Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label User Privacy. Show all posts
User Privacy
Biometric Authentication Cyber Security Facial Recognition Threat Intelligence User Privacy

Ban the Scan - Is Facial Recognition a Risk to Civil Liberties?

 

There are numerous voices around the world opposing the use of facial recognition technology. Many people believe facial recognition poses a severe threat to individual privacy, free speech, racial inequality, and data security. People who oppose it have solid grounds for doing so, and they have strong reservations of employing this technology in any form, citing its extremely high false positive rate and its implications for civil and personal liberties, specifically individual privacy.

Critics argue that facial recognition is biassed towards people of color, women, and children. Surveillance cameras are more common in places where immigrants live, which adds fuel to the flames. The explanation is the greater crime rate in those areas. Facial technology has not matured sufficiently, and its usage under such an environment worsens an already complex situation. The flaws in the justice system will expand as a result of the technology's inefficiency, contributing to harsher sentences and higher bails for those affected. 

Forced deployment

Despite its flaws, facial recognition technologies are used by police and other law enforcement agencies across the world. Surveillance is the key industry in which it is most widely applied. It is also commonly used in airports for passenger screening, as well as for housing and employment decisions. In 2020, San Francisco, Boston, and a few other localities restricted the use of facial recognition. 

According to an article on the Harvard blog by Alex Najibi, “police use face recognition to compare suspects’ photos to mugshots and driver’s license images; it is estimated that almost half of American adults – over 117 million people, as of 2016 – have photos within a facial recognition network used by law enforcement. This participation occurs without consent, or even awareness, and is bolstered by a lack of legislative oversight.” 

Private companies are also attempting to capitalise on biometric scanning in various ways and collecting user data for a variety of purposes. It is not new to blame Google and Meta for collecting excessive amounts of user data. The most recent clamour came when the World Coin initiative, founded by OpenAI CEO Sam Altman, suggested iris scanning as a requirement for coin ownership. These private-sector initiatives are troubling. 

Compared to other biometric systems such as fingerprints, iris scanning, and voice recognition, facial recognition has the highest error rate and is the most likely to cause privacy problems and bias against marginalised people and children.

The Electronic Frontier Foundation (EFF) and the Surveillance Technology Oversight Project (S.T.O.P.) oppose the use of facial recognition in any form. S.T.O.P. is based in New York, and its work focuses on civil rights. It also conducts study and activism on issues of surveillance technology abuse. 

Regarding the ban on the scan movement, S.T.O.P. says, "when we say scan, we mean the face scan feature of facial recognition technology. Surveillance, particularly facial recognition. It is a threat to free speech, freedom of association, and other civil liberties. Ban the Scan is a campaign and coalition built around passing two packages of bills that would ban facial recognition in a variety of contexts in New York City and New York State.”
Read more »
User Privacy
Data Breach Data Leak GMA Social Security Number U.S. Firm User Privacy

Hackers Siphon 340,000 Social Security Numbers From U.S. Consulting Firm

 

Greylock McKinnon Associates (GMA) has discovered a data breach in which hackers gained access to 341,650 Social Security numbers. 

The data breach was disclosed last week on Friday on Maine's government website, where the state issues data breach notifications. In its data breach warning mailed to impacted individuals, GMA stated that it was targeted by an undisclosed cyberattack in May 2023 and "promptly took steps to mitigate the incident." 

GMA provides economic and litigation support to companies and government agencies in the United States, including the Department of Justice, that are involved in civil action. According to their data breach notification, GMA informed affected individuals that their personal information "was obtained by the U.S. Department of Justice ("DOJ") as part of a civil litigation matter" supported by GMA.

The purpose and target of the DOJ's civil litigation are unknown. A Justice Department representative did not return a request for comment. 

GMA stated that individuals that were notified of the data breach are "not the subject of this investigation or the associated litigation matters," adding that the cyberattack "does not impact your current Medicare benefits or coverage.” 

“We consulted with third-party cybersecurity specialists to assist with our response to the incident, and we notified law enforcement and the DOJ. We received confirmation of which individuals’ information was affected and obtained their contact addresses on February 7, 2024,” the firm noted. 

GMA notified victims that "your private and Medicare data was likely affected in this incident," which included names, dates of birth, home addresses, some medical and health insurance information, and Medicare claim numbers, including Social Security numbers.

It remains unknown why GMA took nine months to discover the scope of the incident and notify victims. GMA and its outside legal counsel, Linn Freedman of Robinson & Cole LLP, did not immediately respond to a request for comment.
Read more »
User Privacy
Dark Web Data Breach Data Leak Private Data Tech Firm User Privacy

Private Data of 7.5 million BoAt Users Leaked in Massive Data Breach

 

More than 7.5 million boAt customers' customer information has surfaced on the dark web. It is possible to purchase personally identifiable information (PII) such as a name, address, contact number, email ID, customer ID, and more. The threat actor leaked around 2GB of data on the forum. 

On April 5, a hacker dubbed ShopifyGUY claimed to have accessed the data of audio products and smartwatch maker boAt Lifestyle. The threat actor leaked data breach files comprising 75,50,000 entries of personally identifiable information (PII) from consumers. Forbes India validated the report by speaking with a number of the consumers who have recently purchased boAt items. 

These data breaches have implications that extend beyond the immediate loss of private data. People are more susceptible to monetary fraud, phishing scams, and identity theft. Threat Intelligence Researcher Saumay Srivastava notes that sophisticated social engineering assaults could be carried out by threat actors who employ users' personal information to get access to bank accounts, carry out transactions, and fraudulently use credit cards.

