In 2018, security and cyber breaches are no longer a matter of if – they’re a matter of when, and how protected you are. In fact, most people have already had some portion of their data or personal information compromised, but don’t yet know it.
Dan Konzon is the Vice President of Guidance and Information Technology at Advisor Armor – a cybersecurity firm specifically for financial firms. Additionally, he’s spoken at Microsoft and taught parents and students about cybercrime and online best practices.
Just like planning for retirement or estate planning to protect your family, protecting yourself from cybercrime is ongoing. You can’t fix things once and have them stay fixed forever. However, there are many small, easy things you can do to empower yourself and stay much safer. Today, Dan joins the podcast to share information you may not know, as well as how to protect yourself from the bad guys for years to come.
Complete Show Notes: bayntree.com/18
[00:00:45] Andrew: Welcome, Dan, to the Your Wealth & Beyond Podcast. We’re super excited to have you today. How’s everything going?
[00:00:53] Dan: Things are going great with me, Andrew. I’m glad to be here today.
[00:00:55] Andrew: And as you listeners know that Your Wealth & Beyond Podcast is built from the ground up to help each of you build wealth, find purpose but also provide tips and strategies in our everyday life. And for all of us, it’s not really if. It’s when we’re going to be affected by a security or cyber breach. And today, Dan, thanks for spending the time to go through some of what’s happening out there, the tips, the strategies that we can all take away whether we’re individuals, whether we’re business owners to help protect us at home and on the go. So, Dan, we’re going to dig into a lot today but real briefly, what’s your passion in regards to IT Security and helping to protect individuals and businesses from the bad guys? Where did that come from?
[00:01:51] Dan: Sure. First, I’ll say that it’s not an if when somebody’s getting attacked. Most of the time we’ve already been hacked. We just don’t know about it and my passion from this just it’s grown over time started helping, wanting to help others, needing to help myself out of necessity out of the cyber stuff and then through plenty of speaking engagements through like Microsoft and helping students and parents learning about how cybercrime can affect them as professionals and/or students trying to get into college.
[00:02:29] Andrew: So, what you stated there, that’s a pretty scary phrase you said there. We know it’s going to eventually affect all of us but would you say the majority of us have been affected and we just don’t really know to the extent?
[00:02:41] Dan: Totally. I would probably say all of us have been hacked or are hacked and maybe don’t know it. And so, typically we don’t know that we’ve been hacked until we actually feel the effects of it or like on a system until maybe multiple hackers are vying for resources on that machine.
[00:03:04] Andrew: You know, when we think about the news over the last five or six years, one of the big few, the Yahoo breach back in 2013 and 2014 which I think affected over 3 billion people and then the Equifax which was last year. So, it’s not a lot of times – so we hear these big breaches or even the eBay or the Target that gets us starting to think about it. So, listeners, just like when you plan for retirement, just like when you protect your family through estate planning, we’ve got to be proactive in protecting ourselves from the cyber sleuth, these thieves out there, and it’s one that, unfortunately, guys, it’s not going to be where we fix it and then it’s gone. It’s going to be an ongoing battle. So, walk us through, Dan, some of the things that are out there, some of the concerns that you have, that we have that are forefront that they know but then some of the concerns that maybe we don’t know. So, let’s start there and then we can dive into some of the tips and strategies on what we can do to protect ourselves.
[00:04:06] Dan: Sure. Some of the big ones and the easiest ones for hackers to do are phishing scams, spear phishing, watering holes, these kinds of things. We hear these terms and what they are is when someone is targeting an individual to try to get their usernames, passwords, things like this but then log in to other sites. So, passwords are a big concern.
[00:04:30] Andrew: So, when you say phishing and I know that’s a phrase that a lot of us have heard but what about those of us out there that have heard it but don’t really understand what that means?
[00:04:40] Dan: Sure. Phishing is we have PH but it works a lot like with the FI. So, it’s not much different than actually trying to go and get fish but phishing is just electronically going out trying to send let’s say sending you information or doing tracking keystrokes. I can actually send you an email with a link and then if you click on that link, I can actually put malware in your computer that captures keystrokes or sends you to a fake let’s say bank account and then when you log in to that bank account page, I capture your username and password, state that it’s incorrect and then forward it to the actual site so then I capture that and then try to use it on every other bank account or credit card account as possible because oftentimes people use similar passwords for multiple accounts which is a big no, no.
[00:05:37] Andrew: Right. And these phishing scams that I’ve seen progress over the years and we all get them, sometimes we just don’t know, but what you’ve seen as well is the professionalism of it. And, listeners, what’s happening is they’re taking brands that you trust whether Bank of America, whether it be PayPal, whether it be Chase, whatever that realm is, Amazon, iTunes, ultimately, they’re going to like you said, phish out there, but then put together this email that looks to the naked eye like it’s real. I guess because I’ve been in the industry and security is very important for us, we’ve got a keen eye to it but for the more of the novice out there, is there anything in regards to these phishing emails that they should look for before making that click? What would be some advice?
