Author: Jamie Glennon

If you read my material, listen to me talk or see my comments on any number of the social networks out there you will clearly know that I have a strong belief that every single one of us on the planet has already had our personal identity information compromised, stolen or breached in some form. We are already ALL victims and it is only a matter of time before our “number is up” and someone takes a run and taking over our identity. Sorry to be the bearer of bad news there.

The Equifax breach in 2017 is really just the tip of the iceberg and I hope that it is a wakeup call for those that feel they are not at risk or have the belief that it will “happen to the other guy”. WRONG! You are the other guy, and so is the other guy, and the other guy, and the other guy ….

Feel free to email me when you find out one day someone has taken control of your life through identity theft. It’s going to happen, unless of course appropriate actions are taken by the organizations that have a chance of “helping” the situation. Not “fixing” but helping. There is no fix to the largest enemy and risk people face of falling victim to identity theft. That enemy of course is themselves!

In the absence of being able to reprogram peoples brains to do simple things like manage passwords properly and not share every detail about their lives on the social media, the governing bodies responsible for the foundational establishment of identity and the associated identity information of people need to step up and take control. This of course being GOVERNMENTS.

Today in the physical world government is on the hook to manage and protect the identities of individuals whom are in their jurisdictions. This is done from birth through death and is managed through “government issued identification”. There are mature and well understood procedures, standards and governance frameworks around the issuance and acceptance of government issued ID and although it is not foolproof it is at least something to build upon.

In the digital world everything is just a “click away” and every person, place and thing is wired (future post on the privacy issues of this, but let’s save that one) which amplifies the requirement. Governments worldwide need to move to protect their citizens in the digital context in the same way they have in the physical.

Hence we need priority on the development of “GOVERNMENT ISSUED DIGITAL ID”.

The foundation for this needs to be based on the fact and acceptance that we are all breached. We have been exposed. No information is sacred and we can expect that not to change in the future.

The simple question that governments need to answer is ” If everything is exposed and available for misuse, how do I know it’s actually you when you are legitimately representing yourself ?” (Hint: The question is simple, the answer is not).

We as a society need to assume that everything about us is completely opaque. I would even suggest that we could just go ahead and make everything available since it is already. Heck, it could even put a damper on the “dark web” where the identity information of a person can be bought and sold then used for fraud and identity theft. Of course I don’t really think we should do that, but you get the point.

How we electronically identify that it is the the actual individual presenting their information digitally should be top priority for national, state and provincial governments whom generally are the managers and governors of identity information of their citizens.

Technology, processes and governance needs to address this in the digital context just like in the physical context. The thing that is missing of course is that one thing that always seems to get in the way : COST. That is a difficult one to overcome because of the massive investments in legacy systems, processes and procedures that would need overhauling, but we do need to start somewhere.

I can tell you from experience having worked with governments to initiate these types of things that there is no where near enough resources being allocated to this problem. Some countries are addressing the problem with national initiatives but they are few and far between and are having mixed results.

The private sector can assist with this problem, but as we have seen it is within the private sector that the majority of the problems are actually occurring. The largest data breaches that have occurred in recent months have been non-government organizations. Private sector companies collect, retain and store identity information in the interest of delivering sought after goods and services to those very citizens we are discussing, thus they operate on a different playing field than governments. That of course is why  the governance and controls really need to be put in place.

Until such time that we have a ubiquitous digital government ID, I suggest 3 things:

1.) Do not share your personal information with any company unless you have to and when you do, share the minimum.

2.) Contact Equifax or TransUnion and get a copy of your credit file annually. You are generally entitled to a free one annually and don’t need to subsribe to their monthly service. You just may need to dig up the free application on their site. Search for something about “Consumer Disclosure”.  Links below to help.

3.) PLEASE CHANGE YOUR PASSWORDS regularly and if you hear about something called a “security key” or “second factor” or “two-step”login”, please do yourself a favour and learn how to use it. Email me at jglennon@glennon.ca if you want tips on that.

Jamie G

Click the follow to be taken to Consumer Credit Report access:

TransUnion Free Consumer Disclosure

Equifax Free Consumer Disclosure

 

 

I regularly hear complaints from people about the hassle of having to answer those pesky security questions every time they setup “yet another” account on the internet. These questions can be referred to as any of the following:

• Security Questions
• Challenge Questions
• Account Recovery Questions
• Password Reset Questions

Regardless of how they are described they serve a common purpose. They are meant to help an individual provide some form of evidence that is them in the event that the service needs to verify that it is them. This is done for many purposes of which the most common for online services is to reset a forgotten password.

