Why are you getting this? Please read our Privacy Notice & Communication Info at the bottom of this message.
It's Raining Data
We live in a technology-dense society. Everywhere I go, I see devices. And, I wonder… how many people realize their personal data is pouring in and out of those devices, like rain, giving life to a nefarious species of profit seekers?
More and more organizations are grabbing vulnerable personal data, sowing it in AI-rich environments and harvesting the insights for money-making schemes.
Sadly, data showers do not often bring data flowers. Data weeds, on the other hand, are invasive and plentiful. Read on to learn how you can at least slow, if not eradicate, perennial data creepers from invading your life.
Rebecca
We would love to hear from you!
May Tips of the Month
- World Password Day
- Privacy & Security Questions and Tips
- Data Security & Privacy Beacons
- Privacy and Security News
- Where to Find the Privacy Professor
Most people have anywhere from 100 to 300 passwords. That is a lot to manage.
This May 5, take time to consider your passwords. How many do you have? How many of them are strong? How many are shared across multiple sites?
Many in the security community would like to see passwords eliminated. They are simply too “crackable.” And, there is a lot of innovation underway to do just that.
However, we’re not there yet. Until a better solution becomes ubiquitous, we’re stuck with passwords and need to do our best to make them as secure as possible.
Password best practices:
- Use a different password for each type of purpose, device or site. For example, don’t use the same password on your banking sites as you use on your social media sites. Never use your personal passwords for business/employer accounts. If possible, use a different password for every account you own.
- Use as long a password as you can, as long as it is reasonable for you to remember or to retrieve from a secure location. Some security vendors recommend at least 16 characters mixing letters, numbers and symbols. However, not all systems allow that length.
- Opt in for multi-factor authentication (MFA) whenever it’s offered. A second factor is something a guessed or stolen password alone cannot pass, so it partially offsets a shorter password, but it is not a substitute for a strong one.
- Never share your passwords.
- Don’t include any personal information as part of your password. Any information that can be found online (including pets’ names!), should not be within your passwords.
- Avoid consecutive or repeated letters, numbers or symbols in your passwords.
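The checks above can be automated. The following Python is an added example written for this issue, not code from the Tips newsletter or from any vendor: it audits a password against the practices listed (length, repeated and consecutive characters, personal information that could be found online) and flags reuse across accounts. The 16-character minimum follows the vendor recommendation quoted above; the "3 repeated" and "4 consecutive" thresholds, the account vault and the list of personal terms are constructed assumptions for illustration.

```python
import math
import re

# Constructed sample data for the example: facts about a hypothetical person
# that an attacker could find online (name, pet, birth year, home town).
PERSONAL_TERMS = ["rebecca", "fido", "1987", "desmoines"]

# Constructed sample vault: account name -> password (not real credentials).
SAMPLE_VAULT = {
    "bank": "Fido1987!",
    "social": "Fido1987!",
    "employer": "correct-horse-battery-staple-42",
}


def has_run(pw, n=3):
    """True if pw contains n or more identical characters in a row (e.g. 'aaa')."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def has_sequence(pw, n=4):
    """True if pw contains n consecutive ascending or descending characters
    (e.g. 'abcd', '4321'); measured on character codes so it also catches 'ABCD'."""
    for i in range(len(pw) - n + 1):
        chunk = pw[i:i + n]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def contains_personal(pw, terms):
    """Return the personal terms that appear (case-insensitively) inside pw."""
    low = pw.lower()
    return [t for t in terms if t.lower() in low]


def estimate_bits(pw):
    """Rough strength estimate: log2(pool ** length) for the character classes used.
    It is an upper bound; a dictionary word scores far higher than it deserves."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += 33  # printable ASCII symbols
    return len(pw) * math.log2(pool) if pool else 0.0


def audit_password(pw, personal_terms=(), min_len=16):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    if len(pw) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if has_run(pw):
        findings.append("repeated characters")
    if has_sequence(pw):
        findings.append("consecutive characters")
    hits = contains_personal(pw, personal_terms)
    if hits:
        findings.append("contains personal info: " + ", ".join(hits))
    return findings


def find_reuse(vault):
    """Group account names that share an identical password (vault: account -> password)."""
    by_pw = {}
    for account, pw in vault.items():
        by_pw.setdefault(pw, []).append(account)
    return [accounts for accounts in by_pw.values() if len(accounts) > 1]


if __name__ == "__main__":
    for account, pw in SAMPLE_VAULT.items():
        print(account, f"{estimate_bits(pw):.0f} bits", audit_password(pw, PERSONAL_TERMS))
    print("reused across:", find_reuse(SAMPLE_VAULT))
```

Running it on the constructed vault flags the bank and social passwords as short and built from personal facts, and reports that they are identical, which is exactly the pattern the first tip above warns against.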
If you have other tips on creating strong, safe passwords, send them to us! We may publish them in an upcoming issue.
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
We have gotten so many fantastic questions since the last Tips message; thank you. Keep ‘em coming!
Q: What is the difference between vishing and smishing?
A: Both smishing and vishing are types of phishing fraud tactics. Smishing occurs when scammers send text messages to trick victims into doing something that is ultimately harmful to the victim and beneficial to the crook. Smishing gets its name from the more formal term for the texting – “short message service” or SMS. SMS + phishing = smishing. Vishing attacks are launched through recorded or live-voice phone calls. The mashup of “voice” and “phishing” gives us the term.
- Don’t answer calls from unknown numbers; they’ll leave a voicemail if it is important.
- Don’t share sensitive information with unsolicited or unexpected callers.
- Know that scammers often pressure victims with threats, promises of wealth (e.g., “You won a bunch of money!”) and plays on sympathies (“We are collecting money for the victims of…” a terrible event).
You can also consider sharing with friends on your social network, like my childhood friend Chris recently did (screenshots below). As you can see, his post engaged many people into a cybersecurity conversation. Well done, Chris!
Q: I am tired of answering calls that appear to be local (based on the area code) only to find a scammer on the other end. How can I stop this?
A: While there is no way to stop 100% of these calls, there are ways to reduce the number of spoofed calls to your phone:
For Android phones
- From the Settings menu, look for features like “Block Numbers,” “Caller ID” and “Spam Protection.” You can block specific numbers that have come to your phone or that fit the profile of callers using spoofing tools.
For Apple phones
- You can also go to your recent calls in the Phone app. If you think a call was spoofed, tap the info icon, then “Block this Number” or “Block Contact.”
For landlines
- Contact your landline service provider and request help.
- Buy a call-blocking device. But first, check your landline phone. Some of the newer models come with blocking capabilities built-in.
Q: My state is offering mobile driver’s licenses. They haven’t said what they are doing to mitigate security and privacy risks. What should I ask them?
A: Security and privacy risks increase anytime confidential and critical documents are digitized. Not only are they at risk of interception by hackers, there are also simple lifestyle risks, such as dead phone batteries or a lost/stolen phones that could make them unavailable when you need them the most. Another thing to consider is that giving an authority access to an unlocked phone may also give that authority access to all unencrypted data on that phone.
At least eight U.S. states are currently offering mobile driver’s licenses. Below are ten questions citizens in states offering mobile driver’s licenses may want to ask of their Department of Transportation.
- Can you also have a hard copy driver’s license?
- If an authority asks to see the digital license, can you hold the phone while the authority looks at it?
- Is GPS tracking supported by the digital license?
- Is the identity or image of the person looking at the ID being recorded?
- What other parties are given access to, or copies of, the digital licenses?
- Does the subject of the driver’s license have control over this access?
- What are the security controls the state uses, and provides to licensed drivers, for the digital licenses?
- Is data encrypted in storage and in transit?
- Is access to mobile driver’s license data restricted to only those in a need-to-know position?
- Is the software code for the mobile license apps available for the public to review for security controls?
Q: On a recent Voice America show, Rebecca mentioned she was an expert witness for cases involving the use of smart things to hunt people down. Any tips for preventing becoming a victim of an IoT user?
A: Recent research identified eleven categories of IoT devices commonly used in domestic violence and stalking incidents:
- Tracking tiles (e.g., Apple AirTag, Tile)
- Smart doorbells (e.g., Ring, Nest)
- Personal digital assistants (e.g., Amazon Echo, Google Home)
- Life management devices (e.g., Google Home Hub)
- Smart thermostats (e.g., Nest)
- Smart TVs
- Smart electric plugs
- Fitness trackers and smart watches
- Wireless systems and routers
- Smart locks
- CCTV cameras
Stalkers plant portable IoT devices, commonly the tracking tiles, in victims’ clothing, wallets, cars, even toys where the targeted victim rarely checks. Some of the other devices listed above have been given as gifts to the victim or a close family member or friend. In these circumstances, the stalker sets up the account before giving the smart “gift,” so they have access to all the tracking, video, audio and other data collected by the device. Stalkers have also been known to use vulnerabilities within home and mobile wi-fi connections to track victims.
Q: If there was one simple data security or privacy risk you could eradicate, what would it be?
A: Insecure disposal of paper and other hardcopy media containing personal information is a centuries-old problem that continues to worsen. The same applies to old computing and storage devices that are thrown away, sold or gifted to others. It’s all too common for device owners to fail to completely remove data from devices before letting them go.
Andrew Grossman 2/13/2020
Q: My wife died of COVID-19 in 2020. We were married 31 years. My friends are urging me to try Tinder. If I’m on Tinder, will everyone on Facebook know I’m using it?
A: It is good you are thinking about this; there are many security and privacy issues to consider.
First, look at how the app is installed on your phone. Many apps prompt users at the time of download to link the app to the user’s Facebook account. Just say no to that offer. Doing so will eliminate most of the risks of having others on Facebook know you are using Tinder.
Keep in mind that people could post photos of you from Tinder to their Facebook pages. Make sure that the privacy settings in the Facebook app on your phone do not allow this linkage, now or after an update. (Facebook is notorious for changing privacy settings during updates.)
We recommend accessing Facebook on your phone through a browser, not an app, to prevent many of the linkages made through the app. Facebook doesn’t want users to do this, so they try to discourage it by only allowing access to Messenger services through the app.
Related to this, if you are communicating with someone on Tinder, they may post your Tinder photo on their Facebook page; there is nothing you can do to prevent this. So that is also a risk to consider.
Also, make sure your Tinder security and privacy settings are adjusted to disallow as much sharing of your data as possible. The app does not have a good track record where security and privacy are concerned. In early 2020, Tinder suffered a serious data breach that resulted in more than 70,000 images of women being shared online. Additionally, Tinder’s privacy policy is vague. This leaves the door open in many ways for them to use and share your data in ways you may not want them to do. It also fails to include a “last updated” date, so we don’t know how old or accurate the policy is.
You should also consider real-life safety issues. In March of this year, to great fanfare, Tinder announced a criminal background check feature. While this feature can provide some assurance, many believe it creates a false sense of security. That’s because only 30% of sexual assaults are reported to the police. And, only a small number of the people reported to police are actually convicted of a crime that would show up on a background check. Just because someone is not in the police file as a convicted sexual assaulter does not mean they’re safe. Always keep your guard up and meet in public places until you get to know the person well; trust should be earned, not given as a result of a Tinder feature.
Data Security & Privacy Beacons*
People and places making a difference
- Intel created World Password Day in 2013 and continues to promote it as a worldwide day of recognition.
- NCSL created a legislator privacy guide and glossary of privacy terms.
- My childhood friend, Chris D., posted his smishing message to raise awareness of smishing tactics. See above.
- John Oliver highlighted in this recent episode the need for laws to govern how data brokers treat our personal data.
- Kim Komando provided great information on how to take back control of a hacked Facebook account.
- Capital One posted clearly written information about client account information security and privacy services. The bank also sends emails and text messages to clients whenever it detects a suspicious purchase. I recently renewed a couple of web domains, and each charge was the same. Capital One sent the following message to make sure I didn’t get charged twice for a single purchase. I’ve actually caught such double (and triple!) charges for a single purchase through these alerts. My other credit cards do not do this, but it would be great to see them also implement such a practice.
- Check Point Research published a Brand Phishing Report for Q1 2022. Keep these brands in mind when you get emails that appear to come from them; verify they are not phishing messages.
- YouTube Creators sent YouTube channel owners information on how to keep their accounts secure. We recently got the message below. We love seeing social media sites provide information to help their community members better secure their data and protect their privacy.
*Privacy Beacons do not necessarily indicate an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.
Privacy & Security News
Visit the PSB News Page often!
The PSB News page contains news grouped by month and by topic. We curate the news we find of most concern and interest, so you can see the kind of info we pass along to our own clients and employees.
Brand New Training Courses
Clearing up common confusion around HIPAA
Too few healthcare employees are confident in their understanding of HIPAA. We want to change that. Beginning this month, HIPAA covered entities (CEs) and their business associates (BAs) will have access to “HIPAA Basics for Business Associates 2022.”
Where to Find the Privacy Professor
real-world topics within the data security and privacy realm.
Latest Episode
This episode first aired on Saturday, April 2nd, 2022
Rik Farrow
Listen to the original Unix expert discuss this operating system and compare it with Linux, iOS, Android and others. What are the biggest security risks for these OSes? Also hear his advice about current vulnerabilities, such as Dirty Pipe, related cybersecurity careers, and more!
Next Episode
First airing on Saturday, May 7, 2022
Adam Dodge
Assaulters and stalkers are increasingly using IoT tech to target, surveil, and attack their victims. What types of popular, tiny, inexpensive IoT devices are increasingly used by assaulters and stalkers for surveilling and then tracking down victims to abuse and assault? In what ways do IoT devices provide a sense of false security, that then actually makes weaponizing them to commit crimes easier? What can people do to keep from being victims of assaults through the IoT devices they use? Tune in to hear Adam Dodge, founder of Ending Technology-Enabled Abuse (EndTAB), provide answers to these and many more questions.
Privacy & Security Brainiacs | Website
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:
NOTE: Permission for excerpts does not extend to images.
Privacy Notice & Communication Info
You are receiving this Privacy Professor Tips message as a result of:
2) making a request directly to Rebecca Herold; or
3) connecting with Rebecca Herold on LinkedIn.
When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that each month, to support the LinkedIn networking purpose and goals, and to stay in touch with her links, she sends her LinkedIn connections one security and privacy tips message via email each month. If they do not want to stay in touch with her in this way, LinkedIn connections are invited to let Rebecca know they do not want to get email messages from her by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.
If you wish to unsubscribe, just click the SafeUnsubscribe link below.