[00:06:30] Dan: Sure. The big thing to do is when you hover a link, it will expose what that link is before you do it and so it’s always a good way to before you just click on something you just hover over it, see if it actually goes to that site. Oftentimes, instead of going to Bank of America it’ll say it’s going to $B1blahblahblahBank of America. And so, that’s a good telltale that it’s not correct. But better yet, if you get something from a bank or what’s really popular lately is a LinkedIn request and so you’ll get something that says, “Hey, this person wants to connect with you on LinkedIn. Click here to connect with them.” It seems harmless and you go, “Great. Connect.” These are fraudulent emails. The best thing to do is to not open the email, to go ahead and log into your bank account or log into LinkedIn or whatever account that’s potentially fraudulent and then interact with it there. So, if I’ve sent you a friend request that it’s going to be in LinkedIn. You don’t have to deal with it via the email.
[00:07:37] Andrew: That’s interesting because I guess if I do the podcast because I learn stuff all the time but an interesting component there on the LinkedIn so I’m thinking in my mind one way to protect from that and I’ll probably do this after the show, is there a way within LinkedIn that you could turn off email notifications of invites?
[00:07:53] Dan: Yes, you can. However, that doesn’t stop somebody from still – if I send you a fraudulent email, you’re still going to get that, right?
[00:08:02] Andrew: True. But you also in my mind I would know and if you did that, you would know, listener, that, “Hey, I already turned this off at the spigot. It’s off.”
[00:08:11] Dan: Right. I shouldn’t be getting it. Right.
[00:08:13] Andrew: You shouldn’t be getting it. That’s one way to protect because I think with LinkedIn that’s a great way for these guys to get in there. So, first and foremost, always think through before you click even if it’s somebody that you recognize because they could be compromised. Isn’t that correct? If I’m sending you an email and you say, “Oh, that’s Andrew. I trust him,” but you always have to be thinking that potentially I was hacked and now it’s a domino effect down to you.
[00:08:41] Dan: Totally. And you bring up a good point there, Andrew, with being purposeful on when you do click. And so, when you do interact with things, it’s very important to be very purposeful and to make sure you’re doing something that you really intend to do. One common way the hackers get information too is through Facebook. And so, using something like a Facebook social media account where I can send something to you like what’s your favorite, what’s your dinosaur name, and actually can put malware in that link. And so, when you click on that, not only do I capture information on you but I can capture all the contacts that you have on your Facebook account as well and I can try to get reach out to them.
[00:09:28] Andrew: And so, the way they’re doing that that would be via an email?
[00:09:31] Dan: That would be via – something that pops up on your Facebook account. And so, it can be something as simple as and I’ll give you an example of I hacked a newscaster on live television once and what we did is we played a cat video and a couple of seconds into that cat video, there was a script that ran that paused the video and said, “You can log out of your Facebook account. Re-login to continue.” And no matter what information you put in there it continues the video. And so, once you’ve given that information now, I mean, you’ve given that information to a hacker, the hacker didn’t even have to go and try to hack the information from. They just asked you what your username and password is and oftentimes people will actually give it.
[00:10:18] Andrew: Do you have the clip of that live TV show on YouTube that we can add to the show notes?
[00:10:23] Dan: I don’t. I know it was run – some of it was edited out because of his when we pulled up his profile.
[00:10:31] Andrew: Got it.
[00:10:31] Dan: But it did run. It was in Vegas during the hacking convention there, DEF CON, and it was run before – so in Las Vegas and it was run before the Olympics opening ceremony. So, if you just could probably search for it and find it there.
[00:10:51] Andrew: Perfect. And so, one of the other things when we, and still staying on this phishing email because I think that’s a big one, it’s accurate to say that no big bank, no company that you have a relationship with are going to ask you for your password, your user ID, your Social Security number, your date of birth, your mother’s maiden name, none of that would or should come through an email. Is that accurate?
[00:11:17] Dan: Very much so. And they shouldn’t be asking – they really shouldn’t be reaching out in an email for you to click through things either. Usually, you’ll get a notification that says, “Log on to your account and we’ll notify you there.”
[00:11:29] Andrew: Okay. So, the first step for you is for your own self to be very, very, very diligent in regards to looking at an email before you click on anything and never ever give your information even if you do click. And let’s say somebody does make that mistake to click, does it necessarily mean they’re dead in the water yet or did they then have to actually input their information so they’ve got like a two-step to screw up once and then say, “All right, I got to protect myself?”
[00:12:04] Dan: Sure. This is a great question and sometimes they could be dead in the water depending on what that link did. There are ways that the users can protect themselves that they’re on their home network. They can use, one, antivirus software, malware detection software as well. So, not just antivirus but malware detection as well so when they do click on something, if it picks it up as malware it should prevent it from taking over the computer. And then three, having a device like a firewall device on their network as well like CUJO is an inexpensive easy-to-set-up home network firewall. I think will also protect them as well so when they do go to click on that or something tries to run on the background that will prevent it from maybe happening to their computer.
