email with the +tail.
An obvious tip is a non-technical one - common sense and awareness. Be very careful where you enter information, especially any username / email and password you use. If you're sent an email asking you to login to something, try and avoid following the link and instead go to the website directly, for example. And chances are you haven't won a prize / have a missed package with USPS / something equally as spurious.
It's very rare for normal folk to be targeted specifically in a security attack, so the most common cause of losing your data (or another security attack type) is unknowingly giving your own information away.
Be very cautious with things like this, follow the other advice in the thread, and you'll have a far higher chance of being safe.
One other tip, is try a service such as Jumbo (https://www.withjumbo.com) as well as credit agencies to monitor your data. There are alternatives so do some research first.
On your iPhone set a Screentime passcode ( not the same as your phone lock code) then set Change Passwords & Change Accounts to Do Not Allow.
Then even if a thief gets your unlocked phone he CW ‘s change your account password or even switch AppleIDs without going in and turning these options off.
I can't help thinking that the vast majority of the population won't have the first clue about any of this. Lambs to the slaughter?
Done and works ... top tip TY
I agree. We really need to see secure yet easy to use security controls be mandated. We're starting to see it with 2FA / MFA becoming the norm, and now passwordless authentication (helped by things like Passkeys) is gaining a bit of traction, but it needs some good awareness campaigns around it that focus on the benefits of this, and the other basics like password hygiene and overall awareness of risk.
That’s not computing even for me, & I have a degree in dentistry fwiw. Don’t forget that 50% of the population are, by definition, below average intelligence.
I deliberately keep a separate and anonymous email address for my Paypal account (also Protonmail). Using your normal email address is effectively giving out 50% of your credentials (well, perhaps less than 50% if you have multi-factor as well).
In the Sotadic Zone, apparently.
If you start to get unauthorised credit searches etc then a CIFAS protective registration makes any applications more difficult as extra information has to be provided by the borrower
Sent from my SM-A526B using TZ-UK mobile app
How do you do that?
I’ve heard of some people adding things to their credit files so that anyone wanting to take out a loan etc will be required to provide some specific extra info.
Some people have said they’ve requested a fingerprint or similar.
Not sure how that works though, but I like the idea.
https://www.cifas.org.uk/
Protective registration
Sent from my SM-A526B using TZ-UK mobile app
As a somewhat "typical' 75 year-old, I am not as familiar with the latest tech as Millennials and GenXers, but I'm not stupid, either. Many of the ideas mentioned above I do NOT use, but in 25 years on the internet I've never been burned.
One reason is I'm always on my guard and careful. One of my favorite things is to hover my mouse over email addresses and other links I encounter. So many of them are different from the shown link. If an email has a financial connection, I NEVER use the link in the email (like bankofamerica, for example). Too many of those links take you to a site that looks identical to the real one and asks you to "log in."
I really need a password manager and I bought one last year, but found it too complicated, and did nothing!
I don’t have a big online presence where I am identifiable and even those that do deliberately contain some false data.
I’ve been using unique email addresses and password combinations for all registrations for over two decades and change email addresses and passwords every year.
As more and more online services begin supporting physical keys for 2FA I have begun the transition over to that where possible.
Every telephone call is treated with suspicion until proven otherwise.
About a decade ago I received an unsolicited telephone call from someone claiming to be from the bank’s anti fraud team and they asked me to supply further details before they could talk to me about my account! I responded that they had called me so I required them to tell me information first before I would cooperate with them. This reached an impasse.
I finally decided to hang up the phone, call the number on the back of my bank card, and ask to be put through to the anti fraud team. Turned out I ended up speaking with the same person, so the call had been genuine, and their was no issues with the transaction being queried. It was a genuine payment to a new and trusted recipient.
I’m naturally suspicious so hope never to be caught out.
Wouldn’t any half competent spammer/scammer strip the +text before sending?
Another one that came to mind is don’t use public usb charging points, they can be modified to infect connected devices with malware. It’s better to use them to charge a power power bank, then your device if you can’t use a normal mains charger.
Just the usual stuff - a selection of email addresses and VPNs, some alternative IDs with associated passports, driving licences and forwarding addresses, a handful of burner phones and a couple of special phone numbers and codewords committed to memory in case it all goes pete tong.
