Sunday, August 28, 2016

New iPhone 7

As September 7 approaches, along with the impending announcements from Apple, the company is in an unprecedented situation. While the company doesn't give a whit about market share, its share has been declining steeply.  For the first time in its short history, iPhone sales are in decline. Why? What's going on? More importantly to the company, product, and investors, what will they announce in the 7 to reverse the trend?

I've said many times that Apple is the choice of people who are concerned about digital security and privacy. I've also said it's the company for people who like an ecosphere of products that work together. But when push comes to shove, it appears most people want just a smart phone, and one that appears to be innovative. Never mind if the innovation is internal, or geared toward app developers.

So the rumors that usually pan out say the 7 removes the audio jack and keeps the same dimensions, but they give no real clues as to what's really new. The Apple Watch is also rumored to get an upgrade at the same time. But so far this hasn't impacted iPhone sales noticeably.

So is Apple in trouble? Far from it. The Mac is still selling strongly, and even though they are down, iPhone sales are good, and profits are good. But truly it is challenging to restore growth to their flagship product.

Tuesday, March 8, 2016

My AT&T Account was Hacked - How could we have avoided it?

Last week, our AT&T Wireless account was hacked on the web site.  The way they got in was probably by guessing or stealing the password for my wife's login from some other website, and trying it on a variety of carriers until it worked.  We got a text message from AT&T last week that the security questions had been changed.  When I went to look at it, they hadn't.  I immediately called the AT&T Fraud department, and they told me that no updates had been made, and no changes to the service, and that the system must have sent the message to me in error.

Yesterday, I got another text message on my phone, that my billing address had been changed.  It had been changed to a Miami Beach address.  At about that time, my wife called me from our kid's phone, saying that her phone no longer worked.  Neither did one of our other phones.  At that point, we realized that a new user had been authorized on the account, and that a new phone number had been added last week, and one of the phones (out of contract) had been used for an upgrade.  AT&T showed that the new phones had been picked up at the Apple store on Broadway, in New York.

Apparently it is very common for thieves to use stolen credit cards, pay online on a hacked account, and pick up a phone from the store.  Once they do that, they sell the phone as quickly as they can, and pocket the cash.

Meanwhile, it took about 5 hours with AT&T Advanced Technical Support to get our phones restored, and with the Fraud department to get everything else straightened out.

The worst thing about all this was, it could have (and should have) been prevented!  How?  Let's look at the perfect storm of everything that went wrong:
  1. AT&T Account Security provides a phone number, e-mail address, and generated access ID to log in and manage your account.  3 different ways of logging in.  Simplify it, give us 1!
  2. AT&T Account Security has the option of requiring a PIN that you specify, for "any and all account changes that will cost you money."  Apparently that is misleading.  We turned on that PIN feature last year and set the PIN, however it only works for in-store purchases.  The web site does not require the PIN, and this is something they are aware of, and have not yet rectified.  Shame on them!  If they had required the PIN, then simply using the login stolen from somewhere else would have not been enough.
  3. Simple Password Login - my wife (who will remain unnamed to prevent embarrassment) used to use the same password for everything.  Everywhere.  This practice is still rampant, and I strongly discourage it.  As I've recommended several times (1, 2), you should not know the vast majority of your passwords.  You should have a super secret master password that you only use in one place, for your password vault, and have all others be randomly generated long alphanumeric strings with punctuation marks.  Thieves know that people like to use passwords that are easy to guess (by the way, if your password consists of a word, even if you change letters to numbers or add numbers at the end - it is extremely easy for computer software to guess), and use the same passwords everywhere.  Software is specially designed to exploit the patterns we use ($ for S, 0 for O, 1 for L, etc.) and crack the passwords within minutes (average is 6 minutes or less).  So even if thieves hack a system you logged into and steal encrypted passwords, they can decrypt them within minutes.
  4. Text Confirmation PIN - Apple and many other companies send text messages to known, pre-registered devices to confirm identity.  For example, if I log into iCloud, it sends a PIN to my phone, which I then have to enter (after username and password) in order to access my cloud account.  This is simple and very easy, and should be done by AT&T and all mobile carriers to confirm something as basic as adding, removing, or upgrading a line.
  5. Multifactor authentication - whenever this is available, turn it on and use it.  This means, instead of just asking for username and password, some other thing is asked for to prove you are legit.  For example, a lot of systems use Google Authenticator.  This is like those RSA secure keys you may have seen, which generate a new number every 30 seconds.  When you log in, you have to enter name, password, and the number - which follows a predictable pattern only known between your device and the site you are logging into.  Another example is not just asking for name and password, but some other random mix of questions that you define, and answers you set up.  For example, "What was your first car?"  "1981 DeLorean" - if you set up 3 to 5 Q&A, then it randomly selects one, and you have to answer that plus name and password to log in.
Luckily, we caught this quick.  Chances are very slim it was quick enough to catch this thief, or even quick enough to prevent him from selling the phones he stole.  We lost a bit of peace of mind, and time spent dealing with it.  But other forms of identity theft can be much more damaging, and you owe it to yourself (and the efforts of law enforcement to catch these criminals) to learn what you can do, and prevent these from happening.
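
Why the letter-for-symbol swaps in item 3 add so little, as an added example that is not part of the original post: a screening check a site or password vault could run, which undoes the swaps and peels trailing digits and punctuation before looking the result up in a wordlist. The wordlist is a constructed sample, and `dictionary_root` and `generate_password` are names chosen here.

```python
import secrets
import string

# Constructed sample wordlist; a real screen would load a full dictionary
# plus a corpus of breached passwords.
WORDLIST = {"password", "soccer", "dolphin", "lollipop"}

# The swaps named in the post ($ for S, 0 for O, 1 for L) plus a few other
# common ones, which are an assumption of this example.
UNLEET = str.maketrans({"$": "s", "0": "o", "1": "l",
                        "@": "a", "3": "e", "5": "s", "7": "t"})
SUFFIX_CHARS = set(string.digits + string.punctuation)
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def dictionary_root(candidate: str):
    """Return the dictionary word a password is built on, or None.

    Undo the character swaps, then peel trailing digits and punctuation one
    at a time, checking the wordlist at every step.
    """
    lowered = candidate.lower()
    end = len(lowered)
    while True:
        word = lowered[:end].translate(UNLEET)
        if word in WORDLIST:
            return word
        if end == 0 or lowered[end - 1] not in SUFFIX_CHARS:
            return None
        end -= 1


def generate_password(length: int = 20) -> str:
    """Random password of the kind the post recommends, from the OS CSPRNG."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if dictionary_root(pw) is None:
            return pw


if __name__ == "__main__":
    for sample in ("P@$$w0rd1", "Dolphin2016!", "$0ccer", generate_password()):
        print(repr(sample), "->", dictionary_root(sample))
```
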

And whatever you do, don't believe it when a guy calls saying your PC has reported problems to their server!

Thursday, February 18, 2016

Did you know that PC Security Services can "help" fix your computer problems?

I got a call from a guy named Harry (yeah, right, this guy with a middle-eastern Indian-sounding accent's name is Harry), who claimed that he got my number because my Windows was reporting problems to his server, and he was calling to help me out.  Good thing too, Harry!  (Interesting choice of names - this was Peter Parker's friend who turned out to become a super villain...but that's a different universe.)

I asked him how he got my phone number.  Harry told me that everyone who has a Windows computer has a unique computer license ID number (TRUE), which is automatically registered with them (FALSE - it is only registered with Microsoft, and they do not share their customer registration information with any third party companies).  And that they receive reports at their technical server that goes to their R&D center, and notifies them of issues.  (FALSE: Nobody would do this without a service contract that would bill you periodically.)

He then told me there were a bunch of problems with my Windows computer (I held off, not telling him I have Macs).  I decided I would play the dumb user, so I went along with him.

First, he wanted me to run the Event Viewer.  OK, harmless enough.  Then, he showed me a log of errors that Windows keeps.  He had me look at the count of errors, and whatever number I gave him, it was too much (it was 8,232).  [FACT CHECK:  During the normal operation of any computer system, it will log errors.  This is fine - some non-essential part of the computer failed to do something the way it expected, it logs an error.  Typically, this is nothing to be concerned about.  If you are concerned, take it physically to someone you trust, not to some guy who calls up over the phone.] Then close that window, and run MSCONFIG.  This tool shows startup jobs, as well as services.  He had me look for any services by Microsoft Corporation that were stopped.  There were a lot, and he said this is bad.  [FACT CHECK:  There are always some stopped, by the way - not every service is turned on.  In fact, I had specifically gone through just a few months back and disabled some more non-essential services, to improve performance of my system, but he didn't know that.]

So, he said that the bad software I get from e-mails and browsing the web, disabled important Microsoft services.  [FACT CHECK:  This is typically the way bad software gets on your computer, but this is the way that the antivirus security software checks and protects most often.]  Then, he wanted me to go to a web site,  This one failed to come up, so I can only guess that the domain has been blocked by net monitoring.

So, he had me go to, and wanted me to click Connect to Technician.  [FACT CHECK:  This is the kind of attack that is harder to protect against.  They get you to run something over the web browser, or install a program remotely with your permission, during a time when they have obtained your trust.]

This is where they get you.  I had played dumb with Harry, stringing him along, and pretending I didn't understand ("how do I find the Control key?  Oh, the CTRL key!").  After half an hour of having this guy patiently explain to me how to minimize a window, find the CTRL key, and find the Windows key, let alone type in the commands he wanted (all the while I was Googling the stuff he told me, came across this warning by Microsoft), I asked him if the Connect to Technician will fix my problem.  I said, because I have a big problem, I have too much money in my bank account, and wanted someone to steal it from me to help me with the problem.

The dude didn't know what to say.  I told him I had been a Windows expert for 30 years, and now have Macs, so I don't even have Windows at home.  And, that I would be reporting the phone number and web site to the FBI and FTC.  Ah, so much fun making the guy squirm in his chair when I asked "Where is the Control key?" - if only I could see his face.