[00:12:59] Andrew: Okay. So, what you’re saying is on a home network we’ve got the Wi-Fi, we’ve got the router so rather than just having a firewall installed on their laptop, on their computer like Microsoft and Apple has, you’re saying go a step further and make sure that the network itself is protected similar to when we’re in our office space, and we’ll talk a little bit about that here a little bit, but overall similar to how we have protection in there and in that way you’re protecting the network itself.
[00:13:30] Dan: Yeah. Very much so. And the extra layer of protection goes beyond your computer and they kind of jump into the Internet of things which a lot of people have heard about on their home networks. We connect doorbells, refrigerators, televisions, and these are other ways that hackers can get into your network and so having that firewall device on your network as well will protect all of those other devices.
[00:13:56] Andrew: And on that Internet of things and even your network, some of the mistakes you’ve seen in regards to passwords, what is some of the areas of concern that you have for individuals that aren’t properly protecting or creating that password correctly?
[00:14:10] Dan: Sure. They use easy passwords, short passwords with their name in it, with their birthday, their favorite dog, these kinds of things. So, the longer the password the more characters, things that you can put in there to make it more difficult to get, and more difficult for computer to automatically just throw in words, you’ve got random characters that makes it difficult. Two-factor authentication, if you can turn it on is always a good tool as well where it will send you maybe a text message. It also as you have to log in so you have to have your phone or some other device available and accessible to get on there so it kind of helps that it’s you. Another one is using software tools like LastPass or 1Password and there are others out there. They’re password managers so you can have, you can keep long passwords.
One caveat to this is people say, “Well it’s difficult to remember, a 25-character password that’s got a dollar sign, a hashtag, an exclamation mark, and upper and lower-case letters and numbers and things like this.” And so, this way you can actually have some strong passwords for your bank, for your trading accounts, or even like LinkedIn and Facebook, all of these things, and then you only have is one password that gets you into an encrypted file that gives access to all that. The good thing about that is when hackers are trying to capture information from you, oftentimes it’s through keystrokes and things this way. If you use one of the software tools, you’re not entering in the password. It just populates the information. That’s one. The second good thing about these is they recognize the proper site that you should be logging on to.
[00:16:06] Dan: And so, if there’s a login for let’s say your particular bank, Wells Fargo, Bank of America, USA, whatever it is, if I send you a fraudulent link and webpage that looks just like well let’s say Bank of America, everything about it is identical to your login page but it’s a different page, when you go to log in with one of these password softwares, it will recognize that it’s not the correct page and it will reroute you to the correct page and log you in there. So, it’s a good protection tool for you.
[00:16:40] Andrew: You know, I can vouch for LastPass. I look at things and say there was life before LastPass and then life after. And I know there’s a couple of other ones you mentioned. The nice thing from my standpoint of LastPass is as a business owner, I have a corporate account and what I’m able to do is create shared folders for my employees and that way I control what sites they go to and control the password. What that allows me to do first and foremost is compliance-wise to know what’s happening but then if we have a situation where employees leaving, we can very quickly turn them off and they never knew what that username and password. You had mentioned earlier what happens with LastPass once you’re logged in and you go to that website whether it be TD Ameritrade or even your email or Facebook, automatically what will happen is your username comes up and the password comes up but it is all hidden.
So, in that case when you got employees or even I think with, Dan, it could be beneficial at all with family, with kids, if you wanted them to have access to certain sites but you didn’t want them controlling the passwords, it’s a way to create it as a family environment as well. The other neat part is that they will create the password for you meaning you could go to – let’s say you’re logged into a new shopping site and you got to create a username and now it’s like you said, “Ah, I got to create another password,” well then LastPass will create a very rich in-depth, oh, I guess you could never say impossible but close to impossible to hack and now you don’t have to remember it because it’s stored in there. But yes, it is important, you have to remember your master password because it is very difficult if you lose that because the LastPass doesn’t have access to that. It becomes very difficult to try to break that in. So, there’s a couple of different ways in how you protect from that but the LastPass you indicated, the password protection is so vital.
[00:18:34] Andrew: And then the two-step verification, I know we had talked earlier that it’s not foolproof but for email, for banking, you got to have it. There’s really on those type of sites making it more difficult for them, meaning the hackers, it’s a no-brainer. Now, maybe not for all of your sites you need to have it but I would say that is just one more step that you can put to protect yourself.
[00:18:59] Dan: And I’ll tell you honestly myself, do I use two-factor authentication every time I log in? No. I use 1Password myself, same as LastPass, this different software program, but I do have two-factor authentication set up for when I do want to change any passwords and that’s good. So, if someone does try to go in and change your password, that two-factor authentication kicks in. And so, somebody can’t just go and change it and then be done and then you’re locked out of your own account. They have to have multiple devices. So, maybe I guess if they hacked into my laptop, phone, and iPad and had it also in front of them, they might have that advantage.
