November 2019 Savvy Cybersecurity Alerts

Welcome to your November Savvy Cybersecurity newsletter. It is hard to believe that Fall is well underway.

But for now, let’s cover the cybersecurity happenings this month, including:

  • Majority of Americans fail digital knowledge quiz
  • A student loan scam making the rounds
  • How airlines are getting more cyber-secure
  • Why you may get a check from LifeLock
  • And more

Majority of Americans fail digital knowledge quiz

Nearly three-fourths of U.S. adults cannot identify an example of two-factor authentication, according to a new Pew Research Center survey. On the ten-question poll, the median number of correct answers was four, and only 20% of respondents got seven or more questions right.

While cybersecurity seems to be in the news regularly, it is apparent that most Americans are still unsure about best practices for protecting their data and identity from hacks and breaches. For example, more than half of those surveyed did not know that a URL beginning with “https://” indicated that information shared with the site was encrypted. The majority of respondents also did not know that private browsing mode only prevents someone using the same computer from seeing online activities.

Respondents did better when it came to phishing—about two-thirds knew that phishing messages could be sent via email, text message, social media, or websites. The majority also knew how cookies worked.

Many of the questions included in the survey are addressed in the Savvy Cybersecurity program. Those who have been educated in the program should have a much better understanding of two-factor authentication than the general public indicated in this survey. Setting up two-factor authentication on key accounts is the third rule in “1 Hour to Savvy Cybersecurity.”

Surveys like this are a good reminder that we should all review our current cybersecurity action plan. We need to ensure that we have taken steps to improve our cybersecurity as well as understand the threats we face. Maybe you’ve completed the first three items on your cybersecurity action plan but have put off some of the more difficult actions. Take some time in the next few weeks to tackle those. If your cybersecurity is solid, reach out to someone in your life who may need help getting secure.

Cybersecurity shorts

Officials look to make airlines more secure following reports that hackers could launch cyberattacks on planes. A program led by the Department of Homeland Security is being revived to identify cybersecurity aviation risks and assist airlines in improving their cybersecurity. Most cyberattacks thus far have targeted airlines’ information technologies, such as the British Airways hack, which exposed information on 500,000 people.

Beware of a student-loan scam making the rounds. The Federal Trade Commission is warning against a scam that has tricked 40,000 people thus far. The scam begins with a phone call from a fraudulent “loan” company that tells borrowers they can pay $1,000 upfront for lower monthly payments or even loan forgiveness. Instead, the fake company takes the money and runs. Remind clients that no third-party company can forgive your loan and you do not need to pay for loan consolidation.

Twitter misused users’ phone numbers and email addresses–which were supposed to help protect accounts–for ad targeting. The social media company disclosed the “inadvertent” misuse this month in an effort to be transparent. Twitter users added phone numbers and email addresses to their accounts to help secure their accounts through two-factor authentication. The information, however, was used by the company’s ad-targeting system. The Federal Trade Commission fined Facebook earlier this year for a similar issue.

NordVPN, a popular virtual private network, has been hacked. The service is used to create an encrypted tunnel between your device and the Internet, allowing you to browse privately even when connected to public Wi-Fi. The company, however, says an internal private key was exposed, which allowed hackers to create servers imitating NordVPN. The vulnerability allegedly occurred at a data center holding NordVPN’s server. The contract has since been terminated.

Hackers can bypass some forms of two-factor authentication, warns the FBI in a briefing. The first method involves SIM swapping, where hackers take over your mobile account number and can, therefore, receive your two-factor authentication codes sent via text message. The second strategy is to create phishing pages that trick users into entering their codes and send the information to a hacker. The hacker is then able to get into the real account.

Antivirus software company Avast detected a breach affecting its CCleaner application. The program allows Windows users to clean up and create more space on their device. The breach occurred between May and October of 2019. Avast took the software offline and sent an update to all users earlier this month. If you use the program, be sure you are running the newest version.

The Better Business Bureau (BBB) warns consumers to think twice before purchasing apparel seen in social media ads. Many consumers have reported purchasing merchandise from a small business advertising on Facebook and Instagram that claims proceeds will be donated to a charity. However, after ordering, your merchandise is never delivered and you cannot contact the company. The BBB advises consumers to research any company before purchasing to ensure it is a real business.

Is your newborn already a victim of identity theft? Security experts are noting a new trend of criminals claiming not-yet-issued Social Security numbers to create a fake identity. However, when those Social Security numbers are assigned by the government to a newborn, it could mean they already have a credit history! The best thing you can do to protect your child is to check for a credit report as soon as they are born and immediately freeze it.

The Federal Trade Commission (FTC) has begun sending refund checks to consumers who were part of the class-action lawsuit against LifeLock. The settlement reached in 2015 cost LifeLock $100 million with $68 million going to consumers. Now, the FTC is using an additional $31 million to compensate consumers who were LifeLock members between 2012 and 2014 but were not part of the class-action lawsuit. About one million checks are being sent out, averaging about $29 each. If you receive a check, be sure to deposit or cash it within 60 days.

What should you do when a doctor’s office asks for your Social Security number? Experts say don’t share it. Generally, you are not obligated to share your SSN with a healthcare provider, but many ask for it in case a billing issue arises. When you can, leave the space blank–but if you get pushback, try to discuss the matter and explain your concerns about identity theft.

Which presidential candidates have the best cybersecurity? An industry report ranked Sen. Elizabeth Warren and Sen. Cory Booker at the top, each with an A-. Sen. Bernie Sanders scored a B+ while President Trump received a B. The grades were based on how integrated cybersecurity was in the candidates’ platforms and how well their websites were protected. The study found that over half of the candidates’ sites used outdated software.

Is your printer putting you at risk for identity theft? It could be. Many are unaware that most printers save your data. If you throw your printer away without clearing the memory, your personal data could be at risk. The BBB recommends that consumers remove any storage cards or clear the printer’s hard drive before getting rid of the device. 

The Consumer Product Safety Commission (CPSC) has suffered a data breach after not properly handling consumer data, according to a Senate Commerce Committee report. The report found that the commission made improper disclosures to nearly 30 entities over two years. These disclosures contained information such as address, age, and gender of about 30,000 consumers. Over 10,000 manufacturers also had information improperly shared.

Software updates

Apple: iTunes users need to update their software as a zero-day exploit is spreading. Be sure you are running 12.10.1 if you still use iTunes. Remember that earlier this year Apple announced the end of iTunes. If you do not need the software, you should remove it from your device. You can read more here.

Microsoft: Microsoft has released updates for over 60 security issues this month. This includes updates to Internet Explorer, Remote Desktop Client, Excel, and Office 365. Your device should prompt you to update automatically. You can learn more about the updates here.