NOVEMBER SAVVY CYBERSECURITY NOTES

November 06, 2018

In this issue:

  • The latest Facebook hack: What you need to know and do
  • Savvy Cybersecurity quick links
  • Emerging threat: Voice phishing scams
  • Software updates

The latest Facebook hack: What you need to know and do

Thirty million Facebook users may have been affected by a recent hack of the social media platform, according to the company. Late last month, Facebook discovered a security vulnerability that it then believed affected 50 million accounts. In fact, you may have been one of the 90 million people who were forced to log back into their account and were notified of the security issue via a Facebook notification.

What exactly happened?

Facebook engineers discovered a security vulnerability in the "View As" feature of the social media platform. This tool allows users to see how their Facebook profile appears to friends and non-friends on the website. It has been a very helpful tool in allowing users to understand their security settings.

The feature, however, had a flaw in its code that allowed hackers to steal something called "access tokens" from various Facebook users' accounts. An access token is what allows you to stay logged into your Facebook app without entering your password every time. Obtaining these access tokens allowed hackers to log in as other users and obtain their data.

When Facebook originally announced the hack, it was believed that 90 million users were affected. After investigating, however, the company dropped that number to 30 million. Of those 30 million, 15 million had their names and contact information exposed. For another 14 million, the hackers also accessed their most recent check-in, 15 most recent searches, device information, birthdate, relationship status, and other information listed on their profile.

At this time, Facebook believes the hack was carried out by spammers who presented themselves as a digital marketing agency. It appears that they downloaded large amounts of data for financial gain. Facebook is currently working with the Federal Bureau of Investigation on the matter.

What should you do?

You can check to see if your account was affected by the hack by visiting the Facebook Help Center. If you were not affected, you don't have to worry about taking any action.

If your account was affected, you may want to consider changing your password. Facebook has said that affected users do not need to change their password but it never hurts to do so. You should, however, look at your login activity. This page will show what devices and locations you have logged into your Facebook account. You can log out of any sessions you do not recognize from this page. To view your login activity, click here.

Regardless of whether you were affected or not, you should review the data you have shared with Facebook. It is important to understand that this data can be stolen or viewed by anyone. You may want to think twice about some of the information you choose to share.

Emerging Threat

Beware: Voice phishing scams are back and trickier than ever. Security expert Brian Krebs reported on an uptick in convincing scam phone calls making the rounds. In his report, Krebs tells the story of Matt Haughey, the creator of the community weblog MetaFilter and a writer at Slack. Haughey got a call from an 800 number that matched the number of the credit union he uses. The caller said they had blocked charges that they believed were fraudulent and gave Haughey the last 4 digits of his card. The caller said they would send him a new card and asked him to confirm his mother’s maiden name and the security code on his card. Haughey was hesitant but gave the information. Haughey then went to his credit union, who told him that they had never called. The representative then told him there were fraudulent charges--but they were made after the call he got. You can read more stories like this and some preventative information here.

Cybersecurity Shorts

Eighty-three percent of routers are vulnerable to attacks, according to a new report. The report by the American Consumer Institute Center for Citizen Research found that the vast majority of wireless routers are running outdated firmware, which leaves them open to hacks. The report notes that this problem stems from the difficulty of knowing what firmware your router is running and learning how to update it. You can learn more about the study here.

Google’s first smart city plan raises cybersecurity and data concerns. Sidewalk Labs, a company owned by Google, is developing a smart city plan for the Toronto waterfront. The plan includes amenities like heated sidewalks, robotic waste-sorting garbage cans and more. While it sounds great, security experts are concerned about the data that will be collected and how it will be used. As smart cities become more common, we must consider the privacy and cybersecurity side of the technology picture.

Bloomberg releases a controversial story on Chinese microchip hacks. The story alleges that Chinese spies planted eavesdropping microchips on devices being bought by major U.S. companies such as Apple and Amazon. The story states that these chips allowed the companies to be spied on. The companies included in the report dispute that their networks were ever compromised by such a hack. You can read the original Bloomberg report here.

Generation Z and millennials are most likely to fall for online tech support scams, according to research done by Microsoft. This goes against the belief that older computer users are more likely to be victims of online fraud. Microsoft explains that the younger generations may be falling victim more regularly because of their overconfidence. The study found that while younger people fell for online fraud, older users were more likely to fall for phone-based tech support scams.

Amazon customers may have had their email addresses shared with an outside seller, according to the company. Amazon announced that an employee had shared email addresses with a seller earlier this month. This comes after a report by The Wall Street Journal that found Amazon sellers bribing employees for customer information. The employee was fired and the seller was blocked from Amazon.

The Securities and Exchange Commission fined Voya Financial $1 million following a cybersecurity incident. In 2016, hackers impersonating Voya advisors called Voya personnel asking for client usernames and passwords. Voya gave information on 5,600 clients to the crooks. Voya is being fined by the SEC for not following recent cybersecurity rules that require cybersecurity procedures and protocols to be written and tested regularly. Voya had a recent procedure--but it had not been tested.

Facebook friend request scam is back. If you are on Facebook, you have likely seen a post from a friend warning you not to accept a friend request that appears to come from them because their account has been cloned. You may even have gotten a message from a friend saying they received another friend request from you. This is most likely false. This scam, in actuality, is a viral chain letter. You do not need to forward the post or do anything with your account.

Google+ shuts down following software bug that exposed users' information. Google announced this month that its social media platform will be discontinued after revealing a data leak had been swept under the rug. Google discovered the leak and decided not to tell users, so as not to affect its reputation. Over 500,000 people may have been affected.

New scam is after your direct deposit. The FBI issued a warning this month regarding phishing emails after your paycheck. The emails appear to come from HR or payroll and ask recipients to log into their work website. The hackers gather the username and password and then use those credentials to log into the payroll website and redirect direct deposit payments to their own bank account. This scam seems to be targeting universities, hospitals, and school districts.

New Windows 10 update is causing files to disappear. Microsoft has pulled the latest Windows 10 update following reports that files and data were being deleted from devices during the update process. If you have updated and lost files, Microsoft recommends a System Restore to a date before you applied the update. If you have not updated, you cannot do so until Microsoft re-releases the update. When you do, we recommend you back up your files before updating.

Government agencies begin two-factor authentication implementation. Agencies with a .gov website will now require employees with registrar accounts to use Google Authenticator when logging into accounts. Google Authenticator is a two-factor authentication app. After entering your username and password, a code is sent to the app. You must enter that code to access your account. This protects accounts from being hacked, as it requires something you have in addition to your username and password. This new rule will be fully implemented by February 2019.

Software Updates

Microsoft: Microsoft has released an update this month closing nearly 50 security vulnerabilities. One vulnerability has been exploited in the wild so it is imperative to update as soon as possible. Microsoft will prompt you to update your devices but you can see more about the update here.