Don't just do something, sit there. - TNH
Ahh safe access to ‘gentlemen’s relaxation pamphlets & videos’ without need to comply to the incoming cybersecurity bill & the need for age verification.
And seriously, spywear is a becoming ever easier to install onto a target smartphone with things like malicious USB cables and charge points mentioned by Captain Morgan. Once a Remote Access Trojan is installed the user is very unlikely to know anything about it, and data is extracted unencrypted. Using a VPN or Signal, etc. will not make a difference. The RAT also has remote control of the microphone and camera and GPS info. Check out Droidjack for an example. Don't trust your Smartphone!
The Pegasus RAT can be installed entirely remotely, no cables required. This recent Storyville is well worth a watch: https://www.bbc.co.uk/iplayer/episod...in-your-mobile
Don't just do something, sit there. - TNH
Be wary of the "recipient" address in any email you get - especially on gmail. Learn to read headers if you have the time, for any email that requires action from yourself.
Explanation:
john.smith@gmail.com, from gmails perspective, is the same as john...smith@gmail.com, john.sm.it.h@gmail.com, and johnsmith@gmail.com. Its a stupid feature they insist on using, and maybe more providers do it because of Google's insistence.
However 3rd party services do not marry up. Theoretically Barclays for example could distinguish johnsmith@gmail.com and john.smith@gmail.com as two separate users, and I could create an account with a variatin of dots and have the genuine user think action was pending from a legit email address.
This is not just a theoretical exercise - this has happened in the past and has been exploited, by Netflix no less, not some cowboy outfit. See: https://www.bitdefender.co.uk/blog/h...shing-attacks/
I've lost count of how many full stops are in my Gmail but I do love getting constant discounted new customer offers for Now TV.
Apologies. My underlying point is there are emerging technologies that make security stronger and at the same time easier to manage. The days of having just a password are coming to an end. Passwords put all the onus on you as the user to manage, ie make them complex, unique, change them regularly, remember them, etc.
For obvious reasons, people don’t reliably do this. There is a trade off between convenience and security and most people choose the former.
The increasing use of 2-factor authentication (or multi factor) improved this. Your convenient password is no longer enough on its own.
The next step will be to replace the password entirely, or at least make it less relevant. Instead, something physical will replace it. For example, Passkeys allows you to use your physical phone, or another compatible physical object, to login to services without having to enter your password. Nobody can ask you to give over your credentials via a dodgy phishing email if the authentication relies on something physical.
Im talking very generally here of course, but the overall point in making is we need to see these things become common place, and then we need public information and awareness campaigns to increase people’s awareness of methods of protecting their security. We can’t expect your average person to work it out for themselves.
Disposable email addresses have got a lot easier with "hide my email" and iCloud.
I generally disable the created email address after completing setup and only ever reactivate if I have to use it for password resets.
It really can become something of a rabbit hole if you let it.
I posted a thread a while back pointing out that a number of cheap Chinese android tv streaming boxes, the kind you see a lot of in the fraudulent IPTV space surprisingly had security compromises built in.
I don’t use one (IPTV box, I do use IoT devices) but I’ve always been aware that these various IoT devices we hang on our home networks are really Linux computers & often left without updates, unpatched & open to infection for years, so a couple of years back I made the decision to segregate those devices & move them off of my trusted network, now I can instigate communication from trusted devices to IoT ones but the IoT can’t establish new connections back to trusted devices, in essence they can only talk to my phone/computer if I have started the conversation & it stays on topic.
I’ve also got a pihole equivalent to block suspect dns requests & fw rules that force any dns traffic to my dns server, it’s surprising how many devices (I’m looking at you google & amazon) have hardcoded dns server addresses built into there os, is it an attempt at performance management preventing the use of poorly managed dns servers or a attempt to prevent dns blocking…
Anyway I’m sure I’ve put you all to sleep so I’ll toddle off now.
Last edited by Captain Morgan; 6th May 2023 at 13:21. Reason: Clarity
Here's the ever engaging Ken Munro on the IoT. His more recent talk on smart sex toys is a real eye-opener... you'll find it on YouTube.
