Friday, February 27, 2015

Keeping Your Passwords Safe and Accessible

Passwords are a necessary evil.  On one hand, we have to have them to keep our information secure.  However, on the other hand, we also have to remember them all so that we can keep access to our information.  This situation is what prompted one of my readers to email me last week asking about the best way to keep track of passwords.

Of course, it would be wonderful if we could use the same password for everything.  Unfortunately, that is no longer a secure option.  With the large number of hacks that have occurred in recent months, we can be assured that a password to one of our accounts has probably been compromised somewhere.  If that password is the same for everything, knowing your email (probably accessible from inside your hacked account options even if it wasn't hacked itself) will give others access to any accounts using that same password.

I certainly wish I could write a "best-in-all-cases" option for keeping track of your passwords securely.  Unfortunately, there is no best option.  The key is to find something that works for you.

One option is to use a password management program.  These programs will keep track of all your passwords, and many will automatically insert them in the proper places.  Some will even generate random passwords for you.  These passwords are secure not only because they use all the general password-selection criteria (lower-case and upper-case letters, numbers, symbols, etc.), but also because you will not remember the random passwords they generate.  This prevents you from accidentally giving your password out to a phishing site that you think is legitimate.

However, there are some problems with password managers.  If a password manager is installed on your computer, you are unable to sync it with your phone, tablet, or other devices.  You will need to install a separate program on each device and then update passwords on all of them when they are changed.  An online password manager stores your passwords on a server so that they sync between all your devices.  Unfortunately, this is my least-recommended method because it can be hacked to expose all your passwords.

If you don't want to use a password manager, you can consider using a notebook to keep track of your passwords.  (Before writing down login information for work in a notebook, check with your company's IT department.  Many have prohibitions against writing down passwords.)  This works great if you primarily access the internet from home on one device.  However, if your computer travels or you use many different devices, this becomes a problem.  Your notebook could be lost, exposing your passwords, or you could leave the notebook at home and not have any way to access your information.

If you do use a notebook, do not write your user names along with your passwords.  If your notebook is stolen, someone will have quick access to your accounts if both are written down.  Alternatively, you can write down your user name along with some generic hints that remind you about your password.  This way, you will know your password by reading the hints, but others will be unable to decipher your password from the information.

If you want to remember all your passwords and are having trouble, you can try using this simple trick.  Create a base password (to use it everywhere, make sure there is a capital letter, a lower-case letter, a number, and a symbol in it), then add the first 2-3 letters of the site to the end.  For example, I could create something like "s0cceR!uvr".  Then, I simply add "fa" for Facebook, "gm" for Gmail, and "tw" for Twitter.  Since your password is not stored on most sites (in fact, I would not trust a site that does store your password), you don't have to worry about your password system being figured out if a site is compromised.  Most sites use your computer to create what is called a hash, and then they transmit the hash to the site, where it is compared with the hash from the password you originally set up.  This is why most sites can only send you a link to change your password; they can't send you your actual password because they don't have it.
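The hash-and-compare step described above, as an added example (not code from this post or from any particular site).  It assumes salted PBKDF2-HMAC-SHA256 with an example work factor; the function names are hypothetical, and the sample passwords are built from the base and suffixes used in the paragraph above.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def make_record(password):
    """What is kept at sign-up: a random salt and the salted hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def check_password(attempt, record):
    """Login check: hash the attempt with the stored salt and compare the two hashes."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, ITERATIONS)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, stored)


def password_visible_in_record(password, record):
    """True if the password text itself appears anywhere in the stored record."""
    salt, stored = record
    return password.encode("utf-8") in salt + stored


if __name__ == "__main__":
    base = "s0cceR!uvr"          # base password from the paragraph above
    facebook = base + "fa"       # per-site suffixes from the paragraph above
    gmail = base + "gm"

    fb_record = make_record(facebook)
    gm_record = make_record(gmail)

    print("correct password accepted:", check_password(facebook, fb_record))
    print("other site's password rejected:", not check_password(gmail, fb_record))
    # The stored hashes for the two sites share no visible pattern, and
    # neither record contains the password, so there is nothing to e-mail back.
    print("facebook hash:", fb_record[1].hex())
    print("gmail hash:   ", gm_record[1].hex())
    print("password stored in record:", password_visible_in_record(facebook, fb_record))
```

The base-plus-suffix pattern stays hidden only as long as the site really keeps a salted hash like this; a site that stores the password itself exposes the pattern directly.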

If you are wondering what I use, the only simple answer is:  "All of the above".  There are many accounts that I only access from my primary computer.  I use a password manager installed on my computer to provide me quick access and secure passwords for these accounts.  For my most-used accounts (email, Facebook, bank, etc.), I simply remember the passwords.  And I store user names and hints for all of my passwords in a password-protected file that I store in my Dropbox account, making it accessible on all my devices.

Obviously, my solution is not going to work for everyone.  Some people will find that a notebook in a desk drawer will work fine.  Some will be willing to take the risk to have the convenience of an online password manager.  Others might opt for a hybrid solution like me.  Whatever method you choose, be willing to accept the risks and inconveniences that will come with your method, and don't be afraid to try out different methods until you find the one that works best for you.

Thursday, February 26, 2015

Recover Your Product Keys

Product keys are a necessary evil in our technological world.  However, they can be a problem when you need to reinstall a legitimate copy of a program, but you cannot find your product key.  Since we make so many purchases online, we have to go back to the original email we received, which is usually either buried somewhere in our inbox or long gone in the trash can.  For Windows, the product key is usually located on our computer, but the ink on the sticker can wear off, leaving you with no clue as to what your product key is.

While the product keys are stored on your computer, many are in locations that make it difficult to find and identify what product the key is for.  Fortunately, KeyFinder by Magical Jelly Bean can locate many of your product keys for you.  I would highly recommend that everyone run this program and make a copy of all product keys so that you have them if you need them.

You can download KeyFinder from the following links:
Windows
Macintosh

If KeyFinder cannot find a key that you need, you can try using their paid version, Recover Keys.  You can download a demo that will tell you if the key can be recovered, and then you can purchase the program to view the full key.

Wednesday, February 25, 2015

Make Extra Money as a Freelancer

If you are starting a business or own an established business, you know the importance of finding new customers.  If you are looking to make a little extra money, freelancing can be a great way to do it.  However, getting started as a full-time or part-time freelancer is difficult.  Or perhaps you are on the opposite side:  you want to hire a freelancer for a task but don't know where to find one.

Either way, Freelancer is the site for you.  If you want to hire a freelancer, create an account, post the details of your project, and wait for bids to come in.  If you want to become a freelancer, set up your account, enter some profile information, and begin looking for jobs.  (The site will offer you a free trial of its plus membership, but I would recommend sticking with the free account until you know it will be something you will use.)

Another great site to check out is Elance.  You can post a request for a job and get bids on completing it, or you can search through a directory of registered freelancers.

Tuesday, February 24, 2015

Improve Your Wi-Fi Connection

Wi-Fi is a wonderful invention.  It is convenient, and new developments have resulted in faster speeds and larger ranges for our access points.  However, it is not without its flaws.  I have written many times about the security issues that Wi-Fi networks have, but Wi-Fi networks can also conflict with other nearby networks and devices, reducing the speed and distance of your network.  There are several issues to be aware of when configuring your wireless devices:

1) Placement is Key - Before you begin experimenting with different configurations, evaluate the placement of your access point.  Ideally, you want it to be in the center of your house and as high as possible.  This reduces interference that can be caused by the furniture and walls, and it keeps your signal from being broadcast to the outside.  If you must put the access point along the wall, try placing a curved sheet of aluminum behind it or use the "beer can/soda can" trick to reflect some of that signal back into the house.

Also, make sure that your router has plenty of room to breathe.  A router that gets even moderate use from many different devices will get hot, so it must have room for proper airflow.  If it cannot get proper airflow, it will slow down or completely shut off to keep itself from overheating.  If your speed seems fine first thing in the morning but decreases throughout the day, air flow (or a failure in the router's cooling system) could be the problem.

2) Check Your Standard - In order to ensure compatibility between devices and access points, there is a set of standards that describe how devices should communicate.  Each standard also has its own speed and distance limitations.  All wireless standards start with the numbers 802.11 followed by one or more letters.  The two original standards were 802.11a and 802.11b, and they have been followed by 802.11g, 802.11n, and most recently, 802.11ac.  (The other letters have also been used, but they describe other factors of wireless configuration or have been rolled into the major standards I listed.)

The older standards are generally slower and have shorter ranges, but that does not mean that you should go out and purchase a brand new router.  Even if your router uses the fast 802.11ac standard, you will be limited to slower speeds if not all of your devices are able to use the fastest standard.  If you want to see what standard your router is using, just hover your cursor over the network name.  In the window that comes up, you will see "Device Type:" followed by the standard that you are using.  If you are not using 802.11n or 802.11ac, you may want to consider upgrading to an 802.11n router.  (The only reason you would not want to upgrade would be if you have an older device.)

3) Check for Interference - Wireless standards have used one of two frequencies to communicate:  2.4 GHz or 5 GHz.  802.11a used the 5 GHz frequency, but 802.11b and 802.11g switched to the 2.4 GHz frequency.  The latest two standards, 802.11n and 802.11ac, are now capable of communicating at either frequency.  (Some routers are "dual-band", meaning that they can communicate at both frequencies simultaneously.  Others can only communicate at one or the other.)

Older routers that used the 2.4 GHz frequency found interference from other household devices, such as microwaves, cordless phones, and Bluetooth devices, and there is less overall bandwidth for the devices to communicate.  However, the 2.4 GHz frequency can cover a greater area than the 5 GHz frequency.

In general, it is best to use the 5 GHz frequency unless you need the added distance provided by the 2.4 GHz band.  If you have a router that can use either frequency, you can try switching the frequency to see if you have less interference using the other band.  The exact procedure for changing the frequency band varies by router, so you will need to check the manual.

4) Change the Channel - Within either the 2.4 GHz or 5 GHz frequency are multiple subdivisions for communication, called channels.  If you and your neighbor are both trying to use the same channel, your networks will interfere with each other and decrease performance.  This can be a bigger problem in apartment buildings with a large number of wireless networks in a small space.  Most personal routers are configured to detect which channel has the lowest amount of traffic on it.  However, this process will not always find the best channel.

Channel selection is most important in the 2.4 GHz frequency, as it only has three channels that do not overlap:  1, 6, and 11.  If you are experiencing intermittent slowdowns on your network, you might want to try all three channels to see if one gives you better overall performance.  (Ideally, everyone in your neighborhood/apartment complex could sit down and work out a map to prevent networks from overlapping on the same channel, but this would probably never happen in practice.)
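One way to compare channels 1, 6, and 11 against a list of nearby networks, as an added example (not part of the original post).  It assumes 2.4 GHz channels spaced 5 MHz apart and 22 MHz wide, uses a simplified linear overlap model, and runs on a constructed scan list; the network names and signal levels are made up.

```python
CHANNEL_SPACING_MHZ = 5    # 2.4 GHz channel centres are 5 MHz apart
CHANNEL_WIDTH_MHZ = 22     # assumed channel width (802.11b-style)
NON_OVERLAPPING = (1, 6, 11)

# Constructed sample scan: (network name, channel, signal strength in dBm).
SAMPLE_SCAN = [
    ("Neighbor-A", 1, -45),
    ("Neighbor-B", 3, -60),
    ("Neighbor-C", 6, -70),
    ("Neighbor-D", 9, -80),
    ("Neighbor-E", 11, -50),
]


def overlap(channel_a, channel_b):
    """Fraction of one channel's width shared with the other (0.0 = no overlap)."""
    distance_mhz = CHANNEL_SPACING_MHZ * abs(channel_a - channel_b)
    return max(0.0, (CHANNEL_WIDTH_MHZ - distance_mhz) / CHANNEL_WIDTH_MHZ)


def dbm_to_mw(dbm):
    """Convert a signal level in dBm to linear milliwatts so levels can be summed."""
    return 10 ** (dbm / 10)


def channel_scores(scan, candidates=NON_OVERLAPPING):
    """Estimated interference on each candidate channel (lower is better)."""
    scores = {}
    for candidate in candidates:
        scores[candidate] = sum(
            dbm_to_mw(dbm) * overlap(candidate, channel)
            for _name, channel, dbm in scan
        )
    return scores


def best_channel(scan, candidates=NON_OVERLAPPING):
    """Candidate channel with the least estimated interference."""
    scores = channel_scores(scan, candidates)
    return min(scores, key=scores.get)


if __name__ == "__main__":
    for channel, score in sorted(channel_scores(SAMPLE_SCAN).items()):
        print(f"channel {channel:2d}: estimated interference {score:.2e} mW")
    print("suggested channel:", best_channel(SAMPLE_SCAN))
```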

Monday, February 23, 2015

What Have We Learned From Intercept

Late last week, word came out that one of the largest producers of SIM cards for cell phones, Gemalto, had been hacked by the NSA and GCHQ (Britain's NSA-type agency).  According to the documents, these agencies stole the keys that were being used to encrypt traffic on wireless networks.

Gemalto provides SIM cards to over 450 carriers worldwide, including all of the major U.S. carriers.  It also makes the chips for many of the smart cards and passports.  Gemalto transmitted these keys with little security (sometimes, with no security), allowing governmental agencies easy access to the master lists.  Using these keys allowed them to decrypt wireless traffic they had collected.

The GCHQ figured out a way to maximize the number of keys it obtained each month by targeting specific sources.  Some estimates say that they could process over 100,000 SIM keys each month, and that by 2009, the NSA had already obtained at least 12 million encryption keys.  Not only does this allow them to decrypt the wireless traffic of a particular target, but it also allows them to look back and decrypt wireless traffic that they collected before they obtained the key.

While we do not know the exact number of keys that the NSA and the GCHQ have obtained, the fact that they obtained such a large number of keys in the time covered by these documents makes it very likely that your SIM card's key has already been compromised.  Unless you are suspected of criminal activity, it is unlikely that any law enforcement agency is actually looking at your data, but they are collecting it and probably have the means to decrypt it if they desire.

How Can I Protect Myself?

While the compromised key allows the NSA to decrypt data that is traversing the wireless networks, it will not be able to decrypt data that has an extra layer of encryption on your phone.  Most major email providers already provide this encryption with their apps, and you have this additional encryption when browsing on secure sites.  If you want added protection, you can download Firefox for Android and add the HTTPS Everywhere extension.  This will ask all sites to communicate using an encrypted session.  (It does not mean that every site will be encrypted; it will only force your browser to use an encrypted session if one is available.  Many sites do not offer encryption.)

To protect your text messages, you can use a text messaging app like TextSecure or Silent Text, and you can protect your phone calls by using an app like RedPhone or Silent Phone.  (I have not used any of these apps, so I cannot recommend them, but they are the most common recommendations on the sites that I follow.)  Obviously, if the government wants to obtain your communications using one of these apps, it can target them like it targeted Gemalto.

Finally, a new technology, called Perfect Forward Security (PFS), would help protect communications in the future.  PFS would use unique, one-time encryption keys to better protect your communications.  It would not stop the NSA or any other agency from decrypting your wireless traffic in real-time, but it would prevent them from going back and decrypting traffic they obtained previously.  Unfortunately, this requires mobile phone companies to adopt PFS for their networks, something that no carrier has yet done.
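The difference between one long-term key and one-time session keys, as an added example (not part of the original post and not how any carrier's network is implemented).  It assumes a toy Diffie-Hellman group and a toy stream cipher built from SHA-256, both far too weak for real use; all names and the sample message are constructed.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this example (much too small for real use).
P = 2**127 - 1
G = 3


def xor_stream(key, data):
    """Toy stream cipher: XOR with SHA-256(key || counter). The same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def static_session(long_term_key, plaintext):
    """Session key comes only from the long-term key plus a nonce sent in the clear."""
    nonce = secrets.token_bytes(16)
    session_key = hashlib.sha256(long_term_key + nonce).digest()
    return {"nonce": nonce, "ciphertext": xor_stream(session_key, plaintext)}


def forward_secret_session(long_term_key, plaintext):
    """Session key comes from one-time secrets; the long-term key only signs the exchange."""
    a = secrets.randbelow(P - 3) + 2            # phone's one-time secret
    b = secrets.randbelow(P - 3) + 2            # network's one-time secret
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)   # public values, visible on the air
    tag = hmac.new(long_term_key, f"{pub_a}|{pub_b}".encode(), hashlib.sha256).digest()
    shared = pow(pub_b, a, P)                   # the network gets the same value from pow(pub_a, b, P)
    session_key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    record = {"A": pub_a, "B": pub_b, "tag": tag,
              "ciphertext": xor_stream(session_key, plaintext)}
    del a, b, shared, session_key               # one-time secrets are thrown away
    return record


def decrypt_recorded_static(record, long_term_key):
    """Anyone holding the long-term key can rebuild the session key from a recording."""
    session_key = hashlib.sha256(long_term_key + record["nonce"]).digest()
    return xor_stream(session_key, record["ciphertext"])


def decrypt_recorded_forward_secret(record, long_term_key):
    """With the long-term key, the recording can be authenticated but not decrypted:
    the session key depended on one-time secrets that no longer exist."""
    expected = hmac.new(long_term_key, f"{record['A']}|{record['B']}".encode(),
                        hashlib.sha256).digest()
    tag_ok = hmac.compare_digest(expected, record["tag"])
    # Any key built only from the long-term key and the recorded values is the wrong key.
    wrong_key = hashlib.sha256(long_term_key + record["tag"]).digest()
    return tag_ok, xor_stream(wrong_key, record["ciphertext"])


if __name__ == "__main__":
    sim_key = secrets.token_bytes(16)           # stands in for the key stored on a SIM
    message = b"constructed sample message"
    old_style = static_session(sim_key, message)
    pfs_style = forward_secret_session(sim_key, message)
    print("static key, recorded traffic readable later:",
          decrypt_recorded_static(old_style, sim_key) == message)
    tag_ok, recovered = decrypt_recorded_forward_secret(pfs_style, sim_key)
    print("one-time keys, recording authentic:", tag_ok)
    print("one-time keys, recorded traffic readable later:", recovered == message)
```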

Friday, February 20, 2015

I've Been Hacked! - Part 3

Today is our final day covering what to do if your information is compromised in a data breach.  If you've read the first two parts, you already know that the first step is to learn exactly what was stolen, because the proper response to these breaches will vary based on what data was compromised.

In part one, I discussed what to do if your username, password, or other contact data is breached, and in part two, I discussed what to do if your credit card or bank account number is stolen.  Today, we examine the worst scenario:  your social security number has been compromised.

Part Three:  Social Security Number Stolen:

Of all the breaches, this is definitely the worst.  While it is possible to obtain a new social security number, the process is so complicated that it is only advisable if you are having long-term problems with identity theft.  Fortunately, our social security numbers are not connected with nearly as many accounts as our credit cards, so this makes this type of heist more rare.  Unfortunately, this data was compromised by the recent attack on Anthem, so do not assume that your social security number will always remain safe.  If your social security number is compromised, here are some steps to take:

1) Place a Fraud Alert or Credit Freeze - Contact one of the three credit bureaus (Experian, TransUnion, or Equifax) and place a fraud alert on your account.  They should notify the other bureaus, but it never hurts to notify all three yourself.  The fraud alert will notify potential lenders that you may be the victim of identity theft, and they will take additional precautions before opening any new accounts.

You may also want to consider paying to have a credit freeze placed on your account.  This will stop any account from being opened in your name, whether you want it or not.  Do not place this type of freeze if you know you will want to obtain a loan or open a new credit card in the future, as you will likely have to pay again to lift the freeze (and then pay a third time to put the freeze back in place, if you still want it).

2) Request a Credit Report - While you are placing your fraud alert or credit freeze, take the time to request a copy of your credit report.  Review it for accurate information and dispute any inaccuracies quickly.

3) Notify Your Bank - Even if your current accounts were not compromised, your bank will want to be extra vigilant with your accounts if your social security number has been compromised.  They may require extra verification before certain events, like a change of address or opening a new account.

4) Keep Your Address - Contact the Social Security Administration and the Internal Revenue Service to make sure that they have an accurate address for you, and notify them that your social security number has been compromised.  An identity thief may try to change your address in order to have official documents containing personal information mailed to another address.

5) Beware of Scams - Once again, make sure you don't complicate things further by falling for a scam involving a data breach.  Someone can find out a large amount of information about you by knowing your social security number, so do not trust someone just because of the information they know.

If you know that you have been a victim of identity theft (regardless of whether or not your social security number was involved in a mass breach), then there is one extra step you will want to take:

6) File Reports - If you know that your information has been used to open a new account, file a report with your local police department and the FTC.  This will be necessary as you clean up the mess an identity thief has made.

Thursday, February 19, 2015

I've Been Hacked! - Part 2

With all the high-profile data breaches recently, it is a good idea to have a plan of action if your account is compromised.  I know for a fact that my information was compromised in two recent breaches:  the Chase breach revealed late last year and the Anthem breach announced earlier this month.  Knowing what to do if your information is exposed will greatly reduce your stress and hassle as you try to keep yourself safe.

As I mentioned yesterday, the first step is to learn exactly what was stolen.  The proper response to these breaches will vary based on what data was compromised.  You don't need to pay to completely freeze your credit if an attacker only got your address and phone number.

In order to keep these tips to a manageable length, I am splitting up my suggested responses based on what information was compromised.  In part one, I discussed what to do if your username, password, or other contact data is breached; today's part two contains what to do if your credit card or bank account number is stolen; and part three will list actions to take if your social security number is compromised.

Part Two:  Credit Card or Bank Account Information Stolen:

Obviously, this is much worse than just losing your password, but unlike a social security number, these account numbers can be changed to stop fraud.  Most of these suggestions will deal with a compromised credit card number, but they are equally applicable to a stolen debit card or bank account number.  If your credit card or bank accounts have been a part of a breach, here are some steps to take:

1) Contact Your Bank - If you have even the slightest suspicion that your credit card number may have been involved in a hack, contact your bank right away using the 24-hour number printed on the back of the card, even if there are no suspicious charges.  This serves two purposes.  First, your bank will examine your transactions more carefully for signs of fraud.  This may help them catch transactions that might not have been flagged otherwise.  Second, your bank may decide to go ahead and issue you a new card, even if your card has not been used.

As a side note, it is a good idea to store the bank's contact number in your phone in case your card is ever lost.

2) Follow Up - While the phone call is a good first step, you should always follow up your phone call with a letter.  Make sure to include the date and approximate time of the call, the name of the agent you spoke with, and the matters you discussed.  Make a copy for your records, and record the date you put it into the mail.  If you want to be extra vigilant, send it using priority mail with a tracking number, and record the tracking number and a copy of the website information showing that it was delivered.  It is fine to discuss business over the phone, but if you want to have a legally-provable way to show what you discussed, it needs to be put in writing.

3) Monitor All Your Accounts - You have no way of knowing for sure how the attackers got your credit card number.  If you know your card was used at a company that was breached, you can be relatively confident it came from that attack, but it could have come from spyware on your computer, instead.  If one account is compromised, be extra vigilant in monitoring your accounts for the next few months.

4) Accept--But Don't Blindly Trust--Credit Monitoring - If a company offers you free monitoring in the wake of a breach, sign up for it!  They will help keep an eye out for suspicious activity and can even complete much of the process of reversing damage that occurs.  They can also give you excellent advice on what to do in the event your card is used or your identity is stolen.  However, do not allow credit monitoring to take the place of personal vigilance with your accounts.  Keep a close eye for unusual activity on all your accounts.  Attackers will also know how long the monitoring will last, and they may decide to sit on the data for the 1-2 years your credit is being monitored, and then use it once the free credit monitoring has expired.

5) Consider Contacting the Credit Bureaus - Contact one of the three credit bureaus (Experian, TransUnion, or Equifax) and ask that a fraud alert be placed on your account.  (This is a completely free process.)  This will notify prospective lenders who run your credit that you suspect you may have been a victim of fraud, and it will also prevent certain types of accounts from being opened without contacting you directly.  All three bureaus have online forms where you can submit the information, or you can also contact them by phone.  The three bureaus will share the fraud alert information with each other, but if you have the time, it never hurts to notify each one individually.

While you are there, it would be a good time to request your free credit report from each organization if you haven't received one in the past year.

6) Beware of Scams - Obviously, this one applies no matter what has been compromised.  Attackers will always be on the lookout for ways to trick people into giving up their personal information.  After a breach of any kind, there will be a multitude of phishing emails going out pretending to be the breached company.  Make sure you don't fall victim to these scams and add to your headache!

Wednesday, February 18, 2015

I've Been Hacked! - Part 1

It seems as though we are constantly hearing about new data breaches at various companies.  Usually, by the time the media has exhausted its coverage of one breach, there is a new breach revealed for the media to cover.  While the media has done an excellent job at keeping everyone up-to-date on where these breaches have occurred (and who has been affected), we hear very little about what to do if your information is stolen.  Most of the time, companies respond by offering identity protection--certainly a benefit you should accept--but identity protection will only help you clean up after your information is used.  There are many more concrete steps you can take to protect yourself after you learn of a breach but before your information is used.

I have personal experience as a victim of several recent data breaches.  I shopped at Home Depot during the period where their systems were compromised, but I only shop there occasionally and generally pay in cash, so I cannot say with certainty that I was a victim of the Home Depot hack.  However, my information was compromised by the Chase hack revealed last year, and again in the Anthem breach earlier this year.  (Ironically, the insurance program for state employees in Kentucky switched to Anthem at the beginning of the year, and just over a month later, they had to inform us of this breach.)

The first step is to learn exactly what was stolen.  The proper response to these breaches will vary based on what data was compromised.  For example, in the Chase hack, no account data or passwords were compromised; the only information taken was contact data for customers.  The steps you take in this case are radically different from the ones you would want to take if your credit card or bank account numbers were exposed.

In order to keep these tips to a manageable length, I will be splitting up my suggested responses based on what information was compromised.  In part one, I will discuss what to do if your username, password, or other contact data is breached; part two will contain what to do if your credit card or bank account number is stolen; and part three will list actions to take if your social security number is compromised.

Part One:  Username, Password, or Contact Information Stolen:

Obviously, no data breach is ever good, but if some information is going to be stolen, this is the type of breach you want.  Most of these suggestions only deal with compromised user names and passwords.  If only your contact information (name, address, phone number, email, etc.) is stolen, your account online is probably still secure, but you could see an increase in phishing attempts and other scams.  If your password or other information has been stolen, here are some steps to take:

1) Change Your Password - This should be a no-brainer.  If your password has been stolen from a site, change it as soon as possible!  In many cases, it may be best to change it twice:  once upon the first reports of the breach, and then again once the company has strengthened its security.  The first password change will not lock attackers out of your account if they are still exploiting the breach and grabbing more data.

2) Check Your Information - If someone else has your username and password, they might be able to log in and change personal information, such as your address.  If you are not careful, you could quickly place an order using your account and find that it was set to ship somewhere else during the time your account was compromised.  (Obviously, sites clearly show you the shipping address to prevent this, but if you click through without checking, it could be a possibility.)

You will also want to know what other information might be available to someone who snooped inside your account.  Sure, your banking site may have only had its user names and passwords compromised, but someone can use that information to log in and see your account numbers.  If you can access any of this information from the user interface, assume that it has also been compromised.

3) Use Extra Caution with Email - Have you ever thought about how much access our email accounts grant us?  If your email account has been compromised, review what information you might have stored in your inbox.  Also, check accounts that use that email address for signs of tampering.  If someone has access to your email, they can use the "Forgot my password" link to change your password for many other sites.  (Some sites are becoming smarter about this and requiring more information before sending a link to your email, but many are slow to follow this increased security.)

4) Enable Two-Factor Authentication - Two-factor authentication requires more than just a user name and password to log in.  In most cases, this will be a code you will receive via email or text message.  My bank requires two-factor authentication the first time you log in to an account from a particular device, and then it places a cookie in your browser identifying your device as a trusted device and permitting you to log in with just your user name and password.  If an account offers two-factor authentication, it is a good idea to turn it on, even if your account details haven't been compromised.

5) Watch Your Accounts - If your account has payment information stored with it, it is possible that someone could have placed an order with your account and charged it to your stored payment method.  Review your bank statements and your order history with the site to see if there is any suspicious activity.

6) Review Your Personal Password Policy - We all know we shouldn't use the same password for multiple sites, and we have all probably broken this rule.  A smart attacker will make checking for reused passwords one of the first activities after obtaining your password.  Additional accounts could be compromised using this technique, and you might not realize it until after damage has been done.  (As a follow-up note, someone recently shared an excellent tip with me about how to manage and remember your passwords, and I will share this with you next week.)

7) Beware of Scams - Less than 24 hours after the Anthem hack was announced, emails came out asking people to click the link and verify their Anthem account information.  The scam could come through a variety of methods:  email, phone, postal mail, or even text message.  In many cases, attackers will simply send out batches of emails mentioning that your information has been compromised on a particular site.  (I received one for Skype last year, even though I have never used or had an account with Skype.)  However, attackers are starting to launch more personal attacks with the data they have obtained.

Imagine that your password was compromised at some company.  An attacker could use that to log into your email (which used the same password as the hacked company's site), and see that you placed an order with Amazon for a new vacuum on January 27th.  Now that they have your name and address from the receipt, they can do a simple search to get your phone number (if it wasn't also listed on the receipt) and call you with a "customer satisfaction survey."  Since they ask you specific questions about "your order from January 27th" and "your new Hoover WindTunnel vacuum", you have no doubt that they are actually from Amazon, and you give them your password when they say they need you to "confirm your identity".  You never suspect anything until you see charges on your credit card from Amazon, where you had saved your card number for convenience.  It might sound complex, but an experienced attacker with some software help could probably have the orders placed in less than 10 minutes.

Tuesday, February 17, 2015

Is That Photo Real?

Have you ever seen a picture and wondered if it was real or if it had been manipulated?  In a previous tip, I showed you how to use an image search engine to find out if a photo was available on the internet.  (You can read that tip again here.)  However, an image search won't tell you if a picture has been altered.

Fortunately, Foto Forensics can help you determine if an image has been photoshopped.  It will analyze an image to determine if it shows signs of modification.  Upload the photo from your computer or enter the picture's URL, and Foto Forensics will provide a substantial amount of data about the photo.  It will not give you a simple yes or no, but it will help you analyze a photo for inconsistencies in the rendering that indicate it was modified.  If you are not sure what to look for, scroll to the bottom and check out the link for the tutorials.

Like a forensics officer for a police department, you will have to do some work to draw any conclusions.  Plus, you may come to a point where you have to say that you cannot make a conclusive decision.  However, since most people are not expert image manipulators, you will likely be able to catch most fake images.

Monday, February 16, 2015

Four Places You Shouldn't Use a Debit Card

Most of you know that I don't care for debit cards.  (If you didn't know that, you can read why here.)  In summary, debit cards have far fewer legal protections (although my bank's policy extends all of its credit card protections to debit cards), and for fraudulent charges, you are stuck fighting to get your money back instead of just fighting to get the charge off of your bill.  I have cut out almost all of my debit card use; I make a few small purchases each month in order to keep my account from getting a service charge, and use cash or my credit card for everything else.  However, there are a few places I never use my debit card, simply because there is an increased risk of fraud:

1) Gas Pumps - Card skimmers have become cheaper to make and easier to install.  However, the biggest problem is finding a place to install them.  Gas pumps make an excellent target because they are relatively free from employee surveillance and no one will question why you're standing around near a gas pump.  In under a minute, someone can attach a card skimmer to the gas pump and drive by every few days to download the data it collected via wireless.  Your transaction will go through just like normal, but your card will be copied and sent to an additional destination.

2) Restaurants - Restaurants are one of the few places where we accept that our card will leave our sight for an extended period of time.  Unfortunately, restaurants have not been able to come up with a practical solution for this problem.  If you wouldn't walk up to a stranger and hand him or her your debit card, why would you give it to someone you don't know at a restaurant?  Yes, the vast majority of waiters and waitresses will not try to steal your information, but you have no way of picking out the one or two people in your city who are working there for other reasons.

3) The Gym (And Other Places with Automatic Payments) - It might sound like a great idea to have your automatic payments deducted from your checking account.  But will you remember to deduct them from your records each month?  If you forget, you will be facing overdraft charges.  Plus, hearing stories of people who were charged for a recurring payment after the payment was cancelled should be enough to make you want those charges to go on your bill instead of coming out of your checking account.

4) Online - It seems that hackers are getting into everything these days.  In fact, I sometimes wonder if it is even safe to buy anything online these days.  However, if you are going to make a purchase online, it will be much safer to keep the number that accesses your checking account off the internet.

While it is true that your credit card is just as vulnerable as your debit card at these locations, your credit card will be much better protected and you won't be without your money until your bank completes its investigation.  Cash is obviously best, but it is inconvenient at the gas pump and impossible to use online, so when you must swipe a card, credit is your safest alternative.

As a final note, I have had a couple people tell me they are concerned about overspending on their credit card and not being able to pay the bill when it comes due.  Fortunately, there is an easy solution:  transfer the money from your checking account onto your card as soon as you make a charge.  This way, you get the safety of a credit card while preventing a large bill at the end of the month.

Friday, February 13, 2015

Set Your Facebook 'Legacy Contact'

One of the problems many people have had with Facebook was the lack of a way to pass your accounts on to others.  Yes, you could give someone else your password (or leave a list of your passwords for someone to find), but that is difficult to maintain if you like to change your passwords (which you should do on a fairly regular basis!).

Until yesterday, Facebook's only option for your page was to convert it into a memorial page, which basically froze the page, but kept it alive as a way to remember the deceased.  Now, any Facebook user in the United States can designate a "legacy contact" who will have permission rights over some parts of your page.  (Facebook will also honor statements naming someone as a "digital heir" for online accounts, even if you do not list a legacy contact on your profile.)

The legacy contact will not be able to edit or delete posts you have made, but he or she will have the power to write a memorial message at the top, change the profile picture, and accept friend requests.  If you grant permission, the contact will also have the power to download all your posts and photos or to delete your account.  If you do not set a legacy contact, Facebook will continue to freeze your account as it did before.

There are a few complications that may need to be adjusted.  Currently, Facebook is only allowing for one legacy contact--no backups or splitting the duties--and the legacy contact responsibility cannot be passed on to someone else.  This may create a tough situation for couples who travel together frequently:  they might want to designate someone else in case of a problem on their travels, but a surviving spouse would then be locked out of the other spouse's page completely.  Plus, the legacy contact has no ability to change much of the content of the page.  If the person's final post is not something they would want to be remembered by, the legacy contact has no power to change it.

Regardless, this is certainly a step in the right direction.  This is a change many have wanted for a long time, and it will definitely be adjusted over time.

To set your legacy contact, go to the "Settings" page and select "Security".  The section to control your legacy contact selection is at the bottom.

Thursday, February 12, 2015

Stop Google from Using Your Face

Imagine that you are doing a Google search for a product, and underneath that product is a picture of your best friend with a review he wrote last year.  Would you be more likely to purchase that product?  Of course, you would!

That's why Google updated its privacy policy last year to allow it to use your public images and reviews to try to sell more items.  Although your name and image must be publicly available and they will only be shown to your friends, this still feels like an invasion of your privacy.

Google calls these Shared Endorsements.  If you are over 18, Google has enabled permission to use your name, picture, and review in its ads by default.  However, you can disable this permission by unchecking one box.  Head to the Shared Endorsements page, scroll to the bottom, uncheck the one check box, and click save.

This permission applies based on your Google account.  If you have set up multiple Google accounts, you will need to follow these steps for each account.

Wednesday, February 11, 2015

Scan Your Machine for Security Issues

Do you know if your computer is secure?  Have you applied all updates?  Are you using strong passwords?  Are administrator accounts only in use for people who should have that privilege?  As you can see, there is a lot to keeping your computer safe.

Fortunately, Microsoft has a free tool that will analyze your computer for security issues with Windows and Office programs.  It will make sure each program is properly patched, check for strong passwords, and check to see if users have too many permissions.  It will then provide you a comprehensive report listing any problems found.

However, do not just implement every change.  Sometimes, you need certain changes for programs to operate correctly.  If you are not sure of what you are doing, do not change anything without checking with a computer technician.

If you want to try out a free security scan, check out the Microsoft Baseline Security Analyzer here.

Tuesday, February 10, 2015

Spot Fake Product Reviews

The ability to leave product reviews is a great part of our online shopping experience.  Even if you plan to purchase a product in a store, you can still check the reviews as you decide whether or not to buy.  However, many product reviews are fake.  Companies pay marketing experts to add positive reviews for a product, and some companies will even leave negative reviews on their competitors' products.  The key is to filter out the fake reviews and find the ones you can actually trust.

Here are a few tips to find the legitimate product reviews:

1) 2-4 Stars - Fake positive reviews will almost always have five stars, and fake negative reviews will almost always have one star.  Reviews that fall in the middle are much more likely to be legitimate reviews, and they are also more likely to have a balanced look at the pros and cons.  This is not to say that all one- and five-star reviews should not be trusted, but you should be much more careful trusting these reviews.

2) Facts and Opinion - Many fake reviews will consist of opinions that lack facts to back them up.  "Amazing!  Purchasing this product was the best decision I ever made!" doesn't give you any information about the product itself.  However, fake reviews can also go in the opposite direction:  instead of sharing "opinions", they simply summarize the product information without describing what does or does not work well.  The best reviews will have a balance of both facts and opinion.

3) Good and Bad - If you are being paid to make a company's product look good, you're not going to say anything bad about it.  And if you are being paid to make another company's product look bad, you're not going to say anything good about it.  Just like real reviews are more likely to contain a balance of facts and opinion, real reviews are also much more likely to contain a balance of the good and bad sides of a product.

4) The Same Thing - If you check multiple sites for reviews on a product and you see the same review posted on multiple sites, that is a sign that it has been placed there by a marketing company, especially if it meets other criteria above.

5) Don't Trust Just One - Never base your decision to purchase a product on one review, or even on the star rating.  Read through as many reviews as you can to get a feel for the areas where this product excels and the areas where the product needs some work.  Then, make your decision based on what you see mentioned often.

Monday, February 9, 2015

Stay Safe on Facebook

Facebook is a great tool to keep in touch with people, but it is not without its drawbacks.  Like any other site, one wrong click can quickly take you places you don't want to be.  Here are four ways to stay safe while Facebooking:

1) Watch Out for Scams - There are a multitude of scams on Facebook.  Some promise to give you a free iPad or Xbox, some let you see the latest "shocking video", and some promise to change your profile or let you see who viewed you.  They are all scams!  No one is going to give you a free iPad for filling out a survey, and Facebook has been very clear that no app can change your profile or let you see who viewed it.  And while there are plenty of videos available on Facebook, you probably don't need to install any updates in order to view them (especially if you are able to view videos on other sites).  If you are unsure if a video is legitimate or a scam, try doing a search for the video's title.  If you can't find it off of Facebook, it is probably a scam.

2) Don't Overpost - Do you completely trust every friend you have on Facebook?  While I have plenty of friends I would trust, I also have many Facebook friends who are acquaintances from work or from my days in school.  If your friends list is composed like mine and you post that you are leaving for a two-week vacation tomorrow, the fact that your house will be vacant could end up in the wrong hands.  (Even if someone will be there, your house-sitter might appreciate you not letting others think your house will be vacant.)  On the same note, don't post pictures from your vacation or tag yourself at various landmarks until you have returned home.

3) Don't Use Your Credit Card - Facebook is free (and they say it always will be), but they offer the opportunity to purchase gift cards and other products through the site.  Adding your credit card makes this process more convenient.  However, connecting your credit card to your profile could leave you vulnerable if you forget to log out of your profile on a public computer.  Plus, there is no guarantee that Facebook could not suffer a data breach.  Unless you are using this feature regularly, it is best to keep your card number away from Facebook.

4) Address and Phone Number - As I mentioned earlier, not every Facebook friend is an actual friend.  Therefore, not all of my Facebook friends need to be able to see my address and phone number.  Anyone who needs either of these can always message me or get in touch with me some other way.  Unless you tightly control your friends list, leave your address and phone number off and let those who need it ask for it.

Friday, February 6, 2015

Reduce Computer Eyestrain with a Simple Program

If your day is anything like mine, you spend a lot of time looking at your computer screen, sometimes late into the night.  The glow from your monitor can make your eyes think that it is daytime, even at 10:00 at night.  This can make it more difficult to get to sleep when you do finally turn in for the night.

Fortunately, there is a program that can solve this problem. F.lux is a program that will adjust your monitor's brightness based on the current time.  After you enter your location, your monitor will gradually brighten throughout the morning, and then dim as the sun goes down in the evening.

The f.lux icon will sit in your taskbar so that it will be easy to disable it if you need to do color-sensitive work on your computer.  If you need to do photo or video editing, you can quickly disable it for one hour, or if you want to watch a movie, you can put it into movie mode, which disables it for 2 1/2 hours.  If you know you will be working on a project for a long time, you can also choose to disable it until the next day.

I can tell you from personal experience that this program works for those who use a monitor for long periods of time.  Since both of my jobs require heavy use of my eyes, I have had eyestrain problems for several years.  However, since installing f.lux, I have found that my eyestrain has decreased.

Thursday, February 5, 2015

Three Steps to Secure Your Home Network

Wireless networks are wonderful.  We can take our laptop, tablet, or phone and sit anywhere in the house while we surf the web.  However, having wireless access in your home also means that someone sitting in their car across the street can use your internet unless you take steps to block that person out.  And while you might just think that you are being generous by allowing others to use your bandwidth, any activities (including illegal ones) performed by a person on the network will be connected back to you.  You may be able to clear yourself eventually, but you will end up with many hassles and legal bills before that happens.

Fortunately, it is simple to secure your home's wireless network to block out intruders.

1) Add a password - This is the most basic security step you can take.  When someone tries to connect to your network, they will be forced to enter the password you set up.

To set up your password, you will need to access your router's control panel.  To access this panel, you will need to go to a web browser window and enter your router's network address.  (The network address will be listed in your router's documentation, or you can look up the address for your router online.  It will begin with 192.168.)  Next, you will need to enter the user name and password.  These have a default setting, so if you have not changed them, look up the defaults in the documentation or online, as well.  Then, you will need to navigate to where you can change the password.  The exact procedure will differ based on your router, but for my router, I click on "Wireless" and then "Security".  For the best security, you will want to use WPA2 security unless you have a device that cannot connect with WPA2.  On my router, this is changed under "Authentication Type".  Underneath that option is a place for the "Passphrase".  This is obviously where you will enter the password that you want.

While this step will keep most people off your network, a determined person will still be able to get around your security if all you do is add a password.  To stop these people, you need to do more:

2) Change your SSID - The SSID is a name that identifies your wireless network.  By default, it will usually contain the brand name of the router.  Remember how we could access the control panel earlier by looking up the router's address online?  If your router's brand is listed in your network name, anyone on your network could look up that address and access your control panel.  Even if the model number is not in the description, most manufacturers use the same one or two addresses for all their routers.  Once on your network, it would not take long to be inside your control panel.

To change your SSID, you will once again go to the control panel and search for an "SSID" option to change.  On my router, I can access that by simply clicking on "Wireless".  Once there, think of a creative name for your network.  You can use your last name, your address, or even change it to "FBI Surveillance Van".  (Yes, I know of at least two people who have done that!)  This is not a password, so there is no need to be concerned about coming up with a complicated name.  The critical factor is that your router's brand name is gone!

If you want to be extra conscious about security, you can disable SSID broadcasting.  This will cause your network to appear as something like "Unidentified Network" or "Unnamed Network".  Then, in order to connect, you will have to enter the network name along with the password you set earlier.  While this provides a little extra security, it also adds the inconvenience of having to remember and enter the network name along with the password.

3) Change your Access Password - Remember how we had to enter a user name and password to access the router control panel?  Because so many routers use the same default address, it would not take long to guess the address of most routers.  Once the person has done this, they will almost always have access to the model number of your router (it is usually displayed on the login page).  If your user name and password to access the control panel are still the defaults, they can look them up just as easily as you can!  Once inside your control panel, they can make all kinds of changes to your network, including blocking you from accessing your own router.

To stop this, change your router's access password.  (Some may also allow you to change the user name, but others may not.)  This may take a little time to find in your control panel, but it is worth it.  You can also attempt to look up directions in your documentation or online.  Make sure you write this password down!  You will most likely use it infrequently, so you want to have it written down where you can find it when you need it.

Wednesday, February 4, 2015

Are Your Files Really Deleted?

You've selected your file and hit the delete key, and then you've gone to the recycle bin (or trash can) and emptied it. Your file has now entered the world of electronic oblivion, right?

Not so fast. Every single piece of your data is still there. Obviously, this is good news if you accidentally deleted a file that you now want back, but it is not good if you are planning to sell or dispose of your computer and do not want your personal information in the wrong hands.

To understand this, you need to know that your hard drive is divided into small sectors. When you save a file, the computer places it in one of these sectors. If the file is too big for one sector, it will fill the first sector, and at the very end will be code telling the computer where to look for the next sequence of data. Very large files may fill tens or hundreds of sectors. The file system in your operating system (Windows, MacOS, Linux, etc.) contains a list of the files saved and where to look for the first sector of each file. When you open a file, the computer looks in the file system for the first sector, loads that sector, and then continues the process with each sector the file is using.

At the very beginning of each sector is a single bit that tells the computer whether or not it is allowed to write data into that sector. When you empty the recycle bin, the computer simply deletes the reference to the file in the file system and changes all these bits so that it knows it can write new data into those sectors. However, the data is actually still there! Over time, much of it will eventually be written over by new files, but until the computer decides it needs that sector for new data, your old data will still be stored there.

However, you can make sure your files are actually gone. If you are planning to sell or dispose of your computer, I would recommend using the program CCleaner. The free version contains a Drive Wiper. Once it opens, click on "Tools" on the left side, and then select "Drive Wiper". Choose to wipe the free space (wiping the entire drive requires taking the drive out of your computer and putting it into another computer), and then choose the security level: the number of times that the program will write junk data into each empty sector. A single pass will be enough for most purposes, but if you have highly-sensitive data, you may want to choose more passes. Then, select the drive you want to clean, and click Wipe. The process will take a while, but the protection you will receive is definitely worth it.
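The behavior described in this tip, as a small added Python example (not part of the original post): a toy drive that follows the simplified sector model above, showing that a deleted file's bytes stay readable in free space until a free-space wipe overwrites them.  `ToyDrive`, its method names, the 16-byte sector size, and the sample data are constructed for illustration; real file systems are more involved.

```python
import os

SECTOR_SIZE = 16  # tiny on purpose, so a short file spans several sectors
SECRET = b"constructed sample: PIN 0000, account 1234-5678"  # made-up data


class ToyDrive:
    """Follows the article's simplified model; not a real file system."""

    def __init__(self, sector_count=8):
        self.data = [bytes(SECTOR_SIZE) for _ in range(sector_count)]
        self.free = [True] * sector_count   # flag: may new data be written here?
        self.next = [None] * sector_count   # where the file continues, if anywhere
        self.table = {}                     # file name -> (first sector, length)

    def save(self, name, content):
        """Split content across free sectors and record the first one."""
        if name in self.table:
            raise FileExistsError(name)
        chunks = [content[i:i + SECTOR_SIZE]
                  for i in range(0, len(content), SECTOR_SIZE)] or [b""]
        available = [i for i, is_free in enumerate(self.free) if is_free]
        if len(chunks) > len(available):
            raise OSError("drive full")
        used = available[:len(chunks)]
        for pos, sector in enumerate(used):
            self.data[sector] = chunks[pos].ljust(SECTOR_SIZE, b"\x00")
            self.free[sector] = False
            self.next[sector] = used[pos + 1] if pos + 1 < len(used) else None
        self.table[name] = (used[0], len(content))

    def read(self, name):
        """Start at the first sector and follow the chain to the end."""
        sector, length = self.table[name]
        out = b""
        while sector is not None:
            out += self.data[sector]
            sector = self.next[sector]
        return out[:length]

    def delete(self, name):
        """Emptying the recycle bin: drop the table entry and flip the flags.
        The sector contents are not touched."""
        sector, _ = self.table.pop(name)
        while sector is not None:
            self.free[sector] = True
            sector = self.next[sector]

    def scan_free_space(self):
        """What a recovery tool reads: the raw bytes of sectors marked free."""
        return b"".join(d for d, is_free in zip(self.data, self.free) if is_free)

    def wipe_free_space(self, passes=1):
        """Write junk into every free sector, once per pass."""
        for _ in range(passes):
            for i, is_free in enumerate(self.free):
                if is_free:
                    self.data[i] = os.urandom(SECTOR_SIZE)
                    self.next[i] = None


def demo():
    """Returns (still listed?, recoverable after delete?, recoverable after wipe?)."""
    drive = ToyDrive()
    drive.save("notes.txt", SECRET)
    drive.delete("notes.txt")
    listed = "notes.txt" in drive.table
    before_wipe = SECRET in drive.scan_free_space()
    drive.wipe_free_space(passes=1)
    after_wipe = SECRET in drive.scan_free_space()
    return listed, before_wipe, after_wipe


if __name__ == "__main__":
    print(demo())
```

Saving a small new file after the delete overwrites only the first sector, so the rest of the old file is still sitting in free space until it is wiped or reused.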

Tuesday, February 3, 2015

Seven Security Programs You Need On Your Computer

If you have a Windows computer, you probably know that you need an antivirus.  But did you know that you need more security software than just an antivirus?  Here are seven types of security software you should have on your computer:

1) Antivirus - We'll start with the most obvious one.  Antivirus software is designed to protect you from threats trying to get onto your computer.  Antivirus software actively scans to protect you from the latest threats.  In addition to performing regular scans of your hard drive, it will usually scan websites and downloads.  If you do not have an antivirus on your computer, Avast and AVG are the two free programs I recommend.  Make sure you only have one antivirus program that is actively scanning your computer.  Running more than one program will cause conflicts that may allow viruses into your computer.

2) Firewall - A firewall uses rules to determine which network connections to allow.  Without a firewall, anyone who knows or guesses your internet address (known as an IP address) can send you messages.  While we can't stop them from sending messages to your IP address, we can stop those messages from ever reaching your computer.  Most firewalls are configured upon installation to work with your computer, but you may need to enter exceptions to allow programs to connect to the internet.

Fortunately, Windows has a built-in firewall that runs automatically unless it detects another firewall, so you probably already have a firewall running.  To check your firewall settings or enter exceptions, simply type "Windows Firewall" into a search box.  If you want to use something other than the Windows Firewall, I recommend ZoneAlarm's free firewall.  Just like antivirus software, you should never run more than one firewall on a computer.

3) Emergency Cleanup - No matter how good your antivirus is, it will not catch everything.  When something slips past your antivirus software and a full scan still won't catch it, it is time to call in some backup!  These programs scan like antivirus software, but they do not actively scan everything in the background and they are designed to work alongside your primary antivirus.

My preferred program is Malwarebytes Anti-Malware.  Malwarebytes is totally free (although it will offer you a free trial of its premium version).  Hitman Pro is free to scan.  If malware is detected, it will offer you a free 30-day trial license to remove it.  If you have already used the 30-day trial once, you will need to purchase a license in order to remove any malware.

4) Emergency Boot - Malware is continually finding ways to make it harder to remove.  I dealt with a computer recently that blocked the download of just about any antivirus software.  Fortunately, I already had software downloaded onto a flash drive!  Recently, there has been an abundance of malware that stops the boot process.  The FBI scam is the most notable example.  Instead of booting to your desktop, your computer is taken to a screen claiming that your computer has been locked by the FBI and requiring a MoneyPak code be entered to pay your "fine".

These emergency boot programs will bypass your computer's normal boot process in order to allow you to run their scanner.  My preferred emergency boot program is made by the same company that I recommend for emergency cleanup programs:  Malwarebytes Chameleon.  Both programs contain instructions on how to set up a flash drive with the software for your use.

5) Website Reputation - When you conduct a search on Google (or some other site), the pages are ranked in order of the search engine's perceived relevance to your search terms.  However, there are companies that specialize in getting websites to the top of your search results.  If these companies are able to manipulate search engines to get to the top of your results, don't you think that the bad guys know the same tricks to get their pages up there, too?

When you get a list of search results or even visit a site, do you know what pages are safe and what are not?  Fortunately, there are products that specialize in providing analysis of pages.  My favorite is Bitdefender Traffic Light.  It will analyze each page you visit and give you a green light (appears safe), a yellow light (appears questionable), or a red light (not safe).  The traffic light appears at the top of your browser window and also next to your search results.  Bitdefender Traffic Light is available for Chrome, Firefox, and Safari, but it is not currently available for Internet Explorer.

6) Ad Blocker - For years, I refused to use or recommend using an ad blocker.  I felt that advertising was the price we had to pay for the availability of free content on the internet, and I still hold that opinion today.  However, recent stories of advertising networks allowing malicious software to be transmitted through their ads have changed my opinion on ad blockers.

I now use AdBlock Plus to block advertising.  It is available for all major browsers, and it offers a great compromise between my feelings on internet advertising and security by not blocking non-invasive advertising (the criteria for this determination are set out on their website).  If advertising networks are not going to keep us safe, then we will have to take the necessary steps to do it ourselves.

7) Privacy Protection - Websites are getting sneakier at tracking everything you are doing online so that they can give you "relevant" ads.  Recently, it was revealed that two of the most popular cellular providers were using "supercookies" that were difficult to remove in order to track users.  It seems like everywhere you go, there is someone wanting to watch you.

To assist in protecting my privacy online, I use Blur (formerly DoNotTrackMe).  This will stop secret data collection on your devices.  It also has the ability to mask your email address with a disposable one and generate and store secure passwords for all your accounts.  (I do not currently use the password feature and I rarely use the email feature.  I primarily use it to block tracking.)  Blur is available on all major browsers and also for your mobile devices.

Monday, February 2, 2015

Block Piggybacking Programs

Have you ever installed a program you downloaded and found that you unknowingly gave the installer permission to install other programs or change your home page and search defaults?  It has happened to me before.  I like to call these "piggybacking" programs.  Companies have made it increasingly difficult to find the check-boxes you need to click on in order to avoid these installations.

The latest thing has been to offer the option of a "Standard Installation" or a "Custom Installation".  The standard installation will install the extra programs, and you only see the check boxes that stop the installation after you have chosen to do a custom installation.  If you never choose custom installation, you never realize that you are giving permission for these programs to be loaded on your computer.

These programs used to just be annoying, but now they are becoming malicious.  I recently downloaded one program to try, and I found out that a company that produces adware was going to be installing its software alongside this program.  (I chose not to install the original program I downloaded, either.)

Fortunately, there is a program that helps clear these check boxes:  Unchecky.  Unchecky will work in the background and automatically uncheck most of these boxes for you.  Unchecky does a good job, but it is not perfect, and it does not replace watching the installation process yourself.  However, it will work as a great sidekick to help defeat annoying and malicious piggybacking software.