Securing Financial Applications Behind Secondary Accounts

Many people run their entire lives from their mobile devices. Unfortunately, this makes mobile devices prime targets for malicious actors. Apple and Google have responded to this by continuously bolstering the security of their respective mobile operating systems (although the openness of Android means device manufacturers can and often do undo a lot of that security work). One major security improvement has been the optional use of biometrics to unlock devices. Before fingerprint and facial recognition on mobile devices, you had to type in a password (or optionally draw a pattern on Android) every time you wanted to unlock your device. This dissuaded people from setting an unlock password on their devices. Now that mobile devices can be quickly unlocked with fingerprint or facial recognition, implementing a proper unlock password on a device isn’t as inconvenient. With this increase in convenience came an increase in the number of people properly locking their devices.

Setting a proper unlock password protects the owner from the consequences of their mobile device being stolen. A thief might get the device, but if it’s a properly locked (which implies all security updates are installed and the device is actively supported by the manufacturer) device, the thief will be blocked from accessing data on the device such as any financial applications.

Now that locked devices are more prevalent, thieves are resorting to new forms of trickery to gain access to the valuable information on devices:

Most scams that utilize payment apps involve a range of tricks to get you to send money. But some criminals are now skipping that step; they simply ask strangers to use their phones and then send the money themselves.

The victim often doesn’t realize what’s happened until hours or even days later. And by that point, there’s very little they can do about it.

If somebody asks to borrow your phone, tell them no. But asking to borrow a phone isn’t the only way thieves acquire access to unlocked devices. Thieves are also targeting people who are actively using their devices (and since those people often aren’t paying attention to their surrounding, they’re easy targets). If a thief steals an unlocked device from somebody, they can gain access to the information on the device until it is locked again.

Most financial applications offer the ability to set an application specific password, which you should do. However, Android offers another level of security. Android supports multiple user accounts. Applications and data in one user account cannot be accessed by other user accounts (an application can be installed in multiple accounts, but each installation is unique to an account). A user can add a separate user and install their financial applications in that account. When they’re using their main account for things like making calls and instant messaging, their financial accounts remained locked behind the secondary account. So long as the user isn’t actively using the secondary account, any thief who swipes the device while it’s unlocked will not even be able to see which, if any, financial applications are installed.

Financial applications aren’t the only ones that you can hide behind secondary user accounts, but they’re good candidates because unauthorized access to those applications can result in real world consequences. Furthermore, financial applications usually aren’t accessed frequently. They’re accessed when a user needs to check the status of an account or make a transaction.

Bring Enough Gun

A story making the rounds illustrates the importance of ensuring that you have enough gun:

A large bull moose spent more than an hour stomping on the sled dog team of a rookie Iditarod musher in the wilds of Alaska last week – and the attack didn’t end even after Bridgett Watkins emptied her gun into the animal.

[…]

‘As he charged me I emptied my gun into him and he never stopped,’ she wrote on Facebook. ‘I ran for my life and prayed I was fast enough to not be killed in that moment. He trampled the team and then turned for us.’

[…]

She did carry a .380 caliber gun because there are few people where she trains, and she keeps it to to deter or scare off animals. She has since upgraded to a larger caliber firearm after it didn’t stop the moose.

A bull moose is basically a freight train on legs that is fueled by rage. Shooting one with a .380 will just piss it off. In Watson’s defense, she wasn’t foolish enough to believe that a .380 would drop a moose. She carried it assuming that the noise it created would be sufficient to scare off an attacking animal.

So this story illustrates two important consideration when creating a self-defense plan. First, recognize the threats and bring sufficient firepower to deal with those threats. Second, if your plan includes deterrence (which it should), have a backup plan in case it doesn’t work.

Consider the self-defense plan one might establish in a city. Your primary threat will likely be humans. That means calibers like 9mm, .45 ACP, 5.56x45mm, and 7.62x39mm are sufficient in most cases. Pepper spray is a non-lethal option that is often sufficient to dissuade an attacking human. In a city your defensive plan might include a 9mm handgun and a small canister of pepper spray.

