Getting a text message is a lot like someone calling out your name. It’s tough to ignore.

Delivery notifications, messages from your bank, job offers, and security alerts—those texts have a way of getting your attention. And scammers know it. In the U.S. alone, their text-based scams accounted for a reported $330 million in losses in 2022—nearly a 5x increase compared to 2019.

When it comes time for scammers to reach their victims, text messages are the top choice. Far more so than email or phone calls. Estimates show that up to 98% of people will read a text message. Half of them will answer it. Compare that to email, which has an open rate that hovers around 20% and a reply rate of 6%.

In all, text scams make for cheap, easy, and effective attacks. Even more so with the help of highly convincing messages scripted by AI.

Scammers simply have it easier and easier these days. Or so it can seem. Now you have an AI-powered tool that can finally put an end to those scam texts on your phone— McAfee Scam Protection.

Let’s check out the top scams out there today, and then how McAfee Scam Protection and a few other steps can make your time on your phone a lot less annoying and a lot safer as well.

The top five text scams.

According to the Federal Trade Commission (FTC), five specific text scams account for 42% of scams randomly sampled by the commission. Here’s how they stack up:

  • Phony bank alerts and messages.
  • Bogus gift offers that steal personal info.
  • “Problems” with package deliveries.
  • Job scams.
  • Amazon imposter scams.

Sound familiar, like something that you’ve seen pop up on your phone? Chances are it does. In all, the scammers behind these texts want the same thing—your personal info, money, or a combination of both. They just take different routes to get there.

Beyond the top five, the other 58% of scams put their spin on their texts. However, different as they are, these scam texts have several common signs you can spot.

First off, they usually include a link. The link might include unusual strings of characters and a web address that doesn’t match who the message says it’s coming from. Like a bogus notice from the post office that doesn’t use the official post office URL. Or, the link might look almost like a legitimate address, but changes the name in a way that indicates it’s bogus.

Instead of a link, the text might contain a phone number to call. Sophisticated scam operations run call centers that work much like legitimate call centers—although scammers design them to steal your money and personal info.

The message might employ a scare tactic or threat. Scammers love this approach because it successfully plays on people’s emotions and gets them to act quickly without much thinking.

Sometimes, the text might be a seemingly innocent message. Like, “Is this Steven’s number?” Or, “I’ll always love you.” Sometimes it’s only a simple, “Hi.” This is by design. The scammer wants to pique your curiosity, or your desire to be helpful, and then respond. From there, the scammer will try to strike up a conversation, which can lead to a romance scam or a similar con game like an online job scam.

How to spot the top five text scams.

Fortunately, scammers tend to follow a basic script. You’ll see variations, of course. Yet these texts share common elements, just as text scams in general do. That makes them easy to spot.

Be on the lookout for:

Bank scams like, “BANK FRAUD ALERT: Did you make a $4,237.95 purchase at Jacuzzi World? Please confirm!” You’ll know if it’s a scam if the text:

  • Was sent from an institution you don’t bank with. That’s an immediate sign.
  • Comes from an unrecognizable and unofficial number.
  • Requests you to tap a link or call the number—likely to provide personal info.

Gift scams like, “ATT FREE MESSAGE. Thanks for paying your bill. Click here for a reward.” First, you can note that the scammer spelled the phone carrier AT&T incorrectly. Other signs of a scam include:

  • The text involves tapping a link to claim your (bogus) prize—or calling an unknown number.
  • It involves paying a fee for shipping your (bogus) prize.
  • It similarly calls for submitting account or personal info to pay for your (bogus) winnings.
  • The payout is for a lottery or giveaway you never entered.

Delivery scams like, “We were unable to deliver your shipment. Please update your info so that we can get your package to you.” This is a common one, and you can spot it several ways:

  • First off, you’re not expecting a package. Let alone one from the “company” that sent you the text.
  • It contains a link that doesn’t look like it directs you to an official site, like UPS or FedEx.
  • If you’re in North America, look at the number of the sender. Some scammers text from an overseas location. This can result in a long phone number that contains a country code with a “+” in front of it.

Job scams like, “BE A SECRET SHOPPER. Make $500 per store! Click the link to get started!” A company that hires employees by sending thousands of spammy texts isn’t a company at all. It’s a scam. Other signs are:

  • They ask you to tap a link or call a number, once again.
  • The link looks like a string of nonsense or like a slightly fudged version of a legitimate web address.
  • The job offer seems too good to be true. (Because it is.)

