TechTidBit - Tips and advice for small business computing - Tech Experts™ - Monroe Michigan

Brought to you by Tech Experts™

Is Your Online Shopping App Invading Your Privacy?

Online shopping has become a common activity for many people. It’s convenient, easy, and allows us to buy items from the comfort of our homes. But with the rise of online shopping, there are concerns about privacy and security.

Not all shopping apps are created equally. Often people get excited and install an app without checking privacy practices. Apps can collect more data from your smartphone than you realize. Whether you use your phone for personal use, business use, or both, your data can be at risk. So can your privacy.

Recently, security experts found a popular shopping app spying on users’ copy-and-paste activity. This app was tracking users’ keystrokes, screenshots, and even their GPS location. This raises the question: Is your online shopping app invading your privacy?

SHEIN is the app in question, and it’s a popular shopping app with millions of users. According to reports, researchers found the app collecting data from users’ clipboards. This included any text that users copied and pasted. This means that if the user copied and pasted sensitive information, the app would have access to it.

Including things like passwords or credit card numbers.

Not only that but the app was also found to be tracking users’ GPS location. SHEIN was also collecting data from device sensors, including the accelerometer and gyroscope. This means that the app was able to track users’ movements. As well as collecting information about how they were using their device.

The app’s developers claimed that the data collection was for “optimizing user experience.” A very vague explanation that’s used by other app developers as well.

The developers stated that the collected data was only used for internal purposes. But this explanation wasn’t enough to please privacy experts. Those experts raised concerns about the app’s data collection practices.

This isn’t the first time people caught an app grabbing data without users’ knowledge. Many popular apps collect data from their users, often for targeted advertising purposes.

The popularity of the shopping app Temu has been exploding recently. Since the app appeared in a Superbowl Ad in 2023, people have been flocking to it.

But Temu is another shopping app with questionable data collection practices. Some of the data that Temu collects includes:

  • Your name, address, phone number
  • Details you enter, like birthday, photo, and social profiles
  • Your phone’s operating system and version
  • Your IPS address and GPS location (if enabled)
  • Your browsing data

Here are some tips to protect your privacy when using shopping apps.

Know what you’re getting into (read the privacy policy)

Yes, it’s hard to stop and read a long privacy policy. But, if you don’t, you could end up sharing a lot more than you realize.

Turn off sharing features

Turn off any data-sharing features you don’t need in your phone’s settings, such as location services. Most smartphones allow you to choose which apps you want to use it with.

Remove apps you don’t use

If you’re not using the app regularly, remove it from your phone. Having unused apps on your phone is a big risk.

Research apps before you download

It’s easy to get caught up in a fad. You hear your friend talk about an app, and you want to check it out. But it pays to research before you download.

Shop on a website instead

You can limit the dangerous data collection of shopping apps by using a website instead. Most legitimate companies have an official website.

Learn How To Fight Business Email Compromise

A significant cyber threat facing businesses today is Business Email Compromise (BEC). BEC attacks jumped 81% in 2022, and as many as 98% of employees fail to report the threat.

What is business email compromise (BEC)?

BEC is a type of scam in which criminals use email fraud to target victims. These victims include both businesses and individuals. They especially target those who perform wire transfer payments.

BEC attacks are usually well-crafted and sophisticated, making it difficult to identify them. The attacker first researches the target organization and its employees online. They gain knowledge about the company’s operations, suppliers, customers, and business partners.

The scammer pretends to be a high-level executive or business partner. Scammers send emails to employees, customers, or vendors.

These emails request them to make payments or transfer funds in some form.

The email will often contain a sense of urgency, compelling the recipient to act quickly. The attacker may also use social engineering tactics. Such as posing as a trusted contact or creating a fake website that mimics the company’s site. These tactics make the email seem more legitimate.

According to the FBI, BEC scams cost businesses about $2.4 billion in 2021.

These scams can cause severe financial damage to businesses and individuals. They can also harm their reputations.

How to fight business email compromise

BEC scams can be challenging to prevent. But there are measures businesses and individuals can take to cut the risk of falling victim to them.

