Insecurity about Security
E104

There may be errors in spelling, grammar, and accuracy in this machine-generated transcript.

Alicia Katz Pollock: In this week's edition of the unofficial QuickBooks Accountants podcast, we have a what I consider a fun topic for some people consider a scary topic. We're going to talk about security and fraud as it relates to the QuickBooks universe. Um, I've got with me Dan DeLong of School of Bookkeeping and the QB Power Hour. [00:00:30] Hi, Dan.

Dan DeLong: Alicia. And we have a we have a new one.

Alicia Katz Pollock: Yeah, we have a special guest today. Um, we also have with us Jamie Pollock, who is my business partner and my husband, and, uh, he is here because, um, where I do all the QuickBooks training, he does all our Apple training, and one of his courses is a course about internet security. And generally he gives it to seniors to keep them safe on the internet. But a lot of the concepts, of course, have the deeper level [00:01:00] that are relevant to us as accountants. So welcome, Jamie.

Jamie Pollock: Well, I thank you very much. I'm very excited to be here.

Dan DeLong: And we're, we're I it was my suggestion that that that Jamie join us because when we're talking about this kind of stuff, we need someone smarter than both of us combined. And so here, here we have Jamie joining us today.

Jamie Pollock: I'm gonna have to push back on that because I married this one. Um, which.

Alicia Katz Pollock: Makes you brilliant.

Jamie Pollock: Well, that was a smart decision. [00:01:30] Uh, but when it comes to IQ point, IQ point. Uh, no, she's neurotically intelligent.

Dan DeLong: He's at least understanding the inner workings of of of some of this stuff is we need an outsider's perspective because we're we're not just talking about what you can do inside of QuickBooks. Right?

Jamie Pollock: Well, honestly, uh, to be invited in, uh, as a, as a resource for you guys, uh, I'm privileged, absolutely privileged to not often [00:02:00] as somebody working with Alicia and then says, Can Jamie join? It's just not it doesn't happen.

Alicia Katz Pollock: This is just the first.

Jamie Pollock: Oh, okay.

Alicia Katz Pollock: Okay.

Dan DeLong: Don't get.

Alicia Katz Pollock: Comfortable. All right. So for the listeners, the reason why this is important is that we, as accountants, are the gateway to security for our clients because we have our hands in our clients' sensitive data. And so there's a lot of potential for fraud. And we know that the fraudsters are getting really creative. And especially as the technology evolves, doors [00:02:30] open that weren't available before. And so we got to make sure that we are paying attention to all the different nuances. It's our responsibility to safeguard our clients' data. And so Dan and I wanted to address security and fraud as it relates to QuickBooks. So Dan, I'm going to hand it over to you.

Dan DeLong: Yeah. So we I've been seeing, um, on the the Facebook sphere, um, you know, various Facebook groups of, of, [00:03:00] uh, accountants and bookkeepers and ProAdvisors, uh, getting their login compromised. And so it started to raise a lot of questions and concerns of, well, just how secure is is this whole is this whole process, right? I mean, I worked when I worked at Intuit in like 2013, you know, QBOA, you know, the accountant portal came about because accountants and their clients [00:03:30] were just sharing their login, and it was just like they would get into their QuickBooks on their clients' QuickBooks Online with their client's login. And then we're, you know, as, as a company, you know, Intuit was like, ah, that can't be a best practice, right? Sharing personally identifiable information back and forth. So that whole thing started the the the process of individually accessing, you know, your QuickBooks [00:04:00] Online. But still, I mean, to this day, you know, people just don't have the greatest, uh, secure method for, for logging in, for logging into QuickBooks. And as an accountant and a ProAdvisor bookkeeper, as a, you know, if you have 10 to 1000 clients on your on your QuickBooks Online, you now have a one point of access that, you know, a bad actor that's out there [00:04:30] could access the company.

Dan DeLong: And now, with real money movement being possible inside of QuickBooks Online with bill pay the bill pay service, QuickBooks Payments and payroll, uh, that now gives, uh, those bad actors out there incentive to access your information so that they don't have to access all the individual companies that are there. Um, so it it boils down [00:05:00] to how secure is your is your process. And um, recently and we had talked about, you know, the Intuit account and um, you know, in a prior podcast and we'll put that in the, in the show notes of all the things that you can do to kind of batten down the hatch, uh, inside of inside of QuickBooks, uh, or the Intuit account in general. But we want to talk a little bit about passkeys, because that's relatively, [00:05:30] uh, a new process, uh, in, in the whole security. And that's why we wanted to have Jamie to come on to kind of talk about what a passkey is and how that actually helps secure accounts. So I'm going to toss it over to, uh, to Jamie. So what is passkey? What is what what is that? When when we we hear all these things about.

Jamie Pollock: Very good. So one of the things I want to make clear, because even Dan kind of asked a question earlier about [00:06:00] Apple versus Windows or different devices or on multiple devices, and passkeys are supposed to make passwords go away, like no more passwords because we just used passkeys. So a basic definition is a passkey is an encryption key. It's a physical like a token. It is something that you would go to the server, Intuit or Google or whoever, and say I'd like a passkey. It will generate this passkey and then download it onto your device. It's a physical thing that's on the device that the server generated. The server has [00:06:30] the other side of the passkey that it matches. And so any device when you log in you're going to pass this passkey to the server. It's going to know that it matches and say this is you. Now there's two things that make passkey work in a smooth way. Um, one of them is a password vault so that it can sync across multiple devices. And that's where the question Dan had comes. And we'll talk about that a little bit later, is what if I'm on a computer that's not mine? What if I don't have a password vault syncing [00:07:00] my passkey? I don't physically have that thumb drive with me. Right. The second thing that comes to be important for passkeys, besides the syncing concept of it, is biometrics. Um, and so passkeys are supposed to be unlocked by a Touch ID or Face ID. There's got to be some sort of biometric where the computer can read your body so that it knows that it's really you and passes that passkey. And that's one of the reasons why they're so secure [00:07:30] and can't be hacked, because nobody has my face or my finger.