Amazon scams like, “TRANSACTION ALERT: Your purchase of a 65” QLED TV for $1,599.99 is confirmed. Not you? Contact us to cancel the order.” This is a spin on the bank fraud alert, with the scammers posing as Amazon’s fraud team. Aside from using the Amazon name, other signs include:

  • The text lists a big-ticket item with a big price tag to get your attention.
  • There’s a sense of urgency. The text implies you need to act quickly to cancel the order.
  • You have a number to call or a link to tap, which puts you in touch with a phony customer care rep.

Now, how to avoid text scams.

With what you need to spot scam texts, now you can avoid the damage they can do. And you can take additional steps to keep them from reaching you altogether.

1. Don’t tap on links in text messages: If you follow one piece of advice, it’s this.

2. Follow up directly: If you have concerns, get in touch with the company you think might have sent it. Manually type in their website and enquire there. Again, don’t tap any links.

3. Clean up your personal data: Scammers must have gotten your number from somewhere, right? Often, that’s an online data broker—a company that keeps thousands of personal records for millions of people. And they’ll sell those records to anyone. Including scammers. A product like our Personal Data Cleanup can help you remove your info from some of the riskiest sites out there.

4. Get scam protection: Using the power of AI, our new McAfee Scam Protection can alert you when scam texts pop up on your phone. And as a second line of defense, it can block risky sites if you accidentally follow a scam link in a text, email, social media, and more.

Also, consider playing a part in the solution.

Businesses, agencies, and law enforcement work together to shut down scams. Many of them have websites and points of contact for reporting fraud. Netflix offers a good example, and so does the Internal Revenue Service (IRS) in the U.S. McAfee has a page dedicated to fraud as well.

Further, in the U.S., you can also report it to the FTC at https://www.ReportFraud.ftc.gov. Similarly, they use and share reports with law enforcement partners to help with investigations.

If you spot a clear imposter or scam, give some thought to grabbing a screenshot and reporting it.

You have what it takes to stop text scams.

Even as scammers’ attacks get more sophisticated, the tools that can beat them are more sophisticated as well. In part thanks to AI. With a sharp eye, tools like McAfee’s Scam Protection can help you steer clear of text scams.

With both in place, you can improve the chances that your next incoming text is from a friend that brings a smile to your face—instead of a scam text that leaves you shaking your head.

Introducing McAfee+

Identity theft protection and privacy for your digital life


#Hold #Phone #Wallet #Top #Text #Scams

Apple’s App Store is considered a reliable platform for downloading apps. So much so, in fact, that users often assume there’s no danger at all: what could possibly be wrong with an app that’s been moderated by Apple? App Store verification is indeed effective, and news about malicious or phishing apps on the platform is uncommon.

All the same, malware creators do occasionally sneak under the App Store’s radar. This post examines three fraudulent apps we’ve found in the official Apple store, and what precautions you can take to avoid a financial hit.

Scam apps in the App Store

The three we’ve found all share a common theme: investment. If the descriptions are to be believed, two are for tracking the current value of cryptocurrency assets. The third seems to be some kind of investment game, which, I quote, “plunges you into the world of financial decisions, making you feel like a real office worker. You will have to make complex financial decisions that will affect your character’s mood and the state of their wallet”.

Scam apps in the App Store

Scam apps we’ve found in the App Store

When the user opens any of these apps almost anywhere in the world, the program, having checked the location by IP address, shows what was promised in the description: either a simple app for tracking cryptocurrencies, or a mini-game with multiple-choice questions.

But if the user is in Russia, however, the app downloads far less innocuous phishing content. First, the victim is promised a decent income of at least $1000 a month. What’s more, you can start investing supposedly with small amounts — “from $110” — and expect your first profit “in just a few days”; access to the platform is, of course, free.

The promises of fabulous riches are followed by a rather long and detailed questionnaire. The scammers’ aim here is to get you to “invest” a certain amount of time and effort in the process; this is so that, come the key stage of the scam, the victim will be reluctant to give up that investment.

The culmination is a form asking for your first name, surname, and phone number so that “an investment platform specialist can be in touch”. Once the contact information is sent, the phishers promise to call you shortly.

And they’re true to their word. According to user reviews in the App Store, during the phone call with the “specialist”, the hapless user is persuaded to “invest” a certain amount in a highly dubious financial project. The outcome isn’t hard to predict: the fantastic payback never materializes, and the victim’s investment disappears.

Although user reviews of all three malicious apps warn about fraud, only when we reported them did the App Store moderators sit up and take notice. At the time of posting, all three apps have been removed from the App Store.

