After being tech support for my mom and sorting out my parents’ affairs when my father got cancer and my mom got Alzheimer’s, I’ve gathered some insights on the vulnerability of the previous generation to cyber threats like phishing, spoofing and identity theft.
This is my security perspective and it will be different for each person. Take what works and adapt. The goal is to raise awareness that helping the previous gen stay safe is as important for them as it is for keeping you safe. And yes, these tips can be applied to every generation.
I break down the tips into the following categories:
- Own & Protect Identity
- Assess Access Vulnerability
- Limit Online Footprint
- Social Media Safety
- Clean-up Footprint
- Weigh Economics
- Question Authority
The key threats to be aware of, and the ones these tips focus on, are:
- Phishing is an attack that exploits regularly used communication channels where the bad actor pretends to be someone you trust so they can steal information or money.
- Spoofing is changing the caller ID on a phone call to look like a number you would trust, or forging an email header so the message looks like it came from someone you trust, like a bank.
- Identity theft is the deliberate use of someone else’s identity to gain financial or other advantage in the person’s name.
Even though I share examples from handling my mom’s care, helping the previous gen be safe is needed across the board, whether the person has a disease or not. The main points to remember when you are helping are: be respectful, be patient, keep it simple and meet them where they are in what they can do.
And it’s good to be a little bit paranoid at times.
Own & Protect Identity
Take ownership of, and steps to protect, the identity and accounts that can be used to access information or finances, or to take other actions that take advantage of the person. Help the previous gen person in your life do the following to better protect her/his identity.
- Sign up for core accounts that haven’t been set up yet, especially financial, utilities and healthcare, so malicious actors can’t sign up first and take advantage (especially Social Security, to prevent identity theft).
- Set up a password manager to centralize the passwords and make them easier to track, update and share/manage remotely. As my mom forgot things, she only had to keep track of a single password to get access to all of her passwords, which kept her independent a lot longer. Note, keeping passwords written on paper can be ok in some cases. Assess your situation and where there are vulnerabilities with that approach.
- Make sure password(s) and login details are stored somewhere someone you trust in your life can access. When my father passed, I struggled to figure out how to get into his account and never fully unlocked his computer.
- Add extra layers of complexity and protection for logins:
  - Vary usernames (use a different one for each account)
  - Use random, long, diverse passwords, with a different one for every site
  - Set up 2FA (two-factor authentication) with at least text messages, but try for FIDO
  - Use fake answers for security questions
Do what is easiest for the person you are helping as well as for yourself to track account details.
Assess Access Vulnerability
Phishing and spoofing are key attacks used to prey on everyone across different communication channels (e.g. phones, snail mail, email, text messages, cell, applications, etc.). You want to take steps to help reduce the attack surface and inform those in your life from the previous gen. Below are some steps I took when my mom was living alone and still using tech.
- Install tech patches and updates when they come out. I would do this regularly when visiting my mom in the past. Better yet, automate the updates.
- Redirect communication channels for your review. When I found my mom had been shoving her unopened mail into drawers for months, I permanently forwarded it to my home, which you can do through USPS.
- Use VirusTotal to scan suspicious links. Most of us don’t click links anymore, but if you have one you want to click, VirusTotal can assess the link.
- Open & send attachments in Google Drive. It has virus scanning features and allows you to remove access permissions if needed.
- Turn off image loading for email.
- Set up security cameras for monitoring and protection. I know this gets into an interesting discussion, but it’s your call for your situation. I installed cameras at the doors into my mom’s house a year into suspecting her illness. First, it helped me see and weigh in on people she was concerned about. It transitioned into a way to check on her as she became more confused, especially when trying to get her to stop driving (it was like having a teenager).
A specific note about spam calls. My mom was easily getting 90% spam calls on her landline the last year she had her phone. By 2019, it’s estimated 50% of cell calls will be spam, and it seems like it’s much higher already. An approach I’ve adopted and recommend to others is when someone calls claiming to be from a company, I refuse to answer any questions. I end the call (if I’ve even answered), look up the company number online and call back. Also note, the IRS doesn’t call, they send mail.
It’s important to know/remember that phishing attacks have continuously evolved as our communication channels and approaches have changed. Thus, we have to stay cautious and informed as well as help the previous gen when using those channels.
