“What’s that password again? Wait, I changed it … Harrumph. I don’t remember!” We’ve all been there, sometimes many times a day. Password autofill on our Web browsers felt like the sun was shining on our online activity again. Sorry to tell you, but this convenience may not be entirely safe.

Most browsers will ask after you’ve entered a new password into a site or changed a password if you want it stored for you. That way, when you revisit that site, the browser can autofill the access credentials for you. It saves you the struggle of trying to keep all your passwords straight.

The problem is that some sites, including legitimate sites, can be compromised with a hidden form. You’ll never see it, but your browser will. So, it will autofill that form, and in clear, unencrypted text. This allows bad actors to capture your username and password without your knowledge.

Another risk? Irresponsible digital marketers may use hidden autofill forms to track your online activity. That’s done without your consent.

Using browser autofill with a password manager can also cause confusion, especially if your browser autofills, whereas the manager asks before filling in forms. Using both at the same time you also run the risk of duplicating passwords, which could make it difficult to track your passwords and increase the risk of security breach.

How to disable autofill

You can protect your passwords by disabling autofill on any browser you use:

On Microsoft Edge, go to Settings, then Profiles, then Passwords, and disable “Offer to save passwords.”
On Google Chrome, go to Settings, then Passwords, and disable “Offer to save passwords.”
On Firefox, open Settings, then Privacy & Security, then Logins and Passwords, and “Autofill logins and passwords.”
On Safari, from the Preferences window, select and turn off Auto-fill.

Can I keep using password managers?

A password manager, such as LastPass or 1Password, typically provides more security than browser autofill. Password managers have strong encryption algorithms to protect your login credentials, which means that even if your device is compromised, your passwords are safe.

Still, if the manager autofills your credentials, you face the same risks. Most password managers have autofill disabled by default. That’s good. Leave preemptive autofill off. You might see it called “Autofill on page load.” Keep that turned off, too.

Our advice? Use a password manager that requires you to click a box before it fills in your credentials. This action avoids your information from automatically populating a hidden form.

Securing your online activity is an ongoing challenge. Our experts can help identify ways you can protect your privacy and data online. Contact us today at (888) 234-WDIT(9348).

News of data breaches is all too common. This company apologizes for six million accounts breached. That company acknowledges hackers accessed 35,000 users’ personal identifiable information. But the question that probably matters most: Is your data breached, too?

The company should contact you if your information is in a data leak, but you can’t rely on that. You can also find out if your phone number or email address has been leaked by visiting https://haveibeenpwned.com/.

HaveIBeenPwned has uploaded various breaches and consolidated the information to make searching easy. Enter your address and get a list of breaches that compromised that email. You’ll get a summary paragraph as well as a description of data compromised in each breach.

It is not uplifting reading!

Next, the question is what to do about your breached information.

Steps to Better Security
First, change your passwords for those breached accounts. If you use that same password to access other accounts, change those passwords, as well, even if they are not listed as leaked.

Always avoid reusing passwords. Yes, it can be a hassle to remember many different access credentials, but you risk exposing many accounts if you keep reusing one email address and password combo over and again.

Make using unique passwords for all accounts easier by using a password manager. A manager can store your many passwords in one place and generate strong ones to use. You can often download an app to your mobile device, which gives you the convenience of filling in your credentials when you’re on the go, too.

The next step is to use two-factor authentication (2FA).

Understanding 2FA
This adds a layer of difficulty for hackers trying to access your accounts. Even if they had your username and password, they would need a second way to verify your identity.

Using 2FA requires you to provide one of the following before you can gain access:

• something you know (e.g. the answer to a secret question);
• something you have (e.g. your smartphone);
• something you are (e.g. your fingerprint).

A bad actor would need to have not only your leaked credentials but also your other "something."

A common approach to FA is an SMS text message or voice-based authentication. You enter your credentials, then the site follows up with a text or phone call providing a separate code you must then enter. This is not the best method, however. Scammers can hack the SIM card associated with your device, and then use your number to make and receive calls and texts.

Software tokens for 2FA are a safer solution. You’ll download and install an application on your phone (e.g. Authy or Okta Verify). It can generate a unique verification code that is valid only for 30–60 seconds.

