Thursday, May 25, 2023

How to protect yourself from Card Skimmers

Before I go into steps to protect yourself from card skimmers, it is important to understand the various protocols used in POS (point of sale) devices to read your credit/debit cards. There are 4 types and they are --- swipe (magnetic strip), chip (chip in card), tap (RFID) and smartphone (NFC). I won’t go into the details on each of these, but it is sufficient to be aware that there are multiple technologies involved in POS transactions. Now, here are different ways to prevent or at least lower your chances of becoming a victim of card skimming listed in the order of most effective to least effective.

  1. Use your 'smartphone' to pay (Google Pay, Apple Pay) wherever you can. How to get this setup is outside of the scope but it is very easy. This is the strongest protection you get today, and it is extremely difficult (if not impossible) for criminals to scam you. Most POS devices accept these today although if you live in US (lagging behind the world) it is not uncommon to see vendors using ancient devices that does not support smartphone pay.
  2. Use 'chip+pin' if your card and the POS device supports, this is the second-best way. If you live outside of US like Europe, even in India, you are golden because it is the standard for POS devices for many years and you are required to use pin to do transaction. Every time I was on a business trip to India, I always find myself arguing with waiter at restaurants “hey, I don’t have a pin” 😄. If you live in US, it sucks since chip+pin is not mandated for whatever reason.
  3. Use 'chip' if your card and the POS device supports. Most credit card/banks these days issue cards with chip but unfortunately in US, they also include the magnetic strip to cover the lazy ass vendors who still use archaic magnetic swipe. This pretty much negates the benefit of chip as scamming devices can still read your magnetic strip. So, if you live in US, what I’d recommend is to scratch the magstripe on purpose (I did that on all my cards). Use a sharp knife or steel wool to scratch the magstripe to a point it can’t work. Keep one card with magstripe in case the vendor says, “we don’t have chip reader you have to swipe”. Trust me these guys won’t change unless they are mandated by law to switch to modern POS at state/federal level.
  4. Use ‘tap’ if the POS device and your card supports it. If you see this symbol on the back of your card, then it is enabled for RFID. Again, US lags on this protocol as well. While this is the most convenient way to make purchase, there is a huge security hole in this method which enables most sophisticated attacks which I won’t go into detail but there are things you can do to avoid them i.e., use an RFID blocker (you can buy them at amazon for $2 a piece) and place it in your wallet/purse along with your credit/debit card equipped with this technology. I use these if you need a recommendation https://link.selvansoft.com/1307688f
  5. Use 'check' which of course has many problems of its own but it may be slightly better than the last one below.
  6. Lastly, if none of the above options available to you, you have no choice but to use magstripe/swipe. You might want to spend few seconds to look for signs of tampering on the POS device. See the picture at top of this blog for signs to look for. Obviously, you won’t have lot of time besides, you may annoy other customers behind you if you are spending too much time poking around the device 😄

Finally, you can and should setup text alerts when your card is charged even for a $1. Almost all bank/credit card institutions provide the feature to TXT. The only annoying thing is getting TXT for everything you do on your card, but it is better than being a victim. 

My text alerts look like this (see screenshot below).  Notice it says “card ending in xxxx was not present” that has multiple meaning but, in this case, it means these transactions are done without card i.e., done with google pay which I use everywhere it is accepted and it’s the most secure way today to pay at POS. Period.


Tuesday, May 23, 2023

ProtonVPN - fast & free

ProtonVPN

Not sure any of you are aware of Proton Mail which is a fully secure email service and has been around for a while. I signed up for their free tier email service a while back but never used it since I don’t want to pay for yet another cloud space and the free tier space of 500 MB is not much for daily use.

Anyway, I know they had VPN for free as well but never tried it until recently and I am blown away by the speed --- very low overhead compared to different VPN service I have used. Granted it is wireguard, a modern successor of VPN but still, literally I get same speed as provided by my ISP. First, I could not believe and started measuring speed with every speed test tool that is out there and they all came back with more or less same and speed which is roughly same as what I get with my ISP  (see screenshot) without VPN layer. At this point, there is absolutely no reason to not use them permanently… and it's Free!