Dan DeLong: Except you.

Jamie Pollock: Except me. I want to give one quick example so that something that we already do without thinking about it, that is the same concept. And that's SSL certificates on websites. We know that if a website doesn't have security, it's HTTP, and if it has an SSL certificate, a secure socket layer certificate, it's got HTTPS. What happens when we go to a website like Amazon, Google, anything [00:08:00] that has HTTPS. The minute the website loads down, it loads an encryption key down onto your computer, into your browser, and then you can put in your password or your credit card. And when you hit submit, that key encrypts it. And the only thing that can unencrypt it is the other end of that key on the server. So I hit submit. My credit card or password goes up to the server. That's where the unlock part of the key is. And then it can use my I know my credit card is encrypted and safe on its way from my computer to the server. [00:08:30] It's that same concept of of of getting it locked here and getting it unlocked there.

Alicia Katz Pollock: I remember, you know, 15 years ago SSL was a big deal. And like, you had to check to make sure the website had SSL and now it's just become so ubiquitous that we don't even think about it anymore. So if you've ever wondered what the HTTP is versus the HTTPS, that's what you're looking for is the S means that there's encryption on the website.

Jamie Pollock: Do you want to know how ubiquitous it is? Sure. For a very long time, once it became a thing, Apple [00:09:00] would put a little black lock up in your location bar in Safari to let you know that there is an SSL certificate, and more importantly, the domain name matches the domain name. You're looking at matches the name on the certificate. If you go to Amazon.com and it says Amazon.com, you've you've you've misspelled it. That's your own problem. Um, they took it away. There's no little black lock in the location bar signifying you're on a secure website anymore, because they just think it's normal and they don't necessarily need to call it out anymore.

Dan DeLong: So if you don't see that [00:09:30] HTTPS or if Chrome is giving you this, "this site is not secure," you just don't want to be entering any personally identifiable information like a password or, uh, any credit card information because it's essentially one key only, and that's the website that happens to be it. So as you were talking about that, I was thinking of WarGames. And, you know, the two, uh, you [00:10:00] know, the two people with the two different keys, you know, in order to launch the missiles, right, you have to have two people involved. And in this case, it's two different computers or systems that are talking to each other, turning the key at the same time.

Alicia Katz Pollock: I really like that analogy.

Jamie Pollock: And then one thing that I'm always going to do when when you're asking me these sorts of questions, is the implementation. How does the end user deal with this? Right. Because we can talk about the concept. But unless I say how to deal with it, I'm not really helping the people we're talking [00:10:30] to. So in a lot of the browsers now, they don't show you the HTTP colon slash slash anymore. It just says facebook.com or Amazon.com. If you simply click up in there, it'll show you the entire URL and not just the short domain name of the URL. And once you have that whole thing in there, then you can see is it HTTP or is it HTTPS.

Dan DeLong: Mhm. So the um I think the biggest concern right okay. So you enable Passkeys, you [00:11:00] have strong passwords. You do all this stuff to secure your password. What is really concerning is that people are still getting hacked. They're still getting um their, their login compromised. So even with the MFA codes or, you know, they're essentially not necessary with a passkey because it's even more, uh, more secure as long as somebody can reset the [00:11:30] password. That's the that's the vulnerability here when it comes to your Intuit login. So I want to talk a little bit about maybe some of the horror stories or, you know, things that we've seen about.

Alicia Katz Pollock: Yeah, we're all fighting. Like, I want to go first. Um, I actually had somebody reach out to me through Facebook, through my training for QuickBooks users Group, asking for help because he was locked out of his QuickBooks [00:12:00] account and he couldn't log in. And I'm like, well, just go reset his password, reset your password. And he's like, well, I can't because da da da da da. So I started helping him and then I realized that something was a little fishy. So I took the email address and I emailed him and I emailed and I said, I think somebody's trying to hack into your account. And he emailed back and said, no, it's me. It's really me. But then I realized that that was actually the hacker inside the email account. So that is the way in. And [00:12:30] if somebody gets your email password, then when you go through the whole email reset process, you they have the keys to the kingdom and they can just answer all the two factor.

Jamie Pollock: Authentication is one of the things they do, especially in Comcast hacking, which is happening quite a lot, is they'll hack into a Comcast account and then they'll immediately make a new free account on Outlook.com or gmail.com. That's the same beginning with at something different at the end. So when they email through Comcast, they make the reply to the other domain name. And most [00:13:00] people don't notice and they answer the message, hit reply, type in whatever. This is quite often the I need you to buy me a gift card trick, right? And so they get a Comcast email. I need a gift card. They reply that goes to outlook not Comcast. And next thing you know they're in the hands of the hacker. And they just didn't happen to notice the domain name changed on the email address.

Alicia Katz Pollock: The reply. So it's the reply to.

Jamie Pollock: It's well there's two things they do. One is they they put a reply to so that it redirects it out of Comcast. But they also when they're in the Comcast account they create [00:13:30] a forward. So all the messages that hit the inbox in Comcast also forward over to this new domain Uh, email that again has the same first part to confuse you and a different domain that you may not notice.

Dan DeLong: So how hard, Jamie, is that for a a bad actor to hijack phone numbers for, for MFA codes or, or email addresses? Is, is there better, uh, domains that are I mean, are there better web [00:14:00] web email?

Jamie Pollock: I love it, I love it. Um, there are definitely some that are more secure and some that are less secure. Um, I don't want to dunk on any specific companies. Microsoft. Um, but, um, Apple and Google have always been known to be extremely secure because of what they do and how they do it.

Alicia Katz Pollock: Meaning Gmail, Gmail, Gmail.

Jamie Pollock: Google, Gmail, um, Apple at iCloud.com, at me.com, at mac.com. The ones that I've seen hacked over time. I mean, Comcast [00:14:30] is just the worst. I mean, they just it's it's a third thought to them. Their email's emails, not why they make any money. It's a free service that they wish they didn't have to do.

