When we say that new technologies surround us in our day to day, it really is. We can become the target of the “bad guys” both in professional and personal life, whether they are hackers (with computer skills) or scammers (with personal deception techniques).

For this reason, we steered today’s advice towards the warning signs to take into account when using ATMs. Especially if we are traveling: Especially if we are traveling:

• Only use ATMs where there is a bank security camera installed: If we see one unprotected by cameras, we must suspect that it is not being surveilled and, therefore, it could have been tampered with.
• Physically check the ATM, especially if it is at street level: criminals can replace the part where we put the card or even the keyboard, to later duplicate that card and use it with our PIN.
• Cancel the operation if you see that the screen does not look like that of a regular ATM or “does strange things”: both cybercriminals can manipulate the ATM’s computer program, as well as scammers replace the screen with a similar tablet that records the information entered.
• Cover the keyboard with your hand when entering your PIN: As currently online purchases are also confirmed with the card’s PIN through an SMS link from the bank, knowing these four numbers is very important for criminals.
• Maintain a safe distance between people: This way we avoid that the people around can see, over the shoulder (shoulder surfing), the information that we enter.

La entrada SECURE&TIP: ATMS se publicó primero en Secure & Academy.

La entrada SECURE&TIP: RESPONSE TO CYBER-ATTACKS se publicó primero en Secure & Academy.

La entrada SECURE&TIP: VIDEO CALLS se publicó primero en Secure & Academy.

La entrada SECURE&TIP: SPRING CLEANING se publicó primero en Secure & Academy.

La entrada SECURE&TIP: SECURE PASSWORDS se publicó primero en Secure & Academy.

Personal data, that information that makes us different from other people and that allows us to identify ourselves, must be protected both by ourselves and by third parties who may have access to it.

It is not always easy to know how a company or entity can properly protect the personal data it has in its systems. Because this will depend on multiple factors, such as the type of company or entity, whether it is public or private, the service or product it provides, the information it collects, the technologies it uses, the country in which it operates, etc. This complexity means that it is essential for companies and entities to have legal advice, expert in data protection.

However, we would like to give you, our readers, some general guidelines, so that you know how to handle personal data, especially if it is not your own data, but information belonging to third parties.

• Legal or legitimate basis: The legal basis is what authorizes us or our company or entity to manage and maintain in its systems data of third parties. Nowadays, the consent of the person to whom these data belong must always prevail, which may be by means of an express authorization or a contract. Only in the event that a law requires collecting data from third parties or we are providing a public service of vital interest to that person or general interest to the public, the collection of consent may be exempted. But these will be very extreme cases, such as, for example, when the person receives health care due to an emergency situation and their data must be processed in order to identify them.
• Transparency: From the moment we process personal data of third parties, whether we must request consent, or whether we are legally authorized to process it without consent, we must always always always always inform that person about the processing of his or her data. This implies informing about:
  • • What data we will process.
    • How we will treat them.
    • When we will start treating them and for how long.
    • Why we are going to use this data.
    • Where we will treat and store them (both in what type of physical or digital system, and in what country).
• Security: It should be taken into account how to protect the data by applying technical security measures (such as a password), but also physical (a locked drawer) and organizational (limiting the use to those people who really have to work with those data). In order to know what security measures to follow, the ideal is to keep up to date with the policies, procedures, manuals and guides made available by our company or organization, which help us to protect personal data and also confidential information, even if it does not belong to individuals, in a secure way.
• Right of the data subject: The data subject is the person to whom those data we are working with belong. The information, when it is about personal data, does not belong to the company or entity and neither to the worker who manages it, it belongs to the third person to whom that information identifies. Therefore, if that third party asks us to exercise one of the following rights, we must always attend to it simply and free of charge, because it is their right to choose whether they want their data to be used or not:
  • • Access (receive information on all the points indicated in transparency and request copies of the same)
    • Rectify (modify the information because if it is out of date it may affect you)
    • Delete (delete data and stop using them)
    • Porting (taking the data away and no longer using it)
    • Limit (restrict the use of data to the minimum necessary)
    • Object (prevent further processing of data for certain purposes to which you do not consent)

La entrada SECURE&TIP: PERSONAL DATA PROTECTION se publicó primero en Secure & Academy.

In this type of cyber-attacks cybercriminals pose as a person known or close to us and try to convince us either by mail, phone, SMS, Whatsapp or social networks, that they are in a complicated economic situation or emergency and need us to make them an urgent and immediate money transfer. The excuses they make range from needing money to pay for a cab, to needing a loan to pay bills at the end of the month.

How can we detect this type of scams?

• • It is common that in these cases, in order to reach the maximum possible number of victims, Artificial Intelligence programs are used again. So the person who contacts us is not real, it is an answering machine and we can detect it in the mechanized voice. In case of doubt, we recommend asking the person who contacts us a very personal question that only he or she should know how to answer. If it is a cybercriminal, he or she will answer incorrectly, hang up the phone or stop answering the messages.
  • Even if the phone number belongs to the same contact, it is also important to be alert and verify who is really contacting you. In most cases cybercriminals do not try to hide the contact number or email from which they are writing to us, indicating that they are our co-worker, friend, child, relative, but that they have run out of battery in the cell phone and are therefore writing to us from someone else’s phone. Here the suspicion may be more evident. But there is also the possibility that they have obtained a duplicate SIM card of our acquaintance and are using the same mobile number. In either case, we recommend calling the number directly to check the voice of the person who picks up the call and verify that it really is our acquaintance.

