Here are the original articles:
- Nest Security Camera Gives Terrifying False Alarm to Orinda Family
- Nest Camera Hacked: Hacker Spoke to baby, hurled obscenities...
The Facts first: Yes, someone took over the accounts belonging to these two families creating havoc and panic. No one wants to hear a Nuclear Alert originating from their home without foreknowledge of a test in progress, much less general access to their private lives. The mere thought of walking past my child's bedroom and hearing a male voice swearing at my child would push the needle to the edge of my fight/flight reaction and someone would end up finding a Father Bear in the room protecting his cubs.
We have become very complacent in our digital worlds. That is the problem. And, most sites have left the security protocols on their sites lacking the necessary enforcement of stronger authentication schemes to protect end users and their privacy. It isn't the companies fault, but they aren't exactly championing safe practices while using their product.
Most companies want your accessibility to their site to be a balance between security and simplicity. These two things usually don't go well together. Most consumers don't want to remember long, abstract passwords. Who can blame them? I have about 50-60 sites I normally visit that I have credentials on, whether accessing from my PC, my iPhone or iPad or even other smart devices like my television.
So consumers become complacent in using very simple e-mail and password combinations. That isn't the issue - the issue is using them over and over and over again on site after site. Over a period of 3-4 years, there is a high chance your username (e-mail address) and password have been compromised and is floating around on the Dark Web somewhere. This isn't an article on using LifeLock or similar services - that will come later.
This is about bolstering the security of the existing systems you already are using. I am into the Google Universe pretty heavy - also Apple's ecosystem due to my iPhone/iPad love (had original iphone - still have it in my drawer).
Apple did a great service recently and PUSHED people to employ a 2 factor authentication to protect your online identity. Many of your online services recommend this and may prompt you at some point to put in your cell phone or use an authenticator. Why?
If my username and password are on the dark web, then some low-life reject out there can pay pennies on the dollar for thousands of username/password combinations and then using tactics like a brute force attack against a site, will check to see if any of the illicit username/passwords work on that site. Say they want access to NEST accounts... They take those 1,000 username/password combinations and run it through their application that then targets the login process for https://home.nest.com and sees which accounts are successful in logging in. Those that are successful, are flagged and the low-life comes back at a later date and sees what can be mined from those flagged accounts.
Now, to stay with our original targets - NEST, there isn't a tremendous amount that can be done on home.nest.com - except gain access to your security footage, home automation systems (heater, security), and cause shear panic via their pranks.
I use NEST products - love them - easy to setup and easier to operate. Want to protect yourself? Nest offers but doesn't PUSH their MFA or 2FA - what does that mean?
- MFA - Multi-Factor Authentication
- 2FA - Two Factor Authentication
In a nutshell - they are the same thing, but it means that not only would your provider require a username/password combination, but a 2nd check to ensure it really is you. The most common? TEXTING a simple random six digit code to your cellular device to ensure it really is you.
Want to set this up in NEST? This is super simple:
- Open up NEST on your smartphone
- Click the GEAR in the upper right corner of the application
- Choose ACCOUNT in the top of the list
- Click MANAGE ACCOUNT in the top of the next list
- Choose ACCOUNT SECURITY option
- Click 2-STEP VERIFICATION (might be OFF - switch to ON)
- It will want your cell phone and it will ask to test with your device
- When it is successful, it will register and that 2nd layer of protection will now be enabled on your account - next time you access your account from your cell phone or computer, it will prompt for that 2nd check on your identity.
That is the EASIEST thing you can do - turn on your 2FA for whatever online account you want to protect. Got a bank account you access? Better turn it on there. What about your 401K? Health Insurance/Medical Records like Kaiser or Blue Cross? That is a good candidate.
Do I worry about this for an online retailer like KOHLS, MACYS, etc. - not as much. Most times those sites might have my credit card saved, but they still require the security number on the back of the card to process an order.
Here are the sites you should protect probably in order of precedence):
- Legal (Social Security, HR Block, etc.)
- 401K or investments
- Online accounts for e-Mail (GMAIL, O365, Yahoo)
- Security Systems & web cameras (Nest, Ring, etc.)
- Online Shopping - Amazon, Target, etc. etc
You can also employ something like an AUTHENTICATOR application like Google Authenticator or Microsoft Authenticator - these employ a set of random generated numbers that are synchronized with your online activity. The problem with this method is that it requires the APP on your smart device to produce the number - if your phone is stolen or lost, you lose access to those stored codes. It isn't a bad idea, but at least with texting, it is tied to an agnostic phone number - could be on an android, iphone, etc. - I lose the phone, I just have to get a new phone from my provider and put my number on it and it starts working again.
Hope this helps. This only scratches the surface of protecting your online accounts and private lives. Security is bigger than ever in 2019 and will only keep getting more and more critical to our digital well being!