Cord Cutting Cost Update

Unlike my lengthier Cord Cutting and Cost Cutting posts of 2018 and 2020, this is just a quick update on what I’m currently paying for streaming, internet, phone, security and other online services to help gauge how these have changed over the last few years in the greater Houston area. (Please refer to those previous posts for details, comparisons and rationales.) Monthly costs listed below include all fees and tax. A little over $200/month for all of these services is less than some friends pay for satellite or cable TV/phone/internet packages with Comcast, Verizon, or (perhaps worst of all) AT&T. So, I’m thinking cord cutting cuts costs along with improving choice.

| Provider & Service Name | Service Type | Monthly Cost |
| --- | --- | --- |
| Comcast Xfinity cable (400 Mbps) | Internet Broadband | $50 |
| Apple One Premier: Music, TV+, Arcade, iCloud (2TB), News+, Fitness+ | Bundle: Music, Video Streaming, Games, Cloud Storage, News & Magazines, Fitness Videos | $32 |
| Amazon Prime | Bundle: Fast Shipping, Video Streaming | $11 ($120 annually) |
| Disney+ | Streaming | $7 ($80 annually) |
| HBO Max (ad-free) | Streaming | $16 |
| PBS Passport | Streaming | $5 (donation) |
| YouTube Premium Family (ad-free) | Streaming | $25 |
| SiliconDust HDHomeRun | Broadcast TV | Free |
| SiliconDust HDHomeRun DVR | Broadcast TV DVR | $3 ($35 annually) |
| Audible Premium Plus | Audiobooks | $16 |
| Mint Mobile (10GB/month) | Mobile Phone | $22 ($240 annually) |
| Google Voice with OBi200 (VoIP) | Home Phone | Free |
| ADT | Home Security | $22 |
| TOTAL | | $209 |
Monthly Cost Summary Table

Simply Secure

NASA and other employers have reported that cyber attacks increased dramatically with the spread of the pandemic. Apparently, internet bad guys view millions of people teleworking from home, outside protected corporate or government networks, as an irresistible opportunity for stealing data and money. So, it is more important than ever to pay attention to your own security on your phone, tablet or computer, and your most important accounts, especially bank and email accounts. Here are some simple steps you absolutely should take. (Some info is from TWiT’s iOS Today #495.)

Longer is Better

While randomizing your passwords is great, lengthening them is even better. The longer a password, the harder it is for criminals to guess, and the more time it takes even the fastest supercomputer to crack with a “brute force” attack (e.g., stretching minutes or hours of computer time into years or decades, which makes the attack impractical). As a simple example, you could guess *** in short order, especially if you knew part of it: ca*. However, you’d have a hard time guessing ******************************, even if you knew every other letter: *a*I*T*e*a*K*o*s*L*t*b*u*T*a*! Using a long phrase like CatInTheHatKnowsALotAboutThat! gives you a long, strong password that is still easy to remember. Add dashes or underscores between words to make it even longer, and misspell some words or replace a couple of letters with similar-looking numbers to mix it up a bit. Just be careful typing it if you don’t use password manager software as you should (more on that later).

It should go without saying: never reuse the same long password or passphrase for multiple accounts, lest a data breach in one account open your other accounts (and thus data, identity and money) to malicious hackers. Remember that your email account is effectively the key to your kingdom. Not only is it your username for many accounts, it’s where account password reset messages usually go, so a crook who gains access to your email may easily access your other accounts/data/identity/money. Guard your email account with a long, unique password, and…

Turn on Two Factor Authentication (2FA)!

If you do nothing else after lengthening your passwords, turn on 2FA (aka 2-step) for every account possible! This includes Amazon, Apple/iCloud, Google/Gmail, eBay, PayPal, Twitter, Facebook, your credit cards, your bank accounts, your iPhone/iPad (Settings > your name at top > Password & Security > Two-Factor Authentication)…everywhere! In this context, “factors” are what you use to prove (authenticate) you are you to some other person, company or computer system. Common identification or authentication factors:

  1. Something you have, e.g., driver license, passport, military ID, company badge, RSA token
  2. Something you know, e.g., debit card PIN, password, answers to security questions (bad)
  3. Something you are, e.g., biometrics like fingerprint, face scan, retina scan

You’re probably already using 2FA in everyday life without realizing it. Your ATM card uses 2FA, because it requires you to have your card and know your PIN to get cash. My office building has cypher locks that won’t let me enter unless I have my badge and know my PIN. (Highly secure facilities may use 3+ factors, but let’s stick with 2 for now.) Modern iPhones (that you have) use TouchID or FaceID (scanning what you are) to gain access to your data. Now that you’re a 2FA expert, use it where it is most important: your online accounts that hold your credit, money and identity! A cyber thief on the other side of the planet might be able to know your password (due to a corporate data breach beyond your control, or lazy you with your easily discovered pet’s name or breed PW), but they won’t have your phone or tablet, much less your finger or face (assuming those are still attached). Thus, 2FA is a simple way to create a big obstacle for bad guys and greatly increase your online security. NYT explains how protecting your internet accounts with 2FA keeps getting easier. If you haven’t already done it, do it, now.

When setting up 2FA in your online accounts, try to avoid using just security questions. So-called “security” questions are not secure because your answers–mother’s maiden name, grade school, first car model–are more easily discovered than you may think. If you can’t avoid such questions (unfortunately still in use by some bank systems), at least make up false, silly, unguessable answers that you’ll still remember, e.g., “favorite food” = “pink elephant” (one bite at a time). Likewise, try to avoid SMS text messages for 2FA. SMS texts are unencrypted, and savvy criminals can spoof your phone number to intercept such texts and steal that 2nd factor in transit. An Authenticator app (such as Microsoft Authenticator, Google Authenticator, or Authy) on your phone or tablet is a far better option for 2FA, as are email messages, though SMS texts and even security questions are better than nothing.

Here’s a rough ranking from best (most secure) to worst (least secure) 2FA options you may look for (thanks to Leo Laporte of TWiT.tv):

  1. Hardware token, e.g., YubiKey or RSA SecurID, for pros or tech-savvy computer users
  2. Biometrics, e.g., FaceID and TouchID, for people with faces and fingers
  3. Authenticator app, e.g., Authy, Google Authenticator, Microsoft Authenticator (my pref)
  4. SMS texts (if you must)
  5. “Security” questions (boo! bogus! shame on your bank!)

Use a Password Manager

Password managers make your digital life more secure and easier. A password manager is simply a software app that securely stores all of your account credentials (usernames and passwords) in an encrypted database on your device and/or in the cloud. TheWirecutter explains why you need a password manager, and recommends 1Password, which is what I use in my Apple-centric home (iPhones, iPads, Macs, Apple TVs, HomePod). LastPass and Bitwarden are also highly rated. Password managers offer many advantages over your paper notebook or unencrypted Notes app, including:

  • Securely stores all of your login credentials (usernames & passwords) in an encrypted database that you easily access from any of your devices
  • Generates and remembers long, strong passwords for you, unburdening your brain while increasing your security
  • Automatically fills in your username and passwords on most web sites, eliminating your need to type or copy-n-paste
  • Securely stores other important card or ID info including credit cards, driver license, passports, rewards & membership cards, software licenses, vault codes/combinations, etc.
  • Creates shared/family password vaults for your trusted loved ones to access

What about letting your web browser store passwords as a “poor man’s password manager”? With most browsers, this is a bad idea, because they don’t store the password securely, encrypted, while you’re browsing the web. One exception is Safari, which correctly uses Apple’s Keychain to securely store passwords, but this is only useful for macOS and iOS users, not for Windows and Android users. It is rumored that Keychain in iOS 14 will have true password manager features, presumably a free default for Apple iPhone and iPad users.

Recap

Being simply secure–more important in this time of pandemic and teleworking–is as easy as 1-2-3:

  1. Use long, unique passwords (or passphrases)
  2. Turn on 2FA (aka 2-step authentication)
  3. Use a password manager app

Your $125 and Credit Freeze

In 2017, the credit bureau Equifax–one of the big 3 including Experian and TransUnion–admitted that it had suffered a massive security breach, exposing the personal information of nearly 145 million people, probably including you. Personal data stolen from Equifax included names, birth dates, social security numbers, addresses, drivers license numbers…basically everything bad guys need to steal your identity and open credit accounts in your name. Because their carelessness and negligence enabled the breach, and their delay in revealing the breach exacerbated danger to the public, Equifax recently agreed with the FTC to pay a settlement of $300-$700 million. Though this is little more than a slap on the wrist for a company of that size, it is better than nothing. There are many online instructions on how to claim your $125 from this settlement, or up to $20K if you suffered identity theft and resulting damages and expenses, including this ArsTechnica article, in a simple 2-step process: (1) confirm your eligibility, then (2) submit your claim online. Sure, this requires you to provide your information again to the same company that failed to protect it in the first place, but the cow is out of the barn, so you might as well get paid. As an alternative to cash, Equifax offers free credit monitoring for several years, but this is of little value given the limitations of credit monitoring services and the availability of similar free services elsewhere (e.g., Credit Karma and NerdWallet), not to mention your responsibility to monitor your own credit activity. I claimed the money.

While you claim your Equifax settlement and review your free annual credit report, you may protect yourself by placing a free credit or security freeze on your account with each of the 3 credit bureaus. This NerdWallet article explains the free credit freeze (vs a “credit lock”, which may not be free) and provides the necessary web links (and phone numbers if you’re old school). It only took several minutes for me to create accounts with each of the 3 credit reporting companies–Equifax, Experian & TransUnion–and freeze my credit with each. I created a unique PIN for each that I can use to un-freeze my credit when I need to apply for a new credit card or loan. Anyone lacking those PINs will be unable to gain approval from the credit bureaus to open a new credit account in my name. I suggest that you create your own credit freezes for much more protection than mere credit monitoring.

Strong Passwords

PasswordSecurity.info and HaveIBeenPwned.com can securely check the strength and security of a password you are using or thinking of using. If either site finds your password has been compromised, i.e., already posted by/for hackers in an online data breach, then change it immediately and never use it again! HaveIBeenPwned.com explains why you should never reuse the same password for multiple accounts. PasswordSecurity.info may find that your password has not been exposed in a data breach, but still offer suggestions for strengthening it, such as maximizing character variety (use upper and lower case letters and numbers and special characters) and password length (longer is better). The site estimates the time required for a brute force automated attack to guess your password, but I’m not sure that includes the latest NSA tools, so take it with a grain of salt.
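
What "securely check" can look like in practice, as an added example that is not from the original post: Have I Been Pwned's Pwned Passwords lookup uses a k-anonymity scheme in which only the first five hex characters of the password's SHA-1 hash leave your machine and the match is made locally. The server side here is simulated offline with a small constructed breach list; the function names and counts are this example's own.

```python
import hashlib

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 locally; return (5-char prefix that is sent, 35-char suffix that stays)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix: str, range_response: str) -> int:
    """Client side: find our suffix among the 'SUFFIX:COUNT' lines, locally."""
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

# Constructed stand-in for the service's breach corpus; counts are made up.
BREACHED = {"cat": 51234, "password": 9000000, "Fluffy2019": 17}

def simulated_range_query(prefix: str) -> str:
    """Server side (simulated): sees only the prefix, returns every suffix under it."""
    lines = ["0" * 35 + ":3"]  # constructed decoy; real buckets hold many suffixes
    for known, count in BREACHED.items():
        p, s = split_hash(known)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)

def check_password(password: str, query=simulated_range_query) -> int:
    """Return how many times the password appears in the (simulated) corpus."""
    prefix, suffix = split_hash(password)
    return breach_count(suffix, query(prefix))  # only `prefix` crosses the wire

if __name__ == "__main__":
    for pw in ("cat", "constructed-long-passphrase-for-this-demo"):
        print(repr(pw), "seen", check_password(pw), "times")
```

Replacing `simulated_range_query` with an HTTPS GET to `https://api.pwnedpasswords.com/range/<prefix>` turns this into the live check; the parsing and local comparison stay the same.
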

You want your bank and email accounts to be very secure, because if a hacker gets online access to your bank account, he can transfer your money elsewhere, and if he gets into your email account, he can request a password reset for your bank account by pretending he forgot it, receive a password reset link in your (now his) email account, and gain access to your money. Treat your email account as the key to your kingdom.

1Password and LastPass are both great password managers for generating and storing the longest, strongest, most random, unguessable passwords for your accounts. You can also save credit card, medical and other sensitive information in these secure databases, but password management is the critical feature for securing your online assets. I prefer 1Password on my and Varya’s Macs, iPhones and iPads, and love that 1Password is able to use FaceID on my iPad Pro. Check them both out, pick one and use it!

I recently convinced my wife that using simple passwords on multiple accounts puts her at greater risk, as one compromised account could be a door to more accounts, which puts us both at greater risk. Similar to using vaccines, protecting yourself helps protect others. So, please use long, strong, unique passwords and password management software, and if one of the above sites finds that one of your passwords has been compromised, change it immediately!