Learn Marketing & Strategy Insights, You Will.

Tag: privacy (Page 2 of 3)

Passwords. A Revisit. (Updated for 2021)

Originally published on CUInsight.com

It’s a topic you’ve seen here before. Time and again. Of course, it’s still pertinent since we keep using them. Passwords are a bane of the tech world. Unless you can invent a simple way to authenticate yourself with any service, they’re going to stick around for a while.

That doesn’t mean we need to despise them, though. In the past, we have discussed the problems on both ends, from policies that lead to creating awful passwords, to people insisting on using “love”, “*dogname*”, and “!23456”.

Grab your favorite password and…throw it in the trash (sadly, even “CorrectHorseBatteryStaple”). Because we’re back.

Password Confusion

Like the question of eggs being healthy or your worst nightmare, passwords see a wide variety of advice as the years go on. Some of it is due to a long period of terrible advice (which we discussed before, and, I’ll admit, my own suggestions evolved, too).

Thankfully, this is changing…slowly. The other part is based upon processing speed increases; it’s easier than ever to parse billions of possibilities (using databases of common passwords from leaks combined with dictionary analysis). So what’s the current solution?

Password Managers

It’s lurking in plain sight, on all your devices. The best password is one you never create. Every modern platform supports strong password suggestions. Then, they save these passwords in a secured database, so you don’t have to put a note in your drawer (it’s ok, you’re not alone).

Depending on the system, there might be a master password, or it can combine with biometrics. Make this your big, strong password, then never use it. Rely on the fingerprint scanner, FaceID, or other verification system.

On iOS & iPadOS, all current versions have automatic strong (Apple calls them complex) password creation and storing capabilities. That means, when a site asks to create a password, your phone already filled in a really good one. Then it saves it so you never even bother thinking of something.

To log back in, your phone just asks for verification through TouchID or FaceID (depending on device). This is new; auto-fill now has security, too. Yes, you still have to create a unique username. Sorry, MarioKartKing is taken.

Apple Creates “Password Manager Resources”

This automatic password creation isn’t perfect. If you used this system for any length of time, you ran into this situation:

  • Go to site to create account
  • Enter username
  • Fill in good password
  • System gives an error
  • Try again with a new random password
  • Error again

Why? Your password was “too complex” for their platform. Whether using “unusual characters” (like hyphens) or simply too long, their site won’t accept it. What do you do then? If you’re like most, you just make up your own.

This one won’t be as good. Sorry, it’s just reality. So Apple is doing something about it. Their new open-source project Password Manager Resources seeks to end that scenario. How?

The project will let developers build site-specific criteria. That way, when your device creates a password, it will know the limitations of that site. So your strong password will also work.

As a new system, I look forward to it doing two things:

  1. Letting people mindlessly create complex passwords on any site.
  2. Encouraging sites to adopt a better password policy.
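To make the idea of site-specific criteria concrete, here is an added example (not code from Apple's project or from the original post) of a generator that consults per-site limits before producing a password, so the result is both random and accepted by the site. The site names, rule keys and values are constructed for illustration and do not follow the project's own file format.

```python
import secrets
import string

# Constructed per-site limits; site names, keys and values are assumptions for
# this example and do not follow the Password Manager Resources file format.
SITE_RULES = {
    "legacy-bank.example": {"min": 8, "max": 12, "symbols": "",
                            "required": ["lower", "upper", "digit"]},
    "modern-shop.example": {"min": 12, "max": 64, "symbols": "-_!@#",
                            "required": ["lower", "upper", "digit", "symbol"]},
}
# Used when nothing is known about a site.
DEFAULT_RULE = {"min": 8, "max": 64, "symbols": "-",
                "required": ["lower", "upper", "digit"]}


def _classes(rule):
    """Character classes available under one site's rule."""
    return {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
            "digit": string.digits, "symbol": rule["symbols"]}


def generate(site, target_len=20):
    """Return a random password that fits the limits recorded for `site`."""
    rule = SITE_RULES.get(site, DEFAULT_RULE)
    classes = _classes(rule)
    required = [classes[name] for name in rule["required"]]
    if not all(required):
        raise ValueError("a required class has no allowed characters")
    # Aim for target_len, but stay inside what the site accepts.
    length = max(rule["min"], min(target_len, rule["max"]))
    alphabet = "".join(classes.values())
    # One character from every required class, the rest from the full alphabet.
    chars = [secrets.choice(c) for c in required]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # do not leave required chars in front
    return "".join(chars)


def complies(password, site):
    """Check a password against the same limits (what the site would enforce)."""
    rule = SITE_RULES.get(site, DEFAULT_RULE)
    classes = _classes(rule)
    alphabet = set("".join(classes.values()))
    return (rule["min"] <= len(password) <= rule["max"]
            and set(password) <= alphabet
            and all(set(password) & set(classes[n]) for n in rule["required"]))
```

The 12-character cap on the constructed "legacy" site is what forces the shorter password; without a recorded rule the generator would have produced 20 characters with a hyphen allowed, which is the rejection loop described above.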

Changing Password Regularly…Or, not?

There’s another side of this revisit: Updating your password. I know, I know, I spoke strongly against this practice in the past. My position is unchanged. If you change your password, make it for a good reason.

A brilliant website called haveIbeenpwned.com checks your e-mail address or usernames to see if they were included in any breaches. If so, it shows which and to what degree.

Then, you know it’s time to update those passwords (and anywhere else you shared those credentials). That password auto-suggest is looking mighty nice right now.

They partnered with Firefox so you can get alerts for any new breaches involving your information. With a Firefox Account, you can add as many e-mail addresses as you like to this monitoring. Then, you can go through the list and “resolve” those you’ve already changed.

So, changing passwords regularly is unnecessary. Creating strong ones that are unique to each site is essential. Then, use a service that tells you if any sites are compromised. Simply change that password and you’re good to go!

Email Aliases Too?

An extra level of protection on top of that is creating email aliases for each of these accounts. That way, if the email is leaked, prospective hackers won’t be able to link it to other accounts.

In a sense, there’s no technical reason why we can’t have unique everything for every account nowadays. Apple’s iCloud+ has a feature to Hide My Email, automatically creating aliases for each account, along with a 2FA code.

Gmail has long supported aliases. Just use a “+” after the username part of your email (before @gmail). In this case, hackers could easily figure out your original address by doing an automated removal of the +alias part, but it’s something.

Use a Password Manager

Here’s the bottom line: With password managers so prevalent and easy to use, there’s no excuse to still create your own passwords. It’s putting you (and the data within) at unnecessary risk. It also saves time.

When I read of a breach on a service I use, I just go in, update that password, and get back to my life. Since it won’t be shared with any other system, I don’t care what someone does with the information.

Granted, if passwords were stored in a way someone could access them, I’d be questioning the utility of said service, given their poor security practices.

Bottom line of the bottom line: Complex, random strings of characters, stored in a quality password manager, are the best way to ensure your personal (or corporate) information remains only in the hands you want.

Resources (A non-exhaustive list of password managers)

OS Based:

3rd Party:

  • Firefox Sync
  • LastPass
  • 1Password

Data Security: Car Edition. Really.

Originally published on CUInsight.com

Update November 2023: Most new cars now also include cellular connectivity. Even if you don’t activate the service, it’s chatting with the manufacturer and an unknown number of companies. That’s a privacy minefield and needs regulation to control.

When you hear “data security”, what comes to mind? Your laptop? Phone? Internet of Things “smart” oven? (I’d hate to let a hacker know how badly I burnt that casserole)

Anything else? How about your computer on wheels?

Modern cars are rolling supercomputers. They have dozens of systems collecting unique data to make your driving experience safer, more enjoyable, and sometimes more distracting. For example, the traction control computer collects information on road conditions hundreds of times a second. However, it’s probably not a source of identity theft (though what could be learned from its records would surprise you). Nor is the network of proximity sensors to help you navigate tight areas.

Your car does contain a number of personalized systems. Let’s look at the big ones:

GPS: Your car knows where it is at all times, where it has been, the paths you take, and even the speed at which those drives were made.

Bluetooth: When you pair your phone, it does more than share a 4-digit code. To automatically reconnect, the car remembers your phone’s unique ID. This isn’t a huge privacy issue on its own, but today’s cars save far more. To make dialing easier, a lot of systems import your contacts and synchronize your text messages. No big deal, just your entire phone book and call/text history.

HomeLink: Do you have buttons on your mirror or visor? Do they open your gate/garage? Then you have HomeLink. These can even support turning on/off lights, though new smart integrations have made that a bit redundant. Combined with the GPS history, this is the biggest privacy risk in your car. The former tells anyone in the car where your house is located. The latter Opens. Your. Home.

Those are the big three. Others vary by manufacturer and features. Things like a custom entry code (many Ford vehicles still use this feature…do not choose a birthday!) are seen on occasion. App integration is becoming more common, making your phone an advanced car key.

So, what of all these features? I’m a huge fan of integrations which make sense, and I use them often. However, I also know there is a level of security necessary. To add a small degree, I never program my actual home address into the GPS. The “point” is around the entrance to my community, not in my driveway. Do you really need those last 4 turns? Granted, someone could just find my address on the registration, but I’m hoping a potential thief is just too dumb to consider such an option. Why make it easy? Note: My garage opener doesn’t reach from the home “point”.

It’s good to know what these features can reveal while you have the car, but what about when you sell it? Given the privacy/security risk inherent, I find it almost criminal that an easy “I’m selling my car, delete everything” button is not available in every car. For mine, I’ve had to do the following:

  1. Delete my phone pairing from the car.
  2. Remove the “Home” location in my GPS.
  3. Remove all recent waypoints in the GPS.
  4. Reset the HomeLink buttons.
  5. Cancel/transfer satellite radio service (technically, with an active Radio ID, one can use a phishing strategy to get my personal information from SiriusXM)

You’re right, there is no direct credit union guidance in this post. However, given my recent experience in buying a new car, I felt it necessary enough to share. Be honest, how many cars do you think are traded-in with the prior owner’s home address and garage code?

Help protect your staff and membership by sharing this with everyone! (And along with every booked loan)

Image credit: That’s me, while owning two cars.

Billions of Dollars for Data? You bet!

You may not have seen, but Microsoft just wrote a check few can imagine. In pursuit of a comprehensive business platform, they are acquiring LinkedIn for a staggering $26.2 billion. In cash.

It would be the largest acquisition in company history, far exceeding the $8.5 billion they paid for Skype. So what can a social media platform for job hunters, executives, general employees, and recruiters possibly have to offer for a software and services firm like Microsoft? I mean, they have Office. What else could they want?

Big Data. Hold on, let me rephrase that. #BigData. Because knowing the trends behind it helps to better understand the rationale. Remember that article CU Insight shared of mine about your members’ data? It’s truly big business, and whatever you aren’t doing, someone else is. Besides, it’s really about better serving your members, and using the information you already have is the best way forward.

I cannot stress enough the importance of embracing data to further your personalized offerings. And once again, you don’t have to be working with millions of people or data points. Just a few carefully-selected points help you draw incredible conclusions. Sure, it will raise important conversations about member privacy. That’s a good thing. But you have to be doing it.

I’m here to help. Feel free to contact me here (the old-fashioned way) or on Twitter @JoeCUGeek. I promise your credit union can take substantive steps for less than $26B. Trust me, I’m a geek.


© 2024 Credit Union Geek