Want to learn more about password management and soft-token 2FA. We’re here to help. Contact us today at (888) 234-WDIT(9348).

If you play the popular SIMS life-simulation video game, you could think SIM jacking means someone takes over your characters, but the reality is even worse. SIM jacking is a type of identity theft targeting your real-life identity via your phone.

In SIM jacking a bad actor uses the subscriber identity module (SIM) card associated with your cellphone number to make calls, send texts, and use data. This has several potential negative outcomes:

• Your phone bill goes off the charts with international calling and data usage fees.
• They might impersonate you by sending texts to scam your friends and family.
• They can sign up for new email and social media accounts using your phone number.

Most importantly? They can use your phone number and SIM card to sign into your personal accounts. Many of us use text messaging for authentication. That’s when a site, say your bank, sends a code to your phone to confirm it’s you.

Now, imagine the criminal has access to your bank account through a leaked password. Whereas they couldn’t get in before because of two-factor authentication, they now have your SIM card, too. That means the SMS to authenticate your account also goes to them. They’re in, and you’re out.

How Does SIM Jacking Work?
Typically it starts, as so many cyberattacks do, with phishing. You might get a text or email that looks like it is from the cellphone carrier that asks you to click on a link. It might tell you there’s been suspicious activity on your account or that your bill is past due. It’s usually something that will make you anxious and feel the need to act urgently.

You’re taken to a fake website where you provide your name, address, cell phone number, and date of birth. With the right information, the scammer contacts your phone carrier and asks for a new SIM card. Once they have that in hand, they access your account and take over your cellphone. If they pair that with leaked credentials, they can really do damage.

If you’ve been SIM jacked, you’ll find out after the fact. You will no longer have a signal connection, so you won’t be able to send texts or make or receive calls. You may also have difficulty signing into the hacked accounts.

If you do think you’ve been SIM jacked, contact your carrier ASAP. Also, change your passwords and let your friends and family know. Otherwise, they might fall victim to a malware attack that appears to come from you.

Protect Yourself from SIM Jacking
Be careful with your personal information. Be wary of any requests to share your sensitive information online. Avoid taking action based on text messages or emails from people you don’t know and trust.

Protect yourself by using an authentication app such as Google Authenticator or Authy. Do this instead of using text messages to authenticate yourself online.

Always update the applications on your smartphone. Yes, it seems like there are constantly new updates, but they can be protecting you from vulnerabilities.

You might also get a request to restart your phone. This is a common sign your SIM card has been hacked. If you do it, you’ll lose control of your SIM card. So, call your carrier first.

It’s also a good idea to regularly review your phone bills for any charges that you don’t recognize.

Want to protect your online activity? Our IT experts can help update your applications and identify any vulnerabilities. Contact us today at (888) 234-WDIT(9348).

The holidays are busy. We’re trying to get work done to have some fun, and we’re hosting family and friends. Plus, parents that have the holiday Elf tradition must remember to move the doll every night. It’s a lot, and it can make us more likely to fall for scams that can lead to data theft.

Hackers like to take the path of least resistance. Why work harder than they have to for their ill-gotten gains? Instead, they’ll use social engineering to get you to give them your data or download their malware. Look out for these top holiday scams.

Parcel delivery scams
More people are expecting packages this time of year. Bad actors take advantage of this with what’s called a smishing scam. It’s a particular type of scam using text/SMS messaging. You get a message from a known service telling you a delivery needs rescheduling, or that there’s an outstanding fee that needs to be paid.

Recipients, who are already expecting a package, are quick to fall for the request. Clicking on the message link, they enter personal information or download malicious software.

Tip: Go to the source of the package you’re expecting and see what they’re saying about your package delivery.

E-card scams
Another common holiday season scam takes advantage of our enthusiasm for money. Scammers send e-cards to your email. When you click on the link, you’ll download a virus or other malware (e.g. ransomware).

Tip: Check the credibility of any e-card sender before downloading the “gift.”