How to get ProtonVPN

Head out to https://proton.me and sign-up for free account and you get encrypted mail service and 1 VPN connection free. Wireguard is pretty simple to use, all you have to do is install wireguard (https://www.wireguard.com/install/ ) and get the credentials/keys from ProtonVPN and off you go. 


How to run wireguard (MacOS or Linux)

After wireguard is installed, follow the simple steps shown in screenshot below to start/stop wireguard. The screenshot is on macOS but it should be same in Linux possibly on windows under powershell as well. The third argument is the name of your wireguard configuration file without the '.conf' extension. In my case it is lion.conf. This is the configuration file you downloaded from the ProtonVPN and it should be copied to /usr/local/etc/wireguard/ on MacOS, or /etc/wiregaurd on Linux.

Wednesday, April 5, 2023

HOWTO: Credit Freeze

Data breach incidents are very common these days. In-spite of all the efforts & money spent by organizations on robust cyber security measures to protect themselves, data breaches continue to occur. With countless sensitive records compromised, it serves as a stark reminder that no organization or individual is immune to cyber threats and as an individual, there is nothing you can do to stop. However, there is one thing you can do to protect your identity and personal data by adding a credit freeze on demand or forever. 

As a matter of fact, I don’t see a need for your credit report to be in “unlocked” status unless you apply for loan, bank account, credit card etc. which you don’t do every day. So, why does it need to be in “unlocked” status? When you need it, you can, with a click of a button (at most bureaus) unlock your credit, get your business done and lock it back. 

I have listed below all you need (link/phone/address etc) to place a “free” (yes free) credit freeze to avoid becoming a victim of identity theft, fraud and scam that could potentially wipe your hard-earned money and ruin your financial reputation, possibly forever!

EQUIFAX:

Online: https://my.equifax.com/membercenter
By phone: 800-685-1111
By Mail: Equifax Security Freeze, P.O. Box 105788, Atlanta, Georgia 30348-5788
Online Account:
Terminology: Freeze
How To Lock: Home and select Freeze on the side bar

EXPERIAN:

Online: https://www.experian.com/freeze
By phone: 888-397-3742
By Mail: Experian Security Freeze, P.O. Box 9554, Allen, TX 75013
Online Account:
Terminology: Security Freeze
How to Lock: Experian is sneaky & goes out of the way to hide the free service pushing customers to pay for the “File Lock” (a paid service). Use the direct link below to get to the ‘free’ option.

TRANSUNION:

Online: https://service.transunion.com/dss/
By Phone: 888-909-8872
By Mail: TransUnion LLC, P.O. Box 2000 Chester, PA 19016
Online Account:
Terminology: Credit Lock
How To Lock: Dashboard has Lock/unlock button
Direct URL: N/A

INNOVIS:

Online: https://www.innovis.com/securityFreeze
By Phone: 866-712-4546
Online Account:
N/A

Final Note: The information above is designed to be simple and easy to follow, so that anyone can place a credit freeze quickly and easily. Permanently freezing your credit reports is sufficient in protecting yourself from identity theft. However, I did encounter a more complex process outlined on Reddit (link below) that focuses on all the steps to take if you were indeed an identity theft victim. Some of the steps mentioned there are very extreme and complex, but I suppose overprotecting yourself isn't bad, especially when it comes to your identity.

https://www.reddit.com/r/IdentityTheft/comments/uvv3ij/psa_freezing_your_three_main_credit_reports_is/

Saturday, March 18, 2023

ChatGPT vs. Google search

Whether you're looking for the latest news, a specific product, or a how-to guide, Google search can help you find what you need in a matter of seconds. We all use google search every day at least once or some people like me use multiple times a day. 

Ever since ChatGPT came along, I find myself going there in the hope that I will find what I am looking for faster and easier using the conversational search approach. However, I often find myself falling back to Google search because 4 out of 5 times ChatGPT gives me wrong information and directing me in the wrong path (see the screenshot at end). At this point, I am convinced that it is actually faster for me to go to Google search in the first place for accurate information. Granted my search needs are highly technical in nature and I understand that is not exactly same for everyone but still I think Google search is faster, and most importantly accurate, at least for now.


