David Strom | The Verge

Why you might want a secure file-sharing service now that you’re working from home

2022-01-15T08:30:00-05:00

When we were all at the office, many of us were connected to the office network. We didn’t need to give sharing files much thought. But now that we’re scattered across the landscape, securely sharing important files can take careful planning. Here’s why you might want to use powerful file-sharing services to share sensitive files safely, so you can collaborate better no matter where you’re working.

Probably the easiest way to share a file is to just attach a document to an email, or to a Slack or other instant message. But either way invites trouble on several fronts. If you rely too much on your email or messaging system, your poorly archived files could become available to prying hackers with phishing lures. If you’re sharing traditional documents that way, you could also quickly find yourself playing the “who has the most current version” game. It’s hard to keep track of updates when multiple people are working on the same document, spreadsheet, or presentation.

Google Drive and OneDrive have their flaws, too

While built-in collaboration tools like Google Workspace or Microsoft OneDrive (or something equivalent based on your email identity) can solve the version control problem — and might be your only option if your company insists — they can become cumbersome the moment your team expands beyond your office domain. You might inadvertently share the document with people who shouldn’t see it, or lock someone out who needs access. The more convoluted you make your sharing situation, the greater the potential for a mistake where the world (or perhaps family members) gain access to your files. We’ve all seen the news stories where a database or collection of documents fell into the wrong hands because someone failed to apply the appropriate security. Some companies won’t risk it: With one of my clients, I had to get a new email address on their domain to share their Google Docs.

Besides Google Workspace and OneDrive, there are more than a dozen different providers of personal file-sharing services, including Dropbox, Box, and Apple’s iCloud. Many of these are free or nearly so for minimal use. But if you are contemplating these services, everyone in your sharing circle should use two-factor authentication (such as Authy) to access them, not just a username and password. Even so, they’re often second-rate when it comes to user experience (Dropbox’s collaboration features can be confusing, iCloud and Windows have a complicated relationship, and Box’s file preview feature doesn’t do such a great job). They’re adequate for single-use sharing or sharing files across your own devices, but they’re not my preferred solution.

Instead, you should consider an enterprise-grade cloud-based file-sharing service, one that adds more layers of protection by encrypting your data, and that has fine-tuned access control. Egnyte, SecureDocs, ShareFile, and SugarSync are just a few of the more popular services; here’s a chart with a rough comparison of how much they cost and what they offer to start:

Regardless of which one you pick, here’s what you should look for when researching a secure file-sharing service:

Automatic file sync for all users on all devices, including integration with Windows Explorer and MacOS’s Finder, so you can browse shared directories and keep local copies for quick access.
Support for Android, iOS, and web clients to browse shared directories and folders on the go as well.
End-to-end encryption. If someone manages to download your files without your login, they shouldn’t be able to do anything with them. ShareFile also has an Outlook plug-in that encrypts your files as an extra feature.
Additional login security. SecureDocs requires additional authentication by default for all of its logins, while the others I mention have it as an option. Setting this up is as simple as scanning a QR code into a smartphone app, as shown below:

Easy-to-disable public sharing options, or that they make it difficult to inadvertently choose to share publicly.
Customizable permissions and access rights to ensure that the right people are sharing the right file collections. Egnyte, for example, has numerous controls to add a password to your file, allow or disable downloads, and notifications, as you can see in the screenshot below:

Audit trails to figure out and fix when someone accidentally shares a file with the entire internet, or so you can quickly remove a shared file if it is no longer needed.

Many of these products have free trials (of the ones I mention above, all but SugarSync don’t require any payment details), and you can use those periods to evaluate them. Asking yourself these questions should also help you pick:

Do you routinely share very large files, such as videos or illustrated PowerPoint documents? Some services place limits on individual files; SugarSync, for instance, has a limit on web client upload size.
What other software tools work with the file-sharing service? Some (such as Egnyte) integrate with Salesforce, Google Workspace, and Slack, which makes sharing files easier to use as part of your normal workflows. Check the fine print if this is important to you.
Do you need a room? Some services offer a common shared “data room” that can be the cloud equivalent of a shared network file server. ShareFile and SecureDocs both offer unlimited space for their shared rooms. Others, such as Egnyte, cap the room at 1TB, which is still a lot of storage if you’re not a video producer.
What other specialized services do you need? Some services integrate with e-signature apps (ShareFile works with Citrix’s RightSignature), allow for custom workflows (like document approvals) and other tasks that can be real time-savers in a corporate environment.