“The consequences for companies include a loss of customer confidence, legal consequences and reputational harm. The major implications make it even more essential to implement adequate security practices,” Saumya added. 

The leaker's profile (ShopifyGUY) is rather new, with only this leak under his belt. Because the data is genuine, the hacker will establish a good reputation among the forum community, increasing future data purchases, explains Rakesh Krishnan, senior threat analyst at NetEnrich. 

"Considering the timeline, we can assume that the hackers gained access to the boAt customer database at least one month ago and put the data on the forum yesterday.”

Ideally, the company should notify all users, conduct a thorough investigation into how the attackers gained access and what else they could access, and then overhaul their security measures to ensure this does not happen again, but realistically, it will deny and move on, explains Yash Kadakia, founder of Security Brigade. 

The data is available for eight credits on several forums, thus it practically costs two euros to purchase it. It will most likely be available for free on Telegram within a few days. Many scammers will use this information to carry out various phone and email scams, Kadakia noted. 

According to an IDC report, boAt, which was founded in 2016 by Aman Gupta, a judge on Shark Tank, and Sameer Mehta, is now the second most popular wearable brand as of the third quarter of 2023. The Gurugram-based business is well-regarded by Indian customers and is renowned for its affordable headphones and other audio equipment. In addition, it produces speakers and smartwatches.
Read more »
User Safety
Data Surveillance Data tracking Mobile Security User Privacy User Safety

An Unusual Tracking Feature Identified on Millions of iPhone Users

 

Millions of iPhone users across the globe discovered an interesting new setting that was automatically switched on in their iPhones. The latest software version included a new setting called "Discoverable by Others''. It can be located under 'Journalling Suggestions' in iPhone's privacy and security settings. Journalling Suggestions was included in the new Journal app, which was launched with iOS 17.2 in December 2023. 

When enabled, the feature accesses past data stored on the user's iPhone. Music, images, workouts, who they've called or texted, and significant locations are all included in the data. It is used to suggest what times to write about in the Journal app.

The feature is enabled by default and stays so even after a user deletes the Journal app. According to Joanna Stern, a senior personal technology correspondent for The Wall Street Journal, Apple has confirmed that customers' phones can use Bluetooth to locate nearby devices associated with their contact list. However, the phone does not save any information about the detected contacts. This feature offers context to enhance Journalling suggestions.

The firm has also denied disclosing users' identities and locations to anyone. To clarify their point, Apple provided an example of holding a dinner party at your home with pals listed in your contacts. According to the tech behemoth, the system may prioritise the event in Journalling Suggestions. This is because it recognises that the number of guests made it more than just another night at home with your family.

As per Apple's support page, if you disable the 'Discoverable by Others' option to avoid yourself from being counted among your contacts, the 'Prefer Suggestions with Others' feature will also be turned off. This implies that the Journalling Suggestions feature will be unable to determine the number of devices and contacts in your vicinity.
Read more »
User Privacy
Data Breach Data Leak Financial Firm SEC filing User Privacy

Prudential Financial Notifies 36,000 Victims of Data Leak

 

Last Friday, Prudential Financial began informing over 36,000 people of a data incident that occurred in early February 2024. 

The breach, first disclosed in a regulatory filing with the SEC in February, occurred on February 4 and was purportedly discovered the next day. 

Prudential reported at the time that the attackers had gained access to systems including business administrative and user data, as well as employee and contractor accounts. 

A week later, the ransomware gang Alphv/BlackCat claimed credit for the attack and added Prudential to their Tor-based leak site. This organisation was also responsible for a large outage in the US health system last month, hitting Change Healthcare systems and services. 

As per a March 29 complaint with the Maine Attorney General's Office, Prudential has verified that the hackers have gained access to the personal data of 36,545 people. 

We discovered through the investigation that on February 4, 2024, an unauthorised third party gained access to our network and removed a small percentage of personal information from our systems, the report reads. 

“Companies are always likely to remain wary of really rapid disclosure, given the financial impact these things can have on them, and use all the ‘tricks’ they can to delay,” commented Nick France, chief technology officer at Sectigo. 

“Ultimately, I believe that the new SEC regulations should make these processes work faster; however, given the wording of the regulation and the fact that it only came into effect at the very end of 2023, it may take some time before we see disclosures happening at the 4-day pace.” 

Individuals impacted by the Prudential breach are being notified of the issue by written notice. Names and other personal identifiers, as well as driver's licence numbers or non-driver identity card numbers, were among the compromised data.
Read more »
User Privacy
Car manufacturers Data Breach Data Privacy Smart Cars User Privacy

Here's How Smart Card Are Tracking Your Private Data

 

Smart cars are already the norm on our roads, thanks to increased connectivity and technological breakthroughs. However, beneath the slick exteriors and technological capabilities is a worrisome reality: your vehicle may be spying on you and documenting every step, including your private life. A recent study undertaken by the Mozilla Foundation revealed the alarming truth about how much personal data automakers collect and share.

The study analysed 25 different car brands and concluded that none of them passed consumer privacy criteria. Surprisingly, 84 percent of automakers have been found to review, share, or even sell data collected from car owners. The private data gathered significantly exceeds what is required for the vehicle's features or the car brand's relationship with its drivers. 

