6 Inventive Approaches for Better Password Security

A strong password helps keep your information – and money – secure. When your passwords are weak, you put yourself at risk for identity theft, credit/debit card fraud and a whole slew of other un-fun consequences.

We’ve all heard the basics about creating a good password: make it long, use a combination of letters, numbers and symbols, and avoid anything that could easily be associated with you.

“Person-on-the-street interviews showed that people aren’t taking active steps to help protect themselves from fraud or don’t know what they should be doing,” says Dr. Brad Klontz, a financial psychologist who is teaming up with Chase to help share tips to prevent fraudulent activity.

“By working together, we can help you keep your accounts safer and even more secure,” says Michael Cunningham, the managing director of Chase Fraud Operations. “One of the simplest steps you can take to help prevent fraud is creating stronger passwords.”

Great. So what should you do, exactly, when trying to come up with a stellar password that will be hard to crack? We spoke to a few experts to get their top tips for creating an airtight password.

#1 – Yes, size matters  

For a while, 6-8 characters were considered to be enough. Now, experts recommend upwards of 12-14 character passwords – at minimum – to ensure better security.

“The length and complexity of a password is important in that it makes it more difficult to be cracked,” says Greg Kelley, the CTO at Vestige Digital Investigations.

Shorter, simpler passwords are easier to figure out, especially by attackers who run automated guessing software against a stolen database of password hashes and can try billions of candidates offline. When a password is long and complicated, that same attacker (or software) gives up and moves on to the next one.

#2 – Skip the obvious

Weak passwords like “12345” and “password” continue to be the most common – and pose the biggest threat for users.

Also on the “no-no” list? Anything that someone could discover about you by doing a simple internet search. Your name, birthday, spouse’s name, dog’s name, or anything else that is easy to uncover via social media should not be part of your password.

This tip is especially critical when it comes to your bank account password.

“At the core, fraud prevention is a partnership between cardholders and their bank,” Klontz says. “Being a victim of financial fraud can be a very stressful experience. Why put yourself at risk when you can take a few simple, proactive steps to significantly lower your vulnerability to fraud?”

Don’t risk it: Take a few extra minutes when creating your passwords and come up with something unique.

#3 – Think sentences, not words

Many of the experts we spoke to stressed that creating a pass-phrase rather than a pass-word is a smart way to increase complexity.

“Quotes you find easily memorable — from books you love or movies you’ve watched – blended with special characters and numbers would be the best choice for a password due to its overall length and complexity,” says Avi Kasztan, CEO and founder of cyber intelligence firm Sixgill.

For example, “summertimeandthelivingiseasy” is better than, say, “summer1.”

To up the ante, mix numbers, capital letters and special characters into your sentence to make it even better. Now it becomes “$ummerT1meAndTheLivingIsEasy.” Bear in mind that common substitutions such as $ for s and 1 for i are built into the rule sets of password-cracking tools, so the length of the phrase does far more work than the substitutions do.

It’s a creative way to ensure your password will be unique and complex.

#4 – Utilize the space bar   

When creating a passphrase, don’t forget about the space bar! Most systems accept a space as a valid password character, and each one lengthens the phrase (and widens the character set an attacker must search) while making a multi-word phrase easier to type and remember. Check that the site accepts spaces before relying on them; some login forms strip or reject them.

Alex Heid, Chief Research Officer at SecurityScorecard, suggests something like: “My favorite dinner is steak & potatoes.”

This works well, Heid says, because the phrase uses mixed casing and special characters – plus it’s easy to memorize.
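As an added example (not part of the original article), here is a small Python script that applies tips #1 to #4 as a check and generates a random passphrase the way a password manager would. The common-password set and the 16-word list are constructed samples for the demonstration; a real checker would use a breach corpus of millions of entries and a large wordlist such as the 7,776-word EFF diceware list. The bit estimates are a crude upper bound on brute-force work, which is exactly why a long phrase scores so far ahead of a short substituted word.

```python
import math
import secrets

# Constructed sample of a common-password list; a real checker uses a breach corpus of millions of entries.
COMMON_PASSWORDS = {"123456", "12345", "password", "qwerty", "letmein", "iloveyou", "summer1"}

# Constructed 16-word sample; a real generator uses a large list such as the 7,776-word EFF diceware list.
SAMPLE_WORDLIST = ["apple", "bridge", "candle", "desert", "eagle", "forest", "glacier", "harbor",
                   "island", "jungle", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper"]


def charset_size(pw: str) -> int:
    """Size of the smallest printable-ASCII alphabet that covers the password's character classes."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # 32 ASCII punctuation marks plus the space
    return size


def brute_force_bits(pw: str) -> float:
    """Crude upper bound on attacker work (bits) for a password drawn from its character classes.
    A phrase made of dictionary words is weaker than this suggests; length still dominates."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def check_password(pw: str, personal_terms=(), min_length: int = 12, common=COMMON_PASSWORDS) -> list:
    """Apply tips #1, #2 and #4: long enough, not on the common list, free of personal details.
    Spaces are allowed and count toward length. Returns a list of problems (empty means OK)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if pw.lower() in common:
        problems.append("appears on the common-password list")
    lowered = pw.lower()
    for term in personal_terms:  # name, birthday, pet, spouse: whatever a web search would turn up
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal term {term!r}")
    return problems


def generate_passphrase(wordlist, n_words: int = 5, separator: str = " ") -> str:
    """Tip #3 done properly: words chosen with a CSPRNG, not a quote an attacker can look up."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of a random passphrase: every word adds log2(wordlist_size) bits."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ["summer1", "summertimeandthelivingiseasy", "$ummerT1meAndTheLivingIsEasy",
               "My favorite dinner is steak & potatoes."]:
        print(f"{pw!r}: {brute_force_bits(pw):.0f} bits, problems: {check_password(pw) or 'none'}")
    print(check_password("Rex2010Birthday!", personal_terms=["Rex", "Birthday"]))
    print("random 4-word phrase from the sample list:", generate_passphrase(SAMPLE_WORDLIST, 4),
          f"({passphrase_bits(len(SAMPLE_WORDLIST), 4):.0f} bits)")
    print(f"5 words from a 7,776-word list: {passphrase_bits(7776, 5):.1f} bits")
```

Five words drawn at random from a 7,776-word list give about 65 bits, more than an eight-character string of mixed symbols, and the result is something a person can actually remember; that is the whole argument of tips #1 and #3 in numbers.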

#5 – Don’t neglect your email password   

When many think about password security, they picture things like bank accounts, credit cards and other pieces of delicate information. Email passwords, however, are often overlooked. But access to this account can be destructive.

Because password resets for nearly every other account are sent to your email, a strong, unique passphrase on that mailbox works as an extra layer of protection for all your other accounts, and it is the first password to change if you ever suspect it has been exposed.

Michael Kaiser, Executive Director of the National Cyber Security Alliance, suggests adding an extra authentication step to your email – a “layer of protection beyond login and password that’s readily available and free [for] nearly all major email providers.”

#6 – Switch it up  

When all your passwords are the same, you’re essentially giving hackers a universal key into your life. Experts have long recommended changing your password every 60-90 days, but current guidance (NIST Special Publication 800-63B, for example) puts less weight on scheduled rotation than on uniqueness: change a password promptly when the service that holds it is breached or you suspect compromise. Changing your password often but neglecting to make each iteration complex enough could be just as bad as never changing it, because predictable variations (summer1, summer2) are the first thing an attacker tries.

Joe Siegrist, GM and VP of password management site LastPass, says that a recent survey by his company found that 61 percent of respondents use the same or similar passwords across accounts, while 55 percent do so even though they understand the risk.

“Password reuse is one of the easiest ways to get hacked, yet even the most tech savvy users are guilty of this,” Siegrist says.

Don’t be lazy! Vary your passwords across your accounts and never repeat those you’ve already used.

Posted in: Security

Factory resetting doesn’t wipe all your data: here’s how you can

There are various good reasons to perform a factory reset: fixing bugs following an Android update, general housekeeping for maintaining Android performance and completely wiping data from your phone before selling or passing it on. The problem is that Google’s built-in factory reset option can leave your data exposed even after a reset. Here’s why a factory reset doesn’t wipe all your data, and what you can do about it.

The factory reset problem was uncovered by some Cambridge University researchers in the first major study of this taken-for-granted Android security feature. The factory reset, we’ve always been told, will delete all data, accounts, passwords and content from your Android device. The problem is, this is only partially true.

Why doesn’t a factory reset work?

The researchers tested a range of second-hand Android devices running Android versions from Android 2.3 to Android 4.3 and found that in all cases they were able to recover account tokens – which are used to authenticate you once a password is entered the first time – from service providers such as Google, Facebook and WhatsApp. In a staggering 80 percent of cases, they were able to recover the master token.

The master token is essentially the key to the front door, the equivalent of installing a top-notch security system and then hiding the key under the doormat. Once a master token is recovered, the user’s credential file can be restored and all your data re-synced to the device: that means emails, cloud-stored photos, contacts and calendars.

How could this happen?

There are a few reasons. Part of the blame is with the manufacturers who simply don’t provide the software required to fully wipe flash storage. Likewise, flash storage is notoriously hard to wipe, and of course, Google is to blame for not providing a more fail-safe option for users.

The researchers went on to note that while security and antivirus companies may use these findings to promote their own tools and services, the only real solution was likely to come from the vendors themselves.

Unfortunately, even devices with built-in encryption are not safe from this weakness. The decryption key is also left intact on a device once it has been factory reset. While that key is itself encrypted (under a key derived from the user’s PIN or password), gaining access to it would be a few days’ worth of work for most hackers, according to the researchers.

What can I do about it?

It must be noted that devices running Android 4.4 and above were not tested, so it is not clear whether devices running Android KitKat and Lollipop are also affected, although the researchers were quick to point out that it’s plausible that they could be.

The main thing you can do to protect yourself is to encrypt your phone and use a strong, randomly generated password that contains a mixture of upper- and lower-case letters, numbers and symbols and is at least 11 characters long, because the strength of that password is all that stands between the leftover encrypted key and an attacker. The issue with this is that typing such a password is sufficiently awkward to do on a regular basis that most users simply won’t do it.

Alternatively, once a phone has been factory reset, the flash storage can be refilled with useless data to overwrite the tokens and crypto keys left in flash storage. Of course, the app used to fill the phone would need to be installed outside of Google Play to avoid a Google token being registered on the device once again. The only other solution the researchers came up with was to destroy the device.

This solution, however, raises issues for users that find themselves with a lost or stolen device, or for those devices that have been remotely wiped with Android Device Manager. Until a legitimate solution can be found, just be careful who you sell your second-hand phone to.

Gordon, Scott Adam. “Factory Resetting Doesn’t Wipe All Your Data: Here’s How You Can.” AndroidPIT, Sept. 2016. Web.


Our mobile devices have become a critical tool that we use to access important business information and to communicate to our colleagues, clients, and vendors while on-the-go. This can be both a blessing and a curse!

If it falls into the wrong hands, the sensitive, company confidential information (e.g., customer contacts, contracts, email communications, trade secrets, etc.) that it might contain or have access to can put your business at risk.  It is wise to create a plan to protect your digital intelligence in the event that your mobile device is lost, stolen, or replaced.

Our staff is well-versed in best practices that can help to secure your data. Give us a call at (732) 780-8615 or send us an email at support@trinityww.com for more information or to schedule an appointment with one of our trained professionals.

Posted in: Tech Tips for Business Owners

Like-farming Facebook scams: Look before you “like”

If you’re a regular Facebook user, you’re pretty much guaranteed to run across lots of “like-farming” scammers – maybe without ever even realizing it.

At best, these like-farming pages clutter your friends’ feeds, crowding out content they actually want to see (and possibly making them annoyed with you, for drowning their feeds in such noise); at worst they put your personal information in the hands of unscrupulous marketers, or help spread dangerous computer viruses and other forms of malware.

But what is like-farming? Facebook policy forbids it, though of course scammers and con artists by definition tend not to follow the rules. Like-farmers start pages and fill them with content dedicated to collecting as many “likes” or “shares” as possible in the shortest amount of time.

Since Facebook’s algorithms place a high value on popularity (as measured by likes and shares), these highly liked and shared pages therefore have a much higher chance of appearing in people’s “Feeds” and being seen by other Facebook users.

Then, once the page has a sufficiently high popularity rating, the like-farmer either removes the page’s original content and replaces it with something else (usually malware or scam advertising); leaves the page as is and uses it as a platform for continued like-farming in order to spread malware, collect people’s marketing information or engage in other harmful activities; or outright sells the highly liked site to cybercriminals in a black market web forum.

Appeals to emotion

How do like-farmers lure people into liking or sharing their content? As with any scam, it appears in multiple forms.

Many like-farmers rely on appeals to emotion: anytime you’re urged to “like” or “share” a post that pulls at your heartstrings or pushes your buttons, there’s likely a like-farmer behind it. “This poor little girl with cancer lost her hair to chemotherapy — ‘like’ this post to let her know she’s still beautiful!” “This new government policy is outrageous — ‘like’ this post if you’re outraged, too!”

Confession: I fell for a couple such like-farming scams myself, back when I was still new to Facebook. And I didn’t even realize it until a couple weeks ago, when I went on a nostalgia-crawl though my old Facebook “activity log” and was appalled to see that back in 2010 or so, I’d allegedly “liked” a couple pages advertising some scammy pseudo-scientific quack medications.

But of course I never “liked” any such nonsense; I’d actually “liked” posts shared by various friends of mine – probably posts to the effect of “’Like’ to let this little bald girl know she’s beautiful!” or “’Like’ if you’re outraged by this new policy!” – and only later, after the page collected enough “likes” for a high Facebook popularity ranking, did the page owner scrub the original content and replace it with ads for scam products.

Valuable prizes

Not all like-farmers rely on appeals to emotion, though. Others will claim to offer valuable prizes to people who “like” or “share” a post; those posts you see promising the chance to win a free Macbook or latest-gen iPhone, free chain-store gift card or some other valuable freebie are pretty much guaranteed to be scams.

Last week, for example, the anti-scam website Hoax-Slayer issued an alert about a fraudulent Facebook page promising to give away 100 Macbook laptops: all you have to do is like and share the post, and specify whether you want a white or black one.

The “Fans of Mac” page has 22,925 “likes” in the screenshot Hoax-Slayer included in its alert; as of this writing, that number had grown to 25,660. The “About” section says that Fans of Mac is “Facebook’s LARGEST and most vibrant Apple community with worldwide fans! If you LOVE Apple … then join us today!”

Yet the page contains no posts from fans discussing the pros and cons of the latest Apple iThing, nor even links to media coverage of the latest iThings. There are, as of press time, only eight posts visible on the entire page, and every single post claims to offer valuable free iStuff to people who like and share it. A post from April 7 claims “We have got 100 boxes of Macbooks that can’t be sold because they have been unsealed. Therefore we are giving them away for free. Want one of them? Just Share this photo & Like our page.”

Even by the standards of fake-free-stuff postings that makes no sense: since when does Apple or any other tech company have the policy “If the packaging on our expensive new latest-gen products becomes ‘unsealed,’ those products cannot be sold or even destroyed; we’ll just give ’em away for free”? They don’t.

Unsurprisingly, if you scroll a bit further down the Fans of Mac page you’ll see the exact same post on Nov. 25, 2014: “We have got 100 boxes of Macbooks that can’t be sold because they have been unsealed. Therefore we are giving them away for free….”

No free iPhones

The first post on that page is dated Sept. 23, barely two weeks after Apple unveiled its then-new iPhone6, and it said: “We have got 10 boxes of iPhone 6’s [sic] that can’t be sold because they have been unsealed. Therefore we are giving them away for free.” (Coincidentally, Sept. 23 is also the day we here at ConsumerAffairs published an article headlined: “Watch out for these iPhone6 scams; nobody’s giving free phones away over Facebook or email, either.”)

Anytime you see a Facebook post offering free valuable items in exchange for “Likes” and “Shares,” you’re almost certain to find a similarly scammy Facebook page behind it.

Still other like-farming posts are high-tech variants of the old chain-letter scam, promising good though vague results if you forward the post. Just this week, one of my own Facebook “friends” shared a photo showing thick stacks of $20 and $100 bills, over a caption reading “Money will come to you sometime this month say Amen and Share” [sic]. As of this writing, that one single photo and caption has 14,441 “likes” and 284,926 “shares.”

Another insidious form of like-farming presents itself almost as a religious duty: “’Share’ this post if you’re willing to publicly proclaim that Jesus Christ is your Lord and Savior!” (Consider: even if you need to share your faith on Facebook — why would you need to “share” that particular post, rather than simply write your own announcement on your Wall?)

Just clickbait

A close cousin of like-farming might better be called “response farming,” or just clickbait: posts designed solely to elicit a response. It differs from like-farming in that like-farming is done by actual scammers, whereas response-farming is usually promoted by actual companies to increase their Facebook popularity rankings. Look at the promotional Facebook page of a typical genre-music FM radio station, for example, and you’re almost certain to see lots of response-farming memes.

One such meme that’s been around since at least early 2013 involves asking a ridiculously easy question, usually followed by commentary suggesting the question is actually quite difficult:

Can you name a band that has no letter “T” anywhere in their name? This is harder than you think! Post your answers below, and share with friends. Most people think they can do this but fail, can you do it?

Or this:

Name a ‘FISH’ that does not have the LETTER ‘A’ in it. I bet you can’t 😉

Some of these non-challenging intelligence tests came from like-farmers, but most were local-radio or business clickbait — still driving up like-counts and cluttering your friends’ Facebook feeds, but at least they won’t likely spread malware or put money in a scammer’s pockets the way like-farming pages do.

If you’re going through your own old Facebook archives and discover you’ve “liked” a scammy page you don’t recognize, you can send Facebook a scam report for that page, and then click the “unlike” button to remove your own name from it.

Abel, Jennifer. “Like-farming Facebook Scams: Look before You ‘Like.’” ConsumerAffairs, July 2016. Web. Oct. 2016.


Like-farming, phishing, spearphishing, socially engineered email and links are all designed to get your employees to open the door to malicious attacks, and they appear in many forms. We believe the best approach is to take a defensive stance by arming your staff with the most up-to-date information. And since we believe that knowledge is power, we have put together a presentation that explains the many deceptive tricks of hackers, as well as the most common mistakes made by end users. We also have a method to reinforce training by running a simulated phishing campaign that tests who will “take the bait”.

Give us a call at (732) 780-8615 or send us an email at support@trinityww.com to set up an appointment for a security consultation.

Posted in: Mobile Computing, Security, Social Media Marketing

How to protect your Apple ID with Two-Factor Authentication

Two-Factor Authentication strengthens the security of your Apple ID by preventing anyone from accessing or using it, even if they know your password. With Two-Factor Authentication, one of your trusted devices generates a one-time code when you make a purchase or sign in to your Apple ID, iCloud, iCloud.com, iMessage, FaceTime or Game Center account on a new device. Two-Factor Authentication is also required for Auto Unlock so you can unlock your Mac by wearing an Apple Watch.

In this tutorial we’ll show you how to protect your Apple ID with Two-Factor Authentication or, if you’re still using the older and less secure Two-Step Verification, upgrade to Two-Factor Authentication.

Two-Factor Authentication vs. Two-Step Verification

Two-Factor Authentication is the preferred protection system for Apple IDs.

It replaces Two-Step Verification and is more secure because it’s integrated deeply into the bowels of iOS and macOS. The older, less reliable Two-Step Verification system relies on different methods to trust devices and deliver verification codes.

With Two-Factor Authentication enabled, a six-digit code is required to verify your identity using one of your devices or another approved method before you can:

  • Sign in to your Apple ID account page on the web
  • Sign in to iCloud on a new device
  • Sign in at iCloud.com in a web browser
  • Sign in to iMessage, Game Center or FaceTime on a new device
  • Make an iTunes, iBooks or App Store purchase from a new device
  • Get Apple ID related support from Apple

See Apple’s support document for more information about Two-Factor Authentication, including an up-to-date list of countries where this feature is available.

System requirements for Two-Factor Authentication

In order to use Two-Factor Authentication, you must own one of the following devices:

  • iPhone, iPad or iPod touch with iOS 9 or later
  • Mac with OS X El Capitan or later and iTunes 12.3 or newer
  • Apple Watch with watchOS 2 and up
  • Windows PC with iCloud for Windows v5.0 or later and iTunes 12.3.3 and up

Logging into your Apple ID on a device that has software earlier than specified above may yield a message saying Two-Factor Authentication is unavailable so make sure your gadgets meet the requirements and run the latest software.

Protecting Apple ID with Two-Factor Authentication

If your Apple ID is protected with the older Two-Step Verification method, you must first disable it before you can opt in to Two-Factor Authentication. Unfortunately, Apple does not provide a direct upgrade path from Two-Step Verification to Two-Factor Authentication.

If your Apple ID is not using Two-Step Verification, skip this section and proceed with the steps outlined in the section titled “Enabling Two-Factor Authentication”.

Disabling Two-Step Verification

1) Sign in to your Apple ID account page using a desktop web browser.

2) Click Edit under the Security heading.

3) Click Turn Off Two-Step Verification, then create three new security questions and verify your birth date and phone number when asked.

apple-id-1

You will receive an email from Apple confirming that Two-Step Verification for your Apple ID account has been turned off and the Apple ID account page will reflect the change.

apple-id-2

You can now protect your Apple ID with Two-Factor Authentication.

Enabling Two-Factor Authentication

1) Go to System Preferences → iCloud → Account Details → Security on your Mac. Alternatively, open Settings → iCloud → your Apple ID → Password & Security on your iPhone, iPad or iPod touch.

2) Click Set Up Two-Factor Authentication and follow the onscreen instructions.

apple-id-3

You must provide three security questions and answers, verify your birth date, add a rescue email and verify a mobile phone number where Apple will send you verification codes when your trusted devices are unavailable.

If you see a message that some of your devices are incompatible with Two-Factor Authentication, hit Turn On Anyway to continue. Enrolling in Two-Factor Authentication will replace your iCloud Security Code with your device passcode.

To enable Two-Factor Authentication on the web: log into the Apple ID account page, click Edit under the Security heading, hit the link “Get Started…” below the Two-Factor Authentication heading and follow the onscreen instructions.

apple-id-4

The Apple ID account page lists under the Trusted Devices heading all your Apple devices which are capable of generating Two-Factor Authentication codes. Any iOS device with Find My iPhone enabled can generate these codes.

Now all that’s left for you to do is double-check that Two-Factor Authentication has really been enabled by following the instructions below.

Verifying that Two-Factor Authentication is enabled

To double check that you’re using Two-Factor Authentication or that you’ve successfully upgraded your Apple ID from the older Two-Step Verification system to the more secure Two-Factor Authentication, do the following:

1) On your Mac, open System Preferences → iCloud, click the Account Details button, then click the Security tab and make sure Two-Factor Authentication is on.

apple-id-5

2) On your iPhone, iPad or iPod touch, go to Settings → iCloud, tap your name to reveal account details, then tap Password and Security and make sure that Two-Factor Authentication is on.

apple-id-6

3) If you own an Apple Watch, open the companion Watch app, go to My Watch → General → Apple ID and verify your Apple ID is showing.

That’s it, your Apple ID account is now protected with Two-Factor Authentication.

How to use Two-Factor Authentication

With Two-Factor Authentication enabled, you’ll verify your identity by entering both your Apple ID password and a six-digit verification code any time you sign in to the Apple ID page or iCloud.com, make an iTunes, iBooks or App Store purchase from a new device or sign in to iMessage, FaceTime or Game Center on a new device.

apple-id-8

A prompt that goes up on your trusted devices includes a mini-map showing you where the sign-in attempt is coming from. Tap Allow to get a one-time six-digit verification code that you must type into your other device to verify the login attempt.

How to manually generate Two-Factor Authentication codes

You can also manually generate a verification code at any time:

On your iOS device, go to Settings → iCloud, tap on your account name at the top, then hit Password & Security and select Get Verification Code.

apple-id-9

On your Mac, click the Account Details button in System Preferences → iCloud, then click the button labeled Get A Verification Code found under the Security tab.

apple-id-10

Now enter your six-digit verification code into your other device to sign in.

With Two-Factor Authentication enabled, your Apple ID account will be more secure than ever and you will be able to use advanced features like Auto Unlock in macOS Sierra and watchOS 3, which lets you get into your Mac simply by wearing an authenticated watch.

Zibreg, Christian. “How to Protect Your Apple ID with Two-Factor Authentication.” Mid Atlantic Consulting Blog; iDownloadBlog, 21 Sept. 2016. Web.


Although the above article pertains to Apple ID, you can add this higher level of security to just about any of your accounts and/or devices.  One thing to realize is that two-factor authentication (2FA) is not a new solution and over the years many different 2FA options have developed. We know that narrowing down your options can be an overwhelming task, so we have done that part for you. We have a few solutions to the problem and will work with you to find the right one to suit your particular needs.

One of our experienced professionals would be happy to discuss the best options for you and your organization.

Give us a call at (732) 780-8615 or send us an email at support@trinityww.com to schedule a consultation.

Posted in: IT Support, Mobile Computing, Security, Tech Tips for Business Owners

Two-Factor Authentication: Methods and Myths

When I mentioned to a few friends that I was writing a feature about two-step authentication, the typical response was an eye-roll and “Oh, that annoying thing?…” Yes, that annoying extra step. We’ve all had that thought when we needed to get a code before we could log in or verify our identity online. Can I please just login without a barrage of requests?

However, after much research about two-factor authentication (often referred to as 2FA), I don’t think I’ll roll my eyes at it anymore. Let’s get to know two-factor authentication a little better, the different options out there, and dispel some myths surrounding that “annoying” extra step.

Most Common Alternatives For Using 2FA

SMS Verification

It’s commonplace for apps and online services to offer 2FA via SMS messages at the very least: either every time you log in or only when you log in from a new device. With this system, your cell phone is the second authentication factor.

The SMS message contains a short single-use code that you enter into the service. This way, Mr. Joe Hacker would need both your password and your phone to get into your account. One rather obvious concern is cell coverage: if you’re stuck in the middle of nowhere without a signal, or traveling abroad without access to your usual carrier, you won’t receive the message with the code and won’t be able to log in. A less obvious one is that the code goes to whoever controls your phone number, so an attacker who talks your carrier into porting the number to a new SIM (a “SIM swap”) receives your codes instead of you.

But most of the time, this method is convenient (we all live with our phone attached to our hand). And there are even some services that have an automated system speak the code so that it can be used with a landline phone if you can’t receive text messages.

Google Authenticator / App-Generated Codes

App-generated codes are potentially a better alternative to SMS because they don’t rely on your wireless carrier, and there’s a good chance you’ve already used at least one short-term code-generating app. Google Authenticator (made for Android and iPhone) is the most popular app in its category.

After setting up a given service with Authenticator, you’ll be prompted to enter an authentication code in addition to your username and password. You’ll rely on the Google Authenticator app on your smartphone to provide you with a fresh code. A new code is generated every 30 seconds by default, so sometimes you’ll have to work fast to enter the current code before it expires and the next one becomes the one to use. Even though the name is Google-centric, you can add a multitude of services to it beyond Gmail, including but not limited to Dropbox, LastPass, Amazon Web Services, Evernote, and many others.

If you don’t want to rely on Google for this kind of service, there are a few alternatives, of which Authy is considered the most comprehensive. Authy offers encrypted backups of the secret seeds from which the codes are generated, as well as multi-platform and offline support. LastPass recently launched its own authenticator as well.

These apps will keep generating time-based codes till kingdom come, with or without an internet connection; all they need is the shared secret scanned at setup and a phone clock that is roughly correct. The only tradeoff is that setting up the app is slightly complicated.
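To make concrete what Google Authenticator and Authy are doing when they produce a fresh code every 30 seconds, here is an added Python example (not code from either app or from the original article) of the TOTP algorithm they implement, RFC 6238 on top of RFC 4226 HOTP, using only the standard library. It covers both sides: the enrollment URI a service encodes into the QR code, and a server-side check that tolerates one step of clock drift but refuses a code that has already been accepted. The `demo_key` is the published RFC test key, and the account and issuer names are made up.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is Unix time divided into 30-second steps."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(key, for_time // step, digits)


def verify_totp(key: bytes, submitted: str, for_time: Optional[int] = None,
                step: int = 30, window: int = 1, last_counter: int = -1,
                digits: int = 6) -> Optional[int]:
    """Server-side check. Accepts codes up to `window` steps either side of the
    current one (phone clock drift) but never a counter at or below
    `last_counter`, so a code the user already spent cannot be replayed.
    Returns the matched counter (store it as the new last_counter) or None."""
    if for_time is None:
        for_time = int(time.time())
    now = for_time // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        # Constant-time comparison: don't leak how many digits matched.
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return counter
    return None


def new_secret_base32(nbytes: int = 20) -> str:
    """Fresh random seed (RFC 4226 recommends 160 bits), Base32 as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def decode_base32(secret: str) -> bytes:
    """Apps and sites often display the seed lower-cased, space-grouped and unpadded."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI a service encodes in the enrollment QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test key; never reuse a published key as a real seed.
    demo_key = b"12345678901234567890"
    print("RFC 6238 test vector, T=59:", totp(demo_key, for_time=59))  # 287082
    seed = new_secret_base32()  # assumption: enrolling a made-up account
    print(provisioning_uri(seed, "alice@example.com", "ExampleCorp"))
    code = totp(decode_base32(seed))
    print("current code:", code, "accepted:", verify_totp(decode_base32(seed), code) is not None)
```

In production the seed is stored per user (encrypted at rest), `last_counter` is persisted alongside it, and the window is kept small, since every extra step doubles an attacker’s chance of guessing a six-digit code; the service also rate-limits attempts for the same reason. The seed, not the codes, is what a backup service like Authy has to protect.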

Physical Authentication Keys

If dealing with codes and apps and text messages sounds like a headache, there’s another option that is on the brink of popularity: physical authentication keys. It’s a small USB device you put on your keychain, such as a FIDO U2F Security Key. When logging into your account on a new computer, insert the USB key and press its button. Done and done.

The standard behind these keys, U2F, is maintained by the FIDO Alliance, whose members include Google and Yubico. Google, Dropbox, and GitHub accounts are already compatible with U2F tokens. Because the key signs a challenge that is bound to the site’s origin, a look-alike phishing site on another domain cannot reuse the response, a guarantee that codes typed by hand cannot give. At some point in the future, physical authentication keys will work with NFC and Bluetooth to communicate with devices that don’t have USB ports as well.

App-Based and Email-Based Authentication

Some mobile apps skip the above options altogether and verify through the app. For example, enable “Login verification” on Twitter and when you log into Twitter for the first time from a new device, you must verify that login from the app on your phone. Twitter wants to make sure that you, not Mr. Joe Hacker, have your phone before you log in. Similarly, Apple uses iOS to verify new device logins: when logging in on a new device, you’ll get a one-time-use code sent to an Apple device you already use.

Email-based systems, as you probably figured out just from the title, use your email account as the second-factor authentication. When logging into an app or service that uses this option, the one-time-use code will be sent to your registered email address.

Myths / FAQ

What are common services where enabling 2FA is recommended?

  • Google / Gmail, Hotmail / Outlook, Yahoo Mail **
  • Lastpass, 1Password, Keepass, or whichever password manager you use **
  • Dropbox, Google Drive, iCloud, OneDrive (and other cloud services where you host valuable data)
  • PayPal and other banking sites you use that support it
  • Facebook / Twitter / LinkedIn
  • Your website hosting provider: WordPress, Softlayer, Rackspace, etc.
  • Steam (in case your game library happens to be worth more than your average bank account balance)

** These are particularly important because they usually serve as a gateway to everything else you do online: a password reset for almost any other account lands in your mailbox or your password manager.

If you are wondering whether a certain site or service supports 2FA, twofactorauth.org provides a very comprehensive list.

If there’s a security breach, turn on two-factor authentication ASAP

The problem is that you can’t just flip a switch and turn on 2FA. Starting 2FA means tokens have to be issued, or cryptographic keys must be embedded in other devices. And since 2FA is so heavily reliant on user participation, don’t expect it to be up and running super quickly.

Should I enable two factor authentication or not?

Yes. Especially for critical services that contain your personal data and financial information.

Two-factor authentication is impervious to threats

No. 2FA depends on both technologies and users, and both are flawed, so it is flawed too. 2FA that uses SMS as the second factor relies on the security of the wireless carrier. It has also happened that malware on a phone intercepts SMS messages and forwards them to the attacker. Another way 2FA can go wrong is when a user isn’t paying attention and approves an authentication request (maybe a pop-up message on their Mac) that was triggered by an attacker’s login attempt.

Two-factor solutions are (basically) all the same

This may have been true at some point, but there has been much innovation in 2FA recently. Some 2FA solutions use SMS messages or emails. Others use a mobile app that holds a cryptographic secret, or keying material stored in the user’s browser. Reliance on third-party services is something to think about and should be improved upon: such services have been breached, and in some instances the authentication has failed as a result.

Two-factor authentication is an annoying extra with little benefit

Well, with this attitude we’ll never get anywhere. In reality, some businesses or services approach 2FA as a compliance requirement, instead of something that can help reduce fraud. Some companies use the minimum required 2FA that barely does anything, just to check off the 2FA box. As a user, it can be annoying to use 2FA, but if the company is using a flexible authentication method (not just the bare minimum) it can reduce the possibility of fraud. And who doesn’t want that?

It’s the end of 2FA as we know it

Maybe. Everything you’ve just read is about 2FA today, and we don’t know a lot about the future besides that it will change and become more commonly used. The most hope-inducing and cool part of 2FA is that it can become much better as time goes on. Right now, 2FA is still sitting on the outskirts of the crowd. So, it will be interesting to see if 2FA security and ease of use can improve enough that it becomes a tool we all love.

Pope, Devin Kate. “Two-Factor Authentication: Methods and Myths.” TechSpot, 21 Sept. 2016. Web. 06 Oct. 2016.


Although the above article pertains to Apple ID, you can add this higher level of security to just about any of your accounts and/or devices.  One thing to realize is that two-factor authentication (2FA) is not a new solution and over the years many different 2FA options have developed. We know that narrowing down your options can be an overwhelming task, so we have done that for you. We have a few solutions to the problem and will work with you to find the right one to suit your particular needs.

One of our experienced professionals would be happy to discuss the best options for you and your organization.

Give us a call at (732) 780-8615 or send us an email at support@trinityww.com to schedule a consultation.

Posted in: IT Support, Security, Tech Tips for Business Owners


Employee Negligence The Cause Of Many Data Breaches


Enterprise privacy and training programs lack the depth to change dangerous user behavior, Experian study finds.

More than half of organizations attribute a security incident or data breach to a malicious or negligent employee, according to a new survey.

Sixty-six percent of the 601 data protection and privacy training professionals surveyed for the Managing Insider Risk through Training & Culture report say their employees are the weakest link in their efforts to create a strong security posture.

Awareness of the insider risk, though, is not influencing many companies to put in place practices to improve the security culture and training of their employees, the Experian Data Breach Resolution and Ponemon Institute report found.

Only 35% say senior executives think it is a priority to ensure that employees are knowledgeable about how data security risks affect their organizations, and 60% say employees are not knowledgeable or have no knowledge of the company’s security risks.

“It’s no surprise that employee-related security risk is their number one concern,” says Michael Bruemmer, vice president of Experian Data Breach Resolution. “As we have seen in our incident response service that we do for clients, about 80% of all the breaches we service have a root cause in some type of employee negligence.”

Training Programs Inadequate

Each of the organizations in the survey has a training program, but many of these programs do not have the depth and breadth of content to drive significant behavioral changes and reduce the insider risk. Only half of the companies agree or strongly agree that current employee training actually reduces noncompliant behaviors.

Forty-three percent of respondents say that training consists of only one basic course for all employees. These basic courses often do not provide training on the risks that can result in a data breach: 49% of the respondents say training in their organization does not include phishing and social engineering attacks. Only 38% of respondents say the course includes mobile device security, and only 29% say courses include the secure use of cloud services.

Less than half (45%) say their organizations make training mandatory for all employees. Even when it is mandatory, exceptions are made for certain individuals. For example, 29% of respondents say the CEO and senior-level executives in their companies are not required to take the course.

Additionally, if an employee doesn’t pass a privacy test or do well on a training course, 60% of the companies in the survey don’t require them to do anything else but check off the right answers on the test, Bruemmer says.

Responsibility Starts At The Top

The responsibility for data protection and cybersecurity should start at the top with company board members and senior management, he notes. Cybersecurity should be one of the top five strategic priorities, he says. And if companies are setting up an organizational structure, the chief information security officer or an executive with that responsibility, must report at a minimum to the CEO, if not directly to the board.

“So cybersecurity, privacy, and data breach response must have a priority at the highest level of the organization,” Bruemmer says. To back up that argument, Bruemmer notes that 29% of the cybersecurity professionals surveyed say that the lack of senior executive buy-in contributed to the inefficient training.

“In this day and age, given the cost of a data breach, which is about $6.2 million per incident, to not spend the money upfront to address the number one cause of data breaches – a relatively low cost compared to some of the other preparations – it just seems like there is a real miss here,” Bruemmer says.

Mitigating the insider risk, according to Bruemmer, should include both culture and training. Sixty-seven percent of respondents say their organizations do not provide incentives to employees for being proactive in protecting sensitive information or reporting potential issues.

The report recommends that companies should provide employees with incentives to report security issues and safeguard confidential and sensitive information, as well as better communicate the consequences of a data breach. Plus, companies should “gamify” training to make learning about potential security and privacy threats fun.

Meanwhile, federal cybersecurity professionals also recognize that people can be their organization’s greatest cybersecurity asset or greatest liability: 42% of cybersecurity executives surveyed for a new (ISC)² and KPMG LLP report say that people are currently their agency’s greatest vulnerability to cyberattacks.

Lack of accountability was also a consistent theme throughout the federal survey results, as some respondents were unable to identify a senior leader at their agency whose sole responsibility is cybersecurity. Federal cybersecurity executives are still struggling to understand how attacks could potentially breach their systems a year after hackers stole the personal information of 22 million people from the Office of Personnel Management databases, according to the (ISC)² report.

Yasin, Rutrell. “Employee Negligence The Cause of Many Data Breaches.” Dark Reading. Web.


In 2015, 43% of data breaches were a result of employees; half were intentional, and the other half accidental. So let us help you with the “accidental”…

Phishing, spear phishing, and socially engineered emails and links are designed to get your employees to open the door to malicious attacks, and they appear in various forms. We believe that the best approach is to take a defensive stance by arming your staff with the most up-to-date information. And since we believe that knowledge is power, we have put together a presentation that explains the many deceptive tricks of hackers and the most common mistakes made by end users. We also have a method to reinforce training: a simulated phishing campaign that tests who will “click”.

Employee awareness is the key to fighting the cyberwar!

Give us a call at (732) 780-8615 or send us an email at support@trinityww.com to set up an appointment for a security consultation.

 

Posted in: Business, IT Support, Security


Dropbox’s Big, Bad, Belated Breach Notification

69 Million Dropbox Passwords Compromised; Last.fm Reportedly Breached in 2012

To the annals of super-bad historical mega breaches that no one knew about, add a new entry: file-hosting service Dropbox. Separately, music service Last.fm also was reportedly breached badly in 2012, although that has yet to be independently confirmed.

On Aug. 27, Dropbox began alerting customers that if they had signed up to the service before mid-2012 but not changed their passwords since mid-2012, then they would be required to do so.

“We recently learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012,” Dropbox says on its website, indicating it first heard related rumors in mid-August. Resetting the passwords that it believes may have been exposed “ensures that even if these passwords are cracked, they can’t be used to access Dropbox accounts,” the alert notes.

Dropbox first learned about that breach in 2012 and issued an alert to users in July of that year, saying it had traced the breach to an employee reusing their corporate password across multiple sites. The company said it added new security features designed to protect against such breaches. But at the time, Dropbox evidently failed to comprehend the true magnitude of the breach and forced relatively few password resets.

What’s belatedly come to light, however, is that as a result of that 2012 breach, details for almost 69 million user accounts – including email addresses and hashed passwords – were stolen. The information reportedly began circulating recently on underground forums.

More Historical Mega Breaches

This year has seen a spate of mega breaches belatedly coming to light. Four announced in May came from MySpace – the date of its breach remains unclear, though it’s obviously not recent; LinkedIn, which disclosed that its 2012 breach resulted in 165 million passwords being compromised; Tumblr, which warned that 65 million accounts were breached in 2013, prior to its acquisition by Yahoo; and “adult social network” Fling, which said that 41 million accounts were breached in 2011.

On Sept. 1, paid data breach site Leaked Source described yet another old, alleged breach, this one hitting music service Last.fm. Leaked Source claims that the service was hacked in March 2012 and data on 43.6 million users – including usernames, email addresses and passwords – was stolen. While that breach has yet to be independently verified, Leaked Source says that it successfully cracked 96 percent of the site’s unsalted passwords, which had been hashed with MD5.

Last.fm didn’t immediately respond to a request for comment on that report.

Dropbox Breach: Worse than Believed

Dropbox’s Aug. 27 breach alert arrived just a few months after several identity theft services misreported that user data from the site had been leaked (see Dropbox Confident Amidst Breaches).

It turns out, however, that the 2012 Dropbox breach appears to have been much worse than originally believed. Indeed, sometime after Dropbox was hacked in mid-2012, “a large volume of data totaling more than 68 million records was subsequently traded online and included email addresses and salted hashes of passwords, half of them SHA-1, half of them bcrypt,” says Troy Hunt, who runs the free Have I Been Pwned? website.

Security experts laud bcrypt as an excellent, purpose-built password-hashing algorithm, but warn that SHA-1 – as well as MD5 – are deprecated for this purpose and shouldn’t be used: they are fast general-purpose hashes, so an attacker can test billions of guesses per second against a leaked hash, whereas bcrypt is deliberately slow and always salted. Dropbox, to its credit, in recent years appears to have phased out SHA-1 in favor of bcrypt.
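The difference between the Last.fm case above (unsalted MD5, 96 percent cracked) and a salted, slow hash is easiest to see by running both attacks. The following is an added example, not code from either article or from Dropbox; it uses a constructed five-word wordlist and constructed leaked records, and stands in PBKDF2-HMAC-SHA256 from the Python standard library for bcrypt, since both are salted, iterated, tunable-cost schemes and bcrypt is not in the standard library.

```python
import hashlib
import hmac
import os

# Constructed, deliberately tiny wordlist for the demonstration.
WORDLIST = ["password", "123456", "letmein", "dropbox2012", "qwerty"]


def md5_unsalted(password: str) -> str:
    """What a site like the one described above stored: one fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(leaked_hashes, wordlist):
    """Without a salt, one table of word -> hash serves every account in the dump:
    the attacker hashes each candidate once and looks up all 43 million rows."""
    table = {md5_unsalted(word): word for word in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}


def pbkdf2_hash(password: str, iterations: int = 100_000, salt: bytes = None) -> str:
    """Salted, slow hash. A fresh 16-byte random salt per user means two users with the
    same password get different hashes, and no precomputed table applies."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; constant-time compare of the result."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored_records, wordlist):
    """With per-user salts there is no shared table: every guess is recomputed for every
    record, and each guess costs `iterations` HMAC evaluations instead of one."""
    cracked = {}
    for user, stored in stored_records.items():
        for word in wordlist:
            if pbkdf2_verify(word, stored):
                cracked[user] = word
                break
    return cracked


def attack_work(n_records: int, n_words: int, iterations: int) -> tuple:
    """Hash evaluations the attacker needs in the two cases (worst case for salted)."""
    return n_words, n_records * n_words * iterations


if __name__ == "__main__":
    # Constructed "leak": two users with common passwords, one with a strong one.
    leak = [md5_unsalted("letmein"), md5_unsalted("qwerty"), md5_unsalted("xK9!v#2pLm")]
    print("unsalted MD5 cracked:", crack_unsalted(leak, WORDLIST))
    records = {"alice": pbkdf2_hash("qwerty", iterations=1000),
               "bob": pbkdf2_hash("xK9!v#2pLm", iterations=1000)}
    print("salted PBKDF2 cracked:", crack_salted(records, WORDLIST))
    print("work (unsalted vs salted):", attack_work(43_600_000, 5, 100_000))
```

The point is not that a salt makes a weak password safe (alice still falls), but that the unsalted table attack recovers every “letmein” in one pass, while the salted, iterated scheme multiplies the attacker’s cost by the number of accounts and by the iteration count.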

Technology news site Motherboard reports that it obtained a sample of the data that hackers allegedly stole from Dropbox, and that it contains details relating to 68.7 million accounts, including email addresses and hashed passwords. It says that an unnamed, senior Dropbox employee confirmed that the information was legitimate.

Dropbox couldn’t be immediately reached for comment on that report.

But Hunt says he independently reviewed the data and found it to be authentic. He acknowledges that it contains old passwords set by him and his wife.

Schwartz, Matthew J. “Dropbox’s Big, Bad, Belated Breach Notification.” Data Breach Today, September 2016.

Posted in: Cloud Computing, Security


10 mobile security myths that need debunking

Mobile devices have introduced plenty of legitimate concerns, but there are some misconceptions floating around that may lead companies to focus on the wrong issues–or to ignore the real risks.

Securing mobile devices is a continuing challenge for enterprises as they deploy more mobile applications. In some cases, security risks are overblown; in others, they are underestimated. What myths about mobile security should IT security managers be aware of?

1: Mobile devices don’t need encryption

A surprising number of companies don’t implement data encryption on mobile devices. If these devices are being used as thin clients only, with enterprise data being stored in the cloud, there is less need for encryption. However, more and more mobile devices store contact lists, photos, price lists, sales notes, and other sensitive information. The localized storage enables field-based personnel to keep working even if the cloud becomes unavailable. For these reasons alone, encryption should be more widely considered.

2: Wearables don’t need to have security practices applied

Wearable devices are just beginning to make an entry into enterprises. In early applications, they are used for things like capturing photos of crime scenes in police work and photos of equipment in the field that needs repair and must be referred to an internal company expert. However, less than 60% of these devices are secured, according to a recent Tech Pro Research mobile security report. As more of these devices are dispensed for field operations, IT might need to rethink this.

3: It’s okay to skip mobile security evaluations in IT audits

When it comes to mobile devices, organizations tend to focus their mobile security audits on the network and its centralized monitoring and downloads to these devices. They should also focus security audits on employee mobile device practices in the field and on the security measures that are resident on devices themselves.

4: Mobile devices are inherently less secure than desktop devices

Mobile device security doesn’t have to be less robust than the security found on desktops. In some cases (such as the ability to track and shut down mobile devices remotely), mobile devices might even be more secure. Mobile devices also have small data footprints, using the cloud to store data, so they are unlike “fat client” laptop counterparts that have hard drives full of data. As a result, less data may be exposed to security breaches on mobile devices.

5: BYOD devices promote lax security practices

This isn’t necessarily the case. If IT has firm guidelines for qualifying which mobile devices will be accepted in its BYOD program, coupled with usage practices and IT security practices that are uniformly enabled, monitored, and administered on these devices, BYOD can be just as secure as enterprise-issued mobile devices.

6: Mobile devices have more security software vulnerabilities

Mobile devices do not have any more software security vulnerabilities than desktop computers. The difference is that mobile devices are in the field, so IT has to enact a centralized method of delivering new security and software patches down to these devices from the network as soon as patches are available.

7: Mobile devices don’t need two-factor authentication

Mobile devices are prone to being misplaced or lost, so an additional sign-in step beyond just user ID and password can help secure them. It’s advisable for all mobile devices to use two-factor authentication: something the user has (a code from an authenticator app, a push approval, or a hardware token) in addition to the user ID and password. A secret question such as where you went to high school is not a second factor; it is just another thing the user knows, and often something an attacker can look up.

8: Laptops are less vulnerable to security breaches than tablets and mobiles

Laptops and desktops in the office aren’t necessarily more secure than mobile devices. A primary reason is that many laptops and desktops still contain resident hard drives that store sensitive data. This creates greater risk that data can be stolen, compromised, or shared with unauthorized users.

9: Desktop PCs and laptops don’t get lost

Laptops and desktops do get lost, although not at the same rates as mobile devices. Even five years ago, lost laptops were costing organizations $18 billion annually—and the problem still exists today. IT should track this equipment with asset management software and other measures, in the same way it tracks lost or misplaced mobile devices.

10: Public app stores are safe

Smaller companies lacking their own network infrastructures for downloads will sometimes use public app stores to effect these downloads to their users—and in many cases, companies of all sizes will use public app stores to download handy applications to their end customers. These app stores have taken numerous precautions to ensure that downloads are safe and secure—but it doesn’t mean that they don’t experience security breaches, malware threats, and hacks. The best policy (especially for internal application downloads) is to create your own download procedures that your network administrator directly oversees.

Shacklett, Mary. “10 mobile security myths that need debunking.” TechRepublic, July 2016.

Posted in: Mobile Computing, Security


The Rise of ‘Have I Been Pwned?’, an Invaluable Resource in the Hacking Age

Troy Hunt has a database of 292,434,781 stolen user accounts.

The staggering amount of hacked data includes information sourced from 91 different websites that were compromised by hackers, including Adobe (152,445,165 accounts), Snapchat (4,609,615 accounts), and YouPorn (1,327,567 accounts).

But, as you may already know, Hunt doesn’t distribute or sell this data. Instead, it’s the backbone of Have I Been Pwned (HIBP), a website dedicated to informing victims of data breaches. (“Pwned,” in case you’re not familiar, is a slang term for being hacked, or otherwise having your digital security compromised.)

The idea is simple enough: enter your email address into HIBP, verify that you control it, and the site will search through its hundreds of millions of records and return any breaches you’ve been swept up in. Potential victims will also be notified if their email address appears in any future dumps that Hunt obtains.

Although many of the original data breaches include even more sensitive information like credit card information and passwords, Hunt only saves the user names and email addresses, so that people can find out whether they’ve been affected in a data breach.

Around 10,000 people visit HIBP every day, and 350,000 people have subscribed to getting an email notification if their information appears in a new breach.

Hunt started the site back in late 2013. At the time, Hunt, an Australian web security expert, was analyzing trends in data breaches, such as the common reuse of passwords across different dumps. He got the idea after noticing how many massive data breaches affect large numbers of people—people who may have had no idea they’d been compromised.

“Probably the main catalyst was Adobe,” Hunt said. In October 2013, 153 million Adobe accounts, including email addresses, usernames, hashed passwords and plain text password hints were breached. But naturally, Adobe wasn’t the only large dump circulating around that time: breaches from Gawker, Yahoo, and Sony were all being traded too.


“I started to wonder how many people are actually aware of just how broad this web is spreading, and how many places their data is now exposed,” Hunt said. With that, he started putting together the pieces for HIBP, and wrote the first version in the middle of a flight.

Data breaches are incredibly common today. If someone is victimized, they are at risk of hackers logging into accounts, the theft of financial information, and more besides. And often, companies don’t notify their customers of a breach until long after it’s happened, leaving them even more vulnerable to attacks. If a victim is aware of the breach as soon as it happens, they can at least reset their credentials or be more vigilant to protect themselves.

“I want the people to be aware that they probably need to change their password, and they need to look out for unusual credit inquiries,” Hunt said.

How Hunt gets that data varies from case to case. Sometimes, a public-facing individual who has come across the dump will send it Hunt’s way; other times, someone involved in the illegal trading of stolen data will forward a copy.

“There is a massive trade in stolen data,” Hunt said, likening it to the collection of baseball cards. These people might not necessarily have any malicious interest in the data itself, but simply collect, swap and archive data sets.

“Sometimes it takes four, five years before data either comes my way, or just begins to be broadly circulated,” Hunt said.

But sometimes the hackers who carried out the breach will contact Hunt directly and provide newly obtained data.

“Frankly, it pisses me off when I hear from these guys,” said Hunt, who wants to ask the hackers, “What is wrong with you?”

“Running this service exposes me to the shadier side of the web, and consequentially some shady people,” he said.

On the face of it, a hacker obtaining a dump, and then sending it to Hunt who plans to allow people to check its contents for free is pretty counterintuitive. But hackers are pulled by all sorts of different motivations, be those for ideology or fame as well as cash.

“It’s exposure, it’s kudos, it’s credibility,” Hunt added.

The site includes breaches from Forbes, Comcast, and Patreon, and even more personal services, such as AdultFriendFinder, YouPorn, and extra-marital affairs site Ashley Madison.

The publication of gigabytes of user data from Ashley Madison stood out to Hunt as particularly damaging. “I don’t think we’ve seen another breach where people have killed themselves as a result of it,” he said. The records of some 30 million user accounts were dumped online in 2015.

Another stand-out breach for Hunt was VTech, the Hong Kong toy company, which not only contained account information, but photos of children too.

“I haven’t seen [another] data breach that impacted kids that way,” Hunt added.

There have been data breaches that Hunt has decided not to host, however.

“Other times I’ve outright said no, or I’ve reported it to the companies,” he said.

One of those was from a Dutch financial system that facilitated transactions between banks. Hunt received the data, got in touch with the affected company, and suggested they inform their customers.

One reason for this was because of possible legal ramifications.

“I want to be able to keep this service running, and I don’t want to step on the wrong side of an organization, such that one of them gets a bee in their bonnet, and then takes legal action,” Hunt said. In a case like that, he wouldn’t want the company first learning of the serious breach via a public posting on HIBP.

To date, Hunt hasn’t faced any legal action because of his site, but law enforcement have asked him for more information about what exactly was contained in a specific breach.

“I’ve had queries from FBI, Australian Federal Police, other law enforcement, legal professionals wanting to mount class actions: none of these, in any way [were] upset with what I’m doing with haveibeenpwned, but most of them [wanted] to understand more about the data,” he continued.

As for what he has learned from years of collating breaches, Hunt says it’s the free or cheap sites in particular that have exhibited really rubbish security over the years.

“There can be no way that those who manage the software development in these organizations, are not aware,” of the myriad of breaches that are going on, everyday, all around the web, Hunt said.

“Tomorrow it will be someone else, in exactly the same boat. It just frustrates me enormously.”

Cox, Joseph. “The Rise of ‘Have I Been Pwned?’, an Invaluable Resource in the Hacking Age.” Motherboard, March 2016.

Posted in: Security, Tech Tips for Business Owners


8 Easy Ways to Combat Smartphone & Computer Eyestrain


Chances are you spend most of your day staring at some sort of screen. You may work in front of a computer all day. At lunch or on breaks, you probably check social media on your phone; the average American checks their smartphone 46 times a day. And when you get home, you probably find plenty of reasons to get back on the computer, from helping the kids with homework to catching up with friends on Facebook.

The hours you spend in front of a screen might not seem like a big deal at the time, but your body pays a price. If you spend three or more hours a day staring at a computer, smartphone or tablet screen, you may suffer from computer vision syndrome, which affects as many as 90 percent of computer workers.

Staring at a monitor all day is harder on your eyes than other activities. Compared to a printed page, computerized images may not be as crisp, contrast might not be as good and glare can make your eyes work harder to see. After a few hours, your eyes can get tired, which is when computer vision syndrome kicks in. While any frequent computer user may suffer from CVS, people with existing eye problems are more likely to have eyestrain from overusing computers or smartphones.

Not sure if too much time in front of a computer is affecting your eyes? Here are the common symptoms of CVS.

  • Eyestrain
  • Headaches
  • Blurred vision
  • Double vision
  • Dry eyes
  • Neck, shoulder or back pain

You may be suffering from these symptoms without even considering whether your screens could be the culprit.

Fortunately, solving screen-related eyestrain doesn’t mean throwing your smartphone away or shutting down your computer for good. Changing your technology habits can take the strain off your eyes and ease symptoms of CVS.

1. Take regular breaks

Taking breaks is good for more than your eyes. Sitting at your desk all day is bad for your health. Stand up and get away from your computer every hour, even if it’s only a few minutes to stretch or get a drink. Giving your eyes and body a break is something both will appreciate.

If you have trouble remembering to pull yourself away, whether that means from writing a key report for your boss or catching up on “House of Cards” at home, try a reminder app. Time Out for Mac OS and EyeLeo for Windows both remind you to take regular breaks, and EyeLeo walks you through helpful eye exercises. Some fitness trackers can also remind you to get up and move regularly, including the Fitbit Alta ($119 on Amazon), the Jawbone Up3 ($62 on Amazon) and the Apple Watch ($299 on Amazon). If you prefer to keep things simple, set an alarm on your phone to remind you when it’s break time.

If you have to stay glued to your screen, remember the 20/20/20 rule. Every 20 minutes, spend 20 seconds looking at something 20 feet away. Even this short break is enough to reduce eyestrain. Regular breaks can prevent problems in the future.

2. Blink more

Simply blinking more frequently can significantly reduce eyestrain. We tend to blink less when we’re staring at a computer or smartphone screen, which can cause eyes to become dry and irritated.

Because blinking isn’t typically something we do consciously, blinking more often can be more difficult to remember than it sounds. If you’re having trouble remembering to blink, eye drops can also help moisten your eyes.

3. Position your screen properly

Whether you’re using a computer, smartphone or tablet, there’s a good chance you have it too close to your eyes or at a bad angle. A computer monitor should be 20 to 30 inches away from your eyes — about arm’s length. The top edge of the screen should be at eye level, so you don’t have to significantly move your neck or your eyes to see what’s on the screen.

While you don’t need to hold your smartphone quite that far away, you shouldn’t hold it right in front of your face, either. Aim to hold your phone 16 to 18 inches away. If this makes it too hard to read (the likely culprit for holding it too close in the first place), adjust your phone’s font size and contrast settings until it’s comfortable to read.

4. Reduce glare

Be sure your monitor is positioned in a way that it doesn’t catch glare from nearby windows or lights. Adjust curtains or blinds, try placing lights in different positions and move your computer until you find a spot where you can work without glare or reflections on the monitor.

Overly bright lights can cause glare problems too. Consider replacing high-lumen bulbs with something a little dimmer.

If you simply can’t find the right spot for your computer, buy an anti-glare filter for your monitor. Also known as privacy filters because of their ability to make it difficult for others to see what’s on your screen, these cover your monitor to help reduce harsh glare. They’re especially good in office environments with bright fluorescent lights. Expect to spend around $30, though prices vary depending on monitor size. Measure your screen to get the right filter.

For smartphone and tablet users, preventing glare is even more important. We carry our phones wherever we go, which means changing the office setup doesn’t apply. Some phones have screens that reduce glare, like Corning Gorilla Glass, a popular choice for smartphones because of its durability.

If your phone doesn’t have anti-glare glass (or if it’s not effective enough to cut the glare), buy an anti-glare screen protector for around $10. Buy one designed for your phone model to ensure the right fit.

5. Keep it clean!

Clean your screen to ensure text and images stay looking crisp and legible. Never spray liquid cleaner on your screen. Use a dry microfiber cloth or other cleaning cloth designed for screens.

If you wear glasses, keep your glasses clean, too. Fingerprints and smudges make it harder to see and put more strain on your eyes.

6. Adjust your screen settings

Make sure your screen settings are easy to see at the appropriate distance. Your monitor shouldn’t be too bright or too dim. Aim for a brightness similar to the room’s ambient lighting. Most smartphones and tablets have a setting that automatically adjusts the brightness for the best viewing.

You can also change the resolution of your screen (a lower resolution makes everything on your display look larger), increase your font size and adjust the contrast so that everything looks crisp and easy to read. These settings will appear in different places on various devices; go to your settings or control panel window and look for the display options.

7. Avoid blue light

Digital screens produce blue light, which can be another source of eyestrain and can make it harder to fall asleep at night. To help, try an app called F.lux, which lends your computer screen an amber tint after sundown. This reduces the amount of blue light emitted and is easier on the eyes in the evening.

Your mileage with these apps and tools may vary. Some report that F.lux is a lifesaver, but others can’t stand the orange tint to their screen. If you try F.lux, adjust the color settings before you give up on it entirely.

For the iPhone and iPad, a setting called Night Shift (find it under Settings > Display & Brightness > Night Shift) does this automatically. Night Shift’s color change is milder than that of F.lux. The features will be included in the next version of Mac OS.

Some apps offer so-called night modes, but this typically refers to giving the app a dark background rather than a light one. Some people find this easier on the eyes, but you won’t find the option in every app.

8. Try computer glasses

Computer glasses are a more expensive answer than changing your computing habits, so work your way through the tips above before you spend money. But even if you don’t wear prescription glasses, computer glasses could help. These glasses come with top-notch anti-glare lenses and sometimes a slight amber tint to help block blue light. Some include a slight magnification similar to reading glasses to keep things looking sharp.

Computer-specific glasses are also available with prescription lenses, and your optician can help you with anti-reflective coating or tinted lenses.

Whether you wear glasses or not, if you’re having continued eyestrain, it may be time to see an optometrist or ophthalmologist. You could need glasses or a new prescription, and not wearing the correct corrective lenses can cause eyestrain and make CVS worse.

If you’d like to try computer glasses, check out Gunnar ($45+ on Amazon). Your health insurance may cover part of the cost.

Harper, Elizabeth. Techlicious, “8 Easy Ways to Combat Smartphone & Computer Eyestrain,” August 2016.
