User-friendly and secure. Hardly anyone would pick either word to describe the vast majority of wireless routers in use today. So naturally I was intrigued a year ago when I had the chance to pre-order a eero, a new WiFi system billed as easy-to-use, designed with security in mind, and able to dramatically extend the range of a wireless network without compromising speed. Here’s a brief review of the eero system I received and installed a week ago.

The standard eero WiFi system comes with three eero devices, each about the width of a square coaster and roughly an inch thick. Every individual eero unit has two built-in WiFi radios that are designed to hand off traffic with the other two units.

This two-radio aspect is important, as most consumer devices that are made and marketed as WiFi range extenders or “repeaters” contain only one radio, and thus end up halving the speed of the repeated WiFi signal.

The makers of eero recommend one device for every 1,000 square feet, and advise placing one device no further than 40 feet from another. Each eero has two ethernet ports in the back, but only one of the eeros needs to be connected directly into your modem with an ethernet cable. That means that a 3-piece eero set has a total of five available ethernet ports, or at least one open ethernet port at each eero location.

Most wireless routers require owners to configure the device by using a hard-wired computer or laptop, opening a browser and navigating to a numeric Internet address to enter some default credentials. From there, you’re on your own. In contrast, the eero system relies on a simple mobile app for setup. The app asks for your name, email address and mobile number, and then sends a text with a one-time passcode.

After you verify the code on your mobile device, the app prompts you to pick a network name (SSID) and password. The device defaults to WPA-2 PSK (AES) for encryption — the strongest security currently available.

Once you’ve assigned each eero a unique location — and as long as the three devices can talk to each other — the network should be set up. The entire process — from placing and plugging in the eeros to setting up the network —  took me about five minutes, but most of that was just me walking from one room or floor to the next to adjust the location of the devices.

MY TAKE?

The eero system did indeed noticeably extend the range of my home WiFi network. My most recent router — an ASUS RT-N66U, a.k.a the “Dark Knight” — cost about $150 when I bought it, but it never gave me coverage throughout our three-level home despite multiple experiments with physical placement of the device. In contrast, the eero system extended the range of my network throughout our home and to about a dozen meters outside the house in every direction.

In fact, I’m now writing this column from a folding chair in the front lawn, something I couldn’t do with any router I’ve previously owned. Then again, a wireless network that extends well beyond one’s home may actually be a security minus for those who’d rather not have their network broadcast beyond their front porch or apartment walls.

This is a good time to note one of eero’s best features: The ability to add guests to your wireless network quickly and easily. According to an interview with eero’s co-founder (more on that below), the firewall rules that govern any devices added to a eero guest network prevent individual hosts from directly communicating with any other on the local network. With a few taps on the app, guests are invited to join via a text or email message, and the invite contains the name (SSID) of the guest wireless network and a plaintext password.

There are a few aspects about the eero system that may give pause to some readers — particularly the tinfoil hat types and those who crave more granular control over their wireless router. Control freaks may have a hard time letting go with the eero — in part because it demands a great deal of trust — but also because frankly it’s a little too easy to set up.

There aren’t a lot of configuration options available in the app. eero says it is working on rolling out new features and options, and that it’s so far been focused on getting shipping all of the pre-ordered units so that they work as advertised. This is a WiFi system that I can see selling very nicely to relatively well-off consumers who don’t know or don’t want to know how to configure a wireless router.

To be clear, the eero is not a cheap WiFi system. I paid $299 for my three eeros, and that was at the pre-order rate. The same package now retails for $499. In contrast, your average, 4-port consumer WiFi router sells for about $45-$50 at the local electronics store and will do the job okay for most Internet users.

Another behavior central to the eero that is bound to be a sticking point with some is that it is regularly checking for or downloading new security and bug updates from the cloud. This may be a huge change for consumers accustomed to configuring all of this themselves, but overall I think it’s a positive development if done right.

For starters, the vast majority of consumer grade routers ship with poorly written and insecure software, and often with unnecessary networking features turned on. It’s a fair bet that if you were to buy a regular WiFi router off the shelf at the local electronics store, that software or “firmware” that powers that device is going to be out-of-date and in need of updating straight out of the box.