To call them “security questions” is almost an oxymoron based on my experience. The questions that are asked are often far from secure, and may in actual fact create opportunity to hack accounts far easier than password cracking.

To be clear about this, let me make a statement that people may not understand. On many websites, a “hacker” does not have to have your password to compromise your account if they can figure out your security question answers. They will actually use the security questions to change your password and let themselves in. If there isn’t a second step to do this (like sending a code to a cell phone) then you could be in for quite a surprise even if you have taken my advise and made a strong password.

This also becomes a problem if you have been hacked even if you have taken the steps to have secondary checks on login. For example, if it is set up with an account (let’s say an online banking account) that login from a new and/or unknown network requires a “security question” it isn’t very secure if it asks you what city you were born in, your high school name, your mothers maiden name or your favorite sport. The answers to those questions are likely publicly pasted all over the internet on your social media accounts or social media accounts of your friends. It is quite possible that the “hacker” may already be into your social media account if they have hacked a password (remember, don’t reuse passwords).

Because of this, it is paramount that the answers you give to these ‘pesky’ security questions not be overlooked and I am going to give you the best piece of advice I possibly can on this. For all of those questions you are asked for LIE!

If you were born in Toronto, make the answer London. If your mothers maiden name is Jones, answer Smith, etc. Of course, YOU need to know the answers the questions and that won’t be hard if you are consistent with the answering. Just make sure you keep it a ‘secret’.

Security questions are an important part of the verification process when conducting transactions online and you really need to take them seriously. You usually have the choice of questions, so as long as you LIE on the answers there is nothing wrong with picking easy questions like those noted above. Just make sure you remember the answers.

Picking easy questions with real answers because they are easy to remember for you means they are also easy for a hacker to figure out.

Stay safe.

Jamie G

If you just recognized 1q2w3e4r  as your password and you are shocked that I called it out, you should be aware that you are not alone. Not only do I know this is your password but so does pretty much every hacker on the face of the earth. Your tricky keyboard pattern for a password isn’t as tricky as you thought after all.

It’s the beginning of 2017 which means all of the organizations that do research in the Information Technology security space are starting to release their statistics for 2016 and the lists of most common passwords found in data breaches.

For a person like me who talks a lot about these things and is working with government and industry to help fix the problem, this is where I gather a lot of my data. This information shows up in my blog posts, presentations, seminars and my rants to people that cross my path in person.

Let me start by saying what I have said so many times before, people are lazy. When I speak of this, I don’t mean in terms of a Netflix binge versus doing the dishes or leaving your grass to become a forest over the course of the summer. In this case I am specifically talking about the lack of effort people take to do the “simple” things that are required to protect themselves from identity theft and potential financial and personal hardship.

Yes, again I am talking about password management.If you don’t think it’s important, let me know how things are going after you have had your identity stolen.

Let’s review the four main points I always  like to focus on:

1. Use ‘reasonably’ difficult passwords. Click here for some help on this. 
2. Do not reuse passwords on multiple sites. If you are hacked on one site, you are hacked in them all. Ever notice your Amazon ID is your email ID? (hint hint)
3. If you ignore item number 2, make sure that your primary email has it’s own unique password and not used anywhere else. Email is the doorway to your life. Same holds true for you online banking. Make those “special” and different from all others.
4. If at all possible, enable some kind of two-step or second-factor login on your important accounts. Information on enabling this on your Google account can be found by clicking here. 

I am willing to be somewhat lenient on number 4 because it does take a bit (not a lot) of effort and a little bit of understanding of how to link your phone or a USB device to your account, but number 1 and number 2 should be mandatory and number 3 should be written in law. Not taking the time to do these is essentially welcoming identity theft into your life. I can assure you that the time it takes to do these actions is far less than the years of hardship you may suffer if you become a victim of identity theft.

Also of note, if you don’t know where the 1q2w3e4r password in the title of this post came from  have a look at your keyboard and type it out. Any form of simple pattern on the keyboard is right at the top of the list with hackers.  Same holds true for QWERTY, QZWXECRV , `1234567890-= and many others.

In this hyper connected world you are already on the identity theft attempt schedule. If you have been clear so far, your number just hasn’t come up yet. I suggest you don’t assist the people that are trying to make your life a living hell that could take years to recover from, if ever.

Jamie Glennon

www.safeidentitycanada.com

As a person who makes a living trying to help government and citizens protect themselves from hackers and criminals online, I spend A LOT of time talking about passwords. If you know me well, you are more than aware of my feelings in this area. See my other blog posts or chat with me in person sometime. 

Today after a couple of days away working with one of those “government” clients mentioned above I opened the Delta Optimist newspaper to find an article that lit me up like and over pressured flamethrower.

