
Passwords. A Revisit. (Updated for 2021)

Originally published on CUInsight.com

It’s a topic you’ve seen here before. Time and again. Of course, it’s still pertinent, since we keep using them. Passwords are the bane of the tech world. Unless someone invents a simpler way to authenticate yourself to any service, they’re going to stick around for a while.

That doesn’t mean we need to despise them, though. In the past, we have discussed the problems on both ends, from policies that lead to creating awful passwords, to people insisting on using “love”, “*dogname*”, and “!23456”.

Grab your favorite password and…throw it in the trash (sadly, even “CorrectHorseBatteryStaple“). Because we’re back.

Password Confusion

Like the question of eggs being healthy or your worst nightmare, passwords see a wide variety of advice as the years go on. Some of it is due to a long period of terrible advice (which we discussed before, and, I’ll admit, my own suggestions evolved, too).

Thankfully, this is changing…slowly. The other part is raw processing power: it’s easier than ever for an attacker holding a leaked password database to test billions of candidate guesses (built from previously leaked passwords combined with dictionary rules). So what’s the current solution?

Password Managers

It’s lurking in plain sight, on all your devices. The best password is one you never create. Every modern platform can suggest a strong password for you. Then it saves those passwords in an encrypted store, so you don’t have to put a note in your drawer (it’s ok, you’re not alone).

Depending on the system, there might be a master password, or it can be combined with biometrics. Make that master password your one big, strong password, then rarely type it. Rely on the fingerprint scanner, Face ID, or other verification system for day-to-day unlocking.

On iOS and iPadOS, all current versions can automatically create strong (Apple calls them “complex”) passwords and store them. That means, when a site asks you to create a password, your phone has already filled in a really good one. Then it saves it, so you never even have to think of something.

To log back in, your phone just asks for verification through Touch ID or Face ID (depending on device). This is a recent change; auto-fill itself is now gated behind that verification, too. Yes, you still have to create a unique username. Sorry, MarioKartKing is taken.

Apple Creates “Password Manager Resources”

This automatic password creation isn’t perfect. If you’ve used this system for any length of time, you’ve run into this situation:

  • Go to site to create account
  • Enter username
  • Fill in good password
  • System gives an error
  • Try again with a new random password
  • Error again

Why? Your password was “too complex” for their platform. Whether it contains “unusual characters” (like hyphens) or is simply too long, the site won’t accept it. What do you do then? If you’re like most, you just make up your own.

This one won’t be as good. Sorry, it’s just reality. So Apple is doing something about it. Their new open-source project Password Manager Resources seeks to end that scenario. How?

The project collects site-specific password rules (along with other per-site quirks) that password managers can consume. That way, when your device creates a password, it knows the limitations of that site, and the strong password it generates is also one the site will accept.

As a new system, I look forward to it doing two things:

  1. Letting people mindlessly create complex passwords on any site.
  2. Encouraging sites to adopt a better password policy.
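To make the “too complex for their platform” scenario concrete, here is an added example (my own code, not part of the original post and not Apple’s or the Password Manager Resources project’s code) that parses a rule string in the `minlength: …; required: …; allowed: …;` style the project uses, checks a password against it, and generates a compliant one with a CSPRNG. The two rule strings are constructed for illustration, and the exact membership of the `special` class is my reading of Apple’s documentation, so treat it as an assumption.

```python
import re
import secrets
import string

# Character classes named in the password-rules grammar (upper, lower, digit,
# special, ascii-printable, plus custom [...] sets). The "special" membership
# below is an assumption based on my reading of Apple's documentation.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set("-~!@#$%^&*_+=`|(){}[:;\"'<>,.? ]"),
    "ascii-printable": set(string.ascii_letters + string.digits + string.punctuation + " "),
}

# Constructed rule strings (not taken from the project): a picky site that caps
# passwords at 16 characters and rejects hyphens, and a site whose custom class
# contains "," and ";", which a naive split would break on.
PICKY_SITE_RULES = "minlength: 8; maxlength: 16; required: lower; required: upper; required: digit; allowed: [!@#$%];"
CUSTOM_CLASS_RULES = "minlength: 8; required: lower; required: upper; required: digit; required: [!#$%&'()*+,-./:;<=>?@^_{|}~];"


def split_outside_brackets(text, sep):
    """Split on `sep`, but never inside a [...] custom character class."""
    parts, buf, depth = [], [], 0
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]" and depth:
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def class_chars(token):
    token = token.strip()
    if token.startswith("["):
        return set(token[1:token.rindex("]")])  # custom class such as [-._]
    return set(CLASSES[token.lower()])  # KeyError for classes not modelled here (e.g. unicode)


def parse_rules(rule_string):
    rules = {"minlength": 1, "maxlength": None, "max-consecutive": None,
             "required": [], "allowed": set()}
    for prop in split_outside_brackets(rule_string, ";"):
        name, _, value = prop.strip().partition(":")
        name, value = name.strip().lower(), value.strip()
        if not name:
            continue
        if name in ("minlength", "maxlength", "max-consecutive"):
            rules[name] = int(value)
        elif name in ("required", "allowed"):
            chars = set()  # "required: lower, upper" means one char from the union
            for token in split_outside_brackets(value, ","):
                chars |= class_chars(token)
            if name == "required":
                rules["required"].append(chars)
            else:
                rules["allowed"] |= chars
    if not rules["allowed"]:
        rules["allowed"] = set(CLASSES["ascii-printable"])  # default when no allowed: line
    for req in rules["required"]:
        rules["allowed"] |= req  # required classes are implicitly allowed
    return rules


def check_password(password, rules):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < rules["minlength"]:
        problems.append(f"shorter than minlength {rules['minlength']}")
    if rules["maxlength"] is not None and len(password) > rules["maxlength"]:
        problems.append(f"longer than maxlength {rules['maxlength']}")
    disallowed = sorted(set(password) - rules["allowed"])
    if disallowed:
        problems.append("disallowed characters: " + "".join(disallowed))
    for i, req in enumerate(rules["required"], 1):
        if not set(password) & req:
            problems.append(f"missing a character from required class #{i}")
    limit = rules["max-consecutive"]
    if limit is not None and re.search(r"(.)\1{%d,}" % limit, password):
        problems.append(f"more than {limit} identical characters in a row")
    return problems


def generate_password(rules, length=20):
    """Generate a random password satisfying `rules` (one char per required class,
    the rest from the allowed set, then shuffled), using the CSPRNG in `secrets`."""
    if rules["maxlength"] is not None:
        length = min(length, rules["maxlength"])
    length = max(length, rules["minlength"])
    allowed = sorted(rules["allowed"])
    rng = secrets.SystemRandom()
    for _ in range(1000):  # rejection sampling takes care of max-consecutive
        chars = [secrets.choice(sorted(req)) for req in rules["required"]]
        chars += [secrets.choice(allowed) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not check_password(candidate, rules):
            return candidate
    raise RuntimeError("could not satisfy the rules")


if __name__ == "__main__":
    rules = parse_rules(PICKY_SITE_RULES)
    apple_style = "kojhut-Zigmuv-4nebce"  # constructed, in the shape of an iOS suggestion
    print(check_password(apple_style, rules))  # -> ['longer than maxlength 16', 'disallowed characters: -']
    print(generate_password(rules))            # a 16-character password the picky site accepts
```

The `main` block reproduces the scenario above: a 20-character, hyphenated suggestion fails the picky site on two counts, while `generate_password` produces one the site will take. Note that the generator never lowers the quality of the password beyond what the site forces; every character still comes from `secrets`, and a site whose rules leave a tiny allowed set will show up here as a short, low-entropy result, which is exactly the policy problem the post wants sites to fix.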

Changing Password Regularly…Or, not?

There’s another side of this revisit: Updating your password. I know, I know, I spoke strongly against this practice in the past. My position is unchanged. If you change your password, make it for a good reason.

A brilliant website called haveibeenpwned.com checks whether your e-mail address or usernames appeared in any known breach. If so, it shows which breaches and what kinds of data were exposed.

Then, you know it’s time to update those passwords (and anywhere else you shared those credentials). That password auto-suggest is looking mighty nice right now.

They partnered with Firefox so you can get alerts for any new breaches involving your information. With a Firefox Account, you can add as many e-mail addresses to this monitoring as you like. Then you can go through the list and “resolve” the ones you’ve already dealt with.

So, changing passwords on a schedule is unnecessary. Creating strong ones that are unique to each site is essential. Then, use a service that tells you when a site you use is compromised. Change that one password and you’re good to go!

Email Aliases Too?

An extra level of protection on top of that is creating a separate email alias for each account. That way, if one site leaks the address, an attacker can’t use it to find and link your accounts elsewhere.

In a sense, there’s no technical reason why we can’t have a unique everything for every account nowadays. Apple’s iCloud+ has a Hide My Email feature that automatically creates a random alias for each account, and its Keychain can also generate the 2FA verification codes for those accounts.

Gmail has long supported aliases. Just add a “+” and a tag after the username part of your address (before @gmail.com), and the mail still lands in your inbox. The catch: anyone can recover the original address by stripping everything from the “+” to the “@” (Gmail also ignores dots in the username part), so this is obscurity rather than real separation, but it’s something.
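As an added example (my own code, not part of the original post) of why “+” aliases offer only a little protection, this script does what a breach-correlation tool would do: it normalizes each address the way the receiving provider does and groups the results. The sample addresses are constructed for the example, and `relay.example` is a placeholder domain standing in for a Hide My Email style relay; the “+tag” stripping is applied to every domain as a heuristic, since many providers besides Gmail support subaddressing.

```python
# Constructed sample of addresses as they might appear across several breach
# dumps (not real data). "relay.example" is a placeholder for a relay service
# that hands out a random alias per account.
LEAKED_ADDRESSES = [
    "jane.doe+shop@gmail.com",
    "JaneDoe+bank@googlemail.com",
    "j.a.n.e.doe@gmail.com",
    "jane.doe+forum@example.org",
    "jane.doe@example.org",
    "qv7m2x9k@relay.example",
    "zp04hh1r@relay.example",
]


def normalize_email(address):
    """Reduce an address to the key an attacker would use to correlate accounts:
    lower-case it, strip any "+tag" (subaddressing, assumed for every domain as a
    heuristic), and for Gmail drop dots and fold googlemail.com onto gmail.com,
    because Gmail delivers all of those forms to the same mailbox."""
    local, at, domain = address.strip().lower().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def correlate(addresses):
    """Group addresses by normalized form; any group larger than one is linkable."""
    groups = {}
    for address in addresses:
        groups.setdefault(normalize_email(address), []).append(address)
    return groups


if __name__ == "__main__":
    for key, members in correlate(LEAKED_ADDRESSES).items():
        print(f"{key}: {len(members)} leaked form(s) -> {members}")
```

Run it and the three Gmail variants collapse into one identity, the two example.org forms into another, while the two random relay aliases stay unlinked: nothing in a random alias points back to the real mailbox or to its siblings.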

Use a Password Manager

Here’s the bottom line: With password managers so prevalent and easy to use, there’s no excuse to keep creating your own passwords. Doing so puts you (and the data behind those accounts) at unnecessary risk. Letting the manager do it also saves time.

When I read of a breach on a service I use, I just go in, update that password, and get back to my life. Since it won’t be shared with any other system, I don’t care what someone does with the information.

Granted, if a service turned out to store passwords in a form someone could read (in plaintext, or otherwise recoverable), I’d be questioning whether to keep using it at all, given their poor security practices.

Bottom line of the bottom line: Complex, random strings of characters, stored in a quality password manager, are the best way to ensure your personal (or corporate) information remains only in the hands you want.

Resources (A non-exhaustive list of password managers)

OS Based:

3rd Party:

  • Firefox Sync
  • LastPass
  • 1Password

How can I tell if my car has been hacked?

  • When you drive, does your GPS talk back with more attitude than normal?
  • Do you find your car going on late-night ice cream runs?
  • Has your car strangled you or your family? More than once?
  • Will your car refuse to perform rolling stops or turn right on red?
    • Probably for the best, given the latter results in many pedestrian crashes

If you can say “yes” to any of these, then your car may be hacked. But don’t panic! It’s equally likely your car has just been possessed by a hungry ghost.

We are all acclimated to the security risks on our computers and phones; you update often, avoid sketchy websites, and don’t download questionable software. However, the king of the open road has never dealt with these challenges. Our cars were a sanctuary. The only risk was of being involved in one of 10.8 million accidents per year. But hacking? Leave that to the computers!

Today, your car is a computer as well. In fact, it’s more computer than your computer. Besides the OBD2 service plug under your dashboard, it is a veritable treasure trove of calculating machines. Anti-lock brakes, stability control, airbags, roll compensation, variable headlights, lane guidance, and more all run computations hundreds of times per second. Not to mention the entertainment systems which are more tightly integrated into car operations each year.

News stories describing vehicle hacking sensationalize the event, making it difficult to know whether the problem uncovered is a true risk. Perhaps, then, we cannot blame people for being afraid of their next car being the victim of hackers. A recent survey conducted by Kelley Blue Book put numbers to the suspicions. Of note, roughly two in five (41%) would consider vehicle security provisions during their next purchase. Over half (58%) felt a permanent solution to the problem will never be found.

That group is correct. If computer code is more complex than “Hello, world!”, it has bugs. Just as your body has a variety of protections against sickness, from skin to an immune system, sometimes both our bodies’ and our computers’ code gets “colds”. The concern is in severity. A small rash might be an inconvenience, but the flu can put you out of commission for days. Same too with the computer. If the bug is serious enough, and a hacker (like a virus) can infect deeply into the system, then the system can be taken over.

The key to ensuring car hacking does not become a safety issue is in the ability to get fixes to the vehicles. Tesla designed their Model S (and all future vehicles) with a wireless update capability, much like your phone. When it’s plugged in and charging, it checks for updates, which can fix security and stability bugs, as well as add new features. Your next drive is then more secure. The Jeep Cherokee you heard was hacked (luckily by good guys) has no such feature, and must either be driven to a dealership or manually updated with a USB drive.

Luckily for Chrysler, people don’t yet see their cars as they do their phones. From a technical standpoint, they’re the same; Internet-connected devices that you depend upon to just work. In the aforementioned survey, 64% would elect to drive to a dealership for a security update to be installed. Would you drive to the Apple Store, wait in line, then wander around the mall for an hour while the latest update is set up on your phone? Of course not. You’d demand better. It’s only a matter of time until this migrates to cars.

Your credit union (you didn’t think I’d get to you, but I did!) has strong security features in place. Your members’ personal and financial information must never fall into the wrong hands, or any other hands, for that matter. But vulnerabilities exist and there are always those looking to exploit for their own ends. Does your IT team ensure both technical problems and human error cannot compromise your core LOS? What about your members? If your last security notice to them was a red bar on your website, they didn’t understand. In the same way you provide financial literacy education, help your members keep a safer digital life. Share the procedures in place at your own branches…does anyone use “password” as their password?

In today’s always-connected society, you are likely the most security-conscious entity your members directly encounter in their daily life. Help them be as great as you at conducting safe online practices. Consider yourself the wireless updates for your members’ security features.

But watch out for that moody GPS. Your delightful British accent isn’t fooling anyone!

Update: Another report has surfaced that the OBD2 port mentioned above connects to an inherently insecure platform, the CAN bus, which was designed without any authentication between the devices talking on it. It’s ok, it’s only on every car made in the last 20 years. However, devices that give the port wireless capabilities, like OnStar or insurance monitoring attachments, put your vehicle more at risk. Me? I’m keeping that port empty, especially given all the self-driving systems on my car.

Hacking a Tesla and A New CUGeek Category!

The media drives me crazy. And I don’t mean the media players on my computer (Will it play this format? Duh, should have used VLC). If you follow any subject in the news, for any length of time, then you’ll feel that same desire for authenticity. When did the drive for clicks and ad impressions outdo the motivation for accurate reporting (at every phase, including headline…I’m looking at you, original “yellow journalists”)?

A credit union industry publication once called me an “industry watchdog”. Woof woof! (Is that what watchdogs say? I’m a cat person.) It’s time for me to take my assigned role and run with it!

Today, I’m introducing a new category to my blog called CUbit. Why yes, I am referencing the Biblical form of measurement equal to around 46 centimeters, how did you know? 46 centimeters isn’t a great distance, about one and a half feet. So, arms length.

Is it also a play on words? Naturally! You may notice the resemblance to qubit, the quantum bit that is the basic unit of information in a quantum computer.

And, of course, CU represents you, credit unions! Posts with the CUbit tag will be short, outside schedule blasts on trending (or soon-to-be trending) media topics of interest to the industry.

The first CUbit? Hacking a Tesla Model S. Well, that’s what TIME says. The reality is that some good guys with mad computer skills (they’re known as “white hats”, while bad guys are “black hats”) plugged their laptop into a Model S (yes, with a cord) and were able to override the main computer. They could do anything a normal person would do in a normal vehicle…change speed, open the moonroof, shut off the motor, etc. But not without a really long cord, because their system only worked with a wire.

OH MY GOSH! TESLA IS DOOMED!

Again, not really. The security issue was reported to Tesla, who already has a fix in place and will be sending it out to every car wirelessly tonight (Thursday). So by the time you read exaggerated articles about this issue, the cars will already be fixed.

Hacked Tesla? Yes and no. Can yours be remotely controlled? No. Is the issue widespread? No, it’s fixed. Was there an update necessary? Yes, though Tesla planned ahead with wireless updates while the car is charging in your garage.

So, false crisis averted, new category created, and you’ve finished the first CUbit! Thank you for your continued readership and support. If you have any suggestions, please feel free to contact me.

Update: TIME has updated their article to elucidate the points made above. Kudos to their editing. A shake of the head to them for ever posting the original version.

© 2024 Credit Union Geek