Limit Online Footprint
All sorts of data is being collected about us in various places. As my mom became more confused, I knew one of the best ways to protect her and empower her to live independently longer was to limit how many people knew about the disease. Basically, limit how much I talked about it and to whom. This included online interactions.
When I did a search on cancer after my dad’s diagnosis, I noticed targeted content and messaging regarding cancer everywhere I looked online, in social media and in apps. And no, this wasn’t the same as when you break up with someone and notice all the songs on the radio are about breakups (for those from my generation and before who remember listening to music on the radio). Anyway, I was deliberately cautious about how I did my Alzheimer’s research initially.
If you want to take some steps to limit data collection consider:
- incognito browser
- VPN (virtual private network)
- HTTPS Everywhere
- browser extensions and plugins to minimize footprint (be cautious about which browser plugins and phone apps you use, because they also capture data)
You can also use a friend’s computer or not do the research if you want to go the extra mile. Again, you have to make the call on what works best for your situation.
Social Media Safety
This is really more of a subsection to limiting the online footprint because part of doing that is being careful about what you share through social media.
We’ve all heard stories of how social media is used against others and I purposefully did not share anything about my mom’s condition anywhere on social media until she was no longer living alone.
When thinking about how to approach social media, here are some things to consider:
- What have you shared?
- What have others in your life shared?
- What content is in the photos you are sharing that someone can exploit?
- Think before publishing.
- Discuss with friends and family what & how to share.
- Limit connections because you don’t need to link to everyone.
- Check account privacy settings. (Are you sharing, and do you want to share, the location of tweets or FB posts, or what you paid someone?)
It’s your call on what and how much you share online. The main thing, especially when someone is vulnerable, is to think about whether anything shared can make the previous gen in your life a target.
Clean-up Footprint
Data exists and is being captured on everyone by many different groups. Some of the groups that collect data on us and make it available to find are called Data Brokers or Information Brokers. Actions you can take to help clean up your footprint are the following:
- Request removing info from Data Brokers.
- Use services to manage requesting data removal.
- Flood the Internet with fake information about you (also known as data pollution).
Data Brokers | People Search
Below is an example list of key brokers and removal links (not exhaustive):
- Spokeo (remove: http://www.spokeo.com/opt_out/new)
- Anywho.com (remove: http://www.anywho.com/help/privacy)
- Intelius (remove: https://www.intelius.com/optout.php)
- Radaris (remove: http://radaris.com/page/how-to-remove)
- Mylife (remove: call)
- Truthfinder (remove: https://www.truthfinder.help/remove/)
- Whitepages (remove: https://support.whitepages.com/hc/en-us/articles/115010106908-How-do-I-edit-or-remove-a-personal-listing-)
The challenge with removing data from a Data Broker database is that it is hard to fully remove your information from all the brokers. The brokers have many different spin-off sites and your request on one doesn’t necessarily remove it from all. You also have to get all of your family and friends to remove their information. This requires repeated requests because the data will get pulled for a period of time and usually resurface.
An alternative to manual removal is hiring a service. A friend of mine used DeleteMe. I have not used it but it was effective for her. There are other options out there that I recommend you research, and know that it can be costly. As for data pollution, this is an interesting example of someone working on a product to help. It has its pros and cons on the approach for flooding the Internet with fake data on you. If you want to get a kick out of seeing what this can look like, look up Donald Duck on the Data Broker sites I’ve listed above.
Weigh Economics
When you break it down, you have to think about what is really worth it. Is the attack worth it for the bad actor? Is it worth it to take the steps to protect the account, the app, the phone, the fill-in-the-blank? The economics of the attack weigh into why you would help the previous gen protect what they have. And it helps keep it reasonable and attainable to set up protection that the person you help can adopt.
For example, it was worth it getting my mom to adopt a password manager and add two-factor authentication to key accounts, especially financial. I was able to hold off for a while on taking away her landline despite how many spam calls she received because she wasn’t answering her phone unless she recognized the name in caller ID.
You want to keep the solution as simple as possible, and the best way to do that is to evaluate what is worth spending energy protecting and focus efforts there.
Question Authority
Do not always answer every request for information from “authority” figures (government, medical, financial, whatever). I’ve had to fill out a lot of forms and deal with a number of agencies and organizations for my mom. Yeah they can be very official and intimidating at times. That does not mean you are required to give them everything they ask for.
