Cybercriminals are stealing face scans to break into mobile banking accounts

Cybercriminals have set their sights on iOS users, using malware to steal face scans and gain access to Apple device users’ bank accounts. This is believed to be the first of its kind in the world.

A Chinese-speaking cybercriminal group known as GoldFactory has been distributing trojanised smartphone apps since June 2023. The latest version, GoldPickaxe, has been around since October.

GoldPickaxe and GoldPickaxe.iOS target Android and iOS devices respectively. They trick users into performing biometric verification checks, which are then used to bypass the security measures of legitimate banking apps in Vietnam and Thailand, where these attacks are focused.

GoldPickaxe and GoldPickaxe.iOS trojans target Android and iOS devices respectively

The iOS version specifically targets users in Thailand, disguising itself as the official digital pensions app of the Thai government. However, there are suspicions that it has also made its way to Vietnam, as similar attacks were reported in the region recently, resulting in the theft of thousands of dollars.

Group-IB researchers noted that GoldPickaxe.iOS is the first iOS Trojan they have observed that combines several functionalities: collecting biometric data and ID documents, intercepting SMS, and proxying traffic through victims’ devices.

The Android version of the malware has even more functionalities than its iOS counterpart, due to the more open nature of the Android platform compared to the closed nature of iOS.

While Android malware is more common due to the ability to sideload apps, the discovery of iOS malware has surprised researchers because of the tighter security controls on Apple’s platform.

The Android infection was more straightforward, with malicious apps being available for download/sideload through a fake but seemingly legitimate Google Play store.

Researchers also found that the Android version had more disguises than the iOS version, posing as over 20 different government, finance, and utility organizations in Thailand, giving attackers more opportunities to deceive users.

LastPass Hacked – How serious is it & Things You May Not Know

If you use LastPass as your password manager, I recommend reading this post in full.

If you know anyone who uses LastPass, forward this to them.

Even if you already know about the LastPass hack, I still recommend you read this, as there will be information here that you may not know about and risks you have not thought of.

In case you are not aware, LastPass was hacked back in August 2022 and then AGAIN in November, and all customer password vaults were stolen. This is not the first time they have been compromised either; it has happened before.

LastPass has been very sketchy about revealing what happened or revealing the seriousness of the hack and waited until December 22nd to put out a statement telling customers their vaults had been stolen, knowing full well that most users would have left for the Christmas holidays and probably wouldn’t read the email or be able to take action.

You can read more about the hack here.

My advice is to move away from LastPass ASAP and change all your passwords.

How Serious Is This?

As long as you had a very strong master password on your LastPass account, security experts agree that hackers will not be able to crack it and decrypt your vault, which would potentially take thousands of years or more. If however, you had a weak or moderate master password, then you should probably consider it compromised.

However, the strength of your master password is not the only issue.

Numerous issues have been revealed about how LastPass encrypts data and enforces strong passwords, especially for users who signed up several years ago, when the requirements were much weaker. LastPass has never prompted or forced these users to change their weak master passwords, which means many users still have weak master passwords that are easy to crack.

Security experts also discovered that LastPass only encrypts the PASSWORD and NOTES fields in the vaults; everything else is in plain text and can be viewed by the hackers right now, which is a serious problem. This means all the other data in your vault is compromised, so they know who you are, what company you work for, what websites you use, the usernames for those websites, and any other piece of data you stored in your vault.

If any of the websites/accounts you had stored in LastPass also had weak passwords, the chances of those also being hacked have now also increased.

You can also be sure the hackers will be selling your vault to anyone who wants it on the dark web, so it won’t just be the original hackers trying to get into your vault, it will also be every other hacker and cybercriminal they sell the data to.

The even bigger issue here is that LastPass has now been hacked several times, so obviously their security is not up to scratch, plus the way they have handled the situation is highly unprofessional and unethical. In an attempt to save their reputation and stop customers from leaving in droves, they have been intentionally sketchy with the truth and tried to mislead everyone about what happened, when it happened and how serious it was, meaning they simply cannot be trusted anymore.

Armed with the non-encrypted information from users’ vaults, it will be very easy for hackers to launch phishing attacks against users, with spoofed and fake emails, appearing to come from the sites they know you use, in an attempt to get you to reveal the passwords for those sites/accounts. So you need to be extra vigilant in checking that every email you receive is really from who it says it is from.

It is not likely that hackers will be going after the average user, as there are millions of them; instead, they will be targeting the vaults of high-profile users, CEOs, MSPs etc. This still doesn’t mean you are safe, though; see the indirect risk warning below.

Please also note that the two-factor authentication on your LastPass account will not help here, since 2FA only protects the login process on the LastPass app or website. The hackers do not need to log into anything; they have an encrypted file that they need to decrypt. They are simply trying to decrypt the password vaults, which are encrypted with your master password only, so no 2FA is involved.

If you used a password that is made up of information that could be easily gleaned by checking your social media posts and activity etc, such as family member names, date of birth, etc, then these are also easily hacked.

NEVER create passwords made from personal information about you or your family or hobbies etc. Always create random passwords or phrases made from random words. This is the point of using a password manager and why they do this for you.

How you actually get hacked

It is also important to consider how this can indirectly affect you.

Even if your vault does not get compromised, someone else or another company you do business with (such as me, for example), who also has access to any of your systems, websites, or accounts, could have their vault compromised, especially if they had a weak password (my passwords are strong, BTW), which in turn compromises you.

It is also highly likely that some websites/businesses you use and trust will end up being hacked as a result of this, due to that company or someone who works there having their LastPass vault compromised.

So by changing all those passwords, you are also protecting yourself from this indirect compromise as well.

What you need to do

You need to get all your data out of LastPass, move to a new password manager, delete your LastPass vault, cancel your account, change all your important passwords and enable 2FA everywhere possible.

1. Change Your LastPass Master Password

Please note that this will not help with the copy of your vault that has been stolen; it only changes the password on your current vault. But if the criminals do manage to crack your master password, you don’t want them to then be able to log in to your LastPass account and access your live vault as well, before you have had a chance to delete it and close your account.

2. Export all your data from LastPass

Click here for instructions on how to do that

If you use LastPass as your 2FA authenticator to generate your One Time Passwords (the codes you use for 2-factor authentication), these cannot be exported, as they are randomly generated every 60 seconds; what you will get in the export will just be junk.

So you will need to reset the 2FA on all those sites where you are using LastPass as the authenticator and set them up in another authenticator. You can either use whatever new Password Manager you move to or if you prefer to use your mobile device, then I recommend using Microsoft authenticator.

You will need to keep your LastPass account active while you do this since you will need to use it to generate your One Time Passwords to log in to those sites and reset 2FA to begin with.

I recommend importing the exported CSV file into Excel, password-protecting it, and saving it as an .xlsx file. Then delete the original CSV file and empty your recycle bin.

This way you do not have all your passwords stored insecurely on your computer in plain text.

3. Import your data into a new Password Manager

First, you need to pick a new password manager, the best solution will really depend on your requirements.

If you don’t need to share passwords with anyone else, don’t need any bells and whistles, and are happy to store everything on your mobile device, then you can use Microsoft authenticator, as this also has a built-in password manager.

The downside of this is that if you need to log into anything on your PC/laptop or any other device, you will need to manually type those long, randomly generated passwords.

Other popular choices include 1Password, Dashlane, NordPass, Bitwarden, KeePass and many others.

If you use Bitdefender antivirus, then this also has an optional password manager.

I personally have moved to Bitwarden, which has a free plan for personal use and very reasonable pricing on all the other plans. However, it’s not the prettiest or most intuitive app, so it may not be the right choice for the less computer literate among you, who may prefer one of the other apps above or something else.

All make it nice and easy to import your LastPass data and provide instructions in their knowledge base on how to do this.

And finally, don’t forget to delete that exported file once you have finished with it, and delete it from the recycle bin too.

TIP: If you hold down SHIFT while deleting a file, it doesn’t go to the recycle bin.

4. Reset all your 2-factor authentications

As mentioned above, you will need to reset the 2FA on all those sites where you are using LastPass as the authenticator and set them up in another authenticator.

If you don’t do this first, you will no longer be able to get into those sites once you delete LastPass as you won’t be able to generate a OTP, and will need to go through more hoops to reset 2FA and get access to those sites. So decide which option is preferable.

Anywhere that offers 2FA, make sure it’s enabled.

5. Delete your LastPass account

Once you are sure that you have everything you need from LastPass, and don’t need to access the OTPs (one-time passwords) for 2-factor authentication on any of your sites, you can go ahead and close your LastPass account, which will delete your vault.

How to delete your LastPass account.

6. Change all your important passwords

You could work on the basis that your vault will not be decrypted and that you are safe, especially if you had a very strong master password.

Or you may want to go and change all your passwords just in case; don’t forget the indirect compromise I mentioned earlier.

Anywhere where you have 2FA enabled is technically safe, as the password by itself will not let the hackers into that account, and you should get notification of any attempted access.

But you should certainly consider changing passwords on any important site or account where 2FA is not in place.

Such as your email account (very important, very few email providers have 2FA), hosting account, online banking, social media accounts, website admin, Amazon account, other online stores, and anywhere that has your banking or card details stored and could be used to make purchases.

Remember, any website/account that gets hacked, even seemingly insignificant websites, may contain information about you that will then help the criminals/hackers gain access to other accounts of yours, such as your answers to security questions, which are likely going to be the same on every website you use.
Armed with this information, they can then pretend to be you, claiming they have lost their login details, and use the security questions/answers to reset passwords and gain access.

If any 3rd parties also have their own separate logins to anything of yours, such as your email, website, banking, amazon etc, send this information to them, and if they use LastPass, they should also change their passwords too.
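To make the export, 2FA-reset and password-change steps above less of a guessing game, here is an added example of my own (not a LastPass tool and not part of the original post) that triages a LastPass CSV export: it lists the entries where LastPass was the TOTP authenticator (re-enrol those elsewhere before closing the account), the entries with short or reused passwords (change those first), and how many site/username pairs a holder of the stolen vault can read without cracking anything. It assumes the column layout `url,username,password,totp,extra,name,grouping,fav` and that secure notes are exported with the URL `http://sn`; the sample rows are constructed, not real credentials.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export (made-up sites and credentials). The header is the
# column layout I assume LastPass uses for its CSV export; check that yours matches.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.example.com/login,alice@example.com,Fluffy2010,otpauth://totp/mail?secret=JBSWY3DPEHPK3PXP,,Email,Personal,1
https://bank.example.net/,alice,Fluffy2010,,,Bank,Finance,0
https://shop.example.org/account,alice@example.com,x9#Lq!v2Rb7$Wm4pZ1cE,,,Shop,Personal,0
https://admin.example.org/wp-admin,admin,Tr0ub4dor&3,,,Website admin,Work,0
http://sn,,,,Router admin password is in the note body,Router (secure note),Misc,0
"""

WEAK_LENGTH = 12  # assumed cut-off: anything shorter goes straight onto the change list


def parse_export(text):
    """Read the CSV export into a list of dicts, one per vault entry."""
    return list(csv.DictReader(io.StringIO(text)))


def site_of(row):
    """Human-readable site label; LastPass exports secure notes with the url 'http://sn' (assumption)."""
    host = urlsplit(row["url"]).hostname
    if not host or host == "sn":
        return row["name"]
    return host


def triage(text):
    """Work out what needs doing, without ever echoing a password to the console."""
    rows = parse_export(text)
    # Entries where LastPass is the TOTP authenticator: re-enrol these elsewhere
    # BEFORE closing the account, otherwise you lock yourself out of those sites.
    totp_reset = [site_of(r) for r in rows if r["totp"]]
    # Short passwords: change these first.
    weak = [site_of(r) for r in rows if r["password"] and len(r["password"]) < WEAK_LENGTH]
    # Same password on several sites: one crack or breach opens all of them.
    by_password = defaultdict(list)
    for r in rows:
        if r["password"]:
            by_password[r["password"]].append(site_of(r))
    reused = [sites for sites in by_password.values() if len(sites) > 1]
    # Fields the post says were stored unencrypted: this is what a holder of the
    # stolen vault can read without cracking anything, and what phishing will use.
    exposed = [(site_of(r), r["username"]) for r in rows]
    return {"totp_reset": totp_reset, "weak": weak, "reused": reused, "exposed": exposed}


def print_report(result):
    print("Re-enrol 2FA elsewhere before closing LastPass:", ", ".join(result["totp_reset"]))
    print("Change first (short password):", ", ".join(result["weak"]))
    for sites in result["reused"]:
        print("Same password reused on:", ", ".join(sites))
    print(f"{len(result['exposed'])} site/username pairs are readable without decryption")


if __name__ == "__main__":
    print_report(triage(SAMPLE_EXPORT))
```

Run it against your own export by reading the file into `triage()`; it deliberately reports site names only, so the report itself is not another plaintext copy of your passwords. Delete the export (Shift+Delete) once you are done, as the post says.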

7. Be vigilant

As mentioned above, armed with the non-encrypted information from users’ vaults, hackers, cybercriminals, and scammers all around the world will be launching phishing attacks against users, with spoofed and fake emails, appearing to come from the sites they know you use, in an attempt to get you to reveal the passwords for those sites/accounts.

These emails will likely come in the form of warnings about your account being compromised or about this very LastPass hack, telling you to reset your password, and sending you to a fake website.

Since there will also be legitimate emails from those same websites telling you the same thing, you need to check who the email really came from (check the from address) and verify that links in any emails go to the real website (look at the domain name).

The best suggestion is simply to avoid clicking links in such emails, and instead, just go to the website manually by typing the URL, then you know you have gone to the real website.
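The two checks just described (who the email really came from, and where its links really go) can be automated. Below is an added example of my own, not from the original post, that parses a message, compares the sender domain with the site it claims to be from, and flags links whose real destination differs from the claimed site or from the URL shown in the link text. The sample messages are constructed for this illustration and use the reserved `.example` TLD for the fake domains; the registrable-domain logic is deliberately naive (last two labels) and a real deployment should use the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a message dressed up as a LastPass notice. The sender and link
# domains are made up for this illustration (reserved .example TLD).
SAMPLE_PHISH = """From: "LastPass Security" <alerts@lastpass-secure.example>
To: alice@example.com
Subject: Reset your master password now
Content-Type: text/html

<html><body>
<p>Your vault may be at risk. Reset now:</p>
<a href="https://lastpass.com.account-verify.example/reset">https://lastpass.com/reset</a>
<p>Or read the <a href="https://lastpass.com/support">support page</a>.</p>
</body></html>
"""

# Constructed sample of what a genuine notice looks like under the same test.
SAMPLE_LEGIT = """From: "LastPass" <no-reply@lastpass.com>
To: alice@example.com
Subject: Security notice
Content-Type: text/html

<html><body><a href="https://lastpass.com/security">lastpass.com/security</a></body></html>
"""


def registered_domain(host):
    """Naive registrable domain: the last two labels. Good enough for .com-style names;
    a production check should consult the Public Suffix List (co.uk and friends)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects [href, visible text] pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def check_message(raw_message, claimed_site):
    """Return the reasons this message does not belong to claimed_site (empty list = none found)."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    findings = []
    # Check 1 from the post: the From address, not the display name.
    if registered_domain(sender_domain) != claimed_site:
        findings.append(f"From address is at {sender_domain}, not {claimed_site}")
    # Check 2 from the post: where each link actually goes.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        host = urlsplit(href).hostname or ""
        if registered_domain(host) != claimed_site:
            findings.append(f"link points at {host}, not {claimed_site}")
        # Only set when the link text itself is a URL with a scheme, e.g. https://...
        shown = urlsplit(text.strip()).hostname
        if shown and registered_domain(shown) != registered_domain(host):
            findings.append(f"link text shows {shown} but the href goes to {host}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, check_message(raw, "lastpass.com") or "no findings")
```

A From address can itself be forged, so this reproduces the post's manual check rather than replacing mail authentication (SPF/DKIM/DMARC) at your mail provider; the link check is the more reliable half, which is why typing the URL yourself remains the best advice.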

Also be wary of unusual emails/messages from friends, family, colleagues, staff, and even your boss, as the person sending the messages may be a criminal or scammer who has compromised their email, social media account, etc. If in doubt, always pick up the phone and call that person to make sure it’s actually them you are talking to.

I hope this information was helpful.

Stay Safe

Why do fraudsters create fake accounts?

Fraudsters are everywhere on the Internet. If you run a website that allows users to create an account in order to access goods or services then you will definitely encounter your fair share of them. For the purpose of this article, we’ll cover 2 types of such fraudsters.

Plus, the amount of online fraud has increased dramatically over the last couple of years due to the worldwide pandemic, which, according to the latest print-on-demand eCommerce stats, has made the online business market grow like crazy.

Credit card fraudsters

This is the type of fraudster that you’ll see frequently if you run an online business. They will create multiple fake accounts with various email addresses, often using free or disposable email providers. For them, it’s a form of anonymization to cover their malicious activities. As far as the online merchant is concerned, they are different people because the email address is different.

After creating multiple fake accounts, the fraudster will then attempt to purchase multiple items at the website using stolen credit cards. With different accounts and varying email addresses, it’s often hard to manually trace the culprit. In the end, the online merchant will suffer severe financial losses from chargebacks by the legitimate card owners.

Spamming fraudsters

Now, these guys are everywhere in forums, blogs, review sites, etc. They are often paid shills that are given the task of promoting some dodgy websites or giving fake reviews to boost the status of a questionable product. They just keep spamming everywhere that they can post their website links as well as any review sites.

Similar to the credit card fraudsters, they hide behind the identities of multiple email accounts. Without an automated screening tool, it would be next to impossible to identify all such accounts. Using mass spamming bots, they can severely compromise the integrity of review sites as well as degrade the usage experience of the normal web users.

How to limit the fake account issue?

In the case of the credit card fraudsters, online merchants can use FraudLabs Pro, which offers both plugins and APIs to screen out fraudulent credit card transactions. The highly sophisticated algorithm in FraudLabs Pro, coupled with blacklists powered by feedback from other merchants, makes it a highly effective screening tool for blocking such transactions.

Since both types of fraudsters rely on fake accounts to perform their nefarious deeds, the use of the FraudLabs Pro SMS Verification is another tool to prevent the fraudsters from signing up with multiple accounts. By requiring a mobile phone number to receive the One-Time-Passcode (OTP) for verification, it is a lot harder for bad actors to successfully sign up for multiple accounts.
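To show how the two ideas above fit together (recognising that several differently spelled email addresses are really one mailbox, and gating each account behind a phone number verified by a one-time passcode), here is an added example of my own. It is not FraudLabs Pro's code or API, just an illustration of the screening logic: email normalisation for providers that ignore dots and plus-tags (Gmail being the well-known case), a constructed disposable-domain list standing in for a maintained feed, and a single-use, expiring OTP check tied to the phone number.

```python
import hashlib
import hmac
import re
import secrets
import time

# Constructed list for the example; a real deployment uses a maintained disposable-domain feed.
DISPOSABLE_DOMAINS = {"mailinator.example", "tempmail.example", "10minute.example"}
# Providers that ignore dots in the local part (Gmail does, and also routes googlemail.com).
DOT_INSENSITIVE = {"gmail.com"}
OTP_TTL = 300  # seconds an SMS code stays valid (assumed value)


def normalize_email(addr):
    """Collapse the spellings one mailbox can have: case, +tags, Gmail dots and googlemail alias."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain == "googlemail.com":
        domain = "gmail.com"
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def normalize_phone(number):
    """Digits only, with a '00' international prefix dropped; assumes callers include a country code."""
    digits = re.sub(r"\D", "", number)
    return digits[2:] if digits.startswith("00") else digits


class SignupScreen:
    def __init__(self, now=time.time):
        self.now = now                  # injectable clock so expiry can be tested
        self.accounts_by_email = {}     # normalised email -> account id
        self.accounts_by_phone = {}     # normalised phone -> account id
        self.pending_otp = {}           # normalised phone -> (sha256 of code, expiry time)
        self.verified_phones = set()

    def issue_otp(self, phone):
        """Generate a 6-digit code; in production this is what the SMS gateway sends the user."""
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.pending_otp[normalize_phone(phone)] = (digest, self.now() + OTP_TTL)
        return code

    def confirm_otp(self, phone, code):
        """Single use: the pending entry is consumed whether or not the code matches."""
        p = normalize_phone(phone)
        entry = self.pending_otp.pop(p, None)
        if entry is None:
            return False
        digest, expiry = entry
        if self.now() > expiry:
            return False
        ok = hmac.compare_digest(digest, hashlib.sha256(code.encode()).hexdigest())
        if ok:
            self.verified_phones.add(p)
        return ok

    def evaluate(self, email, phone):
        """Reasons to refuse this signup; an empty list means it passes."""
        reasons = []
        e = normalize_email(email)
        if e.rpartition("@")[2] in DISPOSABLE_DOMAINS:
            reasons.append("disposable email domain")
        if e in self.accounts_by_email:
            reasons.append(f"mailbox already used by account {self.accounts_by_email[e]}")
        p = normalize_phone(phone)
        if p not in self.verified_phones:
            reasons.append("phone not verified by OTP")
        if p in self.accounts_by_phone:
            reasons.append(f"phone already used by account {self.accounts_by_phone[p]}")
        return reasons

    def register(self, account_id, email, phone):
        """Create the account only if evaluate() found nothing; returns the reasons otherwise."""
        reasons = self.evaluate(email, phone)
        if reasons:
            return reasons
        self.accounts_by_email[normalize_email(email)] = account_id
        self.accounts_by_phone[normalize_phone(phone)] = account_id
        return []
```

The point of hashing the pending code and consuming it on the first attempt is that a leaked table of pending OTPs is useless and a guessed code cannot be retried; the point of keying accounts on the normalised email and phone is that `john.doe+shop@gmail.com` and `JohnDoe@googlemail.com` count as one person.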

In the case of blocking scammers and spammers on your website, there are plenty of tools available, and the best choice depends very much on what your website is built with. One of the most popular solutions is Cleantalk, which can be installed on any website and blocks spam silently in the background, with no annoying captchas or maths problems for users to solve.

For added security against other kinds of threats/issues, I recommend Sucuri, which is a web application firewall/proxy service that sits in front of your website and filters all requests for malicious activity and blocks them before they ever reach your website.

For customers using WordPress, it is also critical to have a security plugin to monitor your WordPress installation and protect against malware. A popular passive solution is Malcare, which will detect and automatically remove malware, which is great for sites that are not being professionally managed. At the very least, it is recommended to have the free version of the Wordfence or Sucuri plugins.

Conclusion

Deploying at least basic security/protection doesn’t need to cost you an arm and a leg, in fact in many cases it is actually FREE. The FraudLabs Pro protection is an easy and fast way to limit the potential damage that fraudsters can do to your website and your reputation. Their Micro plan is completely free, so there is no reason not to give it a try.

FYI I do use all the above services myself for both myself and many of my clients.

As usual, if you need any help with your security or anything mentioned here, feel free to get in touch.

Google alienates kids & parents + How to recover files from a suspended G Suite account

I was one of the early adopters of what is now known as Google G Suite and have been using it since it was launched back in 2006, when it was originally called Google Apps.

Like most early adopters, I started with the free Google Apps account, which was open to anyone and was originally intended for personal use. Like most people, I got it just so I could use my own domain name with Gmail. A few years later I upgraded to the paid plan, which then became Google Apps for Business and then G Suite basic.

Over the years many things have changed, including the name, rules and policies and new features have been added, not all of them positive and many of them infuriating.

One of the big changes is that G Suite is now intrinsically linked with your Google account, which you use for many other apps and services, including Single Sign On.

G Suite is now for business use only, not personal use, and as such they have intentionally crippled it so that it only works with the core G Suite services and you are not allowed or able to use any of the other useful services that regular Google users enjoy, such as Google families.

I have even discovered that I am no longer able to leave reviews for apps on the play store via my G Suite account, which has been a long-running complaint on the forums as this is the only way to contact the developers or get support for many apps.

Basically Google are treating their G Suite customers like second class citizens and seem to be punishing us at every opportunity simply for being a paying customer and having a G Suite account. Many customers, myself included, are feeling very alienated by this as it seems we would be better off using a free gmail account instead.

The other big change/annoyance is that Google now has an age limit. You are required to be 13+ years old in order to even have a Google account and use any Google services at all, even a free gmail account.

If Google finds out that a user is under 13 years old, they will permanently suspend that user’s account and will never reactivate it or give that user or you (the parent) access to that account again, no matter the reason.

All these changes are a major problem for parents like myself, who used the original Google Apps for personal use. Like many, I used my Google Apps domain for my entire family and gave all my kids an account so that I could centrally manage their Android devices and permissions.

Under Google’s new rules, this is no longer allowed, so if your kids are under 13 and have a Google account of any type, they are at risk of having their Google account suspended and deleted, which has now happened to me twice.

In both cases the cause of the suspension was Google+. Everything was fine until they tried to use something which prompted them to set up a Google+ account. As soon as you enter your DOB on Google+, it suspends your account immediately if you are under 13.

This was a surprise to me since, AFAIK, Google+ was actually shut down last April. What I had not realised was that they had only shut down the public (free) version; it is still active for G Suite customers.

The other ridiculous thing is that the age limit rule also means that your kids cannot use any Android device since this requires a Google account, which they are not allowed to have.

The only way around this is to use Google’s Family Link, which again cannot be used with a G Suite account (I tried), which is a real shame, as it seems like it would be a really great app if I could actually use it.

You might think, ok, so I will just create another Google/gmail account and have that on my device alongside my g suite account and use that to manage family link. Nope, this is not possible either as Family link does not allow you to have 2 Google accounts on the same device, not even on the parent device.

So the only way you can use Family link is by having a 2nd phone just for this purpose. If you have an old Android phone lying about, then this may be a viable solution, but it needs to be Android 7 to work properly and use all the features. This wouldn’t, however, be viable if you want to use any of the other family services, which you would obviously want on your primary device.

As if this were not bad enough, when I realised that I could not use Family Link I had to delete my child’s Google account from their phone in an attempt to put it back to normal, and this completely bricked the device.

I was completely locked out of the device by family link due to it not liking me removing the child account, so a factory reset was the only option. But after a factory reset it wants me to login as the previous user, which fails every time. I have now bricked 2 old phones by attempting to use the family link so far.

Now, I understand that Google has implemented these age limits in order to be compliant with COPPA, but they seem to have gone completely OTT and heavy-handed with their approach and have further alienated a lot of their customers in the process.

I have become so frustrated and disappointed with Google over the last couple of years that I am seriously considering cancelling my G Suite account and moving my domain over to Office 365 or Zoho.

Recovering Data From a Suspended G Suite account

Your Google account has been suspended

As I mentioned above, I have been on the receiving end of Google’s “no compromise” account suspension with my daughter’s account.

I pleaded with Google support just to unsuspend it for an hour so I could backup all her files from Google drive, but I was told by the agent that there was nothing he could do and the account could not be reactivated under any circumstances.

I asked if he could backup the files and send them to me, but the answer was also no, and I was told categorically that there was no workaround and no way I was ever going to get access to this account or the files.

So, off the top of my head, I came up with a couple of workarounds, which surprisingly the support agent had never thought of, because they were not in his list of KB canned responses. Creative thinking doesn’t appear to be one of the skills of a Google support agent.

1. Rename the account

Despite what I was told, there is in fact one way to get an account reactivated: if the suspension was a mistake because you accidentally provided the wrong DOB and the user is in fact over 13. In that case you need to provide ID to prove your age and, if accepted, the account will be reactivated.
https://support.google.com/a/answer/1110339?hl=en

You will note that the above link says there is supposed to be an option for the admin to change the user’s DOB, but this was not available to me; in fact, I could not do anything with the account except delete it.

So I thought, what if I rename the account to be in my wife’s name, and then send them my wife’s ID as proof of age, thus getting the account reactivated?

2. Transfer files to another user

When you delete a user from G Suite, it gives you the option to transfer all the files to another user. So I thought I could just create a new user for my daughter, delete the old user and transfer the files to the new user.

Option 2 was obviously the quickest and easiest solution, so that is what I decided to do, and it worked perfectly. Unfortunately, you cannot save the emails using this method, only the files, but this was not a problem for me.

I also then decided to re-create the original user, expecting this not to work because Google would know it was a previously suspended user.
Surprisingly, this also worked: the account was no longer suspended and worked fine. So I repeated the process, deleted the NEW user, and transferred the files back to the original username.

Now let’s just hope that Google do not read this and decide to further screw us over by stopping us from performing either of the above workarounds.

Are you sharing sensitive data & passwords on freelancer websites?

stop sharing your passwords on freelancer websites such as PeoplePerHour and Upwork

As a freelancer/consultant, I use freelancer sites like PeoplePerHour or Upwork on a regular basis. One of the issues evident in every job I have done is the total disregard for security on these platforms.

Most IT or web-related jobs done on freelance platforms are going to involve the exchange of sensitive data, specifically passwords, which is required in order to do the job. Clients will gladly share everything with multiple freelancers without a second thought, including their logins for control panels, hosting accounts, domain registrars, websites, and everything else.

This unconscious sharing of such details has massive security implications which I will address below and offer better and more secure alternatives.

Security Bad Practices

Firstly and most importantly, you should not post any sensitive information in the job chat/discussion on the freelancer sites (unless they are temporary logins that will be revoked/changed). These conversations are stored in plain text, not encrypted in any way, and can be viewed by anyone with access. Certainly in the case of PeoplePerHour, Upwork and Fiverr, I have asked them directly and they have confirmed this is the case.

In fact, Fiverr support even said outright to me that they do not recommend sharing passwords on their platform, even though this is not stated anywhere on their site, they do nothing to discourage it, and it is exactly what everyone does.

Secondly, your login details are for your own use, and everything that is done with your login credentials links back to you. If you share these credentials with multiple people and there is a security breach, you will have no idea who is responsible. If you are an employee and have a boss, then you will most certainly be blamed for the security breach, which could cost your company dearly.

Hackers are everywhere, don’t share your passwords insecurely

Thousands of sites get hacked and data is stolen every single day. Most of them are unaware they have even been hacked and the breach can go unnoticed for months or even years in some cases.

If any of the freelancer sites suffer a security breach, the hackers will have access to any data which is not encrypted, which includes all those login details that clients have entered in the chat with their freelancers. Not forgetting that the support staff can also read all your discussions as well, so any dishonest support agent could simply lift your login details and use them for illicit purposes.

Sadly there are also a lot of unscrupulous freelancers out there too, who will intentionally do damage to your systems in order to generate more work for themselves, or may seek revenge in the event of a dispute or disagreement.

I have had many jobs cleaning up after such situations and have found all kinds of back doors, insecure plugins, malware and extraneous logins that presumably had been created by other freelancers.

SECURITY GOOD PRACTICES

Ideally, you should find a single reliable freelancer/company who you are happy with and stick with them, rather than hiring a different freelancer each time. Not only is this better for security, but using multiple freelancers can also cause other problems as they are oblivious to what work their predecessor has done, and so will often break or undo each other’s work.

Sticking with the same person/company creates a relationship as well as a recurring income, which will, in turn, result in a better quality of work, fewer issues and less expense as they will know your systems and the work they have done before and be more inclined to keep you happy.

Plus any decent freelancer or contractor will use a task/project manager and keep notes on the work they do for ongoing clients, which also improves communication and project management.

Do not post sensitive information in the workstream/chat. An exception would be if you are providing a temp login which will be revoked once the job is done.

If you do need to give a freelancer (or anyone) temporary access to your accounts or website, then ideally you should provide them with their own login, not give them yours, which you should revoke (delete) once the job is done. You should also give restricted access where possible so the freelancer only has access to what is required to do the job.

If it is not possible to create a separate login for your freelancer, then always change your password once the job has been completed, and check that no additional accounts were created while they had access.

HOW TO SECURELY SHARE YOUR DATA


Create a Secret Link

There are a number of online tools which will allow you to share information with someone securely via a special secret link that is randomly generated just for you and only works once. As soon as the recipient clicks on the link to view the information, that link and all the information is destroyed.

This makes it safe to share that link via email or on freelancer sites, because the link only works once and is useless to anyone who finds it afterwards. The flip side is a useful check: if the freelancer tells you the link had already been viewed when they opened it, someone else read the secret, so treat it as compromised and change it.

OneTimeSecret is my favourite so far.

This tool gives you a large text area, so you can share any amount of information in one go. It also lets you set an optional time limit on the link (how long it stays active) and an optional passphrase to protect it. You can then give the passphrase by phone or SMS, which keeps the secret protected if the recipient will not be checking the link immediately or there is any chance of it being intercepted. Never send the passphrase in the same chat as the link.

A few other solutions include 1ty.me, Saltify and password.link.
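To make the burn-on-read behaviour concrete, here is a small Python model of such a service, written for this article as an added example; it is not OneTimeSecret's code or that of any of the tools named above. A secret is filed under a random token that forms the link, can be read exactly once, expires after a time limit, and can be locked with a passphrase that is meant to travel by a different channel such as a phone call. The `status` check is the part worth noting: the sender can see whether the link was viewed, so a freelancer reporting "already used" before they opened it means someone else read the secret. The host name in the usage block at the bottom is made up.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class SecretUnavailable(Exception):
    """The link was already viewed, has expired, or never existed."""


class PassphraseRejected(Exception):
    """A passphrase is required and the one supplied (if any) is wrong."""


@dataclass
class _Entry:
    secret: str
    expires_at: float
    salt: Optional[bytes]             # None when no passphrase was set
    passphrase_hash: Optional[bytes]


class OneTimeSecretStore:
    """In-memory burn-on-read store; `clock` is injectable so expiry can be tested."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._entries: Dict[str, _Entry] = {}
        self._burned: Dict[str, str] = {}   # token -> "viewed" | "expired"

    @staticmethod
    def _hash(passphrase: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

    def create(self, secret: str, ttl_seconds: int = 3600,
               passphrase: Optional[str] = None) -> str:
        """Store `secret`; returns the unguessable token that goes in the link."""
        token = secrets.token_urlsafe(32)
        salt = passphrase_hash = None
        if passphrase:
            salt = secrets.token_bytes(16)
            passphrase_hash = self._hash(passphrase, salt)
        self._entries[token] = _Entry(secret, self._clock() + ttl_seconds,
                                      salt, passphrase_hash)
        return token

    def _expire_if_due(self, token: str, entry: _Entry) -> bool:
        if self._clock() >= entry.expires_at:
            del self._entries[token]
            self._burned[token] = "expired"
            return True
        return False

    def reveal(self, token: str, passphrase: Optional[str] = None) -> str:
        """Return the secret and destroy it; works exactly once."""
        entry = self._entries.get(token)
        if entry is None:
            raise SecretUnavailable(self._burned.get(token, "unknown"))
        if self._expire_if_due(token, entry):
            raise SecretUnavailable("expired")
        if entry.passphrase_hash is not None:
            if passphrase is None or not hmac.compare_digest(
                    self._hash(passphrase, entry.salt), entry.passphrase_hash):
                # A wrong guess does not burn the secret, so the real recipient
                # can still read it; a real service must rate-limit these attempts.
                raise PassphraseRejected()
        # Burn before returning so the link is dead even if the caller then fails.
        del self._entries[token]
        self._burned[token] = "viewed"
        return entry.secret

    def status(self, token: str) -> str:
        """What the sender can check: 'unread', 'viewed', 'expired' or 'unknown'."""
        entry = self._entries.get(token)
        if entry is not None:
            return "expired" if self._expire_if_due(token, entry) else "unread"
        return self._burned.get(token, "unknown")


if __name__ == "__main__":
    store = OneTimeSecretStore()
    token = store.create("wp-admin login: siteadmin / Tr0ub4dor&3", ttl_seconds=900,
                         passphrase="read-out-over-the-phone")
    print("send this in the chat:", f"https://secrets.example/{token}")  # hypothetical host
    print("recipient reads:", store.reveal(token, "read-out-over-the-phone"))
    print("sender checks later:", store.status(token))  # viewed
```

The design choice to notice is that a wrong passphrase leaves the secret in place while a correct read destroys it first and returns it second: the intended recipient can recover from a typo, but nobody can ever get a second look.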

Cloud document sharing

Everyone has access to cloud storage and the ability to share files and documents FOR FREE.

I come across a surprising number of people who are unaware of this, but every Windows user has access to OneDrive by default. It is bundled with Windows and lets you sync up to 5 GB of files to the cloud for free. You can then share those files with anyone simply by sending them a link.

Even if you do not use Windows, you can still get a free Microsoft / OneDrive account.

So you could temporarily put all the information you need to share into a text file or Word document and share a link to that file with your freelancer. Once the job is done, unshare the file and delete it. Where you can, share with the freelancer's account specifically rather than creating an "anyone with the link" link, and note that on personal accounts adding a password or expiry date to a sharing link is a Microsoft 365 subscriber feature.

If you do not know how to share files with OneDrive, then please read this article: “How to share files with others using OneDrive”.

You can also do the same with Google Drive, which you also already have access to if you have a free Gmail account or use Google Workspace.

Use a password manager


Using a password manager is something I recommend to everyone. It will remember all your passwords and other personal info for you, software licenses, bank details etc. It will automatically log you into websites, fill in forms, generate strong passwords for you and more.

Some of the most popular solutions are 1Password, Bitwarden and Dashlane, some of which offer a free edition, although there are many other apps available which vary in features and simplicity.

Password managers are also the most secure way to share logins and other sensitive information with your freelancer and then revoke the share once the job is done. The exact steps vary by product, but typically you choose to share a login, enter the freelancer's email address, and it sends them a share request. If they already use the same password manager, job done; otherwise they simply need to register for the free version in order to accept your share request.

As a result the login details are never pasted into a chat or email in plain text, as the freelancer only ever sees them inside the password manager. Bear in mind that the freelancer can still read and copy the password while the share is active, so revoking the share does not take back what they have already seen; change the password as well once the job is done.

WORDPRESS ACCESS

I am going to mention WordPress specifically because this is something I deal with a lot, since I build, support and manage WordPress websites.

In almost every WordPress job I do, clients will send me their own admin login, which they have sent to every freelancer before me, who still has access as the password has never been changed.

If you need to give someone permanent access, then create a new admin user just for them, and give them the lowest role that lets them do the job (an Editor cannot install plugins or change site settings, so only grant Administrator when it is genuinely needed). If you just need to provide temporary access, then I suggest using the “Temporary Login Without Password” plugin, which lets you create a login that automatically expires after a chosen number of days.
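A quick way to find the leftover accounts described above is to audit the user list rather than trust memory. The Python script below is an added example written for this article, not part of WordPress, WP-CLI or any plugin. It reads the JSON that `wp user list --fields=ID,user_login,user_email,roles,user_registered --format=json` prints (the sample embedded here is constructed), flags any administrator who is not on your expected list and any account from an outside email domain that is older than the temporary-access window, and prints the `wp user delete … --reassign=` command that removes the account while keeping its posts. The allow-list values, the 14-day window and the owner's user ID are assumptions to adjust for your own site.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample in the shape of:
#   wp user list --fields=ID,user_login,user_email,roles,user_registered --format=json
SAMPLE_WP_USER_LIST = json.dumps([
    {"ID": 1, "user_login": "owner", "user_email": "owner@example.com",
     "roles": "administrator", "user_registered": "2019-03-02 10:00:00"},
    {"ID": 5, "user_login": "dev2021", "user_email": "dev@freelance-mail.example",
     "roles": "administrator", "user_registered": "2021-06-14 09:12:00"},
    {"ID": 9, "user_login": "writer", "user_email": "writer@example.com",
     "roles": "editor", "user_registered": "2022-01-05 08:00:00"},
    {"ID": 12, "user_login": "tmp_seo", "user_email": "seo@agency.example",
     "roles": "editor", "user_registered": "2024-02-01 12:00:00"},
])


def _roles(value) -> List[str]:
    # WP-CLI prints roles as a comma-separated string; tolerate a JSON list too.
    if isinstance(value, list):
        return value
    return [r.strip() for r in value.split(",") if r.strip()]


def audit_users(wp_json: str, expected_admins: Set[str], trusted_domains: Set[str],
                max_temp_age_days: int, reassign_to: int,
                now: datetime) -> List[Dict[str, str]]:
    """Return one finding per leftover account, with the WP-CLI command to remove it."""
    findings = []
    for user in json.loads(wp_json):
        login, uid = user["user_login"], user["ID"]
        domain = user["user_email"].rsplit("@", 1)[-1].lower()
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        age = now - registered
        reason = None
        if "administrator" in _roles(user["roles"]) and login not in expected_admins:
            reason = "administrator account not in the expected list"
        elif domain not in trusted_domains and age > timedelta(days=max_temp_age_days):
            reason = (f"external account still present {age.days} days after registration "
                      f"(temporary access window is {max_temp_age_days} days)")
        if reason:
            findings.append({
                "login": login,
                "reason": reason,
                # --reassign hands the user's content to the owner so deleting
                # the account does not delete their posts and pages.
                "fix": f"wp user delete {uid} --reassign={reassign_to}",
            })
    return findings


if __name__ == "__main__":
    for f in audit_users(SAMPLE_WP_USER_LIST, expected_admins={"owner"},
                         trusted_domains={"example.com"}, max_temp_age_days=14,
                         reassign_to=1, now=datetime(2024, 3, 1)):
        print(f"{f['login']}: {f['reason']}\n    {f['fix']}")
```

Run it against real output by piping `wp user list … --format=json` into a file and passing the file contents in place of the sample; review each suggested command before running it, since deleting an account is irreversible.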