Random Thoughts – Randocity!

How to prevent school shootings

Posted in parenting, personal security, security by commorancy on February 26, 2018

On the heels of the Parkland, Florida shooting, this question has emerged yet again. Can we prevent school shootings? Let’s explore.

Mass Shootings

In recent years, mass shootings seemingly have been more and more frequent. Or, at least so it seems. It’s not just school shootings, it also includes shootings like Las Vegas and the Pulse Club shooting in Orlando. I’d even include the mass killing by vehicle where people mow down crowds of pedestrians. While these last three examples aren’t school shootings, they do point to a systemic problem that appears to extend beyond the school into our everyday lives.

We don’t know why these mentally disturbed folks decide to pick up a weapon and point it at a crowd or drive a car through a crowd. However, I’d start by looking at commonalities. These might include medications they were taking or things they were doing in their daily lives. It might even be mental health problems.

Parkland Shooting

My heart goes out to those who have had loved ones taken away in Parkland. However, Parkland is the most recent example of a mass school shooting allegedly committed by a former student who had apparently been expelled. What triggers these people? Though, the bigger concern is less why this student was triggered and more how this student found access to weapons. And, herein lies the problem and with it, the solution.

Weapon Access

The bigger question is, how did a 19 year old get access to the weapons he allegedly used? In many states, it’s perfectly legal for an 18 year old to purchase and possess a rifle, but not legal to purchase or possess a handgun at that age. In the case of the alleged shooter, he apparently legally bought the AR 15 rifle just weeks before the shooting. I guess the somewhat odd thinking here is that a rifle is more obvious than a handgun. This is backwards thinking. The rifle, while being obvious when someone is holding one, is obviously a more dangerous weapon… especially if it’s an AK-47 style semi-automatic rifle. This compared to a handgun which isn’t always semi-automatic, though some are.

Here’s where we have a problem. The point of a semi-automatic rifle is to point and spray. That is, to discharge as many rounds as fast as possible. These weapons are designed to dole out mass amounts of bullets and damage. This compared to a handgun which isn’t typically designed for this purpose. Here’s the first problem. Why are semi-automatic weapons allowed to be sold at all, let alone to someone under 25? These are weapons that should, if at all, only be sold to people who can pass a proper gun test and full background checks. It should also be limited to someone aged 25 or older.

If an 18 year old wants to gain access to semi-automatic rifles, join the military. For the shooting in Parkland, the alleged shooter was legally an adult at the time of the shooting, so I’ll come back to the adult age group issue shortly.

Children with Guns

In the case of younger school mass shooters, how did they get access to the weapons at all? These children can’t own weapons. This is where parental guidance fails. Many of these shooters obtained their weapons directly from their parent’s weapon stash or from a friend’s weapon stash. Of course, they might have also obtained weapons through illegal means.

In the case of parents owning weapons where the child used it in a mass shooting, the parents should be held legally accountable, at the very least as an accessory. If you own weapons and do not properly secure them from your child, then you need to be held legally accountable for how that weapon is used, particularly if it is by your child. As a parent, you need to share in your child’s legal culpability and burdens, even if the child is shot and killed after the mass shooting. As a parent of a child mass shooter, you can no longer claim to be a victim in this. You are now fully responsible for your child’s actions while using your legally purchased weapon(s). If that means the child performed a mass school shooting, as a parent, you should expect a maximum sentence including jail time.

This is the first way to stop these mass school shootings. If parents legally become an accessory to whatever is committed by the child with that parent’s weapon, then parents will then have to be much more careful about where they leave their guns. This means making completely sure that your weapons are entirely secured from your child, preferably away from your home. This means making sure your child has no way to circumvent your gun storage system and take possession of them. However, if your child does take possession and uses your weapon in a mass shooting, expect to see the inside of a courtroom and see the inside of a jail.

Making parents take responsibility for their child’s actions is the first way to stop school age child shootings. Parents of a shooter need to stop making themselves into the victim and take legal responsibility for their child’s actions.

Adult Aged Shooter

In the case of Parkland, the alleged shooter was 19 and legally purchased and owned the weapons he purchased. That’s partly because Florida’s gun laws are fairly lax. This is where if Florida’s gun purchasing laws had been more strict on this matter, this 19 year old (still mentally a child) wouldn’t have been able to buy an AR 15 weapon. Unfortunately, there is the argument that at 18, the age where everyone is considered a legal adult, you should be able to buy and own a weapon. I agree with that sentiment to a degree. It’s not that you can’t own a weapon, it’s that the states need to mandate stricter requirements before you can walk out of the shop with one. No one needs to walk into and out of a gun shop with gun-in-hand in the same day. It’s not that kind of an item. Here are some points that could have at least slowed down (or possibly thwarted) this alleged shooter:

  1. Require a permit. A permit to own a weapon means you need to file for that permit and wait until the permit arrives before you can buy a gun. This takes time and a little bit of money. It also means your name is on file with the state and authorities that you own a weapon and which weapons you own (because the gun dealer has to make a record with your permit number).
  2. Require a waiting period. In addition to the time it takes to file for and receive a permit, force every gun shop to make you wait at least 30 days before taking possession of the weapon. Not only does it force the buyer to think about their purchase, it forces the buyer to wait 30 days before that gun becomes theirs. It also gives the gun shop owner 30 days to do their own research before handing over the weapon. I consider this one due diligence. No one needs a weapon overnight. It also means the gun shop might not get a pass for not doing their due diligence. Everyone involved in the sale of a gun has a responsibility to ensure they are selling that weapon to a person of sound mind.
  3. Require a mental health evaluation. This one is on the list only because it can help evaluate sound mind, but it’s also controversial. This means that as a gun buyer, you need to be evaluated by a medical professional prior to taking possession. Or, at least, prior to taking possession of your first weapon. The problem with this is, judging someone else’s mental health is a bit of a challenge. Habitual lying sociopaths are well capable of making their lies seem quite truthful… even to a mental health professional. This means that unless the mental health professional is able to diagnose a lying sociopath, the mental health professional could be on the hook for what that person does with the weapon after they signed off on that person’s mental health. Not sure how many mental health folks would want to take on that responsibility.
  4. Background check. A person who is looking at purchasing a weapon should go through a thorough background check. This should include social media sites and reviewing any behaviors that might seem out of the ordinary. If the person is under 25, the person’s most recent school records and conduct must be evaluated. If a school has recently expelled that person, this should be grounds for background check failure. If a parent or sibling has been involved in gun violence, failure.

These basic checks would at least stop obtaining weapons through legal means. However, it won’t stop people from obtaining weapons illegally. It also won’t stop person to person weapon purchases. For example, in Florida, one person can legally purchase a gun from another person without notifying anyone. This is the hardest problem to solve. Is there a way to solve this? Not easily. Because person to person weapon transactions are the hardest to track and the hardest to know about, it’s almost impossible to stop these.

Failure to Investigate

In the case of the alleged Parkland shooter, this former student apparently had disturbing content on various social sites including a now infamous comment left on YouTube. Content describing the want to use weapons in the way they were used. Apparently, some folks from the school found these sites and brought it to the attention of the school authorities, the local authorities and even the FBI. Yet, none of these leads were apparently followed up on.

This is a hard section to write. If there are folks who are tasked to investigate troubled teens for possible issues like this, why wasn’t this information followed up on? Why wasn’t he found early? Why wasn’t he taken in and detained? Why did none of this happen? There’s a term for it…

Security Theater

What exactly is “Security Theater”? According to Wikipedia:

Security theater is the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to achieve it.

What this means is that authorities set up mailboxes to catch complaints with hollow promises to follow up. In fact, these sites actually aren’t monitored and the mailboxes go unchecked. These sites are set up strictly to placate, to provide security theater.

Instead of implementing the facade of security theater, we need to actually monitor, take action and follow up on these legitimate leads. If the FBI had actually followed up on these leads (or had at least notified the local authorities), the Parkland shooting might not have taken place. It’s one of those hindsight is 20/20 kind of deals. It’s easy to look back and see all of the mistakes. However, if at least one of those notified authorities had followed up, perhaps Parkland wouldn’t have happened?

Overall

By enforcing more strict gun purchasing laws (especially to those under 25), by eliminating the practice of security theater and by actually following up on all possible threats, it’s possible we could have prevented the Parkland shooting. Heck, car insurance has always been higher for those under 25 for a reason. The insurance companies realize how reckless that age group can be. Why not apply this same logic to gun purchasing and ownership?

These ideas won’t necessarily stop all mass shootings and wouldn’t necessarily have prevented a shooting like Las Vegas, but if these ideas can reduce the frequency of them, then that’s a win in my book.

How to protect yourself from the Equifax breach

Posted in botch, business, security by commorancy on September 11, 2017

Every once in a while, I decide to venture into the personal financial security territory. This time, it’s for good reason. Unfortunately, here’s a topic that is fraught with peril all along the way. It also doesn’t help when financial linchpins in the industry lose incredibly sensitive data, and by extension, credibility. Let’s explore.

Target, Home Depot and Retailer Breaches

In the last few years, we’ve seen a number of data breaches including the likes of Target and Home Depot. While these breaches are severe problems for the companies, they’re less problematic for the consumer in terms of what to do. As a consumer, you have built-in protections against credit card fraud. If a thief absconds with your number, your liability is usually limited to around $50, but that also depends on the card… so read your fine print.

With the $50 you might have to pay, the inconvenience to you is asking your credit card company to issue you a new card number. This request will immediately invalidate your current card number and then you have to play the snail mail waiting game for a new card to arrive. That’s pretty much the extent of the damage with retailer like Target or Home Depot.

No one wants to go through this, but it’s at least manageable in time… and you can get back on with your life. For breaches like Equifax, this is a whole different ball game, let’s even say, a game changer. Breaching Equifax is so much more than a simple credit card inconvenience.

Credit Reporting Agencies and Breaches

With Equifax breached, this is really where the government needs to step in with some oversight and regulations. What your social security number is to the government, your credit reporting file is to your personal financial health. This breach is a dangerous game… and worse, Equifax is basically taking it lightly, like it’s no big deal. This is such a big deal, you will absolutely need to take steps to make sure your data is secure (and even then, that only goes so far).

First, I’ll discuss what this breach means to you and how it might affect you. Second, I’ll discuss what you can do to protect yourself. Let’s start with some basic information.

There are 3 primary credit reporting agencies (aka credit bureaus):

  1. TransUnion
  2. Experian
  3. Equifax

Unless you’ve never had a credit card, you probably understand what these businesses do. I’ll explain for the uninitiated. These agencies collect and report on any outstanding credit card or revolving lines of credit you currently have. If you have a mortgage, these entities know about it. If you have a credit card (or many), they know. They also know lots of other data (i.e., previous and current address), what loans you’ve had in the past, what bank accounts you have, what balances are on your outstanding lines of credit, any collections activities and the list goes on and on. It also lists your birth date, social security number and full credit card numbers and account numbers.

Based on all of your credit lines, how well you pay and so on, these companies create a FICO credit score. This score determines how low an interest rate you’ll receive on new loans. These companies are not only a bane by their very existence, but they are your lifeline if you need new credit. Even just one blemish on your record can prevent you from getting that loan you need to buy your new house or new car. Without these linchpin companies, lenders wouldn’t be able to determine if you are a good or bad credit risk. Unfortunately, with these companies, consumers are at the mercy of these companies to produce accurate data to lenders (and to protect that data from theft)… a task that Equifax failed to do.

What did Equifax lose?

Equifax lost data for 143 million record holders. While that number may seem small, the damage done to each of those 143 million record holders will eclipse the damage produced by Target and Home Depot combined. Why? Because of how these credit reporting agencies actually work.

Equifax (and pretty much all of these credit reporting agencies) have flown under the radar in what they do. If you go to a car dealer, find a car you want and fill out loan paperwork, that dealership will pull a credit report from one or more of these agencies. Your credit report will contain a score and all loans currently outstanding. It also shows how well you pay your loans, any delinquencies in the past and other financial standing metrics. This credit report will be the basis of whether you get a loan from the car dealership and at what interest rate.

Hackers had access to this data between May and July of 2017. The hack was found on July 29th, but not reported to the public until September 8th. That’s over a month that Equifax sat on this news. It’s possible that they were requested by law enforcement to hold the announcement, we just don’t really know.

What was lost?

According to the Washington Post:

Hackers had access to Social Security numbers, birth dates, addresses, driver’s license numbers, credit card numbers and other information.

According to the New York Times:

In addition to the other material, hackers were also able to retrieve names, birth dates and addresses. Credit card numbers for 209,000 consumers were stolen, while documents with personal information used in disputes for 182,000 people were also taken.

Those dispute documents being PDFs of bills, receipts and other personally identifying information. I’ve also read, but have been unable to find the corresponding article, that the hackers may not have had access directly to the credit report database itself, but only to loose documents in a specific location. However, even with that said, do you really trust Equifax at this point? I certainly don’t.

Why is this such a big deal?

Because the credit reporting agencies have played it fast and loose for far too long. They make boat loads of money off of each credit report that’s pulled. If you pay $50 as part of the loan process to pull your credit report, the dealership will keep part of that money and the rest goes to Equifax. Because many loan applications are processed every day, some credit reporting agency is making money. Making money isn’t the problem, though.

These agencies will pull a report for anyone willing to spend money. This includes people with stolen credit cards. However, that only gets thieves so far before being caught. Instead, breaking into computers at the agency allows them to not only pull credit reports for anyone who has a record, they can get access to lots of sensitive information like:

  • Social Security Numbers
  • Birth Dates
  • Addresses
  • Places of employment
  • Home Addresses
  • Credit card numbers
  • Dispute Documents
  • Etc.

Basically, the thieves may now have access to everything that makes up your identity and could steal your identity and then attempt to divert bills away from your house, create new cards, and do other things that you may not be able to see. If they managed to get access to your credit report, they can open cards out the wazoo. They can charge crap up on those cards. And, they can perform all of this without your knowledge.

Credit Monitoring

You might be thinking, I’ll set up a credit monitoring service and have the credit reporting service report when activity happens. Even that, while only somewhat effective is still subject to being breached. If the thieves have access to all of your identity information, they can request the credit reporting service to do things like, reissue passwords to a new email address and send sensitive reports to a bogus address. These thieves can even undo security setups like a credit freeze and reassign all of that information to their own address. You won’t see or even know about this unless you regularly check your credit reports.

This problem just barely peeks into the can of worms and doesn’t even open it fully. There are so many things the thieves can do with your identity, that by the time you figure it out, it could be far, far too late. So, don’t think that signing up for credit monitoring is enough.

Sloppy Security Seconds

In fact, it wasn’t seconds, it was almost 2 months before the breach was known to the public. A move that not only shows complete disregard for 143 million people’s financial security from a company who should be known for it, Equifax doubled down by creating a lead generation tool in their (ahem) free TrustID tool. Keep in mind that that TrustID tool is only (ahem) free for one year, after that you pay. Though, protecting against new account creation is only half the problem. The other half to which TrustID can’t help is protecting your existing accounts. Because credit reports contain every account and every account number you own, if your data was compromised (and with 143 million accounts worth of data lost, it’s very possible), you need to do so much more.

Even the Security Checking Tool (which was questionably put up on a brand new domain???) seems to have been a sham and had its own share of SSL certificate problems leading to some browsers showing the site as a scam. Some Twitter users have entered bogus data… and, this checking tool seems to have stated this bogus data was included in the breach. The question is, does that tool even work or is it merely security theater? Yet another black eye among many for Equifax’s handling of this data breach. To wit…

[embedded tweets not reproduced here]

To sign up for Equifax’s TrustID premium service, you have to enter even more personally identifying data into a form of a company that has clearly demonstrated they cannot be trusted with your data. Why would anyone do this? Seriously, signing up for a service with a company who just lost a bunch of information? No, I think not. Instead, Equifax should be required to pay victims for a monitoring service with either TransUnion or Experian (where breaches have not occurred… yet).

On top of entering even more personal information, the service requires you waive your right to lawsuits against Equifax and, instead, requires binding arbitration. Yet another reason not to sign up.

It’s not as if their credit monitoring service is really going to do you a whole lot of good here. If you really do want a credit monitoring service, I’d suggest setting it up with Experian or TransUnion instead. Then, figure out a way to get Equifax to pay you back for that service.

Can’t I reissue credit card numbers?

While you can do this, it won’t protect you fully. The level of what the thieves can potentially do with your data from Equifax goes much deeper than that. Yes, changing the numbers will help protect your existing cards from access. However, it won’t stop thieves from opening up new accounts in your name (and this is one of the biggest problems). This is why you also need to set up a credit freeze.

Because the thieves can now officially pretend to be you, they can do such things as:

  • Pretend to be you on the phone
  • Call in and request new pin codes based on key identifying information (address, SS#, phone number, etc)
  • With your old address, they can then transfer your bills to a new address
  • They can reissue credit card numbers to that new address

You’re probably thinking, “What about the security measures my bank uses? Won’t those protect me?” That depends entirely upon how convincing the thief can be over the phone. If they can answer all of your identity information and find a representative who can bypass some of the bank’s security steps, they can get a foot in the door. That’s all it takes for them to basically take over your credit accounts… which is one step away from potentially hijacking your bank accounts. A foot in the door is enough in many institutions to get the ball rolling towards full hijacking.

How do I protect myself?

If your data was involved in the breach (unfortunately, the tool that Equifax provides is sketchy at best), the three bare minimum things you should do are:

  1. Contact one of the three credit bureaus and ask for a free 90 day fraud watch
  2. Contact all three and ask for a credit freeze on your records at each credit reporting agency
  3. Set up credit monitoring at TransUnion or Experian

The 90 day fraud watch means they will need to let you know when someone tries to do anything with your credit report. However, this watch is only good for 90 days and then expires. The good thing about requesting this watch is that you only have to do it at one bureau. All three will receive this watch request from your contact with one of them. The bad thing is, 90 days is not nearly long enough to monitor your credit. In fact, the thieves will expect the 90 day fraud watches, wait them out, then go after it hard and heavy after these begin expiring.

A freeze, on the other hand, lasts until you unfreeze. A freeze puts a pin code on your credit record and that pin is required each time a company needs to pull a copy of your credit report. This will last far, far longer than a 90 day watch and serves to stop the thieves in their tracks. To freeze your records, you will need to contact all three separately and perhaps pay a fee of $5-10 depending on where you live.

Setting up credit monitoring means you can be alerted to whenever anything changes on your credit report. But, credit monitoring won’t stop the changes from occurring. Meaning, you’ll be alerted if a new card is opened, but the monitoring service isn’t a preventative measure.

You can contact each bureau as follows to set up any of the above services, including a credit freeze:

  1. Equifax or call 1-800-349-9960
  2. TransUnion or call 1-888-909-8872
  3. Experian or call 1‑888‑397‑3742

Neither a fraud watch nor a credit freeze will impact your credit score. A freeze simply prevents any business from pulling your credit report without having your pin code. Companies with which you already do financial business or have loans established can still pull reports as needed. However, any new loans will be required to have your security pin code. You can learn all about the details of a credit freeze at the FTC.gov web site.

Unfortunately, because the breach may have been more extensive than it appears, a thief can now contact the credit bureaus over the phone, pretend to be you and have any pin codes removed and/or reissued. Then, gain control over your credit records. This is why this breach is so treacherous for consumers. You need to be on your guard, vigilant and manually monitor your credit report for at least the next 12 months regularly. This is the part no big box media site is reporting. Yes, this is a very treacherous landslide indeed that is at work. Even if you do all of the protections I mention above, thieves can still subvert your financial records for personal gain by knowing your key personally identifying information.

How do I stop the thieves?

This is the fundamental problem. You can’t, at least not easily. To truly protect yourself, the scope of changes would include all of the following:

  1. Get a new social security number
  2. Reissue all of your credit card and debit card numbers
  3. Open new bank accounts, transfer your money into the new accounts
  4. Close the old bank accounts
  5. Reissue new checks
  6. Change your telephone number
  7. Move into a new address (or obtain a P.O. Box and send your bills there)
  8. Legally change your name
  9. Change all of your passwords
  10. Change all of your email addresses
  11. Set up multifactor authentication to every financial app / site you log into that supports this feature.

Unfortunately, even doing all of the above would still mean the credit bureaus will update your credit report with all of this new data, but your prior history would remain on the report… possibly up to and including all of the old account, name and address information. It is very, very difficult to expunge anything from a credit report.

In addition to the above, I’d also suggest closing any credit lines you don’t regularly use. If it’s not there, it can’t be exploited. None of this is a magic bullet. You just have to wait it out and shut the thieves down as things materialize. Being diligent in watching your credit report is the only way to ensure you nip things in the bud early.

Tidal Waves and Repercussions

The extent of the breach is as yet unknown, as is the extent to which each consumer may have to go to protect themselves from this deep gash in the financial industry. Not only does this gash now undermine each account holder’s personal financial well being, it undermines the credibility of the very industry holding up the world’s economy. This is some serious shit here.

If half of the US’s residents are now available to identity thieves, those organizations who help protect the small amounts of identity theft throughout a normal year cannot possibly withstand a financial tidal wave of identity theft paybacks which could seriously bankrupt many credit organizations. In fact, if this tidal wave is as big as I suspect it could become, we’re in for some seriously rough financial waters over the next 6-12 months. By the time the holidays roll around, it could be so bad, consumers cannot even buy the goods needed to support the holiday season. Meaning, this could become such a disruptive event in the US’s financial history, many businesses could tank as a side outcome of consumers not being able to properly spend money during the most critical season of the year.

This has the potential to become one of the most catastrophic financial events in US history. It could potentially become even more disruptive than the 1939 stock market crash. Yes, it has that much potential.

Since I have no reason to believe that Equifax has been totally honest about how much data has actually been lost, this is the reason for this level of alarm. I’d be totally happy if the amount of data lost was limited to what they have stated, but the reality is, nothing is ever as it seems. There’s always something deeper going on and we won’t find that out for months… possibly at the point where the economy is hit hard.

Equifax Aftermath

Because the US is so pro-business, Equifax will likely get a slap on the wrist and a warning. Instead, this company should be required to close its doors. If it is not providing adequate data security measures to protect its systems, then it needs to shut its doors and let other more capable folks handle this business. This sector is far too critical of a service and that data too risky if lost to allow flippant companies like Equifax to continue to exist in that market.


Security vulnerability: Apple Watch, iPhone and Apple Pay

Posted in Apple, security by commorancy on March 6, 2016

If you own an Apple Watch, there is a security vulnerability that could compromise your Apple Pay cards. Let’s explore.

Watch Stolen?

Let’s say you’re on vacation and you decide to visit that cute little patio coffee shop. Naturally, you’re sitting, sipping and enjoying your coffee. Your wrist, adorned with your new Apple Watch, is resting on top of a pretty wrought iron fence. Someone comes along, grabs your Apple Watch off your wrist and runs away. What do you do? Chase after them to get it back? Oh, but they’re already gone. So then, try to disable the watch on your iPhone? So, here’s the dilemma (and the vulnerability). As soon as you unlock your iPhone, your watch is now quite vulnerable thanks to Apple.

Unlocking your iPhone

Apple has recently pushed an update that automatically and, by default, unlocks both your Apple Watch and your iPhone merely by unlocking your phone… so long as the watch is on anyone’s wrist (it doesn’t have to be your wrist). And herein lies the vulnerability.

So now, that thief who has just stolen your Apple Watch is standing close enough to still get a connection from your iPhone. The thief already knows what will happen after you unlock your phone. So, they patiently wait until you unlock your phone. Then, they get access to your stolen watch’s data until you A) Mark as Missing or B) remove all your credit cards from your wallet. It’s doubtful you can unpair the watch once they have taken it out of range of the Bluetooth/WiFi, but you can mark it as missing.

The thief will wait just long enough to get the watch unlocked and then run for it to get out of connection range. This may allow them to get access to the Apple Wallet and skim your cards from NFC. They could even still do it while in range of your phone, especially if you somehow hadn’t noticed the watch was missing (i.e., you had taken it off and placed it in your bag).

Fixing the Vulnerability

It’s quite amazing that this exists, a stupid security feature from the same company that’s trying to defend itself from unlocking a terrorist’s iPhone for a judge. Hypocritical much? No no, mustn’t unlock a phone for a judge. But, it’s perfectly okay to give thieves access to Apple Pay credit cards by enabling this dual unlock feature. The first thing I’d recommend is going into the Watch app on your iPhone and disabling this feature pronto! You’ll find that the Apple Watch itself also shows this setting under Passcode, but thankfully it can only be enabled or disabled from the iPhone.

However, this feature should not be available at all, Apple.

Preventative Measures

While you are still in possession of both your Apple Watch and your iPhone, you should immediately disable this feature. On the iPhone, it’s under Watch app=>My Watch (Screen)=>Passcode=>Unlock with iPhone set to OFF.

You’ll need to perform this while you are in possession of both devices, before your watch is stolen or misplaced. If you fail to make this change now, you cannot make this change after it is stolen. You can only mop up the mess.

Reactive Measures — My Apple Watch has been stolen!

If you leave the Unlock with iPhone setting enabled, anyone wearing your watch will see it unlock as soon as you unlock your iPhone if they are still in connection range (possibly 30 feet or so, but could be farther). So, you realize your watch is missing and the first thing you think is, “I need to delete my Apple Watch from my phone”. However, merely by unlocking your phone, you may have just given the thief access to your watch and to anything on that watch, including your Apple Pay credit cards. This means they can activate the NFC on the watch and skim those card numbers off, or even use them to make charges in shops around the area, possibly for the entire day until you remove the cards from the Wallet. This gives the thief access to the Wallet and your credit cards until the watch runs out of battery or locks again once taken off, or until you have removed the cards from Apple Pay and marked the watch as missing.

It’s very important to understand exactly how exposed you are by using Apple Pay on the Apple Watch with the Unlock with iPhone feature enabled. But, you have to know that the watch is stolen before you can take these measures.

Protecting Yourself

What do you do after it’s stolen?

Assuming you know that the watch has been stolen, the first thing you should do, before unlocking your iPhone, is disable Bluetooth and WiFi. How do you do this? At the Slide to Unlock screen, do not unlock the phone. Instead, swipe up from the bottom of the screen to the top. This brings up the quick access menu that lets you manage items like WiFi on/off, Airplane mode on/off, Flashlight on/off and, yes, Bluetooth on/off. From the quick access menu, disable both WiFi and Bluetooth before ever unlocking your iPhone. Because the Apple Watch relies on Bluetooth and apparently an ad hoc WiFi connection, with both disabled the signal that you’ve unlocked won’t be sent to your nearby watch. It doesn’t seem to send this signal when your phone is on a carrier LTE or 4G data network. However, disabling Bluetooth or WiFi alone is not enough. The Watch can still connect to the cloud if it is close to a WiFi network it knows about. If you’re out on the street, that’s not likely. If you’re in or near your hotel, it might.

If you are not sure where your watch is, you should disable WiFi and Bluetooth before unlocking your iPhone. Once you’ve disabled WiFi and Bluetooth, go into Watch app=>My Watch=>Apple Watch and then Mark as Missing (making sure you have access to an LTE or 4G data network). You will not be able to disable the Unlock with iPhone feature while the watch is locked, even if you re-enable both WiFi and Bluetooth. In fact, if you do enable WiFi and Bluetooth, the app seems to remember the last unlock for some period of time and will pass that unlock to the watch to unlock it. You don’t want to do this.

Whatever you do, don’t enable WiFi and Bluetooth until you’ve selected Mark as Missing under the Apple Watch menu. The last thing you want to happen is the iPhone to send an unlock signal to your watch.

Didn’t notice the watch was missing?

If you’ve left the watch in a hotel room, at the pool or on the beach, you may have inadvertently unlocked the watch for a thief while you did not know the watch was missing. In this case, you should immediately Mark as Missing (see above). The second thing you will need to do is go into Wallet & Apple Pay and remove all credit cards from there. This deauthorizes the cards from Apple Pay and prevents the watch from making any further purchases with your cards.

Because Apple Pay creates a unique new Apple Pay card ID for each card, the thief won’t get access to your actual card number. But, a thief can still skim these unique numbers from the NFC and continue to use the numbers as long as you have not removed the card from the Wallet and Apple Pay menu. See ‘Thievery at its finest’ below for a caveat on skimming of NFC Apple Pay card numbers.

You should also call all of your credit card companies and let them know the period of time the watch was lost. While replacement of the cards is not necessary due to the way that Apple Pay registers new card numbers for use, it might still be a good idea just to be safe.

Forever losing things?

If you’re one of those people who is prone to losing or misplacing your stuff (especially things like Watches), then you need to head back up to Preventative Measures and disable Unlock with iPhone while you still have both your iPhone and Apple Watch in your possession. In fact, you can do it now while I wait here… patiently… for you to open up Settings on your iPhone… and disable Unlock with iPhone. Yes, you. Go do it now.

Okay, so now that that’s done. You did go do it, right? Okay, just checking. Assuming you didn’t lie about disabling it, there is no way a thief can get access to your Apple Watch by being in proximity of your iPhone if stolen or lost (i.e., like at the beach or at a pool).

If you are the type of person who loses things regularly, you might not even want to enable Apple Pay on the watch at all. Though, if you have a credit card on file for iTunes, Apple tries to be nice and imports this card into your watch on your behalf after its first setup. You should immediately go into the Watch app on your phone and remove that card. You can always add it back if you like.

Thievery at its finest — (the thief who returns most of what is stolen)

If you take your watch off by a pool, at the beach or any place where you might not want your watch damaged, a would-be thief could ‘borrow’ your watch just long enough to NFC skim all your cards off of the device (after waiting for you to unlock your phone), then carefully return the watch to you. He now has all your cards and you aren’t even the wiser that the watch was ever missing.

Before this happens to you, you should disable Unlock with iPhone. Though, if you’re concerned about the credit card situation at all, you might just want to delete all the cards from your Apple Watch entirely and not use the watch for Apple Pay. Even if a thief attempts to skim your card data from your watch, they won’t be able to do it if the cards aren’t there. However, if you do choose to use Apple Pay with your watch, as a security measure I’d suggest removing and re-adding the cards once every couple of months. Better, once a month. This forces your bank to issue a new unique Apple Pay card number for each credit card, which invalidates any old Apple Pay unique card numbers that may have been skimmed from your watch.

You should always remove and re-add your cards if your Apple Watch has been out of your possession for any period of time.

The Takeaway

Hopefully, by reading this article, someone doesn’t end up taking more than your Apple Watch from you. The takeaway from this article should be to secure your device by undoing stupid Apple counter-security measures. Disable Unlock with iPhone in the Apple Watch app. Remove unnecessary cards from Apple Pay. Better, don’t use Apple Pay on the watch if you’re prone to losing things. If you’re planning on wearing the watch, don’t take it off your wrist.

I can’t even believe that Apple would stoop to putting such an obvious security hole onto a device capable of storing credit card information (even if the numbers are unique to Apple Pay). If an Apple Watch could reliably identify my wrist from someone else’s 100% of the time, then this feature might be worthwhile. Because the Apple Watch can’t detect whose wrist it is currently sitting on, this is a security compromise just waiting to happen.

Amazon Kindle: Buyer’s Security Warning

Posted in best practices, computers, family, security, shopping by commorancy on May 4, 2012

If you’re thinking of purchasing a Kindle or Kindle Fire, beware. Amazon ships the Kindle pre-registered to your account in advance, while the item is being shipped. What does that mean? It means that the device is ready to make purchases right from your account without being in your possession. Amazon does this to make it ‘easy’. Unfortunately, this is a huge security risk. You need to take some precautions before the Kindle arrives.

Why is this a risk?

If the package gets stolen, not only does it become a hassle to get the device replaced, it also means the thief can rack up purchases for that device from your Amazon account on your registered credit card without you being immediately aware. The bigger security problem, however, is that the Kindle does not require a login and password to purchase content. Once registered to your account, the device has already been given consent to purchase without any further security. Because the Kindle does not require a password to purchase content, unlike the iPad which asks for a password to purchase, the Kindle can easily charge content to your credit card without any further prompts. You will only find out about the purchases after they have been made, through email receipts. At that point, you will have to dispute the charges with Amazon and, likely, with your bank.

This is bad on many levels, but it’s especially bad while the item is in transit, until you receive the device in the mail. If the device is stolen in transit, your account could end up being charged for content by the thief, as described above. Also, if you have a child you would like to let use the device, they can also make easy purchases because it’s registered and requires no additional passwords. They just click and you’ve bought.

What to do?

When you order a Kindle, you will want to find and de-register that Kindle (it may take 24 hours before it appears) until it safely arrives in your possession and is working as you expect. You can find the Kindles registered to your account by clicking (from the front page while logged in) the ‘Your Account->Manage Your Kindle’ menu, then clicking ‘Manage Your Devices’ in the left side panel. From here, look for any Kindles you may have recently purchased and click ‘Deregister’. Follow through any prompts until they are unregistered. This will unregister that device. You can re-register the device when it arrives.

If you’re concerned that your child may make unauthorized purchases, either don’t let them use your Kindle or de-register the Kindle each time you give the device to your child. They can use the content that’s on the device, but they cannot make any further purchases unless you re-register the device.

Kindle as a Gift

Still a problem. Amazon doesn’t recognize gift purchases any differently. If you are buying a Kindle for a friend, co-worker or even as a giveaway for your company’s party, you will want to explicitly find the purchased Kindle in your account and de-register it. Otherwise, the person who receives the device could potentially rack up purchases on your account without you knowing.

Shame on Amazon

Amazon should stop this practice of pre-registering Kindles pronto. All Kindles should only register to the account after the device has arrived in the possession of the rightful owner. Then, and only then, should the device be registered to the consumer’s Amazon account as part of the setup process using an authorized Amazon login and password (or by doing it in the Manage devices section of the Amazon account). The consumer should be the sole party responsible for authorizing devices on their account. Amazon needs to stop pre-registering devices before the item ships. This is a bad practice and a huge security risk to the holder of the Amazon account who purchased the Kindle. It also makes gifting Kindles extremely problematic. Amazon, it’s time to stop this bad security practice or place more security mechanisms on the Kindle before a purchase can be made.


Stupid Security Measures: autocomplete=off – How To Turn Off or Disable

Posted in banking, security, technologies by commorancy on April 16, 2012

While I’m all for some browser related security, this one feature is completely asinine because it’s so unpredictable, uncontrollable and stupidly implemented. This is the complete opposite of what anyone should expect from a quality user experience. Let’s explore.

What is auto-completion?

Most browsers today will automatically fill forms and password fields from locally saved browser login and password information (usually the field is yellow when automatically filled). This is called autofill or autocompletion. I admit that storing passwords inside a browser is not the smartest of ideas, especially if the account happens to be connected to your bank. With that said, it is my choice. Let me emphasize this again loudly. Saving passwords IS MY CHOICE! Sorry for yelling, but some people just don’t listen or get this… hello Chrome, Firefox and IE, you guys (especially Chrome) need to take notes here.

So what’s this autocomplete=off business?

As a result of autocompletion, the browser creators have decided to give web site creators the ability to disable this mechanism from within their own web pages. So, when they create forms, they can add the attribute “autocomplete=off” to the form, which prevents the browser from storing (or offering to store) passwords or other sensitive information. This would be fine if the browser still gave the user the choice. It doesn’t.

I’m fine with browsers trying to prevent stupid behavior from users, but always provide an override. Never implement features like this, however, at the expense of a frustrating and inconsistent browser experience. This is exactly what autocomplete=off does. Why? The browser doesn’t give the user control over this web page mechanism nor does it even warn of it. If the site sets this flag on their form, the browser won’t offer to store anything dealing with this form. That’s fine IF I can disable this behavior in the browser. I can’t. As I so loudly said above, this is MY choice. Make this a preference. If I want to store logins and passwords for any site on the Internet, it’s my choice. This is not Chrome’s choice or Wells Fargo’s choice or any other site’s choice. If you offer to store and save passwords, you need to let me do it under all conditions or don’t offer to do it at all. Don’t selectively do it based on some random flag that’s set without any warning to the user.

Inconsistent Browser Experience

When autocomplete=off is set on a form, there is no warning to the user that this value is set. The browser just doesn’t save the password. You have no idea why; you don’t know what’s going on. You expect the browser to offer to save and it doesn’t. This just makes the browser look broken. And, frankly, it is. If the browser can’t warn that autocomplete=off is set by the site, whether by changing the color of the bar, flashing, an icon or some other warning mechanism (like the lock when https is in use), the user experience has been compromised and the browser is broken. This affects not only Chrome, but IE, Safari and Firefox. Yes, this is extremely bad browser behavior. It’s also a step back in time to before web 2.0, when the browser experience became more positive than negative. We’re heading back into negative territory here.

Browser Developers Hear Me

Not warning the user that the experience is about to change substantially is not wanted behavior. For auto-completion, we already have mechanisms to shut it off entirely. We have mechanisms to exclude sites from saving credentials. Why do we need to change the browser experience just to satisfy Wells Fargo or some other site? I’m all for letting these sites set this flag, but just like overriding bad certificates at https sites, users should be able to override autocomplete=off. There is no need to break the browser experience because you want to allow sites to stop the saving of passwords. No, again, hear me, it’s MY CHOICE. It’s not your choice as a developer. It’s not Wells Fargo’s choice. It’s not PayPal’s choice. It’s MY CHOICE. If I want to save passwords into my browser, allow me to always override this setting.

Hacks Galore

Yes, there are browser hacks available as browser extensions (Chrome or Firefox) to disable autocomplete=off on forms on sites. While these hacks work, they require updating, can break on browser updates and can be generally problematic under some conditions. No, this is an issue that firmly needs to be addressed in the core browser, not through clever browser add-on hacks. Let the sites set autocomplete=off, that’s fine. But, warn me that it’s turned on and let me override it. I shouldn’t need a hack to fix a bug in the browser.

Always Warn of Browser Experience Changes

Why am I coming down on this issue so hard? Because this is a completely crappy implementation of this feature. Why? Because it breaks the user’s browsing experience without any warning. If the page is attempting to prevent me from saving credentials, then this information should be marked clearly in the browser somewhere. Perhaps by adding a special icon to the address bar indicating that credential saving is not allowed on this site. Then, when I click that small icon, I should be able to override this behavior immediately. Again, it is my choice whether to store passwords in the browser. There should never be any de facto security mechanism which cannot be overridden by a user control. Never!

If the user chooses to do something stupid, that’s the user’s choice. No, it’s not a bank’s, Chrome’s or any other company’s responsibility to ensure the safety of user data. It’s entirely the user’s responsibility, and those choices should be left completely up to the user to decide, for better or worse.

[Update] Safari is now warning when autocomplete=off is set on a page. Safari now tells you that the site you are visiting doesn’t allow saving of passwords. Bravo to at least Apple for getting this one right.

I have also found that Firefox with the Greasemonkey plugin and this Greasemonkey script works best for completely disabling all pieces of autocomplete=off. While the extensions mentioned above do at least allow saving passwords, they don’t always allow autocomplete to work. This means that if you want to see your credentials auto-populate into the fields on page load, you may have to use Greasemonkey instead. I have found that the Greasemonkey solution is the most complete at disabling autocomplete=off. The reason this works is that Greasemonkey actually removes the autocomplete=off pieces from the page before Firefox renders it. The other plugins just tweak the browser to ignore the setting for password saving, but it still exists in the page source and, thus, the pieces that manage the autocomplete parts are left unhandled. So, those pieces still don’t populate the fields.
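As an added illustration of the userscript approach described above (this is not the Greasemonkey script the post refers to, and not the browser’s own code), the function below walks the page and replaces every autocomplete=off on forms and fields with autocomplete=on, so the browser’s own password manager is free to offer saving and filling again. It takes the root node as a parameter so it can be exercised outside a browser; in a userscript you would call it with `document`, and the MutationObserver hook catches login forms that a site renders after page load.

```javascript
// Added example: override autocomplete="off" from the user's side so the
// browser's password manager and autofill behave the way the user chose.
// `root` is assumed to be a DOM node (document, in a userscript).

// Forms and fields that carry an explicit autocomplete attribute. The form-level
// attribute matters because fields without their own value inherit it.
const AUTOCOMPLETE_SELECTOR =
  'form[autocomplete], input[autocomplete], textarea[autocomplete], select[autocomplete]';

// HTML treats the attribute value case-insensitively; only "off" disables autofill.
function isOff(value) {
  return value !== null && value.trim().toLowerCase() === 'off';
}

// Replaces autocomplete="off" with "on" under `root`. Returns the number of
// attributes changed so callers (and tests) can see what happened.
function stripAutocompleteOff(root) {
  let changed = 0;
  for (const el of root.querySelectorAll(AUTOCOMPLETE_SELECTOR)) {
    if (isOff(el.getAttribute('autocomplete'))) {
      // Setting "on" rather than removing the attribute keeps the element's
      // behaviour explicit and overrides any form-level "off" it would inherit.
      el.setAttribute('autocomplete', 'on');
      changed++;
    }
  }
  return changed;
}

// Login forms injected by script after page load would escape a single pass,
// and some sites flip the attribute back to "off" from their own scripts, so
// re-run on DOM changes. Returns null where MutationObserver is unavailable.
function watchForLateForms(doc) {
  if (typeof MutationObserver === 'undefined') return null;
  const observer = new MutationObserver(() => stripAutocompleteOff(doc));
  observer.observe(doc.documentElement, {
    childList: true,
    subtree: true,
    attributes: true,
    attributeFilter: ['autocomplete'],
  });
  return observer;
}

// In a userscript this runs once at document load; it is skipped outside a browser.
if (typeof document !== 'undefined') {
  stripAutocompleteOff(document);
  watchForLateForms(document);
}
```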

Security tip: Don’t sign-up for sites without ‘delete account’ function

Posted in data security, security by commorancy on April 2, 2012

As the security of data becomes more and more important and as security breaches become more and more frequent, the ‘delete account’ link becomes very important. So many sites today allow you to enter information such as credit cards, birth dates and other sensitive information, but many times they don’t allow you to delete that information (or your account) easily. In some cases, you can’t delete your data at all. It’s important to understand why it’s critical to have the option to delete your account (and all data associated with it). Let’s explore.

Account Security

Few people consider account security when signing up for an internet service like Facebook, Twitter, MySpace or even Yahoo or Google.  As more and more sites become victims of security breaches, without deletion of old dormant accounts, your data is sitting out there ripe for the picking.  In some cases, these accounts may have stored credit card, social security or other potentially sensitive or revealing data.  So, when you begin that sign-up process, it’s a good idea to check the help pages on how to delete your account information before you sign up.

Old Dormant Accounts

We all have them.  We signed up for a site 4 years ago and then either never used it or used it only a few times. Don’t leave old dormant accounts sitting unattended.  Delete them.  You don’t need some random hacker gaining access to the account or, worse, obtaining the password through a break-in to that site.  If they obtain an old password, it’s possible that they may now have access to all of your accounts all over the net (assuming you happen to use a single password at all sites).

If you are using a single password everywhere, change your passwords so that each one is unique. If you can’t do this, then find the delete button on all these old accounts. If you can’t remember what you’ve signed up for, then that’s beyond the scope of this article. Still, deletion is the best option for avoiding unintended intrusion into other important accounts, so delete old accounts.

No Delete Function?

Two ways to handle this one.

  1. Delete all data that you can from the account, then find a random password generator and change the password to a randomly generated password.  Do not keep a copy of the password and never use it again.  Basically, you have locked the account yourself.  If someone does access the account through the web, they won’t get anything.  If they break into the site and gain access to the passwords, they will get a randomly generated password that leads them nowhere.
  2. Contact the site administrator and ask to have the account completely deleted without a trace.  Sometimes they can, sometimes they can’t.  Depends on how the site was designed.  It’s always worth asking.

New Accounts at New Sites

When signing up for new accounts, if you cannot find a way to delete the account, then contact the administrator and explain that you would join the site but cannot find a way to delete the account when you no longer wish to have one. If they state that there isn’t a deletion function, explain to them that until they implement this function, you can’t use the site… and walk away. Note that there is nothing more important than your own personal data security, and you have to be the champion of that security because no one else will. If sites refuse to implement deletion functionality, then don’t use the site. There is no site functionality that is more important than your data security.

No Reason for Lack of Delete Function

In fact, there is absolutely no reason, other than sheer laziness, to not implement a delete function in any internet web site.  If it can be added, it can be deleted.  It’s very simple.  I know, some developers are going to say, “Well, it’s not that easy”.   That’s a total crock.  It is that easy.  If you have developed software that is incapable of deleting user account information, then you are either seriously inept as a programmer or you simply don’t understand what you are doing.  There is no excuse at all for not adding a delete function to any site (including deletion of a user account).  To my knowledge, there is no operating system or database that does not have the ability to delete data.  Not adding this feature is just not acceptable.  Always demand this feature if you cannot find it.

Pre-existing Site Accounts

I know that some of you may have joined sites ages ago when data security breaches were less common than today.  Back then, account delete functions may not have been available.  This may have been carried forward and these sites may still not have delete functions.  Demand that the developers add this functionality.  If you are an avid user, you should always demand this functionality.  You never know when something may change that may require you to delete your account at that site… like a data breach.  Security is important and your personal ability to delete your account is your right and should not be undermined.  Again, always demand this feature from the sites you frequent if it is not present.

I challenge you to visit all of the sites you regularly use and locate the delete account function. I’ll bet that more than 50% of the time, it’s not there. Demand that this feature be implemented if, for nothing else, than your own personal peace of mind in case you need it. It’s like the insurance policy you buy: this is the same thing. The delete account feature is your insurance policy to prevent unauthorized access whenever you need to exercise this option. However, you cannot delete your data if the functionality is not there, so always make sure the delete feature exists before you sign up.
