JULY SAVVY CYBERSECURITY NOTES

July 18, 2018

In this issue:

  • Credit freezes to be free under new law
  • Emerging threat: Select Google IoT devices leaking consumer data 
  • Cybersecurity shorts
  • Software updates

Credit freezes to be free under new law

Security experts have long recommended a credit freeze as one of the best methods to protect your credit and identity from thieves. A credit freeze restricts access to your credit file by freezing it with a special PIN. In order for any new credit to be opened, the freeze needs to be lifted with the PIN.

Currently, the cost of a credit freeze depends on your state. In many states, it is free to freeze and unfreeze your credit. In some, however, you must pay a fee of up to $10 to freeze your credit. Luckily, you will soon be able to freeze your credit for free regardless of your state thanks to The Economic Growth, Regulatory Relief and Consumer Protection Act that was signed into law last month.

The new law goes into effect September 21 and it will allow residents of every state to freeze their credit at the big three credit bureaus (Equifax, Experian, and TransUnion) for free. Hopefully, this new law will encourage those who have waited to freeze their credit to take action now. If you have not frozen your credit file, you absolutely should in September (if not earlier). The new law also aims to make the process easier by having the Federal Trade Commission create a single webpage where consumers can freeze their credit file at all three credit bureaus at once. Previously, you had to contact each bureau individually.

(If you have already placed a credit freeze on your files, you do not need to do anything come September.)

The Economic Growth, Regulatory Relief and Consumer Protection Act also makes it easier to protect minor children from identity theft. Child identity theft continues to rise and currently only 20 or so states allow parents or guardians to open a credit file in their child's name and then place a credit freeze on the file. The new law allows parents and guardians to get a free credit freeze for children under 16 years of age. (If you would like to read more about child identity theft be sure to read our blog post from last month.)

This change is a great win in the fight against child identity theft. Parents and guardians, however, must remember to freeze their children's credit beginning on September 21, 2018.

While these changes are good, there are some concerns from security experts about the new law. Many states will see weakened credit freeze laws as the state's tough standards are replaced with potentially weaker federal standards. States will no longer be able to pass individual laws to protect residents.

Overall, the law looks to be a step in the right direction for consumers' security.   

Emerging threat: Select Google IoT devices leaking consumer data 

Your Google Home or Chromecast device may be leaking your location according to security researcher Craig Young. The security flaw in the devices allows hackers to access a user's location if they can get the user to open a link while connected to the same Wi-Fi that the device is connected to. Experts say that this location information could help criminals make their phishing attacks seem more legitimate. Google expects to release a fix for this vulnerability in the coming weeks. You can read more about the security issue here.

Cybersecurity shorts

Over 500,000 routers have been infected with VPNFilter malware. The malware has infected routers made by many companies such as Linksys, MikroTik, Netgear, Asus, and more. Infected routers together form something called an IoT botnet. Hackers can push commands to all botnet members simultaneously, which can cause large-scale global attacks. All router users should check their router's firmware and update to the latest version as soon as possible.

Facebook is under fire for data-sharing partnerships. In its early days, Facebook reportedly shared user data with device makers such as Apple, Amazon, BlackBerry, Microsoft, and Samsung. According to The New York Times, Facebook allowed these companies to access data on users' friends without explicit consent. Facebook does not believe the partnerships violate privacy policy or a Federal Trade Commission policy crafted in 2011. Facebook does plan, however, to end these partnerships in April.

MyHeritage database discovered on the Internet. A security researcher discovered an Internet file with email addresses and hashed passwords of over 90 million MyHeritage users. The genealogy company is requiring users to change their passwords even though it believes that no passwords were actually exposed.

AT&T, Sprint, and Verizon will stop sharing your location data with third parties following a scandal broken by The New York Times last month. The story highlighted a data broker, Securus, that allowed police departments to look up cell phone locations across the United States, using location data that was provided by major cell phone networks. Securus was then hacked, leaving sensitive location information up for grabs. In response, AT&T, Sprint, and Verizon have ended practices of sharing location data with any third parties.

Beware your iPhone's suggestion on who is calling you. A security company has discovered a new way criminals are making phishing phone calls to iPhone users. In this scam, the phisher starts by sending a spoofed email from an account impersonating the victim's bank. The scammer will put their phone number in the signature. Then, they will call your phone and Apple's software will look at the email and show "Maybe: your bank name" on the home screen. The security company reported this to Apple in April but it has not been addressed as of yet.

Fraudulent mobile app transactions have increased 600% over the past three years according to a report by security company RSA. The report found that nearly 40% of fraudulent transactions stem from mobile apps. This may be due to the increase in popularity of mobile banking and other mobile payment apps. Mobile app developers must continue to improve the security of their apps and users should be aware of scams and fraud attempts.

Millions of dollars in Social Security benefits are deposited in the wrong accounts according to a report by the Inspector General. Many of these millions may be related to an increase in Social Security benefit theft. In this scheme, scammers use your Social Security number and information to create an account with the Social Security Administration and apply for your benefits, directing the monies to their own bank account. If you are already receiving benefits, they will attempt to redirect the deposits to their account. The best way to prevent this fraud is to create your account with the Social Security Administration. Check periodically to ensure that no one has altered your account or applied for benefits.

Be on the lookout for a new variation of this phone scam making the rounds. The scam begins when a fraudster spoofs a phone number that has the same area code as the victim to appear legitimate. They tell the victim that there has been a car accident and they found his or her number in the injured person's phone. The scammer says the injuries are bad but then demands money to help the "accident victim." While many people realize it is a scam at this point, the adrenaline already flowing can cause people to share financial information and lose money. 

Librarian wins $600 in Equifax breach lawsuit. Jessamyn West, a 49-year-old librarian in Vermont, sued Equifax in small claims court for $5,000 following the 2017 breach. West explained that her mother had died in July and having to sort her mother's finances while responding to the breach created extra work and stress. West encourages others to file suit as well. Others have had success in small claims court against Equifax, including data privacy professional Christian Haigh, who was awarded $5,500 in court.

Software updates

Adobe: A zero-day flaw that distributed malware was discovered in Adobe Flash this month. The security hole affected Windows users, but all Adobe Flash Player users should be sure they are running the most up-to-date version (v. 30.0.0.113). Remember to update your browsers as well.

Microsoft: Microsoft released software updates closing nearly 50 security vulnerabilities this month. Many of the patches are considered "critical." Microsoft should prompt you to update your device automatically. You can read more about the updates here.