Now consider the wilderness in the Upper Midwest. While humans are still a threat in the wilderness, they’re much less common in the wilderness and smaller than some other threats. If you go to the northern parts of Minnesota, you might encounter moose. Throughout much of the Upper Midwest there are also black bears. Both are larger than humans and require more firepower to reliably drop. Therefore, your self-defense strategy might include a .357 magnum, .44 magnum, or 12 gauge shotgun loaded with slugs. Run of the mill pepper spray won’t be sufficient, which is why bear mace exists. In the wilderness of the Upper Midwest your defensive plan might include a .44 magnum revolver and a canister of bear mace.

Obviously a gun and chemical irritant aren’t a complete self-defense plan. There are many other components including a plan to deal with injuries (which is even more critical in the wilderness where emergency services are often unavailable). However, like every other part of your plan, your lethal and non-lethal tools need to match the environment.

Preparing for Bad Times

It’s obvious that inflation and shortages are long term trends, not short term “transitory” states as claimed by the current rulers and their mouthpieces in the mainstream media. If history is any indicator, we’re moving towards bad times. However, the effects of bad times can be mitigated with a bit of planning and preparation.

I’m guessing a large percentage of people reading this have been preparing for bad times for a while. If you have been, good on you. You were smart. If you haven’t, don’t worry. There’s still time. Although most goods are harder to come by than they were two years ago, necessities can still be readily had in most places (although you may have to go to several stores to get everything on a list).

If you haven’t been, this post is a primer for you. It’s not all encompassing. It’s a bullet point list meant to get your started.

Creating a Plan

During the first wave of lock downs people snapped up toilet paper and frozen pizzas like they were gold. They did this because they realized that they needed to “do something” but didn’t bother to develop a plan.

When preparing for bad times, you want to allocate resources where they will do the most good. Having a stockpile of toilet paper is good, but all the toilet paper in the world is worthless if you don’t have any food. The first step of developing a plan is identifying what you need. The most immediate needs of a person are water, food, and protection from the elements (shelter and clothing). If you want to avoid disease, you will also need a hygienic environment and medical supplies. I suggest starting with these categories.

Water

Water availability will differ from region to region. If you live in a desert, you will need more stored water than somebody who lives near plentiful fresh surface water (in which case filtration can be an alternative to storage). Unless the water coming out of your tap is poisonous (in other words what I’m writing doesn’t apply if you live in Flint, Michigan), I’d suggest storing tap water over buying bottled water from a store. Do keep in mind that filling random containers with water isn’t sufficient. You need to store your water properly if you want it to last.

Food

Judging by availability immediately after the lock downs, a lot of people believe they can eat frozen pizzas forever. Setting aside the dubious nutritional value of frozen pizzas, putting all of your eggs in one freezer isn’t a smart long term plan. Freezers require electricity and can breakdown. If electricity is unavailable for an extended period of time or your freezer suffers a mechanical failure, everything stored in it will thaw and spoil. You can mitigate the risk of power loss with a generator (so long as fuel is available), but you can’t mitigate the effects of a breakdown unless you have a backup freezer (two is one, one is none). I don’t want to discourage you from making frozen food part of your plan, just don’t make it your entire plan. Having a backup plan for your backup plan is never a dumb idea (again, two is one…).

The good news for your preparedness plan is that there are options in addition to frozen food. Canned goods are the most obvious. Canned goods in good condition can last for a very long time if properly stored. Dry goods are also worth adding to your plan. Dried beans, rice, pasta, etc. store well without the need for refrigeration. Specially prepared foods such as pemmican and hard tack also store well without refrigeration and can serve as alternative ways to store otherwise perishable foods like meat if a freezer isn’t available.