Christmas hamper scams
Everyone wants to be a winner, but don’t fall for the scammer calling or emailing to say you’ve won a Christmas hamper. They’ll claim to be from a legit organization and have some of your personal information already. That helps them make it all seem genuine. Then, they’ll ask for you to provide more personal details to collect your prize or gift.

They may ask only for your full name, address, and phone number (if the request was emailed). They’ll be collecting this information for a more focused attack in the future.

Tip: Use strong passwords and be careful about what personal details you put on social media.

Fake websites
Many people shop sites that are unfamiliar to them at this time of year. Grandparents (even parents) know nothing about that latest trendy shop! Bad actors will set up fake sites offering gifts and services. They're looking to get your personal details and money.

Tip: Prefer secure website addresses starting with “https” and displaying a locked padlock.

Shopping scams
Every season has its in-demand items. Scammers take advantage of this and set up ads for amazing deals on those items. Desperate to get this year’s toy for your toddler, you might be hooked. Or they’ll ensure people click on their ads by offering ridiculous deals. If you do get the item purchased via these ads, it’s likely to be a sub-par counterfeit.

Tip: Shop with retailers you know and trust.

Bank scams
This scam operates year-round, but bad actors have an edge in the holiday season when people spend more. Fraudsters typically call, text, or email as your bank having noticed suspicious activity. They get you feeling anxious and then urge you to take action (e.g. click a link or share personal details) to address the issue.

Tip: Remember that banks never use unsolicited calls to ask for personal details, pressure you to give information, or tell you to move your money to a safe account.

Protecting yourself this season
The tips shared throughout this article will help. At the same time, setting up password managers and antivirus software can also be useful. We can help you secure your online activity year-round. Contact us today at (888) 234-WDIT (9348).

Changing your email is never fun, but it can be necessary. When you need to make a change, there are several things you need to consider. Follow this checklist to ensure you don’t lose data, keep up with your old contacts, and avoid security risks.
There are many reasons someone might decide to endure changing their email address. These include:

• losing access to the old one and not being able to recover that account;
• changing your internet service provider (ISP);
• having to stop using a professional email for personal messages too;
• falling victim of identity theft;
• deciding to give yourself a more professional email by changing your address from yourbusiness@yahoo.com to you@yourbusiness.com;
• not feeling as proud of your hotbabycakes@hotmail.com address now that you’re above the age of 14.

Whatever prompts your move, try these tips to avoid missing mail and risking account compromise.

Notify your contacts of the change
You will probably be amazed at the number of people you have in your contacts folder. Still, you can make the change easier by letting your friends and family know that you have a new email address.
When you send out a message to your contacts, respect people's privacy. Send your update with their names in the blind carbon copy (BCC) line.

Migrate your old inbox
Most domain providers make it simple for you to migrate your old emails and contacts. Once you set up the new account, you’ll typically be able to go into Settings and find an option to import your old data. You may have to migrate the inbox and the contacts separately.

Don’t move on too quickly
You may be ready to move on, but don’t delete that old email address too soon. It’s a common mistake. Instead, try to hold onto your old email as long as possible. You don’t have to continue using it, but if you still have access, you can:
set up forwarding so that any emails to your old address will go to your new one;
see what emails are still coming to identify accounts you might have forgotten to change.

Inventory all accounts using that address
Use a password manager? We recommend its convenience. Plus, you can search there for accounts using the old address. The password manager can be a landing page for you to jump to all those accounts and make the necessary changes.

Inspect your trash and old emails
To help you think of other sites connected to the old email address, review your trash and sent emails.
Think also of accounts that may use that email address for recovery. For instance, you may have set the old account as a backup for PayPal, online banking, or streaming services. If you don’t change the recovery address, you might have difficulty regaining access to that account.
You might wonder why you should bother doing this. If you don’t, someone could claim your old account and gain access to your connected accounts. If you press a recover password link on a banking site, for instance, that email will go to that person instead of to you!

Get help making the email move
The many little things to take care of when you change your email can make this a big deal. Our IT experts are here to help. We can set you up for simple, secure email communications in the future. Contact us today at (888) 234-WDIT(9348).