Alicia Katz Pollock: And that's Xfinity.

Jamie Pollock: That's Xfinity and Comcast are the same thing. Um, the other ones that we find that have been in trouble over time are AOL, Yahoo. And unfortunately I'm going to say Hotmail, um, because Microsoft does have layer after layer because Hotmail used to be MSN.com, it used to be Hotmail.com, and now it's Outlook.com, and at one time it was Live.com. [00:15:00] These are all aliases for the same thing. And at this point in their evolution, Outlook.com is where you go, no matter what the domain name is, in your email address. So they do have one portal, Outlook.com. Um, now that they've condensed that, it is a little bit more secure, but we still occasionally see it used. One other thing that I wanted to mention about what Dan had just said about passkeys. I want to kind of make sure we finish the passkeys before we talk about the horror [00:15:30] stories, which I'm really excited to talk about, the horror stories. Passkeys are meant to replace passwords. Ultimately, the technology is a way for passwords to disappear from our world. But the truth is, is that every company, every app, every website gets to implement its own way, like HTTP. I mean HTML or website coding or what platform are you on and what browser are you in? It all comes into play. So if we have a thousand companies with five different browsers and, [00:16:00] you know, a million apps, everybody's implementing it differently. So what the trick is, is that not everybody has, oh, I don't know, a password vault. And not everybody has biometrics on every device they own. And if you don't, then passkeys aren't easy. So most of the companies are keeping their username and password function in place and allowing passkeys to go in parallel with them. In concept, when they introduce passkeys, it should just the password goes away. And now you only use passkeys. [00:16:30] But it's going to be an evolution. It's going to be gradual. And then eventually we're going to see certain companies flip the switch and say, we're not accepting passwords anymore.

Alicia Katz Pollock: Well, so that's going to be still, you know, five or maybe ten years away because every single user has to have a biometric secure device, whether it's an iPhone or their phone or their computers. Until so until everybody has the ability to to put your fingerprint on your computer [00:17:00] for that biometric login, we are still some time away.

Jamie Pollock: I mean, how long did it take before Adobe, um, went away? The Flash Player, that's the way they delivered malware for years. And it wasn't until HTML5 came around that that function was built into HTML, and we didn't need the Flash Player as an extension, and the extension was vulnerable, right? So every time we had to update the extension, we were vulnerable to malware again.

Alicia Katz Pollock: Right. And you know, but and it did take some time. [00:17:30] So, you know, every because everybody's, you know, has to extend the life of your phone and your computer. And so since computers live in double dog years, like one year in your computer's life is about 14 years in, in, in actuality. So by the time your computer hits five years, it's 70 years old. And by the time your computer hits seven years, it's 94 years old. And so your computer can still like, you know, get around, but it's going to be a little slower and it doesn't do all the [00:18:00] modern stuff. And so.

Jamie Pollock: We say it still works, but it would really like to retire 50 or 70 like.

Dan DeLong: Wow.

Alicia Katz Pollock: So yeah, we've got at least that life cycle until we're completely over to Passkeys.

Dan DeLong: Yeah. So I mean, as far as the, the challenges that are that are still out there, right? So the the passkey or the, the way to sign in can only be as secure as the recovery process [00:18:30] of which to reset said passkey. And I think that is where Intuit's login is. Still it's still vulnerable, right?

Jamie Pollock: And I bring up one thing that Intuit's doing that I saw AOL do just yesterday when I was trying to recover an AOL account for a client. Sure. But Intuit does this too. If you don't have your passkey and then you try your password and you don't have it right, they will offer a third option now, which is two factor verification, which is if they [00:19:00] have your phone number and email on file, they will text your phone number with a code, a 6 or 8 digit code. And if you type that in, you don't need to put your password in. They think they feel that that is enough. But what Dan has already said is if somebody has your phone number and or access to like your line two or your Google Talk, or there's all sorts of voice over IP options where phone numbers go to computers. Um, then they could easily get back into that account, leveraging two factor verification. [00:19:30]

Dan DeLong: Yeah. And now the real horror is when you go through the other way. Right. When you log into Intuit and you, you know, if you don't have access to the phone number, if you don't have access to the to the email, then there's a third option that says how to recover your account if you don't have access to either of those two things. And it it involves, you know, submitting a, [00:20:00] um, a photo ID, right. Which as long as these bad actors have access to what your email is, which typically that's what people do, is set up their Intuit login based off of what their email. And it only takes a matter of going to your website to find out what your email is. And then and then that now allows them to be, you know, a gateway to start to recover said [00:20:30] password by updating the email and the phone number, because you're allowed to do that. So if it's if it's easy enough for them to have access to your, uh, to your phone number to get the codes or the email in order to get the codes as well. It doesn't take a whole lot of, uh, it's not that far of a stretch to say that these bad actors can forge your documents in order to do that. Right?

Jamie Pollock: So we call we call [00:21:00] it the Facebook void because Facebook, if you if you get hacked on Facebook and you want to recover, they're like, send us a picture of your photo ID and then you do that and then you don't hear back from them and you're like, wait a minute, did I just give that to somebody? Like, what just happened to me? Um, or the or the Google loop? Trying to recover a Google account.

Alicia Katz Pollock: Don't scare us because that's not the Intuit way. Okay.

Jamie Pollock: What I think I'm trying to say is Intuit's actually a little ahead of the game, honestly, for some of the shenanigans happening out there. I've been impressed with [00:21:30] Intuit's implementation.

Dan DeLong: The, the the challenge, though, is that if if the the only thing that someone that a bad actor needs is your email address. That's one of the things that is a best practice, right? So don't use your email address as your login name. Uh, changing your email address or changing your login name to something other than your, your, uh, your email address would add that extra layer of stoppage, uh, [00:22:00] for, for someone to be able to, to access that which is a, which is a good thing. You're pointing your finger like you want to say, add something there.

