Site icon Easy Prey Podcast

Security Planning with Consumer Reports with Amira Dhalla

Easy Prey
“There are tons of ways to be smarter shoppers. Use multi-factor authentication. Use strong passwords. Make sure your computers and phones are up to date on the latest software developments. That’s an easy way to protect yourself… Click To Tweet

Consumer Reports is known for the research and comparisons of products and services, but they also offer a free personalized security and privacy planner. Today’s guest is Amira Dhalla. Amira is the Director of Impact Partnerships and Programs at Consumer Reports focusing on digital privacy and security. Amira works on projects that improve the cybersecurity and privacy products and tools on the marketplace while also tackling topics like discriminatory technologies, deceptive design, trust, and safety.

“There are so many factors to consider when shopping online. What we’ve seen is that the pandemic has increased the likelihood of people buying online. It is prime time for those who are preying on buyers.” - Amira Dhalla Click To Tweet

Show Notes:

“Breaches, data attacks, and cybercrime have almost moved mainstream. They’re in pop culture and advertising. The industry itself has just exploded.” - Amira Dhalla Click To Tweet

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Links and Resources:

Transcript:

Amira, thank you so much for coming on the Easy Prey Podcast today.

Thanks, Chris, for having me.

Can you give myself and the audience a little background about who you are and what you do?

Sure. My name is Amira Dhalla, and I work at Consumer Reports as the Director of Impact Partnerships and Programs, with a focus on security and privacy.

 

In that realm, I organize programs like securityplanner.org, and I work on a lot of issues at consumer space that are directed towards any sort of privacy that they might have online. How can we advocate for that? How can we partner with organizations on better policies? As well as how do we tackle emerging technology issues that are often preying upon individuals who are on the cusps of these new technologies or really starting to engage in them.

Awesome. Is there a story behind why you got into this field, or was this just the trajectory of your career?

I never knew that I was going to get into technology from the forefront. I think that was part of just the allure of somewhere where I could have a place where I can make an impact and really get into this technology field. That was about 15 years ago. I think many people at that point were like, “What is this new internet? What are these new resources? Let's go play around.” I was definitely part of that group of people.

I found it really inspiring. I found there were so many opportunities—to the web, to the tools—where we could develop and create. Within those 15 years, I actually spent 10 years really helping promote a more inclusive, safe internet and working on digital rights and literacy programs. In doing that, I worked with hundreds of thousands of community members in about 50 countries around the world.

When doing so, I learned that it wasn't enough for them to just come online and learn how to use these tools and the web, but they were actually scared of what happens when they are there. In doing that, I really shifted my focus to work on privacy and security, specifically to address the problems that the communities I cared about had when they showed up in these spaces.

Since then, it has snowballed. I've done a lot of privacy and security and really got into cybersecurity to really understand consumers and users play in part as it exists to make sure that we're all being able to be safer and maintain that security when we're using these platforms or tools that can have real opportunity in our lives.

One of the things about the Internet is this great place to find new things and access all sorts of stuff. Unfortunately, the quality of what you're connecting with may not always be what you hope it is, whether it's a product, or a person, or a service. It's always a little bit of a wild card when you're using the Internet.

Yeah, and technology has emerged so quickly. There are so many things that have evolved. I remember one of the first startups I worked at, we were the first ones in North America to create video on mobile devices. At that time, it was not easy. There was a lot to do with creating videos because you had to optimize them for each operating system. It was quite complex.

The moment we did it, we streamed the Olympics. I think it was on AT&T. We were all huddled around one phone watching it. At that point, we were growing slowly with technology. Now, you're just seeing things like AI and cybersecurity boosting and booming at a rate that is just unprecedented and we couldn’t have even predicted.

I don't think 20 years ago that I would have predicted people would live so much of their lives online, fully connected. I think everybody dreamed of the Dick Tracy watches. But no one would have expected accessing all the world's data from a device in the palm of your hand that weighs four ounces or something like that. It's really been an incredibly interesting time to be alive.

It is indeed.

I was curious about your being an advocate of getting people online. What were some of those fears that people had when getting online?

I remember in certain parts of the world where I would be working with groups of women and girls. They felt that spaces were not safe for them, that they would get harassed and attacked. And that happened often.

In other parts of the world, they were scared of losing money, because there were all these different scams that happened where they were clicking on it, and maybe had the literacy to join the web or join a program but weren't aware of things like phishing. At that point, we didn't even have words for it pretty clearly, to know when a site might be malicious.

