January 01, 2015

Don’t Be a Victim

Jeffrey M. Allen

One of the most frequent requests I get for information relates to limiting one’s exposure to identity theft and privacy invasion in the cyberspace age. Unfortunately, seniors, who generally came to the Internet late in life, often subject themselves to needless risk as a result of their lack of understanding of the way things work or of how they expose themselves. The rules for seniors and for younger people are pretty much the same. The difference is that younger people, who grew up using the Internet, generally have a better awareness of the rules and a better sense of how to protect themselves and/or pay more attention to and/or put more effort into doing so.

In the best of all worlds, you will know everything discussed in this article and employ that knowledge in your daily personal and professional lives. If you do, you are well ahead of the game. The more of it you know and the more regularly and consistently you employ that knowledge, the better off you are. Unfortunately, the questions that members of the Division regularly pose to me suggest that many of you do not know all the things that I will discuss in this article and that some of you who have a basic understanding of the subject have not taken it seriously enough to maximize your protection. For that reason, I will repeat some advice I have previously shared with you and provide some new suggestions as well.

First of all, those of you who have continued to resist the Internet may as well give up that fight. The Internet is here to stay. More and more commerce and personal activity takes place on the Internet, and it has become and will continue to be harder to avoid using the Internet. Banks and other vendors regularly pressure you to make use of their Internet access and even to accept and pay bills online (many of us have almost completely stopped writing checks, using online bill paying capabilities to stay current in our payments). Some merchants have no brick and mortar stores. You can only shop them online. Increasingly large amounts of our business and personal communications (written, verbal, and video) use the Internet. Family members have set up photo streams online to share pictures of each other and their children, grandchildren, and great-grandchildren.

Each of these conveniences carries with it a certain amount of risk—some more than others. Business communications over the Internet carry more risk than talking to your grandchildren. Using email for business purposes carries more risk than emailing a friend to arrange a golf match. Financial transactions carry more risk than simply surfing the net.

When you go online, you have risk from several different sources. You have risk from hardware susceptibility, software susceptibility, and operator error (poor judgment). All of these problems relate to the ability of unauthorized parties to obtain access to your information, enabling them to do things you do not want them to do, whether it consists of stealing your information, stealing your identity, stealing your money, or simply impairing your ability to work. Each foray into cyberspace carries risk, more for the unwary. At each level of involvement with the Internet, however, you can take steps to minimize your risk. I will devote the rest of this column to telling you about some of the things you can do.

A Chain Has Only the Strength of Its Weakest Link

Passwords are one of the weakest links in the chain maintaining computer safety. We use passwords for the purpose of protecting access to our accounts, our hardware, and our information. Unfortunately, passwords also pose a continuous and constant source of frustration to most (all) of us. Just as they create a barrier between our information and the bad guys, they also create a barrier between us and our own information. We react to that barrier a number of different ways; almost all of them bad. Many opt for simple, easily remembered passwords. The bad guys can generally guess those passwords without great effort. For example, common passwords include: “password,” “12345,” “ABCDE,” and other similarly transparent choices. Many compound the risk by using the same password for most (all) of their access. That problem increases as we need more and more passwords to access more and more accounts. Some people simply store their passwords in places where they can easily be stolen (a Post-it note on the computer monitor, for example).

While some devices have moved to biometric access (such as fingerprint scanners), we still rely primarily on passwords, particularly after we have gained access to our devices. Until we come up with a better system than passwords, we can reduce the risk posed by the passwords by following some simple rules. First, do not use the same password for multiple accounts or access to devices. Second, do not use a simple, easily guessed password. Third, longer passwords or phrases work better than shorter ones. Fourth, use “strong” passwords; a strong password is at least eight characters long; includes alphabetical, numeric, and symbolic characters; and uses upper- and lowercase letters. Fifth, because most people cannot reliably remember multiple strong passwords, use a password database to securely store your passwords on your devices to make sure that they are protected and still available to you. That means you will only have to remember the password to your device and the password to your database. If you do that, however, do not set the database software to unlock itself and leave itself unlocked as soon as you enter the password once. You will want to inconvenience yourself and the bad guys by requiring password entry each time you access the database.

Please remember to password protect your devices as well as your data.

Public Wi-Fi Is Not Your Friend

When you access public Wi-Fi, you expose yourself to risk that someone will access your information or your device. Public Wi-Fi does not only mean the free Wi-Fi at Starbucks. It includes the Wi-Fi you get at hotels, in airports, on airplanes, in shopping centers, etc. Public Wi-Fi means that people you do not know and trust can get access to it; the fact that you pay for it (like in a hotel) does not render it private. You dramatically reduce your exposure by not using that type of Internet access. You protect yourself more by acquiring a password-protected cellular hotspot of your own and using that for Internet access. It costs a little, but may save a lot.

Don’t Trade the Cow for Magic Beans

P.T. Barnum has received credit for saying, “There’s one born every minute,” allegedly referring to suckers. While he probably did not say that, it may well have been true back then. In today’s world, that statement might well refer to scammers. We do have a lot of them. They are all over the lot. Here is an example of an email I received trying to induce me to give them personal information:

SUN TRUST BANK OF POLAND
To: undisclosed-recipients
Reply-To: tom_reeves@yahoo.co.nz
Subject: Transfer of your US$200,000.00
 
Attn: Sir,
We have just recovered an amount of US$200,000 in your name from Financial Clearance House London under your name.
This amount is a reward from Western Union Money Transfer for those who receives and send money using their service.
Therefore, kindly send your banking details in order for me to transfer your money immediately without delay.
 
Your Bank name:
Your Account name:
Your Account no:
Your Bank Swift Code:
Your Bank address:
Your Cell phone number:
 
Waiting for your urgent reply.
 
Regards,
Tom Reeves.
Sun-Trust Bank Director.
Phone: +48 729 539 962
Fax: +48 729 539 960

Now, you ask, how did I know this was a scam? Several things gave it away. First, I questioned the existence of Sun Trust Bank of Poland. Second, when I looked at the associated email address, it was briannmorney@gmail.com. Even if I assumed that someone with an Irish name worked for the Sun Trust Bank of Poland and that the bank actually existed, they would not have sent email using a private email address. Third, the sending email address had no relationship to the reply-to address. Fourth, the reply-to address was also a private email address (yahoo). Fifth, the private email address was based in New Zealand, not Poland. Sixth, the email was addressed to “undisclosed recipients,” not to me personally. Seventh, I never use Western Union Money Transfer. Eighth, I am always suspicious about grammatically incorrect emails purporting to come from financial institutions. Ninth, I have never seen an email from a financial institution that did not include the institution’s logo (and institutional logos are easily copied and inserted in an email anyway, suggesting that the mastermind behind this scheme was not all that bright).

I received another email today from “FedEx Delivery,” which really came from mark@sarua.org, was addressed to “Recipients,” and read: “We have an International Cashier Bank Draft/Cheque package worth the sum of $800,000.00 USD in your name at our office. Open attachment for more details.” Again, this one lacked a logo (Federal Express correspondence that I have received—and many poor fakes—all have logos). I have never seen a legitimate communication from Federal Express without one. I am inherently suspicious when email senders’ names don’t match the email address. Additionally, that it was addressed to “Recipients” and not to me personally made me suspicious, as it did not make sense that they got a whole bunch of $800,000 checks. As a general rule, never open attachments you get in emails from unknown and untrusted senders. It is a very common scheme to use email attachments as Trojan Horses to carry malware into your computer.
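Several of the warning signs in the two emails above (sender name versus address, private webmail addresses, a reply-to that differs from the sender, and no named recipient) can be checked mechanically from the message headers. The following Python code is an added example, not part of the original article, that runs those checks on a message rebuilt from the first email described above. The function names and the `FREEMAIL` and `DATA_REQUESTS` lists are assumptions made for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed, non-exhaustive lists chosen for this example.
FREEMAIL = {"gmail.com", "yahoo.com", "yahoo.co.nz", "hotmail.com", "outlook.com"}
DATA_REQUESTS = ("banking details", "account no", "swift code")

# Constructed sample: headers rebuilt from the first email described above.
SAMPLE = """\
From: SUN TRUST BANK OF POLAND <briannmorney@gmail.com>
To: undisclosed-recipients:;
Reply-To: tom_reeves@yahoo.co.nz
Subject: Transfer of your US$200,000.00

Therefore, kindly send your banking details in order for me to transfer your money.
Your Account no:
Your Bank Swift Code:
"""

def domain(addr):
    """Return the lowercased part of an address after the last '@'."""
    return addr.rpartition("@")[2].lower()

def red_flags(raw):
    """Return the list of warning signs found in one raw email message."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    to = msg.get("To", "").strip().lower()
    body = msg.get_payload().lower()
    flags = []
    # Sender name vs. address: no word of the display name appears in the address.
    words = [w for w in name.lower().split() if len(w) >= 4]
    if words and not any(w in sender.lower() for w in words):
        flags.append("display name does not match sender address")
    # A webmail sender matters most when the message claims to be an institution.
    if domain(sender) in FREEMAIL:
        flags.append("sent from a private webmail address")
    if reply_to and domain(reply_to) != domain(sender):
        flags.append("reply-to domain differs from sender domain")
    if reply_to and domain(reply_to) in FREEMAIL:
        flags.append("reply-to is a private webmail address")
    if not to or "undisclosed" in to or to == "recipients":
        flags.append("not addressed to a named recipient")
    if any(phrase in body for phrase in DATA_REQUESTS):
        flags.append("asks for banking details by email")
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("-", flag)
```

A message that raises none of these flags is not thereby safe; the checks only cover the signs that can be read from the headers and text.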

I could spend a lot of time taking a variety of these emails apart for you; but I think you get the idea as to the process and what to look for in emails. Before getting completely away from emails, however, one more word of advice: even if you think you have a legitimate email from a financial institution, do not respond to the inquiry by calling a phone number it provides or clicking a link it includes. If the email is about a credit card, pull out the card and call the number they provide on the card. Tell them about the email and resolve the problem with them that way. Alternatively, without clicking the link, access the institution’s site using an address you know to be correct (e.g., www.bankofamerica.com).

Stay Current

Most responsible companies issue updates to correct weaknesses in their programming that make the software or devices using it susceptible to attack. If you do not regularly check for and install the most current updates to your software (and in particular your operating system and your browser), you leave yourself open and unnecessarily vulnerable to attack. If the publisher declares a program or an operating system so old that it will no longer support it (as Microsoft recently did with XP), you need to move to a more current system, as the discontinued one will grow more and more susceptible to attack along with any equipment that runs it. Accordingly, if you were a Windows user who eschewed Vista and Windows 7 and Windows 8, choosing to stick with XP, it is time to move on up to a newer system (if you are planning on upgrading, I would go right by Vista to Windows 7 or 8).

Keep It Clean and Keep Up with the Bad Guys!

Acquire good antivirus and antimalware software and run them regularly. Be sure to regularly check to make sure you have downloaded and installed the most current versions of those programs, as the good ones regularly update their virus and malware definitions to enable better detection and removal of virus and malware infestations.

Get a Magic Decoder Ring! (Just Kidding)

Seriously though, do not send your data unprotected into the cloud, whether for storage or transmittal. For that matter, if you have confidential information or other information that you want to make sure does not get out (such as your personal financial data), encrypt it. Encryption effectively encodes the data into a file that cannot be read without first entering the decryption code. Current encryption algorithms generally use 128-, 256-, or 512-bit encryption keys. For most purposes, 128-bit will probably suffice. The military uses 256-bit encryption, and many people take the position that if it works for the military it works for them. Although 512-bit keys exist, they have not yet been generally adopted. Although you can still find encryption keys using less rigid standards than 128-bit keys, you should stay away from them, as they offer significantly lower levels of protection.

Jeffrey M. Allen

Jeffrey M. Allen is the principal of Graves & Allen in Oakland, California. A frequent speaker and writer on technology topics, he is editor-in-chief of GPSolo magazine and GPSolo eReport, an editorial board member of the ABA Journal and Experience magazine, author of jallenlawtekblog.com, co-author of Technology Solutions for Today’s Lawyer (ABA 2013) and iPad® for Lawyers (West 2013), and a liaison to the ABA Standing Committee on Technology and Information Services. In addition to being licensed as an attorney in California, he has been admitted as a Solicitor of the Supreme Court of England and Wales. He is an associate professor at California State University of the East Bay. He also works extensively as an arbitrator and a mediator.