Before you run to the store and buy every can of Spam on the shelf, consider your current diet. If you don’t like Spam, buying pallets of it is foolish. Survival is the primary purpose of preparing for bad times, but there’s no reason you have to suffer to survive. Focus on buying foods you actually like to eat. This will make your life more pleasant in bad times and allow you to cycle through your stockpile during good times (more on that in a bit). Moreover, buy a variety of foods you like to eat. That will allow you to mitigate appetite fatigue (the point where you become so sick of eating the same thing that you can no longer choke it down even in a survival situation).

Protection from the Elements

I’m not going to spend much time on this. You need appropriate living arrangements to both protect yourself from the elements and to store your necessities. Proper clothing for where you live is also necessary (for example, if you live in an area with harsh winters, make sure you have clothing that will protect you from those conditions).

A bug out destination can be included in this category. Depending on the type of bad time you’re experiencing, your home may not be safe.

A Hygienic Environment

Medical care may be limited or unavailable during bad times. That makes getting sick more dangerous. The best way to avoid sickness is to maintain a hygienic environment. You want to have sufficient cleaning supplies to keep your home clean. That means supplies to sanitize where you prepare your food, supplies to prevent mold from growing in your bathroom, and supplies to keep your clothing and body clean.

This seems to be the most often overlooked part of a preparedness plan. Most people remember food and water, but often forget soap, laundry detergent, bleach, etc. Don’t be one of those individuals or all the water and food you painstakingly stocked will be wasted.

Medical Supplies

Speaking of illness, make sure you have stocks of basic medical supplies. Bandages, gauze, medical tape, tourniquets, disinfectant, etc. are all good things to have and usually store for a long time. Again, medical care may be limited so you may have to fend for yourself if you are injured. Moreover, try to stockpile any medications you need (this can be hard because the state artificially restricts access to prescription medications).

Pets

Do you have pets? Do you want them to survive bad times? If so, makes sure you stock supplies for your pets as well. How easy this is will depend on the kind of pets you have.

Cycling Stock

Instead of building a stockpile and forgetting about it until bad times hit, you should use and replace items from your stockpile during good times. For example, if you have a recipe calling for green beans, pull a can of green beans from your stockpile and replace that can with a new one. This serves two purposes. First, it guards against spoilage by limiting the amount of time any good is stored. Second, it increases your chances of discovering spoiled stock when it can be readily replaced. A can of rancid meat is less of a problem when you can go to the store and buy a replacement than it is when canned meat is unavailable.

Allocating Resources

So you put together a plan, crunched the numbers, and realized that this is going to cost a lot of money. Don’t be disparaged. You don’t have to buy everything immediately.

Your plan should be prioritized. This can be done by asking some simple questions. What items do you need immediately? What items can be acquired cheaply? What items will require saving money to acquire? What items are more readily available?

Obviously items you need immediately should be prioritized. If, for example, you were one of those individuals who stockpiled toilet paper during the beginning of the lock downs and still have several months worth in stock, toilet paper should have a low priority. You may want to prioritize items that you need and are already in short supply. For example, many of the recipes my wife cooks require coconut milk. We live in the Midwest where coconut milk is usually relegated to the “Asian section” of the grocery store, which usually has limited stock in the best of times. So coconut milk is prioritized higher on my list.

Items that can be acquired cheaply are good add-ons to your normal grocery list. For example, many canned vegetables can still be found for under a dollar a can (this is being written on November of 2021, if you’re reading this months after I wrote it, inflation may have made this claim look absurd). Adding a few cans of vegetables to your grocery list probably won’t break the bank. Over time a few cans here and there will result in a very comfortable stockpile. Keep an eye out for sales. If your grocery store is having a sale on an item on your preparedness plan, use the opportunity to stock up for less.

What about expensive items like generators and hiring and electrician to wire your house so you can connect your generator to your home? Budget for them. Save some money each month for the purpose of acquiring more expensive items.