But how did they even get there in the first place? We can’t give a definite answer, of course — only Apple itself can do so after a thorough investigation. We can only assume that when the apps were being moderated, they only displayed harmless content since they were designed to download the phishing questionnaire from the internet as a regular HTML page. And then, after the apps had been approved and placed in Apple’s official store, the scammers modified the uploaded content.

How to stay safe

The iOS architecture is built to keep user apps as isolated as possible from the rest of a device’s system and also user data. Because of this, there’s no way to create a “classic” antivirus for iOS: it simply won’t have the necessary access to other programs and data running in the system. Apple works on the assumption that App Store moderation protects against malicious apps such as these. But, as we now see, its safeguards can be bypassed by substituting uploaded content with phishing once the app is approved. And because the App Store currently hosts around two million apps, the moderators simply don’t have time to respond quickly to user complaints.

Therefore, the next line of defense becomes all-important. Kaspersky: VPN & Antivirus for iOS with Plus and Premium subscriptions analyzes traffic and promptly detects attempts to open phishing sites on your device. Dangerous pages get blocked straight away and a warning is displayed.

How Kaspersky: VPN & Antivirus for iOS protects against scam apps

Here’s how Kaspersky: VPN & Antivirus for iOS responds to an attempt by a scam app in the App Store to download phishing content

And although all the scam apps we found this time around singled out users in Russia, the same technologies could just as well be used to target any audience in any country in the world — the only question is when. So, as you can see, iOS needs protection just as much as Android.


#Beware #scammers #Dangerous #apps #App #Store

Perturbing highlights from the latest Avast Threat Report indicate scammers aren’t just stealing from your computer—they’re working to take it over entirely.

In a vast world of online threats, certain terms can stand out for their mysterious nature and vague implications. They sound technical, jargony, and are often dismissed as too hard for us to get into. Today we’re offering a guide, a sort of compass, to help simplify a few of those terms, and enable you to navigate around some of the latest dangers from the Avast Threat Report 

(lebih…)

I have a confession to make – I so wish ChatGPT was around when my kids were younger. I realise that it’s not perfect but in my opinion, it’s like having a personal digital assistant to help you wade through those super heavy parenting years. Imagine how helpful it would be to have your ‘assistant’ develop a personalised bedtime story for your 6-year-old or, work out what you can cook with just the ingredients in your fridge!! I am so sure I would have been a more relaxed mother if I had ChatGPT working for me!!

How Does ChatGPT Work?

ChatGPT is an amazing website that allows you to have human-like conversations with a chatbot that is driven by Artificial Intelligence (AI) technology. The chatbot can answer your questions, compose emails and essays, translate text, develop code and more. At the time of writing, there is a free version of ChatGPT available which gives the user unlimited access however the paid premium version of $US20 per month gives priority access during peak times, faster response speeds and exclusive access to GPT-4 – a smarter and more capable chatbot!

If you’d like to know more about it, check out my Parents’ ChatGPT Guide which will help fill in the blanks.

How ChatGPT Can Make You A Better Parent

There are so many ways ChatGPT can reduce the stress of parenting and give you some much-needed head space. Here are my top 5:

1. What’s For Dinner?

If I look back at the super intense parenting years when I was working full-time with 4 kids, one of the greatest causes of my stress was dinner. I often wouldn’t have the physical energy to read a recipe book or stop at the shops after an afternoon of school and extra-curricular pickups so I would be scrambling to feed a bunch of ravenous boys. Imagine how good it would be to have your digital assistant, aka ChatGPT, devise a recipe based on what you have in your fridge and pantry? Nothing short of life-changing, in my opinion. And it can even factor in dietary restrictions! So clever!!

2. Can You Tell Me A Bedtime Story

My boys loved bedtime stories – preferably personalised! I know, very demanding!! Now, with 4 separate stories to deliver every night, you can only imagine how much mental energy this required. But if I had ChatGPT working for me, this would take just seconds to solve. Simply enter the name and age of the child (no surnames), the setting, the names of other characters that should be included, and then a theme e.g. hero’s journey, determination, friendship, and wham bam – you’ve got something ready to go!

3. Your Next Holiday – Sorted!

When things are so hectic, it is often the thought of a vacation that can keep you going. However, let’s be honest, successful holidays take quite a bit of planning to get right. Well – that’s where your digital assistant can help. If you ask, ChatGPT can develop itineraries with activity suggestions. It can also recommend hotels – simply ask it for suggestions within a specific location e.g. close to the Eiffel Tower. And it can also tailor its recommendations based on your budget. After planning and managing family holidays for my clan of 6 for well over 20 years, this is a life-changing feature!

