SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy-to-follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 170: A Great Big List + Home Insecurity

Posted on January 16, 2020

On this week’s Checklist, we’ll take a look at someone else’s checklist of security tips, plus we’ll talk about what happens when companies that don’t specialize in security decide to get into the security business.


Lifehacks for a hack-free life

The online magazine Lifehacker recently published a “complete guide” to avoiding scams. It’s a solid list — and regular listeners of The Checklist will probably recognize a lot of the advice, since it echoes things that we often say on the program. In what follows, we’ll take a look at the Lifehacker list and consider each point in turn, noting a few places where you might want to take their advice a step further than they suggest, and drawing attention to a couple of items that we found especially interesting.

  1. Never click on a link from your bank or financial institution

    The stakes are definitely higher where money is concerned, and so it’s a good idea to be especially cautious about emails from the bank. But we’d go so far as to say it’s best to avoid clicking on any links in unsolicited emails. You should definitely be wary of an email or text message that comes with a password reset link: If you didn’t request one, just delete it right away. If you need to get into the settings or messages area of an account, the best thing to do is to navigate to the website on your own in a new tab and then log in there, bypassing the link altogether. If you need to update your phone number or read a message from the customer care team, you’ll be able to do this from inside the secure account area. Even if you only click on links from people you know and trust, you should still be careful, since hackers will sometimes compromise people’s email or social media accounts and use them to send out phishing links to their contacts list.

  2. Don’t give out your passwords

    This one may seem a bit obvious — and yes, please don’t give out your passwords to anyone; they’re supposed to be kept secret for a reason. But keep in mind that this doesn’t just apply to strangers who call you claiming to be from the IRS. It also pertains to sharing passwords for online services with family and friends, which is something many people do without thinking twice about it. While your brother may be eager to watch the hot new series on Netflix, sharing login credentials is never a good idea. It increases the risk that these credentials may one day be lost if your friend or family member’s own computer is compromised, and it’s very difficult to know whether or not someone else is taking cybersecurity as seriously as you do!

  3. Use strong passwords and secret questions

    The importance of following best practices for passwords is something we’ve talked about numerous times. If you’ve listened to the Checklist before, you know that you should be using strong, unique passwords for all of your accounts. If you haven’t already gotten a password manager, give one a try — they’re life-changing. If available, you should also consider using two-factor authentication in order to make your accounts even more secure (and if a service doesn’t offer 2FA, bring the issue up with their customer service and feedback team and see if you can encourage them to do so).

    When it comes to secret questions, it’s probably best to avoid anything that a hacker could discover by searching through public records or websites. Things like your mother’s maiden name or your first pet aren’t good answers to secret questions at all. You may want to consider providing fake answers to common security questions in order to prevent someone else from figuring out the answer with a simple web search. This advice comes with a warning: Make sure that you yourself don’t forget these answers! Either write them down somewhere or pick something that someone else is unlikely to guess, but that you aren’t likely to forget — perhaps the first name of your favorite president.

  4. Don’t buy anything from unsolicited emails

    Most of us know not to buy discount Rolexes and sketchy weight loss supplements from strangers on the Internet. But you should also be careful about offers that appear to come from legitimate, well-known companies, because hackers have become remarkably adept at impersonating famous brands in their phishing schemes. Just because an email contains the familiar Amazon logo, color palette, and fonts, this doesn’t mean that it’s really from Amazon. Here again, the best thing to do is to navigate to the company’s website in your browser and look for the discounted products or special offers there.

  5. Watch out for job postings that seem too good to be true

    This one stood out to us as something that doesn’t get talked about enough. Unfortunately, there are some truly unscrupulous characters out there who are willing to prey on people who are just looking to do some honest work. The bad guys post ads for fake jobs that sound great, but turn out to be scams in the end. One telltale sign of these scams is that the “company” wants to do something seriously out of the ordinary for a legitimate employer, such as paying you through a money order or wire transfer. And if they ask you to make an initial deposit in their account in order to get paid, run the other way!

