Staying Safe in the Digital World

This living topic explores the ever-evolving landscape of cybersecurity threats and the measures consumers and businesses can take to protect themselves. Covering a wide range of issues from data breaches and phishing scams to the misuse of artificial intelligence, the content offers insights into the latest cyber threats and practical advice for enhancing digital security. It highlights recent incidents involving major companies, such as AT&T and T-Mobile, and provides guidelines on how to safeguard personal information and respond to breaches. The overarching theme is the importance of vigilance and proactive measures in maintaining cybersecurity in an increasingly digital world.


FCC moves to beef up security of home ‘smart’ devices

How many “smart” devices are in your home? And how many are vulnerable to hackers?

Those are not questions many consumers ask themselves but should. Thermostats, garage door openers – anything that can be controlled using your smartphone – are connected to the internet.

The Federal Communications Commission (FCC) is creating a voluntary cybersecurity labeling program for Internet of Things (IoT) devices and other consumer-facing products that rely on an internet connection. The idea is to make consumers more aware that these devices are connected to the internet and, just like PCs and tablets, need protection.

Dominic Chorafaklis, a principal at cybersecurity firm Akouto, says the FCC’s move is a step in the right direction but that a lot more needs to be done.

How concerned are manufacturers about security?

“The companies that make consumer IoT devices tend to be more concerned about keeping their products cheap and simple than about making them secure, which does come at a cost,” he told ConsumerAffairs. “Even when security features are built in, they often rely on consumers taking steps to enable them and configure them correctly.”

And many times, consumers don’t. They often keep the default login, which tends to be very simple and very hackable.

Tim Mackey, head of Software Supply Chain Risk Strategy at Synopsys Software Integrity Group, says the U.S. is just catching up with the rest of the developed world by taking this step.

“From a consumer perspective, this new program is completely voluntary,” Mackey said. “That means that we won’t suddenly see an influx of certified devices on store shelves or from online retailers. Instead, consumers should expect to see manufacturers who take cybersecurity seriously aggressively pursuing certification.”

Some will and some won’t. Mackey says consumers should look for the certification label and QR code when shopping for smart devices because their security will be the most robust.

The weakest link

Maria-Kristina Hayden is CEO and founder of OUTFOXM, a cyber hygiene and resiliency company. She comes from a background in U.S. intelligence, where cybersecurity is a top priority. She points out that one weak IoT device in a home can grant an attacker access to all other devices on that home network.

“Consumers must be provided with easy-to-understand instructions about choosing secure IoT devices and how to configure settings,” she told us. “This is where the FCC's proposal should really help.”

The FCC says the smart products covered by its new rule and that meet certain requirements will be able to use the label on packaging and advertising, similar to the ENERGY STAR label that shows that a product is energy efficient. Outside, accredited research labs will perform the testing.


The 12 Cybersecurity Don'ts of Christmas

With scammers running rampant this holiday season, it’s more important than ever for consumers to stay vigilant and safe in the final weeks leading up to Christmas – and into the new year. 

In an effort to bring some levity to the serious situation of cybersecurity, while also providing consumers with tangible advice on staying safe, Karin Garrido, vice president and general manager at AT&T, Pacific States, shared “The 12 Cybersecurity Don’ts of Christmas” with ConsumerAffairs. 

While the security tips may seem funny and lighthearted – and they are – their sentiments ring true. With online shopping, shipping gifts, and the general frenzy of the holidays, it’s easy to get lax with online security measures. 

With Garrido’s advice, the goal is to keep your private information private for the holiday season and beyond. 

The 12 Cybersecurity Don’ts of Christmas

Here is Garrido’s official “12 Cybersecurity Don’ts of Christmas”:

1. Re-gifting passwords: Just like last year's fruitcake, re-gifting passwords across multiple accounts is a no-go. Santa uses a password manager.

- If you use the same password on several accounts, then all those accounts are vulnerable if your password is exposed on just one of them. It’s hard to keep track of so many passwords, so a reputable “password manager” is a good option. 

2. Clicking on mischievous links: Not all links are wrapped with good intentions. Think twice before clicking on them, and three times before entering information.

3. Ignoring software update elves: These diligent elves deliver security patches that shield devices from new threats. Don't ignore their hard work!

4. Typing Santa’s credit card number on an open network: Public Wi-Fi networks can be as open as a chimney on Christmas Eve. Don’t expose sensitive intel to cyber-Scrooges.

- As a precaution against electronic snooping, you should avoid typing in sensitive information like credit card numbers when you’re using public Wi-Fi. 

5. Keeping a cluttered digital house: You might get unwanted company, so it’s wise to delete old downloads and emails that are full of personal information.

- If someone succeeds in breaking into your email or computer, what will they find? If you don’t need old emails with your Social Security number and other personal information, it’s best to delete them.

6. Downloading a Trojan reindeer: Untrusted software downloads can be like a Trojan reindeer, carrying unwanted malware gifts.

- This is a longtime safety tip. Don’t download software from non-trusted sites or unexpected pop-ups.

7. Forgetting to back up data: Regular data backups are like keeping an extra set of presents in the attic, just in case. 

- If you have documents or photos that you wouldn’t want to lose, copy them in more than one secure place on a regular basis.

8. Oversharing on social media: Oversharing personal information is like leaving your doors and windows wide open during the holidays. Facts about you can be used by fraudsters in many ways. Your pet’s name or mother’s family name may be a backup for a forgotten password. 

9. Bypassing multi-factor authentication: This adds an extra layer of security for your accounts, just like double wrapping those precious gifts. If a criminal gets your password, an extra line of defense can help keep them out of an account. 

10. Leaving devices unattended: Devices left alone in public places are as tempting as unattended milk and cookies. Use a screen lock, too.

11. Using Santa123 as the North Pole password: Weak and predictable passwords are like a flimsy lock on a treasure chest of gifts. To make a password long and strong, consider a passphrase with several words inside it. Longer is recommended to help defeat automated password guessing.

12. Having a bit of eggnog and forgetting to log off a public device: This is like leaving your sleigh full of gifts unattended in the town square. Occasionally we all may need to log into a hotel or public library computer. Uncheck “remember me” and don’t forget to log out. 

Scams don’t end with the holidays

Though the holiday season will wrap up in a few weeks, that doesn’t mean scammers’ work is done. Consumers need to keep cybersecurity at the top of their minds into the new year, as advancements in technology are likely to make it easier than ever to be on the receiving end of a scam. 

“The rise of AI and Deepfakes will result in more sophisticated communications fraud and imposter attacks,” Clayton LiaBraaten, senior executive advisor at Truecaller, told ConsumerAffairs. “In 2024, large language model (LLM) technology will enable highly granular data scraping and mining to enable extremely targeted, contextually relevant scam and fraud campaigns at scale."

Yes, 2024 is an election year. Consumers will likely be inundated by political voice and text SPAM. Not all of it will be legitimate.


Threat Alert: Watch out for Amazon Prime Day scams

Shopping has been in the news lately as Amazon, Walmart and Target have all announced special sales promotions for mid-July. 

Amazon started it all with its annual Prime Day and it remains the best-known of the sales. This week’s ConsumerAffairs-Trend Micro Threat Alert shows scammers are taking advantage of it.

Amazon phishing 

  • Trend Micro's research identified a phishing scam in which an SMS message prompts the victim to verify their Amazon account via a fake login page. 

  • The top five states being targeted are Virginia, California, Florida, Texas, and Georgia 

“Scammers are ramping up to take advantage of the annual Amazon Prime Day on Tuesday, July 11th. Consumers who want to take advantage of this day of savings should be vigilant in looking out for the plethora of scams we’re likely to see occur,” Jon Clay, vice president for Threat Intelligence at Trend Micro, told ConsumerAffairs. “Trend Micro’s research team has detected Amazon SMS phishing attacks looking to steal the account owners’ credentials, with the top five states being targeted the most: Virginia, California, Florida, Texas, and Georgia.”

Travel scams 

  • From April 1 to June 26, Trend Micro's research team found 1,979 travel-related scam URLs, which increased by 24.6% compared to the past weeks. This included three fake Booking.com login pages 

  • Over one-third of the victims in the U.S. are from Oregon: 32.37%. 

  • The top five states being targeted are Oregon, Virginia, Washington, Pennsylvania, and Illinois 

With the Fourth of July coming up Americans are hitting the road in greater numbers and scammers are deploying all types of schemes to ensnare victims. ConsumerAffairs recently reported on several of these summer travel scams, along with ways to avoid them.

Costco Survey Scam 

  • Trend Micro's research found scammers inviting customers to participate in a short Costco survey to get a $100 cash value prize. The scammers wish to collect victims’ private information and credit card information. 

  • The top five states being targeted are California, Alabama, Texas, Illinois, and Nebraska 

This scam is increasing again, probably because it is highly successful. The victim receives an email that looks like it is coming from Costco and asks the recipient to fill out a short survey.

The bait is a gift card or other item worth at least $100. That should be a red flag since retailers can’t afford to pay that much for a consumer’s feedback. The scam seeks to steal personal information, along with credit card information.

FedEx Phishing 

  • Trend Micro's research identified scammers impersonating FedEx to ask email recipients to declare their imported items via specific instructions. Victims were prompted to log in on a fake website built to collect their personal information.

  • Trend Micro's research team found 194 logs on June 23. 

“FedEx does not request, via unsolicited mail, email, or text, any personal information pertaining to your account credentials or identity,” the company says on its website. “If you get a suspicious email, do not reply or cooperate with the sender.”

FedEx says red flags include an urgent request for money in return for the delivery of your packages and requests for your personal and financial information.

Office Printer Phishing 

  • Trend Micro's research identified scammers pretending to be Office Printer and sending victims a notification letter that redirects them to ‘View Document’ or ‘Download Document.’

  • Trend Micro's research team detected 371 logs on June 26. 

The scammers sending out these emails hope to deceive recipients into clicking on a link. If they do, recipients open a bogus website where scammers try to steal the passwords of email accounts.


Delete these 19 apps off your Android device now or face serious consequences

If you have an iPhone, you can move on to the next ConsumerAffairs story – but if you have an Android device, your next move should be to look at all the apps on your device. Google has sent up a flare warning billions of Android users that they are in danger of being harmed by 19 different apps.

These malicious apps cover everything a scammer has in their toolbox: adware, malware, spyware, trojans, and more. All can infect a phone, steal your identity, passwords, or financial information like credit card numbers and bank accounts.

The apps that need to be deleted

When you look at the following list, there are apps you may have used in the past with zero problems. But, dastardly scammers have gone as low as they know how, downloading these apps themselves, reengineering them by adding in the malicious code and then putting them back on the Google Play store, according to MalwareFox.

  1. Fare Gamehub and Box

  2. Hope Camera-Picture Record

  3. Same Launcher and Live Wallpaper

  4. Cool Emoji Editor and Sticker

  5. Amazing Wallpaper

  6. Simple Note Scanner 

  7. Universal PDF Scanner 

  8. Private Messenger

  9. Premium SMS

  10. Blood Pressure Checker

  11. Cool Keyboard

  12. Paint Art

  13. Color Message

  14. Vlog Star Video Editor

  15. Creative 3D Launcher

  16. Wow Beauty Camera

  17. Gif Emoji Keyboard

  18. Instand Heart Rate Anytime

  19. Delicate Messenger

We repeat -- in their original form there was nothing wrong with these apps. According to Google, scammers have changed them to make them dangerous.


Feds seize millions of stolen login credentials but you could still be at risk

The U.S. Department of Justice (DOJ) this week rolled into Wisconsin, waving badges, seizing computers, and taking the personally identifiable information of millions of Americans off the market.

It’s about time.

Coming to the rescue is “Operation Cookie Monster,” a high-level all-hands-on-deck effort where the DOJ utilized 45 FBI field offices and international partners from Sweden to Romania to seize Genesis Market’s motherlode of consumer usernames and passwords for email, bank accounts, and social media.  

All in all, millions of passwords and email addresses were provided from a wide range of countries and domains. These emails and passwords were sold on Genesis Market and were used by Genesis Market users to access the various accounts and platforms that were for sale. Then, downstream, cybercriminals used this data for purposes ranging from identity theft to phishing attacks to credential stuffing.

“Genesis falsely promised a new age of anonymity and impunity, but in the end only provided a new way for the Department to identify, locate, and arrest on-line criminals,”  said Deputy Attorney General Lisa Monaco. “The Department of Justice is shining a light on the internet’s darkest corners – in the last year alone, our agents, prosecutors, and partners have dismantled the darknet’s largest marketplaces – Hydra Market, BreachForums, and now Genesis. Each takedown is yet another blow to the cybercrime ecosystem.” 

Were you part of the personal data that Genesis had?

While the DOJ prevented Genesis from pushing consumer ID information any further, you, me, and everyone else are still at risk because of what’s already rung the cash register for the data seller on the black market.

The FBI has reached out to Have I Been Pwned (HIBP), a free resource for people to quickly assess whether their access credentials have been compromised (or “pwned”) in a data breach or other activity. Victims can visit HaveIBeenPwned.com to see whether their credentials were compromised by Genesis Market so that they can know whether to change or modify passwords and other authentication credentials that may have been compromised.

And whether you know that you’re a victim or just think you’re a Genesis victim, it would be smart to see if any of your email addresses at any time in the last several years turned up on the dark web.

When ConsumerAffairs checked Have I Been Pwned against our personal email accounts, there were breaches that have widespread implications: Adobe, Dropbox, and Zynga (the creator of Words with Friends) which exposed 173 million unique email addresses alongside usernames and passwords.

Prepared in conjunction with the FBI, HIBP provides the recommended guidance for those that find themselves in this latest collection of data. Those steps are detailed in the section with the gold background on this page.


Hackers have used ChatGPT brand to take over Facebook accounts

When the artificial intelligence (AI) platform ChatGPT burst into public consciousness early in the year, cybersecurity experts warned it wouldn’t be long before the bad guys made use of it. They were right.

In a recent post, Nati Tal, head of Guardio Labs, warns that hackers have hidden fake ChatGPT functionality inside a Chrome browser extension. Hackers entice Facebook users to load the extension using ads on the platform.

Once the extension has been loaded, it gives hackers the ability to hijack Facebook accounts and give them nearly complete control, including “super-admin permissions.”

Tal says his company's research found that the fake extension is being used to target well-known Facebook business accounts. Once in control, the hackers can create Facebook bots and other malicious items.

In his post, Tal said his team has uncovered “endless” campaigns abusing the ChatGPT brand, distributing malware and phishing for credit cards.

“On 3/3/2023, our team detected a new variant of a malicious fake ChatGPT browser extension, part of a campaign started in early February with several other ChatGPT branded malicious extensions,” Tal wrote. “This time upgraded with a threatening technique to take over your Facebook accounts as well as a sophisticated worm-like approach for propagation.”

Guardio researchers found the "Quick access to Chat GPT" extension was downloaded as many as 2,000 times per day since March 3. The company says it was pulled by Google from the Chrome Web Store on March 9.

'Quick access to ChatGPT'

The fake extension, identified as “Quick access to ChatGPT,” was offered as a quick way to get started with ChatGPT directly from your browser. Guardio says the extension does, in fact, provide that. However, it also “harvests” as much data as it can from your browser. It steals “cookies of authorized active sessions to any service you have, and also employs tailored tactics to take over your Facebook account.”

The takeaway, says Tal, is web users must be even more careful than in the past. Hackers have managed to stay one step ahead of major players like Google so individuals have to take precautions to protect themselves.

“These activities are, probably, here to stay,” Tal concludes. “Thus we must be more vigilant even on our day-to-day casual browsing — don’t click on the first search result, and always make sure you won’t click on sponsored links and posts unless you are pretty sure who is behind them!”


Growing success against cyberattacks just means hackers will work harder

Over the last few months, hackers have had to step up their game, finding new targets and developing even harder-to-detect attacks. That’s because defenses have improved.

A new report from cybersecurity firm Trend Micro found a huge 55% increase in overall threat detections in 2022 and a 242% surge in blocked malicious files, as threat actors indiscriminately targeted consumers and organizations across all sectors.

But the bad guys don’t just accept a drop in “business.” The report illustrates how hackers have adjusted, putting even more people and organizations at risk.

“To combat waning ransomware revenues — a staggering 38% decrease from 2021 to 2022 — active ransomware actors have increased their level of professionalism to ensure higher ransomware payouts,” the report’s authors write. “In the past year, we’ve seen them take a page out of the corporate handbook to diversify, rebrand, and even offer professional services such as technical support, with the goal of keeping their attacks potent.”

Emerging trends

The report identified a number of emerging trends in cyberattacks, including these:

  • The top three MITRE ATT&CK techniques show that threat actors are gaining initial access through remote services, then expanding their footprint within the environment through credential dumping to utilize valid accounts.

  • An 86% increase in backdoor malware detections reveals threat actors are trying to maintain their presence inside networks for a future attack. 

  • The number of critical vulnerabilities doubled in 2022. 

  • The Zero Day Initiative (ZDI) observed an increase in failed patches and confusing advisories.

  • Webshells were the top-detected malware of the year, surging 103% on 2021 figures. LockBit and BlackCat were the top ransomware families of 2022.

Hackers are operating like a business

The researchers say ransomware groups rebranded and diversified in a bid to address declining profits. In the future, Trend Micro expects these groups to move into adjacent areas that monetize initial access, such as stock fraud, business email compromise (BEC), money laundering, and cryptocurrency theft.

Jon Clay, vice president of threat intelligence at Trend Micro, says hackers’ attempts to boost their profits pose a threat to everyone.

“A surge in backdoor detections is particularly concerning in showing us their success in making landfall inside networks,” Clay said. “To manage risk effectively across a rapidly expanding attack surface, stretched security teams need a more streamlined, platform-based approach."


Most Americans are at risk of 'digital crimes,' security firm warns

This statistic might make you want to throw your computer or smartphone in the trash can, but you need to hear it: A frightening 91% of all Americans are at “moderate to extreme risk” of digital crimes.

And if that number didn’t move you, let’s try this one: Federal Trade Commission (FTC) data show consumers lost nearly $8.8 billion to scams in 2022.

According to a new Digital Crime Index from Aura, a firm engaged in intelligent safety for consumers, not only are few of us safe, but some of us are in even greater peril.

Aura’s researchers found that demographics that have become extremely susceptible to digital crimes are Black Americans, women, parents, veterans/active-duty military, and members of the Gen-Z generation.

The data show:

  •  Compared to those without children, parents carry a bigger financial toll from being a victim of a digital crime -- seeing 15 times greater loss with an average of $24,188 lost per incident. And Aura says the finger needs to be pointed at all those devices parents have around the home. On average, parents have three more devices in their home compared to most Americans.

  • Gen-Z faces a significant risk of digital crime compared to other generations surveyed, which rank at high risk. When Gen-Z respondents were asked if they protect themselves from digital crimes, only 52% said yes. Gen-Z’s older sibling Gen-X does the best of the four generations surveyed, with 68% saying they protect themselves digitally.

  • Black Americans are five times more likely than White Americans to be at severe risk of a digital crime.

  • Even though men statistically have more violent crimes committed against them, Aura found women are at an elevated risk of a digital crime and stand to lose 6 times more financially. Perhaps what is most alarming is the difference between the average loss for a woman who falls victim to a digital crime vs. a man. On average, women lose over $10,000 more than men per crime. Just ask Rebecca…

  • One in every two veterans and active-duty service members who have experienced digital crime have been victims of more than one type of digital crime. Most of those were victims of a government data breach, the researchers said.

"There's no question that technology has enabled incredible progress in society and in our individual lives, but by oversharing online and over-trusting our digital interactions we're putting ourselves and our families at extreme risk," said Aura founder & CEO Hari Ravichandran. "In fact, the Index shows that 60% of Americans have already reported being a victim of at least one online crime and that number is growing every day.”

AI could make things worse, too

With all the hoopla surrounding AI – artificial intelligence – that 91% high-water mark could go even higher. In fact, it’s already starting to show its ugly side with more fake job scams starting to emerge.

"Consumers should be aware that as artificial intelligence becomes more sophisticated, it may be used by marketers in ways that put their privacy at risk,” Nicky Watson, founder of Cassie, a pioneer in consent and preference management, told ConsumerAffairs.

She said that AI-powered search engines will be able to gather and share more data about consumers than ever before. And, since no one’s trying to regulate AI, Watson says the prospect of those search engine companies selling large sets of consumer data to other companies could lead to real-world consequences for consumers. 

“For example, imagine a consumer is concerned about a health issue, so they search the issue online and visit websites relating to the condition. If an AI-powered search engine company sells that consumer’s online activity to a health insurance company, data about the consumer could impact the cost of their health insurance premiums,” she suggested.

“Consumers should proceed with caution when using AI tools and they should think about the long-term unintended consequences of how their data could be used against them.”


Beach towel? Sunscreen? Anti-scam spray? Cybersecurity expert alerts vacationers to spring break scams

If you’re headed out for spring break, you’ll likely have some unwelcome company. From its perch, online security provider NordVPN says that from booking platforms to apps, holiday scammers have their suitcases packed and ready to make as many vacationers' lives as miserable as possible.

Marijus Briedis, cybersecurity expert at NordVPN, laid out everything a spring breaker needs to protect themselves and ensure a scam-free time.

Briedis’ first warning starts with anyone who may still be searching for deals on accommodations, airfares, etc. 

“Most of us will have used booking platforms or comparison sites to find our perfect break, but how do you know you’re getting the best price for your vacation?” he asked.

“As well as the time of year, your location and tracking data can also play a role in the type and price of deals you are offered by travel companies. If you are visiting a website you have used before, clear your cookies beforehand and hide your location through your browser’s ‘incognito’ mode to see if it gives you access to better offers.”

While it may be a bit of shameless self-promotion, Briedis did offer one unique advantage of having a VPN, which basically masks who and where an online surfer is -- and could pave the way for a better deal.

“You might even find that using the booking website for a country you’re visiting, by using a VPN, is cheaper than booking from home," he offered. "Our researchers found that for six days’ car hire in Dublin, Ireland, this March the price they were quoted going through Expedia’s Irish site was less than half that for exactly the same rental package through the US site.”

Phishing poles, un-updated apps, and free wi-fi traps

Given their success over the 2022 holidays, scammers are likely to amp up their phishing efforts, too. Briedis said that scammers will be out in force with fake offers designed to target things like a person’s details and bank balances and mimic genuine customer loyalty schemes.

“Check any offer by visiting the company’s website separately and don’t click on any email links or attachments unless you are sure you’re dealing with a legitimate business,” he said.

Other things people should consider strengthening include:

App updates: Hackers constantly watch for vulnerabilities in apps and try to figure out how to make some hay off those holes. Briedis suggests making sure all your apps are up to date before you take off.

Stay off of social media: This may be tough to do, but leaving Facebook, Instagram, Twitter, and any other social media platform you use alone while you’re vacationing could help keep scammers’ curiosity in check. 

“Not only can burglars looking at your feed discover your home is empty, seeing you on real-time social media like Instagram Live can reveal that you’re not around to defend your property. Even those very familiar with online privacy can still give away a stack of personal information through mistimed posts including upcoming travel plans.”

Public wi-fi is loaded with prying eyes: Briedis suggests that whether you’re in an airport or a hotel lobby, try to resist using the free public wi-fi those places may offer.

His reasoning is that free wi-fi is an added opportunity for cybercriminals to access and compromise your security. Not only can criminals set up fake hotspots, but they can also hack into unsecured public routers and monitor your online activity as well as drop some malware onto your device.


Could clicking on Google search results cost you all your passwords? Maybe…

If anyone needs proof that cybercriminals leave no stone unturned, all they need to do is check out this claim from MakeUseOf (MUO): Clicking on Google search results could cost you all your passwords!

This new twist on phishing is built around attracting eyeballs to the very top of Google’s search results where Google’s algorithms attempt to reflect the things someone is looking for or a paid placement by a company.

MUO said that these evil-doers might include an excerpt taken from a dictionary or a website, a range of similar questions to your query, two or three ads, and then the actual search results from Google.

And if someone clicks on one of the fabricated links or ads, they’re immediately transported to a brilliantly spoofed website where a hacker will gladly take passwords, personally identifiable information, and other important digital credentials off their hands.

MUO’s David Rutland pointed to Microsoft Outlook as a prime example. He said that if a user was searching for “Outlook help” and clicked on a malicious link, they could easily wind up at what they think is a real Microsoft-driven site where they put in their Outlook username and password to log in.

“The visual style of most of these elements is different enough from the meat of the results that it's easy to scan past them and scroll down,” Rutland wrote. “The adverts, however, are not immediately recognizable. They use the same link color as regular results, and have the same length of summary and selection of site links to URLs within the website.” 

And to an unassuming user, that could spell trouble – particularly for older users.

“Clicking adverts by accident is a familiar and frustrating feeling. It's made worse by the fact that there's a tendency among older computer users to simply type the name of the service they want to use into the search field and then click on the top result, rather than type in the actual URL,” Rutland said.

Google comments

When ConsumerAffairs asked Google to verify MUO’s claims, a spokesperson said it is, indeed, aware of what’s going on, and it’s voluminous – to the tune of blocking over 100 million phishing attempts every day. Nonetheless, the company said it’s doing everything it can to get these hackers out of its – and our – lives.

“Bad actors often employ sophisticated measures to conceal their identities and evade our policies and enforcement. To combat this over the past few years, we’ve launched new certification policies, ramped up advertiser verification, and increased our capacity to detect and prevent coordinated scams. We are aware of the recent uptick in fraudulent ad activity. Addressing it is a critical priority and we are working to resolve these incidents as quickly as possible.”

Safety suggestions for consumers

Google said that even though it’s the company’s job to do everything it can to block bad ads on its platform, “sometimes bad actors can temporarily evade our detection.” 

To help consumers prevent being sucked up in this fake ad vortex, Google shared some tips and tools. 

Learn more about the ads you see and the advertisers behind them: Google said that by clicking on the three dots that appear next to an ad, a user can go to My Ad Center which includes basic information about the advertiser, including whether or not they are a verified business. 

When ConsumerAffairs tried out that trick, we have to admit it was pretty impressive. Not only were we shown when the source was first indexed by Google, but also if our connection to the site was secure or not.

It also has a nifty feature where a user can remove a specific search result so it doesn’t pop up in the future.

In the coming months, Google said it will be rolling out additional transparency tools so that searchers can learn even more about the advertisers behind an ad.

Spot malicious behavior and double-check URLs: Hackers love big brands because if someone is in a hurry to get something fixed or a question answered, they may not take the time to fully inspect the validity of a site’s URL or whether a phone number is real or not. And, being careless can lead to being fleeced by a cybercrook pretending to be one of those big brands.

To get around that issue, Google recently started adding site names to search results and ads on mobile, so users can more easily identify the website that’s associated with each result at a glance.

“You should always be wary if someone is urgently requesting you to do something like send money, provide personal information, or click on a link. Chances are, it could be a scam,” the company said.

Enroll in 2-Step Verification (2SV): Google – as well as Apple and Microsoft – have been working toward a passwordless future, but we’re not there yet, so for now, passwords are here to stay. And that calls for extra precaution.

Google is encouraging everyone to, at minimum, enroll in 2-Step Verification (2SV). Taking that step adds another layer of protection to online accounts by requiring the user to not only enter their password, but an additional piece of information as well. 

“This way, if your password is stolen, a bad actor still needs more information to gain access to your account. And to keep those credentials safe in the first place, we also encourage the use of Google Password Manager,” the company told ConsumerAffairs.

“Google Password Manager will not only create unique passwords that are hard to crack but will also store them all for you so you don’t need to keep that little piece of paper in your drawer you write them all down on.”

Hackers actively attempting to attack Apple, Microsoft, Adobe, and Mozilla systems

It’s been relatively quiet in the hacker world when it comes to major companies, but Valentine’s Day brought an all-out alert from the Cybersecurity and Infrastructure Security Agency (CISA).

It noted that several major software companies and service providers were asking users to update their systems to address vulnerabilities in multiple products and prevent hackers from taking control of an affected device.

CISA informed ConsumerAffairs that attackers are actively attempting to break into products from Apple, Adobe, Microsoft, and Mozilla. According to WindowsReport, several of these are “critical” as far as severity is concerned – such as Adobe Photoshop and Adobe InDesign. 

The following is a list of the affected products and links to the updates for those products:

Apple 

CISA encourages users and administrators to review the Apple security updates page for the following products and apply the necessary updates as soon as possible:

•   Safari 16.3.1

•   iOS 16.3.1 and iPadOS 16.3.1

•   macOS 13.2.1

Adobe

CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates.

Mozilla

Mozilla has released security updates to address vulnerabilities in Firefox 110. 

CISA encourages users and administrators to review Mozilla’s security advisories for Firefox 110 and Firefox ESR 102.8 for more information and apply the necessary updates.

Microsoft

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. CISA encourages users to review Microsoft’s February 2023 Security Update Guide and Deployment Information and apply the necessary updates.

Is your home being invaded by ‘digital burglars?'

Chances are your home has a few “smart devices,” things like video doorbells or a thermostat you can control with your smartphone. They can make life easier but cybersecurity experts warn that “digital burglars” can use them to virtually burglarize your home.

Steve Grobman, chief technology officer (CTO) at McAfee, points to a recent study by the Florida Institute of Technology that found that the companion apps for several big brand smart devices had security flaws. That's a problem since all of these devices connect to the internet.

“Eight of the 20 apps associated with connected doorbells, locks, security systems, televisions, and cameras they studied…could allow attackers to intercept and modify their traffic,” Grobman told ConsumerAffairs. “This could lead to the theft of login credentials and spying, or it could lead to the compromise of the connected device itself. That’s unsettling, given that we’re talking about things like smart door locks.”

The experts we consulted said smart home devices are like any other device that connects to the internet. They need strong protection.

Start with strong passwords

Lumen Technologies Chief Privacy Officer (CPO) Hugo Teufel, a former CPO at Dept. of Homeland Security, says all of these devices need strong passwords and should have access to regular software updates. 

“The best decision anyone can make? Make sure their smart device’s operating software and apps are updated when that update becomes available,” he told us.

Michael Gibbs, the CEO of Go Cloud Careers, says not all smart devices are created equal when it comes to security. Some are more hackable than others. 

Some of the things that determine a smart device’s strength against a hack include the operating system firmware, and the degree of security integrated into the product. Older devices may be more vulnerable.

“If consumers' devices are hacked many problems can occur, ranging from doors being unlocked, personal information being stolen, and cameras recording peoples’ private lives, to life-threatening problems like fires in ovens and other appliances if they were to be remotely hacked and turned on,” Gibbs said.

What to do

What can consumers do to protect themselves? First, be aware of the potential threat. Then, mount a strong defense.

“Broadly speaking, they involve two things: protecting your devices and protecting the network they’re on,” Grobman said. “These security measures will look familiar, as they follow many of the same measures you can take to protect your computers, tablets, and phones.”

And it should go without saying that consumers should create strong user names and passwords. Most devices will come with default security credentials. If you don’t change them – and many consumers don’t – even a novice hacker can break in.

Since many smart devices can be controlled with a smartphone, Teufel says it’s important to keep the phone’s operating system up to date.

“Using the most current operating system, apps and web browsers help defend your phone and its contents against online threats,” he said.

In addition to smartphones, your home internet network is also a first line of defense. Grobman says you may need to upgrade to a new router if you’re using an older one lacking strong security features. Gibbs agrees that protecting the network is critical.

“If a hacker can get on the network, they can hack these devices,” Gibbs told us. “The best protection is to keep hackers out by using a firewall to protect the network, using strong passwords, patching all systems to protect against security vulnerabilities, and leveraging security software like antivirus and antimalware to protect the systems on the network.”

Are you a Chase, Citibank, Bank of America, Capital One customer? Be careful – here comes the “Hook!”

If you have an iPhone, you can move on for now, but if you have an Android phone, you should pay close attention – particularly if you are a customer of Chase, Citibank, Bank of America, Capital One or Wells Fargo.

There’s a new piece of malware called “Hook” that is being spread through fake banking apps claiming to be from some major bank brands (here’s a complete list of banks).

Once Hook gets on your Android device, hackers can take over and remotely control your phone from anywhere in the world, pulling off normal functions like unlocking the device and taking a screenshot.

“The new ‘Hook’ malware is the stuff of nightmares for Android users, boasting the power to pillage mobile files, ransack WhatsApp accounts or even send money from a user’s phone,” Marijus Briedis, a cybersecurity expert at NordVPN, told ConsumerAffairs.

And Hook is one bad dude, too. Briedis said that it’s a cut above most of the weaponry in a hacker’s arsenal. Because it’s so good at what it does, bad actors are paying as much as $7,000 a month to subscribe to the software so they can make some serious bank of their own from the comfort of their basement.

When a hacker subscribes to Hook, they also get access to a special console that uses the same virtual network technology many workers have to access their office computer from home.

“This means your device can be taken over even while you’re holding it,” Briedis said.

How you can stop Hook from getting its claws on your phone

Defending against Hook ruining your life is doable, but you have to pay attention. Briedis said that it’s important for Android users to keep their system software updated regularly – an easy task on most Android smartphones.

All you have to do to check for system updates is go to Settings and if an update is available, there should be a prompt to download and install it.

For those of you who have newer Android phones, system updates should happen automatically. But, for those with older phones, you should be aware that malware loves older operating systems that don’t know how to fend off ilk like Hook.

Briedis’ recommendation for those users is to make sure to only download banking apps from an official marketplace like the Google Play Store and check how often it has been reviewed and downloaded before you install it yourself. 

The most digitally vulnerable state in the U.S. is…

What state do you think is the most vulnerable when it comes to people’s digital life?

After a year in which the FBI’s Internet Crime Complaint Center received close to 3 million complaints of cyber attacks and malicious cyber activity, Secure Data Recovery polled Americans from all 50 states to find out which residents are most vulnerable to digital threats. What did their analysts discover?

The South rocks, so does R$k35*5ErFhX, and the battle of the sexes is a draw 

On a positive note, the majority of Americans take some steps to protect their devices from hacking. Of those who stay digitally safe, 71% do so by keeping their phone number, email address, and home address off social media. 

People in Kentucky may want to pour themselves a glass of bourbon and toast the fact that the Bluegrass State is the most digitally secure of all 50 – with 54% of Kentuckians checking every permission related to a new app when they download one to their phone, and only 26% of its residents listing their address, email, or phone number on social media.

In fact, Southern states smoked all other regions in the digitally-secure rankings – holding down nine slots in the over-50% range. Louisiana was number two, Tennessee number 5, Mississippi number six, North Carolina number seven, and South Carolina number 10.

If you’re looking for a battle of the sexes, women are more digitally vulnerable than men, overall. However, women get a victory when it comes to backups because they back up their information more frequently than men. Staying with the backup category, just a little more than half of those surveyed back up their devices automatically on a regular basis, and even fewer (39%) keep a copy on the cloud. 

The saddest takeaway is that 79% of Americans leave themselves open to being hacked because they don't use auto-generated passwords, preferring to stay with easy-to-crack things like "Memaw!" which can be hacked inside of 2 seconds. Yes, what we're talking about are the long, multi-character type like “R$k35*5ErFhX” that a good password manager would create.

If you live in the Empire State, sorry, but upon hearing the news, hackers everywhere must be blasting “I Love New York” on their stereos. According to the survey, New York ranks as the most digitally vulnerable. One in three have clicked on suspicious ads, links, or attachments in the past year.

We have our work cut out for us

Yevgeniy Reznik, the Laboratory Operations Manager at Secure Data Recovery Services, said that Americans have five things they need to improve if they want to stay hack-free and digitally secure:

Keep your private information off of social media: That means your email, your phone number, and the address where you live.

Don’t click on anything suspicious: That’s ANYTHING! If you don’t recognize the name, the email address, don’t know why someone is sending you an attachment, or there’s a link in any text message or email from anyone you don’t personally know and trust, keep your hands to yourself.

Install antivirus software on your computer: If your computer gets hit with a virus attack, be prepared to write a check for anywhere from $100-$300 to repair it. Comparatively, dropping $25-$50 a year on antivirus protection seems like a much better investment.

Use unique passwords for each account: That means one for Adobe, another for YouTube, another one for Google, etc.

Keep two or more copies of important information: A backup of your backup? If you’ve ever lost important information to a hard drive crash, you know the pain, so yes, double down.

The baddest of the bad Black Friday scams is ready and waiting to sucker-punch consumers

New research from cybersecurity company NordVPN shows that cyber scammers have their sights on the four in five Americans who might take part in Black Friday/Cyber Monday – or what Nord’s Chief Technology Officer Marijus Briedis called a “honeypot for scammers.”

Their favorite targets are people who’ll gladly exchange some private, personal information in return for a big discount or freebie. As they say, forewarned is forearmed, so let’s get on with what the "baddest of the bunch" is and how you can protect yourself.

“Pleased to meet you – won’t you guess my name?”

Rob Shavell, the CEO of DeleteMe, an online privacy company that removes a person's data from Google, and security analysts from RedFlagDeals say that the hottest scam this shopping season might just be the “Fake Seller Scam” which involves scammers quickly producing storefronts in 3rd party marketplaces like Amazon and Walmart where they then:

  • List legitimate popular brand name products

  • Offer these products at the cheapest price on the platform

  • Are algorithmically promoted by Amazon (or other retailers) for their great price

  • Support their listings with fake, positive reviews

  • Provide fake order tracking details to bide time to scam more people before complaints start pouring in

  • Offer one-week free shipping - more time to dupe customers before negative reviews come in

  • Present themselves as a real seller by lining their storefronts with hundreds of other products

“When you buy, you either don't receive the product, receive the wrong product, or receive a broken/used/unusable version of the product, with no real means for recourse, refunds, or support from the retailer themself,” Kate Musgrove, director of RedFlagDeals told ConsumerAffairs.

Amazon is doing what it can to throw these bad actors over the cliff, but how can the consumer spot this scam? The big clues and most common factors appear to be:

  • A low, low price. Products are typically the cheapest you can find and have anywhere from a 20-80% discount. If you are shocked by the price, then it's a good indicator that you should do some double-checking.

  • Is this a real brand? Start by checking the "ships from/sold by" information under the "Buy Buttons", where you will see the brand listed. If the brand listed isn't the brand of the product, a known, popular 3rd-party brand, or Amazon itself, you should do some investigating. Start by clicking on the 3rd party's Amazon Seller Page to see if they seem like a real business. If nothing is listed, the seller's name seems fake and contains long, non-sensible names or strings of random numbers, it could be a sign of a scammer.

  • Is this brand established? On the seller's "About Page" (example), you can see recent feedback, the sentiment of that feedback, and how it has trended over time. A good rule of thumb is that if you plan to buy from 3rd party sellers, you want to buy from the ones with positive feedback ratios and who have lots of feedback data going back for more than a year.

How to protect yourself

Shavell says the single thing that a consumer can do to keep away from a fake merchant is to stick to trusted vendors.

“Fraud artists create fake companies promoting high-discount offers during high-volume sales periods; if you’re going to do comparison shopping looking for the best price, do so among retailers with whom you already have accounts and have successfully done business with in the past,” he told ConsumerAffairs.

The second of Shavell's smart moves is to stick to payment methods that have consumer protection features and the ability to execute chargebacks. He said that if consumers use a credit card with limits, it usually provides better security features than mobile payments, or is faster to respond to fraud claims than services like PayPal, which he said can be slow and difficult to document after the fact.

His third piece of advice is to consider using a “card masking service” to protect your account information.

“Particularly when doing business with new vendors, it may be safer to use a one-time payment service that prevents the vendor from retaining your account information beyond the individual transaction, and protects you in the event they experience any data breach,” Shavell concluded.

Hackers are targeting hospital networks. Is your patient data at risk?

Common Spirit Health is one of the latest major hospital groups to grapple with cybersecurity issues that not only affect operations but could compromise patient privacy.

In October the hospital system reported it was the victim of a ransomware attack, interrupting operations at the Chicago-based system that operates 140 hospitals and more than 1,500 care sites in 21 states.

The cybersecurity experts we consulted said attacks on hospitals are likely to increase, posing risks to patient privacy.

Matt Mullins, senior security researcher at Cybrary, a cybersecurity training firm, says hospital networks are significantly more vulnerable than standard networks for the simple reason that healthcare has a unique focus compared to other industries. That’s because the data has to always be readily accessible for practitioners.

Not only is it easier for hackers to access that data, Mullins says the data is highly prized information.

“It can be used for blackmail or phishing, and it can be used for fraud,” Mullins told ConsumerAffairs. “This data is more useful in that it is easier to access and it allows for identity theft. Identity theft is much harder to ‘shut down’ than it is to roll a new credit card number or account!”

Valuable data

In a cyber attack, Frank Ricotta, CEO & founder at BurstIQ, a health data management company, says hackers go for patients’ personally identifiable information (PII) and personal health information (PHI) because it’s considered more valuable.

“The value of health data sold on the dark web can get upwards of 500 times more than other personal information such as Social Security numbers or credit cards,” Ricotta told us. “This data can be used to file false medical claims, get prescriptions and medical treatment, and more. And unlike a credit card breach that can be identified and resolved quickly, PII and PHI can be used long after a breach has been detected and used repeatedly.”

Irina Tsukerman, president of  Scarab Rising, Inc., a media and security strategic advisory group, says networks aren’t the only area of hospital technology vulnerable to hackers. That vulnerability poses the risk of more than just compromised data.

“A recent study found that half of internet-connected devices in hospitals are vulnerable to exploitation, with IV pumps - a direct risk to patients - being a particular vulnerability,” Tsukerman said. “The Cynerio report analyzed data from over 10 million devices at over 300 hospitals and health care facilities globally, which the company collected through connectors attached to the devices as part of its security platform. This makes hospitals one of the most desirable targets for hackers.”

Hospitals spend less on security

Sanjay Raja, vice president of Product Marketing and Solutions at Gurucul, a security analytics firm, says economic factors also play a role. He says hospitals continue to bear the financial burden of treating COVID-19 patients which reduces other, more profitable services.

“This has led to a shortfall in revenues from other services causing constrained budgets, a lack of resources, and overburdened security teams,” Raja said. “Threat actors have purposefully targeted healthcare providers knowing how overwhelmed IT and security staff already are and how catastrophic ransomware or other disruption can be in the treatment of patients.”

Is there anything hospitals can do to better protect their networks from attack? Raja says perimeter defenses and patches have proved “fairly useless” against a hacker determined to get inside. 

He recommends an accurate and more automated threat detection, investigation, and response solution that provides earlier and more accurate threat detection. 

Mullins says he believes that, up until now, hospitals haven’t approached cybersecurity with enough “seriousness.”

Tsukerman says hospitals need to train all personnel in "best industry" practices in cybersecurity and enforce and reevaluate recommended security protocols, which should include physical maintenance and strengthening of networks.

If you use a prayer app someone else could be listening in, report finds

As part of its review process on products that connect a person’s privacy and security online and with other companies, a new report from the Mozilla Foundation takes aim at apps that it says are “super creepy” when it comes to users’ privacy.

The report focuses its attention on mental health and prayer apps, saying their privacy standards are worse than any other product category.

The foundation’s analysts claim some of those apps routinely share data, permit weak passwords, bombard powerless users with personalized ads, and live off the premise of hazy and unintelligible privacy policies. 

“They track, share, and capitalize on users’ most intimate personal thoughts and feelings, like moods, mental state, and biometric data,” said Jen Caltrider, Mozilla’s *Privacy Not Included lead.

“Turns out, researching mental health apps is not good for your mental health, as it reveals how negligent and craven these companies can be with our most intimate personal information.”

The study looked at 32 mental health and prayer apps and anointed all but four with a *Privacy Not Included warning label and said most were “exceptionally creepy.” One of those 28 offenders is the faith-based app, Pray.com.

The app serves a number of functions, including as a social media platform for religious communities. Churches and other religious organizations use the platform to engage in discussions, livestream services, and solicit and receive donations.

Individuals using the app may participate in “prayer communities” where users can ask for and answer prayer requests.

It sounds innocent enough, but the question may arise over how this highly personal data is handled. ThreatPost reported that in late 2020, Pray.com leaked private data for up to 10 million people.

Included in that data leak were lists of a church’s attendees containing information for each churchgoer such as names, home and email addresses, phone numbers, and marital status. In addition, ThreatPost reported that the information exposed in a public cloud bucket also included church-donation information, photos, and users’ contact lists.

Pray for your privacy

On a recent Freakonomics Radio podcast, author Stephen Dubner investigated the landscape of faith-based apps, of which Pray.com is only a part. Dubner expressed concern that these apps were sharing user data with Facebook. The Mozilla Foundation report said that is a real concern.

“If you use Pray.com, you'd better pray for your privacy. Because Pray.com is absolutely awful when it comes to their users' privacy and security,” the Mozilla analysts wrote. 

The primary stress point for the analysts was the figurative ton of personal information that’s spun into an asset and a healthy revenue stream. 

“Pray.com then says they can use all this data to target you with ads, share with third parties to target you with ads and share with other ‘faith-based organizations’ so they can target you too,” the report said.

“We don't mean to be, well, mean, but Pray.com really feels like it might be a data harvesting business targeting Christians for purposes that go way way way beyond helping them on their prayer journey. … It all feels kinda icky to us.” 

Mozilla Foundation’s advice? “Find another prayer app.”

ConsumerAffairs reached out to Pray.com and Facebook for comment but did not receive answers to the questions we posed regarding privacy policies, personal data that is being shared, and for what purposes personal data is shared.

Whatever the app, you still need to be careful

Are there prayer apps that the Foundation spared from being labeled “*Privacy Not Included”? Yes, one. Among those listed, the only one ConsumerAffairs found that met the criteria, and that readers did not rate as “Super Creepy,” was the “Hallow” app.

To Hallow’s credit, the researchers said the company was the only one who replied to all its questions and even updated its password requirement to require users to log in with a strong password when the Foundation noted that the app allowed the use of a relatively weak password like “11111.”

Alongside Pray.com, the others in the category that both researchers and readers judged as not meeting the criteria were the King James Bible Daily Verse and Audio and Abide. There was one app – Glorify – that was a split decision. Foundation researchers gave it a thumbs-up, but readers pegged it as “Super Creepy.”

So, what’s someone who wants to engage with a prayer app to do? If you do decide to find another, be careful, Harold Li, vice president at ExpressVPN, told ConsumerAffairs. 

“This is not the first time that faith-based apps are caught sharing data with third parties. Last year, ExpressVPN conducted extensive research on location trackers embedded in 450 social, messaging, and faith-based apps to measure the extent to which they intrude on location privacy for individuals around the world,” Li said, highlighting the fact that those investigated apps were downloaded by users 1.7 billion times in total.

Searching for that hard-to-find product? A scammer knows that too, and will make you pay!

The reports of phishing attacks over the holidays are starting to grow. The new wrinkle for hackers, it seems, is the use of artificial intelligence (AI) to improve a hacker’s ability to gather information and target a specific victim.

Most of those targeted victims are online shoppers who, hackers have discovered, have become lackadaisical about what they click on and are clicking willy-nilly on anything and everything. That’s especially true in emails.

Cybercreeps are sending out offers by the ton, bombarding users' inboxes with links to deep discounts knowing that there are enough people who’ll click on links and hand over credentials.  

“E-shopping continues to be a prime target because people are pre-programmed to click on links," Phishfirewall CEO Joshua Crumbaugh told ConsumerAffairs. "Online deals bombard users' inboxes with links to deep discounts, and this adds fuel to the fire, creating the perfect scenario to get people to click on links and hand over credentials.

“With scams getting increasingly sophisticated, it's hard to say precisely what tactics the bad guys will use, but they are only after just a few things: Stealing your account credentials, your identity/financial information, or infecting your computer with malware/ransomware.”

A new PlayStation 5 or Dyson product on your wishlist?

Crumbaugh said his company found that phishing attacks using hot but scarce items as bait are paying off for hackers.

“Fake discounts on hard-to-find items such as PS5's and Dyson hair products with the goal of stealing credentials are growing," he said. "We’ve also seen fake purchase alerts that attempt to infect your computer with ransomware and fake Amazon security alerts with the intent to steal your credentials.”

How to keep the phishers away

If you think that it’s Google’s or Microsoft's or Apple’s job to keep phishing emails out of your inbox, you might want to reconsider thinking that.

Yes, Gmail or Hotmail or Apple iCloud Mail try to keep phishing emails from getting in with their email spam filters, but scammers are cunning enough to find ways around those filters.

The Federal Trade Commission (FTC) warns consumers that it would be wise to add extra layers of protection to protect themselves from phishing attacks.

One of the agency's strongest suggestions is to protect your cell phone by setting software to update automatically. These updates could give you critical protection against security threats.

Here's how to do that on an iPhone and how to do it on an Android device.

And that password of yours? How long do you think it would take a hacker to crack it?

Another smart move is getting a password manager. Because if you do...

  1. It allows you to use harder-to-crack passwords. (If you want to see how weak or strong your password is, check it here)
  2. You don’t have to remember all of them. 
  3. Plus -- and it's a huge plus -- you can have a different password for every site.

That last point is a move that Dustin Heywood, a password specialist at IBM X-Force Red, says maximizes a person's password security.

"The reason passwords should not be the same between sites is that systems get breached, and then attackers [can] reuse passwords or even get passwords out of plaintext through phishing," Heywood told ConsumerAffairs. "This makes a password manager critical."


Geico, Humana, J&J, and PBM Nutritionals agree to class action settlements

Several more major corporations have agreed to class action settlements, handing out millions of dollars. But affected consumers have no time to waste as the deadlines for filing a claim expire this month.

For starters, Humana has agreed to settle a lawsuit brought over its 2020 data breach. Settlement documents did not disclose how much the health benefits provider has agreed to pay. It affects those who were notified by Humana that their personal health information was compromised when hackers broke into the company’s network.

Hackers got access to sensitive health information as well as personal identifying information, such as Social Security Numbers. The deadline for filing a claim is Nov. 15.

Two Geico settlements

Geico is settling two class actions this month. In the first, the auto insurance company is paying $19.1 million to resolve claims that it did not pay sales tax and other fees when paying California customers who suffered a total loss.

The settlement covers California policyholders who did not get compensated for the tax and fees for total loss claims submitted between June 27, 2015, and Aug. 27, 2020. The deadline to file a claim in the settlement is Nov. 11. 

Geico has also agreed to pay an undisclosed amount to resolve a class action suit that it underpaid healthcare providers in Florida for treating covered patients. That claim deadline is Nov. 28.

Consumers who purchased the drug Remicade (infliximab) between April 5, 2016, and Feb. 28, 2022 may be eligible for a cash settlement from Johnson & Johnson and its subsidiary Janssen. The companies have agreed to a combined $25 million payment to settle claims they violated antitrust laws by suppressing generic competitors.

The suit claimed that action resulted in higher prices for Remicade, a prescription medication to treat Crohn’s disease. To be eligible for compensation, consumers must submit claim forms by Nov. 30.

Baby formula misinformation

Amidst an ongoing baby formula shortage, PBM Nutritionals has agreed to pay $2 million to settle a class action lawsuit that claimed the company’s baby formula product doesn’t produce the advertised number of servings.

Consumers who purchased Well Beginnings, Meijer Baby, Little Journey, Wesley Farms, Burt’s Bees Baby, Berkley Jensen, Parent’s Choice, Earth’s Best Organic, Comforts, Up & Up, Babies “R” Us, Member’s Mark or Bobbie Baby brand baby formula between Jan. 1, 2017, and July 21, 2022 may be eligible for compensation.

Claims in that case must be filed by Nov. 30.


Consumers can get free hamburgers to as much as $3,500 in settlements from GE, Toyota and others

In ConsumerAffairs’ latest round-up of class action settlement announcements, we found another pile of cash that companies are paying consumers to settle claims brought against them in a variety of class action lawsuits.

At TopClassActions, we found all the details of the settlement and how to apply. 

General Electric (GE): In early 2020, GE confessed that its current and former employees may have had their information stolen through a data breach of one of GE’s providers. The breach reportedly compromised sensitive information such as names, addresses, Social Security numbers, driver’s license information, bank account numbers, passport data, and birth dates.

As the terms of the settlement are spelled out, class members can receive reimbursement for lost time and out-of-pocket expenses. Depending on the time lost, money spent on things like credit freezes, etc., compensation could range from $18 to $3,500.

Applicants have until Dec 22, 2022 to file. Full details and enrollment are available on this website.

Toyota/Lexus: If you’re one of the nearly 3 million former or current Toyota or Lexus owners whose vehicle was recalled due to a faulty Denso fuel pump, the parties have reached a settlement and are ready for those affected by the situation to file for damages.

Under the terms of the settlement, class members can receive reimbursement for out-of-pocket repairs, an extended warranty, a customer support program, and loaner/towing coverage.

The only box left to check is the one for final approval on the settlement and that’s scheduled for Dec. 14, 2022. Then, the deadline to seek reimbursement is 90 days after the final judgment, estimated to be March 14, 2023. 

To find out more about the settlement and application process, go to this website or phone 1-833-512-2318.

Automotive Parts that affected a variety of cars: The latest round of settlement distributions that’s part of a massive $1.2 billion settlement resolving antitrust allegations is ready to go.

The settlement will benefit lots of consumers – everyone from A to V (Acura owners to Volvo owners) – who purchased or leased certain new vehicles in the U.S. between 2002 and 2018, or who paid to replace one or more qualifying vehicle parts (many of them being electric or hydraulic braking systems). A full list of eligible vehicles and applicable time periods can be found on the settlement website.

Smashburger: Smashburger fans should check out the sizzle the chain has agreed to in settling claims that it falsely advertised its hamburgers as containing “double the beef.” And the good thing is that consumers do not need proof of purchase to benefit from the settlement.

The settlement benefits consumers who purchased Triple Double hamburgers, Bacon Triple Double hamburgers, French Onion Triple Double hamburgers and/or Pub Triple Double hamburgers from Smashburger anytime between July 1, 2017, and May 31, 2019.

It’s not like class members will get a giant windfall like burgers for life, but they will receive a $4 cash payment per purchased product for a maximum payment of up to $20 per household. If they’d rather get a voucher instead, the people who opt into vouchers will receive up to 10 vouchers with each voucher having a $2 cash value. 

Go here to find out more about the settlement and to apply as a class member. Applicants have until late January 2023 to get their application in.


Doing your holiday shopping early? Are you ready for package delivery humbugs?

Anyone who is doing their holiday shopping early, heads up! Two new studies show there may be trouble on the way.

One says that one in seven experience package theft; another says that shipping scams are mounting up, adding another layer of woe.

In C+R Research’s latest annual package theft report, more than a quarter of Americans said they’re concerned that they could lose their gifts to porch pirates. And those thefts can be costly, too, with the average value of stolen packages ringing up at $112.30.

Where you live apparently matters to thieves. According to C+R, thieves may be zip code snobs. The researchers said that about half (49%) of those who’ve had a package stolen live in the suburbs, 39% are city dwellers, and 12% live in rural areas.

Delivery services are on alert, too

Unfortunately for delivery services, they’ve got two problems. One is that nearly half of those surveyed don’t think retailers and delivery companies do enough to prevent package theft. The other is that scammers seem to be loving delivery scams like there’s no tomorrow.

According to its latest Brand Phishing Report, Check Point Research (CPR) says hackers are imitating one major shipper and one major retailer in attempts to lure people into giving up personal data. 

DHL places at the top of the list for most impersonated, accounting for 22% of all phishing attempts worldwide. DHL also has a make-believe affiliate named “BHL” that some scammers are using to leverage cybertheft, too.

Another major firm scammers are impersonating is Walmart, which accounts for 5% of all phishing attacks globally.

How consumers can protect themselves and their packages

To beat porch pirates at their game, the C+R researchers said there are several things consumers can do to protect their online purchases.

“If you know a package is expected to be delivered – be diligent in collecting it as soon as possible to lessen the opportunity for porch pirates to steal it,” the researchers suggested.

“That's why most people (60%) keep a close eye on delivery tracking, and 43% sign up for delivery alerts.”

Some consumers stay home when they know a package is on the way, but not everyone can afford to do that. In those situations, the researchers suggest more preventative measures, such as installing a doorbell camera, sending the package to their workplace or a relative’s home, or opting to pick up their online order in the store.

When it comes to packages being delivered, many – if not most – consumers simply don’t know if DHL, UPS, the Postal Service, Amazon, or FedEx is in charge of the delivery.

“DHL is the brand most likely to be imitated, it’s crucial that anyone expecting a delivery goes straight to the official website to check progress and/or notifications,” Omer Dembinsky, Data Research Group Manager at Check Point, said in an email to ConsumerAffairs.

“Do not trust any emails, particularly those asking for information to be shared. In [the latest quarterly analysis], we saw a dramatic reduction in the number of phishing attempts related to LinkedIn, which reminds us that cybercriminals will often switch their tactics to increase their chances of success.”
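The advice to go straight to the official website, and the “BHL” lookalike described above, can be expressed as a mechanical check on a link's real host. This is an added example, not code from Check Point or ConsumerAffairs; the brand-to-domain map, the verdict names, and the sample links (all on the reserved .example TLD) are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: primary domains of the two brands named in the report.
# Extend this map for other carriers or retailers you expect mail from.
OFFICIAL = {"dhl": "dhl.com", "walmart": "walmart.com"}


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_link(url):
    """Return (verdict, brand) for a link found in a delivery or deal email.

    Verdicts:
      official              host is the brand's domain or a subdomain of it
      brand-on-foreign-host brand name appears, but the host is someone else's
      lookalike             a name one edit away from a brand ("bhl" for "dhl")
      no-brand              nothing resembling a known brand
    Only "official" means the link points at the brand's own site.
    """
    # Accept bare "host/path" strings as well as full URLs.
    parts = urlsplit(url if "://" in url else "//" + url)
    # .hostname ignores any "user@" prefix and port, so a link written as
    # "walmart.com@other.example" is judged by the host actually contacted.
    host = (parts.hostname or "").lower().rstrip(".")

    for brand, domain in OFFICIAL.items():
        if host == domain or host.endswith("." + domain):
            return ("official", brand)

    # Tokenise the whole authority part (including any user@ prefix).
    tokens = [t for t in re.split(r"[^a-z0-9]+", parts.netloc.lower()) if t]

    for token in tokens:
        if token in OFFICIAL:
            return ("brand-on-foreign-host", token)

    # Short names such as "dhl" have innocent one-letter neighbours, so
    # "lookalike" is a prompt for a closer look, not proof of fraud.
    for token in tokens:
        for brand in OFFICIAL:
            if edit_distance(token, brand) == 1:
                return ("lookalike", brand)

    return ("no-brand", None)


# Constructed sample links, not taken from any real campaign.
SAMPLES = [
    "https://www.dhl.com/track?id=1",
    "https://bhl-delivery.example/track",
    "https://dhl.com.parcel-update.example/login",
    "https://walmart.com@rewards.example/gift",
    "wallmart-deals.example",
    "https://news.example/story",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link)!s:40} {link}")
```
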


Five signs your phone may be spying on you

If your phone is acting a little sluggish, it may be because spyware has wormed its way into your phone’s system -- tracking every click you make, every step you take, and anything and everything you do. And the situation could get worse before it gets better, too. 

Like the rest of the world, malware took 2020 off, but now it’s back with a vengeance. In 2021, Malwarebytes detected 77% more malicious software than in 2020. The study said that malware threats made on consumers last year eclipsed 150 million. 

Consumers have their work cut out for them

Before you go pointing fingers at Google or Apple or your carrier, know that they’re doing all they can. For its part, Apple unleashed Lockdown Mode to protect iPhone owners.

Google’s been busy protecting its Play Store from Potentially Harmful Applications (PHAs), too. It’s gotten the number of PHAs down to less than 1% of the total apps installed, but spyware accounts for 48% of those. 

Still, when you look at how many apps are installed from Google Play, that sub-1% still adds up to the possibility that hundreds of millions of spyware-laden apps are winding up on people’s phones.

How do you know if spyware is on your phone? Cybersecurity experts from VPNOverview have collected the top five warning signs that could indicate that hackers are using your phone to spy on you. The study also details how you can prevent and remove spyware that hackers may have installed onto your phone.  

The Top 5 signs you’re being spied on

1. Slow performance 

The number one indication that spyware is on your phone is that your device is constantly slow – slow because it’s running rampant in the background uploading your personal data, your photos, your documents, and other files to an external server.

The VPNOverview experts say you can make sure this isn’t happening by checking your phone for any unfamiliar apps and scanning any hidden apps using an antivirus program. If you find an app that seems suspicious, deleting it may improve the performance of your device.

“Whilst some spyware is hidden by hackers, some spyware programs will appear amongst your apps," the VPNConnect cybersecurity team told ConsumerAffairs.

"These apps may show up as parental control apps intended to be used to monitor a child’s cyber safety, however, they could have been installed by a jealous ex-partner to spy on you."

What are some apps that you should look for? The analysts singled out these: mSpy, Spyera, Flexispy, Umobix, Ikey Monitor, and Clevguard.

2. Random reboots 

Another tell-tale sign that spyware is on the loose is that your phone reboots without your authorization, and not because it overheated or is doing a typical system update.

“This can indicate that someone has remote, administrator-level access to your phone. The hacker can do whatever they want with your device if this is the case,” VPNConnect analysts said. “To rule out the presence of spyware, you can update your phone’s operating system, and delete any malfunctioning apps. If neither of these solutions solves the random reboots, you may have spyware on your phone.”

3. Strange text messages 

With robocalls being throttled thanks to new rules from the Federal Communications Commission (FCC), smishing has taken its place and, with that, hackers are employing text messages to take a screenshot, detect your location or even gain control of your phone. 

“You should be not only vigilant of incoming texts but also outgoing texts as a hacker can send text messages from your phone to communicate with their own server," VPNConnect warned. 

"Any message that looks unfamiliar, sounds like gibberish, or appears outright strange should be ignored. This is especially the case for unfamiliar texts containing links; these links can allow a hacker access to your phone if clicked on.” 

4. Overheating 

With summer pretty much gone, phones overheating naturally from the elements should be happening less often. However, if your phone is still overheating, it’s possible that the heat is coming from a malicious app running in the background, especially if the overheating occurs when the phone is on standby.

How can you tell whether it’s spyware or not? First, make sure that your phone doesn’t have a hardware issue, and check that the apps you have installed are not large resource consumers.

To do that, the VPNConnect folks suggest going into your phone’s settings and checking your app list to see which apps use the most resources (apps are usually presented in order of most resource use, by the way).

“Some apps will have legitimate reasons for taking up energy on your phone, but any that use more than they should (may) be the culprit and should be deleted,” the analysts said.

5. Unusually high data usage 

If you’re not a big data hog – like watching a ton of videos – but still see your data usage higher than you think it should be, it may be a cause for concern. 

“A hacker’s primary goal is to harvest your data, to sell it to the black market, or use it to blackmail you. To gather this information, a hacker will remotely access your phone and transfer your files to their server, which requires data usage on your end,” VPNConnect privacy pros said.

“Therefore, if your cellular data usage seems unusually high, this could indicate that something suspicious is going on with your phone. It is a good idea to keep track of your monthly data use to identify any unexpected spikes.”


Have a Samsung device? Guess what – the company says it’s suffered another user data breach

Samsung reports that it’s suffered another data breach – its second this year and one that exposed the names of customers and their demographic information like birth dates.

On Friday, the company announced that the breach happened in late July when an unauthorized third party acquired information from some of Samsung’s U.S. systems. When the company completed its investigation the first week of August, the probe revealed that personal information of certain customers was affected. 

“We have taken actions to secure the affected systems, and have engaged a leading outside cybersecurity firm and are coordinating with law enforcement,” the company said in its notice to customers about the incident.

Should you be worried?

ConsumerAffairs reached out to Samsung asking how many personal information records were involved but the company didn’t offer an answer in its response. Still, with nearly a billion consumers worldwide using a Samsung phone and another billion with a Samsung TV, the situation could be concerning for a great number of consumers.

MakeUseOf’s David Rutland says that on top of what Samsung “officially” revealed as to what data was exposed, contact details “likely” include home address, phone number, and email. Rutland thinks that it could go even deeper because the additional information Samsung collects during product registration includes gender, geolocation data, Samsung Account profile ID, username, and more.

“Even just your email address can be valuable to criminals,” he said. “Samsung's half-hearted reassurance may console some customers that the criminals aren't using their credit card details to, for instance, buy untraceable cryptocurrency. However, the amount of information which the company admits may have been taken is staggering, and not something so easily passed off as immaterial.”

Steps that should be taken

Some cybersecurity experts warn the world has reached a dangerous crossroads where companies want as much personal data as they can amass and cybercriminals want as much as they can steal. 

In an email to ConsumerAffairs, Scamicide's Steven Weisman says that the lesson every consumer needs to learn is to limit just how much private information they give to companies when they sign up for an account or register a product.

“For example, your doctor doesn't need your Social Security number for his or her records,” Weisman said.  

Until this issue is resolved completely, anyone who has any sort of Samsung device might be wise to freeze their credit at the major credit reporting agencies: Experian, Equifax, and TransUnion. If whoever laid hands on the Samsung data wants to try and leverage someone’s personal information, they’ll be blocked from credit-related records. If freezing your credit report sounds like a hassle, it’s really not.

“This is offered through all three major credit bureaus and certain software and can conveniently be switched on and off in order to allow approved third-parties to access reports when needed,” Hari Ravichandran, founder and CEO at Aura, an online privacy safety service, told ConsumerAffairs in the recent “Pandemic to Scamdemic” report.

“If you suspect that your personal information has been compromised in a data breach or otherwise, seriously consider freezing your credit in order to prevent bad actors from opening accounts or taking out loans in your name,” Ravichandran said.


Is nothing private anymore? The FTC says apparently not as it sues a data collection company

The Federal Trade Commission (FTC) has served notice that there are limits to how far a person can be tracked. In a new lawsuit against data broker Kochava Inc. the agency claims that Kochava sold geolocation data from “hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.” 

And sensitive it is. The FTC said that Kochava’s data has the potential to reveal everything from someone’s visit to reproductive health clinics to places of worship, and even deeply personal facilities like homeless and domestic violence shelters, and addiction recovery locations. 

By selling data that tracks people, the FTC considers that Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence. 

“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”

The FTC’s lawsuit seeks to halt Kochava’s sale of sensitive geolocation data and require the company to delete the sensitive geolocation information it has collected. 

While Kochava may not be a household name, it’s a considerable force when it comes to data. The company claims it has more than 4,500 “partner integrations” and its clients are a who’s who of consumer-focused companies including Airbnb, Kroger, McDonald’s, Disney, John Hancock, Chick-fil-A, and CBS.

ConsumerAffairs reached out to Kochava, but did not receive an immediate response.

FTC wants this type of collection stopped now

The Kochava lawsuit may be the tip of the iceberg when it comes to data collection. The FTC’s not showing its hand, but recently it went on record as saying that almost everything a consumer touches and places they go can be collected. 

“Smartphones, connected cars, wearable fitness trackers, ‘smart home’ products, and even the browser you’re reading this on are capable of directly observing or deriving sensitive information about users,” the agency said. 

“These data points may pose an incalculable risk to personal privacy. Now consider the unprecedented intrusion when these connected devices and technology companies collect that data, combine it, and sell or monetize it. This isn’t the stuff of dystopian fiction. It’s a question consumers are asking right now.”

How people can minimize their exposure to location tracking

Location tracking is important not just to Kochava but to lots of agencies that collect data and then offer it to advertisers and vendors who want to provide a better user experience or feed information that might be of more interest to the user, says Jon Clay, vice president of Threat Intelligence at Trend Micro.

“While this may be a good thing as it delivers relevant information to the user as they change locations or visit areas where they've never been before, there is a potential for this to be abused by malicious actors,” Clay told ConsumerAffairs. “From scammers to criminals to worse, if this data gets into the wrong hands, these people could target the user."

Clay says the question of risk comes down to whether the benefits outweigh the potential harm that could occur.

“The FTC suing an organization that sells this data to others is a potential game changer as it should cause other data processors to rethink their business practices and ability to secure their customer data,” he said.

If consumers are lucky, Clay said that they’re likely to see regulations start to be created that help consumers be more in charge of their data instead of "the opposite as it is now.” Until then, what can someone do? Clay offered these suggestions on how people can help manage their data now:

  • Turn off location tracking on your mobile devices. On an iPhone, go to Settings > Privacy, then select Location Services. Select an app, then turn Precise Location on or off. On an Android device, open your phone's Settings app. Under "Personal," tap Location access. At the top of the screen, turn Access to my location on or off.

  • Look to use browsers that don't gather your data or limit what your browser can track.

  • Opt out of ad tracking and opt out of ads altogether. Here’s one way to do that.

  • Control what permissions you give apps on your mobile devices. Here’s how to do that on an Android device and how to do it on an Apple device.

  • Install a modern security app that can detect scams or threats in email, texts, and voice. Clay said his company's free Trend Micro Check tool can do that, as well as identify fraud and misinformation.

  • Regularly check your online accounts for suspicious activity.


Many Apple devices are vulnerable to hackers, security experts say

While vigilance with cybersecurity is always of the utmost importance for consumers, experts are now urging Apple users to update their devices to run the latest version of the operating systems. This includes iPhone model 6S and later, iPod touch 7th generation, iPad Air 2 and later, iPad 5th generation and later, all of the iPad Pros, and the iPad mini 4 and later. 

The company released security updates for the devices last week after discovering that they may be susceptible to two different security flaws that could be abused by hackers. One vulnerability was in the kernel, which is the hub of Apple’s operating systems, and the other was in WebKit, which powers several apps, including Safari.

The biggest risk is a hacker fully invading the device. Security experts explained that because these security flaws are based in the operating systems of the devices, it makes it easy for hackers to access users’ personal data. Additionally, because there are two vulnerabilities, it makes it easier for hackers to bypass different security measures and get into a device. 

Though many Apple devices are set to update automatically, the updates aren’t always completed immediately, and may not begin until a device is plugged in. This makes it all the more important for consumers to check for software updates and manually update their devices to the latest operating software as soon as possible. 

Another Mac security flaw

This news comes on the heels of another recent story about vulnerabilities many Mac users were facing with the Zoom app. 

Patrick Wardle, founder of the nonprofit organization Objective-See, discovered a flaw in Zoom’s automatic update tool that could allow hackers to infiltrate Mac computers. He explained that when this tool runs an update, it looks for a signing certificate – or a unique digital verification code – that matches Zoom. 

Since automatic updates do not require a password to be installed, hackers could create packages that mimic Zoom’s signing certificate to install malicious files or programs onto users’ Macs. This could allow them to completely take over the device to delete files, steal passwords, or alter documents. 

Similar to this most recent notice to update Apple devices, Mac users specifically were encouraged to update Zoom to its most recent version to protect themselves from hackers.


New Zoom bug makes Mac users more vulnerable to hackers

Zoom rapidly gained popularity during the COVID-19 pandemic as more consumers shifted to remote work. However, users have faced several security and privacy issues over the years in connection to the service. Now, one researcher says a new bug is putting Mac users at risk. 

Patrick Wardle, founder of the nonprofit organization Objective-See, stated at a recent DefCon event that a flaw in Zoom’s automatic update tool could allow hackers to infiltrate Mac computers. He explained that when this tool runs an update, it looks for a signing certificate – or a unique digital verification code – that matches Zoom. 

Since automatic updates do not require a password to be installed, Wardle says hackers could create packages that mimic Zoom’s signing certificate to install malicious files or programs onto users’ Macs. This could allow them to completely take over the device to delete files, steal passwords, or alter documents. 

Get the latest version of Zoom

Wardle initially told Zoom about his findings back in December, which prompted the company to create a fix for the issue. Unfortunately, that fix reportedly included a bug that still allowed the automatic updater vulnerability to be effective. 

Following Wardle’s DefCon presentation, Zoom issued a new patch under update 5.11.5 (9788). Mac users should download this update immediately to protect themselves from hackers.


Twitter confirms major hack that exposed personal data on millions of users

Twitter has confirmed that 5.4 million accounts were plundered in a recent data breach, with the hackers hauling away personal data such as physical locations, profile photos, email addresses, and phone numbers associated with those account profiles. 

The hackers are already trying to make money off their theft. Bleeping Computer reports that the data the hackers tapped into is being offered for close to $30,000. Two different threat actors reportedly purchased the data for less than the original selling price, and all that information will likely be released for free in the future.

The attack came about as the result of a zero-day exploit – a maneuver in which hackers target a software vulnerability that the software vendor and antivirus vendors do not yet know about. AndroidPolice reports that the Twitter hackers used a vulnerability that allowed anyone to query a phone number or email to check on an active Twitter account and then obtain the account information.

Twitter responds

When it comes to zero-day exploits, Twitter is not alone. Over the last few years, Google, Apple, and Microsoft have all been hit by them. After already being fined $150 million this year for failing to protect consumer data, Twitter is trying its best to get ahead of this situation. The company said it deeply regrets the situation and fully understands the risk this poses to its users.

While the social media company is powerless to fix this current situation, it does have some recommendations that users can use to protect their personal data in the future. The first thing it suggests is making sure a Twitter account does not have a publicly known phone number or email address attached to it.

Even though passwords weren’t stolen, Twitter also strongly suggests enabling two-factor authentication by using authentication apps or hardware security keys. This can help protect a user's account if someone does steal their password.

The company says it’s also offering users access to its Office of Data Protection, where they can inquire about the safety of their account or ask questions about how it protects their personal information. Anyone who is interested in gaining access to that information can contact Twitter through this form.

Lawmakers ask FTC to examine promises made by VPN providers

The safety of Virtual Private Networks (VPN) – which are internet tools that prevent users from being tracked or interfered with – has come under scrutiny from two members of Congress.

In a letter to Federal Trade Commission (FTC) Chair Lina Khan, Congresswoman Anna Eshoo (D-CA) and Senator Ron Wyden (D-OR) are trying to persuade the agency to address deceptive practices in the VPN industry. Specifically, they point to VPN practices related to people attempting to mask their digital fingerprints in the wake of the Supreme Court’s decision to overturn Roe v. Wade.

In their letter, Eshoo and Wyden said some VPN providers are not only making false and misleading claims about their services, but they are also negating their promise of anonymity by selling personal data and providing user activity logs to law enforcement.

Consumers should do their VPN homework

To show that VPN providers are being less-than-honorable in their pitches to consumers, the lawmakers cited a study that found 75% of leading VPN providers misrepresented their products and technology or made exaggerated claims about the protection they provide users.

“It’s extremely difficult for someone to decipher which VPN service to trust, especially for those in crisis situations,” Eshoo and Wyden wrote. “There are hundreds, if not thousands, of VPN services available to download, yet there is a lack of practical tools or independent research to audit VPN providers’ security claims.”

The lawmakers urge consumers not to jump into a VPN subscription without researching the services first. Reports indicate that two out of three free VPN users have experienced technical issues on their networks. In some cases, VPN providers have claimed that they have a right to share users' data with a wide array of third parties.

“The Password manager privacy policy, as written and provided at install, reads in such a way that no one in their right mind would use Kaspersky software,” Brian of Semans, Saskatchewan, claimed in a ConsumerAffairs review of Kaspersky Anti-Virus. “Their policy states they wish to have the right to share users' private info with anyone including third world countries... This is security?”

Lincoln College forced to permanently shut down following cyberattack

After more than a century and a half, Lincoln College in Illinois is no more. Over the course of its history, it was able to stave off the Great Depression, the Spanish flu, and a couple of World Wars, but the wrath of COVID-19 and a cyberattack that hindered access to all of the college’s data proved to be too much for the predominantly Black college.

“Lincoln College has been serving students from across the globe for more than 157 years,” said David Gerlach, president of Lincoln College. “The loss of history, careers, and a community of students and alumni is immense.”

Gerlach said things were looking good up until 2019, with enrollment at Lincoln at an all-time high. But when the coronavirus hit town, recruitment, fundraising, athletics, and campus life were brought to their knees.

Added to the economic burdens brought about by the pandemic that required significant investments in technology and campus safety measures, many students decided to put college on the back burner. That put an even greater crunch on the school’s finances. Supporters of the school tried their hand at a GoFundMe campaign in hopes of raising $20 million, but the effort barely raised $2,000.

Cyberattack delivers knockout punch

The knockout punch for Lincoln came in the form of a cyberattack from Iran in December 2021, one that held the college’s computer systems hostage and made all systems required for recruitment, retention, and fundraising efforts inoperable.

By the time the school paid the ransom and got everything restored four months later, the recruitment projections showed significant enrollment shortfalls that required a transformational donation or partnership to sustain Lincoln College beyond the current semester.

“The cyberattack was just another kick in the shin,” for the struggling college, Gerlach told Forbes. 

We’re likely to hear about cyberattacks and colleges again. Cybercriminals have come to love targeting colleges and universities because, by and large, they just don’t have the cyber defenses to stave off ransomware attacks. So far this year, North Carolina A&T State University, North Orange County Community College District, the Ohlone Community College District in California, and Midland University in Nebraska have also reported ransomware attacks.

Ransomware attacks like these cost colleges an average of $112,000 in ransom payments. But that ransom payment is just a drop in the bucket compared to the total cost of resolving the attack, which averages about $2.7 million per incident, according to Chester Wisniewski, a principal research scientist at security software and hardware company Sophos.

“The average cost to an organization in the private sector was $1.8 million U.S. dollars after a ransom attack,” Wisniewski told Forbes. “So it was almost a million dollars higher cost for educational institutions to recover versus a normal private sector organization.”

Massive Android hack compromises device cameras and microphones

Android users around the world are facing the threat of being attacked after a security issue was uncovered that leaves a device’s microphone and camera vulnerable to remote access.

Writing about its discovery, Check Point Software Technologies said hackers could leverage the vulnerability to snoop on users' audio/video media and even listen in on phone calls.

The phones that are most prone to danger are ones that have Qualcomm or MediaTek chips. Unfortunately, 98% of Android devices are powered by those two processors, so the impact could be enormous.

Closing the vulnerability

The Check Point researchers stated that they disclosed their findings to both chipmakers, and each company has apparently patched the security issue. However, anyone who has an Android device will need to update their system software to keep their device secure.

Failing to apply the update could be especially dangerous since all it would take is for a hacker to send someone a doctored audio file to compromise their device.

"The...issues our researchers found could be used by an attacker for remote code execution attack (RCE) on a mobile device through a malformed audio file," the researchers explained. "RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.

"In addition, an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations."

Google sends out warning to billions of Chrome browser users

The axiom “the bigger they are, the harder they fall” couldn’t be more accurate. Google has announced that the 3.2 billion people who use its Chrome browser have been left vulnerable following a series of new hacks aimed at dismantling Chrome. And no one – not Mac users, not PC users, not Linux users – is safe.

Google confirmed the hacks on its company blog, saying that nine of the 11 hacks that were discovered pose a "high level threat." The company said it’s working on a patch to close off the vulnerabilities.

What should Chrome users do?

To guard against the latest hacks, Forbes reports that Google released the Chrome 100.0.4896.88 update. Nonetheless, some patience will evidently be required. Google said the update will not be made available to everyone all at once. Instead, it will "roll out over the coming days/weeks." 

To manually check for the update, click the three dots in the top right corner of the Chrome browser and navigate to Settings > Help > About Google Chrome. An option to update your browser will be there if it is available.

For those who don't want to move away from the Chrome browser, using Enhanced Safe Browsing mode may be a viable option to keep your web surfing more secure.

Security experts encourage two-step authentication for enhanced security

More websites and business organizations are requiring two-step authentication for access as a way to increase security. Security experts say requiring a second step is highly effective at blocking intrusions, just as adding a deadbolt lock to a door is more likely to deter burglars.

Even though hackers have recently set their sights on large organizations, that doesn’t mean consumers are in the clear. Scammers are still looking for ways to take over people’s online accounts.

If your account is only protected by a username and password, you could be vulnerable, says Dominic Chorafakis, a cybersecurity expert at Akouto. Millions of usernames and passwords have been stolen in massive data breaches, so a hacker can easily access the account by purchasing the username and password on the dark web.

‘Something-you-have’

The hacker’s task gets more difficult when the consumer is employing two-factor authentication. Chorafakis calls this the “something you know” authentication method.

“Two-factor authentication requires two different types of information to be used by the authentication process, something-you-know and something-you-have,” Chorafakis told ConsumerAffairs. “The something-you-know factor is usually the familiar username and password combination. The something-you-have factor can be many different things, the most common being your mobile phone.”

After entering the username and password, a one-time code is sent via text to the mobile number registered with the account. Even if a hacker has your username and password, they can’t access the account because they don’t have your smartphone. It’s a way to significantly increase security, but it isn’t foolproof.

“Unfortunately, hackers have found ways around this,” Chorafakis said. “One of the most common techniques is to trick people into installing mobile apps disguised as games that are actually malware able to steal login information including one-time-passwords. If you unknowingly install one of these malicious apps and then use your mobile phone to log into a service, hackers can get all the information they need to take over your account.”

Security keys offer more protection

The point is to be very careful and selective about the apps you install on your smartphone, even if they appear to be legitimate. To add an even higher level of security, some people are using hardware security keys instead of their smartphones. 

“These are physical USB sticks that plug into your computer and act as the second factor of something-you-have,” Chorafakis said. “You can think of them as physical keys that you need to insert into a lock, in addition to providing your username and password, to gain access to your accounts.”

Many large tech companies have made these hardware keys a routine part of security. Chorafakis says companies that have taken this additional step for their employee logins have virtually eliminated account breaches caused by password theft.

Okta suffers data breach affecting thousands of businesses and agencies

Okta, an authentication services provider, announced that it has suffered a data breach. The company told Reuters that hackers have already gone as far as posting screenshots of parts of Okta’s internal company environment.

If the hack is real, the snowball effect could be large. Okta claims to serve more than 15,000 brands by securing their digital interactions with consumers and employees. T-Mobile, Albertson’s, FedEx, Sonos, and Nasdaq are all clients of the company -- and those companies are potentially loaded with a cornucopia of personal data.

The hackers appear to be from a group called Lapsus$ – the same extortion group that took responsibility for the Samsung Galaxy breach earlier this month. The group claims that it has had “Superuser/Admin” access to Okta’s systems for more than a month; however, the hackers said their focus was “only on Okta customers.”

In a statement, Chris Hollis, a Senior Manager of Security and Crisis Communications at Okta, said the breach might be related to a previous incident in January that the company previously addressed.

"We believe the screenshots shared online are connected to this January event," he said. "Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

Putting consumers’ data security on heightened alert

With the possibility of the Russia-Ukraine conflict spilling over into a cyberattack on Americans and U.S. businesses, President Biden is not leaving anything to chance. In a roundtable discussion with CEOs on Monday, he said one of the tools Russia is most likely to use is cyberattacks. 

“The private sector, all of you, largely decides the protections that we will or will not take in order to protect your sources,” the president warned.

“But let me be absolutely clear about something: It’s not just in your interests that are at stake with their potential use of cybersecurity … the national interest is at stake."

How do consumers protect their data?

Mark Kapczynski of OneRep – a company that assists the public in removing their private data from the web –  says many people use careless internet habits and run the risk of compromising their own privacy.

“Remember that cool site with a giveaway that you gave your personal information to? Well, more than likely they sold it to a larger data aggregator like TransUnion, which pulls in millions of consumer data points and then sells all of our consumer personal information in bulk to these people search sites,” he said.

Kapczynski says consumers should take advantage of different privacy tools to ensure that their personal information stays secure.

“If you are going to share your information online with various sites, use some of the new email and phone number hiding tools within your iPhone, and/or get an email address and phone number that is dedicated only for your online activities and can easily be deleted or discarded. Most importantly, never give out personal data to online sites unless you know them to be trustworthy and respect consumer privacy,” he suggested.

Consumers would be impacted if Russia launches a cyberattack on the U.S., experts say

While Russia and Ukraine are duking it out on the ground, there’s growing concern that Russia might take to the digital sphere to pay back the U.S. for the economic sanctions imposed against it.

Russia has long been associated with trying to cripple the U.S. via cyberattacks. The country is thought to have been associated with the attacks on the world’s largest meat producer JBS and the global supply chain. Just last week, the Senate passed the Strengthening American Cybersecurity Act of 2022 to shore up the U.S.' cybersecurity.

Fearing that Russia-backed hackers might have their sights set on banks, the Financial Crimes Enforcement Network (FinCEN) issued an alert on Monday that advises all financial institutions to be vigilant against potential Russian efforts to evade the U.S.’ expansive sanctions. FinCEN put financial institutions that deal in cryptocurrency on the highest alert because gaining access to cryptocurrencies might be an easy target that could help Russia replenish its coffers after the U.S. placed economic pressure on the country.

Experts weigh in on the overall issue

Watching the Russia-Ukraine conflict unfold on TV is one thing, but if Russia decided to punish the U.S. for its role, what would the stateside effect be? ConsumerAffairs asked Dr. Aaron Brantly, Director of the Tech4Humanity Lab at Virginia Tech, to comment on the situation. 

“I would say that the threat of Russian cyber attacks against US infrastructure is high. But that such attacks have been defined by the administration as an escalatory red-line that could possibly involve the US and by extension NATO into the war in Ukraine,” Brantly told us. “Regarding individual consumer attacks to current financial constraints on the Russian Federation make such attacks less attractive as the money launder routes are increasingly closed.”

As for what the FinCEN alert and the Strengthening American Cybersecurity Act were designed to do, Brantly thinks it’s a good move to start.

“Each act and move towards more robust cybersecurity is a step in the right direction. Yet any notion that any system or country will be largely invulnerable to cyber-attacks in the future does not pair up with the technical reality of software and hardware development.”

Consumers can protect themselves

How much could a cyberattack against the U.S. impact consumers? Therese Schachner, a cybersecurity consultant at VPNBrains, says the average person would likely feel some of the fallout.

“Organizations providing critical infrastructure are prime targets for cyberattacks since these organizations provide services that are essential for consumers," Schachner told ConsumerAffairs. "When the public loses access to power, healthcare, or other key services due to system outages caused by cyberattacks, massive disruptions are caused in the economy and in consumers' everyday lives.”

She added that government agencies -- like the Social Security Administration and the Veterans Administration – are also at risk because they provide key services and have access to confidential information that adversaries can use to gain a political or military advantage.

Schachner says consumers who are concerned about a major cybersecurity incursion can make some proactive efforts that may lessen the impact of an attack if it happens. For one thing, she suggests consumers keep their software up to date with the latest security fixes. 

“Older versions of software often have security vulnerabilities that attackers can leverage as initial entry points to computer systems to damage or disable them or gain access to confidential data,” she said.

“Strong passwords are harder to crack, and two-factor authentication adds an extra layer of security into the user authentication process, allowing users to provide additional proof that they are the true owners of their accounts.”

Schachner’s last suggestion to consumers is to keep an eye on their bank and credit card accounts. 

“Monitor accounts for unusual activity, such as suspicious purchases and logins from unrecognized locations and devices, then report and address potentially malicious activity in a timely manner before it escalates into more serious problems,” she suggested.

Dozens of U.S. critical infrastructure organizations breached by ransomware group

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning to organizations that operate in critical infrastructure sectors that there’s a heightened possibility of new ransomware attacks.

In the warning, the agencies state that the Ragnar Locker ransomware group has launched 52 attacks in 2022 that focused on the manufacturing, energy, financial services, government, and information technology sectors.

"Ragnar Locker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention,” the agencies said. 

Officials say Ragnar Locker has encrypted files on systems and apps that include Windows software, Mozilla Firefox, Internet Explorer, Recycle Bin, Google software, and Opera software.

FBI seeks help from ransomware victims

The FBI says organizations that are targeted with ransomware by Ragnar Locker should not pay the group's ransom to get their files back.

“Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, or fund illicit activities. Paying the ransom also does not guarantee a victim’s files will be recovered,” the Bureau said. 

Although it believes that companies shouldn't pay ransom demands, FBI officials admit that some businesses may need to pay a ransom if they cannot function without certain files. They say company executives should evaluate all options to protect their shareholders, employees, and customers. 

“Regardless of whether you or your organization decides to pay the ransom, the FBI urges you to report ransomware incidents to your local field office. Doing so provides investigators and analysts with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks,” the agency stated.

Samsung reports major hack of Galaxy phones

Samsung has announced that a data extortion gang named Lapsus$ has breached the company’s internal data and stolen confidential source code related to its Galaxy-branded devices (smartphones, tablets, smartwatches, etc.). The company did not disclose exactly what information was hacked, but it did note that it does not foresee any impact on its end-user products or private customer data.

Lapsus$ is certainly making the rounds. It recently released what it claimed to be data and employee passwords stolen from Nvidia, a company that designs graphics processing units (GPUs) for the gaming and professional markets. BleepingComputer reports that it is unclear if Lapsus$ contacted Samsung for a ransom, as it claimed in the case of Nvidia. 

“We were recently made aware that there was a security breach relating to certain internal company data. Immediately after discovering the incident, we strengthened our security system,” a Samsung spokesperson told CNBC.

“According to our initial analysis, the breach involves some source codes relating to the operation of Galaxy devices, but does not include the personal information of our consumers or employees.”

This is just the latest setback that Samsung has faced in recent weeks. Last week, Samsung made the news when phone owners reportedly experienced a slowdown of more than 10,000 apps.

Senate passes bill to require reporting of cyberattacks and ransomware

The U.S. Senate has taken a proactive approach to combat possible cybersecurity threats in the face of the Russia-Ukraine situation.

In a package authored by U.S. Senator Gary Peters (D-MI), the Senate has passed the Strengthening American Cybersecurity Act of 2022. The legislation would require infrastructure entities and federal agencies to report cyberattacks to the government within 72 hours; ransomware threats would also need to be reported within 24 hours. The bill awaits passage in the House of Representatives.

“The legislation is urgently needed in the face of potential cyber-attacks sponsored by the Russian government in retaliation for U.S. support in Ukraine,” Peters stated.

“As our nation continues to support Ukraine, we must ready ourselves for retaliatory cyber-attacks from the Russian government. As we have seen repeatedly, these online attacks can significantly disrupt our economy – including by driving up the price of gasoline and threatening our most essential supply chains – as well as the safety and security of our communities.”

Guaranteeing online security in the U.S.

Peters said he will continue his efforts to make the bill a law. He's urging his colleagues in the House to “urgently” pass the legislation to ensure that the nation's online security is kept safe.

Danielle Jablanski, an operational technology cybersecurity strategist at Nozomi Networks, told CNN that the reporting deadlines written into the legislation may be difficult for some companies to handle because information sharing may not be the top priority in a crisis.

Tight or not, the potential consumer impact could be monumental, as the U.S. found out when the Colonial pipeline was hacked. The breach led to increased gas prices and gas shortages. Meat producer JBS was also hit by a cyberattack that prompted shutdowns at company plants and threatened meat supplies all across the nation.

Stolen T-Mobile data found for sale on the dark web

Florida Attorney General Ashley Moody says her office has learned that personal information stolen during last year’s T-Mobile data breach has begun showing up for sale on the dark web.

Hackers stole the data last August, obtaining consumers’ names, dates of birth, Social Security numbers, and driver’s license information. It’s estimated that the thieves hauled in personal information on as many as 53 million people.

“It is extremely important that consumers who had their personal information exposed during last year’s T-Mobile data breach take immediate action to secure and protect their identities,” Moody said. “A large subset of the information is being sold on the dark web, increasing the likelihood that the data breach victims could have their identities stolen and personal finances compromised.”

Credit monitoring

Some affected consumers have obtained the services of one of the credit monitoring companies to alert them to fraudulent activity.

Paul, of Reynoldsburg, Ohio, opened an account with Identity Guard and was initially unimpressed with the company's service. However, he improved his rating for the company after a representative reached out and offered to provide personal assistance.

"We appreciate the feedback as we always make sure to review and research all issues and concerns. We will have a specialist from our Alerts and Restoration department reach out to you to obtain more details and to offer assistance," the company told Paul.

Unfortunately, that kind of turnaround doesn't happen for everyone. Richard, of Boulder, Colo., signed up with AllClear ID and hasn’t found that service to be that useful, even though the company informs him when his data is found on the dark web.

“They'll also say ‘password found,’ but ‘For your security, we do not display your password in an effort to stop further exposure.’ Because there's not even a hint of which password it was, and there's also not an indication of which site(s) it was associated with, there is literally nothing to do with this notification except feel bad -- unless you want to change your passwords across every single site you use,” Richard wrote.

Actually, security experts say that isn’t a bad idea. They say all passwords should be changed on a regular basis.

Credit Freeze offers the best protection

Moody says there are other proactive steps consumers can take to protect their identities. She suggests placing a credit freeze on credit reports. That will block identity thieves from opening credit accounts in the victim’s name.

To place a credit freeze, consumers must contact each of the three credit bureaus to request it. Here’s the contact information:

Equifax: Visit: Equifax.com/Personal/Credit-Report-Services/Credit-Freeze/ or call 1(888) 766-0008.

Experian: Visit: Experian.com/Freeze/Center or call 1(888) 397-3742.

TransUnion: Visit: TransUnion.com/Credit-Freeze or call 1(800) 680-7289.

A less extreme step is to place a “fraud alert” on all three credit reports. A fraud alert tells lenders and creditors to take extra steps to verify a consumer’s identity before issuing credit. Fraud alerts can be placed by contacting any one of the three major credit bureaus.

Toyota suspends all factory operations in Japan after suspected cyberattack

A suspected cyberattack hit one of Toyota’s suppliers of electronic components and plastic parts at one of its plants in Japan, wiping out 13,000 cars' worth of output. The automaker said it is suspending all Japanese operations until the company has an opportunity to investigate the situation and restore factory operations to normal.

CNBC reports that it’s unknown who was responsible for the attack or what their reason was, but NikkeiAsia reports that malware was involved. Russia has been implicated due to Japan joining Western allies and blocking Russian banks’ access to the SWIFT international payment network in response to Russia’s invasion of Ukraine.

Fumio Kishida, Japan’s Prime Minister, said the government would launch a probe into the incident to determine whether Russia was involved or not.

“It is difficult to say whether this has anything to do with Russia before making thorough checks,” he told reporters. As for Toyota’s official stance on the matter, a spokesperson for the company described it as a “supplier system failure.” 

The effect on production

All told, 28 lines at 14 Toyota plants – plus some plants operated by Toyota’s affiliates Hino Motors and Daihatsu – were shut down because of the incident.

Toyota has not said exactly how long the shutdown will last, but the spokesperson said it will last for more than a day.

Toyota has experienced cyberattacks in the past in Japan and Australia. This time around, though, the company also has to contend with supply chain issues that have been exacerbated by the pandemic. Those conditions were made worse when protesters prevented trucks from passing through U.S.-Canadian borders to deliver parts to North American Toyota factories.


Telecoms ask FCC for $5.6 billion to replace ZTE and Huawei equipment

Several U.S. telecoms are asking the Federal Communications Commission (FCC) to pay them $5.6 billion for “reasonable expenses” they incurred after removing ZTE and Huawei from their networks.

Previously, officials designated Huawei and ZTE as “national security threats” and voted in concert to ban U.S. carriers from offering service from either company and demanded that their equipment be replaced. The FCC originally thought it would cost carriers more than $1.8 billion to satisfy the order, so it set aside $1.9 billion. However, the telecom companies say that number only covers about a quarter of what they need.

“Last year Congress created a first-of-its-kind program for the FCC to reimburse service providers for their efforts to increase the security of our nation's communications networks,” said FCC Chairwoman Jessica Rosenworcel.  

“We’ve received over 181 applications from carriers who have developed plans to remove and replace equipment in their networks that pose a national security threat. While we have more work to do to review these applications, I look forward to working with Congress to ensure that there is enough funding available for this program to advance Congress’s security goals and ensure that the U.S. will continue to lead the way on 5G security.”

Consumers beware

Since the FCC has banned ZTE and Huawei, people who own one of those brands' devices would be smart to start shopping for a replacement.

Raymond, from Danville, Penn., told ConsumerAffairs that he recently purchased a ZTE device and had trouble activating it. Eventually, he took it to a Verizon store for assistance.

"The person there attempted to activate it took my prepaid card and after 45 minutes told me he could not activate it and handed it back to me. I tried returning it without luck," Raymond wrote in a ConsumerAffairs review. "I'm out over 100 dollars and still have nothing."


Venmo and other financial app users to get $58 million in settlement

If you’re one of the tens of millions of consumers who use Venmo, American Express, Robinhood, Ally Financial, Capital One, Citi, Rocket Loans, TD Ameritrade, or Wells Fargo apps to make banking transactions, you may be in for a pleasant surprise.

Plaid – a California-based data transfer network that powers fintech and digital finance products – will be paying $58 million to users to settle charges that it took more financial data than was needed by a user’s app. 

On top of getting more personal financial data than necessary, the company is alleged to have obtained log-in credentials through the app’s “Plaid Link” interface. Regulators say the interface mimicked the look and feel of users' own bank account login screen, leading people to believe that the data they were sharing was really with the bank and not a third-party source. The plaintiffs in the class action suit alleged that Plaid then used that information to access and sell transaction histories. 

Major settlement in the fintech market

Consumers flocked to digital banking during the pandemic, and federal regulators started raising concerns. Early last year, the Justice Department stepped in to oppose Visa's efforts to acquire Plaid, saying that the deal was anti-competitive. This latest settlement could be monumentally important when it comes to policing the fintech market.

"This is a major settlement in the fintech privacy area, as the collection and use of consumer data has become more scrutinized in the past few years, especially amidst the wave of fintech and money transfer apps that have become popular with consumers," said attorney Jeffrey D. Neuburger, co-head of Proskauer’s Technology, Media & Telecommunications Group. 

Plaid might be out $58 million, but it’s remaining steadfast about its innocence. 

“We don’t share your personal information without your permission,” the company stated on its website. It also denies any wrongdoing and claims that it adequately disclosed and maintained transparency about its practices to consumers.

This is real, not a hoax

Snopes reports that earlier this month, Google users went on the hunt to find out if an email for Plaid’s class action settlement was a “scam or legit,” as people frequently do after receiving such notices. But this is real, and consumers have already started to receive a Notice of Settlement either by postal mail or email.

However, anyone who's due some money as part of this settlement might want to hold off on making any big plans with their check. The suit likely includes "tens of millions" of plaintiffs, so the payouts may not wind up being that big. 

Nonetheless, if you want to find out if you're eligible for some part of the settlement money, the settlement website has a complete searchable list of the companies linked to the Plaid app. You can also call the settlement administrator toll-free at 855-645-1115 to find out whether or not you are a class member.

Anyone who feels their data was misappropriated by Plaid has until April 28, 2022, to file a claim. Full settlement details and the consumer’s legal rights are available here.


Major cryptocurrency exchange suffers multi-million dollar hack

Crypto.com – a cryptocurrency exchange app company – says it was the victim of a hack totaling $15 million in stolen funds.

In a statement, a Crypto spokesperson told ConsumerAffairs that the incident affected 483 customers and that the company prevented unauthorized withdrawals in the majority of cases. In all other cases, customers were fully reimbursed.

Breaking those 483 instances down into values, the company said the unsanctioned withdrawals totaled 4,836.26 ether, 443.93 bitcoins (BTC), and approximately $66,200 in other currencies.

To ensure a hack like this doesn’t affect users the next time one happens, the company said it has “hardened” its security systems and is introducing a program to offer additional protection and security for up to $250,000 in funds held in the Crypto.com app and exchange.

The company appears to be in solid enough financial shape to withstand the losses claimed by the hack. Crypto.com CEO Kris Marszalek recently told Fortune that the company's revenue surged 2,000% in the last 12 months. 

Security firm says not all funds are safe

Peckshield, a China-based blockchain security firm, questioned Crypto.com’s stance that only $66,000 USD was stolen, claiming that its analysis shows that the unauthorized withdrawals amounted to $33 million.

"I’m sorry, but all funds are not safe. I had BTC withdrawn from my account that I did not authorize," tweeted J8Arnold, one of Crypto’s customers. "These funds have yet to be returned to me… I have always had passcode & 2FA [two-factor authentication, a method for protecting against identity theft] enabled. I have reached out to Customer Support using every channel possible with no response."

ConsumerAffairs asked Crypto to speak directly to Peckshield’s claims, but the company has not yet replied.

Shaky ground?

While protections are improving for cryptocurrency investors, the digital money world is still in its "Wild West" phase and is not yet completely under the same regulations that the Securities and Exchange Commission (SEC) requires other trading sectors to follow. That allows some wiggle room for hackers to continue trying to break into cryptocurrency exchanges whenever they can, forcing many investors into "buyer beware" mode.

Roger Aliaga-Díaz, Vanguard America’s Chief Economist, cautions investors that while cryptocurrency may seem attractive, it’s no substitute for stocks and bonds.

"The biggest risk for all investors would be to assume that demand growth will continue just because their prices have recently gone up," he said. "That's speculation, not investment."


Goodwill suffers another customer data hack

Goodwill has reportedly become the victim of a data breach that is directly impacting the users of its ShopGoodwill.com e-commerce platform. 

TechRadar reports that hackers made their way into the company’s platform via an exploitable vulnerability that allowed them access to customer names, phone numbers, email addresses, and postal addresses. The larger unanswered question is how many customers the breach actually affected. 

Goodwill responds

Goodwill stated that it patched the vulnerability that led to the exposure. In a letter sent to customers affected by the hack, company Vice President Ryan Smith said the silver lining in this attack is that no customer financial data was stolen. 

"We were recently alerted to an issue on our website which resulted in the exposure of some of your personal contact information to an unauthorized third party,” Smith said. “No payment card information was exposed; ShopGoodwill does not store payment card information. While the third party accessed buyer contact information, they did not access your ShopGoodwill account."

Still, this is not a good look for the donation-driven company. In 2014, an estimated 868,000 credit and debit cards were compromised when the company’s computer network was infected with malware that gave hackers access to customer credit card data. 

Stolen data could lead to more trouble

Although financial information wasn't included in this hack, the information that was stolen could still lead to future problems for consumers.

Hackers have been known to use stolen personal information for identity theft, which was on the rise in 2021. They could also combine the information with stolen passwords from other hacks in password spraying attacks to compromise other important accounts. 

For more information on identity theft trends and statistics, check out ConsumerAffairs' guide here.


Health care system hack exposes private details of 1.3 million customers

A hack of one of the largest health care systems in the U.S. has compromised the personal and private data of more than a million people.

A recent filing showed that 1,357,879 people were impacted by the breach in October 2021. In a letter to customers, Broward Health stated that the stolen information may have included names, dates of birth, addresses, phone numbers, financial or bank account information, Social Security numbers, insurance information, driver’s license numbers, email addresses, and various medical information.

Ransomware is the new hot hospital hack

In ConsumerAffairs' review of identity theft in 2021, Rob Douglas – a leading authority on cybersecurity – said the pandemic helped create an “easier and more lucrative path” for attackers to launch ransomware.

Mandiant, an enterprise-scale threat intelligence company, agrees. In its tracking of foreign hackers, it stated that a group dubbed FIN12 has taken a shine to companies that provide critical care functions. The company said nearly 20% of FIN12 victims were in the health care industry and were warned that they were more likely to be targeted during the COVID-19 pandemic.

Mandiant says the hackers are primarily focused on finding financial data, particularly annual income, because of the perception that it justifies proportionally large ransom demands.

Customers urged to take preventive action

In response to the incident, Broward Health said it is taking steps to prevent similar incidents from happening down the line, including adding password resets and multifactor authentication for all users of its systems.

While that may help going forward, Broward customers have a lot to do on their end to protect any of their personal information that may have been hacked. The company suggests that its customers do the following:

  • Regularly review the explanation of benefits statements that you receive from your health plan. Broward asks that if anyone sees a service that they did not receive, to contact the health plan at the number on the statement.

  • Monitor your financial accounts. If you see any unauthorized activity, promptly contact your financial institution. Broward stated that it would be a good idea to also take a look at your credit report for any discrepancies. 


T-Mobile reports details of another hack of its systems

Hackers had another field day at T-Mobile, or so it appears. After a massive data breach compromised the accounts of six million users in August, the T-Mo Report is citing internal documents that show the company uncovered “unauthorized activity” on some customer accounts. 

The organization said the activity was most likely either the viewing of customer proprietary network information (CPNI), an active SIM (subscriber identity module) swap by a malicious actor, or possibly both.

If it was CPNI, then the hackers could have taken advantage of a customer’s account name, phone number, rate plan, and more. “That’s not great, but it’s much less of an impact than the breach back in August had, which leaked customer social security numbers,” T-Mo said. 

On the other hand, if it was a SIM swap, things could be worse. Hackers could gain control of a customer’s phone number. In that situation, it could lead to the victim’s other online accounts being accessed via two-factor authentication codes sent to their phone number, T-Mo said. However, the document shared with T-Mo indicated that anyone affected by a SIM swap had lucked out and that action was reversed.

T-Mobile responds

When ConsumerAffairs asked T-Mobile for a comment about the breach, the company confirmed the issue and said that it has corrected it.

“We were informed [by] a very small number of customers that the SIM card assigned to a mobile number on their account may have been illegally reassigned or limited account information was viewed. Unauthorized SIM swaps are unfortunately a common industry-wide occurrence, however this issue was quickly corrected by our team, using our in-place safeguards, and we proactively took additional protective measures on their behalf,” a company spokesperson said in an email.

In addition, T-Mobile Help responded to a question posted on Twitter by saying that it was “taking immediate steps to help protect all individuals who may be at risk from this cyberattack.” It followed by saying users could send it a direct message to discuss steps to increase account security.

T-Mo also reported that customers who notified T-Mobile of unauthorized activity on their account have had notes added to their account for reps to see when accessing them.


Meta says 50,000 users may have been stalked by private surveillance companies

Meta has encountered its first major headache under its new moniker. The company formerly known as Facebook has notified 50,000 global users of Facebook, WhatsApp, Instagram, and Messenger that they may have been targeted by private surveillance companies. 

Meta said those seven firms carried out a mix of “reconnaissance, engagement, and exploitation,” but they have now been completely barred from the company’s platforms.

Collecting information and compromising accounts

In a blog post describing the issue, Meta said the global “surveillance-for-hire” companies targeted people to collect intelligence and compromise their devices and accounts – not only on Meta’s platforms but across the whole internet in more than 100 countries.

“While these ‘cyber mercenaries’ often claim that their services only target criminals and terrorists, our months-long investigation concluded that targeting is in fact indiscriminate and includes journalists, dissidents, critics of authoritarian regimes, families of opposition and human rights activists,” explained Meta officials David Agranovich and Mike Dvilyanski.

Agranovich and Dvilyanski said Meta is trying to prevent this from happening again by sharing its findings with security researchers, other platforms, and policymakers. The company also issued cease and desist warnings to the companies involved and alerted people who may have been targeted to help them strengthen the security of their various Meta-connected accounts.

What actual good could come out of this

Despite the immediate concern, Meta said in its threat report that there’s actually some good that can come out of this situation. The company is requesting that governments and tech companies come together to work on three key components:

  • Greater transparency and oversight: Meta sees a need for more international oversight that establishes transparency and “know your customer” standards. These standards would cover social platforms and surveillance-for-hire entities so that they are held accountable.

  • Industry collaboration: Surveillance efforts show up differently depending on individual platforms, but Meta stated that industry-wide collaboration is critical if Big Tech wants to fully understand and stop adversarial surveillance efforts before they spin out of control.

  • Governance and ethics: While Facebook’s history is covered with faux pas that put the company’s trustworthiness in question at congressional hearings, Meta says it now welcomes domestic and international efforts to raise accountability through legislation, export controls, and regulatory actions.

“We also encourage broader conversations about the ethics of using these surveillance technologies by law enforcement and private companies, as well as creating effective victim protection regimes,” Agranovich and Dvilyanski said.


The internet is ‘on fire’ due to the biggest zero-day exploit in history

If you find things a little squirrely with the internet as you begin your week, it may relate to a “zero-day” exploit called “Log4Shell” that has sent security experts scrambling. 

The vulnerability is a critical security flaw in an open-source logging software called “Log4j,” which is used by countless companies and data centers around the world. The difficult part is that when analysts attempt to plug holes created by Log4Shell, others seem to pop up as a result.

“The internet’s on fire right now,” Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike, told The Associated Press. “People are scrambling to patch,” he said, “and all kinds of people scrambling to exploit it.”

Why it’s such a threat

Log4Shell appears to be a major threat to internet companies. Reports have already circulated that iCloud, Amazon’s cloud service AWS, and Minecraft were targeted by hackers who used the vulnerability.

Hackers who use Log4Shell are reportedly able to run code inside of server systems and remotely take full control. Making the situation far more dangerous is the fact that this hack doesn’t require any interaction from the victim. Hackers can simply worm their way in, gain access, and do their damage.

“This is far worse than if individual devices were vulnerable, and I think it's an open question at this point exactly what kind of data attackers are probably pulling from Apple's services as we speak,” Thomas Reed, Malwarebytes director of Mac offerings, told Ars Technica.

“I’d be hard-pressed to think of a company that’s not at risk,” Joe Sullivan, a Cloudflare security officer, told the AP. He said that untold millions of servers might have the utility installed. 


Microsoft seizes control of malicious websites used by China-based hacking group

In its latest move to stop global hackers in their tracks, Microsoft’s Digital Crimes Unit (DCU) has throttled the activities of a China-based hacking group that it calls Nickel. 

A federal court in Virginia granted the company’s request to seize websites that Nickel planned to use to attack organizations in 29 countries, including the U.S. The upshot of Microsoft’s sheriff-like effort is that Nickel’s access to victims has been cut off and that the malicious websites it was using no longer have the ability to carry out attacks. 

Microsoft didn’t name Nickel’s specific targets but said at the top of the list of those spared were government agencies, think tanks, and human rights organizations because of the wealth of information the hackers could tap into for intelligence gathering. 

“There is often a correlation between Nickel’s targets and China’s geopolitical interests,” said Tom Burt, Microsoft’s Corporate Vice President, Customer Security & Trust. According to Burt, Nickel also targeted diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe, and Africa. 

Microsoft says it will remain relentless

Nickel may be the latest snake in the grass that Microsoft has gone after, but it’s not the first. The company said that DCU’s pioneering efforts have taken control of more than 10,000 malicious websites used by cybercriminals and nearly 600 sites used by nation-state actors so far. The tech giant said it has also proactively blocked the registration of some 600,000 sites to prevent hacking groups from using them to cause harm in the future.

However, Microsoft admitted that Nickel was not completely killed off, and it could come back for more. “Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks,” Burt remarked.

He went on to say that nation-state attacks continue to proliferate in number and sophistication. While China may be the head of the Nickel snake, DCU has also disrupted nefarious attempts from Iran, Russia, and North Korea. 

“Our goal … is to take down malicious infrastructure, better understand actor tactics, protect our customers and inform the broader debate on acceptable norms in cyberspace. We will remain relentless in our efforts to improve the security of the ecosystem and we will continue to share activity we see, regardless of where it originates,” Burt concluded.


GoDaddy data breach exposes private data of 1.2 million customers

In a data breach alert published by the Securities and Exchange Commission (SEC), GoDaddy reported that the private data of as many as 1.2 million of its customers was exposed by hackers who wormed their way into the company's Managed WordPress hosting ecosystem.

Unfortunately, GoDaddy was a little late in putting measures in place to curb the incident. The company told the SEC that it determined hackers first breached their systems on September 6, 2021, but that it didn’t take measures to block the hackers until November 17.

What happened

Demetrius Comes, GoDaddy’s Chief Information Security Officer, said the hack was pretty straightforward. Using a compromised password, the hackers accessed the provisioning system in GoDaddy’s code base for Managed WordPress. Managed WordPress hosting is something GoDaddy offers its clients -- sort of a jack of all trades platform where all the technical aspects of running a website are handled by GoDaddy, freeing the website owner from having to take care of those things.

When the company first spotted the hack, it immediately began an investigation with the assistance of an IT forensics firm. Comes said GoDaddy also contacted law enforcement. 

“Upon identifying this incident, we immediately blocked the unauthorized third party from our system. … Our investigation is ongoing,” Comes said. As to what the hackers had access to, he offered the following: 

  • Up to 1.2 million active and inactive Managed WordPress customers had their email addresses and customer numbers exposed. The exposure of email addresses is serious because it presents a risk of phishing attacks.

  • The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, GoDaddy reset those passwords.

  • For active customers, FTP and database usernames and passwords were exposed. GoDaddy says it reset both passwords.

  • For a subset of active customers, the SSL private key was exposed. Comes said the company is in the process of issuing and installing new certificates for those customers.

Are you a GoDaddy customer?

Comes said the company is in the process of contacting everyone who was impacted directly by the hack. However, he stated that customers can also contact GoDaddy via its help center.

“We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down,” Comes said in closing. “We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”


Robinhood hack exposes data on 5 million users

Robinhood, the trading app comprised of users who drove this year’s Reddit stock craze, reports that it has suffered a data breach in which the names and email addresses of millions of traders were stolen. In a blog post, the company emphasized that no Social Security or bank account numbers were compromised, and none of its users suffered any financial loss.

The company said the hacker gained access to Robinhood’s network systems by impersonating an authorized party to a customer-support employee on the phone. Officials said the breach was discovered late Wednesday of last week and quickly contained.

Robinhood said the hacker demanded a ransom payment at one point, but the case was turned over to law enforcement to handle. The company also retained the services of Mandiant, a cybersecurity firm.

“As a Safety First company, we owe it to our customers to be transparent and act with integrity,” said Robinhood chief security officer Caleb Sima. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.” 

5 million email addresses

The company says an investigation into the hack shows that the hacker was able to steal a list of email addresses for approximately five million users, as well as full names for a different group of approximately two million people. 

Robinhood also believes the hackers gained more extensive data on about 310 users. Again, it doesn’t think any financial information was compromised, but hackers may have gained access to names, dates of birth, and zip codes for that small group of customers.

Robinhood gained millions of customers during the pandemic when homebound Americans used its app to trade stocks, in many cases driving up the price of so-called “meme” stocks like Gamestop and AMC.

Disruptive force

The company has been a disruptive force in the financial services industry by not charging commissions on trades. Now, nearly all online trading platforms have done away with commissions on stock trades.

Robinhood customers seeking information on how to keep accounts secure can visit Help Center, then tab through My Account & Login and Account Security. 

When in doubt, users may log in to view messages from the company. It also points out that it will never include a link to access a user’s account in a security alert. 


Hackers breached several government sectors in recent cyberattack, security firm says

Foreign hackers are suspected to have forced their way through the computer systems of nine organizations in the defense, education, energy, health care, and technology sectors. Those organizations are spread throughout the world, but according to findings that security firm Palo Alto Networks shared with CNN, at least one is in the U.S. 

Security analysts believe the hackers are set on stealing key data from U.S. defense contractors and other sensitive targets. The hackers reportedly targeted organizations with passwords that could provide ongoing access to government networks. 

Ryan Olson, a senior Palo Alto Networks executive, told CNN that it was sort of a race to the finish. Once the intruders laid their hands on the passwords, it’s possible that they would be in a good position to intercept sensitive data sent via email or stored on computer systems.

NSA and U.S. Cybersecurity and Infrastructure Security Agency (CISA) officials said they are tracking the threat. 

Eyes on China

Olson said the nine confirmed targets are the "tip of the spear" of the surveillance campaign, and he expects that even more victims will be revealed. Olson couldn’t lay blame at any particular group’s feet, but he said some of the tactics the hackers employed are similar to those used by a known Chinese hacking group.

China state hackers have been behind a number of cyberattacks over the course of the last year. Just this summer, France claimed that China state hackers were using compromised routers in a massive attack campaign. The Biden administration also accused China of being behind major cyberattacks like the Microsoft Exchange hack. 

In July, a federal grand jury charged four nationals and residents of the People’s Republic of China with a campaign to hack into the computer systems of dozens of victim companies, universities, and government entities in the U.S. and abroad. In October, the Federal Communications Commission (FCC) recognized potential security risks connected to China Telecom and banished the company from the U.S. 

Facebook shuts down use of facial recognition and pledges to delete data

People who have shied away from Facebook over privacy issues will be happy to know that it’s shutting down its facial recognition system. The company announced that the recognition technology that automatically recognized when a member appears in a photo is officially going away…for now.

Facebook’s active daily users who had previously opted into allowing the technology won’t have to lift a finger; they’ll simply no longer be automatically recognized in photos and videos on the platform. The company said it’s not going to archive anything it has in its system. It will delete more than a billion people’s individual facial recognition templates. 

Facebook users who were hoping to continue using the facial recognition technology to see suggested tags with their names in photos and videos are out of luck. The company says those people will have to tag posts the old-fashioned way -- manually. 

“We need to weigh the positive use cases for facial recognition against growing societal concerns, especially as regulators have yet to provide clear rules,” Jerome Pesenti, VP of Artificial Intelligence, said in a blog post.

The change will likely save Facebook some money in the long run. Over the past few years, the company ran afoul of its users when it launched its '10-Year Challenge'  promotion, and it has forked over hundreds of millions of dollars to settle facial recognition lawsuits.

One of the largest shifts in facial recognition history

Pesenti said Facebook’s move is momentous on a privacy level and represents one of the largest shifts in facial recognition usage in the technology’s history. 

However, the company still believes that facial recognition has a place in the world -- like at airports where the Department of Homeland Security uses facial recognition to identify people wearing face masks because of the pandemic. Because of that, it left the door slightly ajar for using the technology again on some level in the future.

“Looking ahead, we still see facial recognition technology as a powerful tool, for example, for people needing to verify their identity, or to prevent fraud and impersonation,” Pesenti said. “We believe facial recognition can help for products like these with privacy, transparency and control in place, so you decide if and how your face is used. We will continue working on these technologies and engaging outside experts.”

FCC bans China Telecom from operating in the U.S.

As of December 26, 2021, China Telecom Americas will no longer be doing business in the U.S. Citing security concerns, the Federal Communications Commission (FCC) issued an order on Tuesday that prevents China Telecom from providing any domestic or international services in the U.S.

The move is a major blow for China Telecom because its mobile virtual network in the U.S. includes more than 4 million Chinese Americans, 2 million Chinese tourists a year visiting the United States, 300,000 Chinese students at American colleges, and more than 1,500 Chinese businesses.

However, it wasn’t completely unexpected. In 2020, the Executive Branch warned that it was considering shutting down the U.S. operations of state-controlled Chinese telecommunications companies, including China Telecom Americas. 

Officials had offered China Telecom a chance to disprove the agency’s findings, and they established a process that allowed for China Telecom, the U.S. Executive Branch agencies, and the public to present any remaining arguments or evidence regarding the matter.  

“The Federal Communications Commission has a long history of working to open American markets to foreign telecommunications companies when doing so is in the public interest,” Chairwoman Jessica Rosenworcel said.  

“These connections can make us stronger because they help share our democratic values with the rest of the world.  But we also recognize not every connection is consistent with the national security interest of the United States. That’s because some countries may seek to exploit our openness to advance their own national interests.  When we recognize this is the case and cannot mitigate the risk, we need to take action to protect the communications infrastructure that is so critical to our national security and economic prosperity.”

FCC offers to help China Telecom’s U.S. users

Fortunately for China Telecom’s U.S. users, the FCC is not leaving them out in the cold. The agency said it will help customers transition to other mobile service providers. Officials say they will issue a guide that outlines what other options consumers might consider for mobile services.  

This document will be available in English, Simplified Chinese, and Traditional Chinese on the FCC’s website.

Microsoft accuses Russian hackers of attacking the global technology supply chain

Cybersecurity specialists at the Microsoft Threat Intelligence Center (MSTIC) claim that the Russian-linked hacking group behind the attacks on SolarWinds, JBS, and others last year is at it again -- this time going after key players in the global technology supply chain.

The group, known as Nobelium, has “been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain” according to Tom Burt, Microsoft’s corporate vice president of customer security and trust. So far, the group has allegedly targeted more than 140 IT resellers and service providers and compromised as many as 14 since May. 

“Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling … targets of interest to the Russian government,” Burt said in a blog post.

Hackers use "password spraying" technique

The hackers’ favorite technique this time around is reportedly something called a “password spray.” This attack is a procedure that tries to access a vast number of account usernames via commonly used passwords such as “123456789,” “Password123,” and “picture1.”

DoubleOctopus -- a cybersecurity company focused on password protection -- says even though password spraying is a slow-and-go technique, it does allow hackers to stay undetected by avoiding rapid or frequent account lockouts. That makes it different from traditional attacks that attempt to gain unauthorized access by guessing an account’s password.

In this situation, online users appear to be at the mercy of the service providers and platforms they use to protect their accounts. To that end, Microsoft recommends that companies with online customer systems implement a specific set of protocols to thwart recent Nobelium activity.
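A provider-side view of the pattern described above, as an added example that is not taken from Microsoft, DoubleOctopus, or the original article: it flags a source that fails against many accounts while staying under each account's lockout limit, and lists accounts that source then signed in to. The log format, thresholds, and function names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data): timestamp, source IP, account, result.
# The IP addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2021-10-25T09:00:05Z 198.51.100.7 alice FAIL
2021-10-25T09:02:11Z 192.0.2.15 bob FAIL
2021-10-25T09:02:30Z 192.0.2.15 bob OK
2021-10-25T09:08:40Z 198.51.100.7 bob FAIL
2021-10-25T09:16:02Z 198.51.100.7 carol FAIL
2021-10-25T09:20:00Z 203.0.113.20 alice FAIL
2021-10-25T09:20:03Z 203.0.113.20 alice FAIL
2021-10-25T09:20:06Z 203.0.113.20 alice FAIL
2021-10-25T09:20:09Z 203.0.113.20 alice FAIL
2021-10-25T09:20:12Z 203.0.113.20 alice FAIL
2021-10-25T09:24:37Z 198.51.100.7 dave FAIL
2021-10-25T09:32:19Z 198.51.100.7 erin FAIL
2021-10-25T09:40:51Z 198.51.100.7 frank OK
"""


def parse(log_text):
    """Turn log lines into (timestamp, source, account, result) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, src, account, result = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, src, account.lower(), result))
    return events


def classify_sources(events, window=timedelta(hours=1),
                     min_accounts=5, lockout_threshold=5):
    """Label each source IP by the shape of its failed sign-ins.

    password-spray: failures against many accounts inside the window, with
                    every account kept below the lockout threshold.
    brute-force:    one account reaches the lockout threshold inside the window.
    The thresholds are assumed values; tune them to the real lockout policy.
    """
    failures = defaultdict(list)
    for when, src, account, result in events:
        if result == "FAIL":
            failures[src].append((when, account))

    findings = {}
    for src, fails in failures.items():
        fails.sort()
        per_account = defaultdict(int)  # failures per account inside the window
        oldest = 0
        for when, account in fails:
            per_account[account] += 1
            # Slide the window: forget failures older than `window`.
            while fails[oldest][0] < when - window:
                expired = fails[oldest][1]
                per_account[expired] -= 1
                if per_account[expired] == 0:
                    del per_account[expired]
                oldest += 1
            worst = max(per_account.values())
            if len(per_account) >= min_accounts and worst < lockout_threshold:
                findings[src] = "password-spray"
                break
            if worst >= lockout_threshold:
                findings.setdefault(src, "brute-force")
    return findings


def accounts_to_reset(events, findings):
    """Accounts a spraying source signed in to; treat these as compromised."""
    hit = defaultdict(set)
    for _when, src, account, result in events:
        if result == "OK" and findings.get(src) == "password-spray":
            hit[src].add(account)
    return {src: sorted(accounts) for src, accounts in hit.items()}


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    found = classify_sources(evts)
    print(found)
    print(accounts_to_reset(evts, found))
```

With a 20-minute window the same spray goes unnoticed, because the source never touches more than three accounts in any 20 minutes; the counting window has to be longer than the pacing between attempts.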

Putting protective measures in place

While consumers may need to depend on companies to protect them to some extent, there are still some things they can do to gain an advantage against hackers. In an interview with USAToday, Craig Danuloff, CEO of The Privacy Co., offered these tips to make personal passwords and information less susceptible:

Do not reuse passwords on any important accounts. Keeping your passwords unique helps ensure that hackers can’t access all of your important accounts if they figure out just one of your passwords.

Use two-factor authentication wherever possible. Amazon, Apple, Google, and other major tech players use this method because it works well. Here’s a guide that goes over two-factor authentication and other cybersecurity steps you can take to protect yourself.

Choose platforms that use end-to-end encryption. This is a method that Zoom now uses after learning a valuable lesson without it. “Files or photos sitting in cloud storage can be stolen,” Danuloff said. “If they’re in a database that has no keys or just one master key, all of your personal data has a much higher likelihood of being stolen, accessed, and maybe even shared publicly.”

Don’t give up your data to every site that asks for it. “Data that isn’t there can’t be stolen,” Danuloff said. All kinds of services ask for your address, phone number, or even your Social Security number. “The vast majority of them don’t need it,” he said. So give them “alternative facts.” Use burner email accounts. 

Use a personal monitoring service -- aka ID theft protection -- that informs you when your data has been stolen in a hack or when there are signs of identity theft. 

U.S. bolsters efforts to go after cryptocurrency crime

October is turning out to be a bad month for cryptocurrency lawbreakers. On Thursday, the U.S. Department of Justice announced that it has created a special team of its own to keep criminal misuses of cryptocurrency to a minimum. 

In the agency’s announcement, Deputy Attorney General Lisa O. Monaco said the National Cryptocurrency Enforcement Team (NCET) will not only tackle thorny investigations and prosecutions of criminal misuses of cryptocurrency. She said it will also be especially vigilant regarding crimes committed by virtual currency exchanges, mixing and tumbling services, and money laundering. 

The new team will also assist in tracing and recovery of assets lost to fraud and extortion, including cryptocurrency payments to ransomware groups, such as the one involved in the Colonial Pipeline attack earlier this year.

“Today we are launching the National Cryptocurrency Enforcement Team to draw on the Department’s cyber and money laundering expertise to strengthen our capacity to dismantle the financial entities that enable criminal actors to flourish — and quite frankly to profit — from abusing cryptocurrency platforms” said Monaco. “As the technology advances, so too must the Department evolve with it so that we’re poised to root out abuse on these platforms and ensure user confidence in these systems.”

Diving deep to find crypto criminals

The NCET realizes that the people behind cryptocurrency crimes can be sneaky, often doing their deeds in what the agency called “dark markets” -- the underbelly of the internet where illegal drugs, weapons, hacking tools, and malware are sold. To get to those people, the DOJ will use the expertise of the Criminal Division to “deter, disrupt, investigate, and prosecute criminal misuse of cryptocurrency, as well as to recover the illicit proceeds of those crimes whenever possible.”

Because those dark markets and bad actors are difficult to find and bring to justice, the NCET said it will foster the development of a higher level of expertise in cryptocurrency and blockchain technologies across all aspects of the Department’s work. 

The DOJ said it isn’t just doing this on a national scale. The new group said it will be providing support to international, federal, state, local, tribal, and territorial law enforcement authorities that are grappling with these new technologies and new forms of criminal tradecraft.

Twitch streaming platform suffers major hack

Twitch -- Amazon’s streaming service that’s focused on live video game broadcasts -- has experienced a massive data breach. The hacker responsible for the act says they have taken all the information they found on Twitch, including source code and user payout data, and leaked it online.

The anonymous hacker went further, posting a link to its bounty to 4chan on Wednesday and stating that their reason for leaking their stolen goods was to “foster more disruption and competition in the online video streaming space” because Twitch’s “community is a disgusting toxic cesspool.”

VideoGamesConsole (VGC), which first reported the hack, verified the leak as legitimate and that the files mentioned on 4chan are publicly available to download.

What to do

VGC advises anyone who uses Twitch to change their password and turn on two-factor authentication immediately. To change your password on Twitch, do the following:

  • Go to Twitch and log on with your existing username and password.

  • Click on your avatar in the top-right corner and choose Settings.

  • Go to the Security and Privacy option, locate the option that says “change password,” and complete the prompts to do so. 

VGC recommends that users opt for a longer password when making the change because they tend to be safer. Adding both uppercase and lowercase characters, numbers, and a special symbol or two (like $ or &) can make them even stronger.

Google issues major warning for 2 billion Chrome users

Google has put 2 billion Chrome users on high alert that its browser has suffered “zero-day” exploits that “exist in the wild” and affect Apple, Linux, and Windows systems. This is the ninth such attack so far this year.

In order to buy itself some extra time so users can upgrade to a safer version of Chrome, Google’s Srinivas Sista said the company is limiting access to bug details and links “until a majority of users are updated with a fix.” 

What Chrome users need to do ASAP

To get ahead of the situation for the short term, Google has released a critical update. Gordon Kelly, a Consumer Tech specialist at Forbes, says the company tends to roll out updates in a staggered fashion, so not everyone will get the notice at the same time. 

To check if you are protected, you can take these steps:

  • Click on the vertical three-dot icon in the upper right-hand part of your Chrome browser.

  • Then, go to Settings > Help > About Google Chrome.

  • If your Chrome version is 94.0.4606.71 or higher, then consider yourself safe. If your version is below that number, make it a point to check at least once a day to see if there’s an upgrade.

  • If the update is not yet available for your browser, check regularly for the new version.

Are there safer browsers than Chrome?

One of the reasons many people use Chrome is that the integration between Google Docs, YouTube, Google Drive, Google Calendar, Gmail, their Android devices, etc. makes things easier. But cybersecurity watcher Zak Doffman says Google’s latest issue should give users some serious pause.

“If you’re one of those users, this nasty new surprise just gave you a reason to quit,” he wrote following the announcement of the latest Chrome issue.

Do consumers have other decent choices? Doffman says yes. There’s Apple’s Safari, DuckDuckGo, Mozilla Firefox, and a fairly new browser called Brave. Each of those browsers tries to upset Google’s apple cart by placing an extra emphasis on privacy. In Brave’s case, it automatically blocks both ads and website trackers as part of its default settings. 

Even though Google announced it was phasing out third-party tracking cookies in its Chrome browser earlier this year, Doffman is still championing a different browser. 

“While it’s Firefox, DuckDuckGo and Brave that most vocally push the browser privacy agenda, it’s really Safari that has done the best job of exposing Chrome’s avaricious data harvesting machine at scale,” he wrote.

Even though much of Apple’s recent press has been about its new iPhones, Doffman says the company’s recent Safari update is a “genuine game changer” for privacy and security because of the addition of a new privacy weapon called Private Relay. 

“Put simply, this breaks the identity chain between you, the websites you visit and the ISP through which you access the internet,” he explained.

Neiman Marcus reports data breach affecting millions of customers

Neiman Marcus has alerted customers that a data breach last year may have exposed the payment records of 4.6 million customers.

The personal information for affected customers may have included names and contact information; payment card numbers and expiration dates but without CVV numbers; Neiman Marcus virtual gift card numbers without PINs; and usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts. 

The company said it has alerted law enforcement and retained the services of a cybersecurity firm to investigate. The preliminary investigation shows that around 3.1 million payment and virtual gift cards were exposed, but the vast majority -- more than 85% -- were expired. 

The company said no active Neiman Marcus-branded credit cards were exposed and that there is no evidence that Bergdorf Goodman or Horchow online customer accounts were affected.

"At Neiman Marcus Group (NMG), customers are our top priority," said Geoffroy van Raemdonck, the company’s CEO. "We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information."

Incident occurred 17 months ago

The breach is believed to have occurred in May 2020, but the company only learned of it in recent days. Once it was aware that payment records had been exposed, the company said it began steps to protect customers.

The company required an online account password reset for affected customers who had not changed their password since May 2020. It also set up a call center to answer customers’ questions. The number is (866) 571-9725, and it is open Monday through Friday, 8 a.m. to 10 p.m. CST; Saturday and Sunday, 10 a.m. to 7 p.m. CST. Callers should be prepared to provide engagement number B019206. There’s also a webpage that provides additional information.

Cyberattacks on corporate entities have become more common in the last five years. Corporations are major targets for hackers. Earlier this year, a ransomware attack shut down a major gasoline pipeline.

Security researchers discover Apple Pay and Visa contactless payment hack

A team of security researchers has uncovered a new hack that could allow bad actors to make unauthorized charges through victims’ iPhones. 

In a demonstration to the BBC, researchers from the Computer Science departments of Birmingham and Surrey Universities in the U.K. showed how cyber thieves can exploit a feature in Apple Pay to make unauthorized contactless payments. According to the researchers, the problem lies in how Visa cards are set up in “Express Transit” mode in an iPhone's wallet. 

Express Transit is an Apple Pay feature that enables commuters to make quick contactless payments without having to unlock their phone. It’s similar to how a commuter might pay for a ride on New York City’s MTA, Los Angeles’ TAP, or Chicago’s CTA. 

How it works

In the demo, researchers showed how easy it was for them to make a Visa payment of £1,000 [$13,460 USD] without unlocking the phone or authorizing the payment. 

All a hacker has to do is set up a commercially available piece of radio equipment near where the iPhone might be used to make a payment, such as a retail store. The hacker can then trick the iPhone into thinking it’s dealing with a legitimate point-of-contact. 

The scary thing is that the crook’s phone and the payment terminal that’s being used don't need to be anywhere near the victim's iPhone. "It can be on another continent from the iPhone as long as there's an internet connection," said Dr. Ioana Boureanu of the University of Surrey.

Apple and Visa aren’t worried...yet

While the researchers may think the incursion is a real possibility, neither Apple nor Visa is sweating it quite yet. According to the BBC, Apple said the matter was “a concern with a Visa system.” Visa said its payments were secure and attacks of this type were impractical outside of a lab.

Visa told the BBC that it took all security threats seriously, but it says this isn’t something that consumers should worry about. 

"Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence,” the company said. "Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world".

Protecting yourself

Regardless of whether this particular threat is viable, there are things consumers can do to lessen the chances of being victimized by a hacker trying to create unauthorized payments. First off, if you lose your phone, you can use Apple's iCloud to block Apple Pay or wipe the phone. You can also alert Visa and block any future payments.

"In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero liability policy,” Apple said.

Over 10 million Android phones infected with malware that delivers monthly charges

Android phone owners got an unpleasant surprise on Tuesday. Researchers at mobile security company Zimperium reported the discovery of a piece of malware called “GriftHorse” -- a trojan that’s been unleashed on more than 10 million Android devices in 70+ countries. 

This isn’t your ordinary household malware. Its mission is to sucker users into granting permissions that allow the cybercrooks to force monthly premium service charges. Business is good, too. So far, researchers estimate that the GriftHorse mob is making between $1.5 million and $4 million per month.

Where trouble ensues

Zimperium’s zLabs team said the malware is delivered to consumers by malicious Android apps that appear harmless at first. However, chaos ensues after the apps hoodwink users into granting certain permissions. At that point, victims start getting charged every month for premium paid services that they get subscribed to without their knowledge or consent. 

“Upon infection, the victim is bombarded with alerts on the screen letting them know they had won a prize and needed to claim it immediately. These pop ups reappear no less than five times per hour until the application user successfully accepts the offer. Upon accepting the invitation for the prize, the malware redirects the victim to a geo-specific webpage where they are asked to submit their phone numbers for verification,” Zimperium’s Aazim Yaswant and Nipun Gupta explained.

“But in reality, they are submitting their phone number to a premium SMS service that would start charging their phone bill over €30 [$40 USD] per month. The victim does not immediately notice the impact of the theft, and the likelihood of it continuing for months before detection is high, with little to no recourse to get one’s money back.”

Zimperium warned Google about the threat, and the company responded by verifying and removing the malware apps from its Play Store. However, the malicious applications might still be available on unsecured third-party app repositories or on an Android user’s phone. To help users identify the problem-causing apps, Zimperium offers a full list of the affected apps here.

Microsoft warns hackers are exploiting a Windows vulnerability

Microsoft has issued a security alert to Windows users, warning that hackers have found and are currently exploiting a vulnerability in the operating system.

“Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows,” the company reported. “Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.”

The company said the hackers were likely to target victims through their use of Office documents. If users open a malicious document, they’ll end up with malware on their system.

The best way to protect yourself is to make sure your antivirus software is up to date. Microsoft said Microsoft Defender Antivirus and Microsoft Defender for Endpoint can effectively detect the vulnerability. Meanwhile, the company said it is investigating the source.

Investigation underway

“Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers,” the company said. “This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”

Krebs on Security, an authoritative security blog, reports Microsoft has not yet released a patch for the flaw, but it says users can mitigate the threat by disabling the installation of all ActiveX controls in Internet Explorer. Krebs says the vulnerability is currently being used in targeted attacks on both PCs and servers.

FBI Terrorist Watchlist containing nearly 2 million records mistakenly posted online

An FBI terrorist watchlist containing 1.9 million records mistakenly found its way onto the internet unguarded, allowing anyone and everyone to view it.

Volodymyr "Bob" Diachenko, Comparitech’s Head of Security Research, is the person who first stumbled onto the treasure trove. In sharing the details of his find, he said the watchlist came from the Terrorist Screening Center (TSC), a multi-agency group administered by the FBI -- the same agency that’s in charge of the U.S.’ no-fly list. 

Stopped in its tracks

Donning his white hat, Diachenko said he immediately reported the leak to Department of Homeland Security (DHS) officials before he went any further. He said DHS acknowledged the incident and thanked him for his efforts. However, the agency did not provide any further official comment.

Diachenko said a typical record in the list contained these details:

  • Full name

  • TSC watchlist ID

  • Citizenship

  • Gender

  • Date of birth

  • Passport number

  • Country of issuance

  • No-fly indicator

The name alone -- terrorist watchlist -- sounds ominous, and it is. According to PCMag’s investigation of the situation, the list consists of people who are suspected of terrorism but who have not necessarily been charged with any crime yet. 

“In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list,” reported Matthew Humphries.

One of those "personal problems" made headlines in 2017, when consumers won a $60 million verdict against TransUnion after it misidentified them in their credit reports as terrorists and drug traffickers. 

Could this happen to you?

The no-fly list has proven to be a double-edged sword. While the FBI can justify its reasons, the American Civil Liberties Union (ACLU) has long found fault with the list because people placed on it aren’t always notified. 

Could something like this happen to anyone? The short answer is yes. As an example, infants have been prevented from boarding planes at airports across the U.S. because their names happened to be the same as, or similar to, those of possible terrorists on the government's "no-fly list."

The ACLU says both U.S. citizens and “lawful permanent residents” have rights that the DHS and TSC are supposed to review before any action is taken. The ACLU offers tips to anyone who is mistakenly caught in the no-fly snare. A complete list of dos and don’ts is available here.

Big Tech to spend billions of dollars on cybersecurity after meeting with Biden administration

There’s barely a week that goes by without a high-profile cybersecurity incident. Not only do these scourges affect everyday life for businesses, but consumers are also impacted as hackers go after any amount of personal data they can access.

In a face-to-face meeting with President Biden on Wednesday, Big Tech stalwarts Amazon, Apple, Google, IBM, and Microsoft all agreed to write big, fat checks to help the nation as a whole address the rising tide of cybersecurity threats. The companies also plan to address the ever-widening abyss of high-growth jobs in the tech sector. 

Spending billions to shore up cybersecurity

Here’s what Big Tech told President Biden they’ll commit to:

Google says it’s good for $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain, and enhance security. The company also promised to assist 100,000 Americans in earning industry-recognized digital skills certificates. 

Apple announced that it will create a new program -- one that includes more than 9,000 U.S. suppliers -- to drive continuous security improvements throughout the technology supply chain. 

Another plus for tech education came from IBM, which announced that it will train 150,000 people in cybersecurity skills over the next three years. The company will place a special focus on historically Black colleges and universities to create “Cybersecurity Leadership Centers” in an effort to grow a more diverse cyber workforce.

Microsoft -- which has been on the wrong end of some serious hacks this year -- announced that it will invest $20 billion between now and 2026 to up the ante on cybersecurity both by design and in delivery throughout its systems. To prime the pump, the company said it will immediately make available $150 million in technical services to help federal, state, and local governments upgrade their current security protection. It will also invest heavily in tech training by expanding partnerships with community colleges and non-profits.

For its part, Amazon said it will make the same security awareness training it offers its employees freely available. It also plans to offer a free multi-factor authentication device to protect against cybersecurity threats like phishing and password theft to all of its Amazon Web Services account holders. Those account holders include companies like Facebook, Netflix, Adobe, ESPN, Ticketmaster, Samsung, and Disney.

Increasing tech education and jobs

One huge challenge facing these Big Tech companies is that nearly half a million cybersecurity jobs remain unfilled. A spokesperson at the Computing Technology Industry Association (CompTIA) told ConsumerAffairs that, as of this week, it was tracking 454,366 job ads for cybersecurity in the U.S. -- 13% more than the year before.

The education effort isn’t being carried solely by Big Tech. To get people trained quickly, colleges and organizations are investing heavily in “micro-credentialing” and training that doesn’t call for a four-year college degree. To that end, Girls Who Code announced that it will establish a micro-credentialing program for historically excluded groups.

The University of Texas System told the White House it will make available entry-level cyber educational programs through UT San Antonio’s Cybersecurity Manufacturing Innovation Institute to help grow new short-term credentials in cyber-related fields by more than 1 million workers.

“To meet the scale of the demand for cybersecurity skills, we need to be considering creative alternatives to the classic college pathway into the profession. The majority of cyber jobs don’t require a four-year computer science degree,” Todd Thibodeaux, president and CEO at CompTIA, told ConsumerAffairs.

“We can have people come through community college programs, through for-profit university programs, through online university programs, through paid apprenticeships and through industry certification programs that can be completed in a matter of months to accelerate this process.”

If there’s any doubt that a tech education can pay off, recent data shows that tech professionals in 9 of the 10 top-paying U.S. states make over 70% more than the average worker. Life as a techie in places like Alabama pays off especially well. The average salary for someone in technology in Alabama is $86,720 a year -- 85% higher than the $46,840 that salaried workers in other fields in the state bring home.


Massive Microsoft data leak puts 38 million records at risk

According to researchers, an estimated 38 million records from more than 1,000 apps that use Microsoft's Power Apps portals platform have been exposed. Those records contain not only typical personal data like phone numbers and addresses but also data from COVID-19 contact tracing efforts, vaccine registrations, and employee databases.

The security leak also reportedly exposed data from large companies and agencies alike, including Ford, American Airlines, logistics company JB Hunt, the Indiana Department of Health, and New York City public schools, according to Wired magazine. 

Caught in the nick of time

Research analysts from security risk platform company UpGuard first uncovered the issue in May when they found unprotected data from several Microsoft Power Apps portals online.

After investigating the matter further, UpGuard sent a vulnerability report to Microsoft in late June. The researchers showed what specific pieces of data were accessible and made suggestions about what Microsoft could do to disable anonymous access to it. 

By mid-July, Microsoft said it had the situation under control and that most of the data from the Power Apps portals had been made private.

Indiana consumers luck out 

In the Indiana Department of Health’s (IDOH) situation alone, there were nearly 750,000 Hoosiers whose data from the state’s COVID-19 online contact tracing survey was accessed. The information supposedly included names, addresses, emails, genders, ethnicities and races, and dates of birth.

While that might seem dire, those people were actually pretty lucky. According to an announcement made by the state, it was able to get the company that accessed the data to sign a “certificate of destruction.” The agreement confirms that the data was not released to any other entity and was destroyed by the company.

“We believe the risk to Hoosiers whose information was accessed is low. We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained,” said State Health Commissioner Kris Box, M.D., FACOG. “We will provide appropriate protections for anyone impacted.”


T-Mobile says six million additional accounts were affected by recent data breach

T-Mobile said Friday that the data breach it disclosed earlier this week affected significantly more people than initially believed. 

In a filing with the Securities and Exchange Commission, the carrier said an additional 5.3 million postpaid accounts and 850,000 active T-Mobile prepaid accounts were affected. This brings the total number of affected consumers to more than 54 million.

On Wednesday, the company confirmed that hackers were able to access data on 7.8 million of its postpaid customers, along with the records of 40 million former and prospective customers. 

Information stolen included customers’ first and last names, dates of birth, Social Security numbers, and driver’s license/ID information. In its latest filing with the SEC, the carrier said phone numbers and IMEI and IMSI details (identifiers for mobile devices and SIM cards respectively) were also compromised.

Mitigating the impact

T-Mobile maintained that it has "no indication" that affected customers’ financial details were exposed. The company said its investigation into the breach is ongoing, and more details will be provided as they’re uncovered. 

T-Mobile emphasized that it’s “confident” that it has successfully “closed off the access and egress points the bad actor used in the attack.”

The company said it has notified affected account holders and taken steps to safeguard accounts. Customers who think they may have been affected are being offered two years of identity protection services. 

Although no account PINs were compromised, T-Mobile has recommended that all postpaid customers proactively change their PIN by going online into their T-Mobile account or calling the Customer Care team by dialing 611 on their phone.


T-Mobile confirms that data on millions of customers was stolen in breach

T-Mobile says its investigation of a breach of its network shows that hackers were able to access data on 7.8 million of its postpaid customers, along with the records of 40 million former and prospective customers.

“We were able to verify that a subset of T-Mobile data had been accessed by unauthorized individuals,” the company said in a statement. “We also began coordination with law enforcement as our forensic investigation continued. While our investigation is still underway and we continue to learn additional details, we have now been able to confirm that the data stolen from our systems did include some personal information.”

The company said the access point used by the hacker was located and closed. It said no financial or credit card information was compromised. However, officials confirmed that hackers apparently stole customers’ first and last names, dates of birth, Social Security numbers, and driver’s license/ID information. In short, criminals obtained the information needed to steal customers’ identities.

T-Mobile offers assistance to compromised customers

T-Mobile said it is taking the following steps to support customers whose data may have been compromised:

  • Immediately offering 2 years of free identity protection services with McAfee’s ID Theft Protection Service.

  • Recommending all T-Mobile postpaid customers proactively change their PIN by going online into their T-Mobile account or calling the Customer Care team by dialing 611 on their phone. This precaution is being taken despite the fact that we have no knowledge that any postpaid account PINs were compromised.

  • Offering an extra step to protect mobile accounts with Account Takeover Protection capabilities for postpaid customers, which makes it harder for customer accounts to be fraudulently ported out and stolen.

  • Publishing a unique web page later on Wednesday for one-stop information and solutions to help customers take steps to further protect themselves. 

T-Mobile said it was also able to confirm that approximately 850,000 active T-Mobile prepaid customer names, phone numbers, and account PINs were compromised in the breach. 

“We have already proactively reset all of the PINs on these accounts to help protect these customers, and we will be notifying accordingly right away,” T-Mobile said. “No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed.”

Other steps consumers can take

T-Mobile customers affected by the breach may also take other steps to prevent identity theft. The first step should be placing a freeze on credit reports maintained by Experian, Equifax, and TransUnion.

The freeze should be placed with all three companies. Someone using a stolen Social Security number will not be able to open new credit accounts as long as the freeze is in place. Fortunately, the process has gotten less complicated over the years. Here are the links to freeze credit information at the three companies:

Freezing credit reports prevents a criminal from opening a credit account in your name, but it prevents you from doing so as well. All three credit agencies make it possible to establish a PIN or password so that your credit can be unfrozen when you are applying for a loan or credit account.


Poly Network offers job to hacker that breached its systems

Cryptocurrency platform Poly Network has offered a job to the hacker who stole nearly $600 million in cryptocurrency tokens from it.

A hacker known as “The White Hat” recently made off with a massive amount of crypto, only to later return most of it. The perpetrator claimed that they stole the funds “for fun” and that it was “always the plan” to return the assets. However, some speculated that the hacker either feared legal consequences or realized how difficult it would be to launder such a large amount of stolen crypto. 

Poly Network has since invited the hacker to become an advisor to the firm. It has also promised a $500,000 “bug bounty” reward in exchange for providing the password needed to retrieve more than $200 million in stolen funds. 

In a message embedded in a transaction last week, an anonymous person claiming to be the perpetrator said they would “PROVIDE THE FINAL KEY WHEN _EVERYONE_ IS READY,” but that hasn’t happened yet.

Retrieving the remaining funds

On Monday, the hacker said they were “considering taking the bounty as a bonus for public hackers if they can hack the Poly Network.” Poly Network said its offer of a $500,000 reward to “Mr. White Hat” is still on the table. It also said the hacker could have a role as its “chief security advisor.”

“To extend our thanks and encourage Mr. White Hat to continue contributing to security advancement in the blockchain world together with Poly Network, we cordially invite Mr. White Hat to be the Chief Security Advisor of Poly Network,” the firm said in a statement.

The platform said it has no plans to levy legal charges against Mr. White Hat. On the contrary, it plans to use what it’s learned from the attack to bolster its security measures. The firm said Tuesday that it hopes to implement a “significant system upgrade” to prevent future incidents. However, it says it can’t do so until the remaining funds are returned. 


Memorial Health System hit by ransomware attack that crippled hospitals

Computers owned by Memorial Health System were hit by an attack from the Hive ransomware group on Sunday, causing a system outage. Memorial Health announced that it suffered “an information technology security incident in the early morning hours this morning, August 15, 2021.” 

“As a result, we suspended user access to information technology applications related to our operations,” the non-profit health system said in a statement.

The company is still struggling to get operations back to normal. In the meantime, medical personnel have been forced to rely on paper records and cancel radiology exams and non-urgent surgical cases. The organization said it didn’t believe patient records were stolen in the attack. 

"At this time no known patient or employee personal or financial information has been compromised," said Memorial Health System president and CEO Scott Cantley. "We are continuing to work with IT security experts to methodically investigate to precisely understand what happened and are taking the appropriate actions to resolve any and all issues."

Hive ransomware group

Memorial Health System represents 64 clinics, including the Marietta Memorial, Selby General, and Sistersville General hospitals in the Marietta-Parkersburg metropolitan area in West Virginia and Ohio. 

The party that carried out the attack is allegedly the Hive ransomware gang, a group that began targeting businesses this summer. Although Memorial Health officials said they didn’t believe any information was compromised, Hive typically links to data stolen from its victims. 

“Like most ransomware gangs, Hive has a leak site called HiveLeaks and hosted on the dark web, where they published links to data stolen from almost two dozen victims that did not pay the ransom,” reported Bleeping Computer. “Most of the businesses listed on the leak site appear to be small to medium sized, many having around or less than 100 employees.”


Apple releases new details on plan to monitor phones for child sexual content

Apple has released new details about its plan to scan consumers’ devices for evidence of child sexual abuse material (CSAM). Following criticis