RECOMMENDED: LastPass

Like many of our clients, we run a small business. We apply a great deal of rigor in assessing and selecting our vendors and systems.

Of course, you’d expect that since we do the same thing on behalf of our clients. From time to time, we share our insights on how we analyze, select, implement, or use those vendors and systems.[1]

Today: The Practical Side of Cybersecurity

If you’re a fully Cyber-aware soul, then I can simply say “Sign up for LastPass and use it.” You don’t need to keep reading.

More likely: you’re aware of the risks of getting hacked, you’ve read up on identity theft and your logical brain keeps telling you that you’re vulnerable to cyber attack. But, there’s that lazy devil on your other shoulder telling you that you’re really not interesting enough to get hacked, and you think you’re so under the radar that you can run naked through the virtual street and no one will notice.

Au Contraire

At ReGroup, we’re always on the lookout for ways to make cybersecurity risks real to C-level decision makers of investment advisers and their employees. Enter stage left: an episode enticingly entitled The Russian Passenger by one of my (many) favorite podcasts, Reply All, which starts with a cyber-mystery:

Upon return from your vacation, Uber notifications start showing up on your phone in Russian. Your bank account has been charged for two rides in Moscow that took place while you were on a plane. You assume someone has hacked your Uber account and gotten your password. Nope. That would be too easy.

When you open your Uber app, it doesn’t recognize you. Since it’s nearly impossible to phone Uber, you email them the facts; they respond that they have no record of an account with your email address. Despite having credit card evidence of paying Uber, they keep sending you the same stupid computer-generated emails. You’re stuck in Uber-loop hell.

When you finally connect with Uber through sheer tenacity, they attempt to trace your account with the same credit card number used that morning on a ride in Moscow. They still cannot locate any record of that credit card in their system. Now it’s getting creepy. How did this happen? Did you do something wrong? Has there been a data breach at Uber?

Turns out, it’s more common (and more complicated) than it appears. Listen to the podcast episode for an interesting introduction to the dark web—where your stolen Uber account gets sold for $4 via a credential stuffing strategy.

HAVEIBEENPWNED?

Do you want to know whether your info is on the internet? Yes, you do. HaveIBeenPwned.com is a free service that searches the dark web for data that’s for sale, including your email and passwords.

Simply go to haveibeenpwned.com and input any email address. Yep, it’s that easy and it’s free. Try your work email and your personal email(s).

My work email was clean, but my personal email was listed in 4 data breaches. To fix that, I either closed the account OR changed the password to something unique which I then saved to my LastPass password manager account. Note that LastPass automatically recognized my new account data and collected it via a Chrome extension.

The Punch Line: Password Reuse

The reason credential stuffing works is because you, and zillions of others, use identical passwords for different accounts, which is an invitation to credential stuffing. They more you do it, the more vulnerable you are.

Your To Do List: Get a Password Manager

LastPass is our favorite and we’ve used it for years. With a password manager, you’re more likely to use a unique password for each account because you don’t need to remember them – the password manager can even auto-generate, store, and auto-populate unique and random passwords for each and every account at your request. You can also share account login information with family or colleagues so they can use your credentials without seeing the password. LastPass can store other important data like credit card information, passport data, and social security numbers. Interestingly, you can also set it to provide access to a next of kin in the event of your death or incapacity. It’s also $1/mo. Seriously: it’s less expensive than a Netflix subscription or one specialty coffee. Not surprisingly, LastPass has their own insanely complex security and turned up at the top of the list at the Wirecutter.

Resources

REPLY ALL podcast: #91 The Russian Passenger, March 16, 2017
Have I Been Pwned
LastPass
The Wirecutter: great product review site with a comprehensive article on password managers, and The Best Password Managers
Gmail account access logs: myaccount.google.com/device-activity (this makes sense if you listen to the whole podcast)

[1] THIS IS NOT A PAID OR SPONSORED POST. No company identified in this post asked us to review or recommend their products, we were not compensated in any way, and our insights are entirely independent. ReGroup complies with all FTC endorsement guidelines and will disclose any instance of paid or sponsored content in its posts.

< Return to Field Guide

Recommended, Risk ManagementAnn OglanianMay 30, 2017

Subscribe to our mailing list