Alicia Katz Pollock: Yeah, I kind of have a little question about that. So like, you know, my Intuit accounts are so old that I actually have like I'm not going to say what it is, but my I have words as my. I almost said it out loud. I have words as my username which predated needing to use your email address [00:22:30] as your as your username. And so I did read though that in the in the suggestions that people were saying of changing your email address back to a username that's not an email address. The people who did that still came back and said, yeah, but I can still log in with my email address.

Dan DeLong: So there's a way to yeah, there's a way to get to the login by just using the email address. Um, but what I'm referring to here is just [00:23:00] the, the, the recovery or the updating of the login based off of the email address. Um, which, you know, that's another best practice too, and maybe Jamie can, can, uh, fill in here. Is that a lot of the web web mail, especially Google or Gmail. They allow you to create an auto forwarding of your of your email by adding a plus something right where you [00:23:30] could say you know if your if your email address is my username at my domain name.com, you can just say my username plus QuickBooks Live at email domain name.com. So to Intuit, that is a unique email address that has nothing to do with your original email address, but any kind of communication automatically gets forwarded to the main email address. So Jamie, talk [00:24:00] a little bit about so what you're talking.

Jamie Pollock: What you're talking about is referred to either alias aliasing. There's a lot of aliasing or masking is kind of the new term that they use. Some of even like the data scrub like the services that'll that'll scrub your data off the internet. Uh, offer, uh, phone number masking and email masking so that you can hand out this fake one. That's not your real one, but everything forwards to it. Um, I'm an Apple guy. I do do a little bit of Windows, but I'm [00:24:30] mostly Apple and Apple's new operating system, and Apple Mail does offer Hide My Email as a little checkbox. Um, and anytime you're even signing up for something, it asks, do you want me to randomly generate an email address that this website will think is you that will always forward back to your email address for you? Right. But just like everything else, we need a password vault. Or we need some way of. Lord, I'm tired of people putting [00:25:00] them in their contacts. I'll tell you how many old people I have that put their passwords in their contacts. Come on now, people. Right. Um, so a password management tool, like 1Password or Dashlane or. I mean, there's 100 of them. Apple now has the Passwords app. And in the Apple world, we call it the keychain. So so encrypted data stored in the keychain and the Passwords app lets us look at it. And that is where our passkeys are stored. Our passwords are stored, but it is that username combo. It's using a temporary [00:25:30] or a fake, right. Something that is a throw away. Um, and they do randomly generate it on the spot, but you never want to have to. Like I'm on a friend's computer. I need to type that in. Right. Like those, those, those computer generated passwords that are AB12-5712-. I don't ever want to type it in on my phone. It just is inconvenient.

Dan DeLong: Right? The, um, and then the, the the other thing, um, I think we had talked a little bit about it before, Alicia, [00:26:00] is that if you happen to be compromised and you're essentially locked out of of your QuickBooks login, which then locks you out of your entire client list and you can't do work while that while that is happening. Another best practice is creating a back door login into your firm right where it is, another login, another email address, or another way for [00:26:30] them to. Another way for the individual to to actually sign in and still work in their clients. Right. You want to talk a little bit about that?

Alicia Katz Pollock: Yeah. We had introduced the concept. Um, I think the episode was, uh, episode 83 on March 27th. If you want to go back to look at it and listen to it. But basically what you're doing to solve for that is you add yourself as a team member in your qbo using a different email [00:27:00] address that's maybe unrelated to the company. Or maybe you spin up a Gmail address that's completely only for this purpose, and you add yourself as a team member and you assign yourself to full access to your Qbo eBooks and full access to all the clients currently on your client list. And then if worst case scenario happens and you get locked out through your main username and password, then you can log in as this side team member and still get all your work done [00:27:30] and still access all your files.

Dan DeLong: Yeah.

Jamie Pollock: Would that be would that be the same as like I can get into QuickBooks just like you can get QuickBooks. So if you get locked out, you just say, Jamie, help me.

Alicia Katz Pollock: Yeah. It's making a username and password specifically for this purpose.

Jamie Pollock: Right. But specifically, if you don't already have a team. Right. If you have a team, you can go to a team member.

Alicia Katz Pollock: You could you could get.

Jamie Pollock: Into an easier solution.

Alicia Katz Pollock: Typically when we have team members, we don't give all the team members free rein to the company.

Jamie Pollock: They don't have superuser, right? You need a superuser at that point.

Alicia Katz Pollock: Superuser. [00:28:00] That's that's a great word for what we're talking about. Yeah.

Dan DeLong: Right.

Dan DeLong: So that's that's one best practice is, is giving yourself a way to get into your Intuit services as another way. So maybe it's just a secondary login for your for yourself or something like that. So that's uh, so changing your, your, your, your login to not just making it harder for, you know, kind of keeping people honest that, that aren't that, [00:28:30] that are, that are bad actors out there. Right. So if somebody wants to get in there to your lock and they will find a way and then so the the second login or, you know, you know, secondary way to get into your QuickBooks is another best practice. But um, the, the final thing where it is, you know, the the way to recover your, your, your login. And this is where I think [00:29:00] Intuit is not as secure as it, as it could be, is that, you know, like when you go to a bank, uh, and, uh, recover your your login. Forgot your password. And you need to recover that. They ask for something else that is not part of your login, uh, to be able to do that, right. So if you go to your bank, it's your account number or your debit card number or something that you should essentially have [00:29:30] on your person. Right. So you need that.

Jamie Pollock: For digital security or.

Dan DeLong: Something like that. Right.

Dan DeLong: It will I mean, there's ultimately additional ways to, uh, you know, to find and, and data mine that information. But, uh, but in, in that case, uh, it is it is much harder for someone to be able to pretend that they're you, because in Intuit's case, it's all they're asking for [00:30:00] is the phone number and the email address in order for them to upload the the ID in order to do that. So that is I think one of the things if anyone from Intuit is listening, that is something I think they should be able to, um, implement. Um, so that it's much harder for, for these bad actors to be able to, you know, forge their way into that, that login. Because as of this point, it [00:30:30] is not if, you know, if they if they don't have access to to the phone number and they don't have access to the email, all they need is the email and a way to forge the, you know, the the identification. Now, I don't know what process they go through to, you know, validate that identification to that person, but I imagine it is available right for that, for that actor to be able to pretend [00:31:00] that they are that other person.