  • Educate employees
  • Enable email authentication
  • Deploy a payment verification processes
  • Check financial transactions
  • Establish a response plan
  • Use anti-phishing software

Get ready for the unexpected

If your business suffers an email compromise or a ransomware attack tomorrow, do you have a contingency plan in case of any disasters? The unexpected can happen anytime, and small businesses can get hit particularly hard.

Here are ten helpful tips to get ready for anything:

  1. Create a contingency plan
  2. Maintain adequate insurance coverage
  3. Diversify your revenue streams
  4. Build strong relationships with suppliers
  5. Keep cash reserves
  6. Build strong outsourcing relationships
  7. Check your financials regularly
  8. Invest in technology
  9. Train employees for emergencies
  10. Stay up to date on regulatory requirements

Thinking Of Moving Offices Or Going 100% Remote?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Has hybrid and remote working left you and your team rattling around an office that’s too big?

If you’re now in the position of overspending on rent, utilities and cleaning, you might be thinking about downsizing to another location – or even abandoning the office completely.

That’s something that will take some planning if you want a smooth transition with minimal, expensive downtime.

Moves are always stressful, and relocating your IT systems takes a bit more thought than manhandling a desk up the stairs.

So here are our top three suggestions to make it easier to shift your IT setup to a new location.

[Read more…] about Thinking Of Moving Offices Or Going 100% Remote?

Is It Time To Ditch The Passwords For More Secure Passkeys?

Passwords are the most used method of authentication, but they are also one of the weakest.

Passwords are often easy to guess or steal. Also, many people use the same password across several accounts. This makes them vulnerable to cyber-attacks.

The sheer volume of passwords that people need to remember is large. This leads to habits that make it easier for criminals to breach passwords. Such as creating weak passwords and storing passwords in a non-secure way.

61% of all data breaches involve stolen or hacked login credentials.

In recent years a better solution has emerged – passkeys. Passkeys are more secure than passwords. They also provide a more convenient way of logging into your accounts.

Passkeys work by generating a unique code for each login attempt. This code is then validated by the server. This code is created using a combination of information about the user and the device they are using to log in.

You can think of passkeys as a digital credential. A passkey allows someone to authenticate in a web service or a cloud-based account. There is no need to enter a username and password.

This authentication technology leverages Web Authentication (WebAuthn). This is a core component of FIDO2, an authentication protocol. Instead of using a unique password, it uses public-key cryptography for user verification.

The user’s device stores the authentication key. This can be a computer, mobile device, or security key device. It is then used by sites that have passkeys enabled to log the user in.

More secure

One advantage of passkeys is that they are more secure than passwords.

Passkeys are more difficult to hack. This is true especially if the key generates from a combination of biometric and device data.

Biometric data can include things like facial recognition or fingerprint scans. Device information can include things like the device’s MAC address or location.

This makes it much harder for hackers to gain access to your accounts.

More convenient

Another advantage of passkeys over passwords is that they are more convenient. With password authentication, users often must remember many complex passwords. This can be difficult and time-consuming.

Forgetting passwords is common and doing a reset can slow an employee down. Each time a person has to reset their password, it takes an average of three minutes and 46 seconds.

Passkeys erase this problem by providing a single code. You can use that same code across all your accounts. This makes it much easier to log in to your accounts. It also reduces the likelihood of forgetting or misplacing your password, or worse, writing it down.

Phishing resistant

Credential phishing scams are prevalent. Scammers send emails that tell a user something is wrong with their account.

They click on a link that takes them to a disguised login page created to steal their username and password.

When a user is authenticating with a passkey instead, this won’t work on them. Even if a hacker had a user’s password, it wouldn’t matter. They would need the device passkey authentication to breach the account.

What Is Push Bombing And How Can You Prevent It?

In the fast-paced digital landscape, businesses both big and small face a multitude of challenges. One such emerging threat that has garnered significant attention is “push bombing.”

This practice involves bombarding a company’s push notification system with fraudulent or malicious requests, causing disruptions, overwhelming server capacities, and undermining user experiences.

Small companies, in particular, are vulnerable to the detrimental effects of push bombing as they often lack the resources and expertise to swiftly counteract such attacks.

Understanding push bombing

Push bombing refers to the deliberate act of flooding a company’s push notification system with an excessive number of requests, typically generated by automated scripts or bots.

These requests are intended to exhaust server resources, disrupt normal operations, and degrade the performance of legitimate notifications.

