Posts by admin2fsa

What Your Smart Phone Told Your Rental Car

If you are accustomed to using your smart phone with your own car, you may not think twice about connecting it to a “smart” rental car with an infotainment system. However, the Federal Trade Commission (FTC) warns that connecting to a rental car, even just to charge the phone, may transfer your personal information to the car—information that stays there even after you have returned the car. That means that anyone who later has access to the infotainment system will also have access to your contacts, call logs, messages and GPS locations, including where you work or where you live.

Of course, one way to protect your data is not to connect. However, you do not have to forego using the navigation system, making calls or listening to your favorite music in the car to protect your privacy. The FTC suggests the following steps to keep your personal information safe:

- If you only need to charge your phone, do not use the car’s USB port. Use a charger connected to the cigarette lighter (when available) because just connecting to the USB port may transfer data automatically. Additionally, an article in USA Today recommends using an auxiliary cable to connect the headphone port on the phone to the car’s audio system instead of using Bluetooth pairing.
- Check your permissions. When connecting your device to a car, the system may give you options regarding what information it may access. Only grant access to the data you believe is needed. It does not need to access your contacts to play music, for example.
- Delete your data from the car’s system before you return the car. Access the infotainment system’s settings menu, locate your device on the list of paired devices and delete it. Or look for an option to delete all user data or reset to the original factory settings. USA Today recommends clearing your history from the car’s navigation system.

Our interconnected devices are convenient, but we need to be mindful of who is allowed to access our personal information and where it is...

Staying Secure in the Cloud

Storing personal data in the cloud using Google Drive, Apple iCloud, Dropbox and other services has many advantages, but it also comes with risks. You can access your files from almost anywhere, but are they also more vulnerable to hackers and other bad actors?

The first step in cloud computing is choosing the service that meets your needs. Boston University Information Services & Technology makes the following recommendations:

- Determine what their security standards are. Are you willing to trust them with your data?
- Decide how much storage space you need. Most charge based on the file volume you store.
- Make sure that your browser or app requires an encrypted connection before you upload or download your data. Look for the “https://” or the padlock beside the URL in your browser.
- Read the terms of service to learn if your data will be stored encrypted. If it is stored on the cloud server without encryption, anyone with high-level access to that server will be able to read your files. This may not be an issue for many files, but you should carefully consider what kind of information you are storing in the cloud and whether you are comfortable with the possibility of persons you don’t know accessing it. Sensitive or legally protected data should not be stored in the cloud unless it is encrypted and only you or your representative can decrypt it.
- Understand how access to your cloud folder is shared. Several cloud storage providers allow you to share access to your online folders with other people. Be sure you know in detail how this works. Can they read only or can they change the file? Will you know who changed a file last? Does the service allow you to make files public? If you do make files public, are your personal details (name, account, email, etc.) attached to that file if a stranger looks at it?
- Ask what your options are if the cloud provider should be hacked or if they lose your data. In most cases, the terms of service give you little or no recourse if something bad happens. Know what the terms of service are.

Tech consultant Triona Guidry suggests that some consumers may wish to use “Do-It-Yourself Clouds,” setting up their own servers and accessing their data however they choose. Although Guidry says that the necessary hardware is “available at any big-box electronics store,” setting up a cloud server (and bearing full responsibility for the security of the server) may be more than most consumers want to take on. It is an option, though, for tech-savvy consumers who want full control of their data.

Once you have decided to store data in the cloud, you need to establish strong security for your files. The SANS Institute suggests that you follow these guidelines to keep your data secure in the cloud:

- Use a strong, unique passphrase to secure your account.
- If the provider offers two-factor authentication, use it.
- When you share files, make sure you know who will have access, and only provide access to those who require it. Do not enable sharing by default.
- Although some cloud services allow you to give access to files by providing a web link, this is not secure. When you send someone a link to a file in your cloud account they can share it with others without your knowledge or consent. It could even show up in search engine results.
- Understand the available security settings and use them appropriately to control who can access your files and what they can do with them. Do you want users who share access to your files to have read only access, or will they be able to modify the files as well?
- Keep a current version of antivirus software on any devices used to share your...

What the IRS is Doing to Protect You From Tax Fraud

The good news for taxpayers is that the Internal Revenue Service and private companies are making changes that are successfully thwarting tax fraudsters. IRS Commissioner John Koskinen reported that the number of people who reported being victims of tax identity theft was down more than 50% through the first nine months of 2016. This was due to a combination of changes in tax filing software that prevented fraudulent returns from being submitted and security practices put in place by the IRS to authenticate returns before issuing tax refunds. Even better news is that steps planned for 2017 should reduce the incidence of fraud even more.