Using any enterprise sharing service will take some adjustment, but I feel they are worth the effort to gain additional peace of mind, better security, and collaborative features.

How to recover when your Facebook account is hacked

2021-12-07T09:00:00-05:00

Hopefully, the day will never come when you find your Facebook account has been hacked or taken over. It is an awful feeling, and I feel for you, for the world of hurt that you will experience in time and perhaps money to return your account to your rightful control.

Let me take you through the recovery process. Afterward, I’ll provide some proactive security pointers you can follow to prevent this awful moment from happening, or at least reduce the chances that it will.

Three ways you can lose control of your Facebook account

There are actually three different possible scenarios.

Scenario 1. You let a family member or friend “borrow” your Facebook account on your computer or phone. They proceed to consume content, post messages as you, or befriend random people. This happened to a friend of mine, who had a grandchild staying at her home for a week. The girl left town and left a mess behind on my friend’s Facebook account. “She didn’t post anything to my account, but I had odd friend requests that I had to clean up. I decided to just quit using my account.” This is more of a nuisance than a hack, but still annoying.

Remedy: First, use Facebook’s security page to check and see where else your account is already logged in.

This list should also remind you of all of the devices that you have used Facebook on in the past. I took this screenshot after I found (and then removed) an older Windows laptop that I hadn’t used in years on the list. You’ll also see an entry for my iPhone that is located somewhere in Indiana. I haven’t visited that state in years, so sometimes the geo-location algorithms are a bit wonky. Even if your account isn’t hacked, it is helpful to routinely check this screen to make sure you haven’t enabled a login by mistake.

If you don’t recognize (or don’t use) any of the devices on this list, click on the three vertical dots on the right and force those machines to log out of your account. Next, change your password to something unique. Also, remember in the future to sign out of Facebook (and Messenger) before you loan your device to anyone.

Scenario 2. Someone uses your photo and name and sets up a new account. Then they proceed to try to recruit your FB friends to their account.

Remedy: There isn’t much you can do about it, other than tell people you are still you and to ignore the imposter. This should be a warning when you receive a friend request from someone you think you have already befriended, or someone you haven’t communicated with in years. A word to the wise: send them an email or text asking if the request is genuine.

Scenario 3. The doomsday scenario. Someone guesses your account password and proceeds to lock you out of your account. This situation is the most dire, and fixing this will depend on what else you have linked to your Facebook account and how determined you are to get it back.

This happened to Elizabeth, a book author. She ended up working with two different friends who were IT professionals and a lawyer over the course of four months. She had two complicating factors that made recovering her account difficult.

First, she used Facebook ads to promote her books, so she had connected her login to her credit cards. This resulted in the hacker charging her card with their own ads to try to lure other victims to compromise themselves.

The second complication was that she was using her pen name and a random birthday date for her account. During the recovery process, Facebook asks that you scan your ID to verify who you are. When she told me this, I became concerned for myself. For years I prided myself on using January 1 as my Facebook “birthday.” Now she was telling me that I was setting myself up for trouble if someone hacked my account.

She eventually got her password reset, but almost immediately the hacker reset and took over her account again. “I tried to get someone at Facebook to help me, but I couldn’t get anyone on the phone,” she told me. Before the pandemic, the company had a special phone hotline for industry insiders, “but this was discontinued,” she said. She had more success blocking the credit card charges by phoning her bank. “I was trying to be a step ahead of the hacker, and losing sleep. My whole life was put on hold as I tried to deal with the situation. I got no work done for months. I ended up changing my passwords on more than 30 different accounts.”

Possible remedies: if you find yourself in this last situation, you have three basic choices:

1. Now would be a good time to leave Facebook. The trouble is, you have someone who is pretending to be you, and could leverage your identity into criminal and uncomfortable situations. Not to mention that they could try to leverage bank accounts that are linked to your account or open up credit cards in your name. (More on that in a moment.)

2. Try to reinstate your account on your own, using Facebook’s own obscure and oftentimes contradictory steps. That is the way most people I know have tried. However, you will find out very quickly that there is no easy way to do this. You have to communicate with Facebook support through someone else’s account, which seems somewhat contradictory, so hopefully your spouse or friend is willing to lend a hand. (Don’t be tempted to set up a second account, because that could result in both of your accounts eventually being canceled.) Then you have to choose one of several options (finding an unauthorized post, an account that uses your own name and/or photos) and enter the rabbit hole to recover your account.

