Tag Archives: Charlie Sanchez

Carphone Warehouse reports massive data breach

Bad news if you are a customer of Carphone Warehouse, a leading UK retailer for mobile phones and call plans. Late last week, the company announced that it had suffered a large data breach affecting as many as 2.4 million customers.

The information leaked includes names, addresses, dates of birth and bank details, while as many as 90,000 encrypted credit card details were also stolen.

In a statement, Sebastian James, group chief executive of Dixons Carphone, said:

“We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems.

“We are, of course, informing anyone that may have been affected, and have put in place additional security measures.”

“We took immediate action to secure these systems and launched an investigation with a leading cyber security firm to determine exactly what data was affected.”

If you think that you are potentially affected by this hack, here are two things that you should do as soon as possible to help mitigate any risk posed by unauthorized access to your bank accounts or credit cards.

Suspend your credit card

Naturally, one of the first things you should do is contact your credit card issuer and suspend your card. This means that you’re no longer vulnerable to credit card fraud if the card number has been stolen.

Your bank will issue a new credit card with a new number that wasn’t compromised in a breach.

Set up ID monitoring

I also highly recommend registering with an ID monitoring service. These scour the web searching for your credentials whenever and wherever they pop up. This allows you to take preemptive action against potential scammers.

There are instances of this being offered to data breach victims for free. Target did just that last year after their large hack. Should Carphone Warehouse contact you to say your information has been leaked, you should ask them about a similar service.

Beware of more scams

A word of caution: we’re likely to see some phishing attempts from fraudsters offering remedial services for data breach victims. Be very cautious about any email that arrives talking about compensation or other enticing services. Double check that any correspondence you receive is directly from Carphone Warehouse. If in doubt, contact them directly yourself rather than opening a suspicious email.

 

Introducing the new Facebook Security Checkup

Earlier in August, the world’s largest social networking site, Facebook, unveiled their new Security Checkup feature.

The aim is to create a series of simple tools that help users control which devices are logged into Facebook, receive alerts when new devices log in, and get tips on creating a strong password.

Video: Facebook Security Checkup

 

Let’s take a look in more detail:

 

Log out of unused apps:

If you have multiple devices linked to your Facebook account, you may be surprised to see just how many apps have access to your account. Closely monitoring which apps have access to your account is a great way to help protect your account security and the privacy of your personal information.

It’s worth remembering that apps that have access to your Facebook account also have access to a lot of your personal information. Be selective about which apps you allow.

 

Login Alerts:

Setting up login alerts is a great way to help you manage access to your Facebook account. Used in conjunction with other security features such as Two-Factor Authentication, login alerts make it very difficult for any unauthorized party to gain access to your account. I’d highly recommend implementing both this and Facebook’s Login Approvals.

 

Password strength tips:

The final tool in the Security Checkup is some advice both for creating a strong password and also password safety advice.

The advice recommends using a password unique to Facebook, never sharing your password and avoiding dictionary or identifying words.

Your password is one of the most important parts of keeping all your online accounts safe. For more information on creating a strong, unique password that’s easy to remember, check out the infographic below.

 

Making a strong password

Google Timeline knows everywhere you’ve ever been and can show you

When security experts warn us about sharing and publishing our location data, it’s easy to think that they are exaggerating the importance, and really what harm can come from “checking-in”?

I got a nasty shock this week when I found out about Google’s new Timeline feature which it launched last week.

Timeline will dot everywhere you’ve accessed Google Maps and plot it on a map. Mine, for example, looks a bit like this.

Google Timeline

 

As you can see, a couple of trips around Europe but most dots are in and around London, where I live.

This alone is quite strange to see but it gets creepier. Click on any one of these dots and it opens your journey. Here for example, is my stroll around Barcelona at Mobile World Congress last year.

Timeline 2

 

This is an exact map of where I went, which roads I took and how long I stayed at each location. Very surreal to see, given that I wasn’t even sure I was actively using my phone to navigate.

Google Timeline allows you to search for your location by date, so if I wanted to know everywhere I went in October 2013, or even on a specific day, I can find out.

Timeline 3

 

Google Timeline also arranges these journeys for me by calling them useful things like “Day Trip to Cambridge”.

Timeline 4

 

This is a brand new feature and one that has certainly made me reconsider how much data I leave behind in my everyday life.

Naturally, all of this information is private and only visible to me, but I strongly suggest you access your own Google Timeline and see whether you are comfortable with what information is being stored.

 

Here’s how to switch it off:

Turning off your location tracking is simple. In Google Timeline, click the cog at the bottom right corner and select Pause Location History.

Timeline 5

You’ll see the following message

Timeline 6

Click “Pause”.

 

Within the options, you can also delete all stored location history and even download your history.

The UK gets ready for automated vehicles

Earlier this July, the British government published “The Pathway to Driverless Cars: A Code of Practice for testing”, a fourteen page document clarifying the legislation around driverless vehicle testing in the UK.

As expected, the document is heavily skewed towards safety, with stipulations for operator overrides and emergency service procedures among others.

That’s not the part that I found interesting about the guidelines. That came later, and was more focused on data collection and cyber security.

As we have come to expect from our connected devices, data collection is inevitable. The government’s outlines mandate the following as minimum data recording functionality on the vehicle.

As a minimum this device should record the following information (preferably at 10Hz or more):

  • Whether the vehicle is operating in manual or automated mode
  • Vehicle speed
  • Steering command and activation
  • Braking command and activation
  • Operation of the vehicle’s lights and indicators
  • Use of the vehicle’s audible warning system (horn)
  • Sensor data concerning the presence of other road users or objects in the vehicle’s vicinity
  • Remote commands which may influence the vehicle’s movement (if applicable)

 

Add to these minimum prerequisites some other specific datasets such as location (for traffic updates etc.) and you begin to get the picture. Very soon our connected, driverless cars will become a hive of activity, bringing convenience to our daily lives but documenting it like never before.

In fact, immediately following the data collection requirements, the document then went on to establish expected behavior for handling this data.

“Testing is likely to involve the processing of personal data. For example, if data is collected and analysed about the behaviour or location of individuals in the vehicle, such as test drivers, operators and assistants, and those individuals can be identified.”

Will our own cars present a privacy risk to us in the future? Thorough data logs of everything we do and everywhere we go suggest that it might. Who knows, perhaps we’ll see an optional “incognito mode” like we see in some web browsers, where you can drive “off-record” for a limited time.

I was also pleased to see some basic cybersecurity standards included in the document. As our digital world rapidly merges with the offline, it becomes ever more important to safeguard the things that matter most from attack.

The document stipulates:

“Nevertheless, manufacturers providing vehicles, and other organisations supplying parts for testing will need to ensure that all prototype automated controllers and other vehicle systems have appropriate levels of security built into them to manage any risk of unauthorised access.”

This is hardly comprehensive but it does make developers consider cybersecurity from the outset.

Time will tell just how ready the people of Britain are for driverless vehicles, but it’s good to see that the government is addressing safety concerns both on the road and online.

Why you should change your Skype password now

The advice comes as a response to users complaining in the Skype forum that they have been apparently receiving malicious links from friends.

This sort of attack, where attackers either gain access to or can mimic an authentic account, is known as spoofing and can be very successful due to the level of trust that people have in their own contacts.

Skype Spoofing

 

If you think that you or someone you know has been a victim of spoofing, here are three things that you should do.

 

Don’t click

Normally, spoofing or phishing emails will contain a link to a site. Don’t click on it, especially if it is a shortened link as seen in the Skype forum example. If you believe it could be genuine, hover over the link and your browser will reveal the final destination of the link.

 

Get protection

As cyberattacks get ever more complicated and better disguised, it can become difficult to stay protected. That’s why it’s important to get the best possible antivirus solution, one that can help keep you safe not just from viruses and malware. Additional tools like AVG’s LinkScanner technology can scan links and attachments to check whether they are safe even before you click on them.

 

Changing your password

Just as Microsoft advised on the Skype forums, if you believe you’ve been a victim of any kind of spoofing or account fraud, it’s important to change your password. If someone has access to your account you should put a stop to that as soon as possible.

Take a little time when developing your new password and make sure that it gives you as much protection as possible.

For help doing this, take a look at the graphic below that will help you create a strong, unique password in three simple steps.

Making a strong password

How to tell if an online review is trustworthy

When it comes to planning a purchase online, customer reviews can be a great source of information and a crucial part of the decision making process. But with cases of businesses doctoring their online reviews emerging, how can you be sure that the review you’re reading can be trusted?

Here are some signs to watch out for to make sure you don’t get the wool pulled over your eyes.

 

Check out the reviewer

Your first point of reference should be the person who left the review. They are more likely to be a legitimate person if the following checks out:

  • They have been using the site for a long time before leaving the review
  • They have left reviews for other products
  • They have friends or belong to a network (on Yelp for instance)

All of these point to the behaviors of a real person who can be deemed impartial. If the reviewer has only just joined the site or only left a review for the product or service in question, then you may want to reconsider basing your purchase on their advice.

Profile

 

 

Verified customers

Many websites employ services such as Reevoo to help provide transparent and authentic feedback on their products. The review is actually part of the purchasing process so that you can be sure that only those that actually purchased the product have left a review.

Confirmed Purchase

 

Shop around

If you’re shopping for a big ticket item or booking at a pricey hotel, it is definitely worth checking reviews on many different sites and even social networks.

Something that has great reviews on Yelp or Google Reviews may have a bad rating on Trip Advisor, Amazon or another service. If the reviews differ significantly, it is certainly worth investigating a little further into them.

A quick search on Facebook or Twitter doesn’t hurt either. Check out any mentions of the product name or, if it is a restaurant or hotel, visit their Twitter page to see how people are engaging with them. If there are a lot of angry customers complaining, you may want to think twice before booking!

Do you have any tips for finding trusted reviews online? Let me know on Twitter or on Facebook.

One-Time passwords: What you need to know

Most of us have dozens of online accounts, each of which should have its own unique password. Remembering them all can be a bit of a headache, which is why some people have turned to password managers.

However, events in the last few months have shown that not all password managers are entirely secure, leaving people at odds when it comes to securing their online lives.

One trend that has been steadily gaining momentum is that of the one-time password. Forget having to remember your login for each account and instead have a strong, unique password sent directly to you whenever you need to log in.

When you want access to your account, a link is sent to you via email, SMS or in app and that can be used to log in. No password required.

Yahoo! became one of the first household names to introduce one-time passwords a few months ago, and you can see my colleague Tony Anscombe’s views on their implementation on his blog.

More recently, blogging site Medium has just rolled out the feature. They believe that one-time passwords are stronger than traditional means of authentication as they explain on their blog:

It sounds counterintuitive, but this is actually more secure than a password-based system. On most services, if someone guesses or cracks your password, they gain access to your account until you change your password, which might not be for a long time. You might never know that they have access. With this email-only system:

  • You’re automatically notified when someone tries to sign in.
  • The sign in link expires after a short amount of time.
  • The sign in link can only be used once.

 

Medium

 

Are there any downsides?

One-time passwords do a great job to help avoid many of the common issues with real passwords such as:

  • Weak passwords
  • Reusing passwords across multiple sites
  • Writing passwords down
  • No warning when someone else has access to your password/account

 

There is some room for vulnerability in the current system.

Encryption – Emailing a link that can provide unlimited account access should of course be done in an encrypted fashion. However, this isn’t always possible and transmitting it in plain-text over email or SMS could be a major security vulnerability.

Degrades security – A potential downfall for one-time passwords, especially with Medium’s implementation, is that any one-time password account is only as secure as your authentication email account.

For example, it would be useless to manage every one of your online accounts with a one-time password, but only secure your email with a weak password (as many people do). Remember, your email password should be the strongest of all your passwords as it can hold the key to the rest of them. One-time passwords make this even more pertinent.

Forwarding – Obviously it is unlikely, but with the current implementations, anyone with the link would be able to access the account. If you forwarded an email by mistake or pasted the link in the wrong place, then this could leave you vulnerable.

Some verification that the link is being clicked within the correct email account would be an added bonus.
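The link properties discussed above (short expiry, single use, and some check on who is clicking) can be sketched as follows. This is an added example, not code from Medium, Yahoo! or the original post; the class name, the 15-minute lifetime and the idea of tying the link to a cookie on the browser that requested it are assumptions chosen for illustration, and the browser binding is a stand-in for the "correct email account" check suggested above rather than the same thing.

```python
import hashlib
import hmac
import secrets
import time

# Assumed lifetime; the page only says the link expires "after a short amount of time".
LINK_TTL_SECONDS = 15 * 60


class SignInLinks:
    """In-memory store for one-time sign-in links (hypothetical, for illustration)."""

    def __init__(self, ttl=LINK_TTL_SECONDS):
        self.ttl = ttl
        self._pending = {}  # sha256(token) -> (email, sha256(browser_id), expires_at)

    @staticmethod
    def _digest(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def issue(self, email, browser_id, now=None):
        """Return a token to embed in the e-mailed link.

        browser_id is a random cookie value set on the browser that asked
        for the link (an assumption of this sketch).
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Store only a hash, so a leaked table cannot be turned back into links.
        self._pending[self._digest(token)] = (
            email, self._digest(browser_id), now + self.ttl)
        return token

    def redeem(self, token, browser_id, now=None):
        """Return the e-mail address to sign in, or None if the link is rejected."""
        now = time.time() if now is None else now
        # pop() enforces single use: every attempt, good or bad, consumes the link.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None  # unknown or already used
        email, bound_browser, expires_at = record
        if now > expires_at:
            return None  # expired
        if not hmac.compare_digest(bound_browser, self._digest(browser_id)):
            return None  # forwarded or pasted link opened in another browser
        return email
```

Because a rejected attempt also burns the token, a forwarded link fails closed and the account owner simply requests a new one.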

 

Alternatives

So while it is up to you whether or not you want to secure your online accounts with one-time passwords, if you are looking to improve the security of your online accounts I can recommend deploying Two-Factor Authentication.

Two-Factor Authentication is perhaps the simplest way to prevent unauthorised access to your online accounts and is very low risk. For more information on Two-Factor Authentication, check out the video below:

Video: What Is Two Factor Authentication

Snapchat rolls out two-factor authentication

The feature, known as ‘login verification’, is a way that users can help protect the privacy of their Snapchat accounts.

Two-Factor Authentication is a way to help secure your online accounts by adding another step when you log in. With Two-Factor Authentication, your regular password won’t be enough to gain access to your account. You will also need a code which is sent to your mobile device, either in the form of a text message or via an app.

In Snapchat’s case, the first time an account is accessed from a new device, Snapchat will require a code sent via SMS to the mobile number registered on the account. This code can then be used to access Snapchat normally. Afterwards, the authorization will not be required on that device again (unless you instruct Snapchat to ‘forget’ the device.)

Login

 

For more information on two-factor authentication, check out the video below from AVG Academy.

Video: Two Factor Authentication

 

How to enable login verification on Snapchat

As detailed in Snapchat’s support page, here’s how to enable login verification in the app:

  1. Tap the ghost icon at the top of your camera screen
  2. Tap the Settings gear in the top right hand corner of your Profile screen
  3. Tap ‘Login Verification’ under the ‘My Account’ section
  4. Tap the ‘Continue’ button
  5. Enter the verification code sent to your mobile phone and tap ‘Continue’

Once you have completed the login verification process, your device will remain a verified device until you elect to forget it.

 

Are you using a password that’s a decade old?

In the study by Telesign, web users had on average six passwords protecting 24 online accounts, another cause for concern. Using old or weak passwords across multiple sites can leave people vulnerable to attack.

Using the same password on multiple sites is one of the biggest mistakes that people can make in terms of Internet security. If a password for one account gets compromised then it can start a chain reaction that leaves other online accounts vulnerable to attack. With high profile data breaches regularly in the news, this is not as farfetched as it may sound.

Good password practice

There are three basic steps that we can all follow to help keep our online accounts safe:

Use a strong password

Creating a strong and memorable password doesn’t have to be difficult; we’ve outlined three easy steps in our password guide.

In the meantime, here are four common password mistakes to avoid.

Video: Password Mistakes to Avoid

 

Use a different password for each account

Here to explain why it’s always a good idea to use site-specific passwords is AVG Security Awareness Director Michael McKinnon:

Video: Use A Different Password for Each Site

 

Use Two-Factor authentication

Lastly, I suggest using two-factor authentication whenever it’s available. Two-factor authentication means that your password alone isn’t enough to access an account. Instead you’ll need a code sent to your phone or generated by an app to validate your identity.

Watch the video below to learn more:

Video: What is Two-Factor Authentication

Three reasons to be excited about: Windows 10

Cortana

Voice recognition has been a major area of development across the industry in the last few years and Microsoft look to continue that momentum with further integration of its voice activated assistant Cortana.

In Windows 10, Cortana will be your go to assistant for finding files and information both on your device and online. The smart technology also allows you to use real language to find what you are looking for or complete tasks.

In this demo video, Cortana is asked to “call Mikey” and understands that it needs to open Skype, search Mikey in the contacts list and place the call. Pretty neat.

Video: Cortana in Windows 10

 

It’s not hard to imagine how this implementation of Cortana edges us closer to an interactive, responsive and voice activated operating system that intelligently understands our needs.

 

Project Spartan browser

For those of us not quite ready to make the leap to a voice activated web experience, there is still plenty to be excited about, not least the Project Spartan Browser.

Project Spartan is a brand new browser being built from the ground up with speed and performance in mind. Optimized for the rich media environment of the modern web, the new browser could very well be a must have for surf addicts.

Check out this video from The Verge.

Video: Project Spartan

 

Universal Windows Apps

One of the most exciting pieces of news is that Microsoft have unveiled ‘Windows Universal apps’. The idea being that any app purchased through the store will work across every Windows 10 device, from phone, to tablet and PC.

Windows 10

This is not only incredibly convenient for users, it also helps greatly from a security point of view. The centralized app stores operated by Google and Apple for their mobile devices have made a huge difference to the amount of pirated and malicious software available.

The traditional PC software market was essentially a free for all with no authority acting as quality control. The shift towards one central app store will help Microsoft to curb the malware so often distributed online.