Don't just do something, sit there. - TNH
Sorry, but that just isn't true (fwiw).
I think that you are being mean.
Don't just do something, sit there. - TNH
Indeed!
When you look long into an abyss, the abyss looks long into you.........
When setting up a Proton email account it asks for an optional recovery phone number or email address. I presume that if you're setting the account up for banking use, then from a security point of view you'd not want a recovery (back door) option?
Good reading, this is certainly a minefield though!
My biggest fear is someone stealing a laptop, getting into it and then accessing all my accounts as the passwords are saved on Google Chrome.
How is anyone mitigating against that? I know many have MFA now, but not all.
I do sessions on things like this where I put the audience into the role of scammers to show what cyber and real crimes can be committed against you.
The current biggest trend in 2023 is around the information people put into the public domain through social media (open source intelligence).
Disk encryption (BitLocker on Windows, FileVault on Apple Mac's) and a sensible login password will help protect your laptop.
But the data is in your Google account, so make sure you have a good password, MFA, and setup recovery information just in case. Regardless of your laptop, if somebody gets into your Google account they can simply setup a new profile in Chrome and everything will synchronise for them, so protecting that account is key. Google are pretty good at guiding you through this sort of thing, look at the Security section here: https://myaccount.google.com/
Thanks for the post RobM. Well I made a start. I have set a password on the laptop!
Also accessed the Google security page. Seems they have it in order largely, as you say. I have verified my other email, which apparently wasn't verified. Still plenty more on the list to consider at some point.
I retired start of COVID and now work from home a few hours a week for a major retailer, I help customers who have been hacked or have been victims of online fraud.
Apart from those who just used simple passwords with their email account and they then claim it's been hacked, ( not really hacking is it if you used 123456 ) all the rest , and I mean everyone, wasn't hacked. They simply replied to a scam email or phone call and gave their details to the scammers.
The elderly customers all complain about how unsafe the internet is so I always point out it's safer now and no company , bank retailer whoever will call you and ask for details, not even email. They will ask you to sign into your account via email or expect you to call in to them.
Stolen identity is common as well and that's also usually paired with poor online security.
You just wouldn't believe how many people give their bank deets out over the phone and then blame 'the internet' as being unsafe.
I use spam filters as designed and third party password manager, took a few days to go through every online account and change to 2fa or otp where offered and every password to 8+ and unique . Been online with same email and phone number since 1994, spam folder fills every couple of days , Google deals with it well. Mostly pay online with a credit card or PayPal.
Life's too short to obsess about these things but just take common sense precautions and strong passwords. Only use phones and laptops supported with updates and I use a hotpot shield when out and about.
Had one customer who bought MacAfee off Amazon. Got a code, within minutes of entering the code he got a call asking for his bank details claiming he needed to pay a little bit extra for full access. He gave his details and they emptied his bank account. This was because he 'trusted' Amazon to only sell legit. He wasn't thick, was just elderly and was obsessed with security as he's been told many times the internet isn't safe. Then just gave his bank details over the phone. Even after we secured his account he was still saying 'its the internet think I'll close everything down'.
In my experience they target elderly customers who are trusting of anyone who calls them.
Although I know a builder in his 40s who fell for the scam call from the bank, lost 5k
Sent from my Pixel 7 using Tapatalk
Last edited by Daveya.; 7th May 2023 at 14:44.
Ps I use Dashlane, 50 quid a year I think, it's a phone app but also has a chrome extension
Sent from my Pixel 7 using Tapatalk
Like you, I save passwords in Google Chrome. BUT...I never save passwords or usernames for financial sites. My bank, my PayPal, my retirement accounts, my credit cards, etc., I don't save to Google Chrome. These I save in a password-protected Word file with a nondescript name, like SanDiegoTennisCourts.docx. Then, within that document I use my own code/shorthand for entering the username and PW. Very low tech but it's worked for 25 years.
Why don't the spammers simply strip the +text?
I think it's because the collection and use of email addresses is automated, and the scammers never "see" the thousands of addresses they're sending to.
Surely this could be automated too.
Dunno...
john daht doe at gml daht kom
Posting Permissions
Reply With Quote