Six automakers go to alarming lengths to gather personal data about their drivers, including their driving habits, destinations, genetic makeup, and even their favourite music. This was discovered by Mozilla's research. Nissan even goes so far as to include "sexual activity" in the data it gathers, and in their privacy policy, Kia freely admits that it may collect data on your "sex life." 

According to Kia's privacy statement, it is allowed to handle "special categories" of data, which include private information on racial, religious, sexual, and political affiliations. The scope of data collecting goes beyond the in-car systems and includes linked services as well as external sources such as internet radio services and navigation apps. 

This massive amount of data isn't just dangling around; it's being utilised to develop profiles and draw conclusions about you, from your intelligence to your preferences. As the car industry embraces connectivity and autonomous driving, sales of services such as music and video streaming, driver assistance, and self-driving subscriptions are expected to increase. Carmakers can maximise profits by collecting more customer data through these services. 

Even Tesla, despite its dominance in the electric vehicle sector, failed Mozilla's security, data control, and AI tests. Tesla has previously been criticised for its privacy procedures, including cases in which staff exchanged recordings and photographs captured by customer car cameras. 

As the automotive sector evolves, concerns regarding data security and personal privacy grow. It remains to be seen if automakers will take the necessary safety measures to safeguard your personal information as the smart car revolution advances. In the meanwhile, it's critical to keep informed and cautious about the negative aspects of smart cars.
Read more »
User Privacy
Credential Phishing iPhone Users Mobile Security Phishing Campaign User Privacy

Novel Darcula Phishing Campaign is Targeting iPhone Users

 

Darcula is a new phishing-as-a-service (PhaaS) that targets Android and iPhone consumers in more than 100 countries by using 20,000 domains to impersonate brands and collect login credentials.

With more than 200 templates available to fraudsters, Darcula has been used against a wide range of services and organisations, including the postal, financial, government, tax, and utility sectors as well as telcos and airlines.

One feature that distinguishes the service is that it contacts the targets over the Rich Communication Services (RCS) protocol for Google Messages and iMessage rather than SMS for sending phishing messages.

Darcula's phishing service

Darcula was first discovered by security researcher Oshri Kalfon last summer, but according to Netcraft researchers, the platform is becoming increasingly popular in the cybercrime sphere, having lately been employed across numerous high-profile incidents. 

Darcula, unlike previous phishing approaches, uses modern technologies such as JavaScript, React, Docker, and Harbour, allowing for continual updates and new feature additions without requiring users to reinstall the phishing kit. 

The phishing kit includes 200 phishing templates that spoof businesses and organisations from over 100 countries. The landing pages are high-quality, with proper local language, logos, and information. 

The fraudsters choose a brand to spoof and then run a setup script that installs the phishing site and management dashboard right into a Docker environment. The Docker image is hosted via the open-source container registry Harbour, and the phishing sites are built with React.

According to the researchers, the Darcula service commonly uses ".top" and ".com" top-level domains to host purpose-registered domains for phishing attacks, with Cloudflare supporting nearly a third of those. Netcraft has mapped 20,000 Darcula domains to 11,000 IP addresses, with 120 new domains added everyday. 

Abandoning SMS 

Darcula breaks away from standard SMS-based methods, instead using RCS (Android) and iMessage (iOS) to send victims texts with links to the phishing URL. The benefit is that victims are more likely to perceive the communication as trusting the additional safeguards that aren’t available in SMS. Furthermore, because RCS and iMessage use end-to-end encryption, it is impossible to intercept and block phishing messages based on their content.

According to Netcraft, recent global legislative initiatives to combat SMS-based crimes by restricting suspicious communications are likely encouraging PhaaS providers to use other protocols such as RCS and iMessage

Any incoming communication asking the recipient to click on a URL should be viewed with caution, especially if the sender is unknown. Phishing threat actors will never stop trying with novel delivery techniques, regardless of the platform or app.

Researchers at Netcraft also advise keeping an eye out for misspellings, grammatical errors, unduly tempting offers, and calls to action.
Read more »
User Privacy
Cyber Security Data Encryption Data Leak Message Snooping Secret Project User Privacy

Facebook Spied on Users' Snapchat Traffic in a Covert Operation, Documents Reveal

 

In 2016, Facebook initiated a secret initiative to intercept and decrypt network traffic between Snapchat users and the company's servers. According to recently revealed court filings, the purpose was to better analyse user behaviour and help Facebook compete with Snapchat. Facebook dubbed it "Project Ghostbusters," an apparent homage to Snapchat's ghost-like emblem.

On Tuesday of this week, a federal court in California disclosed fresh documents acquired during the class action case between consumers and Meta, Facebook's parent company. 

The newly revealed documents show how Meta attempted to gain a competitive advantage over its competitors, namely Snapchat and later Amazon and YouTube, by analysing network traffic to see how its users interacted with Meta's competitors. Given that these apps use encryption, Facebook had to design specific technology to get around it. 

Facebook's Project Ghostbusters is described in one of the documents. In the letter, the customers' attorneys stated that the project was a part of the company's In-App Action Panel (IAPP) programme, which employed a method for "intercepting and decrypting" encrypted app traffic from users of Snapchat, and later from users of YouTube and Amazon. 

The document includes internal Facebook emails about the project. 

“Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them,” Meta chief executive Mark Zuckerberg wrote in an email dated June 9, 2016, which was published as part of the lawsuit. “Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.” 

