Gone Phishin’

About ten years ago, I met one of my closest friends through a mutual acquaintance.  Other than a love for sports and food, we have very few other interests in common, but we are still great friends.  I am the white collar part of the friendship.  I have a background in computers, but I am not mechanically inclined.  The most important thing I learned in wood shop and auto shop was that I should leave anything that gets your hands dirty to the professionals.  My buddy, Jim, is the blue collar part of the friendship.  He likes to attempt his own repairs around the house and would never stoop as low as to hire a contractor.  On the other hand, his self-taught computer skills are seriously lacking.  This is only compounded by his complete trust of anything he sees in his email or on the internet.  “I’ll just click on this and see what happens!”

One day Jim comes to me in a panic.

Jim: “Somebody just called from Wells Fargo to let me know there are a bunch of suspicious charges on my account.  They said they think I was fishing or something.”

Me: “They mean phishing which is spelled p-h-i-s-h-i-n-g.  They think you clicked on a link in an email that took you to a fake web site.  Once there, you logged in with your user ID and password and the thief now has access to your real account.  They were ‘phishing’ and hooked you.  Am I right?”

Jim: “NO!  … well  … maybe.  I don’t know!  I got an email from Wells Fargo that says I needed to update my personal information or I would lose access to my account.  Was that it?”

Me: “Yup.  What did the bank say?”

Jim: “I have to go to the bank tomorrow and get all new bank cards.  What a hassle!  I am not happy with Wells Fargo!”

Me: “I think you have this all wrong.  Wells Fargo saved your ass.  They are the ones who called you to say you had been hacked.  You should be thanking them.  They will likely have you change your password for your online account.”

Jim: “Why?  They are the ones who sent me the bogus email in the first place!”

Me: “No.  That email was created by the thief who is trying to pilfer your account.  It must have looked pretty good since you clicked on it.”

Jim: “I don’t get it.  Why would anyone take the time to do that?”

Me: “Think of it as bait and you are the fish.  They got you which made it all worth their time.  Bottom line… never click on a link in an email that requires you to login to a web site.  Just assume they are all bad.”

Jim: “Where is all this information… in my computer manual?  How am I supposed to know that?”

Me: “I know it doesn’t seem fair, but you got taken.  Let’s sit down one night and I’ll teach you about phishing, viruses, malware, hacking, and all the other dangers of computing.  No offense, but you use your computer like a teenage girl uses a car.   You need to do the care and feeding work so you don’t get taken again.”

First off, I am not ‘better’ or ‘smarter’ than Jim.  I know a lot about this stuff because I work in the industry and… I have fallen into the same traps myself.  Yes, I too have clicked on phishing links and inadvertently shared my logon and password with… ‘phishermen’.  And yes, I have also had to spend time on the phone with my bank, closing out credit cards and having them reissued.  I then had the pleasure of contacting all the vendors who had my old credit card on file so I could have that information updated.  It was time consuming, frustrating, embarrassing, and… a great lesson learned.  Jim needed the little lecture I gave him just as he would have given me a similar lecture had I not changed my oil or checked the tire pressure on my car.

Since that time, Jim has experienced the pain of phishing more than once.  I think my teaching sessions were helpful, but he still has that ‘tinkering’ gene in him: “What happens if I click here?”  It is people like Jim that the phishermen are counting on.  They prey on your trust and ignorance.  The aftermath shows an angry customer (Jim) trying to clean things up with vendors, banks, and ISPs.  In the end, who is responsible for making sure Jim is educated in how to use his computer and the internet?  I believe there is joint responsibility amongst the vendors who sell on the internet, the ISPs who provide internet access, and the customer to protect each other from the threats.