Alicia Katz Pollock: I mean, even security questions like, what's the name of your first pet? What are the.

Jamie Pollock: I told the story.

Alicia Katz Pollock: What was your first concert?

Jamie Pollock: I told the story earlier that when the iCloud photos leaked of, uh, celebrity nudes. Uh, the the chick from Big Bang Theory, um, she got she got taken. Uh, it's that you can search online for Taylor Swift's dog's name or or, uh, Kaley's first car. Right? Uh, you you [00:31:30] you crack enough information about security questions, and you might just get it. And those Facebook surveys. Right. What was your first concert? Don't ever, ever, ever go on Facebook and say my first concert was almost it almost said it out loud. I've never used it. I'll tell you. It was Men at Work. I'm not scared. I'm not scared. And their reunion.

Dan DeLong: Down Under, did you?

Alicia Katz Pollock: Well, you know, I've really appreciated that Intuit is at least [00:32:00] starting to offer, you know, Everybody require your your two factor authentication? I know it's annoying to have to go check your email or go check your phone to go get the codes, but you need that level of security. And I'm glad that they're doing authenticator apps and I'm glad that they're doing, uh, the, the biometrics, um, with my my fingerprint. I love being able to use my fingerprint. So really do take advantage of these and especially a password manager. And, [00:32:30] you know, operationally, password managers are huge in actually streamlining your communications with your team. One of the things that I really like about I use 1Password, and the reason why we went with 1Password is because it allows us to keep separate vaults. And so every employee has their own personal private vault. But then we have group vaults that are only in by permission. And so we have the administrative passwords that we need Jeff, to get into. And we have the the team vault [00:33:00] that has, you know, the Adobe and like the things that all the tools that everybody needs to log into. And then I have a bookkeeping vault, which is just my any of my client information that I need that only me and my bookkeeper, um, have access to. And like, Jamie can't get. I don't want it to those. Right.

Jamie Pollock: I don't want it.

Alicia Katz Pollock: And so that's the beauty of 1Password is I can also sit down. I can access it from my phone, or I can sit down at any of my computers and have instant access [00:33:30] to the things that I need. But nobody else can get in because it's either under my personal password or literally my fingerprint.

Jamie Pollock: I make a comment about two factor verification real.

Alicia Katz Pollock: Quick.

Jamie Pollock: And again, I'm always about the implementation. And how does the end user deal with this. One of the best parts about two factor verification, especially with logging with your Apple ID every once in a while a device will be like, I just need you to re-authenticate just for no reason. I just need you to prove you're you right? Or maybe you installed something, or you got a new something, or you wiped something, or who knows what. And then all of a sudden you get a pop up on all your devices. [00:34:00] Somebody just logged in as you. Right. Somebody is in Gresham logging in as you. Um, it's quite often the wrong location. The GPS isn't really good. Uh, but the nice thing about that is if somebody does have your password and username and they are trying to log in somewhere, you might get a two factor verification pop up and you're not the one trying to log in. That's when we start thinking, oh, wait a minute, I'm not trying to log in anywhere. Why did I get this notification? And then, you know, you're getting hacked and you can go straight to that account and change the password. [00:34:30] And the number one solution that you always have to do first is go change your password. Right. And don't use anything that's that you've used before. Make it different you know. But but changing your password and lock everybody out of all the devices. Facebook gives you that option. Do you want to leave everything logged in, or do you want me to, like, push everybody out of your account and make sure that you choose that when you're changing the password? If that's if you're doing it because you think you've been compromised.

Dan DeLong: Yeah. Yeah, yeah. [00:35:00] I was getting a code at, like, random times of the day, uh, for for my bank. And so I'm like, I know it's not me. Like I was asleep. Um, and I called them, and they're like, well, we don't know where that's coming from. It's like, what? Wait a minute. Now you're the bank and you don't know where that's coming from. And they're like, of course you should. You should reset your password. But as it turns out, I think it was um, it was some, it was some integration [00:35:30] like that was logging into, into the bank's website at the wee hours of the morning.

Jamie Pollock: Oh, you're on your own integration, your own little utility.

Dan DeLong: I locked myself out.

Jamie Pollock: Good times. Times ten.

Dan DeLong: Resetting the password.

Alicia Katz Pollock: Well, I want to actually give a shout out to Intuit. Um, one of my clients, just this week, um, was on the phone with Intuit because Intuit called them, because [00:36:00] there were multiple attempts at changing her login information. Somebody from Georgia and then from Florida and Intuit noticed and called her and said, hey, we think somebody's hacking in. And then they actually discovered a fake $900 invoice and a $24,000 invoice in her system. Now, that's a stupid hacker. If the hacker is going to try and give her money and not run an expense. But Intuit actually [00:36:30] saw the fraud happening and called her.

Jamie Pollock: Can you say the hacker used the software wrong. She's like the best trainer troubleshooter on the planet, which she's going to, like, dunk on the hacker for not using her balance sheet. Right?

Alicia Katz Pollock: So I assume it's one of those phone card kind of things where they give you the money and you think like, oh, wow, I have all this money, and then you spend it and then they pull it back, and now all of a sudden you're, you're.

Jamie Pollock: And also I want to mention.

Alicia Katz Pollock: The bank account.

Jamie Pollock: The log in from Georgia, and then they're in Michigan and there, that's just a VPN. Anybody can [00:37:00] be anywhere and use a virtual private network to make it look like they're someplace else. And hackers will take a VPN and try to access it from multiple servers and or physical locations that they're not in. So just know that that also can be easily bogus.

