Category Archives: Internet

Do Yourself A Favour, Use A Password Manager

Back in 2010 I wrote about improving your online personal security, which included some tips and tricks to consider to reduce your risk – one of which was to consider using a password manager.

Password managers provide an encrypted storage vault that keeps all of your username/password combinations for the different websites you use in a single place. Firstly, this is helpful so that you don’t forget the passwords and constantly need the password reset functionality that websites provide. Most importantly, though, because you’re absolving yourself of the need to remember the passwords, it allows you to use a unique, highly complex password for every website.

The statistics on password reuse and complexity are frightening. The majority of us use the same very limited set of passwords over and over again on different websites. The passwords used most are things like ‘password’, ‘love’, simple dictionary words or a pattern of numbers like 12345. When attackers go after a website, they can walk through passwords like the above with brute-force guessing as easily as through an unlocked door.

By setting a unique, highly complex password for each website, your password is vastly harder to crack. More importantly, if your password does get cracked, or a website you use gets hacked and its passwords are stolen, the attackers can only get into that one website, not any other website you might use, such as your internet banking.

To clarify, a high-complexity password will be at least 10 characters long and use lower and upper case letters, numbers and symbols, such as ‘AdD7Dc&@ds*!1_8’.

Why Now?

This month it was announced that a core cryptography library named OpenSSL, used by approximately 2/3 of all websites on the internet that use Secure Sockets Layer (SSL), more commonly recognised as HTTPS in your browser address bar, has been vulnerable to undetectable attack for the last two years via a vulnerability named Heartbleed.

Of course, the likelihood that your particular password or private information was compromised as a result of this vulnerability is quite remote. However, it should serve as a stark reminder that, despite the fact that industry-wide security technology is peer reviewed and heavily scrutinised, the software engineers and cryptographers writing it are still only human and, as such, fallible.

What Next?

Go and install a password manager such as LastPass. It is free to use, and if you pay a whopping $12/yr you can install it on every computer, laptop, tablet and phone you own, so that you’re never left high and dry without your passwords.

Once installed, your next job is to allow it to import all of your stored account information on your computer. This part of the process is going to scare you, as it will import dozens or in my case hundreds of pieces of account information.

Remember, if the password manager could extract all of your account details, so could a virus, trojan or other malware, which could send them off to some nefarious attacker on the other side of the world. Make sure you allow the tool to delete all of the passwords stored on your computer at the same time, so that this can’t happen in the future.

After it has imported all of your stored accounts, in the case of LastPass there is functionality for it to audit or perform a security scan against the account information. This is the next scary part: you thought you were doing an okay job with your passwords, but let’s be realistic, you and I both know that we both sucked at it.

Now start going through your most important accounts first and change the passwords they use to unique, highly complex passwords. In case you were wondering how to generate strong passwords, LastPass has a password generator within it that you can configure with various options to increase or decrease the complexity of the passwords.
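As an added illustration (not code from this post or from LastPass), the following Python audits a constructed vault for reused passwords and for passwords that fail the complexity criteria given above, and generates replacements with the `secrets` module that satisfy those same criteria. The vault entries and the symbol set are constructed for the example.

```python
import secrets
import string
from collections import Counter

# The post's criteria for a high-complexity password: at least 10 characters
# drawing on lower case, upper case, digits and symbols.
MIN_LENGTH = 10
SYMBOLS = "!@#$%^&*_-+=?"  # constructed symbol set for the generator

def is_complex(password):
    """Return True if the password meets the post's complexity criteria."""
    return (len(password) >= MIN_LENGTH
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

def audit_vault(entries):
    """Map site -> findings for (site, username, password) entries that are
    weak or share a password with another site; sites without findings are omitted."""
    uses = Counter(pw for _site, _user, pw in entries)
    findings = {}
    for site, _user, pw in entries:
        problems = []
        if not is_complex(pw):
            problems.append("weak")
        if uses[pw] > 1:
            problems.append("reused on %d sites" % uses[pw])
        if problems:
            findings[site] = problems
    return findings

def generate_password(length=16, symbols=SYMBOLS):
    """Generate a CSPRNG password that satisfies is_complex(). Rejection sampling
    keeps each character uniform (about 6.2 bits each over a 75-symbol alphabet)."""
    alphabet = string.ascii_letters + string.digits + symbols
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_complex(candidate):
            return candidate

# Constructed sample vault, not real accounts.
SAMPLE_VAULT = [
    ("bank.example", "sam", "Tr0ub4dor&3x!Q"),
    ("mail.example", "sam", "password"),
    ("shop.example", "sam", "password"),
    ("forum.example", "sam", "love1234"),
]

if __name__ == "__main__":
    for site, problems in audit_vault(SAMPLE_VAULT).items():
        print("%-15s %s" % (site, ", ".join(problems)))
    print("replacement:", generate_password())
```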

Each time you update the password to a shiny new hard to guess password, your online security is improving, one password at a time!

Suncorp Bank Anti-Fraud Department Saved Me $686.73

For the first time in ten years, I’ve been a victim of credit card fraud to the tune of $686.73!

I first became aware of it this morning when I received a phone call at work from Suncorp informing me that they suspected there were fraudulent credit card transactions on my account. That was after they had called home and left a message because Claire couldn’t answer the phone, and then followed that up with a call to my mobile while I was driving to work. You’ve got to appreciate their persistence in calling three different numbers trying to get hold of me.

I don’t keep an eagle eye on my bank account, so I probably wouldn’t have noticed that transaction sitting on my credit card for a week or more but the Suncorp credit card protection system picked it up the day after it happened, which I think is great.

The Suncorp representative who called me at work gave me the rundown on what had happened and said that several other transactions had also been attempted but were declined for some reason. They immediately set about cancelling my credit card and lodged a dispute about the charge for me.

Claire checked back through our past transactions to make sure nothing else was on there, and it doesn’t appear as though there was. I called Suncorp back to check what will happen next and was given case numbers for the cancellation and the transaction dispute to follow up on if required.

I’ve been really impressed with Suncorp’s customer service of late, for instance automatically sending me warning emails about large money transfers. Now they’ve told me about a fraudulent charge on my credit card; it’ll be resolved within the next few days and my replacement credit card will arrive mid next week.

Great to see them going out of their way to keep a customer informed about their money.

Comparison Shopping Websites, A Consumer’s Best Friend

Claire & I have recently been on the lookout for a new compact digital camera to replace our ageing Canon Ixus 65. During our research, we’ve looked at countless cameras on the internet, via the manufacturers’ websites and consumer electronics websites such as cnet, and read countless reviews.

When it came time to actually buy a digital camera, though, we were going to buy it in person at a local Gold Coast retailer such as Harvey Norman, The Good Guys or similar. What we found was that, while their prices were better than the manufacturer’s recommended retail price and some were going to be flexible on price, they were still quite expensive.

Inevitably, when people start researching a product online, they’ll start with a search engine, looking for the best compact digital cameras. The results will yield sites such as a digital camera product round-up on cnet, and a number of companies will be paying for advertising on Google & co. as well. While possible, it was going to take a lot of time to sift through all those sites to find the best deal, and this is where the comparison shopping websites become the consumer’s best friend!

Comparison shopping websites crawl over literally tens or hundreds of different ecommerce websites, cataloguing what they find and how much each product costs. Of course, the comparison shopping websites aren’t just for digital cameras; you can buy all manner of things via them, from fridges to perfume and pet supplies to furniture. There aren’t a lot of things you can’t find. As a consumer, you enter the product name or product category into these sites and see dozens of different companies selling the same product, with wild variances in price.

In Australia, the three most prominent shopping comparison websites are probably:

  1. Getprice
  2. Shopbot
  3. My Shopping

They all have a similar feel about them; however, the interface and how the products are catalogued and organised differs by site, which makes some easier to use than others. In the case of the Canon Ixus 200 IS digital camera we purchased, it retails for approximately $600 for the bare camera body. Claire bought it via Shopping Square, a massive online store that we’d never heard of before but discovered through the comparison shopping sites. For less than half the retail price of the camera on its own, we managed to get the camera, a 16GB memory card and prompt postage.

Next time you’re looking for a product that you can buy online, I highly recommend that you do yourself and your wallet a favour and visit one of the above sites before you spend a whole lot more money than you need to.

Suncorp Bank, Looking Out For Clients

Last week I unexpectedly received an email purporting to be from Suncorp Bank. In the last year or so of banking with Suncorp and using their online banking system countless times, I don’t ever recall receiving an email from them about anything.

It doesn’t surprise me that I haven’t received an email from Suncorp before, given the prevalence of phishing attacks these days. For those unaware, phishing is an attempt to fraudulently acquire personal information from someone by getting them to enter it into a website that looks familiar but is in fact just a shallow replica of the real site. Phishing attacks are one of the reasons you’ll read and hear major institutions state that they will never ask you for your username and password, ever.

Just to check out what the latest phishing attempt looked like, I thought I’d investigate the email to see if the spammers had gotten any smarter over the years. The first thing I noticed was that it was from an email address clearly related to their online banking system and at the correct domain. Secondly, the subject had to do with BPay, so I thought how fantastic that the spammers now use brands or products related to the local country to garner trust with the user.

After opening the email, I suddenly realised that it was legitimate and I couldn’t believe it! It turns out that Claire had just paid our rates online, through the Suncorp internet banking website using BPay. The email was a notification, to let me know that a large payment had just been processed and that if I hadn’t arranged it I should call them immediately.

What I love about the email though:

  1. The subject was clear: it was a BPay notification.
  2. They sent it to both of the email addresses I’d provided Suncorp, not just my primary one, in case I didn’t check it immediately.
  3. It was a plain text email, so no fancy images or design, just the message. That meant you needed to read the content of the email to see what it was about, rather than blindly clicking on something because it used the familiar Suncorp branding.
  4. The first line stated what it was about (high value BPay transaction), the second contained what action to take (phone Suncorp), and for full details you could check the transaction on their site.
  5. Suncorp include their business name, address, ABN and contact information in the footer.
  6. Most importantly, there isn’t a single hyperlink anywhere to be seen in the email. As such, you can’t just ‘click the obvious link’ to go to their site.

A lot of the things above seem like pretty small things to a lot of people; however, I’m really impressed that they’ve chosen a lot of those options, especially the plain text email. Nefarious individuals and companies that use phishing attacks prey on people reacting to a familiar company and brand, such as their bank, to take an action. By providing it in plain text, it removes the familiarity aspect and makes you read the email. By not providing any hyperlinks, you need to open your browser yourself and go to their website.

All round, a great email from Suncorp, and they should be congratulated for doing their part in helping keep their clients’ information private and their money safe. If I were to make a single change to it, it’d be to remove the phone number and direct the user to their website (no hyperlink) to get the phone number if they don’t already have it on hand. That way, all of the contact information needs to be entered by the user on their own behalf, which would all but remove the risk of a phishing attack.

Google, All Your Base Are Belong To Us

Recently Hungry Beast from the ABC released a short video about Google which highlighted just how massive they are in the internet ecosphere. The video takes you through a raft of facts and figures about the company and draws a number of what I would consider wrong conclusions based on their actions as a company.

The majority of people wouldn’t be aware, but Google have had a mantra from their early roots as a company of ‘don’t be evil’. That mantra was placed on a pedestal, and at every meeting or business event it was used to challenge a decision to see if that particular action contravened their mantra. If their proposed action was deemed evil, they would take a different tack, or bin that decision or change altogether. Throughout the video, Hungry Beast make a lot of statements, none of which are qualified with fact, and they come with a large number of assumptions and a lot of personal opinion. Following are a few points that I thought were worth addressing; there are more, but I don’t have the time to retort to every statement:

  1. Google wants to own you in the digital world
    Looking through the video, all 2m46s of it, it is easy to come to that conclusion given the vast array of products that Google provide the public. From an outsider’s view, it could be seen as a calculated activity from Google to release the slew of products they have, and to some degree I’m sure it was. What wasn’t mentioned within the video is that a large number of the products Google offer were born out of the 20% time system that they provide their employees. The 20% time system allows a Google employee to spend 20% of their work time (if they want to) working on things that interest them, which may not necessarily be work that Google have specifically tasked them to do. As it turns out, a number of their biggest products, such as GMail, were conceptualised and developed in this manner. While Google do have an impressive number of products and services on offer, they also believe in a user being able to easily put their data into and take it out of various Google products. To that end, Google have a data liberation team within the company whose sole job is making sure you can get as much of your data in and out of Google as you desire.
  2. Google wants your health care data
    The United States of America is undergoing a health reform. Amongst that reform, the government opened up the option for people to access their own health records digitally. Google released an aptly named product, Google Health, that tapped into the health care network and allowed people to view and control their own health care records. This isn’t Google wanting to control your health data; you could choose to hook into your records using any number of service providers, and the information is controlled and governed by the highest level of security and scrutiny.
  3. Google wants your DNA
    In the last 10 years, Google have purchased over 30 different companies and invested in a number as well. Among those investments was a company named 23andMe, founded by Anne Wojcicki, the wife of Google co-founder Sergey Brin. 23andMe provides a DNA profiling service, where you can provide a sample of your DNA (cheek swab) and pay a relatively small amount of money for them to profile your DNA and let you know what medical conditions you may or may not be susceptible to. It isn’t Google that provides the service, it is 23andMe, so this was an unfair comment.
  4. Google wants to control the power grid
    Since Google was founded, they have been relentlessly seeking ways to make their business more efficient, whether it be improving the speed of a simple Google search or optimising every element on a search results page. Along the way, power consumption was identified as a major cost to Google because of its massive computing infrastructure spread around the world. To reduce their costs and impact on the environment, Google have developed a slew of new technology, soft and hard, such as data centres that don’t require active cooling and high-efficiency computer power supplies. The next step was optimising the supply of power to their infrastructure, as they think they can do it better than it is currently being done. This recent development has nothing to do with providing power to consumers and everything to do with Google controlling its own destiny.
  5. Google have invested into different markets
    Hungry Beast are criticising Google for their choice of investments, such as software, green technology, biotechnology and more. Unfortunately for Google, their business is all capital and they have very few assets outside of their staff and computing infrastructure. As such, when you have a market capitalisation of over USD 200 billion and you post nearly USD 2 billion in profit in the fourth quarter of 2009 alone, you really do need an outlet for that money.

While I am ever mindful of lumping all your eggs in one basket, I also find it hard to resist the temptation of doing so with Google because they provide so many quality products. Not only is their range of products excellent, but their continued improvement in sharing data from one application to another in a seamless manner is making them easier and easier to use.

Do you care, and to what extent, about using various products or services from the same company? For instance, do you care about using a lot of different products provided by Google, Yahoo! or Microsoft? Which one of those three, or others that you can think of, might be better or worse in your eyes?