Showing posts with label Online Security. Show all posts

Monday, November 13, 2023

Not Everyone is Who they Seem on the Internet

When my youngest son discovered the power of the Internet back in high school, he trusted everyone to be who they said they were. I didn't and felt the innocent young woman my son started chatting with might really be some middle-aged man. My son didn't believe me but agreed he couldn't definitively prove me wrong and stopped talking with her.

I have had a lot of experience with people not being who they say they are. It is pretty easy to fool someone into thinking you are significantly different than you really are. Don't believe me? Look at the number of anecdotal stories of people showing up on first dates with connections that don't look anything like their picture. I'll be honest, if I needed to create an online dating profile, I might Photoshop myself some hair. Fortunately I am happily married and don't need an online-dating profile.

In the past, I have also received e-mails from a number of African royalty asking for help recovering significant assets. Fortunately we all know that these e-mails are scams and not to be trusted. That doesn't stop certain criminals from trying new tactics that are just variations on this theme. Perhaps you have received an e-mail from a name that looks familiar and asking for help. My dad recently got an e-mail from a supposed grandchild that didn't exist. While there are a lot of grandchildren in the family, there are not so many that my dad doesn't remember them all.

Lately there are a lot of criminals posing as law enforcement. Perhaps you have seen an e-mail telling you there is a warrant for your arrest. The message goes on to say that you can get out of trouble by paying a fine using gift cards. Should you ever be asked to pay a fine with a restaurant or store gift card, take a second to stop and think about it. Nobody ever asks for fines to be paid with gift cards. You can ignore the message.

Some past scams have been obviously fake but criminals are getting more clever. All it takes is a fact or two to convince you someone really is who they say they are when that could be false. That is why it is so important to guard your personal information. Treat it like gold as that is how cyber-criminals view it. I also recommend a healthy amount of skepticism as there are a lot of fakes on the Internet. It is in your best interest to challenge identities and ask for more information from someone simply to verify his or her identity. If the answers don't match reality, it is okay to stop communicating.


Sunday, December 11, 2022

Digital Privacy

This afternoon I checked my personal e-mail and received a message claiming to be from my company. While I work for Sony, my personal e-mail is through a domain that I own and it looks like another company. The message claimed to be from the admin account and said that I had 3 undelivered e-mails because they were spam. My e-mail account has a different filtering mechanism and I would never get an e-mail from the "admin". I had a link I could have clicked but I'm sure the results would have been nefarious. This is what is known as a phishing attack. Paying attention helps ensure I don't inadvertently install a virus or malware on my computer. This has the potential of releasing all sorts of personal information to bad actors that can steal my identity, drain my bank account, and ruin my credit.

Your digital privacy is very important and you should do everything you can to protect it. Being aware of potential phishing attacks is only one step of many. I also limit the information I share with various websites where I have login accounts. I never provide my social security number nor do I provide my birthday. There are many websites that require a birthday simply to verify age. I use the same fictitious date for such occasions and avoid providing my real birthday if I can help it.

Another trick to maintaining your digital privacy is to limit your payment information. There are a lot of websites that want to make purchases as simple as possible and so they offer to store your credit card information. Then you just have to hit the "purchase" button and it automatically bills your credit card. I actually have my primary credit card memorized and re-enter the information every time I make a purchase from infrequent accounts. It only slows me down a few seconds but gives me peace of mind every time I receive an e-mail about websites being hacked and payment information stolen.

One final word of caution is to severely limit who has access to your bank account information. This includes debit cards. Once someone gets into your bank account, it is very difficult to get your money back once it is gone. By using credit cards for all payments, you have a level of protection that ensures you don't lose any money. You just need to notify your credit card company about fraudulent transactions and they will credit your account while they investigate. You may have to provide additional documentation but most credit card companies will catch the invalid purchases before you do.

Unfortunately there are some thieves out there and the ubiquity of the Internet makes it easy for a small number of bad guys to inflict harm on a large number of good ones. Taking your digital privacy seriously will help reduce damages. I just wish there was a sure-fire way to keep yourself 100% secure.  

Monday, November 29, 2021

Two-Factor Authentication

A few days ago I received an e-mail from my credit card company asking if I had made a certain charge. I had not and so they cancelled my card and overnighted me a new one. In the 30 years I have had that credit card, I had never had a single fraudulent charge. Unfortunately the e-mail I received was the second such e-mail in about a month's time. That means someone used my card a month ago and somehow received my new credit card number and pertinent information to do the same thing again. How do I know it was the same person or organization? Well both fraudulent charges were to the same company, which is more than a coincidence. Fortunately my credit card company caught the theft and I didn't have to worry about disputing the charge.

I find it very interesting that a credit card I have had for 30+ years suddenly became compromised. It had me concerned about all of my other financial interests. After all, if someone could get my credit card number so easily, what about my other cards or my bank account? The first thing I did was to enable two-factor authentication for all of my online financial accounts. That means that even if someone is able to break my fairly complicated password, they won't be able to get into my accounts unless they also manage to steal my mobile phone.

Two-factor authentication relies on two methods of verifying you are who you say you are. The first locked door is your password. The second locked door is associated with a physical device such as your phone or computer. When I log into my bank account, I can't complete logging in until I provide a very temporary unique code that has been sent to one of my phones. Should I get a notification on my phone that I didn't initiate, I can immediately lock my account before anything nefarious happens.

With online theft happening more and more, I highly suggest setting up two-factor authentication for all of your online financial access. This includes banks, credit cards, brokerage accounts, and any other account that has access to your money. While it is not foolproof, it is another layer of protection that could save you some serious heartache.

Monday, December 18, 2017

Online Security

This afternoon I spent several hours reading through computer and online security policies for my company. They are not different from what you would find at any company concerned about making sure sensitive information remains so. While there is a lot that I read, the interesting point I would like to share today is with passwords.

I am going to start by saying that I hate my company's password policy. My company laptop password has to be a minimum of 12 characters, contain upper and lower-case letters, contain at least 1 number, and can optionally contain symbols. Furthermore I have to change the password every 90 days but cannot change it within 2 weeks of creating a new one. Why? So users don't just cycle through difficult passwords until they get back to their familiar one. We cannot use the same password again for a really long time. That means our password system remembers quite a few of our old passwords and won't let us re-use them. Of course, we are not allowed to write our passwords down. While this all sounds cumbersome to me, it actually has merit and should be adopted by others concerned about security.

Instead of looking at long passwords as being difficult to remember, I now look at them as ways of creating short sentences. For instance, when I have to create a password for someone and give it to them with the instruction to change it immediately, I always use something funny like "MattIsT0tallyAwesome!" It is longer than the 12-character minimum and is filled with upper and lower-case letters. I have also replaced one of the letter O's with a zero so I get a number in there. Then I end with the exclamation point which is an optional symbol.

The other thing that can get confusing is having to change my password so frequently. While I have come up with a short sentence for my first password, in 3 months I will have to change it again. Instead of coming up with a new password, I simply create a follow-on sentence. One example might be "YesHeReally1s!". Notice how all the rules are followed again with the number one replacing the capital letter I in the word "is". Once again I have used an exclamation point at the end but could have used another symbol just as easily. By the time I have changed my password 10 or 20 times, I have a fairly funny dialog that has been going on. The only trick is remembering which sentence I am on for my current password, but that is much easier than remembering a bunch of random characters.

For the record, I have never used either of my example passwords and they only serve as ideas. After all, what good is having a clever password if you post it somewhere for everyone to read?
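
The password policy described in this post, written out as an added Python example; it is not the company's actual system. The history depth of 10 and the PBKDF2 hashing of remembered passwords are assumptions, since the post says only that the system remembers "quite a few" old passwords.

```python
import hashlib, hmac, os, re
from datetime import datetime, timedelta

MIN_LENGTH = 12                   # from the post
MAX_AGE = timedelta(days=90)      # from the post
MIN_AGE = timedelta(days=14)      # "2 weeks", from the post
HISTORY_DEPTH = 10                # assumption: the post gives no number

def _digest(password, salt):
    # Remember old passwords only as salted, slow hashes, never as text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def composition_errors(password):
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("too short")
    if not re.search(r"[a-z]", password):
        errors.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        errors.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        errors.append("no number")
    return errors                 # symbols are optional, so not checked

class Account:
    def __init__(self, password, now):
        self.history = []         # (salt, digest) pairs, newest last
        self.changed_at = now
        self._store(password)

    def _store(self, password):
        salt = os.urandom(16)
        entry = (salt, _digest(password, salt))
        self.history = (self.history + [entry])[-HISTORY_DEPTH:]

    def expired(self, now):
        return now - self.changed_at >= MAX_AGE

    def change(self, new_password, now):
        errors = composition_errors(new_password)
        if now - self.changed_at < MIN_AGE:
            errors.append("changed too recently")
        # Re-hash the candidate with each stored salt to detect reuse.
        if any(hmac.compare_digest(_digest(new_password, s), d)
               for s, d in self.history):
            errors.append("reuses an old password")
        if not errors:
            self._store(new_password)
            self.changed_at = now
        return errors
```

The minimum-age check is what stops a user from cycling through ten throwaway passwords in one sitting to push a favourite out of the history.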