December 2019 Savvy Cybersecurity Alerts

Welcome to your December Savvy Cybersecurity newsletter. It is hard to believe that the decade is almost over!

But for now, let’s cover the cybersecurity happenings this month, including:

• Your smartphone is the key to your digital life
• An internet-connected doorbell putting your home network at risk
• Why Google may have collected your healthcare data
• How to stay safe during the online holiday shopping season
• And more

Your smartphone is the key to your digital life

Take a moment and think about the last five things you used your smartphone for. Chances are, not all those actions were phone calls. Our phones have transformed into mini-computers holding our digital lives that we carry around constantly.

And while technology has made life easier, it also puts us more at risk. If your phone is hacked, so much of your life is accessible—your text messages, your contacts, your photos, your banking app, your calendar, your work email—the list goes on. That hack can be very costly.

Take Michael Terpin, who shared his story with The Wall Street Journal. Terpin had $24 million in cryptocurrency stolen after a hacker took control of his phone. The sophisticated hack took over Terpin’s phone and Gmail account—even though he had two-factor authentication. What happened?

The hack began with Terpin’s phone being taken over through a technique called SIM-swapping. In the scheme, hackers impersonate you to convince a mobile carrier retail employee to switch your number to a new phone. Once they had access to Terpin’s phone number, the hackers took over his Gmail account by using the “Forgot password?” feature. Google sent a code to reset the password to Terpin’s phone number—which the hackers controlled.

With control of his phone number and email account, the hackers were able to drain his digital wallets holding millions of cryptocurrency. The only clue that something was wrong was that his mobile phone had lost service.

What can you do

We need to protect our smartphones and phone numbers like we do our most sensitive passwords. The first step in hack-proofing your smartphone is to secure your mobile carrier account to prevent the SIM-swapping scam. To do so, add a passcode to your mobile account by calling your mobile provider. By doing so, a passcode will need to be provided before any changes (such as adding a phone number to a new phone) can be completed.

Next, you need to set up two-factor authentication with an authenticator app or security key. Unfortunately, the uptick in SIM-swapping means that two-factor via text message is no longer the secure option. An authenticator app such as Google Authenticator or a physical security key can add an extra layer of protection. Once you do so, you can turn off SMS authentication on your most sensitive accounts like your email or online banking.

Our smartphones are great tools, but they are very vulnerable to hackers. Be sure to protect your phone from hacks and scams that could let attackers into your full digital life.

Cybersecurity shorts

DNA database used by a million people is vulnerable to attack. The third-party site, GEDmatch allows people to upload their genetic information to find matches within the database. A team of computer researchers, however, have discovered that you can extract genetic data on anyone in the database. This vulnerability leaves users at risk of their information ending up in the wrong hands. 

Only 2% of Equifax victims have signed up for the free credit monitoring offered in the recent class-action settlement. Consumers were offered 10 years of free credit monitoring or up to $125 in cash if you already had credit monitoring. However, it became clear that most people would receive way less than the $125 and credit monitoring was seen as a “better” deal. The best thing to do is freeze your credit, which can now be done for free in all 50 states.

Jenny B gift card scam targeting women around the country. The scam begins by receiving a card congratulating you on your pregnancy from a “Jenny B”—even if you are not pregnant! The card contains coupons and gift cards to a company called Mother’s Lounge. The Better Business Bureau has reported that using the gift card, however, increases the shipping cost. The company has an F rating on the BBB. If you receive a card like this, it is best to throw it out.

California drivers may have had data exposed thanks to a breach at the state’s DMV. The breach, announced this month, affects over 3,000 residents according to the department. Exposed information includes Social Security numbers, driver’s license information, and more. This information was wrongly accessed by seven other agencies such as the IRS, the DHS, and others. The DMV says that these agencies were improperly given access to information on people who were under investigation or serving as witnesses in criminal cases.

Attention Amazon Ring Customers: Your Wi-Fi credentials may have been exposed. A vulnerability discovered by Bitdefender found that users’ Wi-Fi credentials were sent unencrypted to a local network when the Ring Internet-connected doorbell was initially set up. Anyone with access to that network could have stolen these Wi-Fi credentials and hacked into the user’s network. Amazon issued a patch to fix this issue that was updated automatically by devices.

Sophisticated scams are increasing the amount lost to cybercrimes, according to the FBI. Scams such as wire fraud have increased significantly in the past few years. In 2015, $220 million was lost to this scheme—losses will surpass $1.5 billion this year. The FBI believes that this is due in part to more targeted emails. The messages are highly tailored and contain more details than in the past.

Internal passwords from Orvis.com posted online leaving the online retailer at risk of cyberattacks. The credentials, including usernames and passwords for firewall products, servers, wireless routers, mobile payment services, and more, were found on Pastebin.com. Orvis says that many of the credentials were expired and the database was posted inadvertently.

Google has been collecting healthcare data on millions of Americans without patient knowledge, according to The Wall Street Journal. Partnering with the health care chain, Ascension, Google has created “Project Nightingale” to collect patient data in one place to share with doctors and hospitals. Project Nightingale has collected data on patients in over 20 states without patient or doctor knowledge. Google says the project is compliant with federal health laws.

Bug allowed Facebook to open iPhone cameras while users were logged on to the app. The flaw was confirmed by Facebook and a fix has been submitted to Apple. Facebook says no photos or videos were uploaded inadvertently due to this bug. Users who experienced the flaw called it worrying. Facebook users have been suspicious of the app eavesdropping on them to target advertisements. Facebook denies the theory.

Nearly half of those who have experienced identity theft became victims during holiday shopping, according to a survey by Experian. As the holiday season approaches, be sure you are being vigilant about safe online shopping. For example, be sure you are shopping on legitimate websites before sharing your credit card information. Only enter your payment card information when on secure Wi-Fi to prevent hackers from being able to steal your data. And of course, be on the lookout for suspicious charges.

Software updates

Adobe: Adobe released updates for its creative suite this month including Animate, Illustrator, and Bridge. Patches closing over 60 flaws in Acrobat/Reader were also released. If you use any of these products, be sure you have updated.

Google: Chrome users should update their browsers as soon as possible. A zero-day flaw has been found and classified as severe. To update, close your browser and then reopen it.

Microsoft: Nearly 75 security issues were discovered in various Windows programs this month including Internet Explorer and Office for Mac. If you use Internet Explorer, be sure to update immediately as the flaw is considered a zero-day and is currently being exploited. Mac users should also update their Office suite.