Facebook developers' idea was to employ Onavo, a VPN-like service that the company acquired in 2013. In 2019, Facebook shut down Onavo after a TechCrunch investigation revealed that the business had been secretly paying teens to use Onavo so that it could monitor all of their web activity. 

Following Zuckerberg's email, the Onavo team took on the project and proposed a solution a month later: so-called kits that can be installed on iOS and Android to intercept traffic for specific subdomains, "allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage," reads a July 2016 email. "This is a 'man-in-the-middle' approach.” 

A man-in-the-middle attack, also known as adversary-in-the-middle, is one in which hackers intercept internet communication passing from one device to another over a network. When network communication is not encrypted, hackers can read data such as usernames, passwords, and other in-app activity.

Given that Snapchat's traffic between the app and its servers is encrypted, this network research technique is ineffective. This is why Facebook developers advocated adopting Onavo, which, when engaged, scans all of the device's network data before it is encrypted and transferred over the internet. 

Sarah Grabert and Maximilian Klein filed a class action lawsuit against Facebook in 2020, alleging that the company misled about its data collecting activities and used the data it "deceptively extracted" from users to find competitors and then unfairly compete with the new firms.
Read more »
User Safety
Data Breach Data Theft Footwear Firm User Privacy User Safety

Vans Warns Consumers of Fraudsters Following ALPHV Data Breach

 

Vans customers have been alerted to the possibility of fraud or identity theft as a result of an ALPHV data breach at the parent firm. 

Vans claims that in December 2023, VF Group discovered "unauthorised activities" on a section of its IT systems. It also claimed that no passwords or detailed financial data were stolen.

However, it also stated that "it cannot be excluded" and that attackers may try to make use of the customer data they had taken hold of. The North Face, Dickies, Timberland, and other brands are owned by VF Group.

In an email to its customers, Vans stated that the data breach was discovered by VF Group on December 13 and was "apparently carried out by external threat actors."

The firm says it "immediately took steps" to address the threat, which included shutting down affected IT systems and hiring cybersecurity experts. By 15 December, it says, the hackers were ejected. 

"Our investigation revealed that the incident has affected some personal information of our customers that we normally store and process in order to manage online purchases, such as email address, full name, phone number, billing address, and shipping address," the email reads. 

However, it stated that the company did not "collect or retain" payment or financial data, such as bank account or credit card information, therefore there was "no chance that any detailed financial information was exposed to the threat actors." 

It said that no customers had been affected as of yet, but warned that the issue "may result in attempts at identity theft, phishing, and possibly fraud in general." 

It has warned users to be wary of unfamiliar emails, texts, and phone calls seeking personal information. Vans says it has informed the relevant law enforcement agencies and will evaluate its cybersecurity protocols.
Read more »
Voice Phishing
Cyber Fraud Financial Scam User Privacy Vishing Campaign Voice Phishing

Sophisticated Vishing Campaigns are Rising Exponentially Worldwide

 

Voice phishing, also known as vishing, is popular right now, with multiple active campaigns throughout the world ensnaring even savvy victims who appear to know better, defrauding them of millions of dollars. 

South Korea is one of the global regions hardest hit by the attack vector; in fact, a fraud in August 2022 resulted in the largest amount ever stolen in a single phishing case in the country. This transpired when a doctor sent 4.1 billion won, or $3 million, in cash, insurance, stocks, and cryptocurrency to criminals, showing how much financial harm one vishing scam can inflict.

According to Sojun Ryu, lead of the Threat Analysis Team at South Korean cybersecurity firm S2W Inc., sophisticated social engineering strategies used in recent frauds involve imitating region law enforcement officers, giving individuals a false sense of authority. Ryu will present a session on the topic, "Voice Phishing Syndicates Unmasked: An In-Depth Investigation and Exposure," at the upcoming Black Hat Asia 2024 conference in Singapore. 

Vishing attempts in South Korea, in particular, take advantage of cultural differences that allow even those who do not appear to be susceptible to such scams to be victimised, he claims. For example, in recent frauds, cybercriminals have posed as the Seoul Central District Prosecutor's Office, which "can significantly intimidate people," Ryu adds. 

By doing so and acquiring people's private data ahead of time, they are successfully intimidating victims into completing money transfers — sometimes in the millions of dollars — by convincing them that if they do not, they will suffer serious legal penalties. 

Vishing engineering: A blend of psychology and technology 

Ryu and his companion speaker at Black Hat Asia, YeongJae Shin, a threat analysis researcher who previously served at S2W, will focus their talk on vishing in their own nation. However, vishing scams identical to those seen in Korea appear to be sweeping the globe recently, leaving unfortunate victims in their wake.

Even savvy Internet users appear to fall for the law-enforcement frauds; one such reporter from the New York Times, who explained in a published story how she lost $50,000 to a vishing scam in February, is one of these people. A few weeks later, when fraudsters working in Portugal pretended to be both national and international law enforcement agencies, the author of this piece almost lost 5,000 euros to a sophisticated vishing operation. 

Ryu explains that the combination of social engineering and technology enables these modern vishing scams to exploit even individuals who are aware of the risks of vishing and how their operators function. 

"These groups utilize a blend of coercion and persuasion over the phone to deceive their victims effectively," he stated. "Moreover, malicious applications are designed to manipulate human psychology. These apps not only facilitate financial theft through remote control after installation but also exploit the call-forwarding feature.” 

