Protecting an Old Person's computer against hackers

[Freddyfruitba...]

So over the weekend my 87-yr-old mum was the subject of a concerted hacking attack simultaneously via landline/mobile and laptop, which very nearly succeeded in extracting several thou from her bank. Still trying to figure out exactly how it happened - started off with an Amazon Prime Refund phone call, but somehow the bastards progressed it to being able to install remote control software (Zoho Assist) on her laptop - she swears blindly she never clicked on anything but the evidence suggests otherwise.

This is the second time it's happened now - frankly she's not really safe to be left in charge of a PC any more but taking it away from her would be akin to taking away a driving licence so I'm really trying to avoid that if I can. It's a bloody nightmare though.

I'm looking at various options - stopping her accessing online banking on the laptop and doing it instead on her iPhone is a good start I think. What I'm also wondering is, can I nail down her Windows 10 account in such a way that she (or hackers) can't install or run software? Can that be done and would it help? When I was a wage slave all the work PCs were restricted like that - or can you only do that with Windows Professional or something?
____________________
KC100->CB100N->CB250RS--------->DL650AL2->R1200RS->R1250RS

[dynax]

I recently had one of them calls from amazon, i just hung up, you could run a VPN, or run Linux if most of the stuff she does is online no worries over viruses, and there are some flavours that are very similar in structure to windows so not much of an issue in crossing over
____________________
Mike.
Bikes: Xena, Bridget,Florence
https://www.youtube.com/channel/UCmihUc0xXxYbR4_0l-F1FzA/videos?view_as=subscriber

[xX-Alex-Xx]

Definitely educate on phone calls. Make it clear that when you phone a bank, they have to verify who you are. People phoning her have to prove who they are. If in doubt, look up the phone number is the company online and phone the direct.

Linux is an option for security, but it can be more maintenance and not everyone has experience to support it.

Get them to use a password manager if you can (Bitwarden is free open source and great) and make sure to enable MFA on every account they can. Authy is perfect as it has Add Ons for chrome etc, mobile devices, and will backup online so there’s little risk of losing your tokens.

The default user accounts on windows are administrator accounts, always have a separate account for admins, and give her a basic account so she can’t make system level changes.
____________________
DILLIGAF

[P.]

Give her a tablet instead. Little iPad.

[stinkwheel]

Linux and 2 factor authentication on the banking.

Should be able to take windows admin privelage off her so she logs in as a user. Password the admin account and don't allow her user account install permissions. Then you'd have to enter the admin password to install any software.
____________________
“Rule one: Always stick around for one more drink. That's when things happen. That's when you find out everything you want to know.”
I did the 2010 Round Britain Rally on my 350 Bullet. 89 landmarks, 3 months, 9,500 miles.

[The Shaggy D.A.]

[winz]

Same thing happened to my 93 year old gran.

Got a call saying from bank and very nearly scammed her. Really shook her up and cancelled her internet for a while. Shes back online now though.

I had to have a talk with her about it. So can only really echo what's been said above; by questioning anyone who calls saying they from the bank/insert service here. Don't give any personal details and hang up if you feel uncomfortable about anything they are asking. A iPad isn't a bad shout as that's pretty locked down.
____________________
Current Bikes: BMW K1200S
Previous: Honda CBR929RR, Honda CBR1100XX, Honda CB600F

[Easy-X]

Thankfully my mum's one of those quaint, old school racists so any time an Indian accent appears at the other end of the phone she's instantly suspicious.

Another vote for iPad. Easy to use and they don't mind having a keyboard added to make it a faux-laptop.

For Windows 10 the only practical thing you can do is change the main login from an admin account to a user account. Prompts for most serious stuff with "your admin must log in..." but not everything unfortunately. There are other things you can do but they're mostly too awkward outside of a domain-server type setup.
____________________
Husqvarna Vitpilen 401, Yamaha XSR700, Honda Rebel, Yamaha DT175, Suzuki SV650 (loan) Fazer 600, Keeway Superlight 125, 50cc turd scooter

[stinkwheel]

[ThunderGuts]

[wr6133]

I just had to do my yearly "IT Security Awareness Training". Apparently, "Smishing", is the fashionable thing now.

They send an SMS to a mobile that appears to be from something legit, victim follows the link (because most phones are online these days so you just touch the link), takes them to a legit looking page that is used to extract whatever information they are after.

This targets mobile devices so avoiding windows doesn't help. Apparently it's quite effective against those less technologically aware.

[panrider_uk]

With phones I always tell people to press and hold the link so the popup will show you where it will really go.

Likewise on a pc. Hover the mouse over a link before clicking it to reveal its destination.
____________________
Current bike: Honda ST1100

[Riejufixing]

The problem here, and I'm not trying to be rude, is not the computer, it's the user.

You ought ro report the attempt, especially as it got so far, to https://www.actionfraud.police.uk/ (yes, it's a pain, but).