Dan DeLong: Yeah. Yeah. And, uh, and it's it's getting to the point where it's, it's the real people who are having difficulty proving who they are. Uh, when it gets to the point of, uh, you know, bad actors acting [00:37:30] on their behalf, um, it's real easy. You know, once, once your login or something is compromised about about the sign in experience trying to prove the real the the real people, trying to prove who they really are. Gets even more and more complicated because they haven't gone through, you know, the these these these processes, these security processes to make sure that they have that in place. And [00:38:00] that's that's really what we want. The the main thing that we want to press across today is that, you know, do your, do your own due diligence to have a password vault, have set up the pass keys, set up the the two factor authentication so that it just makes it allow you to be able to prove who you are. If that if it gets to that point, but also makes it harder for someone to, you know, to get into, uh, these, these types [00:38:30] of things. And because there is so, you know, and that's, that's really the, the concern, I think for, for, for accountants and bookkeepers is that they are the tip of the iceberg when it comes to accessing all of their, all of their clients information. And once they're once once that, you know, with QuickBooks online, you're You were only as secure as your login. And so that's why it needs to be top of mind when [00:39:00] when it comes to protecting you and your clients from from bad actors that are out there.

Jamie Pollock: I want to share something you should say to clients and or people that do support or training like we do quite often. You'll say, yeah, you should turn on two factor verification and they go, oh, I hate that. It's such a hassle. And I go, yeah, Uh-Uh, you don't understand why it's a hassle, but that we want the hassle. That's the good part. So, you know, when you're encouraging people or training them, why [00:39:30] to do such a thing. It's a little bit of a hassle for you. But man, getting hacked and having $24,000 move around that you didn't see moving around, it's a little bit more of a hassle.

Dan DeLong: Yeah. Yeah. They don't don't see those.

Alicia Katz Pollock: So now in in addition to the conversation about our accounts and our email addresses. There's I have a few other little points about other vulnerabilities, just kind of in the in the QuickBooks ecosystem. Would [00:40:00] this be a good time to introduce those?

Dan DeLong: Absolutely.

Alicia Katz Pollock: So the first one is um, you see people, you get an email that says, you know, like, oh, you owe money on your account or it looks absolutely like Intuit, but it's not Jamie. How do you know that?

Jamie Pollock: It's not oh my God, so good. So, um, one of my biggest tips and my Don't Get Scammed class. That's the name of my class, Don't Get Scammed: Jamie's Internet Guide to Security. Uh, and, uh, the number one rule that I give to people. [00:40:30] I'm going to give this away for free. Come to the class if you want the details. I got 25 examples of real life scams happening in the world today. If you want to see my PowerPoint. Number one is to know your source, know who you're dealing with, and the easiest way it's literally going to save you 95% of the time is to go to the top of the email, click on the name because they can fake the name, but when it drops down and gives you the email address, they can't fake that. The At domain is the At domain. So if they say they are Intuit and you drop it down and it's at gmail, [00:41:00] that doesn't match. It's so easy to catch them when they're using Hotmail or Gmail or Yahoo to try to act like they're Comcast or act like they're Intuit. Now, unfortunately, there's an exception to this rule that I like to bring up is that there's I've got four examples when the domain name might match and it's still a scam. Anybody can go to PayPal and create a PayPal account and send out invoices. And they will come from PayPal, right? Anybody can go to Comcast and get a free Comcast email and send [00:41:30] out emails that look like they're coming from Xfinity, because at the end it says at comcast.net. And unfortunately, Intuit is one of the other ones on my list because anybody can get a QuickBooks online account, create invoices and ship them out and it will say at Intuit. It so that it looks legitimate. And they may not be a legitimate business and it may not be a legitimate invoice. Right.

Alicia Katz Pollock: Um, and so the other place is if you look at the links, don't click the links, but if you just hold your cursor over the [00:42:00] link, it will pop up and see what it is. And the moment you look at that. And if the link is not Intuit QuickBooks intuit stuff, then that's somebody else spoofing.

Jamie Pollock: And I want to bring this up because both my I have a few people that are very close to me that have fallen for this little trick where they'll use a dash and it'll say Intuit QuickBooks, dash x, y, z, blah blah blah, something.something.edu dot. Are you, are [00:42:30] you, uh right or d or something. Um they put, they use the real domain name and a dash and then something else and it looks and then they also in the text message, just make sure it wraps right at that point. So it says Intuit.com and then it wraps. And then there's the dash. And the rest of the domain name looks like the real domain name, but it's not.

Alicia Katz Pollock: When you get those emails, you can forward them to fraud at Intuit.com and that helps them keep tabs on all the fraudsters out there.

Dan DeLong: And you [00:43:00] can always go to security dot Intuit QuickBooks and look at a listing of current known, uh, things that are going on out there. Security alerts. That's the word I was looking for. So security. The one.

Alicia Katz Pollock: Security.com. Yeah. I didn't even know about that one.

Jamie Pollock: I learned something today.

Dan DeLong: There we go.

Alicia Katz Pollock: Going there right now. In a second. Security.

Dan DeLong: Yeah. So it'll it'll have a place to forward things. So it'll give you the. It [00:43:30] used to be spoof at Intuit.com but now it's security at Intuit.com or fraud at Intuit.com, uh, but there's a nice place there, uh, to a good repository of prior ones that have been forwarded that have been officially vetted as. Yes. These are yes, these are legitimate frauds. So that's a that sounds like an oxymoron.

Jamie Pollock: It's a real problem, not a fake fraud. It's a real fraud.

Alicia Katz Pollock: And [00:44:00] then the other one is not yet a vulnerability, but it's something that I noticed in with the changes happening to QuickBooks is that they have a new system for forwarding invoices and expenses to QuickBooks that it used to be. If you were going to forward a receipt, it had to be a user of the account. And that was a barrier for most people because, you know, not all your employees have Intuit logins. And so they changed the system so that now it's [00:44:30] one of those mass emails like we were talking about earlier, where it's your company name plus expenses at assist Intuit.com. And you can give that email address to a vendor and they can forward their invoice, and that puts it in your receipts to turn it into a bill, which is amazing for our workflows. However, that does mean that if that email address gets out, people can send you bills, and if you're [00:45:00] not paying attention, you're gonna you might pay somebody that isn't actually a supplier. And so I'm a little worried about that. And I like that. You know, QuickBooks Online Advanced has approval workflows, but not enough people are using QuickBooks Online Advanced. And that if you're looking for reasons to use Advanced, that's a security option, is putting in a workflow that all bills need approvals. Then you won't get trapped by accidentally paying somebody [00:45:30] who sent you a fraudulent invoice.