This suggests that there are several vishing groups active throughout the world, emphasising the need to be cautious even when dealing with the most convincing schemes, according to Ryu. To prevent compromise, it's also essential to train staff members on the telltale signs of frauds and the strategies attackers typically implement to trick victims.
Read more »
User Privacy
Data Breach Data Leak Streaming Platform Tech Giant User Privacy

Roku Data Breach: Over 15,000 Accounts Compromised; Data Sold for Pennies

 

A data breach impacting more than 15,000 consumers was revealed by streaming giant Roku. The attackers employed stolen login credentials to gain unauthorised access and make fraudulent purchases. 

Roku notified customers of the breach last Friday, stating that hackers used a technique known as "credential stuffing" to infiltrate 15,363 accounts. Credential stuffing is the use of exposed usernames and passwords from other data breaches to attempt to enter into accounts on other services. These attacks started in December 2023 and persisted until late February 2024, as per the company. 

Bleeping Computer was the first to reveal the hack, pointing out that attackers used automated tools to undertake credential-stuffing assaults on Roku. The hackers were able to bypass security protections using techniques such as specific URLs and rotating proxy servers. 

In this case, hackers probably gained login credentials from previous hacks of other websites and attempted to use them on Roku accounts. If successful, they could change the account information and take complete control, locking users out of their own accounts. 

The publication also uncovered that stolen accounts are being sold for as few as 50 cents each on hacking marketplaces. Purchasers can then employ the stored credit card information on these accounts to purchase Roku gear, such as streaming devices, soundbars, and light strips. 

Roku stated that hackers used stolen credentials to acquire streaming subscriptions such as Netflix, Hulu, and Disney Plus in some instances. The company claims to have safeguarded the impacted accounts and required password resets. Furthermore, Roku's security team has discovered and cancelled unauthorised purchases, resulting in refunds for affected users. 

Fortunately, the data breach did not compromise critical information such as social security numbers or full credit card information. So hackers should be unable to perform fraudulent transactions outside of the Roku ecosystem. However, it is recommended that you update your Roku password as a precaution. 

Even if you were not affected, this is a wake-up call that stresses the significance of proper password hygiene. Most importantly, change your passwords every few months and avoid using the same password across multiple accounts whenever possible.
Read more »
User Privacy
AI technology API accounts ChatGPT Cyber Threats data security Digital Security Multi-factor authentication OpenAI Technology User Privacy

OpenAI Bolsters Data Security with Multi-Factor Authentication for ChatGPT

 

OpenAI has recently rolled out a new security feature aimed at addressing one of the primary concerns surrounding the use of generative AI models such as ChatGPT: data security. In light of the growing importance of safeguarding sensitive information, OpenAI's latest update introduces an additional layer of protection for ChatGPT and API accounts.

The announcement, made through an official post by OpenAI, introduces users to the option of enabling multi-factor authentication (MFA), commonly referred to as 2FA. This feature is designed to fortify security measures and thwart unauthorized access attempts.

For those unfamiliar with multi-factor authentication, it's essentially a security protocol that requires users to provide two or more forms of verification before gaining access to their accounts. By incorporating this additional step into the authentication process, OpenAI aims to bolster the security posture of its platforms. Users are guided through the process via a user-friendly video tutorial, which demonstrates the steps in a clear and concise manner.

To initiate the setup process, users simply need to navigate to their profile settings by clicking on their name, typically located in the bottom left-hand corner of the screen. From there, it's just a matter of selecting the "Settings" option and toggling on the "Multi-factor authentication" feature.

Upon activation, users may be prompted to re-authenticate their account to confirm the changes or redirected to a dedicated page titled "Secure your Account." Here, they'll find step-by-step instructions on how to proceed with setting up multi-factor authentication.

The next step involves utilizing a smartphone to scan a QR code using a preferred authenticator app, such as Google Authenticator or Microsoft Authenticator. Once the QR code is scanned, users will receive a one-time code that they'll need to input into the designated text box to complete the setup process.

It's worth noting that multi-factor authentication adds an extra layer of security without introducing unnecessary complexity. In fact, many experts argue that it's a highly effective deterrent against unauthorized access attempts. As ZDNet's Ed Bott aptly puts it, "Two-factor authentication will stop most casual attacks dead in their tracks."

Given the simplicity and effectiveness of multi-factor authentication, there's little reason to hesitate in enabling this feature. Moreover, when it comes to safeguarding sensitive data, a proactive approach is always preferable. 
Read more »
User Security
Camera Spy Cyber Security Eavesdrop EM Eye User Privacy User Security

Hackers can Spy on Cameras Through Walls, New Study Reveals

 

A new threat to privacy has surfaced, as scientists in the United States have discovered a technique to eavesdrop on video feeds from cameras in a variety of devices, including smartphones and home security systems. 

The EM Eye technique has the ability to take pictures through walls as well, which raises serious concerns regarding potential misuse. 

Kevin Fu, a professor of electrical and computer engineering at Northeastern University, conducted the research, which focuses on a vulnerability in the data transfer cables found in modern cameras. These connections unintentionally serve as radio antennas, emitting electromagnetic information that can be detected and decoded to provide real-time video. 

According to Tech Xplore, the threat exists because companies focus on protecting cameras' valuable digital interfaces, such as the upload channel to the cloud, while ignoring the possibility of information leaking via inadvertent channels. "They never intended for this wire to become a radio transmitter, but it is," Fu said. "If you have your lens open, even if you think you have the camera off, we're collecting." 

The EM Eye approach has been tested on 12 different kinds of cameras, including smartphones, dashcams, and home security systems. The distance required to eavesdrop varies, although it is possible to do so from as far away as 16 feet. 