[00:19:37] Andrew: Right. Which is the chance to that, very minute.
[00:19:40] Dan: True.
[00:19:41] Andrew: Let’s go back to the Internet of Things. We’ve got an Alexa at home and I very rarely plug it in. It’s just one of those areas for me. I don’t know not that we have anything to hide. It’s just kind of that privacy concern. You hear or read these stories on these smart TVs that some of them are hacked into or that they could actually watch the homeowner itself. Is there any validity to that? Is there any fear to that? And if so, what can we do to protect ourselves from a smart TV going HAL’d from 2001 and taking over things?
[00:20:17] Dan: Sure. These are true and what’s more true rather than viewing somebody with I think more that was bigger issue with like baby monitors but some of the TVs are being taken over with ransomware and so a hacker actually just takes your TV and controls it and doesn’t allow you to watch it unless you pay them money.
[00:20:43] Andrew: And probably in bitcoin I assume.
[00:20:46] Dan: Yeah. Of course. It’s kind of like the weakest link. And I see those often where someone has they’ve got their – they have their home router, they’re interconnected to it. They don’t broadcast their SSID or their network name. They’ve got a strong password for it but then they go buy a peripheral device and this is a big deal with a few years back maybe some of the listeners will remember the Barbie hack issue, with the dolls. And so, what happens is we buy these Internet of Things, these devices that have Internet access but to use the features, we have to put them on our network. And so, we don’t even think twice about putting in our password and the SSID and password, network name and password on these devices and we give them access to this. And so, that’s where like that CUJO device or that home firewall ends up protecting you because when you’re going to come home, you’re going to put your television, you’re going to put it on your network.
[00:21:53] Andrew: Right. You mentioned the baby monitors. I remember reading a story a couple of years ago where there’s like a two-year-old, they kept coming to mom and dad and saying, “There’s somebody talking to me,” and legitimately somebody had hacked in because they had used probably the password that came with the device and this psychopath was literally talking to this two-year-old and scaring the you know what out of them and they finally figured it out. But that’s the kind of stuff you got to look at all of these things and whatever sicko was out there, whatever they’re trying to do, you got to protect them. Would you say that for the novice, for the one that is the layman in regards to technology and security, would you recommend that they maybe hire a consultant to come in whether it be a geek squad from BestBuy or something of that nature that can come in and really get things in order and help to make sure that they’ve got all the protection in place that they can?
[00:22:46] Dan: If someone has absolutely no clue about any of the technology, that might be a good thing to do but honestly, nowadays when you get to your Internet service provider and you’ve got tech support to get all of that set up, they have some firewall and things with that. When you use things like I mentioned that CUJO firewall, you don’t need to know anything about setting that up. Their customer service is so right nowadays with some of these tools that you actually put an app on your phone for support. You set up the device. You plug in the device, and if you can’t get it to work, you call support. They put you on a video chat. You show them what network, where are the wires, and stuff that you have and they tell you what to plug in where and get it to work for you.
[00:23:35] Andrew: And when you say CUJO, now you’re not referencing the Stephen King movie? This is actually a company?
[00:23:41] Dan: Actually, a company, yeah. C-U-J-O. They’re probably a couple of hundred bucks worth of protection that will prevent you from thousands of dollars of losses with your devices.
[00:23:50] Andrew: We’ll have that in the show notes as well and even maybe a link to one of my favorite Stephen King novels. We’ll have to see. So, going back to social media, you bring up a good point especially Facebook which isn’t really locked down like an Instagram or you can protect your Twitter, obviously, LinkedIn. So, when you think in terms of everybody putting their everyday life out there, their vacations, their dog, when you talk about them trying to figure out a password, this is where you’ve got to take ownership of what you’re putting out to the world and especially on Facebook, I’ve seen and we’ve heard this, people putting on while they’re on vacation, beautiful pictures. They’re in the Bahamas. They got the beautiful water there, this and that, but they’re putting in real time and with Facebook you just don’t know if you’ve got a big network, you don’t know who’s actually in that network and there are, I believe, stories of people that have burglarized the home because they knew that that family was out of town because of Facebook. So, what would you say to people in regards to what they’re posting in Facebook, Instagram, etcetera?
[00:25:00] Dan: Sure. It doesn’t matter what the social media account is. We need to realize that what we post on there doesn’t go away and despite all of the security settings that are on these software tools, they don’t turn off. Like, if I actually delete something where I say you can’t view it, it’s only kind of a curtain kind of thing where these switches and we say, “Pay no attention to the man behind the curtain,” but if you peek around the curtain, you can still see everything that’s going on. And a lot of that information is publicly available and there are actually sites that you can go on to actually search through someone’s social media profile and pull up information that was marked not to be viewed by not their friends, that kind of thing. And so, it’s very important that everything that you post, again, intent, purposeful, make sure that there’s a reason that we’re posting it or be very conscious because that information is available.