Jamie Pollock: If you're a hacker or a fraudster, don't listen to what she just said. We're not supposed to publish the security alert until after it's plugged. We plug the hole, then we do the.

Alicia Katz Pollock: Oh, God, I hope, I hope I didn't just give the fraudsters an idea.

Dan DeLong: Aha! Well, we could we could probably have a water cooler discussion of all of the different ways that that, uh, that fraudsters or bad actors could, [00:46:00] could access, uh, the information or, or get, get into, into it. Um, but I think we should probably wrap this up so that.

Alicia Katz Pollock: We before we.

Dan DeLong: Before we scare more people away.

Alicia Katz Pollock: Yeah. All right. Well, that was an excellent, excellent conversation. And so, you know everybody keeping tabs. This is always evolving. The you know they're always finding new backdoors. And so I'm sure a year from now we're going to have this conversation again. Um, it looks like every six months for us. Um, [00:46:30] and so it's really important. And um, you know, we really want to make sure that we keep our privacy, um, as this world and technology expand.

Jamie Pollock: Can I give one more of my three rules of internet security real quick? Because I gave you the first one, which is know your source, know who you're dealing with, and if you don't, just don't deal with them, like delete it, hang up right, hang up the call, delete the email, delete the text. I'm not going to give you the second you got to come to the class for that third third rule though, and it's so funny and simple is [00:47:00] don't do anything, don't react, don't click the link, don't call the number, don't reply to the text. Right. I got one this morning. It just said is now a good time to talk question mark. It's called pig butchering and they just really want you to answer the text. And then they talk to you back and forth and become your friend for a year. And then they say, I got an investment opportunity, right. Um, most of the scams and hacks that happen in the bigger world, not just here, but everywhere, they [00:47:30] need you to take action. So their goal is to create anxiety. Create a fear, create that. You have to react right now. If there's urgency on their part, you should just stop and turn off the machine, or put down the phone or delete the whatever. If you owe somebody $500 through PayPal, they'll get back to you. I guarantee it, they'll get back to you. Right? But 99% of the time, if you don't do anything, if you do nothing, guess what happens, Dan?

Dan DeLong: Nothing. [00:48:00]

Jamie Pollock: Nothing happens. Right? It's only when you take action that they get you in their net.

Dan DeLong: Right? They can't mine data if you're not giving them data.

Jamie Pollock: Ah ha ha ha. I like how you think, sir. I like how you think. All right.

Alicia Katz Pollock: All right. Well, thank you for that. That's really, really valuable stuff. So, Jamie, thank you so much for coming on the show.

Jamie Pollock: Hey, I really appreciate it. I really have a good time. And, uh, Dan, really, really love the info you bring and the expertise you bring.

Dan DeLong: Thank [00:48:30] you, thank you.

Alicia Katz Pollock: Yeah. Um, before we wrap it up, I actually want to throw in a little bit of Intuit news and opportunity. I saw a post from Jessica McCracken on the socials, and Intuit is really heavily looking forward to our feedback about, especially about the banking feeds, since that's like the place where everybody I have clients who think QuickBooks is the banking feed. Um, and so, uh, they are right [00:49:00] now, you know, we're we're switching the whole interface up, but they're really focusing on the banking feeds. And so they have a new board called Canny. And, uh, it's at Intuit feeds underscore F or capital F. Capital B. I think that's because I'm seeing it on Facebook. Um, and it's a, a bulletin board where you can put in your feedback about the bank feeds and the developers are reading it. Um, [00:49:30] you can have conversations with other people, we can actually upvote some of the suggestions. We can talk about them and the developers actually join the conversation. And I've been really enjoying using it. It is absolutely just for ProAdvisor. It is not for general public, and they want actionable suggestions and feedback, not just like I don't like it. They want you to suggest, like you could do this to improve it, or this is the specific problem that I'm having. And so they are actively [00:50:00] looking for feedback about the banking feeds. And of course this is going to expand out into the whole new interface. And so actionable feedback this is the time. And so we'll put a link in the show notes.

Dan DeLong: And that is actually a great, a great way for, for us to actually see and and see the transparency of what is actually being worked on. And, you know, because when you, when you, when you flood feedback, right, you're doing individual feedback. You're, you're, you [00:50:30] know, and then somebody has to then aggregate that data and and consolidate it. Right. So here you can actually see somebody else's post or somebody else's feedback and upvote it right. And then put your like yes I agree with this. And then you can also see the the 360 type of situation where, okay, we're working on this or we plan to or it's already taken care of. That is amazing [00:51:00] I think in in what what we what we want to see our feedback actually come to fruition. And this gives you an actual way to to one not to duplicate other people's efforts, you know, spend an hour trying to, you know, provide a screenshot or the actionable data to do that when somebody else has already done that. So you don't have to reinvent the wheel if somebody else has and you just click a yes. I agree with this as well.

Alicia Katz Pollock: I've really liked seeing the developers [00:51:30] actually come on and say this is a good idea or we're working on this and there's an it even has a roadmap of things that they have decided that they are going to implement. So I love that transparency. Yeah.

Jamie Pollock: And then you hit refresh and there it is. So great online.

Dan DeLong: Like the data analyst used to tell me at Intuit is like in God we trust, all others bring actionable data.

Alicia Katz Pollock: That's fantastic. All right. We're going to end with that one. Um, so, Dan, before [00:52:00] we wrap up, what is going on in your world?