People were like, “I've known this thing and as much as I can connect with others, I'm going to lose money.” There's even this one time not that long ago. I was teaching a whole bunch of librarians in New York—actually a Brooklyn Public Library. I was like, “OK, everyone knows about phishing. Everyone knows not to click on these emails.”

They were telling me just horror stories of different members of the community that were coming in and were losing large sums of money. And that were being hit with different scams and emails from people that were pretending to be relatives, and sites that they thought that they were logging into but giving away personal details. That was just so common for them. They were unequipped to actually process that, or deal with it, or support those communities.

It's one of those interesting things. We've made it super easy for people to get online—the collective we, I guess. But there's not a whole lot of, like, your internet service provider doesn't come out and say, “Yeah, I'll keep you safe online.” Your cable company doesn't say, “I'll keep you safe online.” It's like, “Well, here's access. Good luck” has almost been the way it's worked out for us, unfortunately.

I was looking at the website that you guys have built, the securityplanner.org. Let's talk a little bit about that because I think it's a really deep way to look at security and figure out what I need to do, as opposed to go online and try to figure out what I need to do.

Security Planner has been around for a very long time. Consumer Reports worked closely with the individuals who created it at CitizenLab and brought it into our toolset a few years ago. It is a free, easy-to-use guide to staying safe online. There are so many great perks about it that I'd love to promote.

 

There are specific things I'll highlight now for you, which is, it's very personalized. When you sign on to securityplanner.org, it asks you questions about which device you're using, what are the questions you have about your safety, and you get to customize what sort of recommendations.

Then when you get to create a plan, it'll actually share with you what parts of that plan are most important, what are free, what are easy to use, what are accessible. We're really creating a community of people being able to promote events and resources directly for those individuals.

One of my favorite actual facts about Security Planner is it's backed by an industry of experts. We have lots of people from around the industry—not just Consumer Reports—who are talking with us every day, helping to advise us on what are the best recommendations, what are emerging threats, like memory, safety and others that we need to be looking at, so that we can create a better world for consumers and keep them out of risks’ harm.

There are so many features and assets to it. It's updated regularly. There are just so many ways in which we are continuously improving it to make sure that it is a tool that is for the people, by the people, really addressing emerging threats and just anything you might need as it comes to the digital world.

That's great that you have a resource that's constantly being kept up-to-date. As we were talking earlier, one of the most difficult things with producing content online about technology, privacy, security, and even platforms is, as these platforms change, all these resources that talk about the platforms and tell you how to use them have to also be updated on how to do what you need to do.

I know you guys also just produced a cybersecurity and online privacy report. Can we talk a little bit about that?

Of course. We just produced the Consumer Cyber Readiness Report with The Aspen Institute. What it looks at is the behavior of consumers online as it relates to cybersecurity and data practices, just to understand where we are in terms of evolution in the last few years.

A lot has happened in the last few years as we think about it. Obviously, the big one is the pandemic. But also the idea that breaches, data attacks, and cybercrime have almost moved more mainstream.

Some of that might be in pop culture, so you can see the documentaries or the movies coming out. Then some of that is actually in just the advertising we're seeing, or the media and the news. People are advertising new products. The marketplace for VPNs is huge right now. You don't know which one to pick. So there's that.

I was talking with someone recently. A bunch of schools in LA have just suffered a data breach over ransomware. You think about these things, and you're just hearing and seeing them more often. The industry as a whole exploded. I don't think the pandemic is immune to that in terms of the factors which have really caused a lot of these things to come to light.

Was there anything in the report that surprised you in a good way? I know you've done surveys for the report in the past. Are there areas of improvement that have really surprised you that like, “Wow. People are really learning to deal with things better”?

Yeah. We study actual behaviors of tools that people are using. I will say the first thing that I was really impressed with and excited to see was that multi-factor authentication has dramatically increased in the last three years. In our survey, we study where people are at in 2019, and then compare it with similar data that we collect in 2022.

In 2019, people use roughly about, I think, 60-plus percent, or 50% of multi-factor authentication. In 2022, that number jumped to 77%. I think that's a multitude of factors. That's just phenomenal because that's one of the single greatest things you can do to protect yourself online and your accounts, especially if there's a data breach or cyber attack, likewise. That's huge.

One of the things we point to in the report is that institutions are mandating it. Corporations are requiring and encouraging you to set up MFA. I think we're seeing this trend, where it's like, if a government, or if it is the corporation, are telling you to do these things, you're more likely to do it and understand what it is. As a result in the last three years, that just totally changed our behavior.

