11 Security Tips for Tax Time


Tax time is like Christmas for cyber criminals. Their victims are busily pulling together sensitive financial information from all kinds of online sources, and many are filing using one of the half-dozen or so web-based tax-preparation services or electronic state or Federal portals. In the rush to meet deadlines and avoid the ire of the taxman, consumers are especially vulnerable to scams and identity theft. Here are some tips to keep yourself safe and sane.

  1. Update protective software. Be sure your malware and firewall protection is up-to-date before conducting any secure online transactions. Perform a deep antivirus scan before opening sensitive documents or connecting to a tax-preparation service.
  2. Back up everything. Ransomware was the fastest growing form of malware in 2016, and there are no signs its momentum has slowed. Most ransomware encrypts all the data on your hard drive and demands a ransom payment to unscramble it. The only effective defense is to have a backup, so make sure all of your sensitive financial documents are stored in at least one other place, such as a cloud service or on a USB drive. Also, protect any sensitive data on your local storage media by saving it in an encrypted folder.
  3. Don’t forget physical security. If your office is in a shared space, your security is only as good as the locks on the door. Store physical records in a safe or file cabinet with a good-quality lock. And don’t keep old tax records. The statute of limitations on back taxes is three years, although it may be as long as 10 years in some circumstances. Whatever the case, there’s no reason to keep those 2005 files around anymore. Shred them.
  4. Use strong passwords when filing online. This is no time to safeguard your account with passwords like “123456” or your telephone number. Choose a password of at least eight random alphanumeric characters, including upper- and lower-case, digits and punctuation marks. Most password managers will generate secure passwords for you and store them safely. If the tax-preparation site offers two-factor authentication, use it. Be sure any online tax-preparation service you use employs the secure “https” protocol. If you don’t see those characters at the beginning of the web address, your connection isn’t secure.
  5. Don’t use public Wi-Fi services when working with financial information. Most are unencrypted, which means that anyone sniffing the network can harvest any information that is transmitted over it. Although you may need a cup of coffee to calm your nerves at this stressful time, don’t do your taxes from the local coffee shop. Get your joe to go.
  6. File early. The IRS estimates it paid out nearly $6 billion in bogus refunds to identity thieves in 2013, and the real figure was probably higher. Tax identity theft is a growing problem. Any thief who has your Social Security number can file a false W-2 form and claim a refund in your name. Your filing then gets rejected, and you have to submit to a lengthy appeals process. It takes an average of 278 days to resolve a claim, and even then there’s no guarantee you’ll win. The best strategy is to file early, particularly if you suspect that your Social Security number has been compromised. That way crooks have a smaller window to scam you.
  7. Don’t share passwords, even with your accountant. This isn’t about trust but control. Even if your accountant is your best friend, there’s no guarantee he or she can’t get hacked. If you need to share documents, export them and store them in a secure online vault with sharing capabilities. It goes without saying that you never send passwords by email, right?
  8. Don’t share Social Security numbers, either. All a thief needs is those nine digits and your address to file a fraudulent return. You should only share Social Security numbers over the phone or in an encrypted email message.
  9. Don’t fall for phishing scams. Scammers love tax time because they know consumers are in a state of high anxiety about the potential for audits or fines. Phishing messages often contain alarming language or threats that are intended to scare recipients into giving up personal information. Any email that appears to be from the IRS and that asks you for personal information is a scam. The basic rules of phishing prevention also apply: Don’t click on links in email unless you’re absolutely sure of the identity of the sender.
  10. Monitor your filings for suspicious activity. When you file your taxes, the IRS provides you with an Electronic Filing Identification Number (EFIN). You can use this number to check periodically on how many tax returns have been filed in your name. This enables you to catch a breach quickly. The IRS has more information here.
  11. Don’t fall for fake IRS phone scams.  Bad people posing as IRS agents are contacting innocent taxpayers to steal personal information, money and tax refunds.  The IRS never calls taxpayers by phone to request personal information, tax information, credit card numbers and money.  If you get a phone call from an IRS impostor, tell them nothing and immediately hang up the phone.  Then, report the incident to the Treasury Inspector General at (800) 366-4484 or at www.tigta.gov.  Thousands of taxpayers fall victim to fake IRS phone scams where the caller will demand immediate payment to release a tax lien or levy.  You can learn more about this phone scam here.


The IRS also publishes a great, 21-page guide to “Safeguarding Taxpayer Data.” Read it if you want to be sure all your bases are covered.

eWeek has shared a version of this article on their website. To read it, please click here 

 

Spring Cleaning Your Digital Life


It’s spring: Out with the old!

Organizing and cleaning up your digital life has gotten easier

Spring is here, which many people will greet with determination to clean out a lot of junk – from closets, garages, desks, and so on. But what about your digital life? As it turns out, that too will benefit from some reasonable spring-cleaning. It really won’t take long, and the results may be every bit as satisfying as throwing out those smelly old running shoes growing a new form of life in your closet.

Below are some tips for sprucing up your digital life.

Don’t pass on secure passwords

What do 12345, 123456789 and 123456 have in common? They are, in order, the most commonly used passwords of some 10 million passwords analyzed from data breaches in 2016. Regardless of whether your passwords have much in common with these or not, this is a great time of the year to change them – all of them. Research shows that, given the opportunity, nearly two out of three people use the same password for all log-ins. Change them to oddball combinations of letters, numbers and symbols such that they are almost bulletproof.

Of course then you’d be left with a potentially large number of passwords that almost no one could remember. One solution to this that appeared recently suggested that you ‘write down your new passwords and store them in a safe place.’ Wrong! There probably is no safe place they can be stored that you can actually access easily and quickly. That is one of many good reasons why it makes sense to download a free password manager that will do all the work of creating complex passwords and remembering them for you.

Make mobile security meticulous

Smartphones are the most used digital device, and as such are loaded with data. Photos and videos consume huge swaths of phone storage. You may want them but do you need all of them on your phone? Download them to your computer or backup cloud service. There are lots of great, free products out there for helping both Android and iPhone users get more phone memory instantly and give a boost to battery life as well. Some of these apps can actually identify poor quality photos that you probably don’t want anyway, as well as duplicate photos.

In addition, there are more smartphone apps available than you might think – two million and counting both for Android and iPhone. Accumulating them is easy, and can consume memory. This is a great time to take stock of what you have, deleting the ones you simply don’t use any more. Even if you don’t use them, they may well be permanently connected to the Internet for notifications, consuming your mobile data and battery as they do so.

Finally, the network providers are in a state of constant flux as they jockey for subscribers with what may seem like increasingly generous data plans. Comparing these plans can be a colossal headache, but worthwhile if you can save $10 or more every month for the same or better service. This vendor-independent site and search engine can help you compare and contrast all that’s out there. And if you have an iPhone, go to settings and turn off Wi-Fi Assist, which can be a data hog. Turn it on only when you need a cellular signal at times when the Wi-Fi connection is a poor one.

Urban renewal for your digital world

Perhaps the single most important spring-cleaning task for your computer is to be certain the stuff you really want is properly backed up. Think of all the things that can go wrong – from a hard drive failure to a ransomware attack to a lost or stolen computer to a freak electromagnetic impulse. Stuff happens! Cloud backup is cheap and easy with many first class service providers. And for really important files or photos, consider secure file storage.

Other considerations: Be absolutely certain your antivirus and other security solutions are in place, currently versioned, and working. Shovel out your email by moving or deleting in-box items that have been hanging around and ensuring your spam filters are functioning.

None of these common sense spring-cleaning suggestions take much time or effort for that matter. You’ll end up creating lots of new space on your devices, and you know the saying: Junk expands to fill the space available. Undoubtedly it will.

 

PIN vs. Password: What’s the Difference?


If you use Windows 10, you may have noticed that you now have the option of signing in with a personal identification number (PIN) instead of a password. The same applies to the Apple Mac as well as many brands of smartphone. Which might lead you to wonder what exactly is a PIN and how does it differ from a password?

The use of PINs has grown with the popularity of mobile devices. Entering long usernames is a pain with a touchscreen, so a PIN presents a shorter, more usable experience. But a PIN isn’t necessarily the same as a password. Depending on the scenario, it has different applications.

There are many ways to implement PINs, but the most common is to link them to a specific physical asset, such as a computer, credit card or phone. Most of us had our first encounter with PINs when we first used an ATM card. In that case, the PIN is a form of two-factor authentication. The physical card is the first factor and the PIN provides an additional level of verification that the cardholder is authorized to use it.

PINs may be stored on a server or on the device itself. In the case of Windows 10, Microsoft uses a physical chip called a Trusted Platform Module that includes multiple physical security mechanisms and cryptographic algorithms to make it nearly impossible to compromise. The PIN is only stored on the client PC. This approach is more secure than validating on the server because an attacker would have to gain access to the computer itself to steal the PIN. Similarly, the new chip credit cards that are now being broadly deployed in the U.S. store the PIN locally so that there is no chance of a large-scale compromise at the server level.

A PIN usually consists of a string of between four and eight numbers, although variations may include letters and punctuation at the security administrator’s discretion. Why is four numbers the standard for most applications? Because the man who invented the ATM back in the 1960s found that his wife couldn’t remember more than four numbers. You can look it up.

Four numbers offers only 10,000 possible permutations, which you’d think would be a snap for a password cracker to defeat. In fact, it’s not so easy.

For one thing, PINs almost always require manual data entry. Attempting a brute force attack using a keyboard would quickly frustrate most intruders, not to mention cause painful hand cramps. Most systems that use PINs also specify a maximum number of access attempts before shutting down. For example, Apple’s iPhone gives you just six chances to enter a four-digit passcode. After that, the phone is disabled. Windows permits four incorrect attempts before requiring a restart, and multiple restarts will lock the machine.

So given four attempts to authenticate against the universe of 10,000 codes, the intruder has only a .04% chance of success. That’s why some people say PIN security is actually better than password security.

Which doesn’t mean you shouldn’t be careful. PINs demand the same level of care as passwords. Unfortunately, many people simply choose the easiest numbers that come to mind. Researchers at the data analysis firm Data Genetics found that the PINs “1234,” “1111” and “0000” accounted for nearly 20% of all the four-digit PINs they analyzed. In fact, “1234” was more popular than the least-used 4,200 codes combined. Human nature is difficult to change*.

Data Genetics also found that four-digit combinations starting with “19” rank above the 80th percentile in popularity. So using the year you were born is not a good idea.

Avoid easily guessed or researched PIN combinations, such as the last four digits of your Social Security number, your phone number or the day and month in which you were born. If you want to use a number that’s easy to remember, try an old phone number that can no longer be traced to you, or a combination of two numbers, such as your childhood street address and the grade on your sophomore year chemistry exam.
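The screening advice above can be written as a PIN policy check. The following Python is an added example, not code from the original article or from Data Genetics; the function names, the 4 to 8 digit numeric assumption and the sample values are constructed for illustration. It also computes the lockout-limited guess rate quoted earlier, which holds only when PINs are chosen uniformly at random.

```python
from datetime import date

# The three PINs the article names as the most popular four-digit choices.
NAMED_COMMON = {"1234", "1111", "0000"}


def lockout_success_rate(length, attempts):
    """Chance that `attempts` distinct guesses hit a uniformly random numeric PIN."""
    keyspace = 10 ** length
    return min(attempts, keyspace) / keyspace


def _is_run(pin):
    """True for ascending or descending runs such as 2345 or 9876 (0 follows 9)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})


def _is_calendar_day(pin):
    """True if a four-digit PIN reads as DDMM or MMDD."""
    if len(pin) != 4:
        return False
    first, second = int(pin[:2]), int(pin[2:])
    for day, month in ((first, second), (second, first)):
        try:
            date(2000, month, day)  # leap year, so 29 February counts
            return True
        except ValueError:
            continue
    return False


def _digits(text):
    """Keep only the digits of a formatted number such as a phone number."""
    return "".join(c for c in text if c.isdigit())


def pin_findings(pin, ssn=None, phone=None, birthday=None):
    """Return the reasons a candidate PIN is easy to guess (empty list: none found)."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 8):
        return ["not a 4 to 8 digit numeric PIN"]
    findings = []
    if pin in NAMED_COMMON:
        findings.append("among the most common PINs")
    if len(set(pin)) == 1:
        findings.append("single repeated digit")
    if _is_run(pin):
        findings.append("ascending or descending run")
    if len(pin) == 4 and pin.startswith("19"):
        findings.append("starts with 19, like a birth year")
    if _is_calendar_day(pin):
        findings.append("reads as a day and month")
    # Checks against personal data the owner supplies at enrollment (optional).
    if ssn and _digits(ssn).endswith(pin):
        findings.append("matches the end of the Social Security number")
    if phone and pin in _digits(phone):
        findings.append("appears in the phone number")
    if birthday is not None:
        ddmm = f"{birthday.day:02d}{birthday.month:02d}"
        mmdd = f"{birthday.month:02d}{birthday.day:02d}"
        if pin in (ddmm, mmdd):
            findings.append("owner's day and month of birth")
    return findings


if __name__ == "__main__":
    # Constructed sample candidates; none come from a real account.
    print(f"4 guesses at a random 4-digit PIN: {lockout_success_rate(4, 4):.2%}")
    for candidate in ("1234", "1111", "1987", "7305"):
        print(candidate, pin_findings(candidate) or "no findings")
```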

If the online services that you use offer the option of a PIN to complement your username and password, we recommend you use it. Device makers are also broadening the number of options to now include fingerprint recognition, facial recognition and voice recognition. These are often good alternatives to PINs, but we recommend against making them your primary form of authentication. Researchers have demonstrated ways to compromise fingerprint scans with wax molds, and face- and voice-recognition technologies are not mature enough to replace two-factor authentication on their own.

With so many large-scale password breaches in the news, it’s nice to have a second level of protection.

*The Data Genetics blog post is well worth reading for its interesting tidbits about password length. For example, the fourth most popular seven-digit password is 8675309 which will resonate with 1980s rock fans. The 17th-most popular 10-digit password is “3141592654.” Look it up.

TeamSIK Response


Keeper’s engineering team prioritizes the security and privacy of our customers over all feature and functionality decisions in our application. Our company has a strict zero-knowledge and no-data-leakage policy and everything we create adheres to these protocols.

Recently, a team of researchers posted a report about vulnerabilities and bugs in various Android password management apps.  First of all, I think TeamSIK did a great job.  They clearly spent significant time and performed an intense and technical analysis of the applications on the Android platform. Both of the reported issues were quickly resolved and published.

The issues reported about Keeper (SIK-2016-025 and SIK-2016-026) were not vulnerabilities, but in fact just bugs, which is why they classified them as “medium” risk.  I have addressed this distinction with TeamSIK since both issues were “low” risk due to the reasons described below:

  1. Attacker must have physical access to the device and;
  2. Attacker must bypass the device lock screen or fingerprint and;
  3. The app must be running in the background in an active state (where the auto-logout timer set by the user hasn’t activated yet) and;
  4. The device must have a USB cable plugged into a computer and authorized by the device and;
  5. The user’s two-factor device must be accessible from the same device and;
  6. The attacker must have access to the user’s email account on the same device.

The foregoing was an extremely unlikely scenario.  No customers were affected by this issue and moreover, no data leakage was ever at risk.

Thank you for staying protected with Keeper.

Keeper Customer Profile: Salvatore Porcillo


Cyber security becomes more important every day as hackers continue to target users for personal information that can be sold for a profit on the dark web. With more than 10 million consumers engaged with Keeper on a daily basis, we thought it would be a good idea to find out a bit more about our customers and share how Keeper helps simplify and protect their digital lives.

PDF version here

When did you start using Keeper?
I believe at least 5 years ago, or more. I have communication with Keeper dating back to 12/2011.

How many passwords does Keeper store for you?
Based on a hard count, I have 474 different entries in Keeper in 13 folders. I should mention, I use Keeper for passwords, SS #’s, passport #’s, VIN #’s, etc. I like having these items at my “finger tips” if needed. I use Keeper for passwords and for securing other important information that I only have access to.

What kind of files (e.g. passport, credit card numbers, photos, license, etc.) do you store in Keeper’s encrypted vault?
All the previously noted, plus work related passwords, etc. My Folders are: Auto, Sports (for my kids’ activities), Electronics, Financial, Health/Life Insurance, Home, Legal, Online, Restaurants, School/College, Stores, Travel and Work. So basically anything that could be associated with the mentioned folders is included in Keeper.

What is one thing you would recommend to a new Keeper user?

I’ve sold family and friends on it, I’m a big fan. I say, it’s secure and if you do it right, you’ll have any and all information that you need available to you 24/7.

Why did you decide to start using a password manager?

I think it started out as a need to store passwords, but once I understood that I could use it for other important information, I got obsessive. I have OCD (self-diagnosed), so I just started loading it with all kinds of information. I should mention, I carried around a Franklin Covey Planner for years, with all my password information hand written in it. At some point I realized, that wasn’t a very good idea and I needed an alternative. That’s when I started to seek out an electronic version or App to keep this information.

What are some main benefits you get from utilizing Keeper?

I have everything I need at my fingertips when I need it, it’s secure, easily accessible, inexpensive to own and it’s in the cloud so I’ll always have it, it’s password protected and most of all it’s fun to use.

 

Password Management for Dummies


Nearly two-thirds (63%) of confirmed data breaches involve weak, default, or stolen passwords, according to a major study. So it wouldn’t be surprising if, upon discovering that a not-so-secure password like 123456 were compromised and led to a breach, the user of this password declared, “Boy, that was dumb!”

For people like this and for countless others who don’t want their data and systems compromised as the result of poor password management, relief is here. It is in the form of a concise, comprehensive, and free booklet written for all of us “Dummies.” And you can get your copy of Password Management for Dummies here.

Helping Dummies for 26 years

Everyone is familiar with the 26-year-old Dummies series, launched in 1991 with the now legendary DOS for Dummies. How good are the books in this series? Windows for Dummies has sold more than 15 million copies in multiple languages across the globe. More than 200 million Dummies titles are in print, with the switch well underway now to digital download for distribution.

All of the nearly 3,000 titles in the Dummies series have one thing in common: They make the complicated very easy to understand and put into practical use. Password Management for Dummies continues with this noble and time-tested tradition.

The beauty of Password Management for Dummies is its conciseness and simplicity. The meat of the booklet is contained in 18 pages, and it is organized into five simple chapters. Perhaps the essence of this booklet’s importance is captured in the introduction, where it states, “No matter how much you have to do to protect your (digital) assets, it’s still much easier to prevent problems up front than it is to clean up the resulting mess if you are attacked.” When it comes to cyber breaches, truer words were never written.

A source for businesses and individuals

Further, the booklet is written both for individuals seeking to prevent unauthorized access to personal files and records, as well as for small and midsize businesses. The booklet guides each of these different user constituencies through a simple risk assessment before diving headlong into a broader understanding of the importance of passwords in protecting data. Bad passwords are an open door to cybercriminals and the root cause of a majority of affirmed cyber breaches. Much of this section is reflected in a blog published earlier this year.

Given all the risks associated with poor password management by individuals and employees, Password Management for Dummies offers a candid assessment of the reasons behind bad password practices. In essence, it is just too difficult if not impossible for anyone to remember dozens of different, complex passwords needed for all the systems and sites people access without resorting to bad practices, like writing them on sticky notes or in spreadsheets.

What to look for in a great password manager

That is where Password Management for Dummies delivers its most valuable message, articulating the benefits of a trustworthy, established password management solution as well as the attributes to look for in such a system. Among these attributes are:

  • The option of using two-factor authentication, such as a password and a mobile phone alert PIN or biometric impression
  • Ability to keep track of all passwords and to automatically generate highly complex passwords that are virtually impossible to crack
  • Automatic encryption of passwords that extends to any data and files in transit that might be breached, such as videos, photos, and digital certificates
  • An encryption key that is available to the user and only to the user
  • Support for a broad range of operating systems and platforms such that the purchase of a new smartphone or laptop doesn’t necessitate using a different password manager
  • For an SMB, a management dashboard that enables an administrator to quickly and easily determine the relative strength of passwords employees are using without ever having actual access to those passwords
  • The ability to safely and securely share passwords among different employees
  • Help justifying the cost of a business password management system (they are broadly available free for individuals), based largely on reduced helpdesk time resetting forgotten passwords

Cyberthieves count on a continuation of bad password practices. Keeper Security analyzed 13.5 million passwords compromised in data breaches in 2016. The three most common were 123456, 123456789, and 12345. An easy path to far better and easier cybersecurity is just a click away.

How to Keep your Smart Phone Safe and Personal


Keep your Smart Phone Safe

George Orwell’s 1949 classic 1984 painted a dark picture of a dystopian society in which a malevolent government monitors everything its citizens say and do through a ubiquitous network of “telescreens.” What was science fiction in Orwell’s day is reality now, thanks to technology that billions of people carry around in their pockets.

Smartphones are capable of all the scary surveillance scenarios Orwell envisioned, and many more. With their built-in GPSs, cameras, microphones and connectivity to a world of cloud services, they are the best snooping devices ever invented. Knowing the scope of the threat they can pose can help you protect yourself.

Mobile devices haven’t been considered a major threat factor until recently because criminals could make more money breaching credit card and health care databases. But with the street price of those records plummeting, criminals are now turning more of their attention to attacking individuals. The explosion of ransomware attacks in 2016 is evidence of that.

While there have been few reported incidents of cyber attacks on individual smartphones so far, the threat is real. The issue gained prominence recently with the news that President Donald Trump was using an old, consumer-grade Android phone during his first week in the White House. Wired noted that a single click on a malicious link could have caused the phone to be “infected with malware that spies on the network the device is connected to, logs keystrokes, takes over the camera and microphone for surreptitious recording, and more.”

Andrew Hoog, CEO of NowSecure, a mobile security company, has been demonstrating for the past three years simple ways to compromise a phone and download contacts, intercept and respond to text messages, activate the camera and microphone and track the device’s whereabouts to within a few feet – all without the owner’s knowledge.

“We always tell customers to assume that your mobile platform is exploitable,” Hoog noted in this webinar. He said iOS and Android are equally vulnerable.

Hacking phones still isn’t all that difficult. The BBC last year challenged two cyber security experts to rig up code that let them activate the microphone on a compromised Android phone and automatically transcribe overheard conversations. They met the challenge in less than two days.

Google and Apple have acted quickly to catch many of the most obvious vulnerabilities, but they can’t stop risky user behavior or third-party applications. NowSecure’s 2016 Mobile Security Report found that nearly one quarter of mobile apps it audited include at least one high-risk security flaw and 35% of communications sent by mobile devices are unencrypted, meaning that they can be intercepted by an intruder.

Phones present a variety of unique vulnerabilities that aren’t common to laptop or desktop computers, and new features create new tripwires. Last year a team of researchers figured out a way to embed garbled voice commands in YouTube videos that could command the phone to perform certain risky actions, such as downloading malware. With voice-enabled virtual assistants now ubiquitous, this is another scary new vulnerability point.

This video shows in frightening detail how simple it is for an attacker with root access to an Android device to use Metasploit, a popular brand of penetration testing software, to take full control over the full set of phone functions, including sending text messages, capturing photos and initiating chat sessions. All in less than two minutes.

So is it time to ditch the phone, go off the grid and move to a cabin in Montana? Don’t panic yet. The cyber underworld hasn’t seemed very interested in exploiting these opportunities, at least not yet. But that could be changing. Ransomware attacks targeting Android phones grew 50% in 2016, according to ESET, LLC. There are some basic steps you can take to foil all but the most determined attackers.

Enable password security. This seems like a basic practice, but a recent survey of 1,000 mobile device users by Keeper Security found that 32% don’t enable password protection at all. Failing to take this basic step with a device that is easily pilfered from a pocket or purse is as bad as going on vacation and leaving your front door standing open. An even better practice is to enable two forms of security, such as a password accompanied by a PIN or fingerprint.

Don’t install applications from untrusted sources. This is particularly important for Android users, since protection can be turned off with a single switch. Limit downloads to known app stores or branded organizations that you know and trust.

Check permissions before installing an app. Some ask for a ludicrously high level of access compared to the functionality they provide. Should a flashlight app really have access to your phone? Think before you permit.

Don’t click links in texts unless you know the sender. Smartphones are uniquely vulnerable to phishing attacks because a sender can transmit a link by sending a text to the victim’s phone number, thus evading spam filters. Attackers may pretend to be trusted sources, such as your bank or pharmacy. If you aren’t certain of the source, don’t click the link.

Use Encrypted Messaging Services for Private Conversations – There are several free applications available for both iOS and Android that permit you and those close to you to send and receive text messages protected by powerful encryption. If your conversations may involve sensitive personal information, download and install one of these apps and ask your friends to do the same.

Don’t conduct sensitive transactions over an open Wi-Fi network. You have no way of guaranteeing that banking or credit card information is encrypted. Use public Wi-Fi only for browsing.

Don’t use public charging stations. Once you plug your phone into a USB port, an attacker can download files, install malware and monitor your keystrokes. A recently discovered threat called “video jacking” even enables them to get a peek at your phone’s display and to record everything you tap, type or view. You can avoid this risk by investing $30 in your own portable charging device.

Don’t make your Bluetooth connection discoverable. This opens you up to the risk of “bluesnarfing,” which enables the attacker to gain access to any information or service on the device without your permission.

Orwell envisioned 24X7 surveillance as something to be imposed from the top down. He probably never envisioned that we would make ourselves vulnerable to intrusion so willingly. That would have been too strange even for science fiction.

Keeper Mobile Survey Finds Security Awareness is High, but Use of Security Apps is Lagging


Users approach security in a similar way as they do on their desktop computers. This can be a problem, given the unique vulnerability of a smartphone – the small computer that fits in your pocket.  Today, nearly 2.3 billion people use a smartphone.

Keeper conducted a detailed survey of 1,000 smartphone users to determine how they protect their devices and sensitive data. Our findings indicated that password reuse across different applications is frequent, average password strength for mobile applications and websites is low and that most users rarely changed passwords. Additionally, survey respondents rated their overall “trust” in the security of mobile carriers as being low.

Here are the highlights of the survey in an infographic.

The good news is that the risky practice of sharing passwords with others – a bad idea regardless of the platform – is relatively rare. Nearly 64% of respondents said they never share passwords, and another 29% said they share them with no more than two people.

We were also surprised to find that the practice of resetting passwords is quite common. More than 80% of respondents said they have reset a password at least once within the last 60 days. Frequent password resets are considered one of the best ways to foil prospective intruders.

But the practice may be driven more by necessity than by security awareness. We were surprised to find that 52% of respondents said they store passwords by remembering them. While that tactic is neither reliable nor secure, it’s better than writing passwords down on paper, a practice employed by a sizable 23% of our survey-takers.

When they forget a password, more than three-quarters of mobile users told us they can usually access their account in four or fewer attempts. Ten percent reset their password every time they log on, an awkward but effective practice.

Use of social media authentication – also called Open Authorization or “OAuth” – is common. More than three-quarters of the users we surveyed use OAuth on at least one service, and 45% use it on three or more. While OAuth rocks for convenience, it may also expose personally identifiable information to third-party applications, so be careful.

Technology is there to help, but many people don’t use it. We were surprised to find that 55% of smartphone owners have never downloaded protective software. Of the 45% who have, more than half have used an antivirus or anti-malware solution.

Reuse of the same password across multiple applications is quite common, with nearly 84% of users telling us that they access at least two different applications or websites with the same credentials. We commend the 16% who said they never engage in this practice. On the other hand, the 24% who reuse passwords across a whopping five or more applications are playing with fire. We’re also concerned about the 32% of respondents who said they don’t password-protect their phones at all. This is particularly risky behavior because hackers can turn compromised phones into listening devices or use them to track the location of the phone’s owner via the integrated GPS.

People are generally aware that they’re responsible for protecting their own information. A 46% plurality said their mobile device is the least secure device they use, followed by computers at 41% and tablets a distant third at 17%. By that logic, you would expect that people would regard tablets as their most secure devices. But that honor falls to computers, which 52% regard as their most secure device. Strangely, tablets came in a distant third here as well, at 15%.

Bottom line: Mobile devices require just as much security vigilance as desktops. Our survey indicates that people know that, but they’re not making use of the mobile tools that can guarantee peace of mind.

Limited Time Offer: Get 50% Off Keeper Unlimited as Part of the iTunes App Store Promotion


Apple has selected Keeper for a 50% off worldwide promo, on all of its app stores in all countries.

Plans covered include Keeper Unlimited and the Keeper Family Plan. Here’s how to take advantage of the promotion:

Step 1: Download Keeper on the iTunes App Store

Step 2: Upgrade via iTunes for 50% off

Hurry – this 50% off worldwide offer with Apple expires on March 4th at 6 pm PST. 

Keeper is Not Affected by Cloudflare Issue


This week it was revealed that the content delivery service provider, Cloudflare, was affected by a systemic vulnerability that leaked sensitive information from secure HTTPS connections. While the actual manifestation of the bug that caused the leak at first glance may seem relatively small, affecting an estimated 0.00003% of all requests to the Cloudflare service, this still represents a relatively large amount of data considering that Cloudflare serves traffic for over 5.5% of all websites.

To make matters worse, some of this data has been leaked for months, and some of it was cached by Google, Yahoo, Bing and other search engines. The impact of this vulnerability on Cloudflare’s customers and users could stretch on for months or years as more leaked data is discovered by cybersecurity researchers and hackers alike.

Keeper does not utilize Cloudflare or any other distributed content delivery network for the delivery of encrypted user data and, therefore, was not impacted by the Cloudflare vulnerability. Keeper is a zero-knowledge security provider – the keys to decrypt your data are always derived on the end-user device from the master password and are never transmitted over the internet. This helps ensure that, even in the event of a data leak occurring in the transport layer, your data will remain secure.
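The client-side key derivation described above, as an added sketch that is not Keeper's code and not part of the original post. It assumes PBKDF2-HMAC-SHA256 and AES-256-GCM from Node's built-in crypto module; the function names, iteration count and sample strings are constructed for illustration.

```javascript
const crypto = require('crypto');

// Assumed parameters for this sketch (not taken from the page or any product).
const KDF_ITERATIONS = 100000;
const KEY_LEN = 32; // 256-bit key for AES-256-GCM

// Device side: derive the data key from the master password. The key lives
// only in memory on the device and is never placed in anything uploaded.
function deriveKey(masterPassword, salt, iterations = KDF_ITERATIONS) {
  return crypto.pbkdf2Sync(masterPassword, salt, iterations, KEY_LEN, 'sha256');
}

// Device side: encrypt a record and return only the fields that get uploaded.
function sealRecord(masterPassword, plaintext) {
  const salt = crypto.randomBytes(16); // per-record salt, not secret
  const iv = crypto.randomBytes(12);   // fresh GCM nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    iterations: KDF_ITERATIONS,
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ct.toString('base64'),
  };
}

// Device side: re-derive the key and decrypt. final() throws if the password
// is wrong or the blob was modified, because the GCM tag will not verify.
function openRecord(masterPassword, blob) {
  const key = deriveKey(masterPassword, Buffer.from(blob.salt, 'base64'), blob.iterations);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(blob.ciphertext, 'base64')), decipher.final()]);
  return pt.toString('utf8');
}

// Everything a transport-layer leak could capture for this record.
function wireView(blob) {
  return JSON.stringify(blob);
}
```

The uploaded blob carries the salt, nonce, tag and ciphertext but neither the password nor the derived key, so its confidentiality rests on the strength of the master password and the cost of the key-derivation function.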