The Unforgettable Password

I recently reviewed for a second time an email joke sent my way a few months ago.  Initially, it got the intended chuckle out of me, but now that I am reading it again, it reminds me very much of my mother who works very hard to make all this ‘new technology’ work for her.  First, let me tell you the joke and then I’ll tell you how it applies to my mom.  Picture two grandmothers, Mildred and Betty, sitting on a park bench and having a nice chat about their everyday life.  The subject eventually comes around to computers.  Betty says, “My memory really sucks Mildred, so I changed my password to ‘incorrect’.  That way when I log in with the wrong password, the computer will tell me… ‘Your password is incorrect.’”

Betty is pretty sharp!  She has a built-in password reminder!  Betty reminds me of my own mother in so many ways.  My mother is in her mid-70’s, but wants to participate in the new technology and tries hard to understand ‘this new way of thinking’.  As I taught her computer basics back in the late 90’s, she decided that she would only need an email program, a web browser, and a word processor.  It was hard for me to argue.  I loaded up her laptop with just those programs she needed and she used them for several months. During my next visit, we sat down to talk about security and the initial conversation went something like this:

ME: “Mom, I think you should use a user ID and password to protect your computer.”

MOM (looking at me like I am from another planet):  “Why do I need a password?  If my computer gets stolen, how is a password going to help me get it back?”

ME: “We are not attempting to prevent your computer from being stolen.  Just like your TV, if it gets stolen, you likely won’t get it back.  The password will protect any personal data that you put on the computer so that it doesn’t fall into the wrong hands.”

MOM (increasingly annoyed):  “What personal data do I have on the computer?  What could a thief do with any of that stuff?  I thought this was all going to be easy!”

ME:  “Have you purchased items from web sites before?  Have you shared personal information with others like your Social Security Number, your credit card number, and your Driver’s License information in your emails?  Are you worried that any of this will fall into the wrong hands?”

MOM (snickering):  “I would worry more about your father getting into the computer and mucking things up.  The last thing I need is for him to try to use the computer.  I’m sure he’ll break it and then I won’t be able to find my things anymore.”

ME (laughing):  “I guess I can see why you think he is your threat to national security, but you really have bigger problems.  If a thief gets your credit card information, they can start making online purchases in your name and there is nothing you can do about it.”

MOM (surrendering):  “Fine!  What do I have to do?  It better not be complicated!   I don’t have all day to learn this stuff.  I want to get in, do my stuff, and get out.”

ME (sarcastic): “Yes, I certainly wouldn’t want you to enjoy your experience.  Don’t worry… I’ll set you up a user ID and password.  You’ll enter those once each day when you start up your laptop.  It will take you five seconds.”

MOM:  “Smart ass!  What if I forget these things?  How will I get to my stuff?”

ME: “Write them down and store them in a safe place away from your computer.”

MOM (incredulous):  “Why would I do that?  Why wouldn’t I keep them right next to the computer for when I need them?  I just can’t see digging around looking for this stuff every day.”

ME: “If you store your user ID and password right next to the computer, it is like leaving the keys to your car stuck in the door!  You are making it easy for the thief.”

MOM:  “Okay. . . I get it.  Let’s get this over with.”

We finally got her new security features in place and she assured me she understood the need and would be diligent moving forward.

Upon my next visit a few months later, I found a sticky note on her laptop with the user ID and password written upon it.  I decided that I would ignore the sticky note and enjoy my visit.  I had done what I could.  My mother and Betty have a lot in common.

More Things I Gotta Remember

I don’t need to tell you that if you do any shopping online, you have had to go through the process of setting up an account for yourself at each vendor you shop at.  Initially, this made sense to me.  I can store my personal information in a protected area so that the next time I come back to shop, all my information is there and I can check out faster.  By putting in the extra time the first time I shop at Bob’s Beef Emporium, all my future visits would be made more convenient for me.  Bob’s Beef Emporium cared enough about me to make my shopping experience less painful.

