Posted August 8, 2019
This week, we greet August with a groan, as news of several big data breaches that could affect our financial lives comes out. Then we'll swing over to how you can stay safe when you squeeze in one last summer holiday before fall arrives, and we round things off with a follow-up to a follow-up. Here's what's on this week's show:
- The Bad / Worse Breach
- 7 Tips for Trips
- A Stronger Little Snitch
Let's not waste any time as we embark on a journey into the latest security news.
The Bad / Worse Breach
We have two different and significant data breaches to start us off today. First, let's turn our attention to one you may have already heard about in the news: the big Capital One breach.
According to a report published by the BBC, someone recently stole detailed information on more than 100 million people in both the United States and Canada. The BBC says the names, addresses and phone numbers provided by people applying for Capital One credit cards were taken. Credit card numbers, however, were not stolen. It might not be so bad if things had ended there, but the hacker was able to get more than just that. More than 100,000 social security numbers and nearly as many bank account numbers for US customers were also stolen, along with about a million social security numbers for Canadian citizens.
All that, says the BBC, puts it in the realm of the biggest breaches "in banking history" – although it seems that every time we have a new breach to talk about, it's always high on the list! If you do the math, this breach could affect between a quarter and a third of all adults in the United States. So what kind of problems could those caught up in it face?
While it may sound good that credit card numbers were not stolen, we might all prefer it if those had been what was taken – you can cancel a credit card number. You cannot change your address so easily, though, and in almost every case you are stuck with the SSN you were given at birth. While these everyday personal details may seem innocuous in isolation, they can be extremely useful to bad actors looking for weaknesses and opportunities to cause trouble.
For example, they can call an affected individual's bank and say, "Hi, I forgot my account number, can you give it to me?" The bank will usually ask for some identifying detail to confirm it's really you. Well, the caller has that from the hack, so when they supply it along with information like your address, the helpful bank employee on the phone hands over the account number. Now they practically have the keys to the kingdom, and they can take that information to other institutions and use the same tactics.
With enough information, they could even start signing up for brand new accounts that they have full control over, leaving you out in the cold and damaging your credit in the process. Imagine applying for a home or car loan, only to find that someone else took out a $20,000 loan in your name that is now in default. In short, there is no end to the number of ways someone with access to a lot of personal information can cause problems.
Of course, we are not just talking about this topic today because of the numbers involved and the threat they pose. We'll also do a bit of a "postmortem" on Capital One's response to all of this, so let's run down how they handled this crisis and evaluate the response.
Capital One began informing users about the breach, and whether they were potentially affected, within just a few weeks of discovering it on July 19. The hacking itself, however, happened back in March. While it's nice to see a company disclose security failures sooner rather than later, those extra weeks still meant more time for users to be in the dark about a risk they had already, unknowingly, been exposed to for months. Of course, Capital One also insisted that it was "unlikely" the information had been used for fraud – something they cannot honestly say with confidence, since this type of information is good for little else but fraud. The company has also said it will take steps to inform the affected individuals and provide them with "free credit monitoring and identity protection." Is it just us, or does that seem to be the go-to Band-Aid response from financial companies when they lose our information? They take no responsibility beyond telling you "Hey, you may have a problem" and then leaving the ball in your court. Another problem here is that Capital One's response does not account for the fact that identity theft is not always limited to attacks on your credit.
Capital One also made a formal apology, but if we're honest, we think they could have done more. Capital One, like other companies that have allowed data breaches through poor security, should explain why anyone should continue to do business with them, for example by showing what steps they will take to prevent future problems. Giving real, actionable insight into what to do if someone steals your identity would also be a good step.
Although Capital One's response is not perfect, it is ultimately okay. At least it's far better than another way a company might choose to respond to a data breach, which leads us into the second of the two breaches we have to discuss today – a matter involving an app known as StockX, a platform for buying, selling and trading fashion accessories. They put on a clinic in how not to respond to a security problem.
According to TechCrunch, the company that develops and runs StockX thought it could keep the problem quiet. It was not exactly successful. Here's what happened.
On August 3, StockX reset user passwords – all of them, all at once. Every user received a password reset email saying that "system updates" required everyone to change their password. At first this caused a great deal of confusion, panic and chaos among users, many of whom wondered whether they were being targeted by a phishing attack. StockX was quick to make clear that yes, the email was legitimate and yes, everyone needed to change their password. However, they provided no further details about what these "system updates" were, nor any explanation of why they had not warned users ahead of such an important change.
There was, however, a "good" reason they didn't warn anyone: StockX had been caught up in a data breach. After some prodding from persistent journalists, a spokesperson admitted to TechCrunch that "suspicious activity" had been detected on the site, prompting the reset. Then the journos uncovered the whole story: a data broker contacted TechCrunch directly, claiming to have nearly 7 million StockX user records that a hacker had stolen in May. The data was apparently selling for around $300 per copy on the dark web, and TechCrunch was able to confirm that a sample provided to them contained legitimate, active user information.
StockX did the right thing in requiring a password change, but it is safe to say they did pretty much everything else wrong. Capital One owned up to its failure and took the PR hit, while StockX tried to avoid acknowledging that anything had gone wrong – and in the end caused itself an even bigger PR nightmare when the truth came out. That should be the first lesson for any company that suffers a data breach: tell the truth, and do it early.
How vulnerable are StockX users as a result of this breach? The stolen information mostly consisted of names, email addresses and hashed passwords, along with some other data. The good news is that this data is far less useful for social engineering attacks than what was taken from Capital One, but hackers are likely to try anyway. At the very least, they will look for places where the same usernames and passwords have been reused.
There's a simple lesson here: Be open and be honest as soon as possible so your users can make informed choices about what to do next.
7 Tips for Trips
With summer winding down and Labor Day on the horizon, you may feel it's time to squeeze in a quick trip away from home to make the most of the time you have left. If you have a holiday coming up, we've got some helpful suggestions to consider before hitting the road, boarding your cruise ship or getting on your plane. Here are seven quick and easy ways to stay safe while traveling and staying connected.
Lock It Down
Do you ever clean your house before you leave, or put other things in order so you don't have to worry about them the moment you get home? That's a good philosophy for your digital life as well. For example, back up your Mac with Time Machine – that way, if a freak surge during a thunderstorm fries your hard drive while you're away, you won't come home to find your data gone. Back up your mobile devices too, and run through the usual round of updates. Make sure you're running the latest versions of macOS and iOS so you have the most recent security fixes in place to protect you while traveling.
Don't Pay at the Pump
Have you seen any local news about credit card skimmers being discovered at gas stations in your area? It may not have happened near you yet, but it's a widespread problem across the country. Skimmers look like real credit card readers, but they steal your information when you insert your card, and the bad guys can then use it to make purchases. Consider going inside to pay at the register, or just using cash, to avoid the threat of skimmers. If you have a contactless payment method like Apple Pay set up on your phone, you can sidestep the problem entirely.
Free Wi-Fi Can Cost You
We all want to conserve our mobile data allowance as much as possible, which makes it tempting to use free public Wi-Fi in places like airports and hotels when you need to stay in touch. However, we know these networks can be very insecure, and an unsecured network can let anyone on it intercept your data. In the worst case, they may even be able to interact with your device. If you need to use a public connection, fire up your favorite VPN first.
Watch Your Email
Everywhere you go on vacation, you will probably run into at least one place that asks for your email address, be it a hotel, a museum or a restaurant. Sometimes there are helpful reasons for leaving an address, but for the most part it just lets marketing departments send you more email and eventually sell your address to other third parties. Either decline to enter your email, or create a "burner" – a throwaway email account that you don't use for anything else. And whatever you do, don't reuse the password from your actual email account for your travel account (or any other account, for that matter).
Be App Averse
Is it just us, or does it feel like everyone has an app these days? Some apps, such as official city guides and museum-developed apps for self-guided tours, can be fun and enhance your travel experience. However, you can't always tell how safe these apps will be, so be careful and ask yourself, "Do I really need this?"
If you download an app while traveling, don't use Google or Facebook accounts to sign in. Use the burner email to create an account and log in directly instead.
Enable Find My iPhone
Tourist hot spots are magnets for thieves. It's easy to lose a MacBook or an iPhone on vacation or, even worse, to have one stolen from you. Before you leave home, make sure you have Find My iPhone enabled on all your devices. That way you can easily locate a device if you lose it, or at least make it useless to thieves.
Protect That Mac
If you plan to use a macOS device in unfamiliar locations or on public Wi-Fi, be prepared for an increased risk of security threats. Keep a robust third-party antivirus package in place, or consider downloading a trial version of a recognized solution (MacScan 3, say) to cover you while traveling.
A Stronger Little Snitch
Let's wrap things up with a follow-up to our summer security blockbuster show from early July.
You may remember that on that show we talked about "fencing off" parts of your information infrastructure. Last week we received a friendly email from Corrie, who wanted to know whether the Little Snitch app could serve as that fence. Both SecureMac's own Nicholas Ptacek and host August Trometer said "no", because Little Snitch's primary focus is tracking information that leaves your Mac, rather than what comes in. At least, that's what we thought! Then listener Paul wrote in after last week's follow-up to say:
You can set up Little Snitch to block all incoming connections; you just have to make a rule. Initially, I created a "Public" profile and added "Reject All Incoming Connections". Then I switched to my public profile from the Little Snitch menu.
According to Nicholas, this appears to be a feature that is not only new to the software but also one that will actually suit Corrie's needs. This is why we love our listeners – we didn't know about it, they made us aware of it, and now we can share this security goodness with everyone! Little Snitch is already a great app, and this is a great way to extend its functionality.
Once configured this way, Little Snitch will in effect act as a very efficient firewall. Your apps can still communicate with the outside world, and they can still receive the inbound connections they need to work, but other incoming connections – say, from the shady guy sitting in the corner of the coffee shop – are denied. But keep in mind that if you do this at home, you may run into problems with external devices that need to sync or share files with your Mac. Evaluate those issues on a case-by-case basis.
Also remember that Little Snitch protects only the Mac it's installed on. If you want to monitor other Macs in your household, you'll need Little Snitch on those too.
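As an added illustration (not part of the show, and not Little Snitch's own configuration format), here is the same "deny everything inbound, let my own apps talk out, allow a few home exceptions" posture written for the pf packet filter that ships with macOS; the interface name, home network range and the sharing ports are assumptions.

```pf
# Added example, not Little Snitch's configuration: the same inbound-deny /
# outbound-allow stance expressed for macOS's built-in pf packet filter.
# Interface name, LAN range and ports below are assumed values.
ext_if   = "en0"
home_lan = "192.168.1.0/24"     # assumed home network

set skip on lo0                 # never filter loopback traffic

# Outbound: anything this Mac starts is allowed. "keep state" is what lets
# the replies to those connections come back in even though inbound is blocked.
pass out on $ext_if all keep state

# Inbound: default deny for anything not started by this Mac
# (the "shady guy in the corner of the coffee shop" case).
block in on $ext_if all

# Home-only exceptions for devices that need to reach this Mac (the
# case-by-case caveat above): SMB file sharing (445) and screen sharing (5900).
# Comment these out when travelling, or keep them in a separate "home" file.
pass in on $ext_if proto tcp from $home_lan to ($ext_if) port { 445, 5900 } keep state
```

Load it with `sudo pfctl -ef <file>` and confirm what is active with `sudo pfctl -sr`; pf uses last-match semantics, so the later "pass in" lines override the blanket "block in" only for the listed ports and source range.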
Thanks for the good tip, Paul!