  6. Don’t give anyone your Social Security number

    This is good advice, in general. An online retailer should never have any reason to ask for your Social Security number. Banks and government agencies may, but you should still proceed with caution, as malicious actors may be attempting to use your Social Security number and other personal details to commit identity theft. If you receive an email claiming to be from a bank or financial institution that contains a link asking you to re-enter your Social Security number, that’s a pretty good sign that you’re dealing with a scam. Once again, the best thing to do is log in to the bank or organization’s website on your own, and then provide any required information from within the legitimate site’s settings or account information area.

  7. Use your browser’s security features

    Look at the lock icon in the address bar when you’re online to see if the website is protected by encryption. You can click the icon to check out the details of the site’s security certificate: Make sure the certificate belongs to the domain that you’re actually trying to visit! If you find a site with an out-of-date certificate, you may be at risk. Expired certificates may simply be the result of forgetfulness or an overstretched IT department, but you have no way of knowing if it’s something more serious, so don’t send any sensitive information over that site until they update their certificate.

    Your browser can also warn you about potentially risky downloads and help you avoid blacklisted sites known for malicious activity. If you see a warning from your browser telling you that a site you’re trying to visit may be a security risk, take it seriously!

  8. Ignore pop-ups telling you that your computer has a virus

    This is good advice, and we’d probably extend it to include all pop-ups: Nothing good is likely to come of clicking on them. If you encounter pop-ups trying to scare you by telling you “YOUR COMPUTER IS INFECTED!”, don’t click on them! These kinds of pop-up ads are common delivery vehicles for malware. The best way to deal with pop-ups is to get a good ad-blocker so that you can go online in peace, without being harassed by malicious pop-ups (or intrusive ads). Lastly, get a good malware detection and removal tool so that just in case you do click on a sketchy pop-up by accident, you’ll be protected.

 

Home security threats (mergers and acquisitions edition)

Charter Spectrum will be shuttering its home security business in early February, leaving many homeowners scrambling to find a replacement service in time.

Spectrum Home, a business acquired by Charter Communications as part of a 2016 merger, never seemed to be of much interest to the giant conglomerate — but this week Charter made it official with their end-of-service announcement.

As a result, devices purchased by former Spectrum Home customers — including cameras, motion sensors, window and door sensors, and touchscreens — will no longer support monitoring or remote access.

Spectrum is offering promotional deals to its customers with home security providers Abode and Amazon Ring. The latter option may hold limited appeal, however, due to the numerous privacy and security concerns about Ring — as well as Amazon’s recent admission that it had to fire several employees for attempting to access customer video data without authorization.

Apple’s HomeKit may one day provide a better alternative, but for the moment, it still lacks several compatible smart home devices that many consumers are looking for, like thermostats and doorbells. The limited range of products available to HomeKit users may be, in part, a result of Apple’s own rigorous standards: the development bar set by Cupertino may simply be too high for many device manufacturers.

All of this is a good reminder of two very important things to bear in mind when shopping for “smart” home security services.

First, as the case of Ring shows us, remember that any time you’re relying on a cloud-based service to process and store sensitive data, that data is potentially visible to the company’s employees. It pays to consider a company’s culture, track record, and commitment to privacy when deciding to trust them with your data — especially if it’s something like video of your home.

Secondly, the case of Spectrum Home is a good lesson in the importance of doing a sanity check when purchasing services or products involving networked devices. In particular, think about the likelihood that the company may one day decide to discontinue support for your smart things, leaving you with a “dumb” device with limited functionality. For things like home security, a dedicated provider specializing in that service may be a better long-term bet than a company which only recently decided to add security to its offerings. It’s also worth asking whether or not the devices provided by a company as part of a security service are potentially compatible with other devices and services. If they are, then at least if your provider ever decides to close its doors, you may still be able to use your IoT things with someone else.

That brings us to the end of this week’s Checklist, but we have much more in store in the weeks ahead, so be sure to join us and, as always, write to us if you have a security question or would like to hear something discussed on the show.
