Citizens Bank Resolution…At Long Last



After six months of seemingly never-ending delays and frustration, my saga with Citizens Bank is finally resolved.  The resolution is a credit to a very empathetic and helpful woman named Amelia at the New Hampshire Banking Commission.

After lodging complaints with the New Hampshire Attorney General’s Office and the United States Comptroller of the Currency and reopening the report we filed with the Portsmouth, New Hampshire Police Department, Citizens Bank finally did the right thing, in under a week.  The AG’s office referred the case to the Banking Commission and even though Citizens Bank is not under the enforcement of the State, Amelia reached out to her contacts at Citizens Bank and got the President of the NH/VT region for Citizens Bank to call me.

After speaking with the President and describing the situation, a check for my mother’s missing money is on the way.  No more affidavits, no more back and forth phone calls, letters and frustrations.  On Friday, the woman at the Office of the Chairman called to provide the tracking information for the payment and to see how I wanted to resolve the matter of the overdraft on our personal account, after the account was confirmed permanently closed.  I requested that in light of the fact that Citizens Bank was not returning my mother’s money with interest, I felt it would be a proper gesture of good will on the bank’s part to just make this matter go away and remove the negative report on our account.  Within hours, she called me back to let me know my request had been approved.

This long, frustrating saga is finally resolved.  I leave it to you to draw your own conclusions about Citizens Bank.  I still strongly feel that Citizens Bank is one hundred percent responsible for what happened.  I am thankful that they finally did what was right and are returning my mother’s money and erasing any remaining issues on our personal accounts.  At the end of the day, none of this ever should have happened and that’s what still concerns me most.  I can only hope that this situation will cause Citizens Bank to investigate thoroughly how this happened and why it took six months and the involvement of so many agencies and resources to resolve.

What A Great Cybersecurity Event


This morning, Onepath hosted a cybersecurity event at the Harvard Club in Downtown Boston.  Over my career, I have participated in many events like this, but I have to say that this was the best event that I have been fortunate to be a part of.  Every attendee echoed similar thoughts.


We billed this event as a fireside chat.  The main speakers were Brian Shield, VP/IT for the World Champion Boston Red Sox and Eric Rosenbach, Co-Director of the Harvard Kennedy School’s Belfer Center for Science and International Affairs and former Assistant Secretary of Defense for Global Security.

The discussion with Brian and Eric was outstanding.  They made things so relatable and for individuals with their experience and responsibilities, they were so humble, down to earth and relatable.  They had the room riveted the entire time.  Thank you to everyone who came out for this event!

Following are some of the highlights from the chat:

  1. Ransomware like the latest LockerGoga will continue to be problematic and most likely grow. The worst Ransomware came from NSA and DoD leaks of offensive cyber weapons.
  2. Nation States will continue to lead bad actors. It’s an asymmetric weapon that non-democratic countries can use against more powerful western countries.  Many countries are unable to compete with the traditional military power of the United States and NATO, but hacking and other cyber weapons and attacks level the playing field.  North Korea uses ransomware and other cybercrime to raise money to get around sanctions. Look for more info ops like what the Russians did in the 2016 elections.
  3. AI will help defensively, but we need to look out for info ops that may look very real but be fake. Think of online videos from a political candidate that’s not really the candidate. How do we know what’s real and what’s not?
  4. Cybersecurity is a holistic approach. It’s not just technology, it’s a leadership issue. CEOs and boards need to have raised awareness.
  5. Incident response plans are critical. The plan must be tested as you don’t want to test it when you first have to activate it.
  6. Cyber security is very interconnected. Private industry is being targeted. We are all on the front line. It’s important to the national security of our country to educate our workers on how to remain safe.  Eric feels this is a duty we have to our country. We must address the threat. We need to change the culture and improve investment.
  7. Social Media monitoring can give you insight into whether or not your organization may be targeted.
  8. Worry about the threat actor that infiltrates and hangs around for several months. That’s a big concern of Brian’s.
  9. Your corporate assets are highly vulnerable in foreign countries like China.  It was recommended to never bring your personal or corporate cell phone or computer.  Get a burner, solely for the trip.
  10. Your reputation may hang on your supply chain! Be sure they have good cybersecurity and put requirements and penalties into your contracts.
  11. Everyone should be using 2FA.

I wrapped up the chat by sharing a few stories that reinforced some of the above.  Finally, I concluded with the following closing statement from recent CompTIA testimony before the US Senate Committee on Small Business and Entrepreneurship titled “Cyber Crime: An Existential Threat to Small Business” delivered by CompTIA EVP Elizabeth Hyman:

“While the challenge that lies ahead of us can seem overwhelming and almost too great a burden to bear, it is one we cannot afford to ignore. By working together and continuing to embrace the private-public partnership that has long benefited the cybersecurity ecosystem, we can do a great deal to help better prepare small businesses, and business of all sizes, for the cybersecurity threats they are facing.”

What’s your plan for addressing your cybersecurity risks and educating your workforce on their role?

Technology Employment Expands


Following up on my post from a week ago, How Do We Fill Millions Of Open Tech Jobs?, I wanted to share some really interesting stats from CompTIA’s newly released Cyberstates 2019 report.

According to the report, more than a quarter million tech jobs were created last year.

Here are a couple of interesting stats for the New England region:

  • New Hampshire had the second strongest growth in tech jobs at 4.2%.
  • Massachusetts had the highest concentration of tech workers at 11.3%.

“Cyberstates 2019 (#cyberstates) is based on CompTIA’s analysis of data from the U.S. Bureau of Labor Statistics, the U.S. Bureau of Economic Analysis, EMSI, Burning Glass Technologies Labor Insights, and other sources. Estimates for 2018 are subject to change as government data is revised and updated. The full report, with complete national, state and metropolitan level data, is available at”


Great Two Factor (2FA) Resource


I’m sure you’ve heard the term 2FA, which is IT lingo for Two Factor Authentication, also known as Multi-Factor Authentication.  2FA keeps your accounts secure by requiring more than just a username and password to log in.  This is the best and simplest way to keep your online accounts secure and keep the hackers away.

If you have ever logged in to a web site that required you to use an app, after entering your username or password, or sent you a text with a code to enter, you’ve used 2FA.  I’ve written several blog posts about 2FA as well.

Microsoft Authenticator App-The New 2FA Kid on the Block and 2 Factor Authentication Should No Longer be Optional are two such posts.  If you search this blog for Cyber Security tag, you will find several more.

One of the challenges with 2FA is knowing which software and services support it.  There is a fantastic web site that tracks exactly this.  You can search for web sites and services that you use or click on a category to see all of the options.  Even better, the site lets you know how 2FA is supported and if it’s not, it provides a way for you to contact the vendor and ask that they support 2FA.  This appears to be a crowd sourced site, but it is a great resource that I recommend you save and refer to often.

Two Factor Auth (2FA)


Cybersecurity Event March 28th In Boston


Onepath is hosting a really unique cybersecurity event this week on Thursday at the Harvard Club in downtown Boston.  I’m honored to be among a great group of speakers.  Headlining this event will be a fireside chat with Brian Shield, Vice President/Information Technology for our World Series Champion Boston Red Sox and Eric Rosenbach, Co-Director of Harvard Kennedy School’s Belfer Center for Science and International Affairs and former Assistant Secretary of Defense for Global Security.

This promises to be a very special event with a level of insight and discussion not often found in such an intimate and informative way.  I’m excited to see several of our clients and meet the other organizations who have registered to attend.

There are still a few seats available before we start building out our waiting list, so if you are interested, please click this link to register.


AVOID Citizens Bank At All Cost


This is a follow-up to my post Alert for Citizens Bank Customers from November 2018.  For nearly the past six months, I have been trying to recover funds withdrawn from two different accounts with Citizens Bank that were the victim of check fraud.  In the process, I have come to realize that Citizens Bank is perhaps the worst bank I have ever worked with in my life.  The number of obstacles and delays that I have encountered is almost unbelievable.  The lack of concern for a client, who is the victim of a crime that looks like an inside job at the bank, is astounding.  Here is an update, based on the original post linked above:

  1. The check fraud perpetrated against my personal account has been refunded.
  2. The ACH fraud perpetrated against my mother’s account has been refunded.
  3. Six fraudulent checks drawn on my mother’s account amounting to almost $5,000 have NOT been refunded.
  4. Funds were withdrawn from my personal account in January 2019 that were not initiated by us.  Citizens charged that same account $90 in overdraft fees as it was at a zero balance, because it was permanently closed on November 5, 2018 when we reported the fraud.

So, where does this stand?

Citizens Bank is now asking that I sign new affidavits to even investigate the fraud on my mother’s account that has yet to be returned.  My mom passed away in late November 2018, so this ongoing matter prevents us from moving forward to complete the affairs of her Estate.  The day we reported the check fraud on our account and hers, we signed and notarized affidavits at Citizens Bank.  Citizens Bank investigated and repaid the check fraud on our personal account, but hasn’t done a thing with the check fraud on my mom’s.  They have sent me new affidavits two prior times, each of which was wrong.  They asked me to attest that we had not signed the checks in question.  The signature is not the issue.  Another set asked that we send the affidavits to the payee, who is the criminal that perpetrated the fraud.  Sure, let’s send the crook an affidavit to sign and notarize.  That makes sense.  The internal controls at Citizens Bank seem to be nonexistent.  Below are copies of the backs of all of the fraudulent checks that Citizens Bank paid.  They look remarkably similar, don’t they?

These images represent six fraudulent checks, presented against two different accounts over a period of a few days.  The original post shows the front of these checks.  These backs clearly show it is the same person’s handwriting.  So, given that one fraud case was able to be researched and refunded using the original affidavit, why is it that the larger fraud case is not?  This is the same type of fraud and the same perpetrator, yet Citizens Bank seems unable to even research this.  Why?  They know who they paid these checks to.  Why haven’t they demanded these funds back from that bank, where the thief is doing their handiwork?

We also have a letter from Citizens Bank, on their letterhead, signed by the Assistant Branch Manager confirming that our accounts were permanently closed due to extreme fraud.  Here is a slightly redacted copy of that letter, as I do not hold the manager who signed this at fault for this terrible situation.


I post this letter, because how could Citizens Bank process charges and assess us overdraft fees on a permanently closed account?  They did and then charged it off and reported us to an agency that monitors delinquent checking accounts.  Clearly, no one is paying attention to what is going on within the bank.

Over the last six months, I finally was able to get this case escalated to the Office of the Chairman and have been in contact with a woman there for the last month.  It is under her escalated watch that this charge off took place and the fourth request for new affidavits has been received.  Throughout, we the victims are made to feel like this is our fault and the burden is solely on us to push and push and push for resolution.  Not once has Citizens Bank accepted responsibility for this ongoing saga, not even when refunding two of the fraud cases.  The funds just appeared, with no admission of responsibility.

Just this week, I requested to speak with the manager of the person in the Office of the Chairman as I am at my wits’ end with how to make progress.  Would you believe that she would only provide the manager’s first name?  A very common first name no less.  There must be hundreds of Citizens Bank employees with this person’s name.  I had to push hard before she would finally provide me with this person’s phone number, but never her last name.  I left this manager a message yesterday, after waiting over 24 hours to hear from her.  I have yet to have my phone call returned.

This is the type of bank Citizens Bank is.  I urge anyone who banks with them to find another bank before you become victimized by their lack of internal controls and accountability.

Fortunately, our local police department has assigned a detective to our case and the State AG’s office has engaged the State Banking Commission and the US Comptroller of the Currency to try to help us.  I’m hoping by increasing the pressure on the bank that someone of reason will become involved and refund the money that has been illegally held from us for the past six months.  Any bets on whether or not they pay us interest on these funds they have illegally withheld from us?

How Do We Fill Millions Of Open Tech Jobs?


Todd Thibodeaux is the CEO of CompTIA, the Computing Technology Industry Association, the non-profit, global tech trade association connecting innovators with experienced technology solution providers, who together, are actively redefining the state of business technology.

I have had the pleasure of knowing Todd for the past 10+ years, since the time when he interviewed for the CEO job.  We have worked together in many capacities, most recently during my service to the Board of Directors of CompTIA.  I consider Todd a valued professional colleague and a friend.  His vision for tech and how CompTIA can advance tech on the global stage is inspiring.  Todd and his team do amazing work, every day, to help more people enter the tech workforce and to help tech play an ever more important role in just about every aspect of our personal and professional lives.

One of the critical issues facing the tech industry in recent years is a severe skills shortage.  In my own professional life, hiring is one of the most difficult things we deal with as the labor market is so tight.  As a nation and a global society, the number of open tech jobs poses a real threat to our ability to progress and confront new challenges.

Todd wrote the following “Last Word” article for the current issue of CompTIA World magazine, the member magazine of CompTIA.  I think what Todd has written is so important, that I wanted to share it here on my blog.  I hope you find it as valuable as I do.

If you’d like to read this piece online, you may access CompTIA World’s online edition here and jump to Page 80.  Otherwise, read on…

CompTIA CEO Todd Thibodeaux describes 10 ways we’re going to get there.


by Todd Thibodeaux

There are 36 million people in the global workforce today, and four million open tech positions globally – a gap of about 10 percent.

Expect that number to get even bigger.
The number of open tech jobs has hit almost 800,000 in the U.S. All those people are not going to come from university degree programs and the traditional places from which we’ve been able to source our tech workforce in the past. We have to think of new things to do now to feed the tech talent pipeline as we go forward. Here’s how we’ll get there – in 10 steps.

1. Bridge the Confidence Gap
We need to get more people to recognize they can work in the industry; to realize it’s not this mysterious, magical place that requires you to be Einstein or Stephen Hawking. Anybody can acquire the skills to come into tech. I ask everybody to talk to young people, to talk to people who are transitioning from one career to another, someone who’s not satisfied with their career, to say “Hey, you should actually look at tech, because you can acquire the skills to work in this industry.”

2. Realize Parents Are Part of the Problem and the Solution
Parents a lot of times will mirror the things that they think they’re capable of, and then they’ll impress those upon their kids, thinking “Well, I was doing this type of job, my kid can do that.” So, we’re doubling our efforts this year to target parents to get that message more effectively to kids that they can work in the tech industry. We have to get parents to think more broadly about the industry and the types of people who can work in the

3. Stop Emphasizing Math and Science as Integral to Success in a Tech Career
Speaking on CNBC last year, LinkedIn CEO Jeff Weiner recommended we stop focusing so much on coding, math and science and focus more on developing soft skills in our incoming workforce. People who start with strong sets of soft skills tend to do better when they get out into the workforce and can then acquire tech skills. Soft skills are so important; you don’t see people sitting down doing differential equations and calculus, or algebra even, in their day-to-day jobs.

4. Devote A Lot More Attention to Teacher Training
We’re going to dramatically see the brain-drain that we’ve seen in other industries in the tech learning space. Teachers who are teaching tech today are in their fifties and sixties and they’re going to be retiring. We don’t have that young pipeline of teachers coming up who have the technical knowledge and skills to fill that gap. We need to do a lot more right now to build the next generation of tech teachers.

5. Reintegrate a Full Tech Curriculum in Pre-University Education Programs
When you think about tech companies in general, the majority of people who are working for pure tech companies aren’t even in tech roles. They’re in marketing, sales, logistics, finance – you name it. From an education standpoint, we need to move away from the idea that you can do everything with just coding. We see more and more schools coming around to the idea that they need to reintegrate a full tech curriculum. We need this full perspective of what the industry really has and what it means, so kids see the full breadth of jobs.

6. Deemphasize University Degrees and Emphasize Pre-Employment Training
In my opinion, there’s virtually no entry level job that requires three to five full years of school. You can take just about anybody and give them six to nine months of training in a particular field and, if they have the ambition and drive, they can do it without having to go through the whole university degree process accumulating all this debt. We prove that every day in our IT-Ready program, where we take people who have no tech background – some of them have never even turned on a computer – and eight weeks later they’re job ready.

7. Start Building an Education System Now for a Future of AI, Robots And VR
Emerging technologies can change an entire industry environment; to where we might have 40 percent of the workforce globally being disrupted, losing their jobs entirely or being asked to completely re-skill. The education system that we have today is unequipped and this idea that you have to go back to school if you want to shift career fields just doesn’t make sense if it’s on a huge scale. So, we need to create a system that can accommodate disruptive technologies like AI, robotics and VR.

8. Grades 9 to 12 Should Be More About Helping Kids Find Out What They’re Good At
Schools are doing what they think is a really good job of preparing kids but spending all this time cramming them full of knowledge that they’ll probably never use. Today, so much of that information, if you need it you can find it almost instantly – we’re in a Google-era and all this information is available. We can do a lot better job of helping kids understand what things they might be good at and, because we know what kinds of skills are needed in particular job roles and industries, steering kids in that direction.

9. Employers Have to Step Up and Do Their Part
Right now, we have employers being extremely picky; tending to only hire people who meet their exact qualifications and specifications for a job. But all those people are already working for somebody else. The market is tapped out. You have to be willing to take people who are only halfway there. Further, employers need to start looking in non-traditional places in nontraditional ways. They just keep posting ads in the exact same spots with the exact same qualifications – including college degrees.

10. Soft Skills Are More Important Than Entry-Level Knowledge In Most Cases
In any industry, if you ask employers what are the most important skills they see coming in, it’s not degrees, it’s not certifications … it’s soft skills and the ability to come in and be a functioning, communicative part of the team from day one. That’s the most important skill-set that we need to have for kids. So, if you know young people who seem to be great communicators and have soft skills, absolutely encourage them to work in the industry because it’s one of the best places that you can go.

Be Sure Office 365 Is Secure


This article was published in the March 17, 2019 editions of Foster’s and Seacoast Sunday.

If your business uses Office 365, you need to be sure that you secure your tenant. As more and more businesses embrace Office 365 for email and the host of other services that come with it, hackers have increased their attempts to compromise the service. You’d be surprised how frequently Office 365 tenants are compromised due to a lack of best practices to ensure its security.

Some of the most common compromises involve email phishing attacks, when hackers send you an email that looks amazingly legitimate, but is not. The email often asks you to log in to your Office 365 account to reset your password, check your email quarantine or some other reason. Unless you check the links to confirm where they are taking you, you could very easily log in to a compromised web site that exists solely for the purpose of capturing your username and password. Once captured, a hacker is able to mirror your email account or worse.

In some cases, hackers may use specific code to insert rules into your mailbox to forward every email you send and receive to the hacker’s email account. In this example, hackers monitor your email traffic with the intent of spoofing your email and sending email messages that look to be from you, but are really from the hacker. This is how many hackers steal money, by impersonating an actual user and sending requests for funds to be electronically transferred that may seem legitimate, but are far from it. On the surface, this may seem hard to believe, as you would think common sense would prevent someone from doing this. However, millions of dollars are lost every year to scams like this.

So, with increasing attacks against a very robust and popular email service, what should you do? For one, be sure you have an experienced resource to set up your Office 365 accounts that knows how to properly secure them. In its default configuration, Office 365 offers reasonable protections, but it is not hardened to prevent targeted attacks like the one described above and countless others.

It should go without saying that your user accounts should be set up with complex passwords that are required to be changed every 90 days. In most organizations, these accounts should be tied to your organization’s Active Directory as well. It should also go without saying that you should enable 2 Factor Authentication, which is included with Office 365, to further secure your accounts and prevent most of these attacks from being successful.

There are many advanced hardening techniques that should be used. These include things like enabling all logging on the accounts. Should you ever suspect an issue, these logs will be critical to finding the data to validate whether or not you have been compromised. There are several highly technical elements to hardening Office 365 that I will not go into here as it will not mean much to non-technically oriented readers.

A simple technique you can employ to help limit your risk of suffering a successful phish is to brand your Office 365 logon screen. Most hackers will not go through the added effort to determine if your organization is using a branded login page. By changing this page from its defaults, you can help avoid the risk of users being tricked into entering their username and password into a compromised web page.

Like any online service, even those exposed to the Internet from internal networks, it is critically important to properly secure your systems. These risks are in no way unique to Office 365. The point is, you can’t settle for default configurations. Once hardened, you then need to be sure you have proper monitoring and alerting in place, so that you know of any and all attempts to compromise your systems.
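The mailbox forwarding rules and the logging described above come together in a simple detection: sweep exported audit records for rule or mailbox changes that forward mail outside the organization. The following is an added example, not part of the original article; the record layout (one JSON object per line with `Operation`, `UserId` and a `Parameters` list) is an assumption modeled on Exchange audit entries, and the sample records, `contoso.example` and `mailbox.example` are constructed placeholders.

```python
import json
import re

# Assumption: domains the organization owns; every other domain counts as external.
INTERNAL_DOMAINS = ("contoso.example",)

# Exchange cmdlets that can set up forwarding, and the parameters that carry the target.
FORWARDING_PARAMS = {
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-Mailbox": {"ForwardingSmtpAddress", "ForwardingAddress"},
}

# Constructed sample records (not real log data), one JSON object per line.
SAMPLE_LOG = """
{"CreationTime": "2019-03-11T09:14:02", "Operation": "New-InboxRule", "UserId": "alice@contoso.example", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "collector@mailbox.example"}]}
{"CreationTime": "2019-03-11T10:02:40", "Operation": "New-InboxRule", "UserId": "bob@contoso.example", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"}]}
{"CreationTime": "2019-03-12T08:30:11", "Operation": "Set-InboxRule", "UserId": "carol@contoso.example", "Parameters": [{"Name": "ForwardTo", "Value": "helpdesk@contoso.example"}]}
{"CreationTime": "2019-03-12T23:51:07", "Operation": "Set-Mailbox", "UserId": "dave@contoso.example", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:archive@mailbox.example"}]}
{"CreationTime": "2019-03-13T01:00:00", "Operation": "New-Inbox
""".strip().splitlines()

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)")


def is_internal(domain):
    """True for an owned domain or one of its subdomains."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def external_recipients(value):
    """Pull every SMTP address out of a parameter value and keep the external ones.

    Values that name a recipient by display name or alias contain no address
    and are not resolved here.
    """
    return [
        m.group(0).lower().rstrip(".")
        for m in ADDRESS_RE.finditer(value)
        if not is_internal(m.group(1))
    ]


def find_external_forwarding(lines):
    """Return one alert per forwarding parameter that targets an external address."""
    alerts = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the sweep
        if not isinstance(record, dict):
            continue
        watched = FORWARDING_PARAMS.get(record.get("Operation"), set())
        for param in record.get("Parameters", []):
            if param.get("Name") not in watched:
                continue
            recipients = external_recipients(str(param.get("Value", "")))
            if recipients:
                alerts.append({
                    "time": record.get("CreationTime"),
                    "user": record.get("UserId"),
                    "operation": record.get("Operation"),
                    "parameter": param.get("Name"),
                    "recipients": recipients,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_external_forwarding(SAMPLE_LOG):
        print(alert)
```
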


Technology And The Modern Conference Room


Conference rooms used to be a safe haven from technology. Not any longer. When was the last time you were in a meeting in a conference room that didn’t include a large monitor displaying some content, or sitting around the table with most people on their laptop or tablet? Probably not recently.

Conference room technology has come a long way in a short amount of time. This means interactive, content rich meetings have become the norm. No longer relegated to expensive conference rooms only found in the offices of Fortune 500 companies, even the smallest organizations now sport technology-driven conference rooms.


From touchscreen monitors to fully interactive electronic whiteboards and wireless display capabilities, businesses of all sizes can now affordably outfit their conference room with up-to-date technology. Companies like Microsoft, Sharp and Infocus make some of the easiest devices to implement. The Infocus MondoPad, Microsoft Surface Hub and Sharp Aquos Board are among the market leaders for small and mid-size organizations. They range in price from around $2,000 to upward of $10,000, depending on the features. Some of these units, like the Microsoft Surface Hub, can be strung together to create an entire smart wall of monitors, though that can get quite expensive. Using a single unit to replace a traditional whiteboard or monitor will introduce interactive touchscreen capabilities as well as the ability to run applications and get online.

Video conferencing solutions like GoToMeeting, WebEx and Zoom really come to life on these large screen interactive monitors, allowing you to see the remote parties and interact with applications and presentations for a truly rich meeting experience.

For those organizations who may want an even simpler solution, you can consider installing a large smart TV on your conference room wall, adding a webcam to it and using wireless display technologies to connect a computer to the smart TV without having wires dangling all over the room. There are several brands of smart TVs that can be purchased for well under $1,000 in sizes as large as 65 inches or more. These devices have embedded apps and browsers that allow you to get online with a web browser and in some cases, connect a computer to the display wirelessly.

If you have a smart TV that does not include an app to wirelessly connect your computer, you can purchase an inexpensive adapter to do this. Microsoft makes a wireless adapter that plugs into an HDMI port on the smart TV that will allow any Windows 10 PC to wirelessly connect. Several other companies make similar adapters that range from $50 to $200, depending on quality and distance needed. For Apple devices, if your smart TV supports AirPlay, you may use that. If it does not, AppleTV will allow you to connect or any number of adapters are available as well for similar prices as the Windows adapters previously mentioned.

There are also any number of fully integrated conference room solutions that combine a motion-activated camera with an online meeting solution that connect to any type of monitor, but like some of the first options mentioned, these can become expensive quickly.

As collaboration platforms like Slack and Microsoft Teams, the two market leaders, continue to evolve, they will become more important interactive meeting tools. From scheduling the meeting to check and avoid conflicts, to hosting the meeting within the collaboration tool on a conference room monitor like one of the options mentioned previously, technology is embedded in nearly every conference room you enter.

This article originally appeared in the March 3, 2019 editions of Foster’s and Seacoast Sunday.

A Sophisticated Phishing Example


I wanted to share this email that I received today.  It’s a sophisticated example of a phishing attack.  An email that looks remarkably legitimate and aims to trick you to click a link and log in to what may look like a legitimate site, but is actually a site designed to capture your login credentials.  Once captured, the hackers use your credentials to compromise your account and impersonate you.  Check out this message…


This is a remarkably well crafted message.  Many users would click on the Click Here link and get caught by this phish.  Let’s look at this message more deeply and see how we could learn that this is not legitimate.

Email Address

When you hover your mouse over the link with the email address, you will see that this is a correct link showing the right email address.


Click Here

When you hover your mouse over the “Click Here” link you will see a long URL that is actually malicious.  The domain is not Microsoft, nor Office 365 and will take you to the compromised web site that will capture your login information and compromise your identity.


Hovering over the “set your Message center preferences” reveals the same malicious link.


As it does when you hover over the Privacy Statement.


If you have received communication from Microsoft in the past, you may recall that Microsoft’s address is One Microsoft Way, not One Micro Ave.  This would be an indicator that this email is not legitimate.


Finally, don’t fall for the “Unsubscribe” trick.  You might think that unsubscribing would be a good idea to try to stop these phishing messages.  But when you hover your mouse over the unsubscribe link, you will see it links to the same malicious site as all the other bad links.

To summarize, the first link in this email is legitimate; all the rest are not.  This is a sophisticated phishing message that looks very real.  You simply can’t be too careful.  Don’t get caught falling for this attack.  Stay safe online!
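The hover check walked through above can be automated for a suspicious message: list every link, compare its real destination with the domains you expect, and count how many decoy links share one host. This is an added example, not part of the original post; the trusted-domain list is an assumption, and the sample HTML, `contoso.example` and `account-verify.example` are constructed placeholders.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains this organization expects in genuine Microsoft mail.
TRUSTED_DOMAINS = ("microsoft.com", "office.com", "office365.com", "microsoftonline.com")

# Constructed sample modeled on the message described in the post (placeholder hosts).
BAD = "https://portal.account-verify.example/o365/signin?u=user"
SAMPLE_HTML = f"""
<p>Message for <a href="mailto:user@contoso.example">user@contoso.example</a></p>
<p><a href="{BAD}">Click Here</a> to review your messages.</p>
<p>You can <a href="{BAD}">set your Message center preferences</a>.</p>
<p>One Micro Ave | <a href="{BAD}">Privacy Statement</a> | <a href="{BAD}">Unsubscribe</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def is_trusted(host):
    """True only for a trusted domain or a subdomain of one (dot boundary enforced)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def audit_links(html):
    """Return one finding per link: visible text, destination host and a verdict."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        parts = urlsplit(href)
        if parts.scheme == "mailto":
            # A mailto link is suspicious only if it shows one address and targets another.
            host = ""
            verdict = "mailto-ok" if parts.path.lower() == text.lower() else "mailto-mismatch"
        else:
            host = (parts.hostname or "").lower()
            verdict = "trusted" if is_trusted(host) else "untrusted"
        findings.append({"text": text, "host": host, "verdict": verdict})
    return findings


def untrusted_hosts(findings):
    """Count untrusted links per host; many links on one host is the pattern in the post."""
    return Counter(f["host"] for f in findings if f["verdict"] == "untrusted")


if __name__ == "__main__":
    results = audit_links(SAMPLE_HTML)
    for finding in results:
        print(f'{finding["verdict"]:<16}{finding["host"]:<34}{finding["text"]}')
    print(dict(untrusted_hosts(results)))
```
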