If you use Facebook as a means to log into other internet services, you will have to disconnect these links — otherwise a hacker can then compromise these other accounts. If, like Elizabeth, you have connected your credit card or other financial accounts, you will have to contact these institutions and get these charges rescinded. Start by trying to use Facebook from other devices you have previously used: perhaps the hacker hasn’t automatically logged you out.

3. Use a third-party recovery service, such as Hacked.com. This will cost you $249, but the company will be persistent and if they can’t help you, they will refund your fee. You also get a year’s digital protection plan included that normally sells separately for $99. If you have a complex situation like Elizabeth (connected finances, non-matching birthday), I recommend using this path.

But make sure you aren’t employing some random hacker who might be taking your money and doing nothing else. I spoke to Hacked.com founder Jonas Borchgrevink, who outlined the various sequences of steps that his staffers try in a recent Washington Post article. And he confirmed that if you are using a different name from what is shown on your ID, it is almost impossible to recover your account.

Proactive security measures

If you haven’t been hacked (yet) and are getting somewhat uncomfortable reading this, here are some steps to take to secure your Facebook account, or to at least reduce your pain points if it does happen. Start by doing at least one of them today, and make sure you take care of all of the items as soon as possible.

1. Set up additional login security on your Facebook account. Facebook offers you a set of confusing choices, but the one that I recommend is to use a two-factor authenticator app such as Google Authenticator. (You can start at this Facebook page.)

Two-factor authentication (also known as 2FA) uses an Android or iOS smartphone app as part of the login process. After you supply your username and password, Facebook asks you to type in a series of six numbers that are generated by the app. These numbers change every minute, so you need your phone nearby when you log in. If you want extra credit, take the time to enable this second factor method on your other accounts, including any banks and credit card companies that support this method (sadly, too few do).

Elizabeth was using a less secure method for her second factor: sending the six numbers as a text message to her phone. You can read more about why this isn’t my preference.

2. Check to see if you have any payment methods configured on Facebook. While preparing for this article, I was surprised to find my PayPal address linked to my Facebook account — and I thought I was being careful about my Facebook security. There are two places to check. First, there is the page that shows if you have set up any credit cards to make direct payments to individuals or causes, called Facebook Pay. Go to this other link to remove any ad payment methods. If you are running any ad campaigns on your business, you will have to stop them first.

3. Remove connected apps and websites. If you have signed on to third-party apps using your Facebook credentials, now is the time to review and remove them (you can find the appropriate page here). The same is true with removing any business integrations. You take a small hit in not being able to automatically log into these other services, but you also protect yourself if your account has been compromised.

If you have a Facebook business page, you should have at least two people who have admin rights to this page. (Go to Page Settings > Page Roles.) If your business account is hacked and you are the sole admin, it will be next to impossible to get it recovered. This contact should also have second factor authentication turned on.

4. Check your account’s email contacts (using this Facebook page). You should have at least a second contact email (or more) that Facebook can use to send you notifications in case your main email address becomes compromised. Of course, use different passwords with these different email accounts.

I know, this seems like a lot of work, and there are a lot of places in the Facebook settings pages that you will have to visit and pay attention to. And chances are, the links provided above might not work in the future, as Facebook likes to make changes to its settings.

If these activities to make yourself more secure haven’t gotten you frustrated, you might want to continue improving your security. I recommend either the Jumbo smartphone app for iOS and Android, or Avast One (available on Windows, Mac, iOS, and Android). Either can help walk you through the numerous steps to secure your Google, Twitter, and other accounts.

Parting words of wisdom

Think before you click. If you get a message from what looks like a social media company saying that your account has been compromised, don’t follow any links or call any phone numbers in the message. This could be a lure from a hacker. Instead, navigate to the site or use its own app directly.

Be aware of things that seem unusual. Keep an eye out for messages you didn’t send, posts you didn’t create, or purchases you didn’t make. These could be tells that someone has guessed your password or compromised your account. If you are lucky, it might be an errant teen using one of your computers.

As Elizabeth told me, “Being hacked is like getting a digital tattoo — everyone can see the after-effects of your poor choices.”