Worse still, most of these device will remain in this default insecure state for the remainder of their Internet-connected lifespan (which is probably at least several years), because few consumer routers make it easy for consumers to update, or even alert them that the devices need updates. There are so many out-of-date and insecure routers exposed to the Internet now that it’s not uncommon to find criminal botnets made up entirely of hacked home routers.

True, geeks who feel at home tinkering with open-source router firmware can void their warranty by installing something like DD-WRT or Tomato on a normal wireless router, and I have recommended as much for those with the confidence to do so. But I also am careful to note that anyone who updates their router with third-party firmware but fumbles a crucial step can quickly be left with an oversized and otherwise useless paperweight.

INTERVIEW WITH EERO CEO/CO-FOUNDER

I wanted to know more about the security design that went into the eero, and fortunately was in eero’s hometown of San Francisco last week for the RSA Security conference. So I dropped by the company’s headquarters and got to sit down briefly with the company’s CEO and co-founder, Nick Weaver.

“The way we designed the eero system in general is that it’s a distributed system that runs in your home, and the system we use to deliver that experience is also a distributed system,” Weaver explained. “In your home, the system distributes the load of clients, compute, updates, and diagnostics across the units in your home. We also have a cloud with a distributed architecture, and that’s what allows the eero networks to update an configure themselves automatically.”

BK: Where does that distributed cloud architecture live?

NW: Today it’s Amazon, and everything is hosted on AWS. There’s a high frequency [of check-ins] but not a lot of traffic.  There is very little information exchanged. Only diagnostic info that explains how the links between the eeros are doing. You can think of it as a network engineer in the sky who helps ensure that your network is configured properly.

BK: How does the eero know the updates being pushed to it are from eero and not from someone else?

NW: Every update is signed by a key, and that key is locked away at [the bank].

BK: Does eero collect any other information about its users?

NW: There is no information collected ever about where you go on the Internet or how your connection is being used. That is not information that’s interesting to us. The other co-founder studied networking and security and contributed quite a bit to the Tor Project. We’ve got all the right tensions in our founding team. Security is really important. And it’s been totally underestimated by all the existing players. As we’re discovering more and more security vulnerabilities, we have to be able to move quickly and deploy quickly. Because if you don’t, you’re doing a disservice to your customers.

Would you buy a eero system? Sound off in the comments below.

Update 12:58 p.m. ET: Corrected the price of the 3-eero unit.

Microsoft today pushed out 13 security updates to fix at least 39 separate vulnerabilities in its various Windows operating systems and software. Five of the updates fix flaws that allow hackers or malware to break into vulnerable systems without any help from the user, save for perhaps visiting a hacked Web site.

The bulk of the security holes plugged in this month’s Patch Tuesday reside in either Internet Explorer or in Microsoft’s flagship browser — Edge. As security firm Shavlik notes, Microsoft’s claim that Edge is more secure than IE seems to be holding out, albeit not by much. So far this year, Shavlik found, Edge has required 19 fixes versus IE’s 27.

Windows users who get online with a non-Microsoft browser still need to get their patches on: Ten of the updates affect Windows — including three other critical updates from Microsoft. As always, Qualys has a readable post about the rest of the Microsoft patches. If you experience any issues with the Windows patches, please share your experience in the comments below.

As it is known to do on patch Tuesday, Adobe issued security updates for its Reader and Acrobat software. Alas, there appears to be no update for Adobe’s Flash Player plugin as per usual on Patch Tuesday. However, an Adobe spokesperson told KrebsOnSecurity that the company will be issuing a Flash Player update on Thursday morning.

Citing ongoing security concerns, the Internal Revenue Service (IRS) has suspended a service offered via its Web site that allowed taxpayers to retrieve so-called IP Protection PINs (IP PINs), codes that the IRS has mailed to some 2.7 million taxpayers to help prevent those individuals from becoming victims of tax refund fraud two years in a row. The move comes just days after KrebsOnSecurity first exposed how ID thieves were abusing the service to revisit tax refund on innocent taxpayers two years running.

Last week, this blog told the story of Becky Wittrock, a certified public accountant (CPA) from Sioux Falls, S.D., who received an IP PIN in 2014 after crooks tried to impersonate her to the IRS. Wittrock said she found out her IP PIN had been compromised by thieves this year after she tried to file her tax return on Feb. 25, 2016. Turns out, the crooks beat her to the punch by more than three weeks, filing a large refund request with the IRS on Feb. 2, 2016.