The average individual has 100 passwords to remember, according to a NordPass study. Apparently, no one has studied how many we actually remember versus how many we reset over and over. No matter. New developments could save us from having to remember passwords altogether, as major players are moving to a single passkey sign-on approach.

What is passkey sign-on?Apple, Google, and Microsoft have joined forces to support “passwordless” sign-in across all their mobile, desktop, and browser platforms. The initiative, announced in May to coincide with World Password Day, is expected to roll out in 2022/23.

What does passkey login involve? Users choose a physical device to use to authenticate them on apps, websites, and other digital services. For many of us, this would be a mobile phone. You’d unlock the phone as you normally do. Then, you could enter a PIN, draw a pattern, or use your fingerprint to sign into the digital services you need.

To put it simply, it’s a four-stage process:

1. You navigate to the site or app or service you want to use.
2. You approve access using your passkey device.
3. A public passkey (mirroring the private one on your device) is shared.
4. Login is completed.

You don’t need a password, because the login is done using a cryptographic token (the passkey). Your selected device shares that passkey with the website, app, or other online services.

Advantages of the passkeyUsing a passkey means you need to remember only the one PIN or pattern to unlock access … or have fingertips! And you don’t have to come up with a complicated passphrase either, which means no more frustrating upper and lowercase character, number, and symbol combo.

The passkey sign-in method is touted as more secure. Passwordless authentication makes it more difficult for hackers to compromise login details. After all, they would need access to the physical device you use to access digital services, apps, and websites.

You keep personal information safe and cut password vulnerabilities that plague us today:

• Phishing attacks, which use fake websites to capture login details, won’t work.
• Brute-force attacks, which use trial and error to guess credentials, won’t get anywhere.
• Spoofing your device will no longer work, as the passkey device must be near the computer.

Another plus? Passkey security is being set up to offer multi-device authentication. You’ll be able to sign in to an app or service from almost any device, and it won’t matter what platform or browser you’re using. So, you could sign in to Google Chrome and run Microsoft Teams using your iPhone, for instance.

Making the most of multi-factor authenticationPasskey security will use a FIDO standard to authenticate you in different contexts. This is a passkey protocol already supported in some online environments, but major players are now coming together to make it more widespread.

With a passkey that is unique to you, you’ll no longer have to worry about keeping track of multiple passwords.
​
Still, until this technology is available, you’ll want to protect your online activity. Our experts can help secure your home networks and set you up with a password wallet. Contact us today at (888) 234-WDIT(9348).

​All of us like to think we are unique. That thinking extends to our passwords too, right? We’re special and distinct, so no one could guess our chosen collection of letters, numbers and symbols. Well, it’s surprisingly easy for algorithms to determine passwords and to do so extremely quickly. So, a password manager is a smart move, as you’ll have more complex, different passwords stored. Still, it’s important that your master password for that manager be 100 percent original.

Sure, your password may be difficult for a human to guess – it would take forever. But, computers can run through the possible combinations in seconds. Password Depot found that a password consisting of five characters (three lowercase letters and two numbers) can be hacked in 0.03 seconds.

Add characters and the volume of possible configurations increases, and that adds time. A seven-character password (one capital letter, six lowercase letters) will take approximately nine minutes. At eight characters (four lowercase letters, two special characters, and two numbers) things get more complicated. Trying all the possible permutations will take 2.6 days.

That’s a data-driven argument for complex passwords with many letters and numbers. But the problem is that they are so much more difficult to remember, and that’s why it’s a good idea to use a password manager.

The power of a password manager

A password manager offers top-notch encryption to protect passwords. You can use a password manager as a vault for all your passwords. When you want to log in online from your desktop, it can prefill your username and password. Often, there is also an app that allows you to do the same on mobile devices.

Industry-leading password managers also notify you if credentials are weak or get compromised. They may also flag that you are repeating access credentials, which is not a good idea.

Don’t forget your master password

Part of the appeal of a password manager is its zero-knowledge approach. They are set up so that they can’t see your stored passwords. The password is encrypted before it reaches the manager’s server and can’t be deciphered.

This means you have to be careful not to forget your master password. The master password is the one you use to access the password manager. Without it, you’ll have to try to recover your account using several stages of authentication.

