Wednesday, June 20, 2018

Web Secret 524: Robocalls

I absolutely loathe robocalls.

So imagine how not surprised I was when I came across a New York Times article that confirmed what I already knew: robocalls are proliferating because it is so damn cheap to send them out by the thousands.

Better yet, the Times had a companion article "Robocalls Flooding Your Cellphone? Here’s How to Stop Them."

Let me summarize it for you:

Rule No. 1: Do not answer numbers you don’t know. If you do answer, don’t respond to the invitation to press a number to opt out. That will merely verify that yours is a working number and make you a target for more calls. Turn to the government

Rule No. 2: Turn to technology. Download apps such as Truecaller, which will block the calls. YouMail will stop your phone from ringing with calls from suspected robocallers and deliver a message that your number is out of service. Many of these apps are quite pricey. Hiya is free.

Rule No. 3: Turn the tables. The Jolly Roger Telephone Company turns the tables on telemarketers. This program allows a customer to put the phone on mute and patch telemarketing calls to a robot, which understands speech patterns and inflections and works to keep the caller engaged.

The robots string the callers along with vocal fillers like “Uh-huh” and “O.K., O.K.” After several minutes, some will ask the callers to repeat their sales pitch from the beginning, prompting the telemarketers to have angry meltdowns.

Rule No. 4: Watch what you say. One recent scheme involves getting consumers to say “yes” and later using a recording of the response to allow unauthorized charges on the person’s credit card account, the F.C.C. warned in March.

When the caller asks, “Can you hear me?” and the consumer answers “yes,” the caller can gain a voice signature that can later be used to authorize fraudulent charges by telephone.

Best to answer with “I can hear you.”

The future: The callers are evolving. Some have numbers that appear to be from your area code; others employ “imitation of life” software in which the robocall sounds like a live person, complete with coughing, laughing and background noise. This artificial intelligence can be programmed to interact in real time with a consumer.

I'm scared too.

Wednesday, June 13, 2018

Web Secret 523: Cybersecurity - part 5

This is the last in a series of 5 posts about cybersecurity.

Do you ever host or attend conferences or meetings? Rhetorical question.

There are cybersecurity best practices to consider, as I discovered after plowing through "The Cybersecurity Challenge", an article which I summarized for this post.

Registration puts financial information at risk. If you are storing any personally identifiable information and collecting credit card payments, you must comply with the PCI (Payment Card Industry) data security standard. There are companies that can help you with that.

Every assemblage of human beings includes a large number of mobile devices. It is not unusual for attendees to have a smartphone, a tablet and a laptop.

A large risk facing planners and attendees is the ill-advised use of free or “public” Wi-Fi networks in the destination. A large number of destinations have taken measures to prevent rogue Wi-Fi networks from tricking attendees into connecting to them; however, it’s still a common threat to take into consideration.

It is a relatively straightforward task for bad guys to generate a Wi-Fi signal that is going to look equal to or better than a real one. And they might even tailor it to your meeting and say, ‘Attention EAPA convention attendees — free Wi-Fi available to you.’ Such a hoax is called a “man in the middle” attack. It means the bad guys now have unfettered access to your computer.

Some experts advise clients to inform meeting attendees they should never use the free Wi-Fi networks in a Starbucks or any other public place.

We’ve gotten people to the point that when they are at a hotel or convention center, they expect free wireless internet. That is what has created the vulnerability that everybody now faces.

The typical meeting attendee, however, is not aware of the risk. A big part of the problem is that meeting attendees don’t read their program or background material, and the people running the meeting don’t make announcements telling attendees not to use unofficial free Wi-Fi networks.

Not even the safety of the Wi-Fi network at a hotel or convention center should be taken for granted. You must make sure that the provider is using secure equipment and that it has a secure connection from its technology to the internet. You also need to make sure that the people involved in running it have been background-checked and vetted.

The good news is that there is a simple recommendation to mitigate risk. Before attendees head out to your meeting, send them an email that is about just one thing: online security. It should say, “We are concerned about your cybersecurity, so we are informing you that the official Wi-Fi network for the meeting is named XYZ. That is the only network you should connect to. If you connect to anything else, we cannot promise that you are secure.”

Another option is to make a formal announcement at the meeting. For example, at the beginning of an opening general session.

A more elaborate step is to use a virtual private network, or VPN. A VPN is a computer program that creates encrypted connections. And because of that, it’s much harder for someone to intercept your signal. The technology is widely available and inexpensive today. It can be acquired for just a month to cover the meeting dates, then canceled.

Pay attention, people!

Wednesday, June 6, 2018

Web Secret 522: Cybersecurity - part 4

This is part 4 of a 5-part series on cybersecurity.

What can mental health providers and institutions do to protect themselves from a cyber attack?

Even a one-person private practice or a smaller company can implement cyber safeguards.
  1. Become knowledgeable about technology. Mental health clinicians are notoriously tech averse. However, unless you are living and working off the grid, ignorance is no longer acceptable.
  2. Educate yourself and your employees about the threat of cyber-attacks and ransomware. Education needs to be an ongoing process.
  3. Use two-factor authentication and encrypted email for sensitive information. Hushmail is a secure email utility.
  4. Make sure your website is HTTPS (HTTP Secure), e.g. https://www.mycompany.com. With HTTPS, the connection to your website is encrypted and thus is less vulnerable.
  5. At the Forum, we were told that 95% of malware can be addressed by anti-virus software. So deploy anti-virus and update as needed. 
  6. When Apple or one of the major tech companies you use (e.g. Microsoft) sends you an update patch, download it.
  7. Use complex passwords.
  8. Over and over the experts at Yale talked about the need for “good cyber hygiene.” Establish standards for cyber literacy, and other necessary protocols.
  9. Have a workplace social media policy.
If you aren’t sophisticated about things computer, hire an expert.

As we said good-bye, one attendee said, “and now I go back in my car and drive away while using Waze to find my route and Spotify for entertainment, giving up my privacy and leaving myself wide open to hacking.”