Push bombing can lead to a series of detrimental consequences for targeted businesses, including increased server costs, diminished user experience, loss of customer trust, and even reputational damage.

Small companies often face a unique set of challenges when dealing with push bombing attacks.

Limited budgets, scarce technological resources, and a lack of dedicated security personnel make it difficult for these businesses to respond effectively. Unlike larger enterprises, small companies may not have the financial means to invest in robust security systems or hire specialized personnel to address such threats.

Consequently, they become attractive targets for push bombing perpetrators seeking vulnerabilities to exploit.

Preventive measures for small businesses

While it may be challenging for small companies to completely eradicate the risk of push bombing, there are several key, low-cost preventive measures they can take to minimize the impact of such attacks:

Implement rate limiting: By setting thresholds for the number of push notifications allowed per second, small companies can regulate the flow of requests and prevent overwhelming their systems.

Rate limiting helps distinguish legitimate user requests from automated ones and ensures a more balanced distribution of server resources.

CAPTCHA implementation: Employing CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) in push notification sign-up forms can effectively deter automated bots from inundating the system with fake requests.

CAPTCHAs require users to complete a challenge, thus confirming their human presence and preventing malicious activities.

Monitor traffic patterns: Vigilant monitoring of network traffic can help small companies identify abnormal patterns indicative of a push bombing attack.
Employing security tools that provide real-time alerts and anomaly detection capabilities can enable proactive response and mitigation.

Two-factor authentication (2FA): Implementing 2FA for push notification subscriptions can add an extra layer of security. By requiring users to verify their identities through a secondary authentication method, such as SMS codes or email confirmations, small companies can significantly reduce the risk of unauthorized subscriptions by bots.

Collaborate with security experts: Small companies can benefit from partnering with reputable cybersecurity firms or consultants.

These experts can assist in conducting security assessments, implementing protective measures, and providing guidance on responding to push bombing attacks, thus augmenting the company’s overall security posture.

As digital threats continue to evolve, it is crucial for small companies to remain proactive in safeguarding their push notification systems against push bombing attacks.

By implementing preventative measures such as rate limiting, CAPTCHAs, traffic monitoring, 2FA, and seeking professional guidance, small businesses can fortify their defenses and mitigate the risks associated with push bombing.

As technology advances, it is essential for companies of all sizes to prioritize cybersecurity to maintain the trust and confidence of their customers, ensuring smooth operations and sustained growth in an increasingly digital world.

The Transformative Power Of Cloud Computing For Small Businesses

Small companies face numerous challenges, including limited resources, budget constraints, and the need to stay technologically relevant. Thankfully, advancements in technology have leveled the playing field, empowering small businesses with tools and solutions that were once only accessible to larger enterprises.

One such technology that has revolutionized the way businesses operate is cloud computing.

Cost savings

Traditional on-premises IT infrastructure can be expensive for small businesses, requiring significant upfront investments in hardware, software licenses, and maintenance.

Cloud computing offers a more cost-effective alternative. With cloud services, small businesses can leverage scalable resources and pay only for what they use, eliminating the need for infrastructure investments.

Collaboration and remote work

The ability to collaborate effectively is essential for small businesses to thrive.

Cloud computing facilitates seamless collaboration by providing a centralized platform accessible to employees from anywhere with an internet connection.

Cloud-based tools such as project management systems, document sharing platforms, and real-time communication apps enable teams to work together efficiently, regardless of their physical location.

This capability is especially valuable for small businesses with remote workers or distributed teams, fostering productivity and efficiency.

Data security

Protecting sensitive business data is a critical priority. Cloud computing offers robust security measures, including data encryption, regular backups, and advanced authentication protocols.

Storing data in the cloud reduces the risk of data loss due to hardware failures, theft, or natural disasters.

Cloud service providers typically have dedicated security teams and advanced threat detection systems, ensuring a higher level of data security than many small businesses can achieve on their own.

Flexibility and accessibility

Cloud computing provides small businesses with unparalleled flexibility and accessibility. Employees can access critical business applications and data from any device with an internet connection, enabling remote work and enhancing productivity. This flexibility also extends to the ability to quickly scale resources up or down based on business needs.