4. The Best Birthday Party Checklist Ever

Far out, birthday parties can be stressful experiences. Invitations, themes, venue, entertainment, kids’ food, lolly bags, parents’ food, parents’ drinks, the list goes on and on. But if you haven’t already put ChatGPT to work as a party planner – then you’re missing out. Simply type in the age of the child and it can give you an entire plan. It will also give you 20-25 top tips that I guarantee will ensure you have everything covered!

5. Homework Help

If you’ve got a tribe of kids who are all at various levels and need homework help, then staying up to date with maths and science can be quite exhausting – particularly after a long day at work! Simply entering ‘explain’ or ‘explain so a 10-year-old can understand’ into ChatGPT will provide you with enough smarts to get that homework done. Of course, fact-checking ChatGPT is essential but what it will provide is some momentum in the right direction.

But A Word of Caution

ChatGPT can absolutely make your life easier as a parent but there are a few things to remember before you start typing into that chat box.

1. It Doesn’t Always Get Everything Right

It’s important to double-check everything. Ensure your kids also appreciate that everything online needs to be double-checked.

2. Be Mindful of Your Privacy When Using It

For a full explanation of its impact on privacy and how you can protect yourself, check out my recent blog post about . But to summarise: be careful what you share in the chat box, stay anonymous, and consider deleting your chat history.

3. Consider How You Use It With Your Kids

One of the biggest negatives of ChatGPT is its potential impact on creativity and thinking skills. Some schools and universities have banned its use while others have specialised programs that supposedly can detect whether a student has used it. While it does sadden me that our kids won’t need to struggle over complex maths questions or English essays like we did, I am a realist and believe that whether we like it or not – it is here to stay. My prediction is that the school and university systems will adapt because generative AI will be a part of our kids’ world. Our role as parents and educators is to teach them how to use it safely and with a critical-thinking mindset.

So, if you’ve dreamed about hiring a personal assistant (I do regularly!) then you so need to check out ChatGPT. It will help you get through your ‘to-do’ list, save you so much time and energy which means you’ve got more time to spend with your kids – or by yourself under a tree. You choose!!

Till Next Time

Stay Safe Online

Alex

Introducing McAfee+

Identity theft protection and privacy for your digital life


#ChatGPT #Happened #Family

Over the first 23 years of this century, the Linux operating system has become as ubiquitous as Windows. Although only 3% of people use it on their laptops and PCs, Linux dominates the Internet of Things, and is also the most popular server OS. You almost certainly have at least one Linux device at home — your Wi-Fi router. But it’s highly likely there are actually many more: Linux is often used in smart doorbells, security cameras, baby monitors, network-attached storage (NAS), TVs, and so on.

At the same time, Linux has always had a reputation of being a “trouble-free” OS that requires no special maintenance and is of no interest to hackers. Unfortunately, neither of these things is true of Linux anymore. So what are the threats faced by home Linux devices? Let’s consider three practical examples.

Router botnet

By running malware on a router, security camera, or some other device that’s always on and connected to the internet, attackers can exploit it for various cyberattacks. The use of such bots is very popular in DDoS attacks. A textbook case was the Mirai botnet, used to launch the largest DDoS attacks of the past decade.

Another popular use of infected routers is running a proxy server on them. Through such a proxy, criminals can access the internet using the victim’s IP address and cover their tracks.

Both of these services are constantly in demand in the cybercrime world, so botnet operators resell them to other cybercriminals.

NAS ransomware

Major cyberattacks on large companies with subsequent ransom demands — that is, ransomware attacks, have made us almost forget that this underground industry started with very small threats to individual users. Encrypting your computer and demanding a hundred dollars for decryption — remember that? In a slightly modified form, this threat re-emerged in 2021 and evolved in 2022 — but now hackers are targeting not laptops and desktops, but home file servers and NAS. At least twice, malware has attacked owners of QNAP NAS devices (Qlocker, Deadbolt). Devices from Synology, LG, and ZyXEL faced attacks as well. The scenario is the same in all cases: attackers hack publicly accessible network storage via the internet by brute-forcing passwords or exploiting vulnerabilities in its software. Then they run Linux malware that encrypts all the data and presents a ransom demand.

Spying on desktops

Owners of desktop or laptop computers running Ubuntu, Mint, or other Linux distributions should also be wary. “Desktop” malware for Linux has been around for a long time, and now you can even encounter it on official websites. Just recently, we discovered an attack in which some users of the Linux version of Free Download Manager (FDM) were being redirected to a malicious repository, where they downloaded a trojanized version of FDM onto their computers.