There was one thing that surprised me. I saw that the number of people claiming to use strong passwords was a really high percentage—uppercase, lowercase, numbers, signs, and special characters. That number of people claiming to be using strong passwords seems surprisingly large, but hey, way to go. But I was really startled with how few people use password managers.

I think that's a good example of a space where people are overwhelmed. Password managers, because of all these things are very helpful. People are hearing that they're helpful. But what we hear often in Consumer Reports, the workshops, and events that we throw, is they’re like, “Which password manager should I use?” There are just so many options for them to actually jump into and figure it out, and there's a little bit of a technical barrier.

I think something like MFA, we're seeing skyrocket. What our data showed in 2019 versus 2022, there's little to no change in how many more people use a password manager. Some of that could be cost-related. It costs money to use a password manager for the most part. Some of that could be an overwhelming amount of choices. I think that's a really strong indicator of a space that we, as an industry, need to look at and figure out how we can create better adoption there.

I know Consumer Reports has their annual car-buying guides and things like that, and appliances. Have you guys done a buying guide for password managers or VPNs?

Oh, we have. We do it annually. We've got a great list online that anyone can search, and our members obviously get access to the detailed breakdown. We do recommend LastPass as one of the best password managers, and we have a list of other ones that are prime and helpful for your security and rank them across the board.

And you know offhand who your top VPN pick is?

We picked three. We use iVPN and Mullvad. I think the third was Mozilla which is like a white label version of Mullvad. There might be one I’m missing in there, but those are definitely ones we recommend as being better on security.

Awesome. One of the things that we were going to talk about was safe shopping. Consumer Reports has a 90-year history in helping consumers make good buying decisions. With this episode airing hopefully just before Black Friday—a peak shopping season, people who have been cooped up for the last two years with COVID and are looking forward to going out and doing their holiday shopping and Black Friday sales—how do we deal with shopping safe online and knowing, “Is this a deal? Is this not a deal? Is this a legitimate retailer? Is this even a legitimate product or not?”

There are so many factors to understand when it comes to shopping online. It is a big time of year for a lot of people, whether you're shopping for yourself or shopping for others.

What we saw in the past years with a pandemic is it just accelerated the amount people are going to shop online. Last year, we even saw tons of delays in products people were purchasing, or them quickly out of stock. Grinch bots were coming in. There were all these different factors.

There are ways to protect yourself but be warned and aware that it is a very key time for people to prey upon individuals who are looking for the best deal, who are looking for the items out of stock.

What you have is a bunch of scammers coming in and really trying to optimize on you in those times. While we often talk about it as being products that you sell, and actual things that you're buying, it's not immune from charity scams.

In the last year alone, the FCC put out a warning about charity scams coming up really high in the time of the pandemic. People were donating a lot more. Then a lot more phishing attacks were happening because of charity scams. I always like to include those together because it is not just what you buy. It is where you put your money. We do see a lot of those happen during the shopping times.

In the last year alone, the FCC put out a warning about charity scams coming up really high in the time of the pandemic. -Amira Dhalla Click To Tweet

There are a bunch of things you can do to keep yourself safe, so it is not all loss. It just means to be a smarter shopper in these times. There are tons of ways that I'm sure people who are listening to this often, and I hope already do, like using multi-factor authentication. We know you're using more of those. We know you're using stronger, better passwords, making sure that your computer or your phones are up-to-date on the latest software developments.

That's a really easy way to protect yourself against vulnerabilities and threats. People and organizations are often updating their sites and accounts and programs to make sure that these are not necessarily immune but that they're at their best capabilities for any threat that exists online. Those are the easy things you can do. I recommend those actually quite often—a lot of security things that people can do.

When it comes to shopping, keep your shopping on one or two credit cards. It makes it a lot easier for you to monitor what might be happening.  So stay alert, monitor those accounts, keep them in one to two places. It makes it a lot easier.

Keep your shopping on one or two credit cards. It makes it a lot easier for you to monitor what might be happening. -Amira Dhalla Click To Tweet

Use reputable brands, make sure you're checking the sites when you buy them. I know a lot of people love to shop local—I do myself—but it is one of those times where you want to make sure that you're using sites that have taken the time to set up proper security measurements.

Sometimes when you have a shop that's put up a site within a day, it's great for them. I really encourage more shops to set up shops online, but make sure they take the time to have security that is up-to-date and encourage people to use MFA or strong passwords.

Then before you pay, make sure there's encryption based on there. Some of the things you can do is check for HTTPS. It doesn't mean that it is a fully safe site, but it means that there is an added layer of security.