What do you think?


Just for fun, I asked ChatGPT the question and here is the response I got.

When it comes to finding specific information quickly, Google search is still the go-to tool for most people. However, if you want a more conversational and personalized response to your query, ChatGPT can be a great option.

Here is a screenshot of one of the flat-out wrong answer from ChatGPT for one of my search/question with high degree of confidence 😆



Tuesday, March 14, 2023

Bloatware in Pixel?

I only buy Google Pixel phones to avoid carrier & phone manufacturer installed, un-removable bloatware but little that I know these bloat kings like Samsung, Verizon, AT&T, etc managed to shove their crap on my Pixel phone and I have no clue how they managed to do that. I accidentally discovered some and believe it or not, you can't remove it without ‘root’ing your phone which will disable monthly security patches. Long story short, I wrote a script to disable them from running. 

Feel free to use this script but you need to have android adb installed on your computer and connected your phone with USB cable in order for this script to work.

https://github.com/aselvan/scripts/blob/master/andriod/remove_bloatware.sh

If your phone is not pixel, you will find crap ton of bloatware. If you give me the full list (i.e., run my script '-a' option), I can update the bloatware list in the script so you can remove them. Right now, the list I have hardcoded in this script only includes what I found on my pixel which are listed below.

Finally, here is a quiz to see if anyone can answer this question (post your answer as comment). So you found a strange package called ‘org.thoughtcrime.securesms’ installed in your phone i.e. run my script with argument  ‘-p org.thoughtcrime.securesms’ that checks your phone to see if you have it. Do you think it is a malware? 😜

PS: all the scripts I post on my GitHub repo are digitally signed by me so they are as safe as it can be to run and if you feel brave you can run directly in a bash shell (MacOS or Linux) like so below.

curl -s https://raw.githubusercontent.com/aselvan/scripts/master/andriod/remove_bloatware.sh | bash -s -- -h


Tuesday, March 7, 2023

Free Cloud storage

Yeah, you read it correct, free 😁. We all know the phrase “there ain't no such thing as a free lunch” but there is a way to store all your family vacation pictures, videos for free with a minor caveat.

All of us have ton of vacation pictures, videos and such lying around on our computer, phone, USB stick, camera SD card etc. While it is always a good practice to backup your precious memories to external hard drive, but it is still not good enough. Hard drive is not permanent storage as it can fail anytime. What would you do if all your precious memories went down with your backup drive? While cloud storage does address this problem, it does cost money. What if I told you that you can store your stuff on cloud for free? Read on if interested …

Videos:
First, let’s start w/ video files as its pretty easy. I am sure many of you used YouTube to upload your videos to share w/ your family & friends or even to public in some cases. Did you know that you can also upload all your personal videos there as well and mark it as “private” (see screenshot below) so it's visible only to you? 


That is right, you can upload literally everything you have in video format to YouTube. As of now, Google does not charge anything for storage, and it’s been that way for years, but that may change down the road but for now it is absolutely free. While YouTube runs super aggressive compression algorithm to maximize space, it does not impose any limit on length or size of files you can upload, and the loss of quality is not noticeable at all. I just uploaded a really huge video file (15 GB) and google is cool w/ that. If you don’t know how to upload files to YouTube, follow these simple steps. While logged in with your Gmail/Google account, head over to https://studio.youtube.com/ select Dashboard/Upload Videos and drag/drop your videos as much as your heart's content. Before you do that, you need to go to “Settings”/”Upload defaults” to set visibility to “Private”. There you have it.

Pictures:
Obviously, video is easy but how do you upload pictures since YouTube only accepts video? Well, you could generate a video of your pictures may be one video for each vacation or event and upload as videos. This is the minor caveat I mentioned earlier, i.e., you have to do some work to convert your pictures to video which is not that hard. To make it easy, I wrote a script to do just that on MacOS, or any Linux, or ChromeOS based computers. Windows users can run the script under WSL (Windows Subsystem for Linux) on Windows 10/11. If you are like me who always create slideshows with vacation pictures anyways, converting to video is not a bad option at all. The script to convert picture to video is available at my GitHub repo at link below.