La entrada SECURE&TIP: THE KNOWN IN TROUBLE se publicó primero en Secure & Academy.

What is meant by “information in transit”?

Information in transit is all that which moves from point A to point B. This movement can be by technical means (from one computer to another), or by physical means.

When this is done by technical means, either because we send an e-mail that travels over the Internet or we enter data on a web page, protection measures are required that are the responsibility of the IT Department and are called “encryption of communications”. These measures may involve the use of passwords, digital certificates, double authentication factors and VPN systems, both for consulting, extracting and transferring information.

But today we will not talk about this more technical part, we will only focus on the physical part, the responsibility of the Userthat is to say, the person who is accessing corporate information remotely (from home or any other place), or who is transporting it for reasons of a trip, work visit or because he/she needs to continue working on it at home.

Moreover, when we talk about data in transit, we should not only think about the information as such, or what is the same, in a digital or physical document, but we also have the responsibility to protect it even if it travels within apparently secure devices. This implies applying a principle that is always remembered in public places such as train stations, airports, etc., not to leave personal belongings or objects unattended., This includes physical briefcases, computers, USB sticks, cell phones and/or tablets and any other “information containers”.

What security incidents can we suffer and how to prevent them?

• THEFT: We can be victims of data theft, both in places and public transport where they can steal, for example, a computer, as well as if they force the door of our vehicle to steal its contents.
• LOSS: Unlike the previous point, in which a third party forces this situation, the loss of data is usually due to human error or carelessness in their care. Therefore, it is our responsibility to be careful with the information, especially if we are outside the work environment.
• INSECURE CONNECTION: It is not uncommon, especially when we are traveling or traveling, that we try to connect to WIFI networks available in trains, hotels, airports, restaurants, etc. so that the internet connection is faster and works better. In this sense we must be careful and connect only to those WIFI that are officially of the establishment, and for this it is preferable to confirm it with the staff of an information point, reception or customer service, before making the connection.
• UNAUTHORIZED ACCESS: Whether we are consulting information on a plane, on a train or in a coffee shop, we must be aware of a type of technique called “looking over our shoulder”, which implies that the people around us may have within their field of vision our cell phone and computer screen or the physical documentation we are reading. They do not always have to have a criminal interest in knowing that information, but sometimes we could make the mistake of providing data, without realizing it, to an unauthorized third party. And it could be the case that this third party later uses them in their own interest. Therefore, our recommendation in this regard is to treat and work on strictly confidential information (including e-mail replies), preferably in a private environment, away from prying eyes. It is preferable to postpone this reading for when we are already at home or in a hotel room.

IMPORTANT NOTE: If you have the slightest suspicion of having suffered a similar situation or have been the victim of a security incident, do not hesitate to inform your line manager, the CISO Security Manager and the IT department, so that they can advise you appropriately. And on a personal level he reports the cyberattack to the police authority.

La entrada SECURE&TIP: INFORMATION IN TRANSIT se publicó primero en Secure & Academy.

Cybercriminals can infect and gain access to our devices (especially cell phones and tablets), whether professional or personal, by means of fake applications that we may have downloaded or malicious programs that have been installed by clicking on a fraudulent link.

In this way they can use them at will, without our knowledge or consent, and even launch cyberattacks from them.

The harm to us, therefore, is not only that our information contained in the device or in applications (e.g., banking app, Whatsapp, email, social networks and others) is misused, but that we are used to commit a crime and that, in case of police investigation, our device is implicated as the means through which it was committed.

• The battery drains quickly, despite hours of charging.
• The device overheats, without having been exposed to high temperatures.
• We have a new program or application installed, which we have not consciously downloaded.
• We receive unusual notifications from our programs and applications.
• We detect changes in our location when using mapping or GPS programs or apps.
• We lose processing capacity, which makes the system run very slowly.
• There is a noticeable increase in data consumption statistics, which can even be detrimental to our bills if we exceed the contracted rate (check in “Settings – Mobile data” or on the computer in “Settings – Network and Internet – Data usage”).
• If everything fits, we must inform the IT Department as soon as possible, at the labor level, and the Police, at the individual level.

La entrada SECURE&TIP: INFECTED CELL PHONES se publicó primero en Secure & Academy.

Cybercriminals contact us either by e-mail, phone call, SMS or applications such as Whatsapp, Line, Telegram and similar, to inform us that we have been selected for a job. Following this and in the same conversation, they will ask us to confirm that we agree to continue in the selection process and that in order to formalize the hiring they need us to provide some personal data (including bank details).

At the moment, how are these scams being detected by Users?

• In these cases, in order to reach the maximum possible number of victims, it is common to use Artificial Intelligence programs. So the person contacting us is not real, it is a reply and we can detect it in the mechanized voice.
• In these conversations they do not usually indicate neither the company they are calling from, nor for which company the selection process would be for.
• Working conditions are often not just good, but “spectacular”, to attract our attention. In other words, we are offered a very high salary, 100% telecommuting, flexible working hours, etc.
• If we have not been actively involved in a selection process, it is very rare that a company will contact us directly to offer us a job.It is very rare that a company will contact us directly to offer us a job.

In these cases it is preferable to ask to be able to call them back at another time or for them to contact us again, so that we can check on the internet (on official websites or professional social networks) that the offer really exists. If we still have doubts about whether it is real or not, we can also contact the company from which they say they are calling us (by dialing the phone number we find on the official website), to ask for the same offer.

La entrada SECURE&TIP: FAKE JOB OFFER se publicó primero en Secure & Academy.