Cloud-based services also ensure that software and applications are regularly updated, eliminating the burden of manual updates and ensuring access to the latest features and security enhancements.

Competitive advantage

Adopting cloud technology can provide small businesses with a significant competitive advantage.

It allows smaller companies to access enterprise-level tools, applications, and infrastructure that were once exclusive to larger organizations.

This leveling of the playing field enables small businesses to innovate, streamline operations, and deliver enhanced customer experiences.

Cloud computing has emerged as a transformative technology for small businesses, offering a wide array of benefits, including scalability, cost efficiency, enhanced collaboration, data security, and improved flexibility.

By embracing cloud services, small businesses can leverage the power of advanced IT infrastructure without the burdensome costs and complexities associated with traditional on-premises solutions.

The cloud empowers small businesses to compete effectively, drive innovation, and achieve growth in an increasingly digital and interconnected world.

A Four-Day Week Doesn’t Mean Four-Day Security

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Are you one of the many companies around the world that’s looking at a four-day working week? Perhaps you’ve already made the leap.

Or, do you find that your team takes more time off during the summer months?

For lots of businesses, it’s never going to work. But those that have tried it have generally found it to be hugely positive. It improves your employees’ experience, making them more loyal, engaged, and productive.

It can help to attract and retain better talent, while improving your brand reputation. And let’s not ignore the cost savings of shutting down the office for an extra day.

But it has to be done right. Forcing people to cram the same amount of work into fewer hours could be a recipe for burnout and exhaustion.

That can lead to corners being cut, which in turn could lead to a cyber security disaster. Even if processes aren’t being intentionally skipped, human error due to a lapse in concentration becomes inevitable. [Read more…] about A Four-Day Week Doesn’t Mean Four-Day Security

What Is App Fatigue And Why Is It A Security Issue?

The number of apps and web tools that employees use on a regular basis continues to increase. Most departments have about 40-60 different digital tools that they use. 71% of employees feel they use so many apps that it makes work more complex.

Many of the apps that we use every day have various alerts. We get a “ping” when someone mentions our name on a Teams channel. We get a notification popup that an update is available. We get an alert of errors or security issues.

App fatigue is a very real thing and it’s becoming a cybersecurity problem. The more people get overwhelmed by notifications, the more likely they are to ignore them.
Just think about the various digital alerts that you get.

They come in:

  • Software apps on your computer
  • Web-based SaaS tools
  • Websites where you’ve allowed alerts
  • Mobile apps and tools
  • Email banners
  • Text messages
  • Team communication tools such as Slack or Teams

Some employees are getting the same notification on two different devices. This just adds to the problem.

This leads to many issues that impact productivity and cybersecurity. Besides alert bombardment, every time the boss introduces a new app, that means a new password.

Estimates are that the average employees is already juggling about 191 passwords. They use at least 154 of them sometime during the month.

How Does App Fatigue Put Companies at Risk?

Employees Begin Ignoring Updates

When digital alerts interrupt your work, you can feel like you’re always behind. This leads to ignoring small tasks seen as not time-sensitive. Tasks like clicking to install an app update.

Employees overwhelmed with too many app alerts tend to ignore them. When updates come up, they may quickly click them away. They feel they can’t spare the time right now and aren’t sure how long it will take.

Ignoring app updates on a device is dangerous. Many of those updates include important security patches for found vulnerabilities.

When they’re not installed, the device and its network are at a higher risk. It becomes easier to suffer a successful cyberattack.

Employees Reuse Passwords (and They’re Often Weak)

Another security casualty of app fatigue is password security.

The more SaaS accounts someone must create, the more likely they are to reuse passwords. It’s estimated that passwords are typically reused 64% of the time.

Credential breach is a key driver of cloud data breaches. Hackers can easily crack weak passwords. The same password used several times leaves many accounts at risk.

Employees May Turn Off Alerts

Some alerts are okay to turn off. For example, do you really need to know every time someone responds to a group thread?

But, turning off important security alerts is not good.

There comes a breaking point when one more push notification can push someone over the edge.

What’s the Answer to App Fatigue?

It’s not realistic to just go backward in time before all these apps were around.

But you can put a strategy in place that puts people in charge of their tech, and not the other way around.