It is pretty simple to run the script. First, copy all your pictures of a specific event or vacation trip to a directory and run this script on that directory as shown below. You can specify a title to use with the -t option and use any MP3 for background audio. The generated output video will be in the same directory. Now you can upload the video to YouTube!















To make bulk creation easy, I wrote another script that reads a CSV file where you can define where your files are and what title, background to use and run at one shot to create videos of all of your files as long as they are in separate directory. See script below.


Finally, if you have any questions on the options for generating video, feel free to ask. Enjoy!

For completeness, I want to mention there is a very complex method available to literally store any of your files, including documents, zip file etc on YouTube for free. Which of course requires lot more technical knowledge/skills that is way beyond the scope of this blog. If interested, you can read about it here https://hackaday.com/2023/02/21/youtube-as-infinite-file-storage/ and here https://gizmodo.com/backup-data-on-youtube-hack-white-noise-aka-isg-1850261527 . Keep in mind these are not reliable methods as one tweak in compression algorithm will render your data unreadable and useless so I would not use these methods to store anything important.




Friday, March 3, 2023

Phishing scams using URL Shorteners

I am sure many of you are familiar with shortened URLs that redirect you to a different long-winded URL when clicked. If you’ve ever seen or used tinyurl.com, or a bit.ly link, you are already familiar with how they work. 

These shorturl services like bit.ly etc., have been abused by scammers for their phishing campaign for a while now. Recently, there is an increased use of these technique specifically leveraging reputable/legitimate websites like linkedin.com (see link below) since malware protection software and spam blockers are unlikely to block these short links created by reputable organizations like LinkedIn.

https://www.malwarebytes.com/blog/news/2023/02/linkedin-slinks-abused-to-phish-email-and-payment-details

So how do you know if your given short URL is not going to take you to a shady phishing site or worse, to a malware laced website? Essentially, what you need is an inverse of shorturl i.e., longurl 😁 which expands the shorturl to show where it would take you if you were to click. That is exactly what I have done on this simple tool below. Feel free to use.

https://selvansoft.com/longurl/

Note: Try expanding this sample short link (https://bit.ly/3YuGbTA) using the longurl service above. For safety, the redirect address is checked w/ out actually traversing there and also it goes just one level deep only. There is also urlscan.io that does lot more if you want to try that as well. 

PS: I also have a very simple shorturl service similar to bit.ly here  https://selvansoft.com/shorturl/ Again, feel free to use.

Thursday, January 26, 2023

DocuSign sends sensitive info in plain text

Yes, you read the title correctly. DocuSign indeed sends everything including sensitive information to you after you complete "docusigning" something.

Have you ever used the DocuSign service for signing any documents? I am sure many of you are familiar with DocuSign because it is used very widely everywhere for document signing online. If you think you haven't used it, think again, you may have used it and not know about it. Typically, a lot of information you enter when you sign any legal document like your loan application, lease contract, loan, even job acceptance these days goes via DocuSign. When both parties completed the signing process, DocuSign will send you a mail with a copy of the fully signed/executed document (PDF file) once. The PDF file may likely contain your SSN, DOB, address, phone number, account number and many other sensitive information you may have entered during the signing process. Guess what, all of these are in "plain" form and sitting in your email (gmail, yahoo etc). If you don't believe me, search your email from docusign.net and open the attachment they sent you. You would not believe what you see.

If you use gmail (who doesn't?) here is a easy search filter to quickly show all mails from docusign containing PDF files. 

"from:(docusign.net|docusign.com) has:attachment filename:pdf"

The screenshot below will help if you don't know how to search for e-mail messages with filter. 



How to spot phishing attempt - an anatomy of a phishing Email

Note: This is an old post from 2014 at blog.selvans.net. It is moved to this site as part of migration. Though it is more than 8 years old, it is still valid and relevant.