Make your master password unique, and don’t use it anywhere else. Repeating passwords, as mentioned above, increases your risk of getting hacked. If the other site is hacked, the bad guys could try that same password on other sites, too. It’s low-hanging fruit for them.

The current best practice as far as passwords go is to use a passphrase with a mix of alpha-numeric symbols. This gives you a length of between 20 and 30 characters. You can use a variety of uppercase and lowercase letters, numbers, and symbols. Some examples of passphrases include:

• My_Fave_Person_is_My_Fish_761
• Mytrip-2-Paris-Was-Magnifique
• YouRemindMeoftheBabe!!

The passphrase means something to you, so it is more memorable. Yet it isn’t easy for hackers to crack. Also, you’re not using specific personal details that you may reveal on social media (unless you are constantly posting pics of your fish, and its name is actually 761).

Protecting your online identity
​
Want to know more about protecting your online identity? Need help with setting up security procedures for your home computer and network? Our tech experts are available to help. Call us today at (888) 234-WDIT(9348)!

You may remember playing Duck, Duck, Goose on the playground when you were young. But have you heard of DuckDuckGo? Many haven’t. So, we thought we’d share an introduction to this privacy-focused search engine.

DuckDuckGo promises to let you “search the Web without being tracked.” The search engine site touts a simple privacy policy: “We don’t collect or share any of your personal information.”

You can use DuckDuckGo on their iOS or Android app or extension by adding a private Web search to your favorite browser or by searching directly at DuckDuckGo.com. The site’s privacy browser extension blocks trackers and offers encryption for every device.

Why use DuckDuckGo?

Google is the obvious heavy hitter in search. The problem? The company keeps your search history forever. Plus, they are tracking everywhere you go online. Their trackers are on millions of websites.

Think about it: Ever looked at a new sweatshirt and decided against it only to find it following you in digital ads for days to come? That’s because of tracking. DuckDuckGo promises there are no trackers on its search engine. It even blocks Google’s and other company’s trackers, as well.

You might think you are achieving anonymity in Incognito Mode. But this doesn’t stop Google from saving your history. Companies, internet service providers, and governments can also continue to track you.

DuckDuckGo does not store IP addresses or other unique identifiers in its search logs. This means that they cannot create a search history or data profile on you or any other individual.

Does DuckDuckGo work?

The big question, of course, is how the private engine’s search results compare to competitors. The company claims it provides “truly private search results without tradeoffs in result quality.” DuckDuckGo says it offers “everything you’ve come to expect in your online search experience” including:

• maps;
• weather forecasts;
• local search;
• news;
• images;
• videos;
• shopping;
• definitions;
• Wikipedia references;
• currency conversions;
• flight information;
• calculator;
• timer;
• sports scores;
• Q&A reference.

Can DuckDuckGo compete?

Since its founding in 2008, DuckDuckGo has steadily gained users. On January 13, 2022, the search engine announced it had surpassed 100 billion all-time searches.

According to public traffic statistics in the same week, the highest daily number of search queries DuckDuckGo had seen was 110,439,133. Just a year ago, on January 11, 2021, the company announced hitting over 100 million searches daily.

Those numbers are impressive, yet as Search Engine Land puts it, “DuckDuckGo remains a very niche competitor.” Google has a huge market share (as much as 87.57 of searches). Bing, the next biggest competitor, accounted for 6.31%, Yahoo 3.25%, and DuckDuckGo 2.5%, according to statcounter.com.

Protecting your privacy online

DuckDuckGo is an attractive and useful option for people who want a higher level of online privacy.
There are many other ways to protect your identity online and secure the data on your residential computers. Contact our IT experts today at (888) 234-WDIT(9348) to learn more about the best solution for your personal needs.
​

Nine out of ten times today when you visit a website you’re asked to sign in. To add convenience, many sites offer the ability to sign in using a Facebook or Google account. Sure, it’s simpler, but this article will share three key reasons why you might want to avoid this easy route.

It’s estimated that we each have an average of 100 passwords. That’s a lot to remember, especially as we need unique logins for every site to lower our risk of cyberattack.