  • Streamline your business applications
  • Have your IT team set up notifications
  • Automate application updates
  • Open a two-way communication about alerts

Don’t Forget Your Phone’s Security Settings

It’s common for people to rely on their personal phones to keep in touch at work.

That’s not always the best idea, and there are lots of good reasons to provide company phones to your team (would you want to own the number and block access to sensitive data if somebody left?)

But whoever owns the device, you need to make security your top priority. Cyber criminals know how much valuable information lives on our mobiles, and they’re making phones a target.

If you don’t already have a mobile security and management strategy in place, it’s time you did. Here are our top 5 ways to keep phones secure:

Set minimum upgrade requirements

Cyber crooks and device manufacturers both work in three-year cycles. That means that, as threats evolve, so do the protections that address them. Upgrade devices to follow this cycle, and even if you’re using BYOD (bring your own device), enforce this rule if employees want to use their personal phone for work.

Implement mobile device management

MDM allows you to track the location of devices, lock/wipe their data remotely, and can help you access remote support for any issues. That means your data stays safe, even in cases of a lost or stolen phone. You can also create a list of apps that are to be blocked for security reasons.

Set up MFA (Multi-Factor Authentication)

Make sure all devices have biometric locks requiring facial or fingerprint ID to open them, and that all apps require MFA to log in. Only allow employees access to the software and files they need for their job.

Always update everything

Like all your devices, phones need to have the latest updates installed as soon as they become available.

If you have MDM in place, it’s possible to schedule updates across the entire team at the same time – ask us for more info.

Regular awareness training

You should hold regular cyber security training for your team that includes mobile devices. Your people are your weakest link when it comes to security. Keeping them up to speed on security risks can improve compliance.

It’s easy to overlook mobile devices when it comes to keeping your data secure, but it’s a vital step in protecting yourself against cyber attacks.

These Everyday Objects Can Lead To Identity Theft

You wouldn’t think a child’s toy could lead to a breach of your personal data. But this happens all the time.

What about your trash can sitting outside? Is it a treasure trove for an identity thief?

Many everyday objects can lead to identity theft.

Old smart phones

Our smartphones and tablets have become extensions of ourselves, storing a vast amount of personal information. If lost, stolen, or compromised, these devices can provide unauthorized access to sensitive data, including emails, contacts, financial apps, and social media accounts.

Make sure you clean any old phones by erasing all data or destroying the device.

Wireless printers

Protect wireless printers by ensuring you keep their firmware updated. You should also turn it off when you don’t need it.

Trash can

Identity theft criminals aren’t only online. They can also be trolling the neighborhood on trash day. Discarded items in your trash can reveal personal information that identity thieves can exploit. Dumpster diving is a common tactic used to extract valuable data, such as bank statements, credit card receipts, or pre-approved credit offers.

Always shred or destroy any documents before disposing of them, even those that may not seem sensitive at first glance.

It’s also wise to invest in a cross-cut shredder, which provides better protection compared to strip-cut shredders.

USB sticks

You should never plug a USB device of unknown origin into your computer. This is an old trick in the hacker’s book. They plant malware on these sticks and then leave them around as bait.

Old hard drives

When you are disposing of an old computer or old removable drive, make sure it’s clean. Just deleting your files isn’t enough. It’s best to get help from an IT professional to properly destroy your old computer hard drive.

We have a special drive crushing tool at Tech Experts – just let us know if you need some drives recycled.

Physical documents

Physical documents, such as bank statements, bills, medical records, and tax documents, contain a wealth of personal information. Disposing of them carelessly or leaving them unattended can be an open invitation to identity thieves.

Always shred sensitive documents before discarding them, especially those containing financial or personally identifiable information. Furthermore, consider digitizing important documents and securely storing them on encrypted devices or cloud platforms with strong authentication measures.

Children’s IoT devices

You should be wary of any new internet-connected kids’ devices you bring into your home. Install all firmware updates and do your homework.

ATMs

This is called skimming. Malicious actors can use hidden devices on ATMs or card readers to steal your card information during transactions.

Identity theft can have devastating consequences, impacting both your personal and financial well-being.

Safeguarding physical documents, securing mail, keeping wallets and purses safe, protecting mobile devices, and properly disposing of personal trash are essential steps in minimizing the risk of identity theft. Remember, vigilance and informed decision-making are key.