If you consider yourself as someone who knows how to spot spam and phishing emails, you won't learn anything new here. Others who want to learn how to spot spam or phishing mails, especially if you are someone who simply can't resist clicking on links in your email no matter how many times you were told not to :)  read on …

Like most of you, every now and then I do get a phishing mail delivered to my inbox. Gmail usually does a pretty good job of filtering spam and phishing mails, however, this particular one shown here slipped through gmail spam filter because of my own filter (a discussion on why it slipped is outside the scope of this blog). Anyway, here is a screenshot of the phishing mail we will be dissecting in this blog. Apparently, citibank all of a sudden lost everything they know about me except my email address :). You can stop right here since it is clearly a phishing attempt, but for the purpose of this exercise, lets continue. At a glance, for a novice email user, it looks legitimate and it does appear to have come from citibank.com, and is instructing me to download the attachment called Citibank.html. It must be important since it is from citibank alert service and I should immediately download the file and double click it right? The first thing you need to understand is that the 'mail from' (i.e. in this case alerts@citibank.com) is the easiest thing to fake. To find out where it really came from you need to see the full email headers from the “show original” option. [Note: The screen shot below is from gmail but as far as I know all mail clients like yahoo, hotmail, outlook etc allow you to view the 'raw' content of the mail which will show all mail headers].



When you select the 'show original' as shown above, you can get the 'raw' mail content including all the mail headers (see annotated screenshot below).



From the above screenshot, you can clearly see google's mail server received this mail from decisiontreetech.com not from citibank.com (highlighted in yellow). Does this mean the decisiontreetech.com is the phishing source? The answer is No. In this case, it looks like someone from that company seem to be infected with a malware allowing a remote hacker to hijack their email account session to send phishing mail via that company's mail server. If you look further down you can see a remote host from France with a IP address 62.244.93.88 initiated this message. For many of you, unless you are in cyber crime division of law enforcement, at this point, it doesn't matter who the criminal is (we will discover shortly below), you know this is fake and you should simply delete this mail and go on with your life. You can continue to read if you are interested in dissecting this mail further ...

Now, we are going to examine the attachment the crook wants you to download so he can collect your information. Typically, you can view the raw mail safely with your browser to see what the attachment contains to make sense out of it as long as its not binary. In this case it is supposed to be a HTML file. However, the crook encoded the content of the HTML text to base64 encoding so it is not easy to view what he is trying to do and where he intend to send your information (see the screen shot below).


I can just download the file to let the browser decode the base64 encoded HTML for me or just simply copy the content and decode it myself. The following screen shot is a relevant part of the HTML file decoded using an online decode tool from www.base64decode.org



Finally, you can see they are posting your information to a webserver at 69.73.182.242 to eventually mail everything to two email address i.e. sammy78@iname.com and effeferegregregre@yahoo.com There you have it.

PS: As of this writing the above server is still up and running although the post action is no longer working.

Hope this blog helped you to learn how to easily spot phishing mails and protect your hard earned money. Bottom-line is, if you get a mail asking for stuff your financial institution should already know, its a fake, delete it.


How to protect your Facebook account with encrypted notifications

Note: This is an old post from 2015 at blog.selvans.net. It is moved to this site with updated screenshot and content. Though it is more than 7 years old, it is still valid & Facebook still supports this feature.

As part of the Facebook account security feature, Facebook sends various notification e-mails. All these notification e-mail messages are in plain text. For notification e-mails like "Login Alert", it is not a big problem if the mail content is plain text as it does not contain anything important. However, in the case of password reset request e-mail, it is a problem since the reset code is sent in plain text. If your e-mail account is compromised, for example by a session hijacking method, the hacker has access to your e-mail account until the session expires so they can request Facebook password reset and easily take over your Facebook account.

Note: How your account got session hijacked is outside the scope of this blog but typically, it can happen when clicking on phishing e-mails or visiting infected websites etc.

From Jun 2015, Facebook introduced an option for users to request all notification e-mails in encrypted form. If you are already using or familiar with PGP, you can now provide your public key to Facebook so it will use it to encrypt all e-mail communications to you. Go to your Facebook profile and navigate your way to the "Security and login" section or click here https://www.facebook.com/settings?tab=security

See the screenshot below where I entered my public key.