Next came the advent of online theft and vendors had to respond.  Soon I was asked to perform additional steps to gain access to a store.  Simply providing my user ID and password was no longer enough to gain entry.  At some online stores, I had to identify a previously selected picture as the one of my choosing before I was asked to enter anything else.  They explained to me that if I couldn’t identify the ‘red coffee cup’ or the ‘yellow horse’ as the item I selected during my account setup, then I could be logging into a fake storefront.  That’s kinda scary!  Thieves could be farming my personal information by imitating an online vendor.  At other stores, I had to select security questions and provide the answers.  Why?  These could be used to provide an added layer of protection to prevent my account from being compromised.  Remember when I talked about convenience in the last paragraph?  Now this was starting to become a hassle.  Still, all things considered, I decided that shopping whenever I want from wherever I wanted still outweighed the hoops I was being asked to jump through.

Recently, another one of those ‘layers of security’ has popped up on some sites.  Kohl’s department stores are becoming more and more prevalent in California these days.  They offer low-priced quality clothing, bedding, kitchen ware, and other home items.  They are always having sales and reward their frequent shoppers with steeper discounts.  Being on the internet was a natural progression for them.  Even if you live close to Kohl’s, sometimes they offer better deals on the web.  When you first get to Kohls.com, you get to set up an account just like any other site.  This is called your ‘Shopping Account’.  As with most sites, Kohl’s encourages their customers to ‘Go Green’ and eliminate the need for them to send you paper statements each month.  Being a good citizen, I comply. Kohl’s then emails me to inform me I need to set up a second internet account… my ‘Charge Account’.  This is the account I use to pay my bills.  It is separate from my ‘Shopping Account’ and requires a separate user ID and password.  The ‘Charge Account’ requires that I duplicate all the personal information I have already entered in the ‘Shopping Account’.  I cannot pay my bills via my ‘Shopping Account’ and I cannot make purchases via my ‘Charge Account’.  What?  Really?  Why? … to provide another layer of protection.

I still think the internet is the place to shop, but the scales are tipping back in the other direction, the one where I actually go to the store.  The vendors say they are adding all these layers of protection for my benefit and safety, but how much is too much?  At Kohl’s, I get to remember the details for two separate accounts and several security questions.  What’s next … fingerprinting and eyeball scans on my touch screen?  I just want to buy a pair of socks!

The Lost Wallet

If you have never lost (or had stolen) your purse or wallet before, congratulations!  You have either been super lucky or incredibly diligent in looking after your possessions.  Those of you who have been through this tragedy before are more the norm.  For whatever reason, the vessel that contains your ‘life’ is no longer in your possession and you are now awash in feelings of panic, fear, and anger.  In my case, all of the following thoughts raced through my mind:

  • How long do I keep looking for my wallet before I give up and start trying to replace items?
  • What was in my wallet to begin with… debit/credit cards, driver’s license, social security card, cash, pictures, memberships, punch card at the yogurt shop?
  • Who do I call regarding each item in the wallet?
  • Will the credit card companies forgive any charges made by thieves?
  • How long will it take before I get replacements and what do I do in the meantime?
  • How was my wallet lost or stolen in the first place and what stupid actions or inactions on my part led to the event?

Once I made the determination that the wallet was indeed gone, it took a week or two before things were back to something near normal.  Separate calls were made to credit card companies, the DMV, Social Security, and any places issuing membership cards.  Most were sympathetic to my plight while others poked fun at or issued warnings about my liability.  The calls took up my time and, in most cases, only added to my frustration and anger.  I was mad at myself and vowed to make sure this never happened to me again.

Before I ventured out again with all my replacement cards, I decided to do an honest assessment of what actually needed to be in my wallet.  I did need my driver’s license for obvious reasons.  I did need a primary credit card or debit card, but not more than one.  Did I need all the department store cards?  My assessment was no.  It would now be incumbent on me to remember to bring those cards if I chose to shop at JC Penney, Macy’s, Sears, etc.  Add in cash, some pictures, and a few membership cards and my wallet was noticeably lighter.  No longer would my ass hurt on one side from sitting on a packed wallet and I could rest easier that fewer cards were at stake in the event of loss or theft.