[00:25:58] Andrew: Right. I think the importance of that with, I have a daughter who grew up in this world posting everything and it’s letting them really and truly understanding that Google never forgets and a lot of this stuff can be at some point used against them. But it’s tough because they were just born in this generation that it was commonplace and it is commonplace to share and I think the time where I grew up, I feel like I was the last of that generation graduating high school in the 90s and college before the 2000 and overall, it was kind of blissful that some of the things we did they’re not on the recorded line, the recorded record, which is probably good for all of us but ultimately, I think there’s a learning curve for both parents but then so important to sit down and let your kids know what’s going on out there and some of the big factors, the big issues, that could be faced by putting your life 24/7 online, on YouTube, on Instagram, on Twitter, LinkedIn, etcetera.
[00:27:05] Dan: Yeah. Totally. And I think a lot of that is having the conversation and these information hacks are available on the Internet so spending a few moments looking up some of those, I can send the link to you to send out to your users. A friend of mine, Josh, who does this specifically for teenagers and parents and teachers to get this awareness of certain apps and certain social media things and what you post out there that it can affect you. It can affect you getting into college later. It can affect you getting a job down the way when someone pulls that stuff up. And so, I think pulling up some hacks showing your children if it’s a parent, hey, this is the stuff like here’s an example this is something that somebody posted. This is publicly available. It was pulled and they didn’t get their scholarship for college because of it. Sometimes we see the effects of it and maybe it helps put it into reality.
[00:28:14] Andrew: Yeah. There’s no question there and now with Facebook and the Cambridge Analytica issue that comes to surface over the last year or so, one thing, there’s kind of a backlash against social media companies. When we think in terms of all the stuff that’s free for us, even Google, it’s all free or Mint.com. What we always explain to our clients is that if it’s free, it means your information is the cost and with Cambridge Analytica all of that data that was repurposed and then sold to the highest bidder in regards to being able to target advertise us it’s a scary proposition. So, I think that trend is changing now where we’re becoming more careful and cautious of us being the revenue generator for these companies. And that’s something that I think our information is valuable to ourselves and you just got to be careful in understanding how it’s being used for the betterment of these big corporations now that they’ve kind of taken over the world.
[00:29:17] Dan: It is. It’s something that we give up a little bit of our privacy and some of this information for the convenience to be able to maybe keep up with the relatives and friends and what’s going on that you normally maybe would lose touch with. So, we do have to keep in mind that, yes, this information is out there and it is being sold. I mean, Facebook, well, this week I think Facebook has been in talks with several banks as far as capturing their information along with Facebook to try and tie the two together to know what your account balances and things are. And so, the argument is, it’s for convenience so you can just on Facebook and Messenger you can just say, “Hey, what’s my available balance in my checking account?” and that could give you back the information just for you but rest assured you’re not the only person that can see that information.
[00:30:06] Andrew: Owning a financial services company and having the access for the client information, we take security so important and we try to educate clients that come to us and say, “Hey, I’ve got everything aggregated with Mint or Quicken or Personal Capital,” and that’s great. The whole purpose of aggregating all your accounts and seeing your total net worth in real-time or understanding your spending habits to the credit cards, fantastic. But what is the cost of that? Mint’s not doing it because they like you. They’re doing it to generate revenue. So, one of the things working with a financial firm whether it be Bayntree or other independent registered investment advisory firms, we use an aggregator. It’s called eMoney and now owned by Fidelity but the key component here is that there’s some protection built in because we, like other firms, we’re not selling that data and all of a sudden that exposure that they had is not there anymore.
So, very important, we love aggregators, enables you to see things but be careful on it and if you do have a firm you’re working with, see if they have a planning software that will allow for eMoney or MoneyGuidePro. Those are some big ones. We’ve got some other ones that have come on the scene but that’s one of the core components and as, Dan, your company that you have helped build, Advisor Armor, just give us a real quick overview of what it does to help protect your clients which are financial firms like myself and how that then catapults to protecting the consumer, the individual.
[00:31:45] Dan: Sure. The registered investment advisors, certified financial planners and leads, when you’re working with one of these professionals, it’s good that your clients know that these people, these companies they’re subject to stricter guidelines and compliance rules from the state and the feds especially on things like cybersecurity and really got to make sure that they’re doing things to protect their clients. And Advisor Armor, that’s one of the things we do not necessarily for your clients – and, I mean, ultimately, I guess for your clients but for like companies like yours, we help keep you in compliance with cybersecurity, with your due diligence, policies, and procedures, training, training the employees, all these things. It’s not just a matter of saying, “Hey, you’ve got a firewall and you’re protected.” The employees of that organization are going to be trained on cybersecurity as well because you don’t want them clicking on links. So, it’s important to keep all of that current and that’s some of the things that we help do. Besides, if there is a breach or something then we do help with incident response.