Once you enter your public key (make sure to check the box to enable encrypted notifications) and save changes, you will get an encrypted mail from Facebook. You then decrypt the mail using your PGP tool and confirm using the link Facebook sends you. After this, all e-mails from Facebook will be encrypted using your public key so only you can decrypt it. In addition, you should to add Facebook's public key to your PGP keyring so you can verify the signature of the encrypted e-mail to ensure it is from Facebook. The key is at link below.


See this whole process in action. I get numerous attempts by cyber criminals monthly, weekly and even daily sometimes to reset my facebook password. The following is an example of an attempt. For every attempt, facebook will send me an e-mail (shown in the screenshot below) with encrypted content containing the reset code which is useless to anyone but me.



Below is the screen shot after I decrypted the content using my private key. 


So even if my e-mail account was compromised (highly unlikely 😀), the hacker can't read the code sent by Facebook to reset my password since he can't decrypt the mail without my private keys. For PGP encryption/decryption, I use GNUpg (https://gnupg.org/download/). However, there are other tools and browser plug-ins readily available which you can easily install in your browser (chrome or firefox) to use PGP.

If you are new to PGP, the read the link below for a quick introduction before getting started on using Facebook encrypted e-mails.

https://www.makeuseof.com/tag/pgp-me-pretty-good-privacy-explained/

How to access your passwords anywhere

Note: This is an old post from 2014 at blog.selvans.net moved to this blog site.

Have you ever forgotten the password to login to one of your many online accounts? It happens to me all the time so I save all my passwords to a file, encrypt it, and have a shell script to decrypt, search and spit the plain password whenever I don't remember the password. This is great when I am at home where I have access to my script and my encrypted password file. However, if I don't remember a password to a site when I am not at home, it is a problem. So I exposed a simple public interface on my webserver to securely decrypt my passwords online from anywhere. Feel free to use this tool to encrypt/decrypt anything (passwords, email, or just any text) and share a per message passphrase to other person to decrypt the message to its original content. Don't worry no one will be able to read unless you give them your passphrase. You can save the encrypted content (see a sample below) anywhere like google docs, dropbox, skydrive, or usb stick etc so you can easily access it anywhere. Feel free to use the tool (it is at the link below). There are many password manager tools like lastpass, keepass etc available freely that does similar things but the only difference is, here you control how you safeguard your encrypted file and in addition, you have simple web access to encrypt/decrypt any arbitrary text.



It is perfectly safe to store the encrypted message anywhere in your laptop/desktop as it will be encrypted with strong AES-256 cipher. Whenever you need to see the message content, all you need to remember is the passphrase you used to encrypt it. To get an idea, decrypt the sample content below using the passphrase 'th1s 1s coo1' without the quotes if you are interested to see how it works.

b97ca8a4928db1a7M5lbEofsXXYqTrvEQXyIYBwbJgqUo8S5iUZuzUuoX370OzoeIXiEbkX1KKprK02Z7n9ocnMx1JoEeB3cJdgqBxkpO84Pq+rQrSsUcgLtOp10xZnFM40EJX9RPyLD7Gyl1yKIzZ5nuWxrKIz29R5UFel6J6ZBGKCbWRP2lVbaQPKFZLJtgUQ7Vq7sKxffUOepPoBxeCWcpNYyhthj4IQ/t1WUl8asGSH7CUp0Rje3GJIaHBSciwUDA+g4euunb4NY6Kivq3O7FCyJ8REpZgZ9TIZuUgYFV0tjMi9xdAxWR4EUsJUaG4fC+5JfFA05cGZgcEkwc9VSdLKDc6L1p3Ku3L/3dRnBSlSC1hXZM0Shsdo=

Sunday, July 17, 2022

How much of your info is freely available online?

Have you ever wondered how much of your information is available on public websites for anyone to search? I am sure some of you are aware of paid services that go far beyond typical google and other search engines but I am talking about totally free service to instantly get a ton of information not only on you but also everyone associated with you like your kids, neighbors, relatives, phone numbers, and more. Not to mention all the places you have ever lived which I am sure many of you know is one of the key attributes to validate your identity with many financial institutions.