To pull off this trick, the attackers hacked into the FDM website and injected a script that randomly redirected some visitors to the official, “clean” version of FDM, and others to the infected one. The trojanized version deployed malware on the computer, stealing passwords and other sensitive information. There have been similar incidents in the past, for example, with Linux Mint images.

It’s important to note that vulnerabilities in Linux and popular Linux applications are regularly discovered (here’s a list just for the Linux kernel). Therefore, even correctly configured OS tools and access roles don’t provide complete protection against such attacks.

Basically, it’s no longer advisable to rely on widespread beliefs such as “Linux is less popular and not targeted”, “I don’t visit suspicious websites”, or “just don’t work as a root user”. Protection for Linux-based workstations must be as thorough as for Windows and MacOS ones.

How to protect Linux systems at home

Set a strong administrator password for your router, NAS, baby monitor, and home computers. The passwords for these devices must be unique. Brute forcing passwords and trying default factory passwords remain popular methods of attacking home Linux. It’s a good idea to store strong (long and complex) passwords in a password manager so you don’t have to type them in manually each time.

Update the firmware of your router, NAS, and other devices regularly. Look for an automatic update feature in the settings — that’s very handy here. These updates will protect against common attacks that exploit vulnerabilities in Linux devices.

Disable Web access to the control panel. Most routers and NAS devices allow you to restrict access to their control panel. Ensure your devices cannot be accessed from the internet and are only available from the home network.

Minimize unnecessary services. NAS devices, routers, and even smart doorbells function as miniature servers. They often include additional features like media hosting, FTP file access, printer connections for any home computer, and command-line control over SSH. Keep only the functions you actually use enabled.

Consider limiting cloud functionality. If you don’t use the cloud functions of your NAS (such as WD My Cloud) or can do without them, it’s best to disable them entirely and access your NAS only over your local home network. Not only will this prevent many cyberattacks, but it will also safeguard you against incidents on the manufacturer’s side.

Use specialized security tools. Depending on the device, the names and functions of available tools may vary. For Linux PCs and laptops, as well as some NAS devices, antivirus solutions are available, including regularly updated open-source options like ClamAV. There are also tools for more specific tasks, such as rootkit detection.

For desktop computers, consider switching to the Qubes operating system. It’s built entirely on the principles of containerization, allowing you to completely isolate applications from each other. Qubes containers are based on Fedora and Debian.


#Linux #home #protect #Linux #devices #hacking

I have a confession to make – I so wish ChatGPT was around when my kids were younger. I realise that it’s not perfect but in my opinion, it’s like having a personal digital assistant to help you wade through those super heavy parenting years. Imagine how helpful it would be to have your ‘assistant’ develop a personalised bedtime story for your 6-year-old or, work out what you can cook with just the ingredients in your fridge!! I am so sure I would have been a more relaxed mother if I had ChatGPT working for me!!

How Does ChatGPT Work?

ChatGPT is an amazing website that allows you to have human-like conversations with a chatbot that is driven by Artificial Intelligence (AI) technology. The chatbot can answer your questions, compose emails and essays, translate text, develop code and more. At the time of writing, there is a free version of ChatGPT available which gives the user unlimited access however the paid premium version of $US20 per month gives priority access during peak times, faster response speeds and exclusive access to GPT-4 – a smarter and more capable chatbot!

If you’d like to know more about it, check out my Parents’ ChatGPT Guide which will help fill in the blanks.

How ChatGPT Can Make You A Better Parent

There are so many ways ChatGPT can reduce the stress of parenting and give you some much-needed head space. Here are my top 5:

1. What’s For Dinner?

If I look back at the super intense parenting years when I was working full-time with 4 kids, one of the greatest causes of my stress was dinner. I often wouldn’t have the physical energy to read a recipe book or stop at the shops after an afternoon of school and extra-curricular pickups so I would be scrambling to feed a bunch of ravenous boys. Imagine how good it would be to have your digital assistant, aka ChatGPT, devise a recipe based on what you have in your fridge and pantry? Nothing short of life-changing, in my opinion. And it can even factor in dietary restrictions! So clever!!

2. Can You Tell Me A Bedtime Story

My boys loved bedtime stories – preferably personalised! I know, very demanding!! Now, with 4 separate stories to deliver every night, you can only imagine how much mental energy this required. But if I had ChatGPT working for me, this would take just seconds to solve. Simply enter the name and age of the child (no surnames), the setting, the names of other characters that should be included, and then a theme e.g. hero’s journey, determination, friendship, and wham bam – you’ve got something ready to go!