The method does not require the camera to be recording, thus any device with an open lens is potentially vulnerable. Fu recommends that people use plastic lens covers as a first step in mitigating this threat, while he warns that infrared signals can still penetrate them. 

Fu believes that these discoveries serve as a wake-up call for manufacturers to fix this security hole in their designs. "If you want to have a complete cybersecurity story, yes, do the good science, but you also have to do the computer engineering and the electrical engineering if you want to protect against these kinds of eavesdropping surveillance threats," he stated. 

This research reveals a substantial and ubiquitous risk to privacy in a society where cameras are everywhere. In the words of Fu, "Basically, anywhere there's a camera, now there's a risk.”
Read more »
User Privacy
Banking Trojan Data Safety iPhone Users malware User Privacy

Beware, iPhone Users: iOS GoldDigger Trojan can Steal Face ID and Banking Details

 

Numerous people pick iPhones over Android phones because they believe iPhones are more secure. However, this may no longer be the case due to the emergence of a new banking trojan designed explicitly to target iPhone users.

According to a detailed report by the cybersecurity firm Group-IB, the Android trojan GoldDigger has now been successfully repurposed to target iPhone and iPad users. The company claims that this is the first malware designed for iOS, posing a huge threat by collecting facial recognition data, ID documents, and even SMS. 

The malware, discovered for the first time last October, now has a new version dubbed GoldPickaxe that is optimised for iOS and Android devices. When installed on an iPhone or Android phone, GoldPickaxe can collect facial recognition data, ID documents, and intercepted text messages, all with the goal of making it easier to withdraw funds from banks and other financial apps. To make matters worse, this biometric data is utilised to create AI deepfakes, which allow attackers to mimic victims and gain access to their bank accounts. 

It is vital to note that the GoldPickaxe malware is now targeting victims in Vietnam and Thailand. However, as with other malware schemes, if this one succeeds, the cybercriminals behind it may expand their reach to target iPhone and Android users in the United States, Europe, and the rest of the world. 

Android banking trojans are typically propagated via malicious apps and phishing campaigns. It is more difficult to install a trojan on an iPhone since Apple's ecosystem is more locked off than Google's. However, as hackers often do,they've figured out a way. 

Initially, the malware was disseminated via Apple's TestFlight program, which allows developers to deploy beta app versions without going through the App Store's authorization process. However, after Apple removed it from TestFlight, the hackers shifted to a more complicated way employing a Mobile Device Management (MDM) profile, which is generally used to manage enterprise devices. 

Given how successful a banking trojan like GoldDigger or GoldPickaxe can be, especially since it can target both iPhones and Android phones, this is unlikely to be the last time we hear about this spyware or the hackers behind it. As of now, even the most latest versions of iOS and iPadOS appear to be vulnerable to this Trojan. Group-IB has contacted Apple about the flaw, so a solution is likely in the works.
Read more »
User Privacy
Cyber Security Data Safety Passkeys Passkeys authentication User Privacy

Here's Why Passkeys is a Reliable Option to Safeguard Your Data

 

We all use way too many passwords, and they are probably not very secure. Passkeys are the next step in password technology, aiming to replace passwords with a more secure alternative.

Trouble with passwords 

For a long time, we used usernames and passwords to access websites, apps, and gadgets. A fundamental issue with passwords is that their creators are largely to blame. You have to remember the password, thus it's easy to fall into the trap of using real words or phrases. It's also fairly typical to use the same password across several websites and apps in favour of having unique passwords for each one. 

Although it is obviously not very safe, many individuals continue to use passwords like their birthday or the name of their pet. If they are successful, they can attempt it in every other place you use the same password. Using two-factor authentication and special passwords is essential as a result of this. Password managers, which produce random character strings for you and remember them for you, have been developed to solve this issue. 

Passkey vs. password: What distinguishes them 

Over time, not much has changed with regard to the login and password system. Think of passkeys as a full-fledged alternative for the outdated password system. Basically, the process you use to unlock your phone is the same one you use to sign into apps and websites. 

It is among the fundamental distinctions between passkeys and conventional passwords. All locations where Facebook is accessible accept your Facebook password. On the other hand, a passkey is bound to the machine where it was made. The passkey is far more secure than a password because you're not generating a universal password. 

The same security process can be employed to verify a QR code you scanned with your phone to log in on another device. There are no passwords used, thus nothing can be stolen or leaked. Because you must sign in with your phone in hand, you don't need to be afraid about a stranger across the nation using your password.

Device compatibility

Passkeys are still very new, but they already work with all the best phones and a majority of the best laptops. This is because the tech behemoths Microsoft, Google, Apple, and others collaborated to create them using the FIDO Alliance and W3C standards. 

Apple launched passkeys to the iPhone with the release of iOS 16 in the previous fall. Passkeys eliminates the need for a master password on its devices by using TouchID and FaceID for authentication. Here's how to set up passkeys on an iPhone, iPad, or Mac if you want to try them out for yourself. 

Your passkeys are stored and synchronised using the Google Password Manager if you have one of the top Android phones or an Android tablet. If you want to use passkeys with it, you must first enable screen lock on your Android device, as this stops people with access to your smartphone from utilising your passkeys.

In both Windows 10 and Windows 11, you can use Microsoft's Windows Hello to sign into your accounts using passkeys. Because your passkeys are linked to your Microsoft account, you may use them on any device as long as you're signed in.