[00:32:54] Andrew: Yeah. That’s overall, on the listener side, the next time you have a conversation with your financial advisor, ask them what their cybersecurity policy is and if they don’t have one, it might be a little bit cause of concern. One of the nice things of having that proactive ongoing relationship with a firm like yours is a consistent training that we have and that keeps the security side of things and protecting and understanding phishing and so forth, top of mind for my staff, and even we’ll get periodically some phishing emails that are not really phishing emails but it enables me to be able to see if somebody did fall victim to that. So, it’s more so keeping that culture of compliance whether you work for a very large firm, you work for a smaller firm, most of the time the companies have that so that’s something that you have to take that mindset and bring it to your individual side as some of the things that we’ve discussed earlier today.
So, one last item that I think is a biggie is in regards to public Wi-Fi. So, Dan, you had mentioned some of the things that we can do to protect our internal network at home but what are some of the issues we see with Wi-Fi in the public domain and what hackers are doing and what we can do as individuals to at least protect ourselves as best we can and create a shield around our data especially on our cell phones?
[00:34:28] Dan: Sure, Andrew. Just real quick on the last piece that you said. That’s a great question for your clients to ask anyone they’re working with is if they have some type of cybersecurity policy or at least they should say, “What are you doing to protect my data?” and they should be able to talk very strongly to that point and if they can’t, eyebrows probably should be raised with who you’re using. On the Wi-Fi, just don’t use any public Wi-Fi which is kind of hard for anyone to ever do because in reality, we’re out and about and we’re going to do things. One great way to protect yourself when you’re out using it besides to say don’t use public Wi-Fi, period, is to use VPN service and there’s a few out there. Hotspot VPN is one, NordVPN. I believe you’ll have some documentation to provide listeners with a few different places to get them started on their search for those but these are things that you can put on all of your devices.
And so, personally, I used Nord. It goes on my computer. It’s on my phone. It’s on my iPad. It goes on everything I use and so when I do log onto something, at least I have this virtual private network. And so, what that does is instead of me just going onto a site not knowing where I am, I get access but everything I do is tunneled and encrypted through this virtual private network. And there are tons of other additional ways to do it. We can send users out some more information on how to protect themselves through things like that but the big one is using a VPN. But understanding how easy it is for a hacker to get a hold of your information and there’s a device called the Raspberry Pi and another one called a Pineapple and they’re both about the size of an iPhone and I can set that down inside of a Starbucks.
[00:36:29] Dan: And what I can do is I can kick everyone off the network they’re on. I can pose as all these networks and most people have on their devices remember me so I don’t have to re-login when I’m using my password every time I go onto a site. So, the next time I’m at the Marriott or the Hilton or Starbucks or someone else’s house, I don’t have to log in with that information. And so, what that does is when it goes to log in, my device says, yes, that’s exactly who I am and give me your username and password. Thank you very much. And then I forward them on to a site. And so, in a matter of minutes, someone could capture everybody’s username and passwords inside of that Starbucks.
[00:37:16] Andrew: Okay. So, I’m sitting in a Starbucks and I pull up my phone and there I see a couple of different Wi-Fis, maybe some Bluetooth. There’s really no way for me as the individual to know which of the Wi-Fi is actually Starbucks if there’s two that look very similar? Is there anything that we can look for on that if let’s say we don’t have a VPN?
[00:37:37] Dan: No, not really.
[00:37:38] Andrew: Wow.
[00:37:39] Dan: Yeah. It’s a testing game because I can broadcast a Starbucks Wi-Fi or have it – and we call it whatever we want and so, what you think looks like a legit network name, it can be something that’s totally spoofed. And so, be cautious when using those. I would use VPNs so the Hotspot, Nord, TorGuard. There’s a bunch of them out there. Something else that if someone’s doing secure stuff and they’re really concerned about it, they can use a web proxy as well, a Proxify, or Anonymous, Disconnect.me is another one. Surf Anonymous is another site they can use. These web proxies help block their IP address and the hackers it’s difficult for them to get into their computer. That coupled with a VPN makes it really tough and if they really want to step it up another notch, they could use a Tor browser. It’s a T-O-R and that can reroute an IP address as well. And so, it makes it really difficult for anyone to get any information off of their devices.
[00:38:54] Andrew: So, let’s say a lot of people are hearing VPNs and they’re hearing these anonymous surfings and all these different things and you know how most people they just don’t do anything. So, what is the real risk? Okay. I’m into Starbucks. I just got compromised. Now, people, most of the time have their email already connected through their phone so they’re not going in specifically to Gmail. They’ve got the Gmail app. It’s already logged in. Is that hacker able to see an email that’s coming in and out?
[00:39:24] Dan: Not necessarily. They have to get into someone’s device somehow. So, just going in and accessing your email that may not be – it may be okay. If someone is using their device like use of their phones or iPads and oftentimes we do have a private network or personal broadcasts of our phone which is safer than going onto the local stores and Wi-Fi. And so, if we can use, if you’ve got an unlimited plan or you have a bandwidth capable to be able to do your own Internet from your device is probably a better way to go. And if you couple that with a VPN, we say VPN and be able to think, “Oh my gosh, I don’t know what to do,” some of those VPN softwares like Nord once you install that app on your phone and it turns on the VPN feature and it’s kind of a set it and forget it kind of thing. They don’t need to mess with it again.