Well, wonder no more as there is tons of information about you online and are freely available for anyone to search. And these are constantly being updated and redundantly stored on multiple online sites!

Now that I caught your attention 😊, here is a quick way to find out how much information is out there on you and how to remove your information ... well, you can attempt to remove it but it's not that easy, which is explained at the end. Just open your browser and navigate to the following site below and search your name and your address (just city or even state is fine) or phone number ... you would be very surprised to see how much of your info is out there. 

https://www.fastpeoplesearch.com/



Make sure to scroll down all the way and click the "VIEW FREE DETAILS'' button at bottom (as shown in the screenshot) that brings up the detailed screen which shows all info they got on you. I am sure some of you know that this is not new, and this specific site mentioned is in business for well over 10+ years but how much of the information they gathered over the years is nutts!. This site has a lot more free information now than it had before when I looked at it several years ago. 

Note: I removed my information but it is erroneously showing someone else in that place 😄

So how do you remove it? For this site, navigate to the link below and follow the directions. It should be fairly quick to get your data removed. Feel free to post a comment on this blog if you have trouble removing yourself and I will try to help you. Now, the big question is, how long it's going to stick?

https://www.fastpeoplesearch.com/removal

Here are a few more sites and the corresponding removal links but these are by no means a full list. 

Website

Removal Link

www.truepeoplesearch.com

https://www.truepeoplesearch.com/removal

www.peeplookup.com

https://www.peeplookup.com/opt_out

www.beenverified.com

https://www.beenverified.com/app/optout/search

truthfinder.com

https://www.truthfinder.com/opt-out/

www.zabasearch.com


www.intelius.com

https://www.intelius.com/opt-out/

www.familytreenow.com

https://www.familytreenow.com/optout

www.peekyou.com

https://www.peekyou.com/about/contact/optout/index.php

www.fastpeoplesearch.com

https://www.fastpeoplesearch.com/removal

www.spokeo.com

https://www.spokeo.com/optout

nuwber.com

https://nuwber.com/removal/link

Radaris

https://radaris.com/control/privacy

unmask.com

https://unmask.com/opt-out

whitepages.com

https://www.whitepages.com/suppression-requests

infotracer.com

https://infotracer.com/optout/

emailtracer.com

https://emailtracer.com/privacy

freebackgroundcheck.io

https://freebackgroundcheck.io/optout

govwarrantsearch.org

https://www.govwarrantsearch.org/

familytreenow.com

https://www.familytreenow.com/optout

peopledatalabs.com

https://www.peopledatalabs.com/do-not-sell-or-share

clustrmaps.com

https://clustrmaps.com/bl/opt-out


I know there are literally 100's of them out there and they all scrape data back and forth, in addition to pulling data from common public sources and constantly updating themselves. As detailed above, they all provide a mechanism (varies by site) to remove your information, but you will soon find out the task of removing your info will become a constant battle of whack-a-mole game since they all feed on each other and the information you removed will be back, eventually! 😟

While this blog is focused on outlining how to remove publicly available data from data brokers, it is worth mentioning that you should also check if your personal data has been compromised in any of the data breaches over the last decade or so. Obviously, you can't remove breached data, but you can find out if any of your critical PII data, like your SSN, is part of these breaches and take necessary action. The following table lists a few websites among the many out there to search.

https://haveibeenpwned.com

A goto website that has aggregated data of many breaches of last few decades

https://npd.pentester.com

Exclusively search the NPD dataset - a super large breach in July 2024

https://monitor.mozilla.org/


https://dehashed.com/



If you find that your SSN has been leaked, which is highly likely with the NPD data breach if you live in the US, you can read this blog below on how to freeze your credit file to protect yourself from becoming a victim of identity theft.

On a final note, there are many paid services like Optery, Incogni, DeleteMe, BrandYourself, and many more that claim to remove your data from all sites for good. However, I am very skeptical about how effective these services are and whether it is even worth spending a lot of money on them. On the plus side, they are convenient and eliminate the time and effort required to do it yourself. However, on the flip side, they now have all your detailed personal data in addition to all these data aggregators. In the event that they get breached (if not today, it will be soon; that is the reality), your full information could end up on the dark web forever. In my opinion, doing it manually is one less thing to worry about.