Don’t Panic

Preparing for bad times is, in my opinion, a continuous process. If you do a little bit every week or month, you will be in a solid position surprisingly quickly. It’s easy to convince yourself that everything could fall to pieces tomorrow and panic. Remember that things seldom fall to pieces overnight. When you wake up tomorrow, there will likely still be food on store shelves and the money in your wallet will likely still be able to buy it.

The Police Aren’t Coming

A law enforcer killed a black man in Atlanta and is being charged. This has ruffled the feathers of many other law enforcers in the city and now they’re coming down with the blue flu:

Hours after the Fulton County district attorney announced felony murder and other charges against the former Atlanta police officer who fatally shot Rayshard Brooks, a 27-year-old black man, in the back, a number of Atlanta police officers called in sick just before a shift change Wednesday evening.

A lot of people argue that nobody needs tools to protect themselves because if they’re in danger, they can call the police. I along with many (probably most) other advocates for gun ownership have argued that you can’t rely on other people to protect you. This argument often falls on deaf eras. Even when you point out that law enforcers have no duty to protect you, gun control advocates will argue that a cop isn’t going to just stand by and let something bad happen to an innocent person.

The recent civil unrest that started in Minneapolis has done a wonderful job of illustrating that law enforcement departments can easily become overwhelmed and when they’re overwhelmed they don’t send resources to protect you or your business. Atlanta is now illustrating the fact that there are circumstances where law enforcers will refuse to show up for work. As with Minneapolis just a short while ago, it appears that the people of Atlanta are on their own.

This is why defense in depth is such an important concept. You want redundant self-defense plans in case any single plan fails. This is especially true if any of your plans rely on anybody but yourself to execute (the only person you can 100 percent rely on is yourself because that’s the only person whose actions you can control).

Play Stupid Games, Win Stupid Prizes

This story is an illustration of how not to handle a fender bender:

Following the fender bender, Kamrowski stopped in the left lane and got out of his Ford F-150 pickup truck to exchange insurance information with Fitzgerald, according to police.

Fitzgerald, 37, of Ashland, Massachusetts, stayed inside of his white 2016 Infinity QX70 SUV, authorities said.

“That encounter became adversarial,” police said in a statement.

At some point, Kamrowski of Framingham, Massachusetts, reached into Fitzgerald’s vehicle and snatched a water bottle and then stood in front of Fitzgerald’s SUV, police said.

Ideally, after a collision, both parties get out of their vehicle and cordially exchange insurance information and let their respective companies deal with the situation from there. However, ideal situations are almost as rare as honest politicians. If you find yourself in a collision and the other party won’t exit their vehicle, don’t approach. But if you can’t stop yourself from doing that, at least don’t reach into the vehicle. Record the other driver’s license plate number, the make and model of their vehicle (if you can determine it), and identifying characteristics of their car (color, bumper stickers, etc.) and person. If the driver flees, you have a good description to give to the police. If they don’t, they’ll have to get out of their vehicle eventually.

Let’s pretend for a moment that you’re an idiot though and couldn’t restrain yourself form approaching and reaching into the car. At least don’t do this:

“Fitzgerald then began driving towards Kamrowski, who subsequently jumped on the hood of Fitzgerald’s vehicle,” according to the statement from police.

The box of his F-150 would have been a better place to go (or, better yet, back into the cab). But if do jump on the hood, do it only long enough to jump off the vehicle in a safer direction. If you decided to overstay your welcome (and your welcome will be approximately zero seconds), you could end up going for a ride:

With Kamrowski clinging to the hood, Fitzgerald headed west on the turnpike, accelerating and stopping in an apparent herky-jerky attempt to shake Kamrowski, police said. Fitzgerald’s Infinity hit speeds of up to 70 mph as it traveled about three miles on the highway with Kamrowski holding on, police said.

Now you get to ask yourself a question, is the driver panicked and working from their fight or flight state of mind or are they purposely trying to kill you? It’s a pointless question because the answer is irrelevant to your situation. But asking it might distract you from the fact that you’re probably going to die because of your poor decisions.