Regarding your web browser, passkeys are currently supported by Chrome, Edge, Safari, and Firefox. For Chrome/Edge, you must be using version 79 or above, for Safari, version 13 or higher, and for Firefox, version 60 or higher.
Read more »
User Privacy
Class Action Lawsuit Data Breach Data Leak Ransomware attack User Privacy

South Staffs Water Faces a Group Action Following Clop Ransomware Attack

 

Following the theft and disclosure of their data by the Clop/Cl0p ransomware group, nearly one thousand victims recently filed a class action lawsuit against South Staffordshire Plc. 

South Staffordshire Plc, which owns South Staffordshire Water and Cambridge Water, served 1.6 million Midlands customers when Clop targeted its networks in August 2022.

The cyber attack on its systems became well-known at the time because Clop falsely claimed it had targeted Thames Water, which serves consumers in Greater London and other parts of south-east England. 

The inept cyber crooks published a lengthy rant against Thames Water, criticising its alleged cyber malfeasance and urged customers to come together to sue them. Two and a half years later, Manchester-based Barings Law is seeking legal action over the breach, for which South Staffs has admitted liability. 

Bank sort codes, account numbers used for direct debit payments and bank transfers, names, residences, and other sensitive information were among the details that Barings said its claimants saw published on the dark web. It states that South Staffs did not fulfil its obligation to safeguard its clients' personal information.

“This cyber attack has exposed a significant number of individuals to potential risks and damages,” stated Adnan Malik, head of data breach at Barings Law. “Our clients are seeking not only financial compensation, but also accountability from South Staffs Water for the lapses in data protection. We are regularly fielding enquiries from the public who are concerned they may have been victims of this terrible incident.” 

“This data breach is a serious infringement of privacy rights, and we will robustly pursue justice on behalf of the claimants to ensure that they receive fair compensation for the potential repercussions of this breach. Barings Law remains committed to championing the rights of those affected and holding accountable any entity that neglects its responsibility to protect sensitive data,” Malik added. 

Barings was established in 2009 and is becoming known for specialising in similar collective claims involving cyberattacks that resulted in the theft and disclosure of personally identifiable information (PII). Notable actions against Capita and Carphone Warehouse have advanced in the last 12 months. 

The Capita lawsuit pertains to two 2023 incidents that compromised common people's data: the first was a ransomware attack that impacted multiple pension funds, and the second was an inadvertent leak of data housed in an insecure Amazon Web Services (AWS) S3 storage bucket. As of mid-January 2024, over 5,000 people had signed up to join. 

Capita has denied the legitimacy of this claim, stating that "no evidence of any information in circulation, on the dark web or otherwise, resulting from the cyber incident, and no evidence linking Capita data to fraudulent activity".
Read more »
User Privacy
Data Breach Data Leak France Health Care Firm User Privacy

Millions are at Risk After a French HealthCare Services Firm's Data Leak

 

Viamedis, a French healthcare services provider, suffered a cyberattack that exposed the private data of policyholders and medical professionals in the country. Though the company's website is currently not accessible, an announcement concerning the data breach has been posted on LinkedIn. 

The data revealed in the hack includes a beneficiary's marital status, date of birth, social security number, health insurer's name, and guarantees that can be paid by third parties.

The firm has clarified that the compromised systems did not contain people's banking details, postal addresses, phone numbers, or emails. Viamedis states that different alerts on the data that was exposed will be sent to healthcare professionals. 

In light of this, Viamedis has contacted the relevant authorities (CNIL, ANSSI), impacted health organisations, and the public prosecutor via complaint. The business is still looking into the implications of the breach. 

Since Viamedis oversees payments for 84 healthcare organisations that serve 20 million insured people, it is evident that the hack has a considerable impact. However, the exact number of individuals impacted has not been disclosed. 

An investigation is being launched to determine the extent of the breach, according to Agence France-Presse (AFP) and the company's general director, Christophe Cande. 

"To date, we do not have the number of insured individuals impacted; we are still in the process of investigation." - GD Viamedis' Cande.

Additionally, Cande stated that ransomware wasn't employed in the cyberattack. Instead, he claimed that the threat actor gained access to its systems through a phishing attempt that was successful against an employee. 

A warning confirming the indirect impact of the Viamedis data breach has been posted on the website of Malakoff Humanis, one of the organisations that works with Viamedis. 

Malakoff Humanis, one of the organisations associated with Viamedis, has put a notification on its website confirming the indirect effects of the data breach. 

In addition, the company is notifying affected consumers of the hack and service disruption through data breach notifications.

The statement reiterates the information mentioned in the Viamedis notification and informs customers that no banking, medical, or contact information saved on the platforms has been compromised.

According to Malakoff Humanis, users can still access their accounts and submit reimbursement claims. However, the temporary disconnection of the Viamedis platform is expected to disrupt the delivery of certain healthcare services. Similar circumstances are foreseen for other Viamedis service providers, such as Carte Blanche Partenaires, Itelis, Kalixia, Santéclair, and Audiens.
Read more »
User Privacy
Cyber Fraud Financial Data KYC Scam RBI Threat Landscape User Privacy

RBI Issues Warning Against Scam Via KYC trick

 

On February 2, 2024, the Reserve Bank of India (RBI) reiterated its prior warning to the public, offering further suggestions in response to a rising tide of scams involving Know Your Customer (KYC) updates. RBI amplified the cautionary tips issued earlier to the public on September 13, 2021, citing continuing incidents/reports of consumers falling victim to scams being perpetrated in the name of KYC updation. 