One big culprit is the medical paper forms people give that say they require writing in Social Security on every page. Most of the time it is optional and unnecessary to put on multiple forms that are going into the same folder at your doctor’s office. Granted, I suspect all of our Social Security info is out there by now. Still, don’t always fill in all the data, because leaving it off reduces how many places it can be found and saves you time filling out forms.
This goes for phone calls and people coming to your house and everything else you want to think of. Keep the below in mind when dealing with different groups:
- Keep a healthy skepticism on info requests.
- Question and push back on what is “required”.
- Know Social Security is usually not needed.
- Hang up, look up the number and call them back when companies call. (Yes, I’m deliberately repeating this one.)
I remember one of the financial institutions repeatedly telling me they needed me to fill in their DPOA documentation and could not accept the standard one we had. I know that is not true and pushed back heavily on getting them to accept the form. They relented eventually.
The best example of questioning authority is when my mom received the US Census long form. There are many reasons why you should participate in the Census. I am going to note a negative experience for us, and I want to make it clear there is serious value in participation.
The US Census sent my mom the long form several years back when I was careful with what we shared about her living alone and her disease. I thought the form was a scam at first because it asked very invasive questions on how many people lived in her home, the tech she had, and when she was in and out of her home. The paperwork said it was required and she would be in trouble if she didn’t comply.
We researched whether this was legit and found that it was real. Even if it was the government, we didn’t fully trust who would be able to gain access to the info and exploit her vulnerable state.
For several months, she received reminders in the mail regularly and then many phone calls and finally people came to her house a couple times (yes, I had the cameras in place at the time). She was getting more confused and scared in general as her disease progressed. It definitely didn’t help to have the government harassing her for several months about this. I was beyond pissed about it for sure. Thankfully, the requests finally stopped and left her in peace.
When authority figures demand information, remember you have every right to push back and ask questions, and you should, especially when the request doesn’t align with your security practices or those of the people you are helping.
Closing Thoughts
Draft a security strategy/posture for the previous gen you are helping if you haven’t already. You don’t have to spend all day, define 100s of lines or even write it down. Take some time to talk with the person you want to help and think about what matters and how to protect it. Also, you don’t have to set everything up at once. You can take it in chunks at a time.
Revisit the strategy as often as it makes sense (monthly, annually, daily). Do what works best for them. Definitely revisit because things change and you want to keep aware of those changes as well as plan for them. Stay aware of news, breaches, changes to privacy policies, and so forth.
The number one rule, and I can’t say it enough, is keep it simple. Adoption comes from simplicity and what is simple for you isn’t the same for everyone. You have to meet them where they are at.
It’s not about being paranoid, it’s about being safe.
Resources:
EFF Surveillance Self-Defense has very in-depth information on cyber security. Do not consume all at once. This is a great example of finding what works for you and keeping your strategy simple enough to adopt.
Other resources that helped me gather the details above are the following:
- https://onlinesafety.feministfrequency.com/en/#preventing-doxxing
- https://yoursosteam.wordpress.com/2015/08/30/remove-your-mailing-address-from-data-broker-sites/
- https://www.computerworld.com/article/2849263/data-privacy/doxxing-defense-remove-your-personal-info-from-data-brokers.html
- https://tisiphone.net/2017/01/25/thwart-my-osint-efforts-while-binging-tv/
- https://inteltechniques.com/data/workbook.pdf (helpful online book)
- Recent tweet that pointed to all this: https://twitter.com/mzbat/status/1031952026366894082
- Image by adamkaz
Additional Data Brokers (but not exhaustive):
- Opt-out form: http://www.zoominfo.com/lookupEmail
- BeenVerified: https://www.beenverified.com/faq/opt-out/
- CheckPeople: http://www.checkpeople.com/optout
- Instant Checkmate: https://www.instantcheckmate.com/optout/
- PeekYou: http://www.peekyou.com/about/contact/optout/index.php
- PeopleFinders: http://www.peoplefinders.com/manage/
- PeopleSmart: https://www.peoplesmart.com/optout-signup
- Pipl: https://pipl.com/directory/remove/
- PrivateEye: http://secure.privateeye.com/help/default.aspx#26
- PublicRecords360: http://www.publicrecords360.com/optout.html
- USA People Search: http://www.usa-people-search.com/manage/default.aspx