Showing posts with label Mobile Security.

Here's Why You Shouldn't Use Public USB Charging Ports


We've all been there: stuck in a coffee shop with a phone battery dropping fast and no charger, only to spot a free USB charging station nearby. Relieved, you plug in and get on with your day, unaware of the potential threat behind that seemingly benign USB port. 

That threat is "juice jacking," an attack that has received enough attention in recent years to warrant an advisory from the FBI. So what exactly is juice jacking, and how risky is it? Here's what you need to know, along with some recommendations for keeping your mobile devices safe while charging on the road. 

What is juice-jacking? 

Juice-jacking is when an attacker uses a public charging point to siphon data from, or push malware onto, your phone while it charges. The attack hardware is hidden either in the charging kiosk itself or in a cable or adapter left plugged into it. It works because a USB connection, unlike a two-prong AC plug, carries data lines as well as power: whatever you plug into can, in principle, talk to your phone. 

The method is similar to how a card "skimmer" steals bank or credit card details; the difference is that a compromised port can, in the worst case, reach all of the data on your phone, including passwords, account information, contacts and emails. This form of attack is not yet widespread, but it has the potential to become so. Fortunately, there are simple ways to defend yourself. 

Prevention Tips 
  • Do not plug your phone directly into a public USB charging port. Use your own two-prong AC adapter in a wall socket instead; a mains plug carries power only.
  • Don't use a cable or adapter that is provided at the station or borrowed from someone else, since either can hide a malicious implant designed to steal your information. 
  • Use a USB data blocker (often sold as a "sync stop" adapter); it passes the power pins through and disconnects the data pins, so an attacker behind the port cannot reach your phone. 
  • Leave the phone locked or switched off while it charges. Most phones refuse data access over USB while locked or powered off. 
  • Don't rely on others: carry your own power bank to charge your mobile device. 

When your phone's battery goes low in the airport, hotel, or coffee shop, be sure you're prepared to give it the power it requires without leaving you powerless.

Twilio Alerts Authy Users of Potential Security Risks Involving Phone Numbers



The U.S. messaging giant Twilio has confirmed that attackers obtained 33 million phone numbers in the past week. Authy, the popular two-factor authentication app owned by Twilio, which uses users' phone numbers as identifiers, told TechCrunch that "threat actors" were able to identify the phone numbers of Authy users. The confirmation followed a post on a well-known hacking forum by a hacker or hacking group known as ShinyHunters, claiming to have hacked Twilio and obtained the cell phone numbers of 33 million Authy users. 

Twilio spokesperson Ramirez told TechCrunch that the company had detected that threat actors were able to identify phone numbers associated with Authy accounts through an unauthenticated endpoint, though the company gave few further details. TechCrunch had reported earlier in the week that someone had obtained phone numbers belonging to users of Authy, Twilio's two-factor authentication (2FA) service. 

In an alert published on Monday, Twilio warned that the stolen numbers could be used for phishing and other scams by "threat actors" trying to steal personal information. Twilio traced the leak to an "unauthenticated endpoint," which it has since secured. This is not the company's first incident: in 2022, a phishing campaign tricked Twilio employees into handing over their login credentials, giving attackers access to the company's network. In that attack, the hackers accessed 163 Twilio customer accounts and 93 Authy accounts, and used the Authy access to register additional devices. 

Last week the dark web was abuzz with the release of 33 million phone numbers from Authy accounts, published by the threat actor ShinyHunters. As BleepingComputer pointed out, the actor appears to have obtained the data by feeding a massive list of phone numbers into an unsecured API endpoint of the app, which checked whether each number was tied to an Authy account. 

In other words, the data set was compiled by querying the unauthenticated endpoint with an enormous number of candidate phone numbers. For any number that was registered, the endpoint returned information about the associated Authy account. Twilio has since secured the API, so it can no longer be used to test whether a phone number is registered with Authy.

Threat actors have used this technique before, abusing insecure Twitter and Facebook APIs to compile profiles of tens of millions of users containing both public and private information. Although the Authy scrape contained only phone numbers, that data is still valuable to attackers interested in smishing and SIM-swapping attacks aimed at taking over victims' accounts. 
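The enumeration described above comes down to one design flaw: an endpoint that anyone can call and that answers differently depending on whether a number is registered. The following is an added example, not Twilio's or Authy's code, that models such an oracle in memory alongside a hardened version. The account records, the server secret, the session-token scheme and the rate-limit policy are all constructed for the demonstration.

```python
"""Phone-number enumeration oracle vs. a hardened lookup.

Added example, not Twilio or Authy code. It models in memory the kind of
unauthenticated "is this number registered?" endpoint described above, and a
hardened version. The account records, secret and rate-limit policy are all
constructed for the demo.
"""
import hmac
import time
from typing import Optional

# Constructed sample directory: phone number -> account record (fake data).
ACCOUNTS = {
    "+15550000001": {"id": 1001, "status": "active", "devices": 2},
    "+15550000002": {"id": 1002, "status": "active", "devices": 1},
    "+15550000003": {"id": 1003, "status": "inactive", "devices": 0},
}

API_SECRET = b"constructed-demo-secret"  # stand-in for a real server-side secret


def vulnerable_lookup(phone: str) -> dict:
    """Unauthenticated endpoint that answers differently for registered and
    unregistered numbers: an enumeration oracle, and it even leaks the record."""
    record = ACCOUNTS.get(phone)
    if record is None:
        return {"registered": False}
    return {"registered": True, **record}


def enumerate_numbers(candidates) -> list:
    """What the scraper does: feed a bulk list of numbers and keep the hits."""
    hits = []
    for phone in candidates:
        resp = vulnerable_lookup(phone)
        if resp["registered"]:
            hits.append((phone, resp["id"], resp["status"], resp["devices"]))
    return hits


class RateLimiter:
    """Fixed-window counter per client key (hypothetical policy)."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self._hits = {}  # key -> (window_start, count)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        start, count = self._hits.get(key, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0
        count += 1
        self._hits[key] = (start, count)
        return count <= self.limit


def session_token_for(account_id: int) -> str:
    """Constructed bearer token bound to one account (HMAC over its id)."""
    return hmac.new(API_SECRET, str(account_id).encode(), "sha256").hexdigest()


def hardened_lookup(phone: str, token: str, client_key: str,
                    limiter: RateLimiter, now: Optional[float] = None) -> dict:
    """Requires a session bound to the account, rate-limits per client, and
    returns an identical body whether the number is unknown or the caller
    is not authorised for it, so the endpoint no longer acts as an oracle."""
    if not limiter.allow(client_key, now):
        return {"status": 429, "body": {"ok": False}}
    record = ACCOUNTS.get(phone)
    # Do the same work on both paths so response time does not reveal
    # whether the number exists (id 0 is never assigned in this demo).
    expected = session_token_for(record["id"] if record else 0)
    authorised = hmac.compare_digest(token.encode(), expected.encode())
    if record is not None and authorised:
        return {"status": 200, "body": {"ok": True, **record}}
    return {"status": 200, "body": {"ok": False}}


if __name__ == "__main__":
    probe = ["+1555000000%d" % i for i in range(10)]   # attacker's candidate list
    print("vulnerable endpoint leaks:", enumerate_numbers(probe))
    limiter = RateLimiter(limit=100, window_s=60)
    seen = {hardened_lookup(p, "", "scraper", limiter, now=0.0)["body"]["ok"]
            for p in probe}
    print("hardened endpoint answers:", seen)   # only False: nothing to learn
```

Three things matter in the hardened version: the caller must hold a session for the very account being looked up, the response for "unknown number" and "not your number" is byte-for-byte the same, and a per-client limit caps how fast anyone can probe. Rate limiting alone would only have slowed the Authy scrape down; the uniform response is what removes the oracle.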

The leaked CSV file contains 33,420,546 rows. Each row holds an account ID, phone number, an "over_the_top" column, the account status, and the number of registered devices, according to the same report. Twilio has acknowledged the incident on Authy's blog, confirming a data breach affecting users of its Authy two-factor authentication app. 

While the company experienced two separate cyberattacks in 2022, it emphasized that this latest incident is not related to the previous breaches. In light of this development, Twilio is urging all Authy users to exercise extreme caution when dealing with unsolicited text messages that appear to be from the company. According to Sean Wright, Head of Application Security at Featurespace, the primary threat stemming from this incident is the potential for targeted phishing attacks. Exposure to users' phone numbers significantly increases the risk of such attacks. 

Wright reassures users that direct access to their Authy accounts remains unlikely unless the attackers can obtain the seeds for the multi-factor authentication (MFA) tokens stored within the app. Despite this, he stresses the importance of remaining vigilant. Users should be particularly wary of messages from unknown senders, especially those that convey a sense of urgency or threaten financial loss if no action is taken. 

To enhance security, Wright suggests that users consider switching to an alternative MFA application or opting for more secure hardware keys, such as the Yubico YubiKey. Additionally, if any user experiences difficulty accessing their Authy account, Twilio advises immediate contact with Authy support for assistance. Furthermore, Twilio recommends that users update their Authy app on iOS and Android platforms to address potential security vulnerabilities. 

Keeping the application up-to-date is critical in safeguarding against future threats and ensuring the highest level of protection for user accounts. This proactive approach will help mitigate the risks associated with the recent breach and reinforce the security of the authentication process for all Authy users.

EU Proposes New Law to Allow Bulk Scanning of Chat Messages


The European elections have ended, and the European football tournament is in full flow; why not allow bulk searches of people's private communications, including encrypted ones? Activists around Europe are outraged by the proposed European Union legislation. 

The vote that EU governments were due to hold on Thursday, at a key meeting of the Permanent Representatives Committee, would not have been the final hurdle for the legislation, which aims to detect child sexual abuse material (CSAM). At the last minute, the contentious item was taken off the agenda. 

However, if the EU Council does approve the Chat Control regulation, later rather than sooner, experts believe it will survive the rest of the difficult political process and be enacted. Activists have therefore asked Europeans to take action and keep up the pressure.

EU Council deaf to criticism

A regulation requiring chat services such as Facebook Messenger and WhatsApp to sift through users' private chats for grooming and CSAM was first proposed in 2022. 

Needless to say, privacy experts denounced it, with cryptography professor Matthew Green stating that the document described "the most sophisticated mass surveillance machinery ever deployed outside of China and the USSR.” 

“Let me be clear what that means: to detect “grooming” is not simply searching for known CSAM. It isn’t using AI to detect new CSAM, which is also on the table. It’s running algorithms reading your actual text messages to figure out what you’re saying, at scale,” stated Green. 

However, the EU has not backed down, and the draft law is still working its way through the system. Specifically, the proposed law would establish an "upload moderation" system to analyse all digital messages, including shared images, videos, and links.

The document is rather wild. Consider end-to-end encryption: on the one hand, the proposed legislation states that it is vital, but it also warns that encrypted messaging platforms may "inadvertently become secure zones where child sexual abuse material can be shared or disseminated." 

The method appears to involve scanning message content on the device, before apps such as WhatsApp, Messenger, or Signal encrypt it. Presented as compatible with end-to-end encryption, that sounds unconvincing, and it most likely is. 

Even if the regulation is approved by EU countries, additional problems may arise once the general public becomes aware of what is at stake. According to a study conducted last year by the European Digital Rights group, 66% of young people in the EU oppose the idea of having their private messages scanned.

Android 15's Lockdown Mode Safeguards Your Phone Against "Juice Jacking"


You shouldn't use any random cable offered to you at a public charging station to charge your Android phone, or any other device, for a few very good reasons. You might not get the fastest charging speeds, and, more importantly, there are security issues: "juice jacking" attacks that weaponize charging stations are a real, if hard-to-scale, threat. Android 15's Lockdown mode now includes defences against this type of attack. 

Google is still working on Android 15, which is now in beta testing. The latest development, spotted by Android expert Mishaal Rahman (via Android Authority), suggests the update will have built-in protection against attackers who use juice-jacking devices. Such devices can attempt to install malicious apps, run commands, deliver malicious payloads to your device, and control how the USB connection handles data.

That said, Rahman notes there is little reason to panic about juice jackers today, because Android already refuses to enable USB debugging until the device is unlocked. Access to files on the device is similarly blocked until you explicitly switch the USB connection mode to file transfer. Together, these safety nets defeat attempts to run ADB commands or tamper with your files. Lockdown mode takes this a step further, and it gets better with Android 15.

Put things on lockdown

Lockdown mode, introduced as a safety feature with Android 9 in 2018, appears by default in the power menu on Pixel phones running Android 12 or later. Other manufacturers are free to place the option elsewhere, but once selected it hides notifications on the lock screen, disables biometric and Smart Lock unlocking, and requires your PIN, password, or pattern to restore device functionality.

Testing with a Pixel 6 Pro running Android 15 and another device running Android 14, Rahman confirmed that the newer firmware blocks USB data access when Lockdown mode is enabled: any existing ADB session or connected USB input device is disconnected. This should work as soon as eligible Pixel phones receive the Android 15 upgrade, but other OEMs must update their devices' USB HAL to expose the necessary APIs before the feature can function. 

In any case, the Android 15 upgrade adds another safeguard against juice jacking, even though older versions already protected you reasonably well. Still, precautions such as avoiding unfamiliar chargers at airports and malls remain the best and most effective defence.

Is Your iPhone at Risk? Understanding iPhone Spyware Issue


Apple has warned iPhone users in 92 countries that they may have been targeted by spyware attacks, one of the most frightening threats in the realm of technology. 

The blog post below will explore how these Spyware Attacks are potentially growing. We will share some interesting and easy-to-do strategies to ensure your privacy. 

Alarming rise 

Almost three weeks ago, Apple sent a notification to iOS users in more than 90 countries warning that they may have been targeted by spyware attacks. The alert quickly went viral, leaving users wary and concerned about their privacy.

Apple referred explicitly to "the increasing use of spyware against iPhone users across the world", but has provided no further detail about the attacks, so the situation remains unclear.

Pegasus issue

Why has the iPhone spyware problem become so serious? These attacks are not ordinary spying or malware. They exploit weaknesses in apps installed on the device, with the main goal of gaining access to your WhatsApp and iMessage conversations, and they usually install silently on your iPhone.

No action is required from you, and once installed the attacker has complete control of the device. The Israeli-made Pegasus spyware was designed in just this way and is extensively used in such attacks. 

It gives the operator access to your microphone, camera, location, texts, media, and other features. Pegasus has for a long time been frequently deployed against journalists and political figures. 

How to detect spyware 

Detecting iPhone spyware can be difficult, but it is not impossible. These tools are highly developed to stay hidden on your device, but here are some key signs: 

  • Constant battery drain
  • Slow or odd performance
  • Suspicious installations
  • Increased data use

Steps to ensure your privacy 
  • Make sure your device is running the most recent iOS version. Updates carry all of the security fixes and are your first line of defence. 
  • Strong passwords and multi-factor authentication add an extra layer of security to your applications and accounts.
  • Avoid dubious messages or links, and do not download attachments or documents shared by strangers.

Apple Working to Patch Alarming iPhone Issue


Apple says it is working quickly to resolve an issue that has caused some iPhone alarms not to go off, giving sleeping users an unexpected lie-in. 

Many people rely on their phones as alarm clocks, and some oversleepers took to social media to gripe. A Tiktokker expressed dissatisfaction at setting "like five alarms" that failed to go off. 

Apple has stated that it is aware of the issue at hand, but has yet to explain what it believes is causing it or how users may avoid a late start. 

It is also unknown how many people are affected or whether the issue is limited to specific iPhone models. The problem was first reported by early risers on NBC's Today Show, which sparked wider concern. 

In the absence of an official fix, those losing sleep over the issue can try a few simple things. One is to rule out human error: double-check the phone's alarm settings and make sure the volume is turned up. 

Others pointed the finger at Apple designers, claiming that a flaw in the iPhones' "attention aware features" could be to blame.

When enabled, they allow an iPhone to detect whether a user is paying attention to their device and, if so, to automatically take action, such as lowering the volume of alerts, including alarms. 

According to Apple, they are compatible with the iPhone X and later, as well as the iPad Pro 11-inch and iPad Pro 12.9-inch. Some TikTok users speculated that if a slumbering user's face was oriented towards the screen of a bedside iPhone, depending on the phone's settings, the functionalities may be activated. 

Apple said it intends to resolve the issue quickly. But, until then, its time zone-spanning consumer base may need to dust off some old gear and replace TikTok with the more traditional - but trustworthy - tick-tock of an alarm clock.

An Unusual Tracking Feature Identified on Millions of iPhone Users


Millions of iPhone users across the globe have discovered a new setting that was automatically switched on in their iPhones. The latest software version includes a setting called "Discoverable by Others". It can be found under 'Journalling Suggestions' in the iPhone's privacy and security settings. Journalling Suggestions arrived with the new Journal app, which launched with iOS 17.2 in December 2023. 

When enabled, the feature draws on data already stored on the user's iPhone: music, images, workouts, who they've called or texted, and significant locations. It uses this to suggest moments to write about in the Journal app.

The feature is enabled by default and stays so even after a user deletes the Journal app. According to Joanna Stern, a senior personal technology correspondent for The Wall Street Journal, Apple has confirmed that customers' phones can use Bluetooth to locate nearby devices associated with their contact list. However, the phone does not save any information about the detected contacts. This feature offers context to enhance Journalling suggestions.

The firm has also denied disclosing users' identities and locations to anyone. To clarify their point, Apple provided an example of holding a dinner party at your home with pals listed in your contacts. According to the tech behemoth, the system may prioritise the event in Journalling Suggestions. This is because it recognises that the number of guests made it more than just another night at home with your family.

As per Apple's support page, if you disable the 'Discoverable by Others' option to avoid yourself from being counted among your contacts, the 'Prefer Suggestions with Others' feature will also be turned off. This implies that the Journalling Suggestions feature will be unable to determine the number of devices and contacts in your vicinity.

Heightened Hacking Activity Prompts Social Media Security Warning



Social media is a great way to keep in touch with family and friends, follow the news and spot marketing opportunities, and the platforms provide privacy and security settings to protect your information. Those settings only help, however, if you actually use them. 

When social media is used carelessly, it can expose a person's personal information, and online criminals are devising new and more sophisticated ways of exploiting weaknesses more often than ever. There is a lot users need to know about keeping their Facebook, X and Instagram accounts secure, from how accounts get hacked to how to recover them. 

When fraudsters gain access to a user's account, they can exploit their contacts, sell their information on the dark web, and steal their identity. According to Action Fraud, some victims of email and social media hacking have been extorted by criminals who stole their private photos and videos. In one survey, nearly nine in ten respondents (89%) said they knew someone whose profile had been compromised, and 28% said they knew at least five to ten people who had been hacked. 

The survey also found that 15 per cent of respondents knew someone who had been hacked on social media more than ten times, and 76% said their concerns had grown over the past year, so the fears appear to be growing. 

What scammers do to hack accounts

Fraudsters can get into online users' accounts, and from there their money, in a variety of ways. 

Someone whose account has been hacked may well wonder how the attacker got in. Often it starts with a breach of some other system that held highly confidential data about the person; the fraudster then uses that information to get into further accounts. 

Phishing attacks entice users into divulging their details by impersonating legitimate companies and including links to malicious websites that harvest whatever is entered. Such sites may also push malicious code onto the victim's device to steal further information. 

A chain hack which takes place on a social media platform involves a fraudster posting links to dubious websites in the comment section of a post. After the victim clicks on the link, the fraudster will then ask them to enter their social media account details. This will allow the fraudster access to the victim's account information. It has been reported that fraudsters are known to send messages to victims impersonating one of their contacts in an attempt to get them to share their two-factor authentication code with them. 

Credential stuffing is when attackers take usernames and passwords obtained from an earlier breach and try them against a person's other accounts, relying on password reuse. Shoulder surfing is when a scammer watches a user log into an account. Attackers may also trick users into downloading a malicious app that installs malware on the phone, letting the fraudster steal the account's username and password and use it to steal the user's money. 
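Credential stuffing leaves a distinctive trace on the service being attacked: one source trying many different usernames in quick succession, most of them failing, which looks nothing like a user mistyping a password or a brute-force attack on a single account. The following is an added example, not part of the article, showing how a defender can pick that pattern out of authentication logs. The log lines are constructed, and the key=value format, the five-minute window and the thresholds are assumptions rather than any product's conventions.

```python
"""Spotting credential stuffing in authentication logs.

Added example, not from the article. The log lines are constructed, and the
key=value format, window and thresholds are assumptions, not any product's.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 tries many different usernames with
# leaked passwords (stuffing), 198.51.100.2 is a user who mistypes once, and
# 192.0.2.9 hammers a single account (classic brute force).
SAMPLE_LOG = """\
2024-07-01T10:00:01Z src=203.0.113.7 user=alice result=fail
2024-07-01T10:00:02Z src=203.0.113.7 user=bob result=fail
2024-07-01T10:00:02Z src=203.0.113.7 user=carol result=success
2024-07-01T10:00:03Z src=203.0.113.7 user=dave result=fail
2024-07-01T10:00:03Z src=203.0.113.7 user=erin result=fail
2024-07-01T10:00:04Z src=203.0.113.7 user=frank result=fail
2024-07-01T10:00:05Z src=203.0.113.7 user=grace result=fail
2024-07-01T10:00:05Z src=203.0.113.7 user=heidi result=success
2024-07-01T10:01:10Z src=198.51.100.2 user=ivan result=fail
2024-07-01T10:01:20Z src=198.51.100.2 user=ivan result=success
2024-07-01T10:02:00Z src=192.0.2.9 user=judy result=fail
2024-07-01T10:02:01Z src=192.0.2.9 user=judy result=fail
2024-07-01T10:02:02Z src=192.0.2.9 user=judy result=fail
2024-07-01T10:02:03Z src=192.0.2.9 user=judy result=fail
2024-07-01T10:02:04Z src=192.0.2.9 user=judy result=fail
2024-07-01T10:02:05Z src=192.0.2.9 user=judy result=fail
2024-07-01T10:02:06Z src=192.0.2.9 user=judy result=fail
2024-07-01T10:02:07Z src=192.0.2.9 user=judy result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_log(text: str) -> list:
    """Return (timestamp, source, user, succeeded) tuples, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a malformed line should not crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "success"))
    return events


def detect(events, window=timedelta(minutes=5), min_attempts=5,
           min_users=5, min_fail_ratio=0.5) -> dict:
    """Per source, slide a window over its attempts. Many distinct usernames
    with mostly failures is credential stuffing; many attempts against one
    username is brute force. Successes inside a stuffing burst are the
    accounts whose reused passwords worked and need a forced reset."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        for i, (start, _, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start <= window]
            if len(win) < min_attempts:
                continue
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if fails / len(win) < min_fail_ratio:
                continue
            if len(users) >= min_users:
                findings[src] = {
                    "kind": "credential_stuffing",
                    "attempts": len(win), "distinct_users": len(users),
                    "compromised": sorted(e[2] for e in win if e[3]),
                }
                break
            if len(users) == 1:
                findings[src] = {"kind": "brute_force", "attempts": len(win),
                                 "target": next(iter(users))}
                break
    return findings


if __name__ == "__main__":
    for src, finding in detect(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

The point a practitioner should take from the output is the "compromised" list: a successful login inside a stuffing burst is not a false positive to be ignored but an account whose reused password has just been confirmed, and it needs a forced reset and session revocation before the attacker uses it.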

If your account has been hacked, beware of "recovery scammers" who contact you on social media claiming they can get the account back if only you follow their instructions. This is just another scam; they cannot do it, and you should not fall for it. 

Find out who to contact for help with a hacked account by going to the account provider's help page. Log every device out of the account and change the password everywhere it was used. Check your email account for any new rules, forwarding settings or configurations that were set up without your knowledge. 

Such changes can silently redirect emails about your accounts to the attacker. Tell your contacts promptly that your account may have been compromised and advise them to be cautious, since messages from you may not actually have been sent by you.

Novel Darcula Phishing Campaign is Targeting iPhone Users


Darcula is a new phishing-as-a-service (PhaaS) platform that targets Android and iPhone users in more than 100 countries, using 20,000 domains to impersonate brands and harvest login credentials.

With more than 200 templates available to fraudsters, Darcula has been used against a wide range of services and organisations, including the postal, financial, government, tax, and utility sectors as well as telcos and airlines.

One feature that distinguishes the service is that it contacts the targets over the Rich Communication Services (RCS) protocol for Google Messages and iMessage rather than SMS for sending phishing messages.

Darcula's phishing service

Darcula was first discovered by security researcher Oshri Kalfon last summer, but according to Netcraft researchers, the platform is becoming increasingly popular in the cybercrime sphere, having lately been employed across numerous high-profile incidents. 

Darcula, unlike older phishing kits, is built on modern technologies such as JavaScript, React, Docker, and Harbor, allowing continual updates and new features to be rolled out without requiring its customers to reinstall the phishing kit. 

The phishing kit includes 200 phishing templates that spoof businesses and organisations from over 100 countries. The landing pages are high-quality, with proper local language, logos, and information. 

The fraudsters choose a brand to spoof and then run a setup script that installs the phishing site and management dashboard into a Docker environment. The Docker image is hosted via the open-source container registry Harbor, and the phishing sites are built with React.

According to the researchers, the Darcula service commonly uses ".top" and ".com" top-level domains for purpose-registered phishing domains, with Cloudflare fronting nearly a third of them. Netcraft has mapped 20,000 Darcula domains to 11,000 IP addresses, with 120 new domains added every day. 

Abandoning SMS 

Darcula breaks away from standard SMS-based methods, instead using RCS (Android) and iMessage (iOS) to send victims texts with links to the phishing URL. The benefit is that victims are more likely to trust the message, since these channels carry safeguards that SMS lacks. Furthermore, because RCS and iMessage are end-to-end encrypted, carriers and network filters cannot intercept and block phishing messages based on their content.

According to Netcraft, recent legislative initiatives around the world to combat SMS-based crime by restricting suspicious messages are likely pushing PhaaS providers towards other protocols such as RCS and iMessage.

Any incoming communication asking the recipient to click on a URL should be viewed with caution, especially if the sender is unknown. Phishing threat actors will never stop trying with novel delivery techniques, regardless of the platform or app.

Researchers at Netcraft also advise keeping an eye out for misspellings, grammatical errors, unduly tempting offers, and calls to action.
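Because RCS and iMessage are end-to-end encrypted, the checks Netcraft recommends can only be applied on the device itself, where the plaintext is available. The following is an added example, not Netcraft's tooling or anything from the Darcula kit, showing what an on-device triage of incoming messages might look like. It combines the ".top" observation from the article with two assumed heuristics: a brand-to-domain allowlist and a small list of urgency phrases. The sample messages, the allowlist and the phrases are constructed for the demonstration.

```python
"""On-device triage of RCS/iMessage texts carrying links.

Added example, not Netcraft's tooling or anything from the Darcula kit.
Because these channels are end-to-end encrypted, content checks like these
can only run on the device itself. The brand allowlist, urgency phrases and
sample messages are constructed assumptions; the ".top" observation comes
from the article.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
RISKY_TLDS = {"top"}  # extend from your own telemetry
URGENCY_RE = re.compile(
    r"\b(within \d+ ?h|suspended|verify now|immediately|final notice|urgent)\b",
    re.IGNORECASE)
# Assumed allowlist: brand keyword -> registrable domains it legitimately uses.
BRAND_DOMAINS = {"usps": {"usps.com"}, "dhl": {"dhl.com"}}

# Constructed sample messages (channel, text).
MESSAGES = [
    ("imessage", "USPS: your package is on hold. Confirm your address within 12h: "
                 "https://usps-redelivery.top/track"),
    ("rcs", "Parcel update https://usps.com.tracking-center.top/a1"),
    ("rcs", "Your DHL shipment is out for delivery: https://www.dhl.com/track"),
    ("imessage", "Dinner at 8? Bring the board game"),
]


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' rule. Good enough for .com/.top; for multi-part
    public suffixes such as co.uk use a public-suffix library (e.g. tldextract)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse(text: str) -> list:
    """Return the list of reasons a message looks like phishing ([] if clean)."""
    reasons = []
    urls = URL_RE.findall(text)
    for url in urls:
        host = urlparse(url).hostname or ""
        reg = registrable_domain(host)
        tld = reg.rsplit(".", 1)[-1]
        if tld in RISKY_TLDS:
            reasons.append(f"risky_tld:{tld}")
        for brand, legit in BRAND_DOMAINS.items():
            # Brand name anywhere in the host (including as a fake subdomain,
            # e.g. usps.com.evil.top) while the registrable domain is not theirs.
            if brand in host and reg not in legit:
                reasons.append(f"brand_lookalike:{brand}:{reg}")
    if urls and URGENCY_RE.search(text):
        reasons.append("urgent_call_to_action")
    return reasons


def triage(messages) -> list:
    """Run analyse() over (channel, text) pairs; channel is kept for reporting."""
    return [analyse(text) for _channel, text in messages]


if __name__ == "__main__":
    for (channel, text), reasons in zip(MESSAGES, triage(MESSAGES)):
        print(f"[{channel}] {'SUSPICIOUS' if reasons else 'ok'} {reasons}")
```

The second sample message is the case worth noting: the link begins with "usps.com" but the domain that actually resolves is "tracking-center.top", which is exactly the kind of lookalike the high-quality Darcula templates are paired with. Judging a link by its registrable domain rather than by what appears at the start of the URL is the single most useful habit the article's advice implies.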

Unveiling the MaaS Campaign: Safeguarding Android Users in India


In the vast landscape of cybersecurity threats, a new campaign has emerged, targeting Android users in India. Dubbed as the "MaaS Campaign," this nefarious operation has caught the attention of security experts worldwide due to its sophisticated nature and potential for widespread damage. Let's delve into the intricacies of this campaign, understanding its modus operandi and the measures users can take to protect themselves. 

The MaaS Campaign, short for Malware-as-a-Service, represents a significant evolution in cybercrime tactics. Unlike traditional cyberattacks that require substantial technical expertise, the MaaS Campaign allows even novice hackers to deploy sophisticated malware with minimal effort. This democratization of cybercrime poses a severe threat to users, particularly in regions like India, where Android devices dominate the market. 

At the heart of the MaaS Campaign lies the exploitation of weaknesses in the Android ecosystem. Android's openness to apps installed from outside the official store, combined with slow patching on many devices, gives cybercriminals room to exploit security gaps. Through various means, including malicious apps, phishing emails, and compromised websites, attackers lure unsuspecting users into downloading malware onto their devices. Once the malware is on a device, it operates stealthily, often evading detection by traditional antivirus software. One of the primary objectives of the MaaS Campaign is to steal sensitive information, including personal data, financial credentials, and login credentials for various online accounts. 

This information is then used for a range of malicious activities, including identity theft, financial fraud, and espionage. What makes the MaaS Campaign particularly concerning is its targeted approach towards Android users in India. With India's burgeoning smartphone market and increasing reliance on digital services, the country has become a lucrative target for cybercriminals. 

Moreover, the diversity of Android devices and the prevalence of outdated software versions exacerbate the security risks, leaving millions of users vulnerable to exploitation. To mitigate the risks associated with the MaaS Campaign and similar cyber threats, users must adopt a proactive approach to cybersecurity. Firstly, maintaining vigilance while downloading apps or clicking on links is crucial. Users should only download apps from trusted sources such as the Google Play Store and avoid clicking on suspicious links or email attachments. 

Additionally, keeping software and operating systems up-to-date is paramount. Developers frequently release security patches to address known vulnerabilities, and failing to update exposes devices to exploitation. Users should enable automatic updates wherever possible and regularly check for updates manually. 

Furthermore, investing in robust cybersecurity solutions can provide an added layer of defense against malware and other cyber threats. Antivirus software, firewalls, and anti-malware tools can help detect and neutralize malicious activity, safeguarding users' devices and data. Education also plays a pivotal role in combating cyber threats. Users should familiarize themselves with common phishing tactics, malware warning signs, and best practices for online security. By staying informed and vigilant, users can avoid falling victim to cyberattacks and protect their digital identities. 

In conclusion, the MaaS Campaign represents a significant threat to Android users in India and underscores the importance of robust cybersecurity measures. By understanding the tactics employed by cybercriminals and adopting proactive security practices, users can minimize the risk of falling victim to such campaigns. Ultimately, safeguarding against cyber threats requires a collective effort involving users, cybersecurity professionals, and technology companies to create a safer digital environment for all.

WhatsApp Beta Testing Expanded Authentication Methods for App Lock Feature


In a world where privacy and security are increasingly important, WhatsApp continues to prioritize the protection of user data through encrypted messaging. Recently, the app has been testing a new label to highlight chat encryption, further emphasizing its commitment to safeguarding user conversations. 

Additionally, WhatsApp has introduced features such as chat lock and app lock to enhance chat security and privacy. Chat lock allows users to hide private conversations from the main chat list. By enabling chat lock on a per-conversation basis, users can keep sensitive chats out of sight. When activated, users are prompted for biometric authentication, either face or fingerprint recognition, before accessing locked chats. For users who want comprehensive protection for all their chats, WhatsApp offers app lock. 

This feature, available at a device level on certain Android skins by major OEMs, allows users to secure the entire app with biometric authentication or device passcodes. Recently, in the latest WhatsApp beta version 2.24.6.20, the app's app lock feature underwent significant enhancements. According to findings by WABetaInfo, app lock is expanding to include additional authentication methods beyond just biometric fingerprint recognition. 

The update will introduce options such as face unlock and device passcodes, providing users with more flexibility in securing their chats. The inclusion of multiple authentication methods serves as a backup for fingerprint authentication, ensuring accessibility even in scenarios where fingerprint recognition may not be feasible. 

For example, users wearing gloves can still unlock the app using alternative methods. Moreover, the expansion of authentication options enhances accessibility for users who may face limitations with certain authentication methods. While the introduction of new authentication methods represents a significant improvement to WhatsApp's app lock feature, users are advised to exercise caution when installing the latest beta version. The current beta release may be prone to crashes, potentially compromising the app's core functionality. 

Therefore, it is recommended to await a wider release before attempting to access the new features. In conclusion, WhatsApp's dedication to user privacy and security is evident through its continuous efforts to enhance encryption and introduce innovative security features. The expansion of authentication methods for the app lock feature underscores WhatsApp's commitment to providing users with robust security options while maintaining accessibility and ease of use.

TRAI Updates Regulations to Prevent SIM Swap Fraud in Telecom Porting


The Telecom Regulatory Authority of India (TRAI) recently announced updated regulations aimed at combating SIM swap fraud in the telecom sector. According to the new regulations, telecom subscribers will be prohibited from porting out of their current network provider if they have recently "swapped" their SIM card due to loss or damage within the past seven days. 

This amendment is intended to prevent fraudulent activities by disallowing the issuance of a "unique porting code" (UPC), which is the initial step in changing providers using mobile number portability. 

The TRAI highlighted that this measure is part of its broader efforts to address concerns related to fraudulent and spam calls, which have been on the rise in recent years. In addition to SIM swap fraud, spam calls and messages have become a significant nuisance for telecom subscribers, leading to increased efforts by regulatory authorities to combat such activities. 

Previous anti-spam measures undertaken by TRAI include the establishment of a do-not-disturb registry, the release of an app for filing complaints against telemarketers, and the enforcement of regulations on transactional SMS messages by businesses. 

However, despite these efforts, fraudulent activities continue to pose challenges for both regulators and consumers. In addition to the prohibition on porting after SIM card swapping, TRAI has recommended to the Department of Telecommunications (DoT) the implementation of a feature that would display the legally registered name of every caller on recipients' handsets. This proposal aims to enhance transparency and enable recipients to identify the origin of incoming calls more accurately. 

However, the proposal has faced criticism on privacy grounds, with concerns raised about the potential misuse of caller identification information. To further address concerns related to fraudulent communication, the DoT has introduced its own portal called Chakshu for reporting suspected fraud communication. This platform allows users to report instances of suspected fraud, helping regulatory authorities to track and investigate fraudulent activities more effectively. 

Furthermore, the TRAI is considering a suggestion from the DoT regarding the verification of subscriber identity during the porting process. Currently, porting requires only the possession of an unblocked SIM, with know-your-customer (KYC) processes conducted anew. This policy has implications for minors and other dependents whose SIMs may not be registered in their names. 

The suggestion to double-check KYC during porting will be examined separately by TRAI. Overall, TRAI's efforts to strengthen regulations in the telecom sector aim to enhance security and protect consumers from fraudulent activities such as SIM swap fraud. By implementing measures to prevent unauthorized porting and enhancing transparency in caller identification, TRAI seeks to safeguard the interests of telecom subscribers in India. However, as fraudsters continue to evolve their tactics, regulatory authorities will need to remain vigilant and adapt their strategies accordingly to stay ahead of emerging threats.

Securing Your iPhone from GoldPickaxe Trojan


In recent times, the digital realm has become a battleground where cybercriminals constantly devise new tactics to breach security measures and exploit unsuspecting users. The emergence of the GoldPickaxe Trojan serves as a stark reminder of the ever-present threat to our personal data and privacy. As reported by 9to5Mac, this insidious malware has targeted iPhone users, raising concerns about the safety and security of our devices. 

The GoldPickaxe Trojan is a sophisticated form of malware designed to infiltrate iPhones, compromising sensitive information and potentially causing significant harm to users. This malicious software operates covertly, often masquerading as legitimate applications or using social engineering tactics to trick users into installing it. Once installed on a device, the GoldPickaxe Trojan can execute a range of malicious activities, including stealing personal data such as login credentials, financial information, and sensitive communications. 

Moreover, it may grant unauthorized access to the device, allowing cybercriminals to control its functionalities remotely. Given the severity of the threat posed by the GoldPickaxe Trojan, it is imperative for iPhone users to take proactive measures to safeguard their devices and personal data. Here are some essential steps to enhance your device's security and protect against this insidious malware. 

Ensure that your iPhone's operating system, as well as all installed applications, is up to date. Manufacturers regularly release security patches and updates to address vulnerabilities and strengthen defences against emerging threats like the GoldPickaxe Trojan. Exercise caution when downloading and installing applications from the App Store or third-party sources. Verify the authenticity of the developer and scrutinize app permissions before granting access to your device's resources. Avoid installing apps from unknown or untrusted sources, as they may contain malicious payloads. 
Activate two-factor authentication (2FA) wherever possible to add an extra layer of security to your accounts. By requiring a secondary verification method, such as a one-time code sent to your phone, 2FA can thwart unauthorized access attempts even if your login credentials are compromised by the GoldPickaxe Trojan. Use strong, unique passwords for all your online accounts, including your iPhone's lock screen and iCloud account. Avoid using easily guessable passwords or reusing the same password across multiple platforms, as this can significantly increase the risk of unauthorized access and data breaches. 

Consider installing reputable antivirus and security software on your iPhone to detect and remove malicious threats like the GoldPickaxe Trojan. These applications can provide real-time protection against malware, phishing attacks, and other cyber threats, helping to safeguard your device and personal information. Remain vigilant against suspicious activities and phishing attempts, such as unsolicited emails or messages requesting sensitive information. Stay informed about the latest cybersecurity threats and trends, and educate yourself on best practices for online safety and privacy. 

The GoldPickaxe Trojan represents a significant threat to iPhone users, highlighting the importance of robust security measures and proactive defence strategies. By following the guidelines above and adopting a security-conscious mindset, you can mitigate the risk of falling victim to this malicious malware and protect your device, data, and privacy from harm. Remember, safeguarding your iPhone is not just a matter of convenience; it's a crucial step in safeguarding your digital identity and maintaining control over your online presence in an increasingly interconnected world.

Geofencing: A Tech Set to Transform the Consumer Landscape?


One technological advancement that is subtly changing the marketing and customer engagement scene is Geofencing. It effortlessly connects your device to companies and services by drawing virtual borders around real-world locations. As soon as you cross these lines, you get relevant messages that are tailored to your area, including discounts, event reminders, or special offers.

Although this technology benefits some industries more than others, it raises serious privacy issues because it tracks your whereabouts, which in turn raises questions of consent and data protection.

Let's examine the workings of this technology, consider how important your mobile device is to this procedure, and consider the privacy issues in more detail.

Geofencing: What is it?

Digital technology known as "geofencing" creates imaginary borders around a predetermined region. It's similar to encircling a location, such as a park, coffee shop, or neighborhood, with an invisible fence on a map.

As people enter or leave these designated regions, this technology monitors devices such as cell phones that rely on GPS, WiFi, or cellular data. It also tracks the movement of radio-frequency identification (RFID) tags, compact devices that wirelessly transmit data, similar to contactless car keys, across these virtual boundaries.

How does Geofencing work?

1. Specifying the Geofence: To establish a geofence around their store, a retailer first chooses a location and then enters geographic coordinates into software to create an invisible boundary.

This could cover the immediate vicinity of the store or cover a broader neighborhood, establishing the context for the activation of particular digital activities.

2. Granting Access to Location Data: For geofencing to function, users must allow location access on their cell phones. With this authorization, the device can use:

  • GPS, for accurate location monitoring
  • WiFi, which uses nearby networks to estimate proximity
  • Cellular data, which uses cell towers to triangulate the device's location

These permissions guarantee that the device's position can be precisely detected by the system. (We'll talk about the privacy issues this has raised later.)

3. Getting in or out of the fence: The geofencing system tracks the customer's smartphone location as they approach the geofenced area around the store. When the customer enters this region, the system detects the entry from the GPS data that the smartphone continuously provides.

4. Setting Off an Event: A predetermined action, such as delivering a push notification to the customer's smartphone, is triggered by this entry into the geofence.

The action in this retail scenario could be a notification with a marketing message or a unique discount offer meant to entice the customer by offering something of value when they are close to the business.

5. Carrying Out the Response: A notification appears on the customer's device, telling them that a promotion or discount has been sent straight to their smartphone.

The customer's experience can be greatly improved by this prompt and location-specific interaction, which may result in more people visiting the store and a greater rate of sales conversion.
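The five steps above, as an added example that is not from the original post: a small Go monitor that turns raw location fixes into enter/exit events for a circular geofence (step 3), attaches the offer to the entry event (step 4), and uses an exit margin so GPS jitter at the boundary does not cause repeated notifications. The store coordinates, radius and offer text are constructed sample values; evaluating the fence on the device and emitting only the crossing event, rather than streaming coordinates to the retailer, is also the data-minimising design the privacy concerns below call for.

```go
package main

import (
	"fmt"
	"math"
)

// Geofence is a circular virtual boundary around a real-world location:
// a centre in WGS84 degrees plus a radius in metres. (Constructed example.)
type Geofence struct {
	Name    string
	Lat     float64
	Lon     float64
	RadiusM float64
	Offer   string // the marketing message delivered on entry
}

// Event is the only thing the monitor emits: a boundary crossing, not the
// raw coordinates. Comparing on the device and sending just enter/exit
// events is the data-minimising way to implement steps 3 and 4.
type Event struct {
	Fence   string
	Kind    string // "enter" or "exit"
	Message string // push-notification payload for an "enter" event
}

// Monitor keeps per-fence inside/outside state so that a stream of location
// fixes becomes transitions. ExitMarginM adds hysteresis: a device that is
// inside must move ExitMarginM beyond the radius before an exit is reported,
// so GPS jitter at the edge does not cause enter/exit flapping.
type Monitor struct {
	fences      []Geofence
	inside      map[string]bool
	ExitMarginM float64
}

func NewMonitor(fences []Geofence, exitMarginM float64) *Monitor {
	return &Monitor{fences: fences, inside: map[string]bool{}, ExitMarginM: exitMarginM}
}

// HaversineM returns the great-circle distance in metres between two points.
func HaversineM(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadiusM = 6371000.0
	toRad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat := toRad(lat2 - lat1)
	dLon := toRad(lon2 - lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusM * math.Asin(math.Sqrt(a))
}

// Update consumes one location fix and returns the crossings it caused.
func (m *Monitor) Update(lat, lon float64) []Event {
	var events []Event
	for _, f := range m.fences {
		d := HaversineM(lat, lon, f.Lat, f.Lon)
		wasInside := m.inside[f.Name]
		switch {
		case !wasInside && d <= f.RadiusM:
			m.inside[f.Name] = true
			events = append(events, Event{Fence: f.Name, Kind: "enter", Message: f.Offer})
		case wasInside && d > f.RadiusM+m.ExitMarginM:
			m.inside[f.Name] = false
			events = append(events, Event{Fence: f.Name, Kind: "exit"})
		}
	}
	return events
}

func main() {
	// Constructed store location, 100 m radius, 30 m exit margin.
	m := NewMonitor([]Geofence{{Name: "store", Lat: 28.6139, Lon: 77.2090, RadiusM: 100, Offer: "10% off today"}}, 30)
	// A walk towards the store and away again; 0.0001 deg of latitude is about 11 m.
	fixes := [][2]float64{{28.6239, 77.2090}, {28.6143, 77.2090}, {28.6149, 77.2090}, {28.6159, 77.2090}}
	for _, fix := range fixes {
		for _, ev := range m.Update(fix[0], fix[1]) {
			fmt.Printf("%s %s %q\n", ev.Kind, ev.Fence, ev.Message)
		}
	}
}
```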

Industries where Geofencing is used

  1. Child Safety and Elderly Care
  2. Workforce Management
  3. Smart Home Automation
  4. Transport and Logistics

Future and Geofencing

Geofencing technology is anticipated to undergo a substantial transformation in 2024 and beyond, mostly because of the progress made in IoT (Internet of Things) technology. IoT encompasses physical objects, automobiles, household appliances, and other products that are integrated with sensors, software, electronics, and communication.

Watch Out for Phone Scams



Preying on people's trust, a growing cybersecurity threat known as "vishing" has become a cause for concern, affecting unsuspecting individuals and even businesses. Vishing, short for voice phishing, involves scammers attempting to trick people into revealing sensitive information over the phone. These calls often impersonate authorities such as the IRS or banks and create a sense of urgency to manipulate victims. In 2022 alone, victims reported median losses of $1,400, per the Federal Trade Commission (FTC).

What Is Vishing?

Vishing operates on social engineering tactics, relying on psychological manipulation rather than malware. The scammers may pose as government officials or company representatives to extract financial details, Social Security numbers, or other sensitive data. Notably, technological advancements, such as caller ID spoofing and AI-driven voice mimicking, contribute to the rising prevalence of vishing attacks.

Detecting a Vishing Attempt

Identifying vishing calls involves recognizing key signs. Automated pre-recorded messages claiming urgent matters or unsolicited requests for sensitive information are red flags. Scammers may pose as government officials, exploiting the authoritative tone to create a sense of urgency. The use of aggressive tactics during the call is another indicator.

What To Do? 

To safeguard against vishing scams, individuals can adopt practical strategies. Screening calls carefully and letting unknown numbers go to voicemail helps avoid falling prey to scammers who may attempt to spoof caller IDs. Remaining suspicious of unsolicited calls and refraining from sharing personal data over the phone, especially Social Security numbers or passwords, is crucial. Joining the National Do Not Call Registry can also reduce exposure to illegitimate calls.

Preventive Measures

Taking preventive measures can further fortify against vishing attacks. Signing up for the National Do Not Call Registry informs marketers about your preference to avoid unsolicited calls. Additionally, services like AT&T's TruContact Branded Call Display provide an extra layer of security, displaying the name and logo of the business calling AT&T customers.

In case one suspects falling victim to a vishing scheme, prompt action is essential. Contacting financial institutions, placing a security freeze on credit reports, and changing passwords, especially for sensitive accounts, are immediate steps. Reporting any attempted scams to the FTC and FBI adds an extra layer of protection.

As vishing scammers continually refine their tactics, individuals must stay vigilant. Being sceptical of unsolicited calls and refraining from sharing personal information over the phone is paramount in protecting against these evolving threats.

To look at the bigger picture, vishing poses a significant risk in the digital age, and awareness is key to prevention. Individuals can strengthen themselves against these deceptive attacks by staying informed and adopting precautionary measures. Remember, scepticism is a powerful tool in the fight against vishing scams, and every individual can play a role in ensuring their cybersecurity. Stay informed, stay cautious.


X Launches Secure Login with Passkey for iOS Users in US


X (formerly known as Twitter) is set to allow users to log in with a passkey rather than a password, but only on iOS devices.

X earlier announced its intention to roll out passwordless technology, and it has now made the option available to iPhone users. It enables a faster login process by allowing users to authenticate with whatever they already use to lock their device, such as a fingerprint, Face ID, or PIN. 

Passkeys are also regarded as safer, because the device generates the underlying cryptographic key, which is never disclosed to anyone, not even the user. This makes them impervious to phishing: cybercriminals cannot use fake emails and social engineering to trick targets into handing them over.

Only for iPhones

The FIDO Alliance designed passkeys and set the technical guidelines for them. They employ the WebAuthn standard, a core component of the FIDO2 specifications. The alliance's board of directors includes most of the top technology firms, including Apple, Google, and Microsoft. 

To set up passkeys on X, open the X app on iPhone and go to "Settings and privacy" under "Your account". Then navigate to "Security and account access" and then "Security". Choose "Passkey" under "Additional password protection" and comply with the on-screen directions. You can remove a passkey from the same menu at any moment. 

Although X does not make passkeys mandatory, it strongly encourages users to start using them. Currently, users must already have a password-protected X account before they can set up a passkey, though the company advises customers to "stay tuned" on this.

As iOS devices are, for the time being, the only ones that can log in to X with a passkey, users' passkeys will be synced across their Apple devices via Apple's Keychain password manager, allowing multiple iOS devices to log in to X with the same passkey.
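As an added illustration of why the post calls passkeys phishing-resistant (example code, not X's or the FIDO Alliance's), a simplified Go model of the WebAuthn assertion flow: the device generates a P-256 key pair per relying party, signs a fresh challenge together with the browser-supplied origin, and the relying party rejects anything signed for another origin or with a stale challenge. The relying-party ID "x.com" and the lookalike "x-login.example" are constructed placeholders, and attestation, CBOR authenticator data and signature counters are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator models the device side of a passkey: one P-256 key pair per relying-party
// ID, generated on the device; the private half never leaves it. Constructed example; real
// WebAuthn adds attestation, CBOR authenticator data, a signature counter and UV flags.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey // rpID -> private key
}

// Register creates a credential for rpID and returns only the public key,
// which the relying party stores against the account. No secret is shared.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if a.creds == nil {
		a.creds = map[string]*ecdsa.PrivateKey{}
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// ClientData mirrors WebAuthn's clientDataJSON. The browser, not the web page,
// fills in Origin, which is what makes every signature origin-bound.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Sign is the device-side login ceremony and returns (clientDataJSON, signature). A browser
// derives rpID from the current origin, so a lookalike domain can only request credentials
// scoped to itself; origin is passed separately here only to exercise the RP's origin check.
func (a *Authenticator) Sign(rpID, origin, challenge string) ([]byte, []byte, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, nil, errors.New("no credential for this relying party")
	}
	cd, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	hash := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, hash[:])
	return cd, sig, err
}

// Verify is the relying party's check: the challenge must be the one it just issued (no
// replay), the origin must be its own (no relay from a phishing page), and the signature
// must verify under the public key stored at registration.
func Verify(pub *ecdsa.PublicKey, expectedOrigin, expectedChallenge string, clientDataJSON, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: signed for another site", cd.Origin, expectedOrigin)
	}
	hash := sha256.Sum256(clientDataJSON)
	if !ecdsa.VerifyASN1(pub, hash[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// NewChallenge returns the fresh, single-use random challenge a relying party issues per login.
func NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

func main() {
	var auth Authenticator
	pub, _ := auth.Register("x.com") // placeholder relying-party ID
	ch := NewChallenge()
	cd, sig, _ := auth.Sign("x.com", "https://x.com", ch)
	fmt.Println("genuine login:", Verify(pub, "https://x.com", ch, cd, sig))
	_, _, err := auth.Sign("x-login.example", "https://x-login.example", NewChallenge())
	fmt.Println("lookalike site:", err)
}
```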

Why Limiting Online Access Risks More Than Teen Safety



In the age of increasing online presence, especially amplified by the COVID-19 pandemic, the safety of young people on the internet has become a prominent concern. With a surge in screen time among youth, online spaces serve as crucial lifelines for community, education, and accessing information that may not be readily available elsewhere.

However, the lack of federal privacy protections exposes individuals, including children, to potential misuse of sensitive data. The widespread use of this data for targeted advertisements has raised concerns among young people and adults alike.

In response, teens are voicing their need for tools to navigate the web safely. They seek more control over their online experiences, including ephemeral content, algorithmic feed management, and the ability to delete collected data. Many emphasise the importance of reporting, blocking, and user filtering tools to minimise unwanted encounters while staying connected. 

Despite these calls, legislative discussions often seem disconnected from the concerns raised by teens. Some proposed bills aimed at protecting children online unintentionally risk limiting teens' access to constitutionally protected expression. Others, under the guise of child protection, may lead to censorship of essential discussions about race, gender, and other critical topics.

Recent legislative efforts at the federal and state levels raise concerns about potential misuse. Some proposals subject teens to constant parental supervision, age-gate them from essential information or even remove access to such information entirely. While the intention is often to enhance safety, these measures could infringe on young people's independence and hinder their development.

In an attempt to address harmful online outcomes, some bills, like the Kids Online Safety Act, could fuel censorship efforts. Fear of legal repercussions may prompt technology companies to restrict access to lawful content, impacting subjects such as LGBTQ+ history or reproductive care.

In some cases, laws directly invoke children's safety to justify blatant censorship. Florida's Stop WOKE Act, for instance, restricts sharing information related to race and gender under the pretext of protecting children's mental health. Despite being blocked by a federal judge, the law has had a chilling effect, with educational institutions refraining from providing resources on Black history and LGBTQ+ history.

Experts argue that restricting access to information doesn't benefit children. Youth need a diverse array of information for literacy, empathy, exposure to different ideas, and overall health. As lawmakers ban books and underfund extracurricular programs, empowering teenagers to access information freely becomes crucial for their development.

To bring it all together, while teens and their allies advocate for more control over their digital lives, some legislative proposals risk stripping away that control. Instead of relying on government judgment, the focus should be on empowering teens and parents to make informed decisions. 



Here's How Unwiped Data On Sold Devices Can Prove Costly


As time passes, it is disturbing to see how many people still have a casual attitude towards their personal data, despite the constant stream of cyber incidents and large data breaches in the headlines. Millions of accounts and sensitive personal information have been compromised, but the general public's attitude towards data security remains carelessly lax.

SD cards

Take SD cards, for example, as a portable storage medium. These minuscule yet mighty gadgets are immensely useful, allowing us to carry vital data like images, messages, and recordings. But because it is so simple to store personal data on these cards, security breaches frequently occur. 

When these cards are sold or handed on to others, a prevalent issue arises. Many people do not properly erase their private information, which might remain accessible to the new owner. Regular file deletion does not ensure safety, because data recovery tools can frequently recover what was believed to be gone for good. Surprisingly, some people do not even care to erase their data before handing the cards on, exposing their sensitive information. 

SD cards are frequently mistakenly included in the sale of mobile phones and tablets. This omission, along with a general lack of concern, poses a serious risk. Furthermore, company data is occasionally left on these devices, unnoticed by security agencies and personnel.

A study undertaken by the University of Hertfordshire a few years ago brought this issue to the forefront. Researchers bought roughly 100 discarded memory cards from eBay and second-hand phone shops, then attempted to extract data from them. The cards had been used in a variety of devices, including phones, tablets, cameras, and drones. Selfies, document images, contact information, browsing history, and much more sensitive material were found in the recovered data. Such data is easily exploitable by criminals, revealing a significant gap between public recognition of the importance of data security and actual user behaviour. 

Hard drives

The Techradar group carried out a study on old hard drives in 2008. They analysed the contents of the drives they bought from internet stores like eBay. The results were alarming: a significant quantity of private information, including records and images, could still be retrieved. 

Smartphones

Similarly, Avast's investigation of used smartphones in 2014 identified an identical issue. Despite the fact that many users thought they had wiped their phones clean, over 40,000 images, including sensitive ones, and financial data were discovered on these devices. 

The studies above point to a significant gap in most people's knowledge of digital data security. Using a smartphone's "Restore and reset to factory settings" feature alone does not ensure that personal data is completely and permanently erased. Data recovery experts and hackers can frequently retrieve data that ordinary commercial tools cannot. In simple cases, even well-known software tools can retrieve files; a committed hacker with the necessary resources can go much further.

Google to Label Android VPNs Clearing a Security Audit


Google hopes that better badging alerting to independent audits will help Android users in finding more trustworthy VPN apps.

The ad giant and cloud provider has given independently audited apps in its Play store a more visible display of their security credentials, namely a banner atop their Google Play page. 

According to Nataliya Stanetsky of Google's Android Security and Privacy Team, writing in an announcement, VPN apps are the first to receive this treatment because they handle a large amount of sensitive data, which is why miscreants frequently target them for subversion.

"When a user searches for VPN apps, they will now see a banner at the top of Google Play that educates them about the 'Independent security review' badge in the Data Safety Section," explained Stanetsky.

Google and the App Defence Alliance (ADA) expanded their partnership last year to incorporate the Mobile App Security Assessment (MASA), which verifies that Android apps comply with OWASP-defined security standards. The ADA was founded in 2019. 

The audit isn't very comprehensive. As the ADA's website states, "MASA is intended to provide more transparency into the app's security architecture, however the limited nature of testing does not guarantee complete safety of the application."

Additionally, MASA does not always verify the safety claims made by app developers, according to the ADA. It is understandable that the alliance does not want to be held accountable if it overlooks something and an information-stealing app slips through, but its MASA endorsement is still meaningful. 

Among its many checks, MASA looks for apparent bad practices, such as whether sensitive data is written to application log files and whether the application reuses cryptographic keys for multiple purposes. Even though it's not safe to say that apps are guaranteed to be secure, it's safe to say that you're better off with those that avoid such mistakes. 

If MASA fails, there are backup security measures in the Android ecosystem. As Google proudly declares, the platform attempts to defend against PHAs and MUwS, or potentially malicious applications and unwanted software. It accomplishes this by collecting information about malicious apps, using machine learning and other techniques, performing static and dynamic risk analyses, and more.

Google Completes Mobile-First Indexing After 7 Years


Google has finally announced that it has completed its mobile-first indexing initiative, which means that it will use the mobile version of websites for indexing and ranking purposes. This is a major change that affects how Google crawls, indexes, and ranks web pages, and it has implications for webmasters, SEOs, and users alike. In this blog post, we will explain what mobile-first indexing is, why it matters, and how you can optimize your website for it.

What is Mobile-First Indexing?

Mobile-first indexing is a process that Google uses to determine which version of a website to use for indexing and ranking. It means that Google will use the mobile version of a website as the primary source of information, and the desktop version as a fallback option. This differs from the previous approach, where Google used the desktop version as the primary source of information, and the mobile version as a secondary option.

Google started experimenting with mobile-first indexing in November 2016 and gradually rolled it out to more and more websites over the years. On October 31, 2023, Google announced that it had completed the switch to mobile-first indexing for all websites and that it would stop using its legacy desktop crawler and remove the indexing crawler information from Google Search Console.

Why Does Mobile-First Indexing Matter?

Mobile-first indexing matters because it reflects the growing importance of mobile devices and user experience. According to Google, more than half of the global web traffic comes from mobile devices, and users expect fast and easy access to information on any device. Therefore, Google wants to ensure that its search results are relevant and useful for mobile users and that its ranking algorithm is aligned with the mobile web.

Mobile-first indexing also matters because it affects how webmasters and SEOs optimize their websites for Google. If a website has different versions for desktop and mobile, or if the mobile version is not optimized for speed, usability, and content, it may suffer from lower rankings and traffic. Therefore, webmasters and SEOs need to make sure that their websites are mobile-friendly and consistent across devices.

How to Optimize Your Website for Mobile-First Indexing?

To optimize your website for mobile-first indexing, you need to follow some best practices that Google recommends. Here are some of them:

  • Use responsive web design, which adapts to the screen size and orientation of the device. This way, you can have one website that works well on both desktop and mobile and avoid having duplicate or conflicting content.
  • Ensure that your mobile version has the same content and functionality as your desktop version and that it is not missing any important information or features. For example, do not hide or remove text, images, videos, or links on mobile, and do not use different URLs or redirects for mobile and desktop.
  • Optimize your mobile version for speed, usability, and accessibility. For example, use compressed images, minified code, and lazy loading techniques to reduce the loading time, use clear and legible fonts, buttons, and menus to improve readability and navigation, and use descriptive and concise titles, headings, and meta tags to enhance the visibility and relevance.
  • Test and monitor your mobile version using Google's tools and resources. For example, use the Mobile-Friendly Test, PageSpeed Insights, and the Lighthouse tools to check the performance and quality of your mobile version, and use the Google Search Console and Google Analytics to track the indexing and traffic of your mobile version. 

What's next for Google?

Mobile-first indexing is a significant milestone for Google and the web industry, as it shows the shift from desktop to mobile as the primary platform for web browsing and searching. It also presents new challenges and opportunities for webmasters and SEOs, who need to adapt their websites to the mobile web and provide the best possible experience for their users. By following the best practices and using the tools that Google provides, you can optimize your website for mobile-first indexing and benefit from the mobile web.