The problem, as Wittrock’s case made clear, is that IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax. These so-called knowledge-based authentication (KBA) or “out-of-wallet” questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.

In a statement issued Monday evening, the IRS said that as part of its ongoing security review, the agency was temporarily suspending the Identity Protection PIN tool on IRS.gov.

“The IRS is conducting a further review of the application that allows taxpayers to retrieve their IP PINs online and is looking at further strengthening the security features on the tool,” the agency said.

According to the IRS, of the 2.7 million IP PINs sent to taxpayers by mail for the current filing season, about 5 percent of those – approximately 130,000 – used the online tool to try retrieving a lost or forgotten IP PIN. The agency said that through the end of February 2016, the IRS had confirmed and stopped 800 fraudulent returns using an IP PIN.

“For taxpayers retrieving a lost IP PIN, the IRS emphasizes it has put strengthened processes and filters in place for this tax season to review these tax returns,” the statement continued. “These strengthened review procedures – which are invisible to taxpayers – have helped detect potential identity theft and stopped refund fraud. Taxpayers who have been issued an IP PIN should continue to file their tax returns as they normally would. The online tool is primarily used by taxpayers who have lost their IP PINs and need to retrieve their numbers. Most taxpayers receive their IP PIN via mail and never use the online tool.”

Eight hundred taxpayers may not seem like a lot of folks impacted by this security weakness, but then again the IRS doesn’t release stats on fraud it may have missed. Also, the agency has a history of significantly revising the victim numbers upwards in incidents like these.

For example, the very same weakness caused the IRS last year to disable online access to its “Get Transcript” feature (the IRS disabled access to the Get Transcript tool in May 2015). The IRS originally said a little over 100,000 people were impacted by the Get Transcript weakness, a number it later revised to 340,000 and last month more than doubled again to more than 700,000 taxpayers.

Email scam artists last week tricked an employee at data storage giant Seagate Technology into giving away W-2 tax documents on all current and past employees, KrebsOnSecurity has learned. W-2 forms contain employee Social Security numbers, salaries and other personal data, and are highly prized by thieves involved in filing phony tax refund requests with the Internal Revenue Service (IRS) and the states.

According to Seagate, the scam struck on March 1, about a week after KrebsOnSecurity warned readers to be on the lookout for email phishing scams directed at finance and HR personnel that spoof a letter from the organization’s CEO requesting all employee W-2 forms.

KrebsOnSecurity first learned of this incident from a former Seagate employee who received a written notice from the company. Seagate spokesman Eric DeRitis confirmed that the notice was, unfortunately, all too real.

“On March 1, Seagate Technology learned that the 2015 W-2 tax form information for current and former U.S.-based employees was sent to an unauthorized third party in response to the phishing email scam,” DeRitis said. “The information was sent by an employee who believed the phishing email was a legitimate internal company request.”

DeRitis continued:

“When we learned about it, we immediately notified federal authorities who are now actively investigating it. We deeply regret this mistake and we offer our sincerest apologies to everyone affected. Seagate is aggressively analyzing where process changes are needed and we will implement those changes as quickly as we can.”

Asked via email how many former and current employees may have been impacted, DeRitis declined to be specific.

“We’re not giving that out publicly — only to federal law enforcement,” he said. “It’s accurate to say several thousand. But less 10,000 by a good amount.”

Naturally, Seagate is offering affected employees at least two-years’ membership to Experian’s ProtectMyID service, paid for by the company. Too bad having credit monitoring through Experian won’t protect employees from the real threat here — tax refund fraud.

As I noted in last month’s warning about W-2 phishing, fraudsters who perpetrate tax refund fraud prize W-2 information because it contains virtually all of the data one would need to fraudulently file someone’s taxes and request a large refund in their name. Indeed, scam artists involved in refund fraud stole W-2 information on more than 330,000 people last year directly from the Web site of the Internal Revenue Service (IRS). Scammers last year also massively phished online payroll management account credentials used by corporate HR professionals.

