Smart Bots

AI is making them smarter, smart enough to fool even some of the more savvy among us.

Gone are the poorly worded messages that easily tipped off authorities as well as the grammar police. The bad guys are now better writers and more convincing conversationalists, who can hold a conversation without revealing they are a bot, say the bank and tech investigators who spend their days tracking the latest schemes.

And

AI has enabled scammers to target much larger groups and use more personal information to convince you the scam is real.
Fraud-prevention officials say these tactics are often harder to spot because they bypass traditional indicators of scams, such as malicious links and poor wording and grammar. Criminals today are faking driver’s licenses and other identification in an attempt to open new bank accounts and adding computer-generated faces and graphics to pass identity-verification processes. All of these methods are hard to stave off, say the officials.

That much is on the banks’, et al., IT folks, and I’m unsympathetic to them. This sort of thing is an arms race, and the thieves usually have the initiative of the first move. However, harder, and hard, mean possible; there’s no excuse for being slow to respond—and by slow, I mean as late as the next day or two to advise the victim and to correct the problem.

Even the late Muammar Gaddafi’s widow is becoming a better writer as she appeals to each of us.

However, the victim and potential victim—you and I—have certain critical responsibilities, too. One of those is to check our accounts frequently to look for unusual, unexpected, unknown charges and expenditures. That means checking much more frequently than the monthly account statement: at least a few times per week. Sure that takes a bit of time, but what’s the cost of letting a bogus charge go undetected for so long?

There’s a proactive step we can take, too, that will take longer to bring to fruition because it involves our legal system, but it can have broader and more permanent outcomes. The bad guys are now…more convincing conversationalists. Since they’re willing to talk, ask the conversationalist straight out if it’s a bot or an AI-generated conversationalist. If the answer comes back “Yes,” you can continue or not with a better understanding of the risk you’re taking.

If the answer is to hang up the call or otherwise quit the conversation, you’ve gotten an even clearer answer.

If, though, the answer comes back “No,” and something untoward happens to you through that conversation, now you have the programmer who wrote the bot, and likely his employer, too, whether an otherwise legitimate company or a dark net entity, engaging in any number of frauds, including false advertising and theft. Convicting the programmer and burning the employer will take that longer time, but the outcomes are more permanent.

In the end, though, an old and tritely phrased aphorism is absolutely true: if the arrangement on offer seems too good to be true, it isn’t true.

How is this Possible?

Personal information of 7.6 million AT&T customers and of 65 million former AT&T customers have appeared on the dark web in the last two weeks. Stuff happens, even egregiously bad stuff. What makes this stuff especially egregiously bad, though, is AT&T‘s claim that the data appear[] to have come from 2019 or earlier.

That especially bad status flows from some questions:

Why wasn’t the data breach discovered those 5 or more years earlier; why did AT&T not know of the breach of its own systems until they saw the results of the breach just recently?

If AT&T did know of the breach those years ago, why did they sit on the information all this time?

If AT&T did discover the data breach promptly, and the data that appeared on the dark web only happened to be from 2019 and prior, what were the safe guards in place—or not—for what would have been archived data? What are the safeguards for data from 5 years ago through to the present? How does AT&T know those data haven’t been penetrated and stolen, also?

Password Access for Heirs

Kurt Knutsson has some thoughts on ensuring your heirs, as designated by you, have access to your passwords after you’ve died. Passwords are especially critical for access by your heirs to your financial accounts, brokerage accounts, subscriptions and online purchasing facilities on which you’ve stored credit data for convenient renewal and purchase execution (yeah, I know…), and so on.

Knutsson’s thoughts center on using a password manager to hold the passwords so that only the manager’s password needs to be kept available to an heir.

I have thoughts, too.

In-the-cloud password managers can be hacked, just as can another other cloud facility, because the ongoing arms race between hackers and security developers always has the hackers having the initiative. When anything in the cloud gets hacked everything in the cloud—at the least, your particular assignment in the cloud—gets exposed. There go the passwords.

In-the-cloud managers also depend on access to the Internet, and lots of things can block that access at critical times and for critically long durations. These can range from storm-related power failures taking down ISP servers or power to your own house’s neighborhood, through to auto accidents taking out an electric power distribution point feeding your neighborhood (this has happened to me a couple of times) on up through to hackers’ access denial attacks.

Password managers on your browser? That would eliminate Internet access-related problems, but not the hacking problem. Browsers can be hacked, and yes, even the most carefully set up household LAN can be hacked—see the arms race above.

All of that is remote access by the hacker.

An alternative, preferred by my august self, is to write down on paper your passwords and the accounts to which they allow access. Keep those passwords under lock and physical key (cypher locks can fail from battery failure. Losing memory from loss of battery is rarer with modern locks, but there is neither battery nor memory failure from any cause with a physical key). Let your heirs know where they can find that locked location and its key. A good place to store that knowledge is in the Letter of Instruction you’ve written (and keep updated) and placed with your copy of your Will. Because of course you’ve written both.

Hard copy, written down, passwords can only be hacked by physical entry into your home and entry into your locked storage device. That requires the hacker to be physically on scene. And that’s much rarer than any software hacker breaking into any software password manager from anywhere the hacker finds convenient.

Oh, and the convenience of password managers for accessing your money-related accounts across all of your devices? No, don’t do that. Keep your money access stuff limited to a single device, ideally your PC or laptop, and never your cell phone. The cost of that convenience is just too high.

Keep it real, as the kids say. Keep it physical.

What To Do on Getting a New PC?

Kurt Knutsson offered a checklist for this in a recent Fox News article, and it could be a useful checklist, but for one glaring error (IMNSHO).

That error relates to securing the new PC from hackers. In Knutsson’s checklist, that doesn’t occur until the fourth step. His first step is thereby made the most dangerous thing a new PC/laptop owner can do.

When you first open your new PC, Windows will ask…to connect to your Wi-Fi. Select whatever network you use and input your password. You can then click on “connect automatically” so Windows won’t ask you for a password every time you want to connect to the internet.

Years ago, I bought a new laptop from a major seller, and in short order, it arrived, direct from the seller’s factory in Shanghai, PRC. At the time, in my naivete, I thought that was pretty cool. However, before I connected the laptop to my LAN, much less to the Internet, I swept it with an anti-malware software package that I moved onto it via a thumb drive, something I’d always done heretofore just on GPs. My brand, spanking new, fresh from the factory laptop had come with a factory-installed Trojan malware package. (When I corresponded with the seller about this, that entity showed zero interest in dealing with the matter. I’ve declined to do business with that company since.)

So. Contra Knutsson, it’s a Critical Item that the first thing you do after applying power to your brand new PC/laptop, wherever it was assembled, is to sweep it with your anti-malware package, which you install from a thumb drive (not by any connection to your LAN or to the Internet), and clear out any malware that may already be present. In truth, preinstalled malware is a pretty rare thing, but it would take only one occurrence to infect all of your devices.

Once that sweep-and-clear operation has been done, it would be good to work through Knutsson’s checklist. One further recommendation, though: if the Windows OS (or the Mac OS) allows it, do the computer security settings step next, then install your preferred browser and set up its security/privacy settings. Then do the Windows (Mac) update step, and then proceed through the checklist.

But malware sweep first.