3. Your Next Holiday – Sorted!

When things are so hectic, it is often the thought of a vacation that can keep you going. However, let’s be honest, successful holidays take quite a bit of planning to get right. Well – that’s where your digital assistant can help. If you ask, ChatGPT can develop itineraries with activity suggestions. It can also recommend hotels – simply ask it for suggestions within a specific location e.g. close to the Eiffel Tower. And it can also tailor its recommendations based on your budget. After planning and managing family holidays for my clan of 6 for well over 20 years, this is a life-changing feature!

4. The Best Birthday Party Checklist Ever

Far out, birthday parties can be stressful experiences. Invitations, themes, venue, entertainment, kids’ food, lolly bags, parents’ food, parents’ drinks, the list goes on and on. But if you haven’t already put ChatGPT to work as a party planner – then you’re missing out. Simply type in the age of the child and it can give you an entire plan. It will also give you 20-25 top tips that I guarantee will ensure you have everything covered!

5. Homework Help

If you’ve got a tribe of kids who are all at various levels and need homework help, then staying up to date with maths and science can be quite exhausting – particularly after a long day at work! Simply entering ‘explain’ or ‘explain so a 10-year-old can understand’ into ChatGPT will provide you with enough smarts to get that homework done. Of course, fact-checking ChatGPT is essential but what it will provide is some momentum in the right direction.

But A Word of Caution

ChatGPT can absolutely make your life easier as a parent but there are a few things to remember before you start typing into that chat box.

1. It Doesn’t Always Get Everything Right

It’s important to double-check everything. Ensure your kids also appreciate that everything online needs to be double-checked.

2. Be Mindful of Your Privacy When Using It

For a full explanation of its impact on privacy and how you can protect yourself, check out my recent blog post about . But to summarise: be careful what you share in the chat box, stay anonymous, and consider deleting your chat history.

3. Consider How You Use It With Your Kids

One of the biggest negatives of ChatGPT is its potential impact on creativity and thinking skills. Some schools and universities have banned its use while others have specialised programs that supposedly can detect whether a student has used it. While it does sadden me that our kids won’t need to struggle over complex maths questions or English essays like we did, I am a realist and believe that whether we like it or not – it is here to stay. My prediction is that the school and university systems will adapt because generative AI will be a part of our kids’ world. Our role as parents and educators is to teach them how to use it safely and with a critical-thinking mindset.

So, if you’ve dreamed about hiring a personal assistant (I do regularly!) then you so need to check out ChatGPT. It will help you get through your ‘to-do’ list, save you so much time and energy which means you’ve got more time to spend with your kids – or by yourself under a tree. You choose!!

Till Next Time

Stay Safe Online

Alex

Introducing McAfee+

Identity theft protection and privacy for your digital life


#ChatGPT #Happened #Family

By now, as the end of the first quarter of the 21st century draws near, everyone is surely aware that user passwords are digital gold, and that protecting them is a key aspect of ensuring data security and privacy. Yet despite this, not all companies store passwords properly still.

In this post we look at how NOT to store user passwords, and what methods are used by services that take security seriously.

The wrong way: storing passwords in plaintext

The simplest method is to store passwords in an unencrypted database. When a user tries to sign in, authentication is just a matter of matching what they enter against what’s in the database.

But there’s always a risk that attackers might steal this database one way or another — for example, by exploiting vulnerabilities in the database software. Or a password table might get stolen by an ill-intentioned employee with high access privileges. Also leaked or intercepted employee credentials could be used to steal passwords. Put simply, there are plenty of scenarios where things can go pear-shaped. Remember: data stored in open form is precisely that — open.

A slightly better way: encrypted passwords

What if you store passwords in encrypted form? Not a bad idea at first glance, but it doesn’t work great in practice. After all, if you store encrypted passwords in the database, they have to be decrypted each and every time to compare them with user input.

And that means the encryption key will be somewhere close by. If that’s the case, this key can easily fall into hackers’ hands along with the password database. So, that defeats the whole purpose: the cybercriminals will be able to quickly decrypt this database and get passwords in plaintext, so we end up back where we started.

As cryptographers jest in all seriousness, encryption doesn’t solve the problem of data privacy — it just makes it a problem of secure key storage. You can come up with some sort of cunning schemes that may reduce the risks, but in general it won’t be possible to reliably secure passwords this way.

The proper way: storing password hashes

The best method is not to store passwords at all. If you don’t have something — it can’t get stolen, right?