Password changed, but not easily remembered

 

 

It goes without saying that if something sounds fishy, it probably is. I have written before about scammers calling  being very aggressive and saying they are the CRA. There has also been calls to people and business owners in the same context saying that they are BC Hydro and are shutting off their power in 5 minutes unless they pay their bill with Visa Gift Cards. All scams.

The CRA nor any other reputable organization will ever ask you to pay a bill with gift cards. Nor will they ever phone you out of the blue demanding money. If you haven’t had several letters from the CRA looking for payment on taxes, you will not receive a call. Even if you do owe back taxes and they contact you, they will look for a payment in a calm and normal manner. Just make sure you are open and up front with them and you can easily work out a payment schedule. They will warn you not to miss a payment without contacting them first. If you don’t call them and you default on your committed schedule they still won’t call demanding payment. They will  go straight to your bank with the appropriate authority to garnish wages and withdraw from your assets. At that point you will get a call from your bank. 

The person in this article actually listened to the proclaimed CRA caller and purchased $20,000 in iTunes cards to pay their alleged taxes owing by giving the iTunes card number and activation code over the phone. I am hoping that people reading this would hear LOUD alarm bells going off all over the place with that one. 

Calgary CRA iTunes Payment Scam
If you actually do get a call from someone looking for payment and you aren’t sure about it, kindly tell them you are busy at the moment then follow up immediately with the “claimed” organization through a way that you know is legit. 

If you get a call from someone claiming to be from the CRA or other organization and they are being a completely aggressive jerk, hang up immediately! You can then call the CRA or whomever and report the incident. You can find more information on the RCMP

RCMP Canadian Anti-Fraud Centre

Jamie G

As many know I am working with government and standards organizations to help the Digital World eliminate passwords through the use of easy to use alternatives that involve mobile phones and other wearable devices. In the not too distant future you will use your mobile phone (or smart watch perhaps) to login to your PC, MAC, email or bank account amongst other things. You will need the actual physical device (phone) in hand to access your account. No passwords floating around the Internet to be hacked and stolen. A hacker would need to actually steal your phone AND be able to unlock it. 

No sense it denying it though, it will be a while before that becomes ubiquitous across the Digital world. We are stuck with passwords for a little while still.

I found an online service that is really quite useful for the average person to check to see how strong their passwords are. If you have seen any of my past posts here or elsewhere you know I am an advocate of coming up with passwords that are meaningful only you, but to others look like a scramble of characters. 

http://www.passwordmeter.com

In review, here is an example of what I do for passwords that is secure and easy. I make up sentence and turn it into a password inclusive of some random special characters

Here is my sample sentence: “I run for seven kilometres per day”

Here is my derived password from that : Irun4:7Kmpd

As you can see from the password I have used only the word “run” which you could still just use an ‘r’ and still meet the usual minimum 8 character requirement for passwords, but I used the full word to make it 10 characters while keeping the sentence not too long. I use the first letter of words,  mix in some capital letters and thrown in a random character “:”. It really is a lot easier to remember this than some crazy random generated password for us normal humans with too many things on our mind creating all kinds of short term memory loss. It is also SIGNICANTLY more secure than what most people are using today.

So let’s test this with our password meter. 
  
Let’ s now contrast that to using your dogs name with a couple of numbers attached to it like most people do (you know who you are) to make up the usual 8 character requirement:  fluffy123

 

Note that fluffy123 is particularly weak because of the repeated characters and in actual fact a lot of applications may not even let you use this. You may be forced to do something like make at least one character a capital letter or add a special character. I did want to use it to make my point though. 

Passwordmeter is really quite easy to use and works well in conjunction with my sentence based method.  

With Internet crime being so prevalent it would seem that everyone should be doing this at minimum. However, most people tend not to react till they are hacked and even then, they may change fluffy123 to Fluffy321 thinking that they have fixed the problem. Nope. Wrong. Last year Russian Hackers gained access to about 1.2 Billion passwords a lot of which are just sitting in their databases waiting to be used. They are sold on the black market and have the potential to do a lot more than just look to see who you are friends with on Facebook or Snapchat. Most people use the same password on GMAIL and their bank account. And as it turns out, the hacker finds out who you bank with by looking at your email.

http://www.cbc.ca/news/world/password-hack-affects-1-2-billion-accounts-more-at-risk-1.2728865

In a future post I will talk about password management tools like LastPass and 1Password. But if you want to take a look now at home to manage the 100+ passwords you already have you can look now at these products. Google “Password Management Software” and you will get lots of information. I use 1Password for my 160 passwords. 

In the meantime, change your password and don’t use the same one on every site you access and make sure to use unique ones for the most sensitive sites like your online banking and email accounts. 