I thought I had come up with a pretty good plan to mitigate against another wallet misadventure, but I would soon find out all was not perfect.  Remember that I chose not to carry the department store cards thinking that I would retrieve those when I made planned trips to those stores.  Sure enough, I found myself in Macy’s one day without my card.  I was finally going to replace all the hand-me-down cookware I inherited with a nice matching set, but how would I pay?  I could have paid with cash or a credit card, but I wanted to take advantage of a discount offered to those who used their Macy’s card.  I explained to the salesperson that I did not have my card with me.  She said that it was no problem and she just had a few questions for me.  With a crowd of shoppers around me within earshot, I had to provide information like my Social Security Number, phone number, and address.  It suddenly occurred to me that this wasn’t the greatest idea anymore.  If I had the card or at least my account number with me, I wouldn’t have had to share my personal information with the gaggle of strangers around me.

It seems to me that many of us are caught between a rock and a hard place on this issue.  We need our account information with us to make purchases and prove identity, but if it is with us, then others have unprotected access to the same information.  Even if a credit card company is able to deny an unauthorized purchase made on your card, you will still likely need to replace the card with a new one… and the vicious cycle continues.

Technology on TV

I am one of those people who look forward to the fall TV season to see what fresh new shows have been scripted.  Out of a lot of stinkers, there are always a few gems.  I can handle an absurd premise if the writing is good so I give as many shows a chance as possible.  One that caught my eye this year is called ‘Arrow’.  It is a retelling of the story of the comic book hero, Green Arrow.  Even though it is running on the CW network, notorious for thinly developed characters, I was intrigued by how they would handle the material.  I am several shows into the season and have been pleasantly surprised so give it a look if you can.

High praise aside, I must say I was screaming at the screen the other night during a scene in an episode of ‘Arrow’.  The family patriarch discovers his wife has rerouted company funds to build a secret complex to hide something belonging to her deceased first husband.  He locates the building, but finds it is protected by a keypad security system.  He decides he can defeat the security system by typing in the first names of each member of his wife’s family.  Son Oliver . . . BEEP!  Daughter Thea . . . BEEP!  Ex-husband Robert . . . KA-CHING!  Hi-tech security system defeated in 15 seconds!  Gimme a break!  This lady commissioned a $3 million complex to hide something and used her ex-husband’s name as the password!  I screamed at the TV.  The writers had let me down and reverted to CW standards.  Or had they?

I got to thinking about the choice of passwords made by the TV character and asked myself how others in my life might handle the same situation.  Without a technical background, most technology users are ill-equipped to choose a safe password.  They don’t understand why passwords need to be a certain length or contain numbers and special characters.  They see the password like a key to a door.  They certainly don’t want to lose that key.   Losing the key in this case means forgetting the password.  They need to keep the password simple so they can easily remember it.  It doesn’t occur to most that somebody else might be able to easily ‘duplicate’ their key.  I realized almost every member of my immediate family would behave much like the characters in ‘Arrow’.  I offer my apologies to the writers of the show.  You got it spot on.

In sharp contrast to the folks on ‘Arrow’, you do see TV shows with very technically capable characters.  Shows like ‘24’, ‘Covert Affairs’, and ‘Burn Notice’ depict computer geeks of the highest magnitude.  Breaking encryption algorithms and passwords is a part of their everyday life.  Yes, this is a bit extreme, but the point is, we users should not make it simple for those who might want access to our data.  Those of us in the technical world know that passwords should contain letters (both upper and lower case), numbers, and special characters.  We also know that we shouldn’t be writing down these passwords in plain view of others.  Hopefully my family will watch these shows.  I sound like my Dad when he used to say, “Sure it’s entertaining, but you might learn something too!”

Back to ‘Arrow’… What was in the security complex now that the password was broken?  I’m not tellin’.  You have to watch the show!