But how to check whether a signing-in user has entered the correct password? That’s where hash functions come into play: special cryptographic algorithms that scramble any data into a fixed-length string of bits in a predictable but irreversible way.

Predictable here means that the same data is always converted into the same hash. And irreversible means that it’s completely impossible to recover the hashed data from the hash. That’s what any online service does if it cares about user data even just a tiny bit and values its reputation.

When a user creates a password during registration — not the password itself but its hash is stored in the database along with the username. Then, during the sign-in process this hash is compared against the hash of the password entered by the user. If they match, it means the passwords are the same.

In the event of a database leak, it’s not the passwords that the attackers get hold of, but their hashes, from which the original data cannot be recovered (irreversibility, remember?). Of course, this is a vast improvement security-wise, but it’s still too soon to rejoice: if the cybercriminals get their hands on the hashes, they might attempt a brute-force attack.

The even better way: salted hashes

After obtaining your database, the hackers might try to extract the passwords through brute force. This means taking a combination of characters, calculating its hash, and looking for matches across all entries in the database. If no matches are found, they’ll try another combination, and so on. If there’s a match, the password that was used to calculate the hash in the database is now known.

Worse still, the process of cracking hashed passwords can be sped up considerably by means of so-called rainbow tables. Rainbow tables are huge data arrays with precalculated hash functions for most frequently met passwords. As such, they make it easy to search for matches in the stolen database. And it’s all done automatically, of course, so the password-cracking process becomes too quick for comfort.

However, there is some good news: it’s impossible to calculate the hashes of all possible character combinations in advance — a complete rainbow table for any hashing algorithm will take up more disk space than there is on the planet. Even for the not-overly-reliable MD5 algorithm, such a hypothetical table would contain (deep breath) 340 282 366 920 938 463 463 374 607 431 768 211 456 records. Which is why only the most common combinations get included in rainbow tables.

To combat the use of rainbow tables, cryptographers came up with a solution that utilizes another important property of hash functions: even the tiniest change in the source text alters the hashing result beyond all recognition.

Before a password hash is computed and written to the database, a random set of characters (called a salt) is added to it. This way, the databased hashes are modified to the extent that even the most basic, obvious and frequently used passwords like “12345678” and “password” cannot be brute-forced with rainbow tables.

The simplest variant uses the same salt for all passwords. But the most hack-resistant one creates a separate salt for each individual record. The beauty of this approach is that salts can be stored in the same database with no additional risk: knowing the salt does not make the attackers’ task much easier. To crack the hashes, they will still have to apply pure brute force — go through every single combination.

The more online services adopt this non-storage of passwords method, the less likely a mass theft of user credentials (and the subsequent trouble associated with account hacking) will occur.


#properly #store #user #passwords

Most of us have a digital identity, and it’s more valuable than you might think

They say everyone is likely to have a living, breathing Doppelganger. Whether you believe that or not, this is for certain: if you’ve ever used the internet to do something as simple as create an email account or social media profile—like most of us have—then voila, you do have a Doppelganger! However, instead of an identical twin made of flesh and bone that may exist in the real world, it’s actually you that thrives in the digital one. What’s more, that version of you has a digital identity, and it’s worth more than you may think.

Digital identity explained

The concept of digital identity might sound complex, but it’s pretty easy to grasp. Digital identity is essentially any personal data existing online that can be traced back to the real you. For example, photos you’ve uploaded to social media, posts you’ve created or commented on, your online bank account, search engine history… and yes, if you’re a gamer, your Steam account, too.

That said, we ourselves are largely responsible for providing the content and data that creates our online identities. What’s more, with a whopping estimation of 4.2 billion digital Doppelgangers thriving on the net—and especially when looking at it from a cybersecurity perspective—that’s just as many opportunities for exploitation to occur.

Your online identity can make others rich

As mentioned previously, your digital identity holds considerable value. There’s a host of outsiders that would love to get their hands on your personal data and will take various measures to do so. While the classic image of a hooded hacker clacking away on a laptop comes to mind—and it is true that cyber criminals are a threat—it might shock you to learn that Internet Service Providers (ISPs) can be just as deviant.

ISPs can sell your private browsing logs to ad companies who will pay top dollar for such information that helps refine their marketing objectives. Even famous game apps like Angry Birds have been found guilty of a similar practice. The point is, it’s not just individuals lurking in the shadows that are hunting for our digital identities, it’s big companies with public profiles that are cashing in at our expense.

Taking control of your digital identity

Digital identities are here to stay. As long as your online Doppelganger exists, there will always be someone hoping to exploit it. However, there’s good news: you can take a few steps right now to quickly and easily decrease the chances of that ever happening.