Modus operandi 

Customers typically receive unsolicited calls, texts, or emails requesting personal information, account or login credentials, or the installation of unapproved apps via links in the message. 

Frequently, the messages intentionally instil a false feeling of urgency by threatening to freeze or close the customer's account if they don't cooperate. Customers provide fraudsters unauthorised access to their accounts and enable them to commit fraudulent operations when they divulge critical private details or login credentials. 

Quick reporting 

The Reserve Bank of India (RBI) advised victims of financial cyber fraud to report the incident right away on the National Cyber Crime Reporting Portal (www.cybercrime.gov.in) or by calling the cybercrime hotline in 1930. 

Preventive measures 

To prevent people from becoming victims of KYC fraud, the RBI published a list of dos and don'ts. Critical data such as card details, PINs, passwords, OTPs, and account login credentials should never be shared with third parties, the RBI cautions the public. 

Individuals are also advised not to click on dubious or unverified links they receive via email or mobile devices, nor share KYC documents with unrecognised or unknown parties. "Do not share any sensitive information through unverified/unauthorised websites or applications," the central bank advised.

For confirmation and help, get in touch with the bank or financial institution immediately when you get a request for KYC updates. Get phone numbers for customer service or contact information exclusively from the official website or other sources. Report any incidents of cyber fraud to the bank right away. Ask the bank about the possible ways to update your KYC information.
Read more »
User Privacy
Chrome users Data collection Google Google Chrome Incognito mode Privacy User Privacy

Google to put Disclaimer on How its Chrome Incognito Mode Does ‘Nothing’


The description of Chrome’s Incognito mode is set to be changed in order to state that Google monitors users of the browser. Users will be cautioned that websites can collect personal data about them.

This indicates that the only entities that are kept from knowing what a user is browsing on incognito would be their family/friends who use the same device. 

Chrome Incognito Mode is Almost Useless

At heart, Google might not only be a mere software developer. It is in fact a business that is motivated through advertising, which requires it to collect information about its users and their preferences in order to sell them targeted advertising. 

Unfortunately, users cannot escape this surveillance just by switching to incognito. In fact, Google is paying a sum of $5 billion to resolve a class-action lawsuit filed against them, accusing the company of betraying its customers regarding the privacy assurance they support. Google is now changing its description of Incognito mode, which will make it clear that it does not really protect the user’s privacy. 

Developers can get a preview of what this updated feature exactly is, by using Chrome Canary. According to MSPowerUser, the aforementioned version of Chrome displayed a disclaimer when the user went Incognito, stating:

"You’ve gone Incognito[…]Others who use this device won’t see your activity, so you can browse more privately. This won’t change how data is collected by websites you visit and the services they use, including Google."

(In the above statement, the text in bold is the new addition to the disclaimer.)

Tips for More Private Browsing 

Chrome remains one of the popular browsers, even Mac users can use Safari instead. Privacy is just one of the reasons Apple fans should use Safari instead of Chrome.) However, there are certain websites that users would prefer not to get added to their Google profile which has the rest of their private information. Thus, users are recommended to switch to Safari Private Browsing, since Apple does not use Safari to track its users (it claims to). 

Even better, use DuckDuckGo when you want to disconnect from the internet. This privacy-focused search engine and browser won't monitor or save the searches of its users; in fact, its entire purpose is to protect users' online privacy.  

Read more »
User Privacy
Consumer Report Data Breach Private Data Social Media App User Privacy

Meta is Collecting Consumers Data from Thousands of Firms

 

Consumer Reports conducted an experiment which revealed that Instagram and Facebook collect your private data from thousands of firms. The company is also the largest reporter of potentially child sexual abuse materials (CSAM), yet many of these reports are sent in a fashion that raises legal concerns.

To find out where parent firm Meta gets its personal data from for targeted advertising, Consumer Reports sought the assistance of over 700 volunteers.

The Markup, an American nonprofit news publication, says the study found that Meta collected data from an average of 2,230 companies. Markup assisted Consumer Reports in finding study participants. The last three years' worth of participant data were retrieved from Facebook settings and sent to Consumer Reports in an archive. 

A total of 186,892 companies shared data concerning them to the social network, according to Consumer Reports. 2,230 companies on average shared the data of each study participant to Facebook. This figure varied widely, with the data from some participants suggesting that over 7,000 companies submitted their data. 

Undoubtedly, data brokers were the most common source of private information that the social media giant collected, but Amazon and Home Depot were also in the top 10. 

The websites you visit are the most frequently acquired sort of data, either through cookies or tracking pixels that allow for the creation of an interest and activity profile. 

If you search for bathroom fittings on Amazon, for instance, adverts for that particular product category or more general ones like home renovations may appear. Similarly, if you visit a lot of tech websites, you may be served gadget ads. 

Meta states that it provides consumers with choices and is open about the data it collects and uses: “We offer a number of transparency tools to help people understand the information that businesses choose to share with us, and manage how it’s used.” 

However, the Electronic Privacy Information Centre argues that suggesting that customers understand the extent and nature of this tracking is foolish. 

“This type of tracking which occurs entirely outside of the user’s view is just so far outside of what people expect when they use the internet […] they don’t expect Meta to know what stores they walk into or what news articles they’re reading or every site they visit online,” the centre stated.
Read more »
Subscribe to: Posts (Atom)