Those are some of the few things that one would do when they’re shopping online. But also, it doesn't mean that you are totally immune and these things won't come out, so just be aware of phishing emails and scams. Know that if something is too good to be true, it often is. There are tons of Grinch bots out there.  Do you know the term Grinch bots?

Know that if something is too good to be true, it often is. There are tons of Grinch bots out there. -Amira Dhalla Click To Tweet

I was going to ask you. I have not heard the phrase Grinch bot, and I was writing it down previously in my notes. What in the world is a Grinch bot? I know what an auction sniper is, but that's so 1990.

I think they were built off that. Grinch bot is just a good word, but it is the official name, I promise. Bots were short for software robots. They're applications that automatically make purchases on the Internet.

They have some good use cases. But more often than not, they're probably the people or they're the bots that are snatching up all the concert tickets and then having them resale for much higher prices.

You see these on eBay, or Craigslist, or other places where they're then doing huge markups. They take from traditional marketplaces and then they try selling them elsewhere.

The reason I specifically know a lot more about this is that CR has been urging senators and representatives to legislate against Grinch bots for the last year, really knowing that this poses an issue for consumers.

The reason it's so big and such an issue in terms of our cybersecurity is because once you go to these third-party sites, you no longer can verify if it's reputable. What you get is a lot of scams going on there and a lot of places that pop up that are like, “We have these for sale,” and it makes it very confusing for the average person to know what is going on.

I’ll date myself. I’ll use a really old example. When the Beanie Babies were popular, you can buy almost none of them at the standard retail establishment, but there are all these little Beanie Baby pop-ups at fairs and online, where they claim to have the super rare ones, hand-sewn ones that end up showing up in your mail.

I remember that. I also bought fake Beanie Babies in those moments in my time at collecting them. Those are literally what a lot of the sites are doing online now. While some of them are reputable, and they sell for extremely high prices, some of them are actually quite fake. Obviously, you don't want fake products for yourself or for anyone else. But a lot of them are also scams. That's where you have to be careful.

It's hard to judge whether it is a reputable site anymore because there are all these third parties. Instead of buying something on the original, authenticated site, you're forced to go somewhere else, which means you need to be aware of the phishing sites and emails you might be getting from as a result.

It used to be that you could tell people if it's HTTPS, you're fine. It's a legitimate organization. But now with the certificates basically free, that really only means your communication is encrypted. It doesn't mean that you're really dealing with the entity that you think you're dealing with. It doesn't necessarily mean that they're even a legitimate entity.

Yeah, it's hard.

What would be some of the signs of a fake website or illegitimate store that you might find?

It might look very similar to a store you know. I would look for ones that potentially are saying their store and then maybe go straight to the URL that you know who are searching them online. I would look for HTTPS, making sure that S is added at the end. Stores are often unfamiliar addresses or domains. So it might be instead of a .com, it’s a .ev. So you look out for those types of things.

When they're scam-related, they often ask for personal details or account information right away. They might send it in an email or other sorts of places, but they just want to get your personal information as quickly as possible. Oftentimes, if they are trying to replicate a reputable site, they're using an old logo or brand. So if you love that brand or site, make sure you're up-to-date on their branding.

Then often, it's really interesting to me because a lot of them contain bad grammar or spelling. I find that that's usually a tip-off for me, or they contain errors with some account or something about my name. A lot of them have immediacy to them. They want you to get to do something right away. They want you to fill out something to claim this added prize to your thing. That makes it seem so much better than others. Those are the things that I look out for when I'm on these sites.

I make sure that something feels great. Do they ask you if it's encrypted? Do they say they're storing your information? I know not many people read privacy policies, but it's good to get into the habit of skimming those to understand what they're going to do with your data.

There are great tools to understand just even how you're going to be tracked on those sites. What they are taking from you? Every time you're inputting information, every time you're getting to a site or searching a specific thing, they're tracking and using all of that.

I suppose with any sites, always be cautious about what data they're asking for. Why do you need to know this piece of information?

Red flags all around.

If I will keep with the Beanie Baby example—sorry, for anyone who's under 40. You probably have no idea what a Beanie Baby is. If they're asking you for your date of birth, in order for you to buy one, that should be a red flag. If they're asking for stuff that's not relevant for the service that they're providing.

Yeah. I do a lot of education and teaching. When we talk about strong passwords or security questions, they often literally phish for what might be your questions like, “What's your dog's name? What's your maiden name?” Or something of that sort. Those are all common security questions. Those are places you don't need to be adding those info.