  1. Change to a search engine that respects privacy. Avast Secure Browser comes with advanced security that’s built directly into your browser, allowing you to browse, shop, and bank safely on any website while protecting your privacy.
  2. Protect your passwords using password managers. Simply put, password managers put strong encryption on your passwords and allow you to manage them in one place. In addition to several other cool things they offer, there’s an audit feature that checks for weak, duplicate, and old passwords. 
  3. Always use a VPN. A virtual private network (VPN) is software that establishes a secure connection between you and the server. Information moving between this connection is encrypted and cannot be read by your ISP. While this is a great start to concealing your browsing activities from your ISP, it does not hide the fact that you’re using a VPN. You can push that level of concealment even further if you use Avast Secure Browser’s built-in mobile VPN which makes itself appear to be just an ordinary site. Shout out to our engineering team for that one!

    Updated on September 25, 2023 with new updates and information.

#Digital #Identity #Avast

When I was growing up, I never gave much thought to the communications between my parents and my teachers. Typically, there was a back-to-school night; if ever I did something wrong, the communication was made in a phone call from the teacher or principal; and there were letters/results that needed to be signed by my parents.

Now, if you were raised in the 80s/90s and are a little bit like me, there’s a chance that your parents didn’t always see these letters/results and the letters maybe had a forged signature or two. To be fair, karma caught up with me on a few occasions and my son wrote a note to his teacher once as well signing it with “Love, name redacted’s Mom”.

While my son’s note gave all involved a chuckle, in all seriousness, technology has now enabled communications between parents and teachers and also teachers and their students. Likewise, there are multiple ways for students to connect with other students. With all these tech-enabled communications for school, there are multiple “human element” fail points – so being a security company with a blog, we’d be remiss not to offer some tips to keep you and your kids safe and sound.

Parent to teacher

Who remembers the pandemic? You know, the one that introduced us to the lovely world of remote learning. At the time, it was nice to see how the educational system was flexible enough to embrace technology quickly and assure that the kiddos’ education could continue.

Fast-forward a few years to today and the technology still has a firm grip within the school systems. As a resident of the U.S., my children are now using Chromebooks vs textbooks and there are various apps that the teachers use to keep us up to date on progress. There are a number of these apps and they’ll vary from case to case, but ours are Remind and Google Classroom.

While these platforms are very integrated and easy, they still also tie into emails. So parents should be extra careful to make sure that the sender and the links within mails aren’t malicious.

Student to teacher

The above-listed apps are also used for students to communicate with teachers; however, they also have the added level of an internal email that could be used to communicate with the teachers directly. While email in Google’s ecosystem should be locked down and be more of an internal messenger, it’s good practice to let kids know they should be cautious of what they’re sending to teachers, as well as the links that teachers are sending along that direct them outside their school’s ecosystem.

Student to student

Perhaps the most tricky part of kids going to tech-enabled school is that we live in a tech-enabled society. This means that (almost) everyone has a smartphone or other connected device and the ills that come with them – including messaging apps, social networks, a camera and SMS.

Perhaps the biggest risk that we have when discussing schools and tech is the phones within the pockets of our little ones. There are simply too many avenues for sharing that our kids can take advantage of. As parents, we need to make sure that we have them set up with a device that’s secure. And before you say it, NO – the device is not secure out of the box, despite marketing messaging. You should make sure that you install a reliable security solution on any device your kids use to help add in a layer of extra protection. Here are some tips that can help further securing the phone.

Sharing is not always caring

This final tip is for both parents and kids. Repeat after me: Sharing is not always caring.

While many applications provide the ability to share what you’ve received via various channels, when it comes to schooling, this should be avoided. Also, as mentioned, our phones are the biggest risk to us.

We literally have at our fingertips the ability to broadcast our opinions, thoughts, pictures, videos…  even what we’re doing on the toilet in real time and to the whole world. Sure, this is empowering, but it is also something that could come back to hurt us.

This is a lesson we need to remember as parents and also to impart to our children. Being prudent is a huge part of life: not everything needs to be shared. We all need to take a minute to take a step back and think about what we’re doing before hitting send.

Now, before I preach to the choir, I’ll admit that I often post stupid things: you can see this on my X, for example; however, I still think before hitting send. As parents, we need to let our kids know that the stuff they post could not only get them in trouble (broadcasting fights, illegal activity, etc.), but also that there are things that could hurt them well down the line in the employment space. As they say… the internet never forgets!


#protect #childs #privacy #social #networks #IMs