Ransomware

Ransomware is on the rise — here’s how you can protect yourself

Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system so that it is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

Wikipedia

Ransomware is a hot topic right now, not only in the tech press, but in the mass media too, because of crippling attacks on companies like Colonial Pipeline, which recently found its electronic systems hijacked by profit-seeking attackers. But it’s not just big companies, governments, and hospitals that are suffering from the scourge of ransomware: the bad guys are going after smaller targets, too, including small businesses, home NAS (Network Attached Storage) systems, and personal computers.

Though the future that many cybersecurity experts were worried about years ago has sadly arrived, there’s a lot users can do to minimize the likelihood that they’ll become the victims of ransomware. Improving your cybersecurity posture is a very rewarding pandemic-related activity that will leave you feeling happier and healthier. Here are my top recommendations for protecting yourself and your data from threats like ransomware.

1. Backup, backup, backup

If the worst should happen and you do fall victim to malware, you’ll be able to recover your precious data without paying the ransom if you have backups. Your backup strategy should be multifaceted, encompassing both local/onsite and remote backups. For example, you could use Apple’s Time Machine to automatically back up your Mac to a network drive or external hard drive, and you could use Backblaze to automatically back up that same Mac to a remote datacenter. Mobile devices can be backed up, too, using tools like iMazing or Android Device Bridge. Take advantage! Backups will not only help defend you against the risk of ransomware, but can help you in the event of other catastrophes, like loss/theft or a disaster like a house fire or tornado.

2. Embrace the three big cybersecurity wins

The three big cybersecurity wins are:

  • Insist on encryption: Your data should not be stored or transmitted in the clear. You should encrypt your computer, your mobile devices, even your remote backups. Modern operating systems and applications make this fairly straightforward, for the most part. For example, Windows offers BitLocker, macOS offers FileVault.
  • Adopt a password manager: It’s better if you don’t know your passwords. That way, they can’t be weak and guessable. Let a password manager generate, store, and autofill your passwords for you. I can’t say enough good things about 1Password, my password manager of choice.
  • Deploy multi-factor authentication: From Facebook to Gmail to Twitter and LinkedIn, your accounts should be protected with multi-factor authentication, also called two-factor authentication, or 2FA. You can either use a hardware-based device like YubiKey or an authenticator app like Authy as your second factor.

3. Build a firewall for your whole network

You spend more of your time at home than anywhere else, and it’s also where most of your Internet-connected devices probably are: your tablet, “smart” TV, Blu-ray player, personal computers, and “Internet of Things” gadgets, if you own any. These all need protecting. A network-based security strategy makes a lot more sense than a device-only strategy, because it covers every device on the network and doesn’t require any software to be installed on each one.

This is where tools like Firewalla and pfSense come in.

Firewalla is a really nifty hardware-based firewall. It’s a small box that you hook up to your router. Once you plug it in, it starts watching your entire home network like a hawk, and reports back to you using a mobile app for iOS and Android. It can block attacks, quarantine new devices automatically, and monitor what your vetted devices are doing. It comes in several flavors. The Blue Plus version ($199) is ideal for most home users.

Firewalla also offers ad blocking.

Its ad blocking tech is not as good as Pi-hole’s, but fortunately, if you like Pi-hole and are already using it, or want to use it, it is compatible with Firewalla. The two solutions can be used together. Just tell Firewalla not to monitor Pi-hole, and ensure Firewalla’s ad block tool is turned off.

You can even use Firewalla to set up policies to block social networks and gaming at certain hours if you want to reclaim family time.

Best of all, the team behind Firewalla is actively engaged in making it better. It regularly sees new releases, and you don’t need a subscription to use it. You just buy the hardware once and get free updates from then on.

pfSense, meanwhile, is a great choice for more advanced users.

4. Keep your devices and browsers up to date

New software vulnerabilities are being discovered all the time in all major operating systems and browsers, from Windows to macOS to GNU/Linux distros. It’s important to stay current, and the best way to do that is to turn on autoupdates on your computers and mobile devices.

Unless you’re a disciplined sysadmin who prefers to determine the precise manner and timing in which updates are installed, autoupdates are your best bet. To reduce the annoyance of an autoupdate forcing a system restart in the middle of the night, you can set your browser to automatically pick up where you left off (restoring your open tabs) when your machine comes back up.


Making a WordPress site accessible via HTTPS only is about to get a lot easier

Since the inception of my Hardening WordPress guide nearly ten years ago, I’ve urged WP users everywhere to improve the security of their websites by setting up secure hosting and configuring WordPress to be accessible via HTTPS only, at least on the backend (wp-admin). While enabling Forced HTTPS mode for administrative sessions has long been easy to achieve by setting a constant in wp-config.php, switching an entire WordPress site (backend + frontend) over to HTTPS has been unnecessarily difficult, requiring a number of carefully executed steps.

But at long last, that is set to change, with WordPress 5.7. In a beta release announcement today, WordPress devs shared this very good news about a long-overdue enhancement that will make switching much simpler.

Migrating from HTTP to HTTPS is streamlined
Switching a WordPress site from HTTP to HTTPS has proven to be a pain for all involved. While on the surface, the Site Address and WordPress Address have to be updated, content with embedded HTTP URLs remains unchanged in the database. With this release, migrating a site to HTTPS is now a one-click interaction. URLs in the database are automatically replaced when the Site and WordPress Address are both using HTTPS. Also, Site Health now includes an HTTPS status check.

Upon upgrading to WordPress 5.7, those who still are running unsecured sites will finally have an easy and officially supported migration path to HTTPS. As the excerpt above noted, it has historically been necessary to swap out http:// prefixes for https:// ones in a whole bunch of places to get a WordPress site working over HTTPS with no “mixed content” warnings:

  • The site URL and blog URL in Settings > General;
  • The site’s theme and widgets;
  • The site’s database tables (for instance, image URLs in post content);
  • … and sometimes even abandoned plugins still in use.

It’s far too easy to bork a site while doing the above, especially if the operations are being performed without care and without restorable backups.
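To make concrete what the manual rewrite in the list above involves, and one classic way it goes wrong, here is an added example; it is not WordPress core or WP-CLI code. Plain cells such as post_content take a straight substitution, but many option and post-meta values are PHP-serialized arrays whose string entries carry a byte-length prefix (`s:18:"http://example.com";`). A naive search-and-replace leaves the old length in place, the value no longer unserializes, and the theme or plugin that depended on it breaks. The script below recomputes those lengths, then scans the result for leftover absolute `http://` references, which are what browsers flag as mixed content. The domain example.com and the sample rows are constructed for this illustration.

```python
"""Rewrite http:// site URLs to https:// in WordPress database values,
keeping PHP-serialized strings consistent, and check for mixed content.
Added example; not WordPress or WP-CLI code. example.com is constructed."""
import re

OLD_URL = b"http://example.com"    # constructed pre-migration Site Address
NEW_URL = b"https://example.com"   # constructed post-migration Site Address

# Header of a PHP serialized string: s:<byte length>:"
_STR_HEADER = re.compile(rb's:(\d+):"')


def looks_serialized(value: bytes) -> bool:
    """Cheap shape test in the spirit of WordPress's is_serialized():
    arrays/objects start with a:/O: and end with }, strings with s: and ;"""
    v = value.strip()
    return (v[:2] in (b"a:", b"O:") and v.endswith(b"}")) or \
           (v[:2] == b"s:" and v.endswith(b";"))


def rewrite_serialized(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new inside each serialized string and recompute the
    byte length so PHP can still unserialize the result."""
    out = bytearray()
    pos = 0
    while True:
        m = _STR_HEADER.search(blob, pos)
        if m is None:
            out += blob[pos:]
            return bytes(out)
        out += blob[pos:m.start()]
        length = int(m.group(1))
        start, end = m.end(), m.end() + length
        if blob[end:end + 2] != b'";':
            # The header did not introduce a well-formed string; copy it as-is.
            out += blob[m.start():m.end()]
            pos = m.end()
            continue
        content = blob[start:end].replace(old, new)
        out += b's:%d:"%s";' % (len(content), content)
        pos = end + 2


def rewrite_value(value: bytes, old: bytes = OLD_URL, new: bytes = NEW_URL) -> bytes:
    """Choose the safe rewrite for one database cell."""
    if looks_serialized(value):
        return rewrite_serialized(value, old, new)
    return value.replace(old, new)


def migrate_rows(rows):
    """Rewrite every (name, value) pair; return the new rows and a change count."""
    new_rows, changed = [], 0
    for name, value in rows:
        updated = rewrite_value(value)
        changed += updated != value
        new_rows.append((name, updated))
    return new_rows, changed


# Absolute http:// references in src/href are what an HTTPS page loads insecurely.
_HTTP_REF = re.compile(rb'(?:src|href)=["\'](http://[^"\']+)')


def find_mixed_content(html: bytes):
    """Return the http:// URLs that would still trigger mixed-content warnings."""
    return _HTTP_REF.findall(html)


# Constructed sample cells resembling wp_options / wp_posts rows.
SAMPLE_ROWS = [
    (b"siteurl", b"http://example.com"),
    (b"home", b"http://example.com"),
    (b"post_content",
     b'<p>Hi</p><img src="http://example.com/wp-content/uploads/a.png">'),
    (b"theme_mods", b'a:1:{s:4:"logo";s:43:"http://example.com/wp-content/uploads/l.png";}'),
    (b"blogname", b"My Site"),   # nothing to rewrite here
]

if __name__ == "__main__":
    rows, n = migrate_rows(SAMPLE_ROWS)
    print(f"{n} of {len(SAMPLE_ROWS)} cells rewritten")
    for name, value in rows:
        print(name.decode(), value.decode(), find_mixed_content(value))
```

Run it against a dumped table a row at a time and compare the change count with what you expected before writing anything back; a restorable backup, as the paragraph above says, is still the precondition.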

WordPress sites built within the last few years are much more likely to have been set up with HTTPS enabled from the get-go, but there are plenty of older sites out there that aren’t. The advent of Server Name Indication (SNI) and Let’s Encrypt has eliminated barriers to the adoption of secure hosting, and it’s now essentially considered to be unethical for a host to charge extra for secure hosting as part of a hosting plan.

Yet there are still many WP sites that aren’t set up to be reached only via HTTPS because they date back to an era when secure hosting was unavailable or costly or harder to deploy. The work being done to create a proper migration path within WordPress in Version 5.7 could really help these old sites jump on the encryption bandwagon.

This looks like it could be one of my favorite WP releases ever.

Ever wondered how HTTPS works? Check out this visual explainer

Hypertext Transfer Protocol Secure, or HTTPS, is one of the most important means of securing data as it moves from computer to computer across the Internet. While many people have heard of it, they don’t know how it works or how it protects their privacy and security.

That’s why the folks at dnsimple have created this nifty visual explainer, which uses the power of cartoons to unpack the concepts. Check it out and bookmark it if it helps improve your cybersecurity knowledge.

The best mousepad there is

I love Wirecutter, the site founded by Brian Lam that is now owned by The New York Times Company. It’s an indispensable resource for what to get, and what not to get, in every product category… from air purifiers and routers to credit cards and tax preparation services.

While Wirecutter has a recommendation for almost everything, they do not yet have an article on mouse pads. Fortunately, I’ve already found what I believe to be the best mousepad in the world: the Ergo-Mat by HandStands.

Head on view of the Ergo-Mat

I have been using an Ergo-Mat as my mousepad for over ten years, and I can say without reservation that there isn’t anything better out there.

This is it.

If you want the best experience with a mouse, then get yourself one of these. They don’t cost very much and they can last you an extremely long time. I forget exactly when I bought my first Ergo-Mat, but I remember where. I was walking down an aisle in Fry’s Electronics when I spotted the Ergo-Mat on a shelf, and I was immediately intrigued.

You see, the Ergo-Mat is unlike most other mousepads out there in that it doesn’t have what I’ll call a wrist bar. Nor is it thin and flat.

The HandStands Ergo-Mat: it is one large raised surface with a gentle slope (the slope is even more gentle than this promotional image suggests)

Rather, the whole pad is a raised, gently sloping surface that doesn’t slide around at all. It has a no-slip grip.

When I saw the Ergo-Mat, I said, I have to try that. It was an impulse buy. But it has been my primary mousepad ever since.

I long ago lost the packaging and there are no identifying marks on the Ergo-Mat to indicate who makes it.

But recently, I decided to see if I could find it again. And I was successful. The Ergo-Mat is still fortuitously available, at least as of the time I made my purchase. I was so delighted when my package came and I opened it up. My new Ergo-Mats are entirely identical to my old ones.

Now I have several – one for each computer workstation I’ve built. No matter which machine I’m sitting at, there’s now an Ergo-Mat there. Hurrah!

I’ve rested my right wrist on my first Ergo-Mat for thousands of hours over the past ten years. It is very comfortable. I also use a sculpted Logitech mouse — I recommend you get yourself one of those as well (there are many models available). If you spend any amount of time sitting in front of a computer, then you should also have an ergonomic keyboard, a high-end office chair, and a monitor that can slide up and down on a stand or is attached to a re-positionable arm.

Most product reviews I’ve read are based on a few days or weeks’ experience with the product. I’ve had this mousepad for a decade. While it might be overkill to call it rugged, it will last you a very long time if you take reasonable care of it. Give it a try… I think you’ll like it.

Ten essential utilities to consider if you have a Mac

Like many technologists, I don’t have a primary desktop operating system. That’s because on a regular basis, I switch between computers running Windows, Mac, and Ubuntu to complete different tasks and projects. Frequently switching back and forth between different operating systems isn’t as jarring as it might seem, in part because I have assembled a set of tools specific to each platform that helps me get my work done and keep my systems in tip-top shape. Today, I’m sharing a list of the utilities that I find most invaluable for administering and getting the most out of a Mac.

A little history: First released in 2001 as Mac OS X, macOS is the proprietary operating system that ships with all of Apple, Inc.’s desktop and notebook computers, including the Mac Pro, iMac, and MacBook Air/Pro series. It is a Unix-like OS with BSD (Berkeley Software Distribution) roots. After Windows, it is the second most widely used desktop OS platform, and it is popular with programmers and designers.

Now, on to the utilities!

CleanMyMac X

What it does: Makes it easier to find and delete old or large unneeded files, uninstall applications you don’t want anymore, purge app caches, and run maintenance and optimization scripts to fix issues with macOS. Developer MacPaw regularly ships updates to keep CleanMyMac current.

Cost: $34.95 for one Mac

Parallels Toolbox

What it does: This app is a real workhorse that does a lot of different useful things. Among them: making GIFs and screen captures (both stills and videos), keeping a clipboard history, setting alarms, showing the time in other places around the globe, and converting units of measurement.

Cost: $20/year (included with a subscription to Parallels)

Moom

What it does: Simplifies window management. “With Moom, you can easily move and zoom windows to half screen, quarter screen, or fill the screen; set custom sizes and locations, and save layouts of opened windows for one-click positioning.”

Cost: $10

TG Pro

What it does: Enables easy temperature monitoring, fan control, and diagnostics for all Macs. You can see how hot your computer is running and easily ascertain which graphics card it’s using (dedicated vs. integrated) if you happen to have a higher-end Mac laptop.

Cost: $20

Little Snitch

What it does: Gives your Mac a host-based firewall. It’s especially useful for monitoring outbound and inbound connections. You can pop open a map and see where your apps are sending and receiving data from.

Cost: $47 for a single user license (Little Snitch + Micro Snitch)

BlueHarvest

What it does: Gets rid of all of those stupid Desktop Services Store (.DS_Store) and AppleDouble resource fork (._*) files that otherwise end up littering flash drives and SD cards after removal from your MacBook.

Cost: $13.99 for access from the Mac App Store
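For readers who would rather script the sweep than install a utility, here is an added example of what a tool in BlueHarvest’s category does; it is not BlueHarvest’s code. It walks a volume, lists the .DS_Store and AppleDouble ._* sidecar files, and deletes them only when asked, so a dry run is the default. The “SD card” it operates on is a constructed temporary directory.

```python
"""Find and remove macOS housekeeping files from a removable volume.
Added example, not BlueHarvest's code; the sample volume is constructed."""
import os
import tempfile
from pathlib import Path

LITTER_NAMES = {".DS_Store"}   # Finder's per-folder view settings
APPLEDOUBLE_PREFIX = "._"      # sidecar carrying a file's resource fork / xattrs


def is_macos_litter(name: str) -> bool:
    """True for .DS_Store and ._<name> AppleDouble sidecars."""
    return name in LITTER_NAMES or name.startswith(APPLEDOUBLE_PREFIX)


def find_litter(root):
    """Return the housekeeping files under root, sorted for stable output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(Path(dirpath) / f for f in files if is_macos_litter(f))
    return sorted(hits, key=str)


def sweep(root, dry_run=True):
    """List the files find_litter() reports; delete them only if dry_run is False."""
    hits = find_litter(root)
    if not dry_run:
        for path in hits:
            path.unlink()
    return hits


def demo():
    """Build a constructed card image, sweep it, and report before/after."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "photos").mkdir()
        for rel in ["photos/IMG_0001.JPG", "photos/._IMG_0001.JPG",
                    "photos/.DS_Store", ".DS_Store", "notes.txt"]:
            (root / rel).write_bytes(b"x")           # constructed placeholder contents
        before = [p.relative_to(root).as_posix() for p in sweep(root, dry_run=True)]
        sweep(root, dry_run=False)
        remaining = sorted(p.relative_to(root).as_posix()
                           for p in root.rglob("*") if p.is_file())
    return before, remaining


if __name__ == "__main__":
    found, left = demo()
    print("would remove:", found)
    print("files left:  ", left)
```

Point `sweep()` at the mounted volume (for example `/Volumes/SDCARD`) with `dry_run=True` first and read the list before running it again with `dry_run=False`; the AppleDouble files are only redundant once the volume is leaving the Mac, since they hold metadata the originals cannot store on FAT or exFAT.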

Jettison

What it does: Helps eliminate annoying “drive not ejected properly” errors by automatically ejecting removable media before your Mac goes to sleep.

Cost: $4.95 for a single-user license

Vanilla

What it does: Allows you to painlessly eliminate clutter on your top menu bar by deciding what items/icons should be shown all the time, and which should be hidden behind a divider.

Cost: Basic version costs nothing; the Pro version costs $4.99

Turbo Boost Switcher

What it does: Allows you to control when your Mac’s processor enters its “Turbo Boost” mode. Turbo Boost enables a Mac’s Intel processor to run at a higher clock speed when macOS requests. This is great when you’re plugged in to AC power and not so great when you’re running off the battery. This app can automatically deactivate Turbo Boost when you’re on battery power, reducing heat and lowering power consumption.

Cost: Basic version costs nothing; the Pro version costs $9.95

NetNewsWire

What it does: A modern desktop feed reader that allows you to easily keep up with lots of websites that you care about without having to visit all of them. You simply install the application and then add feeds to it (most sites that run WordPress will have feeds available at a URL like https://example.com/feed/).

Cost: None — free!

Hang up to avoid becoming a victim of a phone scam

I’m occasionally asked how to avoid becoming a victim of the robocall-driven phone scams that seem to be so common and prevalent nowadays.

The answer is fairly straightforward: Hang up.

If someone calls you with an offer, do not give them any information, just terminate the call. If someone tells you your computer is infected with a virus and you need to install a particular tool to clean it, disregard their instructions and immediately end the conversation. If someone asks you to wire money somewhere for any reason, refuse and tap your phone’s End button.

Why is it always safe and prudent to hang up, even if you’re not sure? Because hanging up won’t hurt your relationship with a legitimate business or a government agency. You should only provide sensitive information over the phone when you originate the call. Caller ID can be spoofed and businesses you have a relationship with can be impersonated.

So you need to be careful.

To avoid falling for scams, don’t give someone who calls you any sensitive information at all, and don’t let them direct you to do anything, whether that’s wire money someplace or install software on your computer.

And, if time allows, report scams so that they can be investigated by the authorities.

This morning, a group of scammers who are engaged in harvesting credit card numbers called me. I answered the phone and knew within seconds it was a scam, but decided to play along for as long as I could in order to (a) learn more about the scam and (b) waste the scammers’ time.

This particular group of scammers was running a con that goes like this:

  • Place a robocall to lots of people that advertises being able to get lower interest rates on credit cards (the brands Visa and MasterCard, which are networks, not issuing banks, are specifically mentioned);
  • Screen people who respond to the robocall by pressing “1” to see if they are an appropriate target for the scam by asking a bunch of fake qualifying questions that pretty much everyone would answer “yes” to;
  • Transfer the call to a fake “supervisor” who will then attempt to extract credit card numbers from the victim.

These scammers use some of the same techniques psychics and magicians use. For instance, to establish their credibility and get you interested, they ask their would-be victims questions like: “You have three or more credit cards, correct? And you’re paying interest of more than ten percent on each card? And you’d like to pay less interest on those cards?”

(Most people would be able to answer yes to these questions.)

Among those Americans who have a credit card (29% don’t), the average is almost four cards. That means most Americans with a credit card have several of them, typically at least three. Hence the scammers’ question, “You have three or more credit cards, correct?”

The next question they asked was which banks the cards were issued from. I told the screener I had cards with Bank of America, Wells Fargo, and CapitalOne, all of which are major card issuers with millions of customers. To all of the other screening questions, I offered responses like: “Great!”, “Excellent!,” “Yeah, sure,” or “That’s right.”

I was also told that I am a good customer and that I have a long history of making payments on time.

After I got through screening and was passed off to a more senior member of the scamming crew, I was asked for card numbers, beginning with my nonexistent Bank of America card. I used a credit card number generator to give the scammer a fake number, to see what he would do, and discovered he was trying to validate (and maybe authorize) the numbers in real time.

When the scammer protested that the sixteen-digit number was invalid and not even a number beginning with a Bank of America prefix, I said, “Oops, sorry about that; try this,” and supplied a second fake number.

“Sorry, sir, that is not a valid Bank of America credit card number either,” the scammer said solemnly, a hint of contempt and resentment in his voice. “Darn,” I said. “That’s a shame.” He promptly hung up.

In this case, instead of hanging up on the scammers, I forced them to hang up on me, and I wasted several minutes of their time while learning more about their scam… a satisfying result.
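The checks that let the scammer reject the made-up numbers so quickly are the same ones any payment form runs before a card is ever tried: digits only, a plausible length, the Luhn check digit, and leading digits (the IIN) that correspond to a known network. The example below, added here and not part of the original post, implements those checks. Passing them says only that a number is well-formed, not that an account exists; mapping a prefix to a particular issuing bank needs a BIN table that is not included. The numbers in the tests are the networks’ published dummy numbers, and the rest is constructed.

```python
"""Structural checks a payment form applies to a card number.
Added example; network ranges are public, no issuer (BIN) table is included."""


def normalize(number: str) -> str:
    """Drop the spaces and hyphens people type; anything else stays so it
    fails the digits-only check."""
    return number.replace(" ", "").replace("-", "")


def luhn_valid(number: str) -> bool:
    """ISO/IEC 7812 check digit: from the right, double every second digit,
    subtract 9 from doubles above 9, and the total must be a multiple of 10."""
    n = normalize(number)
    if not n.isdigit() or len(n) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(n)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_network(number: str) -> str:
    """Identify the network from the leading digits and length."""
    n = normalize(number)
    if not n.isdigit():
        return "unknown"
    if n[0] == "4" and len(n) in (13, 16, 19):
        return "Visa"
    if len(n) == 16 and (51 <= int(n[:2]) <= 55 or 2221 <= int(n[:4]) <= 2720):
        return "MasterCard"
    if len(n) == 15 and n[:2] in ("34", "37"):
        return "American Express"
    return "unknown"


def screen_card_number(number: str) -> dict:
    """Combine the checks into the verdict and reasons a form would display."""
    reasons = []
    n = normalize(number)
    if not n.isdigit():
        reasons.append("contains non-digits")
    elif not luhn_valid(n):
        reasons.append("fails Luhn check digit")
    network = card_network(n)
    if network == "unknown":
        reasons.append("no recognised network prefix/length")
    return {"network": network, "well_formed": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # 4111 1111 1111 1111 is Visa's published test number; the other is constructed.
    for sample in ("4111 1111 1111 1111", "1234 5678 9012 3456"):
        print(sample, screen_card_number(sample))
```

The same routine is useful on the defensive side: a Luhn-validated 15- or 16-digit run is a far stronger signal than a bare regex when scanning logs or outbound data for card numbers that should not be there.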

If you only get robocalled once in a while, you may be able to deal effectively with the occasional scammer simply by hanging up the phone. Terminating a call is the simplest and easiest way to thwart phone scams.

If scam and spam calls are a frequent annoyance, however, you may want to go further so you can reclaim your time and sanity. There are many tools that can help shield you from unwanted calls of all kinds, scam calls included.

For example, there’s Jolly Roger Telephone Service, which can deploy bots to talk to telemarketers and their bots for you.

Or Nomorobo, which can protect VOIP lines and mobile lines. (Most VOIP providers, like Vonage and Ooma, include Nomorobo as part of their plans.)

Or Truecaller, which provides an app for mobiles that can be used to identify unknown numbers, record calls, and block numbers.

Scammers are wily people who have ways of evading defenses like number blocks, so don’t expect any of the aforementioned tools to totally eliminate unwanted calls. Your best defense of all against phone scammers is your own good judgment and critical thinking skills.

If more people had the equivalent of a Spidey-sense for detecting scams, scamming wouldn’t be as lucrative and profitable as it is. So pass on your scam fighting knowledge! It makes a difference.

A year with Gutenberg: WordPress’ new editor has proved its worth

One year ago, WordPress 5.0 landed, and with it, a new default editing experience, made possible by the Gutenberg project.

The Gutenberg project originated as a plugin backed by the core development team that aimed to offer a modern replacement post editor for the world’s most popular content management system.

Last year, Gutenberg was merged into core for the final WP release of 2018… a move that attracted significant opposition and criticism within the community of people that use and work with WordPress.

Anyone not wanting to switch to Gutenberg upon installing WordPress 5.0 was given the option of retaining the classic editor with a plugin appropriately named Classic Editor. And many people took advantage. The Classic Editor plugin has over five million installations, according to the statistics maintained by the WordPress.org plugin directory.

As a longtime WordPress beta tester, I had the opportunity to try out Gutenberg long before it was ever merged into core.

And while Gutenberg was certainly rather rough around the edges in its earliest incarnations, it has matured beautifully into a modern post editor that offers an empowering writing experience.

One year after its incorporation into core, my assessment of Gutenberg is overwhelmingly positive. It has proved its worth.

What makes Gutenberg superior to the Classic Editor?

Several things.

  • Gutenberg is clean. The editing interface is simple and elegant, encouraging distraction-free writing.
  • Gutenberg is logical. Content is organized into blocks, which can be paragraphs of text, images, videos, embeds, or anything else.
  • Gutenberg is fast. Really fast! It loads quickly and it publishes content faster than the classic editor. This could be my favorite attribute.
  • Gutenberg is always improving. The bugs and flaws that existed at the outset are gone, and the editor keeps getting better.

I especially love the pre-publish checks that Gutenberg runs. This functionality is not available with the Classic Editor except through a plugin.

I have used both Gutenberg and the Classic Editor on different sites since WordPress 5.0 was released. In each of the sites I’ve installed since last December, I’ve chosen to keep Gutenberg as the default editor, rather than installing the Classic Editor. And I haven’t regretted that choice.

Once you get used to Gutenberg, you start to appreciate what it can do for you. Gutenberg really is more intuitive than it might appear at first glance. If you’re used to the Classic Editor, then you probably have a sort of mental equivalent of muscle memory that may hinder your Gutenberg experience at first. But once you get past that and start mastering Gutenberg properly, you may well have different feelings about it.

In my view, the best way to get acclimated to Gutenberg is to set up a brand new WordPress website for fun or for testing purposes. Make a site that is dedicated to an activity or hobby that you enjoy.

For example: If you love cooking, then why not set up a WordPress site that hosts your favorite recipes and food preparation tips?

If you love knitting, why not create a blog or personal site about knitting?

If you enjoy reading, how about setting up a site where you can share your favorite books and news articles you’ve recently read?

What I’ve found is that getting to know Gutenberg on a brand new WordPress site is the best way to develop good feelings for it. A brand new post editor doesn’t feel out of place in a brand new website, you see.

There’s nothing wrong with continuing to use Classic Editor on your existing sites, especially if you use plugins that aren’t yet compatible with Gutenberg (although most major plugins in the WordPress ecosystem now get along just fine with Gutenberg). But if you have not tried Gutenberg at all, or have concluded it’s no good based on the many negative reviews that have been published about it, then you’re missing out.

My advice is to make up your own mind. Gutenberg has its legions of critics, that’s for sure, and many of the concerns they raised when the editor was in its intensive development phase were wholly justified.

But the Gutenberg of December 2019 is also much more polished than the Gutenberg of December 2018 or July 2018 or earlier. Don’t let the views of other people prevent you from trying Gutenberg for yourself and reaching your own conclusion based on your own experience.

I look forward to seeing Gutenberg reach higher heights in 2020.

This post was authored in Gutenberg, WordPress’ next-generation post editor, offering a smooth and pleasant writing experience. To take Gutenberg for a test drive yourself, simply install a new WordPress site and start drafting and publishing content. Once you’ve mastered it and decided it’s for you, you can deploy it on older WordPress sites by disabling the Classic Editor plugin.

Don’t give out your personal mobile telephone number by default

This week, the New York Times published a stellar piece by Brian Chen which spells out the problems that stem from giving out your mobile number when asked for a means of being contacted by phone:

For most of our lives, we have been conditioned to share a piece of personal information without a moment’s hesitation: our phone number. We punch in our digits at the grocery store to get a member discount or at the pharmacy to pick up medication. When we sign up to use apps and websites, they often ask for our phone number to verify our identity.

An increasing number of Americans don’t have landlines and have become accustomed to typing their mobile number into online forms or giving it out without a second thought to entities of all kinds. If you do that, though, you’re increasing your risk of becoming a victim of cybercrime.

In fact, your phone number may have now become an even stronger identifier than your full name. I recently found this out firsthand when I asked Fyde, a mobile security firm in Palo Alto, Calif., to use my digits to demonstrate the potential risks of sharing a phone number.

Emre Tezisci, a security researcher at Fyde with a background in telecommunications, took on the task with gusto. He and I had never met or talked. He quickly plugged my cellphone number into a public records directory. Soon, he had a full dossier on me — including my name and birth date, my address, the property taxes I pay and the names of members of my family.

The CEO of Fyde is quoted in the next paragraph explaining that phone numbers are actually more unique than names are.

Many people can be called “James Smith” or “Mary Jones”, for example, but only one of those people will have a phone number like 907-555-0100 (that’s a fake phone number, by the way). So if you give out your mobile number by default, then you’re creating a strong link between your mobile number and your name, which can be exploited by bad actors.

What should you do instead?

First: Get a VOIP (Voice Over Internet Protocol) telephone number and give that out as your primary phone number instead.

Even when you’re asked for a mobile number on forms, give out your VOIP number instead. Only provide your mobile number to family, friends, and institutions you trust. For example, you’ll probably want your bank or credit union to have your mobile number, along with your parents, siblings, spouse, children, and close friends.

Reputable VOIP providers include Ooma, Grasshopper, and RingCentral. Ooma is primarily marketed towards residential users, while Grasshopper and RingCentral are marketed towards business users.

Note that Ooma doesn’t support text messaging. If you want a VOIP number with SMS support, don’t pick Ooma.

There are also app-based VOIP providers, like Shuffle. These let you create auxiliary phone numbers (also referred to as secondary phone numbers).

All reputable VOIP services cost money, so there is a cost associated with setting up and maintaining a VOIP number. But it’s worth it. You’ll have a number you can give out that isn’t directly associated with the smartphone you’re carrying around and the SIM card inside it.

Second: Avoid using the Short Message Service (SMS) for two-factor authentication. Use an authenticator app instead (like Authy, available for both iOS and Android), or better yet, hardware-based authentication like a YubiKey if that’s supported. These methods are more secure than getting a code by text message and putting that in.

Many platforms that require a telephone number to set up multi-factor authentication will accept a VOIP number (Google is a good example of a provider that accepts VOIP numbers) so you can provide that instead of your mobile number when you’re going through the initial setup.

Change your Venmo privacy settings

Do you use Venmo? Your transactions are public by default. Here’s how to change that.

Venmo, the popular person-to-person money transfer service owned by PayPal, is back in the news again after a computer science student named Dan Salmon created a website profiling several of the millions of Venmo users who use the service to send and receive payments.

The reason Salmon was able to do this is because in Venmo, transaction histories are public by default. That’s right… public.

Unless you’ve specifically configured your privacy settings to hide transactions, your Venmo activity is an open book.

As Zack Whittaker of TechCrunch bluntly put it, using Venmo’s API (application programming interface), “anyone can look at an entire user’s public transaction history, who they shared money with, when, and in some cases for what reason — including illicit goods and substances.”

Now — yes, now — would be a very good time to check your Venmo privacy settings and make sure your transaction history is set to Private. Again, this is NOT the default setting in Venmo. It should be, but it isn’t. If you want to protect your privacy, then you need to take action!

If you have the Venmo app, you can use this visual guide created by Salmon to adjust your privacy settings.

You can also adjust your privacy settings through the Venmo website. Go here and select the Private option. Then click the button under Past Payments that says “Change All to Private”. This will make that same setting retroactive to your past transactions. Here’s a visual guide:

Change your Venmo privacy settings

Travel confidently with these on-the-go financial management tips

Heading abroad on a trip this summer? Reduce your anxiety and minimize the likelihood that you’ll become the victim of a crime by following these best practices for managing your money while you’re away from home.

Tip #1: Limit the amount of cash you carry, and get it from an ATM

It’s a good idea to have some cash on your person when you’re abroad… but it shouldn’t be a huge amount, since an increasing number of places in an increasing number of countries take plastic.

You don’t need to be walking around Rome or Madrid with more than a hundred euros in your wallet, for example, since you don’t need huge sums to patronize street vendors and farmer’s markets.

You also don’t need to worry about stocking up on foreign currency before you arrive at your destination; you can get it from an ATM after passing through customs. Look for an ATM run by a reputable financial institution so you can avoid paying unnecessary fees. (Bank-owned ATMs generally have the bank’s logo prominently displayed; that’s how you can tell the difference.) A bank-owned ATM, especially one inside a branch lobby, is also less likely to have been fitted with a card skimmer than a stand-alone machine on the street. You’ll be able to withdraw cash in the currency of the country you’re visiting.

Oh, and don’t bother with American Express “traveller’s cheques” … those are a thing of the past, as this traveler discovered. Hardly any establishments will accept them. Instead, bring multiple chipped credit and debit cards.

Tip #2: Keep your cash and your plastic in a money belt

Beware of pickpockets when traveling, especially while using public transit or when you’re visiting crowded tourist attractions. To protect your money and your identification, wear a money belt under your clothing so that your wallet can’t be lifted out of your pocket or purse by a skilled thief.

Tip #3: Use a credit card for purchases

Use your debit card to withdraw cash, but not to buy anything.

When you check into a hotel, rent a car, or make a purchase, always provide a credit card instead of a debit card. That way, you’re spending your bank or your credit union’s money instead of your own money.

If you experience the misfortune of your card number being fraudulently used, you won’t have to worry about a hold being placed on funds in your checking account, or worse, your money disappearing out of your account until you can get the fraudulent charges disputed. You also won’t have to worry about the many annoying restrictions rental car companies place on customers trying to pay with a debit card if you’re trying to get wheels.

Don’t have a credit card? Apply for one before you travel.

Tip #4: Tell your bank or credit union where you’re going

Most financial institutions will now let you set up travel alerts with a few mouse clicks or taps from a mobile device. You don’t even need to talk to anyone. Just log in and specify where you are going and for how long you’ll be there. By telling your bank or credit union about your travel plans, you greatly reduce the possibility that any transactions you attempt during your travels will be blocked due to suspected fraud. Do this for each bank or credit union that you have a relationship with.

Tip #5: Review your activity every night

Use your financial institution’s mobile app to review authorizations and charges that have posted to your account every night before going to bed. That way, you can quickly spot any fraudulent charges and keep track of your spending. Avoid signing into online banking from a shared computer at a cybercafe or hotel business center. If you’re connecting to the Internet through a public Wi-Fi hotspot, start a VPN session on your device before signing into your accounts.

Tip #6: Make photocopies of all of your cards before you travel

Before you depart on your trip, you should make copies of all of your cards… debit cards, credit cards, driver’s license, health insurance card, auto insurance card, and so on. You should also make a copy of your passport.

Leave one copy in your safe at home and give one to a trusted neighbor or family member who isn’t traveling with you. In the event your cards are stolen, you’ll then have an inventory of what needs to be replaced.

Bonus tip: Put your card data into your password manager too

You can also enter all of your card data into the secure vault of your password manager if you have one (and you should have one).