Tax refund fraud had been increasing year after year, primarily because it was easy to pull off. According to Fraud magazine, “Thieves can simply make up phony wages or other income, submit the information electronically and receive the fraudulent refund via mail or direct deposit within a month. Of course, the IRS keeps records of earned wages and other types of taxable income reported by taxpayers’ employers and other organizations. However, the IRS doesn’t match these records to information submitted electronically by identity thieves until several months after it issues refund checks.”

Information sharing by the IRS and state tax agencies, as well as private tax preparers and software companies, enabled the IRS to stop many fraudulent refunds from being issued and even stop fraudulent returns before they were filed. That process will be expanded with the launch of an Identity Theft Tax Refund Information Sharing and Analysis Center which will enable the IRS, state tax agencies, tax practitioners and software companies to share information and identify trends in identity theft.

Even more changes are in store for 2017 when “trusted customer” practices will be implemented, including:

- Thirty-seven new data elements will be transmitted by the tax industry with every tax return. These data points will provide authoritative proof that a tax return is being filed by the real taxpayer. The specifics of these data elements will not be announced to the public.
- Tax preparers will also transmit 32 data elements from business tax returns to extend identity theft protections to business filers as well as individuals.
- More than 20 states are working with the financial services industry to create a program to flag suspicious refunds before they are deposited into taxpayers’ accounts. They are improving efforts to be sure that refunds go into the real taxpayers’ accounts and not to fraudsters.
- The Form W-2 Verification Code initiative, which was started by the IRS last year, will expand to 50 million forms in 2017 from 2 million in 2016. This involves entering a 16-digit code to verify Form W-2 information when the return is prepared by the taxpayer or tax preparer.
- Software password requirements will continue to be improved by software providers for individual taxpayers and tax preparers, providing additional safety before the return is filed.

Some taxpayers may experience a delay in receiving their refunds due to increased scrutiny of tax returns, especially those claiming the Earned Income Tax Credit or the Additional Child Tax Credit. IRS Commissioner John Koskinen said tax filers and tax professionals “should file as they normally do, so they don’t add to any delay already in the...

How Webcams and DVRs Took Down Netflix and CNN

In October 2016, hackers exploited unsecured networks and used webcams, DVRs and other Internet-connected devices to launch a massive Distributed Denial of Service (DDoS) attack that brought down nearly 80 websites including Netflix, CNN and Pinterest. A DDoS attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. This attack was unusual in that it used tens of millions of IP addresses to attack a Domain Name System (DNS) company that directs users to major websites instead of directly attacking the targeted websites. DNS converts the website name entered into a browser (e.g., http://www.netflix.com/) into machine-readable IP addresses such as 52.72.161.241.

These hackers used devices infected with the Mirai malware to carry out the attack. According to Wired, “Mirai is a type of malware that automatically finds Internet of Things (IoT) devices to infect and conscripts them into a botnet—a group of computing devices that can be centrally controlled. From there this IoT army can be used to mount DDoS attacks in which a firehose of junk traffic floods a target’s servers with malicious traffic.”

The Internet of Things (IoT) connects everything from cameras and DVRs to thermostats and smart lightbulbs to the Internet, often with little or no security. This lack of security, and the fact that there are billions of these devices connected to the Internet, makes the IoT a powerful weapon for the bad guys. Many of the IoT devices used in this attack were made by a Chinese company called XiongMai. These devices use a default password which is easily compromised by malware, a trait shared with many other IoT devices.

Although it is probably not possible to stop all IoT devices from being compromised, there are steps consumers can take to protect their devices. NextAdvisor recommends that users always change default passwords when connecting a new device to the Internet, always use a password-protected Internet connection and pay attention to recalls of IoT devices. According to KrebsOnSecurity, even these steps will not solve the problem in many cases and it will be up to manufacturers to make devices that are more...

Cyber Security Awareness Month

October is Cyber Security Awareness Month. Financial Services Association is sharing the U.S. Department of Homeland Security “Stop. Think. Connect.” campaign to raise awareness of cyber threats and provide practical tips and tools to improve online safety and make you, your family, and your workplace more secure.

At work and at home, one of the first lines of defense is a strong password. Here are some tips to create strong passwords:

- Don’t use passwords that are based on personal information that can be easily accessed or guessed.
- Don’t use words that can be found in any dictionary of any language.
- Develop a mnemonic for remembering complex passwords, such as “My son went to Harvard in 2012!” That password would be MswHi12!
- Use both lowercase and capital letters; use a combination of letters, numbers, and special characters.

Throughout the month, look for additional communications that will outline ways to protect yourself and Affinion. For more information on Cyber Security Awareness Month, visit http://www.dhs.gov/stopthinkconnect or http://www.stcguide.com/. ...