Fortunately for Kamrowski, a good Samaritan managed to end the situation before he died:

Several motorists tried unsuccessfully to get Fitzgerald to stop, police said. When Fitzgerald eventually got bogged down in traffic, a motorist with a permit to carry a concealed weapon approached Fitzgerald and ordered him out of the SUV at gunpoint just as troopers arrived on the scene, according to the police statement.

But that’s not something you can bet your life on. Moreover, you’re probably still going to jail:

Fitzgerald was charged with assault with a dangerous weapon on a person over 60, negligent operation of a motor vehicle and leaving the scene of a property damage accident.

Kamrowski was arrested on suspicion of disorderly conduct and malicious damage to a motor vehicle.

In summary, don’t be either Kamrowsky or Fitzgerald. Especially don’t be Kamrowsky though because he put is life in danger (Fitzgerald, on the other hand, was at least smart enough to stay in his vehicle and thus maintained a significant advantage in the deadly situation they both worked to create).

Hey Siri, I’m Getting Pulled Over

Do you carry an iPhone? If so, is it updated to iOS 12? If you answered yes to both, there’s a very useful tool you can download:

There’s a big new feature for iPhone experts this year: It’s an app called Shortcuts, and with a little bit of logic and know-how, you can stitch together several apps and create a script that can be activated by pressing a button or using Siri.

[…]

But Robert Petersen of Arizona has developed a more serious shortcut: It’s called Police, and it monitors police interactions so you have a record of what happened.

Once the shortcut is installed and configured, you just have to say, for example, “Hey Siri, I’m getting pulled over.” Then the program pauses music you may be playing, turns down the brightness on the iPhone, and turns on “do not disturb” mode.

You can download the shotcut here.

I’ve downloaded it and tested it. Sure enough it works as advertised. Grab it and install it on your phone so it’s ready if you get pulled over.

You Must Guard Your Own Privacy

People often make the mistake of believing that they can control the privacy for content they post online. It’s easy to see why they fall into this trap. Facebook and YouTube both offer privacy controls. Facebook along with Twitter also provide private messaging. However, online privacy settings are only as good as the provider makes them:

Facebook disclosed a new privacy blunder on Thursday in a statement that said the site accidentally made the posts of 14 million users public even when they designated the posts to be shared with only a limited number of contacts.

The mixup was the result of a bug that automatically suggested posts be set to public, meaning the posts could be viewed by anyone, including people not logged on to Facebook. As a result, from May 18 to May 27, as many as 14 million users who intended posts to be available only to select individuals were, in fact, accessible to anyone on the Internet.

Oops.

Slip ups like this are more common than most people probably realize. Writing software is hard. Writing complex software used by billions of people is really hard. Then after the software is written, it must be administered. Administering complex software used by billions of people is also extremely difficult. Programmers and administrators are bound to make mistakes. When they do, the “confidential” content you posted online can quickly become publicly accessible.

Privacy is like anything else, if you want the job done well, you need to do it yourself. The reason services like Facebook can accidentally make your “private” content public is because they have complete access to your content. If you want to have some semblance of control over your privacy, your content must only be accessible to you. If you want that content to be available to others, you must post it in such a way where only you and them can access it.

This is the problem that public key cryptography attempts to solve. With public key cryptography each person has a private and public key. Anything encrypted with the public key can only be decrypted with the private key. Needless to say, as the names implies, you can post your public key to the Internet but must guard the security of your private key. When you want to make material available to somebody else, you encrypt it with their public key so hey can decrypted it with their private key. Likewise, when they want to make content available to you they must encrypt it with your public key so you can decrypt it with your private key. This setup gives you the best ability to enforce privacy controls because, assuming no party’s private key has been compromised, only specifically authorized parties have access to content. Granted, there are still a lot of ways for this setup to fall apart but a simple bad configuration isn’t going to suddenly make millions of people’s content publicly accessible.