Dan DeLong: Well, um, we just wrapped up our AI and accounting cohort, um, really, really some positive feedback on on that. And we're going to repurpose, uh, our four week session and make it available so that, you know, you don't have to join a four week cohort in order to get the glean the insights of that. So that's, uh, that's one of the things that, that, that we're working on here today. Um, how about you? What's, uh, what's going on in the [00:52:30] the Pollocks' world?

Alicia Katz Pollock: Okay, let's start with you. What's going on in your world, Jamie?

Jamie Pollock: Uh, you know, I, uh, did a lot of travel for summer. I hope to do some more, but I just finished my big inbox clean out push. And in the month of June, I deleted 500,000 emails from my clients. And I'd like to hit a million by the end of August. So basically, I log in to your Gmail or whatever, and I mass delete emails in a way that you may not know how to using power searching, uh, and delete and [00:53:00] basically just clean out. My favorite is unread messages that are more than two years old. You just never read them. Two years ago, you didn't read them. Why? You're not going to read them now? Uh, so we're wiping those away. Also, August is password cleanup month, and so I'm expanding it. Funny enough for this topic, um, it's an hour of my time, or I screen share into your computer and teach you about the password management tool. We look for duplicates. We look for old information. I teach you how to make a good. What is a good password? How to make a good password that [00:53:30] you might be able to remember. That is still good enough that it's not computer generated. Uh, and so there's a lot of training that happens, but it's also hands on me implementing and cleaning in front of you.

Alicia Katz Pollock: They'll note that it means that you are in a Zoom watching him with his permission, and you're still doing all the security stuff. It's this is not a vulnerability.

Jamie Pollock: This is not this is not a vulnerability.

Alicia Katz Pollock: Yeah. And it's been an amazing service. [00:54:00] It's been amazing. All the clients that are coming to him and the emails that he's doing, you know, he'll at the end of every day he's giving me a report 20,000 emails today, 50,000 emails today. What's really funny is when he finally sits down in front of my computer, he's going to hit that.

Jamie Pollock: Let me hit the million. I did 120,000 emails in a two hour period. About three weeks ago, I came home and I was like, ah. I just went from 200 to 400,000 in a day. It was great.

Dan DeLong: Yeah. [00:54:30] I'm sitting at my looking at my email unread email badge 20,032. I think I need to sign up for your class.

Jamie Pollock: Hey, Dan, I'm going to send you a link. A link to my site, to my login, my sign up page. Hey, Alicia, what's going on in, uh, in the QuickBooks side of Royalwise?

Alicia Katz Pollock: Yeah, and the QuickBooks side of Royalwise. Um, as everybody by now knows, Intuit is now rolling out their new QuickBooks on the Intuit platform. And so, uh, by the time you hear this, it yours may just flip [00:55:00] over. And Dan and I did an episode a few weeks ago where we pored through all of the features so that you understood how the interface worked. Um, but what this means for us at Royalwise is that I have over 30 classes that are all in the old interface that now need to be republished in the new interface and I'm actually making lemonade. We are having a time.

Jamie Pollock: Time?

Alicia Katz Pollock: Um, we are using this [00:55:30] as an opportunity to refresh our entire catalog. So if you have ever been thinking about taking Royalwise classes, this is the time to jump in. We start in mid September with my beginner's guide to QuickBooks online and introduction to for Bookkeeping and Accounting. Then we go into my Boot Camp class, which is the six hour flagship course that we teach you how to do the workflows. So like if you're going to do just one course with us, that would be the one. Um, but then I [00:56:00] have to double my cadence instead of teaching a new class every two weeks like normal, I have to do a class every single week all the way through May in order to, uh, to update my content. So if this is an amazing opportunity, um, to become a Royalwise member, if you become a silver member or a community member, you get automatic enrollment into all of the live webinars, which range from 1 to 6 hours long. Most [00:56:30] of them are two hours a couple three hours. You get two group Q&A sessions every single week where we come together as a community and you can ask me anything about your QuickBooks. Um, and, uh, you also get full access to the entire library. So when you're not sure how to do something, you can just go to the website and log in and go to the search and say, like, how do I do a car loan? And it will pull up all my videos that show you how to do a car loan or how to do a vendor credit. So this [00:57:00] is a great opportunity to become a member of the Royalwise OWLS. And we will have a link in the show notes for that too.

Jamie Pollock: So join our community and gain access to the expert. Those are really the big the big bonuses. I'm going to do one more quick pitch is my Don't Get Scammed class. It's on demand on the website if you just want to go watch the last time I did it, but I'm for hire, I will come to your organization. I will do it over Zoom. I will do it live. I travel to assisted living centers, and I do it for 30 to 50 seniors at a time. [00:57:30] But it is 25 real world screen capture examples of scams that are happening today. So you will get real world examples with my tips on how to avoid falling into the trap.

Dan DeLong: Nice.

Alicia Katz Pollock: Excellent.

Dan DeLong: It's a hoot!

Alicia Katz Pollock: Jamie is a hoot.

Jamie Pollock: It's actually a hoot. Hoot.

Alicia Katz Pollock: All kinds of hoot tips. Yeah, all right, all right, all right, all right. So, uh, thank you, everybody, [00:58:00] for joining us for our episode about, uh, security and QuickBooks. And we will see you in the next one.

Dan DeLong: See you in the next one.

Creators and Guests

Alicia Katz Pollock, MAT
Host
Alicia Katz Pollock, MAT is the CEO at Royalwise Solutions, Inc. As a Top 50 Women in Accounting, Top 10 ProAdvisor, and member of the Intuit Trainer/Writer Network, Alicia is a popular speaker at QuickBooks Connect and Scaling New Heights. She has a Master of Arts in Teaching, with several QuickBooks books on Amazon. Her Royalwise OWLS (On-Demand Web-based Learning Solutions) at learn.royalwise.com is a NASBA CPE-approved QBO and Apple training portal for accounting firms, bookkeepers, and business owners.
Dan DeLong
Guest
I help people learn how to use QuickBooks the way they want to learn it