Summertime and travel are around the corner! Please be reminded to safeguard your devices and information stored thereon when traveling. Remember that your mobile devices are personal computers and should be secured and safeguarded as such. For recommendations, please see the following blog post entitled Information Security Tips for Travel. The following are some supplemental recommendations:
Avoid public charging stations at airports and hotels and avoid connecting your device to public computers. Once a mobile device is connected to a public computer or charging station it may be exposed to malware. Additionally, sensitive data on your device could be compromised once a device is connected to public systems.
Safe WiFi & Bluetooth Usage
To prevent your devices from auto-connecting to open networks, and to prevent unknown Bluetooth-enabled devices from connecting to your device, disable WiFi and Bluetooth when not in use. Optionally, you can set your device to “Ask to Join Networks” so you can approve/select a WiFi connection. To safeguard your data and your transmissions, use of password protected WiFi networks is recommended. However, WiFi networks for which passwords are publicly displayed are not secure. Additionally, be sure to confirm both the name of the WiFi network and password with an employee/staff member of the organization before connecting. If you access accounts on an unfamiliar network, it is recommended that you later change the associated passwords using a secure personal device that is in your control.
Avoid online shopping, banking and conducting personal business when connected to public WiFi networks. Malicious actors can intercept network traffic and steal sensitive/confidential information. If you must perform a transaction or check an account balance, it’s recommended that you turn off WiFi and use your device’s cellular data internet connection. Additionally, only transact on secure sites, sites that begin with “https://”.
Safeguard Your Devices
Protect yourself from shoulder surfing by using screen guards on your devices. Make sure that your devices are always in your sight or your grasp, as device theft is a common occurrence. Please be reminded that the theft of any NYU provided mobile device must be reported to NYU Public Safety.
There has been a noted general uptick in social engineering attacks, which are designed to manipulate individuals into taking an action, such as divulging confidential or sensitive information. These attacks commonly take the form of phishing (attacks via email), smishing (attacks via text message) and vishing (attacks via phone). Common tactics include crafting messages that appear to be from trusted entities or people, which contain familiar logos/branding and use expected language. These messages often convey a sense of urgency and seek immediate action of some kind from recipients.
For example, recent vishing scams include callers purporting to be from the IRS, FTC, U.S. Department of Treasury or other government entities. In the FTC scam, callers seek remote access to your computer on the pretext that they are providing benefits in connection with the FTC’s Advanced Tech Support refund program. Scammers even told people to call if they had questions, but the phone number they supplied was not legitimate. This scam is also known as a tech support scam in which scammers seek to install malware on your device or sell you worthless software as a pretext for obtaining your payment information. Scammers may even direct you to a website with fake customer testimonials.
Please be reminded of the following best practices when evaluating the communications you receive:
- Never open attachments or click embedded links in unsolicited/unexpected messages, including email, text messages or social media messages.
- If in doubt of the legitimacy of a communication, contact the sender independently via a trusted phone number to confirm. Remember that scammers can spoof email addresses and phone numbers, so the sender’s contact information may appear legitimate when it is not.
- Never provide personal or payment information in response to unsolicited/unverified communications of any kind.
- Never provide remote access to your device to an unsolicited/unverified party.
- Limit what you share about yourself and others online as scammers use social media to gather information to use in targeted attacks.
Social Engineering Attacks and How You Can Protect Yourself, https://wp.nyu.edu/connect/2015/03/13/social-engineering/
Phishing, Spear Phishing and Whaling, https://wp.nyu.edu/connect/2017/03/01/phishing-and-whaling/
Learn to Spot a Phony: Detecting and Avoiding Phone Scams, https://wp.nyu.edu/connect/2017/09/19/learn-to-spot-a-phony/
Safe Social Networking,
In the following blog post from last week, https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html, Twitter disclosed that due to a bug, user passwords were inadvertently stored as plain text in an internal log. Passwords stored in plaintext are unmasked, so in this instance they were visible to Twitter employees rather than masked via a hashing process. Twitter states that they have no evidence that the data was leaked or misused. Although they have corrected the issue and are implementing processes so this will not occur again, they recommend that you change your Twitter password(s). If you use the same password(s) on any other accounts/services, which is not a recommended practice, you should change those passwords as well.
To change/reset your Twitter password, please see the following Twitter Help Center page: https://help.twitter.com/en/managing-your-account/forgotten-or-lost-password-reset. Please note that Twitter further recommends login verification via two factor authentication as a way to further protect your Twitter account as it will add a layer of security by requiring that you enter a six digit code sent to your mobile phone following your login with your password. Twitter calls two factor authentication “[T]he single best action you can take to increase your account security.” For instructions on how to set up Twitter login verification, please see the following Twitter Help Center page: https://help.twitter.com/en/managing-your-account/two-factor-authentication.
For password best practices and recommendations, please see the following Connect article, Under Lock and Passphrase.