[00:40:26] Andrew: So, you bring up a good point though. Number one, the VPN and I use it in most cases when I’m out traveling. The one downside, it does slow down some of your Internet connectivity. It’s a little bit of a drawback there so just take that with what it is and that’s why you want to use one of the big ones. I use Nord myself and the neat thing there is that they’ve got hundreds of different servers that you can connect to and that way you can make sure you’re finding one that maybe isn’t loaded up so that you can have a more streamlined Internet experience. But the other thing I do I was just out of the country and I did have the international and the cell phone, we have unlimited data, is I do create that hotspot that goes from cell phone to computer. I do that also at the airport so that’s from my standpoint I look at that as probably a little bit more safer than even just going straight VPN on the airport Wi-Fi plus I don’t know, like you said earlier, like which one is real and which one isn’t, so that’s where using that hotspot but make sure that you create I think it automatically comes with a pretty intensive password, these hotspots. Is that correct?
[00:41:32] Dan: Yeah. I mean, you can always create your own but again, yeah, make sure you don’t use some of the one-word, bananas, and then bananas2, bananas3 for all of your passwords. You brought up something I think that’s pertinent to all the VPN too especially traveling out of the country like any of your users do, I know I do, and like Nord, one beautiful thing about that as well is you’re on a US IP address and so even if you go to another country, let’s say Mexico, who doesn’t have the laws as strict as we do for cybersecurity and compliances like that. When you’re there and you go through your network and then you go through something like a VPN like Nord, you’re on a US IP address and so, one, you’ve got some protection and, two, any sites that you’re on will not block you as well. So, if anyone’s traveled and never tried to get on their bank to do something, the law again, some countries you might have issues with that but the VPN will allow you to do that safely.
[00:42:44] Andrew: Okay. Good advice there. The last thing that I wanted to chat about and this is in regards to the privacy settings in a Gmail or a Facebook, what can some of the individuals out there do to make sure that their data is as protected as they want? Because I know a lot of the features in these in Gmail and Google and so forth is to allow them to have access to all of your data and then they mine that and then they’re really able to get a good composite of who we are, what some of the things you like. Now, some people may like that. “Hey, I want the targeted marketing. I want that targeted marketing based on my loves and some of the things I enjoy doing,” but I think the majority of us kind of feel that that data is ours. So, what are some things that we should look for when we’re logged into iTunes or we’re logged into Gmail, Facebook, Twitter?
[00:43:35] Dan: So, some of the settings are they’re there to make us feel good but do they actually protect us? Sometimes not so much. It is good to go through those settings and they can turn off as many as those as they’re comfortable doing as far as tracking. A good exercise for someone to go through if they’re on their computer is to get there’s like a Google extension called Ghostery, G-H-O-S-T-E-R-Y. And so, they can click on that extension and when they browse the web, they can actually see every single company that is tracking them and they can turn them off. And so, that’s a beautiful feature. One, it’s a good exercise to actually see how many people are tracking you because one thing is I might give you control and say you can have access but I don’t want anyone else to have access.
The problem with all the user agreements which no one ever reads is I give you access but you’ve given four other companies access. And so, the problem is when I go onto your site, I have four other companies that might be tracking me that I didn’t know about. And so, I might say it’s okay for you to do it but no one else but as soon as I do with you, say Google, it might go out to four or five other countries. So, a good exercise for someone to do is to go on Google Chrome, download Ghostery or add that as an extension, and then actually just log into three or four sites, log in to LinkedIn, log into a bank, log into Facebook and do a couple of searches for something, looking for grocery store or something like that. That’s it. And then look at the Ghostery map of all the companies that are tracking them and there’ll probably be hundreds on there. And they can click on each one of those and say block.
[00:45:42] Andrew: And so, you keep referring to Chrome. Would you say out of Chrome and IE and Mozilla Firefox and Safari, would you say Chrome is the top one to use in regards to functionality and security?
[00:45:55] Dan: I think the big ones, I think it’s important that we stay with – I mean there are a lot of third like off-brand browsers and I’d be very cautious at using any of those. I think the big ones were pretty safe. Safari, Firefox, Opera, Chrome and then Tor. Tor has its own browser as well. Tor is probably going to be the safest browser of all of them. That’s what a lot of hackers are using to get on the dark web. And so, it is a way to not get a hold of your data. But the Google, Firefox, Safari, Opera, they’re all good of turning on the privacy settings again.
[00:46:34] Andrew: And I know another browser that’s becoming more popular is that DuckDuckGo and that one was from everything I’ve read built to really not track anything of your experience.
[00:46:45] Dan: Yeah. I think it’s along the lines with the Tor browser. They’re making more a general user I guess marketing these to.