Jamie G
Info on Passwordless technology can be found at : https://fidoalliance.org/about/overview/

This is a pretty short video but it gets the point across. One thing that is in there that I can’t stress enough is not to give anyone your personal information unless you are absolutely sure who they are. Just because someone calls you and tells you and knows your name and some of your personal information does not mean they aren’t scamming you. A lot of standard information like name, address phone number and information on your wife and kids isn’t hard to find on the Internet.

A key thing to remember is that if someone  calls you and asks ‘you’ for your account number or something similar, that should be a red flag right there. If they are calling you, they should have that information.

Never hesitate to say you will “call back” or are busy and then turn around and call your bank or the CRA to verify that they are trying to get hold of you. And as I have said in the past, the CRA and most banks will always send a letter (or several) before ever calling you at home for any reason.

Be safe.

Jamie G – Safe Identity Canada

 

 

 

I have posted about this in various different forums in the past but thought I would do an actual blog post on what has been a long standing scam on the internet.

I got an unsolicited call today from a fellow with a really heavy Indian accent stating that my computer has downloaded some malicious code and he is going to help me with it. He claimed to be from the “Windows Technical Department”.

If you want to read another post from almost 5 years ago you will get the just of the call. The irony is that it is clearly the same person and even uses the same CSLID code. If you Google “CSLID” you will get all kinds of scam links come up.

http://www.infosecisland.com/blogview/15066-Cyber-Criminals-Just-Came-A-Callin-At-My-House.html

It goes without saying that you will never get a call from some random company that has information about your computer being infected. You will note that I started asking questions and he simply diverts them by changing the topic. I had exactly the same call last year and aggravated the caller (who may have been the same guy) to the point that he hung up.  He asked me the name of the computer and I told him it was “Wombat 37” which was a name I totally made up. He said that he thought that was the right computer. I asked him the IP address of the computer that was acting up and he told me it was ‘illegal’ for him to know the IP address. That is a funny one. He said that is why the CLSID is there because of that.

Today I just kept him hanging and optimistic perhaps that he had a ‘live one’ until I finally got bored and told him that the “Royal Canadian Mounted Police Cybersecurity website” kept popping up. At that point, he got suspicious and I ended the call.  Here listen to the audio if you want to hear what these calls sound like:

More information on the various cyber scams can be found on the RCMP Cyber Crime website:

http://www.rcmp-grc.gc.ca/scams-fraudes/index-eng.htm

Have you every had one of those calls that gets you all bent of of shape because you think your are in trouble but something just doesn’t sound quite right? Have a listen to this call below I received today from the “Canada Revenue Agency” stating I am under investigation. Note that the call doesn’t actually say who they are calling, and also doesn’t leave a call back number.

If the Canada Revenue Agency were to be contacting you about a problem they would do so via Canada Post (snail mail) several times before taking the action of calling you. They would also actually say who they were calling for and would leave the CRA Call Centre number.

The ‘scammers’ who are doing this (much like the “You have won a Westjet Holiday” calls) are harvesting for vulnerable people to take advantage of. In this case they will tell you aggressively that you owe money and have to pay now or there will be legal repercussions. They may even say that the fastest way to pay is with “prepaid” credit cards. THAT is definitely a sign of a scam no matter who you re talking to.

You will NEVER receive a call from CRA or a financial institution and have them ask you to verify who you are by giving them your personal information. You will receive a letter in the mail stating that you need to contact them (sometimes with a reference number) at which point they will be able to verify it is you who is calling.

Best thing to do is just hang up on these scammers. However, if you feel you have been scammed, call your local police and file a report and immediately contact your bank. They will likely provide you assistance. You will want to contact Equifax Canada and TransUnion Canada whom are the two national credit bureau’s and register a fraud alert with them.

Contact the Canadian Anti-Fraud Centre

The following is directly from the Canada Revenue Agency “Protect Yourself Against Fraud” web site.

Know how to recognize a scam

There are many fraud types, including new ones invented daily.

Taxpayers should be vigilant when they receive, either by telephone, mail, text message or email, a fraudulent communication that claims to be from the Canada Revenue Agency (CRA) requesting personal information such as a social insurance number, credit card number, bank account number, or passport number.

These scams may insist that this personal information is needed so that the taxpayer can receive a refund or a benefit payment. Cases of fraudulent communication could also involve threatening or coercive language to scare individuals into paying fictitious debt to the CRA. Other communications urge taxpayers to visit a fake CRA website where the taxpayer is then asked to verify their identity by entering personal information. These are scams and taxpayers should never respond to these fraudulent communications or click on any of the links provided.