Sunday, June 26, 2022

Deterministic Password Manager

While Apple, Google, and Microsoft are all very hard at work on a variety of passwordless schemes, passwordless logins will not be a reality at every website you visit anytime soon, simply because password-based login systems are the easiest and the cheapest to implement and most business, including banks/financial institutions are too lazy and don't want to do anything unless they are forced to implement a better solution. So we all have to continue using password manager for quite some time to come. 

There are many commercial and free versions of password managers out there to choose from but most of them store your encrypted password somewhere on the cloud which has a potential to be compromised. What if a password manager stores literally nothing and is able to deterministically calculate your password every time you access it? Would that be cool? That is what I did with my deterministic password manager prototype below. 

My website password.selvansoft.com creates deterministic password without storing anything on the cloud or local storage unlike many password managers. All you need to remember is your single passphrase, the website name (FQDN), username for each website to create or retrieve your strong password on the fly. For convenience, the password is copied to browser's clipboard so it can be pasted into the website's password field directly.

Note: Password length can be set to 8 char for old & outdated websites that still insists on 8 char but it is highly recommended to use 16 char. Also, fields are case sensitive to ensure high variability on generation of password.


Simple Encrypted Drive

We all have sensitive data that we need to keep them away from prying eyes. While there are so many free software and solutions available, they all have advantages and disadvantages in using them. A discussion of available solutions and the pros/cons are outside the scope of this blog. If you are interested in using a simple, highly secure and most importantly, a free solution where you have 100% control of your sensitive information, read on. Note: This is only if you use a Mac or Linux laptop/desktop, sorry no Windows.


Here is a simple shell script to encrypt your data locally in your hard drive or on a portable USB stick to take it anywhere. If your USB stick is lost or stolen, the data stored in there are of course useless to anyone. The way the script works is by creating an encrypted disk using a special filesystem driver (encfs) and allows you to copy your ordinary files (i.e. unencrypted) through the driver just like copying a file with your operating system's copy command. To access these files, you have to mount the drive with your passphrase. Once the filesystem is mounted, they are available through a mounted drive in plain form to retrieve or update your files. Once the file system is unmounted, they stay in your hard drive or usb stick in encrypted from. 

Here is how to use it.

./encrypted_drive.sh -d /tmp -m

In the screenshot below, I am using a /tmp directory just as an example but you should actually choose a permanent storage like an ordinary directory in your home path like "$HOME/encrypted" or a USB disk mount ex: /Volumes/<mydisk> on Mac. Note: you need to choose a strong passphrase and remember that to access your files later. The very first time you run, script will ask you a question about encrypted volume type as shown below, just hit enter to take the default; subsequent runs will not ask anything except the Encfs password i.e. master password you chose to mount the encrypted volume.



Once the drive is mounted (see the screenshot above shows mounted drive on your desktop), you can simply copy your sensitive files using operating system copy command like shown below, or just drag and drop files like you'd do with any other drive/path. The mounted drive will stay mounted for 15 minutes and unmount itself automatically for security reasons.


As you can see from the above screenshot the files are now accessible through the mount point (/tmp/decrypted) for reading and writing in plain form. Once you unmount using -u command, you see the files in /tmp/decrypted are gone and the actual files in encrypted form are in /tmp/encrypted which is useless if anyone got a hold of your USB drive or your computer containing these files. (Note: replace /tmp/ with the path you chose for your permanent storage when you mounted the drive)

The script is available in my GIT repo below. Download it and follow the instructions (below) to install the encfs which is required for this script to operate. Love to hear feedback.


#  Instructions for installing encfs

#   Mac
#   run the following 2 commands on mac terminal (assumed you have brew installed)
#     brew cask install osxfuse
#     brew install encfs
#   
#   Linux:
#     Ubuntu/Debian: apt-get install encfs
#     Redhat/CentOS: yum install encfs  
#     Other: refer to your distro manual
#
#   Windows:
#      Sorry, wipe that crap 😃 and install Linux or get a Mac!
#