According to recent stats from the Federal Trade Commission, tax refund fraud was responsible for a nearly 50 percent increase in consumer identity theft complaints last year. The best way to avoid becoming a victim of tax refund fraud is to file your taxes before the fraudsters can. See Don’t Be A Victim of Tax Refund Fraud in ’16 for more tips on avoiding this ID theft headache.

Update, March 7, 12:36 p.m. ET: Several readers have forwarded news reports about other companies similarly victimized in W-2 phishing scams, including mobile communications firm Snapchat and GCI, an Alaskan ISP and telecom provider that handed thieves some 2,500 employee W-2’s.

A number of credit unions say they have experienced an unusually high level of debit card fraud from the breach at nationwide fast food chain Wendy’s, and that the losses so far eclipse those that came in the wake of huge card breaches at Target and Home Depot.

As first noted on this blog in January, Wendy’s is investigating a pattern of unusual card activity at some stores. In a preliminary 2015 annual report, Wendy’s confirmed that malware designed to steal card data was found on some systems. The company says it doesn’t yet know the extent of the breach or how many customers may have been impacted.

According to B. Dan Berger, CEO at the National Association of Federal Credit Unions, many credit unions saw a huge increase in debit card fraud in the few weeks before the Wendy’s breach became public. He said much of that fraud activity was later tied to customers who’d patronized Wendy’s locations less than a month prior.

“This is what we’ve heard from three different credit union CEOs in Ohio now: It’s more concentrated and the amounts hitting compromised debit accounts is much higher that what they were hit with after Home Depot or Target,” Berger said. “It seems to have been been [the work of] a sophisticated group, in terms of the timing and the accounts they targeted. They were targeting and draining debit accounts with lots of money in them.”

Berger shared an email sent by one credit union CEO who asked not to be named in this story:

“Please take this Wendy’s story very seriously. We have been getting killed lately with debit card fraud. We have already hit half of our normal yearly fraud so far this year, and it is not even the end of January yet. After reading this, we reviewed activity on some of our accounts which had fraud on them. The first six we checked had all been to Wendy’s in the last quarter of 2015.”

All I am suggesting is that we are experiencing much high[er] losses lately than we ever did after the Target or Home Depot problems. I think we may be end up with 5 to 10 times the loss on this breach, wherever it occurred. Accordingly, please put this story in the proper perspective.”

Wendy’s declined to comment for this story.

Even if thieves don’t know the PIN assigned to a given debit card, very often banks and credit unions will let customers call in and change their PIN using automated systems that ask the caller to verify the cardholder’s identity by keying in static identifiers, like Social Security numbers, dates of birth and the card’s expiration date.

Thieves can abuse these automated systems to reset the PIN on the victim’s debit card, and then use a counterfeit copy of the card to withdraw cash from the account at ATMs. As I reported in September 2014, this is exactly what happened in the wake of the Home Depot breach.

Berger said NAFCU’s members are still trying to figure out whether they should just reissue cards for any customers who ate at Wendy’s anytime recently. After all, the restaurant chain hasn’t yet said how long the breach lasted — or indeed if the breach is even fully contained yet.

This brings up a fascinating phenomenon that occurs with card fraud linked to breached retailers or restaurants that customers patronize frequently. I recently spoke with a bank security consultant who was helping several financial institutions deal with the fallout from the Wendy’s breach. The consultant, who spoke on condition of anonymity, said many of his client banks had customers who re-compromised their cards several times in a month because they ate at several different Wendy’s locations throughout the month.

“A lot of them are kind of having a tough time because of they’re having trouble putting context around the exposure window, and because customers keep re-compromising themselves,” the consultant said. “The banks are reluctant to keep re-issuing cards if the cards are going to get re-compromised over and over because some customers just have to have their hamburgers each week.”

Many banks and credit unions are now issuing more secure (and more expensive to manufacture) chip-based credit and debit cards. The chip cards — combined with chip card readers at merchant cash registers — are designed to make it much harder and more expensive for thieves to counterfeit stolen cards. It’s not for certain yet but seems likely that the breached Wendy’s locations were not asking customers to dip their chip cards but instead swipe the card’s magnetic stripe.

Curious about why so many retailers have chip-enabled credit/debit card terminals and yet still ask customers to swipe? Check out The Great EMV Fakeout: No Chip For You! For a primer on why so many financial institutions in the United States are adopting chip-and-signature over chip-and-PIN, see this piece.