A Cautionary Tale

What follows is a cautionary tale about technology from a guy who knows just enough to be dangerous. When the internet started to become another way to purchase goods, I was on board with the concept almost immediately. I wasn’t too concerned with the security issues as I figured the vendors must be doing their due diligence. The advantages to buying on the web were endless in my opinion. Sure, you didn’t have to pay sales tax and you can buy at any time of day. And yes, you could see full product descriptions. But those weren’t the big selling point for me. You see… I don’t mind shopping, but I just don’t like people all that much. There are the rude shoppers who stand in the middle of aisles. There are the rude salespeople who push a product on you and hover over your every move. And finally, there are the traffic and parking issues that are mostly caused by people who shouldn’t be allowed anywhere near a steering wheel.

Now that we have established why I am a bitter old man, let’s move on with my cautionary tale. As soon as they could, all the big vendors were on the internet and selling. As soon as I could, I was on their sites and ready to buy. My first few purchases went smoothly, but there was an awful lot of typing… name… street address… city… state… zip… telephone number… cell phone number… fax number… email address… credit card number… expiration date… three digit code that nobody understands… shipping address if different from billing address… favorite color… names of unborn children… you get my drift. All done! Order sent! Item received! Then a terrible thought sets in… heaven forbid I want to order again from the same vendor two weeks later because if I do, I get to enter all this stuff again. Oh joy! This was not something my fat ass was ready to do.

Our friendly vendors on the internet heard our cries for help and established the concept of an account on their web sites. You have now provided me a place in your virtual store to put all my personal information so that I can reuse it over and over again. I love you all even more now! How do I access my information once I am on a vendor web site? I just need two simple items. The first is my user or logon ID and the second is the associated password. Done and done. I’m off and running as I create an account on every web site I would consider doing business with. To save time and brain cells, I make my user IDs and passwords the same for every account I create. Why shouldn’t I? It’s not like Lowe’s talks to Home Depot. They hate each other!

I am now replete with the knowledge that I have created a process which will preclude me from having to enter a mall ever again. In addition, I won’t have to worry that these mitts I call hands will continue to shame the folks at “Mavis Beacon Teaches Typing.” The good life follows as I get to buy what I want when I want it. I save money and time while avoiding the frustration that the common folk must continue to deal with. I am master of my domain.

My first few years of internet buying proceed without incident, but my blissful ignorance is about to be compromised. One day I received a call from my credit card company asking me to confirm a suspicious purchase made with my card. Apparently, I had purchased an Xbox at Amazon.com and had it shipped to my new address in Rye, New York. I live in California. I don’t know anybody in Rye, New York. I don’t even know where Rye, New York is. I assured the credit card representative that I had not made said purchase. For some reason, I felt compelled to explain why it couldn’t be me since I don’t even enjoy gaming, but I’m pretty sure the rep didn’t find that a credible reason to reject the purchase. She explained that the transaction appeared fraudulent, but wouldn’t explain why. I suppose I didn’t care as long as I didn’t get stuck with the bill. Disaster averted!

Two days later, another credit card rep calls to confirm that I have purchased an Xbox from Best Buy and again had it shipped to my summer home in Rye, New York. Why the hell do I need two Xboxes? If I did need two Xboxes, why did I buy them from different stores online? And finally, why would anyone summer in Rye, New York? All good questions, but none of them mattered to my credit card rep. He explained that the transaction looked fraudulent and that he wanted to confirm the transaction. I went through the same explanation that I had made two days earlier and the rep assured me I would not be charged and that the shipment would not take place. My new bestest buddy went on to ask me if I was using the same user ID and password on more than one web site and that if I was, I could expect several more Xboxes at my new summer home. Crap!

For those of you a little lost by my story, remember that within each account I created, I stored my credit card information. The card information is partially obscured… usually only the last four digits are shown… but all the thief has to do is select the credit card he/she wants to use and they are good to go. How did all this happen? Somehow, someway, I inadvertently shared my user ID and password with someone. I probably clicked on some email I wasn’t supposed to and logged into a fake web site with my user ID and password. Once the thief had success on one web site, they likely tried another site to see if the same information worked. It did! They probably laughed at the fool who was too lazy to set up different user IDs and passwords for each site. What moron would do that? That would be this moron!