Did I spam myself?

A client writes:

I just received an email from myself with a fraudulent QR code containing a link that’s clearly a scam. But it looks like it actually came from my email, and other people are listed as recipients. What should I do?

Sadly, it’s not difficult to make an email appear, on the surface, to be from any given address. Making it more than surface-level is harder, because that requires truly hacking the account. Since you and I have worked together, we have pretty well covered the bases to set the chance of that happening to you dang close to zero.

In other words, and to answer the question of what you should do now: Ignore it, stay vigilant, and keep using those strong passwords and two-factor authentication, preferably with a password manager. (I’ve got a blog post about those, and the TL;DR there is that, for iPhone users, Apple Passwords is free, and great even if you have a PC. And 1Password [affiliate link] is fantastic if you want something more robust.)

All that said, to get more forensic about it, you can look at the source code of the original. In Apple Mail on the Mac, go to View menu > Message > Raw Source.

I know it looks like the Matrix, and I don’t pretend to read it like prose myself. But see below for an example of part of the source code from a legitimate message. It’s one of the sections to look for: your domain appears alongside terms like “dkim” and “dmarc”, each matched with “pass”. That indicates my email service (Google) asking your email service (also Google), “Hey, is this legit from yourdomain.com like it purports to be?” and getting a couple of different “Yes”es in response.

ARC-Authentication-Results: i=1; mx.google.com;
    dkim=pass header.i=yourdomain.com header.s=google header.b=Ssjl9RVC;
    spf=pass (google.com: domain of xxx@yourdomain.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=xxx@yourdomain.com;
    dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com;
    dara=pass header.i=@mydomain.com

If you look in there and something doesn’t pass a sniff test, let me know!
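If you’d rather not eyeball it, here is an added example (not part of the original post) that runs the same check in Python on a message’s raw source: it reports whether dkim, spf and dmarc each say “pass” for your own domain, rather than for somebody else’s. The function name, the two sample messages and the assumption that your mail is received by Google (mx.google.com) are illustrative.

```python
import email
import re

# Which property of each check names the domain that was actually verified.
PROP = {"dkim": "header.i", "spf": "smtp.mailfrom", "dmarc": "header.from"}

def auth_verdicts(raw_source, my_domain, trusted_authserv="mx.google.com"):
    """Map dkim/spf/dmarc to True only when the check passed for my_domain."""
    msg = email.message_from_string(raw_source)
    verdicts = dict.fromkeys(PROP, False)
    for value in (msg.get_all("Authentication-Results", [])
                  + msg.get_all("ARC-Authentication-Results", [])):
        value = re.sub(r"\([^)]*\)", "", value)  # drop "(...)" comments
        parts = [" ".join(p.split()) for p in value.split(";")]
        parts = [p for p in parts if p and not re.fullmatch(r"i=\d+", p)]
        # A sender can write this header too, so count only results stamped
        # by the receiving service (assumed here to be mx.google.com).
        if not parts or parts[0].split()[0].lower() != trusted_authserv:
            continue
        for part in parts[1:]:
            m = re.match(r"(dkim|spf|dmarc)=(\w+)", part)
            prop = m and re.search(re.escape(PROP[m.group(1)]) + r"=(\S+)", part)
            if not prop:
                continue
            domain = prop.group(1).rsplit("@", 1)[-1].lower()
            aligned = domain == my_domain or domain.endswith("." + my_domain)
            verdicts[m.group(1)] |= m.group(2) == "pass" and aligned
    return verdicts

# Constructed samples (placeholder domains and documentation IP addresses).
LEGIT = """\
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@yourdomain.com header.s=google;
 spf=pass (google.com: domain of xxx@yourdomain.com designates
 192.0.2.10 as permitted sender) smtp.mailfrom=xxx@yourdomain.com;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com
From: xxx@yourdomain.com
"""
SPOOFED = """\
Authentication-Results: mx.google.com;
 dkim=pass header.i=@bulk-sender.example header.s=s1;
 spf=pass (google.com: domain of bounce@bulk-sender.example designates
 192.0.2.77 as permitted sender) smtp.mailfrom=bounce@bulk-sender.example;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com
From: xxx@yourdomain.com
"""

if __name__ == "__main__":
    print(auth_verdicts(LEGIT, "yourdomain.com"), auth_verdicts(SPOOFED, "yourdomain.com"))
```

In the second sample, dkim and spf both say “pass”, but for a different domain than the one in the From line, so none of the three counts as a “Yes” for yourdomain.com.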

Identity Theft

In the past six months I’ve received two letters from local health facilities telling me that they’ve been hacked. One office suggested we victims use a company called IDX in case of identity theft. I have Googled IDX, but I do not like that they use cookies. I’m also wary about handing over my social security number. What do you think?

I sure appreciate your vigilance and suspicion! I don’t know if you clicked on the reviews for IDX when you searched for the company, but they indicate pretty clearly that you should steer clear. I’m not asserting that all such companies aren’t worth their salt, but at least a few of IDX’s customers are displeased.

The businesses you are hearing from are under obligation to make some kind of remedial suggestion to you, though I wish they had a stricter obligation to maintain tight security in the first place.

What they should be doing is telling you to place credit freezes at the three major bureaus, and to change your major passwords to all be different if they aren’t already. Also use multi-factor authentication on every account that allows it.

Sigh.

Your instinct guided you correctly, and keep trusting your gut. If anything on the internet smells even a little fishy, it almost certainly is entirely fishy. That said, you should know that nearly every single website you visit employs cookies. By nature it can be a useful technology, for example, letting a web app remember how I had logged into it and displaying my most recent choices on that app. You are not wrong, however, that cookies are also used for purposes more convenient to the site owner than to me, in gathering information about me to sell to data brokers.

The GDPR law passed by the EU in 2016 requires websites that use cookies to display a choice screen if they want to operate in the EU. I think the spirit is right, though the implementation has proven annoying: rather than use different policies for visitors from different locations, the sites show those choice screens to the globe. So perfectly legitimate, nice, well-meaning, or beneficial websites might show you that they use cookies and let you turn off different categories of cookies.

Finally, while I support your care about handing your social security number to just anyone, that number is flowing like water all over the internet, and the credit freezing and password security are our primary, if not only, defenses against identity theft.