I've heard of a lot of people who use their password managers to store fake answers to the security questions specific to the site that they're on. So if their bank asks them for what their mother's maiden name is as part of their, not the account creation or the identity entity verification portion, but just the security, they put something like “blue.”

When that question is asked on a different platform, it's “telephoto lens.” I’m making up things or just the standard 32 characters spit out by a password manager, as a way to keep that security and not knowing whether or not if it's not a legitimate site, I don't need to be providing a legitimate answer to a security question to someone who doesn't need to know that real question.

This is why password managers are great. We just need to change the dial on people adopting them more.

You also mentioned during this time of the year, charity scams and the propensity for us to give during the end of the year. Let's touch on that for a few minutes before we close out, if you don't mind.

Yeah, of course.

What should we be watching out for in terms of charity scams and being able to figure out a real charity from a fake one, or a real representative versus a fake representative?

I'm glad you're focusing on this because I think this one often gets forgotten in our holiday shopping or holiday times. It is a time when a lot of organizations, particularly nonprofits or others, are asking for donations. It is a huge fundraising time for them. I want nonprofits and organizations to continue. I appreciate people donating to them. I do it myself. But every time when we're online at a specific moment, the phishers will come.

They know you're more likely to enter in your credit card information to make a donation to an organization at this time. They will come in this time to make sure that they're sending you emails. I would say, when you are doing this, use some of the same advice we used for looking at an actual site or store to make sure it seems legitimate.

If you want to donate to a charity or an organization, enter their URL directly. If you don't know their URL, search it online. You're most likely, from your search engines, to be taken to it in the top search, and you can do it directly from there.

If you want to donate to a charity or an organization, enter their URL directly. If you don't know their URL, search it online.-Amira Dhalla Click To Tweet

But be wary that, specifically in the last couple of years during the pandemic, there have been more charity scams because people are more likely to donate. Whether they had extra funding or they were more inclined to in a time when there are many things happening in the world, people are coming into their inbox.

More often than not, it's usually an email. Never click on an email that asks you to enter your credit card information right away or as urgency.  Same recommendations. Go to the site directly.

Never click on an email that asks you to enter your credit card information right away or as urgency. -Amira Dhalla Click To Tweet

That's always been my approach. If someone is coming to my door or meeting me outside of a grocery store, or an email, or a phone call, I only give what I have control of who I'm communicating with. If someone approaches me, they very well could be a legitimate representative of the company, but my personal opinion is I just don't deal with people directly in this.

I initiated the contact because I don't want to have to figure out how to vet you, or vet the person outside the store, or figure out, “Was this person really calling from the Red Cross?” It's just a lot easier for me to go to the Red Cross, go to the charities that I want to give to directly and give there and not necessarily be responding to whether it's legitimate marketing for the charity or phishing emails.

That way, I'm in control of the conversation. I'm in control of how much I give and when I give, and making sure that I'm giving to the causes that I support and care about.

And the charities, the nonprofits, the organizations appreciate that for sure.

I guess you could always use Charity Navigator. There are a couple of websites. There’s Charity Navigator and I can’t get it off the top of my head, unfortunately.

Charity Navigator has direct links to the charity organizations. They’re good for assessments if you’re wanting to look at a charity or nonprofit and understand where you’re donating to or searching for different communities or groups or issues. It can generally be very helpful to go. I do trust them as a reputable site to have the links that go directly to those organizations.

And the other one is CharityWatch.

CharityWatch. OK.

Both of those provide links to the actual charities. Sometimes I’ve seen ads. You search for a charity and an ad comes up. It might be the charity or it might not be the charity. No one would put up a scammy ad.

Honestly, all that are organizations collecting your data and using it to track you across the web, so I’m moving away from that process altogether and showing people we don’t necessarily need those ads to do the things we want to do.

I love that. Are there any additional resources or things you want to add before we close today?

I would say even for your shopping and holiday needs, for new devices or systems or tools that you’re using in your homes, securityplanner.org has tons of resources. Some fun ones in terms of what we just updated out there is how to delete and find old accounts. That is critical. Scammers and other sorts of organizations are taking your data from those things and they’re using them against you.

I know a lot of you don’t remember that you had a Foursquare account, but you did. Or other accounts that are still out there that are really still using your data in ways that you might not want them to. All of these and more are in securityplanner.org. I really just encourage people to check that out.

It’s a really, really great resource. I’ve had the opportunity to play around with it. I will absolutely be linking it to the show notes as well.

Great. Thank you so much, Chris.

Amira, thank you so much for coming on the Easy Prey Podcast today.

Exit mobile version