[00:46:53] Andrew: And then the last thing that I do personally that I think is important for those to look at and again it’s not recommending one company versus the other but I actually subscribe to two different services. One called Identity Guard and one called LifeLock and what this does for me is it monitors my credit on a daily basis and will notify me if there are changes to that credit or if there was an application for a new credit card, a new loan, a home equity line of credit. So, what that does is it helps me know if anything has changed and then if so, I’ll be prompted then to be able to quickly jump in and try to freeze things. So, it is an expense. Do you think that it’s worthwhile for individuals to do that in the face of what’s happened with Equifax and as you mentioned, the dark web and things of that nature?
[00:47:46] Dan: Sure. It’s up to the users what they’re comfortable doing. They should know that they probably have a lot of that duplicate coverage and they just haven’t set up anything and if they look at some of the credit card accounts that they have, these have credit monitoring available so their banks for their credit cards they might be offering credit monitoring already and it might already be for free. And so, a lot of these companies do affinity-based service agreements with the identity of these companies that monitor your credit and they provide that for you for free or for a nominal charge to get the alerts and do something with it. LifeLock is a little bit different story. LifeLock is a way to lock it. It does cost you some inconvenience because it locks down your credit if something happens. However, you unlock it if you’re going to purchase a house or a car, open up a new line of credit, before you do so those will protect you that way but I mean there is a cost of all of that.
[00:48:53] Andrew: Right. Yeah, and sometimes just the inconvenience may be worth it or that peace of mind may be worth it. Do you think people need to go out, and I know with Equifax they were running some ad or some type of benefits that you can see if your information has been released to the dark web, is that something that you guys recommend?
[00:49:10] Dan: Totally. Being aware of something and being able to address it immediately is always a good thing but I would rather know that my information has – so I recently got an email that said or an alert that said, “Hey, your email has been found on the dark web.” And so, you go in and you change your username and password on that or your password for that account to protect yourself. So, it’s better to have the ounce of prevention. To better have that little bit of prevention proactivity, being able to know that something has happened and address it before somebody files taxes in your name.
[00:49:49] Andrew: Yeah. And when that does happen and you get a PIN and again, a little bit of inconvenience but that way that is something we didn’t really discuss today but that is a huge concern is people, scammers filing tax returns before you do and then initiating the refund and having that wired out to their bank and that’s something that I think as IRS is trying to get a handle on it but that train has left the station and that’s an important thing for you to be very diligent in making sure that your CPA or your accounting firm is doing everything they can to protect that data as well.
[00:50:24] Dan: Yeah. You know, with the IRS it’s a simple thing to go on there and ask for the PIN and it’s a small inconvenience. Someone might delay they’re getting their tax returns for a few weeks having to do that, however, it sure beats someone filing taxes for you and then taking two years to try to undo that.
[00:50:42] Andrew: No doubt. So, we went through a lot of good nuggets today. Couple of key takeaways and in the show notes there’ll be the ability to download our best practices, some of the things that Dan and I had discussed through. Also, in the show notes some of the link out to the products and the different things that you can do to protect yourself but first and foremost, it’s being aware, staying proactive, not putting your head in the sand and, Dan, what would you say then in regards to social media, what would be the key take away for those out there that’s using it?
[00:51:15] Dan: Be purposeful and aware of exactly what you’re doing. We don’t want to just click around and just post everything that we want to post. You got to think through what it is that you’re going to post before you do it and think before you click.
[00:51:30] Andrew: I like that. Think before you click. The Internet makes life so much more convenient but there are some negative to it and we got to stay on point every step of the way. So, we don’t want to be doom and gloom, right, Dan? I mean, it’s not the end of the world here but I think you brought up some very important concerns and strategies to make sure that our life online is just as safe as our life offline.
[00:51:55] Dan: Totally.
[00:51:56] Andrew: And awesome stuff today. I appreciate you taking the time with us. Continue doing the good work with Advisor Armor and in the show notes as well, there’ll be information on how anybody can contact you if they want to learn more about what you guys do as a firm and how you’ve been helping to protect individuals and business owners especially in the financial services arena.
[00:52:20] Dan: Great. Hey, Andrew, thanks for having me on your podcast. I really appreciate it. I had a great time today and enjoyed helping others understand some of the complexities of cybersecurity and hopefully, they have learned some more. I know Advisor Armor continues to be a leader in assisting the advisors in staying compliant and protecting their clients, your listeners, so they can provide – I’m sure they can get more information on you’re going to have a download. Correct?
[00:52:43] Andrew: Yeah. We’ll have a download there as well so all of that enables the listeners to have more information and information is power and that’s what we’re here to do at Your Wealth & Beyond. I thank you, listeners, for being with us and stay tuned for later this month for our next podcast to help you build wealth and find purpose. Happy planning, everybody. Thanks for listening.
[CLOSING]
Thank you for joining me for today’s episode of Your Wealth & Beyond. To get access to all the resources mentioned during today’s podcast, please visit Bayntree.com/Podcast, and be sure to tune in later this month for another episode of Your Wealth & Beyond.
[END]