Wells Fargo cannot follow its own phishing security advice

Wells Fargo has a reasonably good security page educating customers about phishing email and texting scams.

They make three good comments about how to recognize a phishing email scam, informing the user to look out for a combination of red flags:

Non-Wells Fargo email address: The email address of the sender does not include the wellsfargo.com domain name, instead using something like [email protected]

Urgent call to action: The email includes an urgent request in the subject line and message copy, such as “Don’t miss your chance to win $1,000. Complete the survey today.”

Suspicious URL: The email contains a link to a non-Wells Fargo URL, which could be a fraudulent website, such as https://mail.gallupmail.com/track?xyz.

As you may have guessed, I replaced their actual examples with similar but real content that I received by email from Wells Fargo.

On the left is a screen shot of Wells Fargo’s good security advice regarding phishing emails. On the right is a screen shot of an actual Wells Fargo email violating its own advice (verified months later as legitimate by the Wells Fargo Executive Office).

Wells Fargo emails look like phishing emails

Wells Fargo, you have a responsibility to perform email best practices. All emails from Wells Fargo should come from the wellsfargo.com domain or a subdomain of wellsfargo.com, and all links in said emails should link back to the wellsfargo.com domain or a subdomain of wellsfargo.com. Nothing less is excusable.

Follow your own security advice. Don’t send customers emails that look no different than phishing emails. By doing so, you are training your own customers to trust emails they should not trust.
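The three red flags above, and the rule that every sender and link should stay on wellsfargo.com or a subdomain, can be turned into a mechanical check. The script below is an added example, not Wells Fargo's own code; the sample message, the sender address `survey@gallupmail.com`, and the list of urgent phrases are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "wellsfargo.com"
# Constructed list, modelled on the urgent wording quoted in the post.
URGENT_PHRASES = ("don't miss", "complete the survey today", "act now", "urgent")


def same_org(host, domain=TRUSTED_DOMAIN):
    """True if host is the trusted domain or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def red_flags(raw_message):
    """Apply the three checklist items to a raw RFC 822 message and return the flags raised."""
    msg = message_from_string(raw_message, policy=default)
    flags = []
    # 1. Sender address must be on the trusted domain (display name is ignored).
    _, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if not same_org(sender_host):
        flags.append(f"non-{TRUSTED_DOMAIN} sender: {sender}")
    # 2. Urgent call to action in the subject line or message copy.
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(p in text for p in URGENT_PHRASES):
        flags.append("urgent call to action")
    # 3. Every link must point back to the trusted domain.
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        if not same_org(urlparse(url).hostname):
            flags.append(f"off-domain link: {url}")
    return flags


# Constructed sample shaped like the email described in the post.
SAMPLE = """\
From: Wells Fargo Surveys <survey@gallupmail.com>
To: customer@example.net
Subject: Don't miss your chance to win $1,000
Content-Type: text/plain; charset=utf-8

Complete the survey today: https://mail.gallupmail.com/track?xyz
Manage your preferences at https://www.wellsfargo.com/privacy
"""

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("RED FLAG:", flag)
```

Against the sample, all three flags fire; a message sent from a wellsfargo.com subdomain with only wellsfargo.com links raises none.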

Top 10 ways to strengthen your personal online security

Most of us have a home network with multiple electronic devices, along with hundreds of online accounts and credentials. These tips will help you strengthen your personal online security by helping you better secure your devices and credentials.

Strong Passwords

Stronger passwords are long and have high entropy (use lowercase, uppercase, numbers, and punctuation). Use tools like passed.pw and LastPass Password Generator to create stronger passwords. Use How Secure Is My Password and LastPass How Secure to test how difficult it would be for an attacker to guess (brute-force) your password. Visit XKCD’s correct horse battery staple for some cartoon humor to drive this point home.

Unique Passwords

Use a unique password for every website you visit. Using the same password to log in to multiple accounts, like your Target.com account and your Facebook.com account, increases your security risk. When one website gets hacked (say Target.com or HomeDepot.com), those leaked credentials will be traded among criminals. Bad actors will then write scripts to automatically try your compromised Target.com and HomeDepot.com credentials on all other websites, hoping that you didn’t use unique passwords. Creating a unique password for each account reduces this risk and keeps each account more secure. Visit Have I Been Pwned to see if any of your credentials have already been hacked and are being shared among criminals.

Password Manager

Keeping track of hundreds of unique passwords would be onerous. Instead, use a password manager. The LastPass Password Manager is an excellent option that works across multiple browsers and devices. Otherwise, most web browsers have a built-in password manager.

Multi-factor/Two-factor Authentication (MFA/2FA)

Multi-factor authentication (MFA) and Two-factor Authentication (2FA) are essentially the same thing. In addition to entering a username and password, you’ll also be prompted to enter a one-time code that changes every minute. There are many forms of MFA. Hardware tokens and software tokens are the best; but phone calls, texting, and emails are better than nothing. Visit twofactorauth.org for a list of which websites support MFA/2FA and their options. The most important would be to add MFA to your password manager, email accounts, banking accounts, and social media accounts.

Patch Operating Systems, Applications, and Firmware

Protect yourself from known security vulnerabilities by promptly patching the operating system, applications, browsers, and plugins. Security vulnerabilities are discovered every week. When you receive notifications to update your software, do so as soon as possible. Configure your operating system to automatically download and install updates, and do the same for your mobile devices. Lastly, logon to your home network router once a quarter to see if it has a firmware update.

Automatically lock your devices

Your mobile devices are a treasure trove of your digital life. Both Apple iOS (Use a passcode with your iPhone, iPad, or iPod touch) and Google Android (Set screen lock on an Android device) devices can be configured to automatically lock.

Remotely Track and Wipe your devices

If your mobile device is ever lost or stolen, you can visit Apple or Google to remotely lock and/or wipe your data if your device still has a network connection and battery. Visit these instructions for Apple iOS (If your iPhone, iPad, or iPod touch is lost or stolen) and Google Android (Find, lock, or erase a lost Android device). If you also use your mobile device for work purposes, your employer’s IT team may also be able to remotely wipe your device (because company information like email is also on your personal device).

Encryption at Rest and in Transit

In addition to securing your accounts, it’s also important to encrypt your devices and your network connections. For Windows, use BitLocker to encrypt data on your hard drive. For Apple iOS (This is how we protect your privacy) and Google Android (Full-Disk Encryption), most devices enable encryption by default. For encryption in transit, make sure you are using https for all of your connections to websites. The HTTPS Everywhere browser plugin will help ensure you are encrypting your traffic.

DNS Filtering

Domain Name System (DNS) is the phonebook of the Internet. Humans access information online through domain names (e.g. youtube.com). Web browsers interact through Internet Protocol (IP) addresses (e.g. 127.0.0.1). DNS translates domain names to IP addresses so browsers can load Internet resources. One easy way to protect all of your home devices from visiting bad websites is to configure them all to use a DNS provider that filters out bad websites for security, privacy, or even advertising reasons. The best option is to configure your router to use one of these DNS services, which will pass the settings to all devices on your home network.

  • cloudflare.com at 1.1.1.1 (security focused)
  • quad9.net at 9.9.9.9 (security and privacy focused)
  • opendns.com at 208.67.222.222 (security and adult content focused)
  • nextdns.io at 5.182.208.123 (security, privacy, adult content, and advertising focused)

Be Skeptical (phishing and social engineering)

Lastly, be skeptical. Avoid clicking on suspicious links, double-check the URL to make sure you are entering data into a legitimate website, and avoid revealing personal information. Even if the message comes from a site you trust, it’s better to avoid clicking on an email link and to instead go directly to their website on your own accord. Legitimate websites will not request that you send passwords or financial information over email.

How to use Google Fi data SIM on a Verizon Jetpack MiFi

Google Fi is an MVNO telecommunications service that provides telephone calls, SMS, and mobile broadband using cellular networks operated by Sprint, T-Mobile, and others.

Fi has easy-to-understand pricing, can be paused or canceled without penalty, allows up to 9 additional data-only SIM cards to share the same plan, and charges only for the data consumed.

My company has several Verizon Jetpack MiFis that are used during network disruptions, but sit idle most of the time — often for months. Converting these units to Google Fi dramatically reduced our monthly wireless bill. Here’s how to do it.

Create a Google account

Create a new Google account. This is getting more difficult to do because Google now requires an external email address or phone number to be tied to the account, presumably to assist with account recovery and reduce fake accounts.

Sign up for Google Fi and buy a phone designed for Fi

Using your new Google account, visit https://fi.google.com/signup to sign up for Google Fi. When doing so, I recommend also buying one of these https://fi.google.com/about/phones/ Android phones that will serve as the master account holder. Having an Android phone is not a requirement, but it’s helpful and is a small expense.

Note: Only phones designed for Google Fi are able to switch among supported carriers. In the US, all other devices (like a Verizon Jetpack) will only use T-Mobile.

Activate your Android phone and Voice SIM

When your phone arrives in the mail, the master Google Fi SIM card for the account will already be installed in the phone. I call it the master because it will be the only SIM that will have Voice, SMS, and Data. Go ahead and setup your new phone and Google Fi account. This process is easy and really doesn’t require instruction.

Add data-only SIM

Logon to your Google Fi account, visit https://fi.google.com/account#plan, and select Add data-only SIM.

Data-only SIMs are compatible with many different types of devices in 170+ countries. There’s no extra monthly cost per SIM. You’ll only pay for the data you use at the usual $10/GB rate. Learn more about data-only SIMs.

Note: I found you may only order a few at a time.

Activate your SIM

In a few days, your data-only SIM will arrive.

Logon to your Google Fi account and visit https://fi.google.com/data to activate your data-only SIM by entering the Secret Code presented on the physical card.

Upon activation, you’ll want to select Data-only SIM setup on other devices for instructions on how to set up Fi on devices other than iOS and Android. The critical piece of information is to change the device’s APN value to “h2g2”.

Software Update the Verizon Jetpack MiFi

Many of our Verizon Jetpack MiFis were in need of updates. Before changing SIMs, I recommend performing Software Updates on the devices. You might also want to make note of the Verizon phone number, SIM number, and other values (to help you close those Verizon accounts after you switch them to Google Fi).

In this example, I’m working with a Jetpack MiFi 6620L running software version 4.5.

Replace the Verizon SIM with the Google Fi SIM

Power off the Verizon Jetpack MiFi and pry off the back cover using this notch.

You’ll find the SIM slot behind the battery.

Press the existing Verizon SIM card in further, quickly release, and it will spring out.

Insert the Google Fi data-only SIM to the same depth as the Verizon SIM you removed.

Restore the battery, snap on the back case, and power on the Verizon Jetpack MiFi.

Change the APN value to “h2g2”

Now you need to configure the Verizon Jetpack MiFi to use the Google Fi wireless network (technically, T-Mobile). You cannot make these changes via the device. Instead, you’ll make them within the device’s built-in Jetpack Admin website. Select Help, Jetpack Admin Website on the device for instructions.

Join any wifi device to the Verizon Jetpack SSID, open a browser, and visit https://my.jetpack. Note that your connected device won’t yet have internet access. Instead, it has wireless access and will open an administration website located on the Verizon Jetpack MiFi.

Log in to your Jetpack website and navigate to Jetpack Settings, Advanced, Networks, Show Advanced Settings.

The 4G LTE APN current value will likely be “VZWINTERNET”.

Change both 4G LTE APN and GSM/UMTS/HSPA APN to “h2g2” and Save Changes.

Manually change DNS (optional)

While you are at it, you might as well manually configure the external DNS providers of your choosing by visiting Advanced, Manual DNS. To improve privacy and security, consider using 9.9.9.9 and 1.1.1.1. This step is optional.

Reboot the Verizon Jetpack MiFi.

Network: T-Mobile

When the device powers up, head over to Settings and view the Internet Status. If you did everything right, you should see T-Mobile as the Network.

Celebrate by joining up to 15 devices to your Verizon Jetpack MiFi hot spot that is now running on Google Fi (via T-Mobile).

Savings

You can add up to 9 data-only SIM cards to a Google Fi account. If your parent Android phone with the Voice/SMS/Data SIM, along with 9 data-only Verizon Jetpack MiFis with Google Fi data-only SIMs are idle each month, you’ll be charged only $20 (see plans). If one or more of the SIMs consumes data, you’ll be charged only $10 per gigabyte per month (which will even be prorated).

Now I have a bunch of wireless hot-spot spares that are ready for a network disaster, without costing me $50 per device per month.

craigs-mobile.live is a phishing scam

If you use craigslist.org and post your mobile number, you are bound to get a text message scam from craigs-mobile.live or a similar site. Report the scam to your carrier and delete the text without responding.

See “Phishing stealing accounts, passwords, or financial information by masquerading as a trusted party” from craigslist.org.