Cyber, Internet, and Pharmacy System Security Part II-Personal Security
- Jonathan Jacobs
Personal Security – Part II
In the first part of this four-part series, we covered your pharmacy’s system security and some proper social media habits for you and your employees to attract less attention to you and the inner systems of your store. In this second piece, we will go through your own ‘personal security’.
Today, most of us use the internet with various devices in multiple settings and have overlapping security protections at our hands. Whether you are using them effectively or at all is an issue we will discuss. Normal browsing through your desktop, tablet, or laptop computer puts you and your personal info at risk. Here are a few considerations regarding some methods most often employed by hackers and possible solutions to protect your personal security.
Cyber attacks are nothing new and with the arrival of the pandemic, they have increased a lot. The reason for this is simple, businesses have gone further down the digitization path with outdated security measures.
It’s been more than a year and a half since the beginning of the pandemic. Many employees prefer to continue telecommuting while companies continue to invest the same OR LESS in their cybersecurity plan, despite being an easier target for an attacker.
Some Security Lies We Tell Ourselves
- Our workers know about security.
- We have very good security policies
Self-delusion is great for cybercriminals.
Clearly, a company must have security and user policies. But they must be reviewed and updated every time changes are made or new devices are connected to your network. Experts say the best way to verify these policies, is to do planned tests of them, and of your disaster recovery plans as well.
More importantly, policies need to be communicated, especially the rules of the road for your staff. If no one knows your policy, how can they adhere to it?
According to the State of Ransomware 2021, 22% of organizations believe they will be affected by ransomware in the next 12 months. Why? Because it is difficult to prevent end-users from compromising security.
The easiest techniques used by attackers are phishing emails and social engineering. Many times these messages appear ‘handwritten’ and addressed to the right person. Will a worker really know how to detect that message among the thousands that can reach him per month?
Most phishing attacks are sent by email. The crook will register a fake domain that mimics a genuine organization and sends thousands and thousands of generic requests.
The fake domain often involves character substitution, like using ‘r’ and ‘n’ next to each other to create ‘rn’ instead of ‘m’. Alternatively, they might use the organization’s name in part of the email address (such as firstname.lastname@example.org) in the hopes that the sender’s name will simply appear as ‘PayPal’ in your inbox.
There are many ways to spot a phishing email. As a general rule, you should always check the email address of a message that asks you to click a link or download an attachment.
There are two other, more sophisticated, types of phishing involving email. The first, spear phishing, describes malicious emails sent to a specific person. Criminals who do this will already have some or all of the following information about the victim:
- Their name
- Place of employment
- Job title
- Email address
- Specific information about their job role.
Whaling attacks are even more targeted, taking aim at senior executives or store owners. Although the end goal of whaling is the same as any other kind of phishing attack, the technique tends to be more subtle. Scams involving bogus tax returns are an increasingly common variety of whaling. Tax forms are highly valued by criminals as they contain a host of useful information like names, addresses, Social Security numbers, and bank account information.
Smishing and Vishing
With both smishing and vishing, telephones replace emails as the method of communication. Smishing involves criminals sending text messages (the content of which is similar to that of email phishing). Vishing involves a telephone conversation. A common vishing scam involves a criminal posing as a fraud investigator (either from a card company or a bank) telling the victim that their account has been breached. The criminal will then ask the victim to provide payment card details to verify their identity or to transfer money into a ‘secure’ account – by which they mean the criminal’s account.
Angler Phishing / Social Media
Social media offers a number of ways for criminals to trick people. Cloned websites, fake URLs, posts, tweets, and instant messages (essentially the same as smishing) can all be used to persuade people to divulge sensitive information or download malware. Criminals also use the data that people willingly post on social media to create highly targeted attacks.
In 2016, thousands of Facebook users received messages telling them they’d been mentioned in a post (Facebook Fake Friends…). The messages were initiated by criminals and unleashed a two-stage attack. The first stage downloaded a Trojan containing a malicious Chrome browser extension onto the user’s computer. When the user next logged in to Facebook using the compromised browser, the criminal hijacked the user’s account. They were able to change privacy settings, the user’s password, steal data, and spread the infection to the victim’s Facebook friends.
In general, if you get a friend request from someone you thought you were already friends with – reach out via another medium before accepting. They may have been hacked and not even know it. Report any of these that are not the actual friend to Facebook using one of their feedback/reporting methods.
We used Facebook as the example here. Obviously, similar diligence should be used with other social platforms.
Changing your email.
Changing an email address is a hassle. Yet sometimes we need to do it. Perhaps it’s time to cut the cord from your cable TV provider that included a free email address. You may be moving to a new city where your provider is not offered, or just freeing yourself from a spam-ridden account and starting fresh. Regardless, making the switch effectively is worth the effort. You need to have a plan so you don’t lose your contacts – and a whole lot of history.
Let’s first discuss browsers that you could or might use. There’s a lot of malware, hackers, and data thieves on the internet. A good browser needs to be able to protect you from:
- Phishing sites — deceptive websites that mimic legitimate popular websites to trick you into giving away personal info.