At the same time, every website wants us to set up an account. It helps them get to know their users. This can help them to target marketing and product development efforts. They might also share the information with third parties as another source of income.

Still, the website wants to keep its users coming back, so they allow you to sign in with Google or Facebook accounts to streamline the process. Weigh the value of that added convenience against these three considerations.

#1 You’re giving away more data
​
By using Google or Facebook to sign in on other websites, you are giving the sites greater access to information about you. Now, they not only know what you do on their sites, but you’re also allowing them to build out their picture of you with data insights from the shared sites.

Google and Facebook have powerful tools to dig deeper into your online activity, and other websites can also extract data from your Facebook and Google accounts. If you don’t read the privacy policies, you may not know what sensitive data the platforms share.

#2 You could lose access

You may join those who are deciding to quit Facebook or leave Google in favor of another platform. If you do so, and you have used that account to access other sites, you’ll have to create new logins.

Even if you’re not ever going to do away with your Facebook or Google account, you could still lose access. If there’s a major outage at one of those two sites, you won’t be able to log in at any of your connected sites either. The other websites won’t be able to authenticate you until Facebook or Google is back up and running.

#3 Your attack surface gets bigger

If you have one, unique login credential for a website, you risk your data there only if that site gets hacked. However, if you use Facebook or Google login, and bad actors compromise that account, they can access any shared sites.

Think of it like dominos. The Facebook or Google account is the first to fall, but all those other accounts you “conveniently” login to using those credentials will come tumbling down soon after. Don’t think the attacker won’t bother looking for other connected accounts. All they have to do, once they breach one account is go into your settings to see what you have connected.

Social media accounts are also a prime target. Don’t believe us? Bet you’ve seen a post from a Facebook friend (or ten) telling you to ignore strange activity due to a hacked account.

Protect your online identity

Account compromise is a top cause of data breaches worldwide. Protect your online identity by following best practices for cyber hygiene.

Need help with password security? Our IT experts can set you up with a password manager or provide other online security help. Contact us today at (888) 234-WDIT(9348)!

The main advantage of a password manager is obvious to anyone with more than one account online (i.e. everyone). Instead of remembering all 100 usernames and passwords, the password manager autofills them. It’s a boon. But it’s not the only reason to use a password manager. This article shares several more unexpected benefits.

Password manager programs generate, manage, and store many different passwords. You may be concerned about whether a password manager is safe to use. But, the cybersecurity industry consensus is “yes, it is.”

A password manager uses top-notch encryption to protect passwords. Plus, they take a zero-knowledge approach. They can’t actually see the passwords they store and prefill on sites. The password is encrypted before it reaches the manager’s server and can’t be deciphered. This is why you need to be so careful not to forget your master password!

That said, the password manager offers more than a vault for encrypted credentials.

More Benefits of Password Managers

For one thing, many password managers have apps for download onto mobile devices. Then, you can use the password manager to prefill forms on those, too. This gives you the advantage of convenience not only on your desktop computer but also on the go.

Some password managers offer added security benefits, as well. They might:

• warn you of weak password and login credentials;
• remind you to change your passwords;
• notify you if your passwords may have been compromised in a breach;
• advise you against repeating access credentials if you’re about to do so.

Another advantage is that you can conveniently share passwords with others. Maybe you want to give family members shared access to streaming accounts or allow a work colleague access to applications you’re using remotely. A managed password sharing feature can allow them to see selected passwords. You aren’t showing everything: you can pick what you make available. Plus, when you change your credentials, the password will change on their end, too. This doesn’t need to be permanent either. You can easily revoke password sharing.

You can also use a password manager to secure other important information. You might store things such as credit card numbers or other personal identifying information. Keeping that kind of data in an unencrypted note on your desktop or mobile device is unsafe, but you can take advantage of password manager encryption to safely store those precious details.

Secure your passwords with a manager
​
You can’t expect to remember all your unique passwords. Yet the days of writing down passwords on Post-it notes are over. Use cloud-based password management to secure your passwords and do more.

Contact our IT experts today to find out more about password management. We’re happy to suggest the best solution for your needs and set it up, too.

Call us now at (888) 234-WDIT(9348)!