Learning Lessons the Hard Way

I’d imagine that most of you were taught to keep your hands to yourself at a pretty young age. I certainly was. However, some people can only learn this lesson the hard way:

A woman jogging Friday morning in Salt Lake City fought back against a man who came up behind her and groped her.

She was attacked about 6 a.m. in a neighborhood near 1700 South and 500 East, Salt Lake City police spokesman Greg Wilking said.

The woman was carrying a small knife in her hand and stabbed the man multiple times when he grabbed her.

And a valuable lesson was taught.

With sexual assault so prevalent in the news, it’s nice to read a story about how high the cost of sexual assault can be. The biggest enable of sexual assault is likely the extremely low cost of perpetuating it. Sexual assaults often face no physical or legal consequences. If sexual assaulters were commonly beaten, stabbed, or shot, the cost of perpetuating sexual assault might be high enough where would-be sexual assaulters would reconsider their actions.

The Importance of Out-of-Band Verification

Yesterday I received an e-mail that appeared to be from a friend. It was a short e-mail asking what I thought about the contents of a link. The first red flag was that this friend seldom e-mails me. We have other forms of communication that we use. The second red flag was the e-mail address, which was his name at a domain I wasn’t familiar with. The third red flag was the link, it went to a domain I wasn’t familiar with.

Friends asking me about content on unfamiliar domains isn’t unusual. Moreover, friends e-mailing me from unfamiliar domains isn’t without precedence since new “privacy focused” e-mail domains pop up everyday and I have friends who are interested in e-mail providers who respect their users’ privacy. I smelled a scam but wanted to make sure so I contacted my friend through another messaging service and he confirmed that he didn’t send the e-mail.

The combination of social media with people’s general lack of security has made a lot of social information available to malicious individuals. If you want to specifically target somebody, the social information is often available to do it convincingly. Even if you’re not interested in specifically targeting somebody, the social information that is available is often complete enough that it can be fed to an automated tool that sends targeted e-mails to anybody it has information about. These types of scams can be difficult to defend against.

One method for defending against them is establishing multiple channels for communicating with your friends. Between e-mail, Signal, WhatsApp, Facebook Messenger, text messaging, Skype, XMPP, and a slew of other freely available communication tools, it’s easy to ensure that you have at least two separate means of communicating with your friends. If you receive a suspicious message that appears to be from a friend, you can use another form of communications to verify whether or not they sent it. Admittedly, such a tactic isn’t bulletproof. It’s possible for an attacker to compromise multiple communication methods. However, it’s more difficult to compromise two communication methods than to compromise one.

Cash is King

I’m a rare bird amongst my friends because I always have some cash on hand. In this day of credit cards, Apple Pay, Bitcoin, and other forms of electronics payments, cash seems antiquated. However, when the power grid and Internet connectivity become unreliable, all of those forms of electronic payments cease to function:

In post-hurricane San Juan on Monday, commerce picked up ever so slightly. With a little effort, you could get the basics and sometimes more: diapers, medicine, or even a gourmet hamburger smothered in fried onions and Gorgonzola cheese.

But almost impossible to find was a place that accepted credit cards.

“Cash only,” said Abraham Lebron, the store manager standing guard at Supermax, a supermarket in San Juan’s Plaza de las Armas. He was in a well-policed area, but admitted feeling like a sitting duck with so many bills on hand. “The system is down, so we can’t process the cards. It’s tough, but one finds a way to make it work.”

The cash economy has reigned in Puerto Rico since Hurricane Maria decimated much of the U.S. commonwealth last week, leveling the power grid and wireless towers and transporting the island to a time before plastic existed. The state of affairs could carry on for weeks or longer in some remote parts of the commonwealth, and that means it could be impossible to trace revenue and enforce tax rules.

I believe that it’s important to always have a backup plan. While we enjoy mostly reliable power and Internet connectivity here in the United States, the infrastructure that provides those assets is only a natural disaster away from not functioning. Having cash on hand gives you an option if the infrastructure is damaged.