- Web trackers/cookies — internet scripts that track your browsing habits from site to site, sharing this data with advertisers (and sometimes even hackers).
- Spyware/adware — malware that embeds in your browser and captures your data and redirects searches to unwanted sites.
- Screen-loggers/keyloggers — malware used to take screenshots of your computer or steal your keystrokes.
- Malicious ads — pop-ups that can direct you to unsafe sites.
Microsoft’s Edge and Google’s Chrome are by far the most popular browsers available today. As far as personal security, they are often not the best or most secure products.
Some browsers commonly recognized for their level of security
- 1. Firefox — Most secure overall, highly flexible, and easy to use.
- 2. Tor — Best for privacy and maintaining maximum anonymity.
- 3. Brave — Very fast speeds, with ad and tracker blocking.
- 4. Pale Moon — Highly customizable and open-source.
- 5. DuckDuckGo — Privacy-focused mobile browser for Android and iOS.
- 6. Brave – Browse privately. Search privately. And ditch Big Tech.
In no way are we endorsing or advocating for any one product, just listing them for discussion.
All of the above listed browsers offer different levels of protection and privacy. They all try to limit malware, fingerprinting, phishing, and collection of your personal information and tracking where you go on the internet. With traditional browsers, every time you navigate to a website, your browser sends an unencrypted plain-text query over the internet — so it’s very easy for third parties to track your browsing history.
Antivirus software works to keep you safe from the online world. The best antivirus software is the one that acts as an essential tool for identity protection — especially now that there’s so much personal information on your computer that’s at risk. Antivirus software is crucial for anyone with a Windows PC, helping protect you from cyber criminals or viruses that make it through your ordinary defenses.
Keeping your personal data safe and guarding your privacy extends beyond virus protection, and that’s where third-party antivirus tools shine. These tools can monitor your Windows operating system as well as MacOS, iOS, and Android devices. They may also include a password manager, secure online backup, identity theft protection, a VPN, parental control, webcam protection, protection against phishing and malicious websites, and more. Some of these things were probably not on your radar as potential risks.
Your devices… Your cell phone
SIM-swapping frauds are on the rise. SIM swapping is a type of account takeover scam where hackers take control of your phone number to access all kinds of personal information. They can even use it as a way to co-opt two-factor authentication and one-time passwords (OTP). It requires only minor tech skills for an attacker to target your cellphone number, which is why it has become popular with younger, less sophisticated hackers completely unaware of even the phrase, personal security.
Sim swapping is not just an inconvenience. Once someone has taken over your phone number, they can use it to impersonate you or log into your online accounts. They can get instant access to any two-factor authentication codes you receive through text messages, the PIN that an institution texts you to verify your identity. Once they do this they can virtually go anywhere and get into any of your most personal places such as your bank account!
Protecting yourself against these types of attacks goes back to how you browse and the amount of personal information you provide to the world and the internet. Social media rules as we discussed in Part I come into play.
- Do not advertise information about financial assets, including ownership or investment of cryptocurrency, on social media websites and forums.
- Do not provide your mobile number account information over the phone to representatives that request your account password or PIN. Verify the call by dialing the customer service line of your mobile carrier.
- If a company reaches out to you from a particular institution asking for account details or personal information, call them back on a line that you are familiar with to be sure they are who they say they are. Spoofing numbers makes pretending someone calling you from a familiar number may not actually be from that company.
- Avoid posting personal information online, such as mobile phone numbers, addresses, or other personally-identifying information. This is a huge no-no when it comes to your personal security.
- Use a variety of unique passwords longer than 8 characters with upper and lower case letters, numbers, and some special symbols to access online accounts.-please see our link below as well. Don’t use the same passwords across different platforms. If one is compromised, they will have your password to try on other platforms.
If your phone suddenly stops working, especially with regards to SMS messaging, it could be a sign of a SIM swapping attack. Contact your cellular provider and your bank as soon as possible to ensure that you are not ripped off.
According to Security Magazine, the average business user has 191 online passwords. A non-business internet user has around 23. These can include everything from your email password to those you use for online banking, Amazon, Netflix, Facebook, Instagram, Grubhub, student, work, or medical portal, etcetera etcetera.
If these numbers seem high to you, it’s likely because you’re not used to typing in your password. Thanks to password chains and browser-based autofill features, we rarely have to enter our passwords in order to access our accounts. There’s no doubt that these features make life easier, but they can also be dangerous—they make us complacent about updating our passwords and therefore more susceptible to cyberattacks and identity theft.
Gather the family around one Sunday afternoon. Discuss what personal security is all about and how to protect this information for the entire family. Change ALL your passwords to all the sites you visit regularly and have accounts for. Make all your passwords unique. If you have a hard time with this, there are apps that will help you like 1password or LastPass and others.
Change your passwords on a regular basis.
Stay and be secure!
We at Point of Care are pleased that at present the Covid-19 Pandemic appears to be waning. Please, where applicable maintain social distancing and wear a mask when mandated.
Below are a few listings of articles we’ve previously posted for Pandemic and pharmacy related information.
Additional article related information: