Discover Offers Security Advice Regarding Equifax Data Breach

[Source: The following announcement from Discover was sent to customers via email on 5 Oct 2017.]

What you can do with Discover:

  1. Check your Social Security number and New Account alerts. You’ll get an alert if we find your Social Security number on any of thousands of risky websites, or if any new accounts show up on your credit report. [View Page]
  2. Track your FICO® Credit Scorecard for free. [View Page]
  3. Switch your account on or off with Freeze it® to prevent new purchases any time you misplace your card. [View Page]
  4. Keep your mobile phone number and email address up to date so we can alert you of any suspicious activity.

And remember—no matter what—you’re never held responsible for unauthorized purchases on your Discover card account.

Additional steps you can take:

1. Order and review your free annual credit reports. [View Site]
2. Update your passwords. [View Resource Page]
3. Use alerts and other security benefits on all your current accounts, not just Discover.
4. Restrict access to your credit file with the credit bureaus. [View Resource Page]
5. Learn more about identity theft and other ways to protect yourself at IdentityTheft.gov or the Consumer Financial Protection Bureau.

Misguided Internet Privacy Concerns and Virtual Private Network (VPN) Services

What We’re Being Told

According to national news coverage, due to regulatory changes, we’re told that internet service providers can now track our personal web browsing, save it indefinitely, and sell this information to the highest bidder. As a result, increased concern about internet privacy has prompted a rise in advertising for Virtual Private Network (VPN) services. Top security firms and analysts are warning that this threat is real and consumers should be very afraid.

Common Sense

Let’s take a step back for a moment and apply some common sense here. What’s being reported in the news is that your internet activity is tracked based on the IP address of your computer, and the fact that your name is on the internet service account.

As someone in IT for over 30 years, I’m telling you this just doesn’t make sense. Watch how quickly this unravels.

First of all, if you’re like 95% of consumers, your ‘computer’ doesn’t have a public IP address. Your cable modem or DSL modem has an IP address, but not your computer. If you live in a household, apartment, dorm, or are visiting a coffee shop or hotel, in all of these situations, you’re likely sharing that same modem/router IP address with other people using computers, phones, and tablets. When guests are at your home, they are sharing your modem and router. How is an Internet service provider going to know who is who? They won’t.

Will the data they gather ‘about you’ be of any value to advertisers? No.

Even more precise cookie-tracking ads only seem able to show you ads for products you’ve already purchased. We don’t want to see ads for websites and products we already know about, so such ads are a waste of money for advertisers.

Your internet browsing isn’t all done from home. It’s spread across multiple service providers: home, work, school, public transit, free public wifi, the coffee shop wifi, your phone used as a hotspot, and a friend’s home when you visit. You’re not going to be tracked based on IP address.

In addition to all of the above issues, many of the websites we visit today have SSL encryption. Sites that use https rather than http, like banks, online stores, and millions more, encrypt all communications between our browser and the site, hiding them from our Internet service provider and hackers. So, the information exchanged is private.

If you’re visiting a lot of anarchist websites, sites about manufacturing drugs, or websites that are primarily engaged in illegal activities, you and others sharing your modem may become ‘persons of interest’ but even then it would be difficult to discern between research done for a high school writing assignment and someone intending to break the law.

When you run all of your internet traffic through a single third-party VPN service provider, you’re handing over all your internet activity to one business — rather than anonymously to many. Why would you trust that business with your internet activity and not another?

Presumably with a VPN, much of your activity will appear to be from a single IP address which makes you easier to track and identify.

So, the privacy concern that’s being propagated in the mainstream media is misrepresented, and the solution they are prescribing makes the problem worse.

How We’re Actually Tracked Online

The ways that our activity is tracked online don’t really have much to do with an IP address. Cookies track what sites we visit, and our computing devices each have a kind of fingerprint. The triangulation of operating system, screen size, browser we use, and other factors begins to narrow down our unique devices regardless of how we get to the Internet. You’ve no doubt noticed that ads appear on websites that seem relevant based on products you’ve recently shown an interest in. This isn’t based on your IP address; it’s based on cookies and other factors. You can start paying for a VPN service, but those ads are still going to appear, and you’ll still be tracked. With mobile devices, you’re also tracked based on your location. A VPN service won’t prevent cookies, GPS tracking, and other privacy invasion issues.
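To make the fingerprint idea concrete, here is an added example (not part of the original article) that groups a handful of website requests first by IP address and then by device attributes. Every record is constructed for illustration, and the time zone field is an assumed stand-in for the “other factors” mentioned above; real fingerprints use many more attributes.

```javascript
// Constructed sample requests as a website might see them (all values made up).
const requests = [
  { ip: "203.0.113.7",   os: "Windows 10",  screen: "1920x1080", browser: "Chrome 61",  tz: "UTC-5" }, // laptop at home
  { ip: "203.0.113.7",   os: "iOS 11",      screen: "375x667",   browser: "Safari 11",  tz: "UTC-5" }, // phone, same home router
  { ip: "203.0.113.7",   os: "macOS 10.12", screen: "1440x900",  browser: "Firefox 56", tz: "UTC-5" }, // guest, same home router
  { ip: "198.51.100.22", os: "Windows 10",  screen: "1920x1080", browser: "Chrome 61",  tz: "UTC-5" }, // same laptop, coffee shop
  { ip: "192.0.2.90",    os: "Windows 10",  screen: "1920x1080", browser: "Chrome 61",  tz: "UTC-5" }, // same laptop, VPN exit
];

// Combine the device attributes into one key. The IP address is deliberately left out.
function fingerprint(r) {
  return [r.os, r.screen, r.browser, r.tz].join("|");
}

// Group items by the value a key function returns for each of them.
function groupBy(items, keyFn) {
  const groups = new Map();
  for (const item of items) {
    const key = keyFn(item);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(item);
  }
  return groups;
}

// Count distinct devices behind each IP, and distinct IPs used by each device.
function summarize(reqs) {
  const devicesPerIp = {};
  for (const [ip, rs] of groupBy(reqs, r => r.ip)) {
    devicesPerIp[ip] = new Set(rs.map(fingerprint)).size;
  }
  const ipsPerDevice = {};
  for (const [fp, rs] of groupBy(reqs, fingerprint)) {
    ipsPerDevice[fp] = new Set(rs.map(r => r.ip)).size;
  }
  return { devicesPerIp, ipsPerDevice };
}

console.log(summarize(requests));
```

The shared home address hides three different devices, while the laptop’s attribute combination stays the same across the home, coffee shop, and VPN addresses.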

When AntiVirus Software Advertises

One of the promises of today’s internet security software is to remove annoying pop-up ads caused by malware. Yet, sometimes antivirus software can be the source of misleading or confusing ads. Over the years, Avast has been one of the better antivirus programs available and even their free version ranks high in reviews. However, recently they’ve been looking for more ways to get consumers to buy additional services. For example, their antivirus software will report a frequent alert and warning about system performance issues. When you respond to the alert, they suggest buying their system cleanup software. Even on a computer with a fresh installation of Windows, and no other software installed except Avast, the alert saying system cleanup is needed will appear. This is similar to what’s referred to as “scare-ware,” which is software that scares consumers into buying when perhaps no serious threat exists. Avast software also alerts users to passwords saved in browsers as a way of selling their password manager.

The ad below is an example of how Avast is now pushing out pop-up ads for their SecureLine VPN service. This pop-up ad began on 6 April 2017 and has been showing up daily. So, Avast is basically using their antivirus software as a way into your computer for purposes of advertising additional products and services. Unfortunately, the Avast SecureLine VPN isn’t rated well based on the cost and features it offers.

[Image: Avast pop-up ad for SecureLine VPN]

Do VPN Services Really Offer Privacy?

The Avast pop-up advertisement above gives an itemized list of benefits that VPN services supposedly provide. This just isn’t true. Take a look at the following claims:

  • “Surf 100% anonymously every time”
  • “Hide your online activity from hackers” 
  • “Leave no trace of your activities” 

These claims aren’t exactly true. Your searching activity will be known by the owners of websites you log in to. Also, browsers save your searching history and may be storing that information in the cloud. Malware on your computer could be tracking your internet activity as well as login passwords. As explained above, there are many other ways to track a person’s browsing history that have nothing to do with a specific IP address.

Avast SecureLine VPN claims that you can “Access region-locked content easily.” That’s true. People visiting China or other restrictive countries may have trouble accessing some U.S.-based websites. VPN services can help by giving you access to content censored in some countries. However, that’s irrelevant for most consumers.

How Can We Protect Our Online Privacy?

The greater threats to privacy will come from malware, hackers, viruses, and security breaches like the 1.5 billion Yahoo accounts that were hacked, or the 11 million government military and cyber personnel files, criminal records, and health records that were recently stolen. The websites you visit are not your greatest concern.

Here are a few steps you can take to have greater privacy:

  • HTTPS Everywhere. Consider using the free HTTPS Everywhere browser plugin to encrypt your visits to websites. (Thanks to SJ for this suggestion.)
  • Limit Social Media Use. One of the problems with sharing so much personal information through social media is that hackers can use that information to guess passwords. Crooks know when you’re on vacation and plan robberies accordingly. Identity thieves can take all your online photos, and create imposter accounts, then commit fraud with your friends and family. (Thanks to NJ for the suggestion to add these cautions).
  • Mobile Hotspot. Rather than taking a chance with unsecured public networks, consider using the built-in mobile hotspot on your phone. Use your mobile device as a hotspot and stay off any networks that you don’t trust.
  • VPN. It should be pointed out that VPN services could be helpful when using unsecured public wifi hotspots at hotels or coffee shops. Using a VPN could help encrypt all your traffic so that any local hackers monitoring local network traffic at the packet level can’t read it. Additionally, while communication with SSL sites is secure, it could be helpful to encrypt which websites you visit, or at least not make that visible to your internet service provider. (Thanks to Tim at FriendlyTechie.net for making this additional point.)

We’re Already Giving Away Our Privacy

Millions of people have relinquished their right to personal privacy with social media sites like Facebook, allowing companies to know our friends, interests, and many details of our life. This has inspired movies like “The Circle” — see trailer below.

Facebook: Be careful when accepting friend requests from people you know.

Problem Summary

We’re all familiar with the warning to be cautious when accepting emails or social media requests from people we don’t know. Now it’s important to use caution when accepting friend requests from those we do know. Here’s why.

  • Scammers will set up a fake ‘imposter’ Facebook account using your friend’s name and maybe two or three of their photos. Then they will send you a friend request.
  • Because the friend request comes from someone you know, you’re less likely to be skeptical about it.
  • Additionally, because a few of your common friends will have already been duped into the scam, when you see the request come in, you’ll see that you have several friends in common and that will further reassure you that the request is legitimate.

At this point, the snowball effect begins. The people behind these scams seek to build massive databases of names and personal information for identity theft, social engineering, and hacking into accounts.

You and those you know who may have their Facebook content marked as ‘viewable by my friends and their friends’ are exposed to having all their content and list of friends stolen and misused.

So, for this reason, be VERY careful when accepting friend requests on Facebook even from people you know.

What To Do if You’re the Target

If someone has set up an imposter account pretending to be you, don’t post a message saying “my account has been hacked” because then your friends won’t know which account to trust. Explain that your account hasn’t been hacked, but that someone set up a new ‘fake / imposter’ account in your name and that you’re reporting it. Then follow the instructions on this page to report it and have it shut down.

Identification and Prevention – 3 Easy Steps

Here are three easy steps to identify and prevent fake accounts. (source)

  1. Take a few seconds to look and see if you are already friends with that person. If so, the new one is likely fake.
  2. Glance at the profile for the person making the request. Does it look legitimate? Often the fake accounts have only a few simple posts.
  3. Communicate with the person making the request. Send a message: “Hi ____, I’m just making sure this is really you.” If they reply by telling you that Facebook is giving away a million dollars, it’s probably fake.

If it’s fake, take a moment to report it quickly before the scam spreads. Use the steps below.

How to Report and Shut Down Imposters

Because this is becoming a very prevalent problem, Facebook has improved the mechanism for reporting it. Follow the instructions shown below. In step 4 you can indicate whether someone is pretending to be you or someone you know.

[Image: How to report fake imposter Facebook accounts]

Further Reading

Here are some additional articles on the topic of Facebook safety and how to avoid Facebook scams.

Facebook has an official ‘how to report things’ page.

You can view all Facebook support requests in your support inbox, including reporting of user accounts.

Tech Q&A: Why do scammers create fake Facebook accounts?

Q: Why do scammers create fake Facebook accounts?

A: They have a few goals:

  1. To build fake personas on Facebook which can be sold on the black market for big money.
  2. To buy or use fake personas on Facebook to sell or promote things.
  3. Once trust or acceptance is garnered, they use the profiles to post links to malicious websites that will infect people’s computers and/or steal passwords.
  4. To launch social engineering campaigns via Facebook asking friends to ‘answer these ten questions about yourself’ — in order to gather personal information about people for the purpose of identity theft or hacking into people’s accounts.

There may be other reasons as well.

What You Can Do

Fake users may ask to be friends with you on Facebook. Even if you have friends in common, be careful not to friend anyone until you’ve spent at least a few minutes checking their profile. You may want to send the person a message and ask them why they wanted to connect. If you identify a fake account, click the three-dot menu icon and select Report to report the user account as shown below. By spending a few minutes, you can protect hundreds of social media friends and contacts.

[Image: Facebook Report user menu]

Identifying Fake Profiles

Here are signs of a fake profile:

  • Their profile has only a few posts on the timeline.
  • There are spammy advertising-like posts on their timeline.
  • Their About page has very little information.
  • They claim to work for Facebook on their About page.
  • Although you supposedly have friends in common, you’ve never heard of the person.
  • You’re a middle-aged man and the person you’ve never met who wants to friend you is an attractive girl in her 20s or 30s.
  • The person has only a few profile pics.
  • The profile pics are suggestive.
  • The person has multiple profile pics, but of different people.
  • Their Facebook friends have unusual or seemingly fake names.

Alessandro Acquisti Ted Talk Video About Privacy and Technology

Published on Oct 18, 2013

The line between public and private has blurred in the past decade, both online and in real life, and Alessandro Acquisti is here to explain what this means and why it matters. In this thought-provoking, slightly chilling talk, he shares details of recent and ongoing research — including a project that shows how easy it is to match a photograph of a stranger with their sensitive personal information.
