After the past few weeks of fun and excitement on the Web, I have decided to practice what I preach by starting to decrease my Electronic Footprint. The Heartbleed Bug will mean that we must all go and change all of our passwords and such to get back to a less vulnerable stance (sorry I have been watching MI-5 on Netflix).
One of the first steps I have taken is to minimize financial issues, and I had a small account with Mint.com, which was mostly just to try things out, that I have deleted. The account was not being used; all it did was tell me once a month that one of my credit cards has a balance, but no longer.
The reasons for cancelling this part of my electronic footprint:
- The account was not being used and all it could do was act as a gateway for “bad folk” to break into my financial life and crap all over the place.
- Mint, while an interesting service, can cause a great deal of consternation with your financial providers as well, if your account is cracked and used for bad things. I am not sure if your bank could do anything, but I don’t think you want to expose yourself to any possible jeopardy from sharing your banking information.
- It is one less password and user id to remember or worry about.
I actually have a very long list of user ids and passwords that I will now be going through to decide to either:
- Change the password to something new
- Delete the account because I can’t justify having this “possible security hole” still existing
Oh, and understand that for a lot of accounts, if you “DELETE” them, they don’t actually go away (e.g. Facebook), so remember to read carefully what happens if you try to DELETE an account.
No, not sin, Social Insurance Numbers, that SIN.
If the Social Insurance Number is simply a number given out each time a Canadian asks for one, the maximum number of encodings is simply 999,999,999 codes. That seems like a very large number, so why would anyone worry about running out of numbers in this program? The Social Insurance Number has become the de facto standard for identification in Canada (especially financially), and a number to be guarded closely, so each number is very important.
Some points to think about this number:
[Image: A very Fake Social Insurance Number]
- I don’t think anyone has the Social Insurance Number 000 000 001 or anything like that encoding, so there aren’t as many numbers as we think. Is the exact number of available SINs published anywhere? I don’t think it is, but maybe I missed out on that.
- From 1973 to 1994 the three digit prefix (the first three numbers) increased by about 265 (if I compare my SIN to my children’s SIN), so not an insignificant increase. From 1994 to 2005 the prefix digits increased by 035. This assumes that the numbers are allocated in an increasing order.
- There are no more plastic SIN Cards being made, you simply get a letter with your SIN and that is it!
- Given 900 SINs were lost with the Heartbleed bug, how many more digits are lost due to identity theft and such?
- Is there a recovery program for digits after someone dies? I don’t think so.
- Temporary SINs have 9 as the first digit, and depending on where you apply, your leading digit will reflect that (see Wikipedia for this).
- There is a checksum to easily figure out if a SIN is real or bogus.
Am I just fear mongering now? It’s possible, but I just wonder if we are going to hear in about 20 years that the Social Insurance Number will go from being a 9 digit number to either:
- A 9 digit hexadecimal number (base 16) (e.g. DEA DBE EF9 )
- A 12 digit regular number
Those would be simple fixes I suppose, except then every and any program that used the SIN for identification would need to be recoded (can you say Y2K?).
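The checksum mentioned above is a Luhn mod-10 check, the same scheme credit card numbers use. Here is an added example (my own code, not from the original post) that validates the format, derives the single check digit that fits an 8-digit prefix, and counts how many numbers in a block actually pass, which shows why only one in ten 9-digit values is a usable SIN. The sample values are constructed for illustration and are not anyone’s real number.

```python
# Luhn (mod 10) validation for a 9-digit Canadian SIN, plus a count that
# shows how the checksum shrinks the usable number space by a factor of 10.
# Sample values used below are constructed for illustration, not real SINs.
import re
from typing import Optional


def luhn_total(digits: str) -> int:
    """Luhn sum: double every second digit from the right; subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit, counting left from the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def normalize_sin(text: str) -> Optional[str]:
    """Strip spaces/dashes; return 9 digits, or None if the shape is wrong."""
    digits = re.sub(r"[\s-]", "", text)
    return digits if re.fullmatch(r"\d{9}", digits) else None


def is_valid_sin(text: str) -> bool:
    """True only for a 9-digit value whose Luhn total is divisible by 10."""
    digits = normalize_sin(text)
    return digits is not None and luhn_total(digits) % 10 == 0


def is_temporary_sin(text: str) -> bool:
    """Temporary SINs are issued with a leading 9 (see the post above)."""
    digits = normalize_sin(text)
    return digits is not None and digits[0] == "9"


def check_digit_for(prefix8: str) -> int:
    """The one check digit that makes an 8-digit prefix pass the Luhn test."""
    if not re.fullmatch(r"\d{8}", prefix8):
        raise ValueError("prefix must be exactly 8 digits")
    partial = luhn_total(prefix8 + "0")  # placeholder check digit of 0
    return (10 - partial % 10) % 10


def count_valid_in_block(prefix6: str) -> int:
    """Of the 1,000 SINs sharing a 6-digit prefix, how many pass the checksum."""
    return sum(1 for n in range(1000) if is_valid_sin(f"{prefix6}{n:03d}"))
```

Because exactly one check digit fits each 8-digit prefix, a block of 1,000 candidates always yields 100 valid SINs, so the real space is closer to 100,000,000 than 999,999,999.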
Yes you should really care about this large hole in an allegedly secure internet world. Can you do something about it? That remains to be seen.
Someone either wrote bad code, or built in their own back door in the OpenSSL product, which is the basis for many (read LOTS) of “secure internet” applications that are used on the Web and elsewhere, and created the Heartbleed Bug with this change. This is so interesting that there is a Heartbleed Bug web site! If you really want a detailed explanation, read Bruce Schneier’s explanation (he says on a scale of 1 to 10 in terms of bad, this is an 11).
How serious is this problem? Well the CRA closed down Netfile’ing for now, because they weren’t sure if they were victims of this problem. My bank didn’t shut down their Web Banking, so they either don’t think this is a big issue, or they know they did not use that code.
What should you do about it? I have seen lots of folks screaming that we should all be changing our passwords right away, which might be a good idea, except if you then use it on a site that has not been “fixed” yet, your new password is now available to Evil Hackers as well.
It might be best to find out which sites you use that might have this “software flaw” in it, and once the site declares it is safe, then change your password there. If you have a common password which you use everywhere, you might want to change it everywhere as well. You can test a site here, but I also am not sure if that site’s findings are (1) believable, (2) to be trusted.
The good news is that this bug has been around since 2011? Does that mean no one noticed this before, or it has been exploited for a long time and now it is becoming well-known? I have no idea, but this is another argument about why you should regularly change ALL of your passwords, especially for on-line banking and such.
So I kept noticing on the On Line TD Banking home page a mention of protecting your computer with McAfee, and on Saturday I investigated further. The short answer is: yes, it does seem that they are giving away McAfee Anti-Virus if you are a TD client. I haven’t actually installed the “Free” software, but I have registered for it, and it does seem to be a real copy of the software (if anyone has done this, please leave me a comment on your experience).
At first blush this is a bit annoying (for me) if it is a real copy of the software, as I have already updated my software (now I got it very cheap on sale, but I still paid money, for something I could have received for free which always annoys me). No Alanis that is not Ironic, just really annoying.
The second thing that I noticed was that after I registered the software with my existing McAfee account, this “Free” software asked me to update my credit card information (since I let it lapse), and the “Free” subscription would not allow me to continue until I gave a valid credit card number with a valid expiration date. This seems odd to me since I am not paying for this “Free” software, so why do they need a credit card?
Why, you may ask, indeed, and after I finished the registration process the system noted (in a side column, where I might not have looked) that the “Free” software had Auto-Renewal set to ON, so that I wouldn’t lose my “security experience”. To quote George Costanza, “A HA!!!!!!!”, now I get why they wanted an up to date credit card, so they could auto-renew it some time in the future and charge me $75 for the year (also remember George’s comments about “… sticking it to me!”).
To stop the auto-renewal is a simple matter of finding the auto-renewal page and turning auto-renewal to OFF; however, I would guess many folks would not go looking for that (or even notice that auto-renewal was on).
Why do computer security software marketing tricks seem solely based on Used Car Sales and Carnival Games of “Skill” trickery?
Do you have a magic list of passwords for all of your various on line profiles? Do you have a system for changing your passwords often? Do you have the same password for all of your on line profiles?
If you answered Yes to the last question, allow me to say, “DON’T DO THAT!”, for the love of MyDoom, if any of the many sinister nasty folks on the Interweb get into one of your accounts, suddenly they are into all of them. I have talked about Financial On Line Security before, but this was triggered by yet another interesting discussion with Mrs. C8j.
Security Needs to be Watching
There is actually a very long list of different financial on-line profiles with user ids and passwords, but Mrs. C8j pointed out that she really should have access to this information in case of an emergency. My guess is that a solution to this will be to actually print out this information and put it in a safe deposit box or somewhere safe for her.
This is actually a terrible solution, because:
- You should not have a file with this information on a computer anywhere (unless you have it under some kind of heavy encryption, but even then, that may not be that safe).
- Printing it just means that it will be even less safe (paper is much easier to pilfer).
- Printing the information means she has a snapshot, at that moment, however, when I change those passwords, the list is suddenly useless.
The other ideas, like putting it on your cell phone, are bad, because the phone is easily stolen, and putting it “in the cloud” just makes it easier to find.
What is the best way to keep this information secure, while being able to share it (securely) for the “what if” scenario?