Chripify Permissions

I was going to link my Marriott Rewards account to my Twitter and Instagram accounts to take advantage of the #REWARDSPOINTS social promotions and start taking advantage of the Extra Point Sunday Twitter trivia, but Chipify is asking too much.

Twitter permissions requested:

Read Tweets from your timeline. – reasonable
See who you follow, and follow new people. – reasonable
Update your profile. – why do they want/need to be able to update my profile?
Post Tweets for you. – why do they want/need to be able to post tweets?
See your email address. – reasonable

Instagram permissions requested:

Access your basic information: Your media & profile info – reasonable
Access public content: Media & profile info of public users – reasonable
Comment on photos: Post and delete comments on your behalf – why do they want/need to be able to comment?
Follow accounts: Follow and unfollow accounts on your behalf. – why do they want/need to follow/unfollow accounts?

Maximize LastPass Security with a Yubikey

While LastPass is very convenient and I want to be as cautious as possible when putting all of my eggs (passwords) in one basket. I have two factor authentication enabled has native YubiKey support as a second authentication factor

Protections:

LastPass Premium – alows simple use of unique passwords for each account
Typed/Remembered Password – protects from a stolen YubiKey allowing access to your vault
YubiKey OTP – Prevents a keylogger from allowing access to your LastPass Vault
YubiKey Static Password – ensures your Master Password is strong enough to prevent an attacker from brute forcing your password if they are able dump the LastPass database

What you need:

At least 2 YubiKeys. I recommend the YubiKey 4 or YubiKey Neo. Personally, I don’t like the YubiKey Nano 4, because it suggest being left in a computer, which reduces its value as a second factor. The FIDO U2F Security Key will not work for this.
YubiKey Personalization Tool
LastPass Premium

Setup Your YubiKey

YubiKey Programming Dialog (not my real password)

Launch the YubiKey Personalization Tool
Select "Static Password Mode"
Click the "Scan Code" button
Select:
- Configuration Slot 2
- Program Multiple YubiKeys
- Keyboard: US Keyboard
Enter a stong password
Insert each YubiKey, and click "Write Configuration"

Configure LastPass

Add YubiKeys to LastPass

Open your LastPass Vault and Click Account Settings
If you have not already configured your Yubikey as a second factor
1. Click Multifactor Options, Scroll down to yubico, Click the pencil
2. Set Enabled to Yes
3. If you use iOS, you will want to set Permit Mobile Device Access to Allow, even though it is slightly less secure
4. Pick which ever option you like for Permit Offline Access. Since you should only be loging in to LastPass from trusted computers, there not much of a security risk
For each of your YubiKeys, put the cursor in a YubiKey box and press the button on the YubiKey
When all of your YubiKeys have been entered, click Update
Under the General tab, Change Master Password. For your new master password, type a good password (it can be your current password), followed by the password in your YubiKey. This is the only time you will have to type the YubiKey password.

Use

Now when you log into LastPass, you will type your password, insert your YubiKey, press the YubiKey button for 2 seconds. The YubiKey will type its portion of your master password and <enter>. LastPass will prompt you for your second factor. Use a short press on the YubiKey button to enter the YubiKey OTP code.

Mobile Protection

Since my iPhone SE is not compatible with YubiKeys, I had to take a different approach. This one phone is the only mobile device allowed to access my account (restricted by UUID). I authorized it using the Google Authenticator app before disabling Google Authenticator. My phone is protected by TouchID and the LastPass app is protected by a PIN. I store the "YubiKey portion" of my master password in NoteCrypt which is proteced by a different/shorter password.

NoteCrypt https://itunes.apple.com/tc/app/notecrypt-encrypted-notes/id897154139 which appears to be developed by Tom King (LinkedIn). While I can’t audit what NoteCrypt actually does, it says all of the right things about encryption and password based key derivation. It also costs $2.99, so there is an economic model that doesn’t involve ads or selling of user data. Finally, the developer’s LinkedIn profile looks respectable.

Verizon Safety Mode Speeds

11/2/17 Speedtest Results

I used all of my high speed data in my Verizon Plan and was switched into Safety Mode. According to the FAQs, Safety mode is supposed to be limited to 128Kbps. I assume this limit is supposed to apply to all of the time, because the FAQ does not mention "congestion" or "peek times".

So far I have not experienced any slowdowns. Pandora and Netflix stream fine. Speedtest shows 11.35Mbps on my iPhone SE. Since this is the first time I’ve been over, I wonder if this is a grace period or if this is just an bug in Verizon’s system.

Marriott Rewards MORE

Update: November 2, 2017

I guess 3.5 pts / $ at Amazon.com was too good to be true. Last I checked, Amazon is no longer listed as a retailer.

Edited November 1, 2017 to correct actual earning rates in the conclusion.

Marriott’s brand new shopping portal, Marriott Rewards MORE, isn’t ready for prime time, but might be worth the hassle for Amazon.com purchases.

Once you sign in to your Marriott account, the MORE portal shows how many points / $ you can earn. This value appears to take into account all bonuses you are eligible for. The only retailer that stood out to me was Amazon.com. Being a Platinum member and having the Marriott Rewards Premier credit card provides a 50% and 25% bonus respectively. I think it’s better to use a different shopping portal for the other retailers, but this is the only shopping portal where I’ve seen a reasonable value for Amazon purchases.

To take advantage of this, you need to install a browser extension or install the MORE app.

The browser extension adds a big ugly banner to eligible pages.

Extension error in Safari.

First I tried through a browser. As far as I can tell, the HTTPS Everywhere extension in Chrome conflicted with the MORE extension and I didn’t receive points. I tried installing the extension in Safari and Firefox, but it gave errors when trying to load in both browsers and no other extensions.

You start you checkout process like normal, but when you get to the Checkout page, you need to click "Pay now" to select Marriott points before clicking "Place your order".

The checkout page when I didn’t receive points.

I finally downloaded the app (which is not available natively for an iPad). Here I was able to complete my transaction with minimal issues.

For the $56.98 charged, I received 114 base points (2x pts / $), 57 Platinum points (50% bonus = 1x pts / $), and 29 credit card points (25% bonus = .5 points / $) in addition to the 5% back from using my Amazon Store Card. This results in earning 3.5 pts / $. I figure points are work approximately $0.01 each which results in 8.5% back at Amazon.

I figure it’s worth the effort to add items to my shopping cart until I am ready to make the actual purchase through the MORE app.

Maximize Shop through Chase

If you have multiple cards with Chase Ultimate Rewards and you are trying to maximize your points using the Shop through Chase portal, do a quick double check to see if your cards give you different earning rates.

I recently checked Groupon and my Sapphire Preferred offered a 4 pts / $ bonus while my Freedom Unlimited and Freedom both offered 8% extra cash back. Since the Freedom Unlimited gets 1.5% cash back on all purchases, I can get 9.5% cash back on the Freedom Unlimited and transfer that cash back to the Sapphire Preferred.

Sapphire Groupon Bonus

Freedom Groupon Bonus

My current rewards strategy.

tidgubi.com

(computer) tips, security, tools