Next, does she really need to use banking online at all? If the answer is "she can live without it", then live without it, on anything and everything, continue to use t'internet for other stuff.

Is there another product that would do (telephone/video banking, which allows notes to be displayed to the bank's operative, e.g. "Likely to be scammed")? Can the bank (some can) set a daily low transaction payment limit, which would reduce a potential loss? Can & will the bank set up another account with a smaller maximum balance, to be fed from a "secure" one that does not have online access, which would limit any damage?

[stinkwheel]

I like to think I'm pretty tech savvy but I wont use online banking because I think it's too vulnerable. It only becomes a mild pain in the arse when someone will ONLY take a BACS paymet because I then have to go into my branch to do it.

I do however still get logout-rolled off the forum by Ste on a fairly regular basis.
____________________
“Rule one: Always stick around for one more drink. That's when things happen. That's when you find out everything you want to know.”
I did the 2010 Round Britain Rally on my 350 Bullet. 89 landmarks, 3 months, 9,500 miles.

[xX-Alex-Xx]

[dynax]

My bank sends a one time passcode text each time i log into online banking, perhaps you could set that up going to your phone, then you have to authorise any logins, so if she logs in she will have ring you to get the code
____________________
Mike.
Bikes: Xena, Bridget,Florence
https://www.youtube.com/channel/UCmihUc0xXxYbR4_0l-F1FzA/videos?view_as=subscriber

[Freddyfruitba...]

Thanks a lot - some really helpful stuff here.

It's a really difficult situation to manage - it's a trade-off between my mum maintaining her independence and not getting ripped off.

She does have an iPad already and I'm definitely getting her off online banking on the laptop. As has been said, Apple stuff is much safer because at least the scammers can't use remote software on it. She still does have a need for the laptop for offline stuff, but I'm seriously considering just blocking its MAC address on her router, to prevent it accessing the internet at all.

At her age it's hard to implement too much change - eg moving to linux would be a total non-starter for her. And believe me, I've drummed into her (I thought) countless times who she should and shouldn't speak to on the phone, what she should and shouldn't click on etc, and I'm really banging my head against the wall with this.

Oh - the password manager suggestion... I thought I'd done really well a few years ago, when I managed to transfer her over from storing her passwords on a forest of post-it notes stuck on her monitor to KeePass. Well done me. Except what happened this weekend was that these arseholes ended up in control of her laptop and could see her desktop... I have to assume that she had the KeePass folder open so that all the user credentials stored in it were exposed. I've therefore had to go through the folder and change everything in sight. Suddenly, post-it notes not such a bad idea...

I've heard a bit more about what happened. (Tef alert) The whole thing went on for hours apparently. They told her that they'd refunded her the Amazon Prime fee, but oops, 'I've accidentally transferred an extra £5,000 and you now need to transfer it back please or I'm going to get fired'. At this point they had control of her laptop. Still can't work out how they managed that but presumably she must have clicked on something or visited a dodgy URL. So Mum logs into her bank account and can see that her account apparently contains £5k extra - because the bastards have edited her screen display to a figure just below her maximum overdraft facility. She duly tried to 'refund' it but the bank blocked it, thank God. At some point she ended up on the phone to the bank, at the same time the scammers are watching her on her webcam. The scammers are begging her not to dob them in to the bank because otherwise the 'employee' will 'lose their job' and their kids will starve. So the bank asks Mum 'do you know this person?' and Mum says 'yes'. To their credit, the bank then follows up with 'well, where do they live, then?' and of course Mum had no clue and the game was up. Bastards. Bastards.
____________________
KC100->CB100N->CB250RS--------->DL650AL2->R1200RS->R1250RS

[ThunderGuts]

It's good to hear the bank are working proactively in that situation.
____________________
TG.

[Easy-X]

Oh yes, there's a fella that does a YouTube channel where he deliberately strings along these scammers. He did a bit on the ol' account switcheroo.

https://www.youtube.com/channel/UCm22FAXZMw1BaWeFszZxUKw

A fun way to keep up with the latest scams
____________________
Husqvarna Vitpilen 401, Yamaha XSR700, Honda Rebel, Yamaha DT175, Suzuki SV650 (loan) Fazer 600, Keeway Superlight 125, 50cc turd scooter

[xX-Alex-Xx]

[Freddyfruitba...]

[panrider_uk]

I use Splashtop both for ad-hoc remote control of customers pcs and to control my own work pc.

That can remotely connect to tablets and phones inc IOS (view only for IOS).
____________________
Current bike: Honda ST1100

[xX-Alex-Xx]

[Freddyfruitba...]

[xX-Alex-Xx]

Would be worth getting her a modern tablet then. That’s a VERY old OS, and it’s always best to stay up to date with regards to patching etc.
____________________
DILLIGAF