Showing posts with label security. Show all posts

Wednesday, August 18, 2021

"Real" ID on your phone

 

In June 2021, Apple announced an upcoming update to its Wallet app that will let you scan your state-issued ID and store it, encrypted, within the app. The digital identification could then be used wherever it is accepted. And that is the hold-up at this point.

Four years ago I wrote a blog post about the REAL ID Act and a little history of how driver’s licenses became forms of identification. You can read that post at "Real" ID

The post closed with, “While you could probably identify yourself with the contents of your phone it is doubtful you’d get through a serious police encounter. You certainly couldn’t board an airplane”. Well, here we are in the 2020s and we can use our phones to digitally access more services and places every day. The coronavirus pandemic pushed companies toward contactless services, which helped increase the use of digital tickets, keys, payments, and identification.

We can use digital boarding passes to board planes. Concerts and sporting events have digital tickets. Pretty much every cash register has some sort of digital payment system. But the question still remains: can you use a digital ID as an official form of identification? Companies like Apple are providing the tools. Venues and other services have to decide how to adapt.

The number of states exploring digital driver’s licenses is growing, and individual states are starting to implement programs. Colorado was the first state to implement a functional program that officials say is accepted by law enforcement throughout the state. Louisiana, Oklahoma, Delaware, and Arizona all have programs. Maryland, Wyoming, and Idaho have test programs. Utah, Iowa, and Florida will be launching programs in the next year.

As states begin accepting their own digital licenses there will have to be reciprocity among all of the states, as there is currently with card-based driver’s licenses. And then there is the federal government. While there is not currently a federal identification system, government agencies will have to be prepared to accept the individual state digital IDs. Apple is working with the TSA to develop policy for accepting IDs held in its Wallet app. Once enough states go digital, Congress will probably pass some sort of legislation that recognizes digital IDs carried on phones.

Monday, November 25, 2019

Juice Cleanse


While I am not educated in computer programming or repair, I am knowledgeable and proficient enough to make computers do what I need and to understand how that occurs. Because of my lack of formal training I never doubt what can be done with computers; I just assume that I do not know how to make it happen. Anything is possible. So when I hear of new smart devices or electronic conveniences that make our lives easier, I figure it is only a matter of time until someone compromises their security.

In November 2019, the Los Angeles County District Attorney published a public service message warning travelers about using public USB charging stations.

How it works

Criminals either conceal a computer inside a charging station or load malware onto the station itself, much like credit card skimmers at gas pumps. When someone plugs a device into the station over USB, the criminal’s computer can access the device, or malware is transferred to the device so the criminal can access it later. A USB cable carries data lines as well as power, which is what makes this possible. Modern phones reduce the risk by defaulting to charge-only mode and asking you to confirm before a newly connected computer gets data access, but a hurried tap on “Trust” defeats that protection.

There have been mixed reactions to the LA County DA report, but no one is saying that it can’t be done. More likely it is a question of effort versus reward. Snopes.com reported, "While it is technically possible for crooks to steal information or install malware via public USB ports, this practice doesn't appear to be widespread".

Best practice: use your own charging cable with its own power adapter and plug directly into an AC outlet. If you must use a public USB port, a charge-only adapter (a “USB data blocker”) that passes power but not the data lines removes the channel the attack depends on.

Lasers as keys

Another threat to smart devices, or rather smart homes, is lasers. Researchers at the University of Michigan demonstrated attacks that use focused light to manipulate smart speakers. From as far as one hundred yards away, the researchers encoded voice commands into a modulated light beam aimed at the speaker’s microphone, which responds to the modulated light as if it were sound. The speaker then reacts as if someone were speaking to it.

The discovery means that criminals could trick smart speakers into opening garage doors, unlocking smart locks, turning on lights, or operating whatever security feature is linked to the smart speaker.

In our brave new world, one has to assume that someone is always watching or listening. No computer or mobile device, and now not even the things that charge them, is secure.

Find other posts on skimming, WiFi, and smart device security in my blog archive. 

Monday, May 13, 2019

What Real-ID means to Maryland drivers

You may have seen news reports that Maryland drivers need to further document their identity and citizenship or risk confiscation of their driver’s licenses. This isn’t hype. It is true, and deadlines are fast approaching. If affected drivers do not update their status with the MD MVA, their license will not be considered valid, which means a police encounter could result in confiscation of your license and TSA will not accept it as proper ID.

REAL ID Act

The REAL ID Act was passed in 2005, setting the benchmark for personal forms of identification and establishing minimum security standards for driver’s license issuance and production. The Act prohibits federal agencies, like the TSA, from accepting driver’s licenses from states that do not meet the standards. The deadline set under the Act is October 1, 2020. After that date residents of all states will need a REAL ID compliant driver’s license (or another accepted form of ID, such as a passport) to pass through airport security.

How does this affect Maryland?

Maryland began issuing Real ID compliant licenses in 2016 and is listed as a state compliant with the Act. The licenses feature the state flag as the backdrop and the Real ID star logo. The license has multiple security features to guard against counterfeiting and was touted at the time as the most secure license in the U.S.

The problem? While Maryland issued a license that met all of the Real ID Act’s physical security features, the MVA did not always require the license holder to submit proper documentation of identity or citizenship. Now those with the new “flag” license are in danger of either losing their license or not being able to pass through federal security.

The MD MVA estimates that over a million drivers have the new license but not the necessary documentation on file. To head off a renewal nightmare, Maryland officials have set staggered deadlines in June and November 2019 to clear the backlog before the federal October 2020 deadline. Over sixty-six thousand drivers have deadlines in June 2019 to provide documentation.

Is your license compliant?

Those holding the older licenses, with the blue banner and crab logo, are not required to update their records and may keep their licenses until they expire. However, after October 1, 2020, these licenses will not be accepted by TSA or other federal agencies. Even if you have been issued a flag-design license you may still need to update your documentation with the MVA.

You should get a notice by email and/or mail telling you that the MVA needs documentation. Rather than wait for the notice, you can check whether your license is compliant at this link: RealID Lookup. After entering your license number you will be told if anything further is required and what to do next.

Documentation

If you are required to update your records you will need:
1) Proof of age and identity: an original or certified copy of your birth certificate OR a valid U.S. passport
2) Proof of Social Security number: an original Social Security card, W-2 form, or SSA-1099
3) Proof of Maryland residency: two documents required, such as an insurance card, vehicle registration, credit card bill, utility bill, or bank statement. Each must show your name and Maryland address, and the two must come from two separate entities.

This link has further information: Real ID FAQs.

Good luck!

Previous blog about licenses at "Real" ID .

Tuesday, May 7, 2019

Shut down Apps?


The thought for this post started with a question about the security of remaining logged in to mobile apps: does that open any doors for hackers to access data in other apps or on your phone? It ended up going down quite a rabbit hole of security and hacking techniques, which only goes to show that cybercrime and security are ever-present and evolving.

Cross-Site Request Forgery (CSRF) has been a known class of vulnerability since 2001. The Open Web Application Security Project (OWASP) defines CSRF as:
A type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site when the user is authenticated. A CSRF attack works because browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, etc. Therefore, if the user is authenticated to the site, the site cannot distinguish between the forged or legitimate request sent by the victim. 

If you are logged in to a site and a cybercriminal can get you to visit one of their web pages or open a crafted email or IM, they can make your browser send requests to that site posing as you, performing actions on your behalf on whatever you are logged in to. The attacker never sees the response, but the action (a transfer, a settings change, a post) still happens. This kind of attack generally only works within the same browser: having loaded a malicious page, the forged requests can target any other site you are logged in to in that browser, but cannot jump to another browser, say from Safari to Firefox. An open browser cannot carry the attack into an installed app either, since the two keep their own cookies and credentials and do not share them. The same goes for apps themselves: each stores its own data. Malware would need some other conduit to reach other apps or your phone.
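As an added example (not code from the original post), here is a small Python model of the forgery the OWASP definition describes. The site, the session store, the balances, the secret key and the attacker origin are all constructed for the illustration. The vulnerable endpoint trusts the session cookie alone, which is exactly what the browser attaches to a request a hostile page triggers. The hardened endpoint adds the two standard defences, an Origin header check and a session-bound synchronizer token, and rejects the forged request while still accepting the site’s own form.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumptions for this illustration (not from the original post):
SECRET_KEY = b"demo-server-secret-do-not-reuse"   # server-side secret for token derivation
TRUSTED_ORIGIN = "https://bank.example"            # the site the user is logged in to
ATTACKER_ORIGIN = "https://evil.example"           # the site hosting the forged form

# Constructed in-memory state standing in for a session store and a database.
SESSIONS = {"sess-abc123": "alice"}                # session cookie value -> user
STARTING_BALANCES = {"alice": 1000, "mallory": 0}


@dataclass
class Request:
    """The parts of an HTTP POST the server looks at."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC-SHA256(secret, session id).
    The real site embeds this in its own forms; a cross-site page cannot read it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _user_for(req: Request):
    return SESSIONS.get(req.cookies.get("session"))


def _do_transfer(user: str, form: dict, balances: dict):
    to, amount = form.get("to"), int(form.get("amount", 0))
    if to not in balances or amount <= 0 or balances[user] < amount:
        return 400, "bad transfer"
    balances[user] -= amount
    balances[to] += amount
    return 200, f"moved {amount} from {user} to {to}"


def transfer_vulnerable(req: Request, balances: dict):
    """Trusts the session cookie alone. The browser attaches that cookie to any
    request aimed at the site, including one a hostile page triggers."""
    user = _user_for(req)
    if user is None:
        return 401, "not logged in"
    return _do_transfer(user, req.form, balances)


def transfer_hardened(req: Request, balances: dict):
    """Same endpoint with two independent checks against forged requests."""
    user = _user_for(req)
    if user is None:
        return 401, "not logged in"
    # 1. Origin header: browsers set it on cross-site POSTs and page scripts cannot forge it.
    origin = req.headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403, "cross-origin request rejected"
    # 2. Synchronizer token: must match the one derived for this session (constant-time compare).
    expected = csrf_token(req.cookies["session"])
    if not hmac.compare_digest(expected, req.form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return _do_transfer(user, req.form, balances)


def forged_request() -> Request:
    """What the victim's browser sends after loading the attacker's page: the
    session cookie is attached automatically, the form fields are the attacker's,
    and the browser stamps the attacker's origin on the request."""
    return Request(cookies={"session": "sess-abc123"},
                   form={"to": "mallory", "amount": "500"},
                   headers={"Origin": ATTACKER_ORIGIN})


def legitimate_request() -> Request:
    """The same transfer submitted from the site's own form, token included."""
    return Request(cookies={"session": "sess-abc123"},
                   form={"to": "mallory", "amount": "500",
                         "csrf_token": csrf_token("sess-abc123")},
                   headers={"Origin": TRUSTED_ORIGIN})


def demo() -> dict:
    """Forged request against both endpoints, then a real one against the hardened endpoint."""
    vuln, hard = dict(STARTING_BALANCES), dict(STARTING_BALANCES)
    vuln_status, _ = transfer_vulnerable(forged_request(), vuln)
    hard_status, _ = transfer_hardened(forged_request(), hard)
    after_forgery = {"vulnerable": vuln["alice"], "hardened": hard["alice"]}
    legit_status, _ = transfer_hardened(legitimate_request(), hard)
    return {"forged_vs_vulnerable": vuln_status,
            "forged_vs_hardened": hard_status,
            "legit_vs_hardened": legit_status,
            "alice_after_forgery": after_forgery}


if __name__ == "__main__":
    print(demo())
```

Running it shows the vulnerable endpoint moving 500 out of alice’s account on the forged request while the hardened one returns 403 and leaves the balance untouched; the legitimate form, carrying the token, still succeeds. The two checks are deliberately independent: a request with no Origin header and no token is still rejected by the token check. Chromium-based browsers now also default cookies to SameSite=Lax, which keeps the session cookie off most cross-site POSTs, but a server should not rely on the client alone.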

Heck of an opening for a business blog. Why do you need to know this? Because it is why you should log out of company websites and software, whether on your desktop or your mobile.

Developing security

Over the years sites and apps have become more security conscious, shutting down your session after a period of inactivity and/or making you log in every time. Sometimes it’s a pain to log back in, but it’s for your own security. With the addition of biometric features on mobiles, even the pizza-ordering apps can require a fingerprint to gain access. Games and social media apps/sites tend to keep you logged in. The term is “frictionless”, because the developers want you to have easy access, at all times, to keep you engaged in their product.

We do a lot of browsing, and an increasing amount of it on mobile devices. Lots of times your thumbs get fat and you tap the wrong thing. It doesn’t take much to click on the wrong link, and even if you close it right away it may be too late: a forged request fires as soon as the page loads. The same goes for links within emails. We get a ton of email to business accounts. It’s hard to distinguish every email between real and spam. Spam emails and links get opened. When employees are accessing company databases and files they are using those same computers to access their company email. Depending on computer use policies, or adherence to them, employees may also be accessing their personal email accounts and browsing the web. This is when the company system becomes vulnerable to CSRF and similar attacks.

Watering hole attack

It is what the name implies. A cybercriminal observes a company’s employees to determine where they congregate, e.g. restaurants, bars, etc. The criminal bets that one or more of the employees will visit the “watering hole’s” website for menu information, reservations, etc., and compromises that site, planting malware on it. When an employee visits, the malware infects the employee’s computer or phone and the criminal gains a foothold. Any company files or databases that are open (logged in to) are then fair game.

None of this, nor the precautions, is new. The same security tenets we’ve heard over and over still hold true.
Don’t open or click on suspicious emails, or links in emails, texts, or IMs, especially while logged in to other accounts.
Don’t keep sites open: log out.
Change passwords frequently.
Don’t use the same password for multiple sites.
Don’t save passwords in your browser.
Keep system security updated.

I’m not a cybersecurity expert, just a security-conscious user. I hope this information has been helpful.

Regarding the initial reason I started this research, leaving mobile apps open: it appears to be OK. Again, most security-conscious apps, such as banking apps, will time out and require a login, so the chance of a criminal gaining access to your phone and then walking into your bank account through the bank app is probably low.

Most risks to mobile apps occur at the server level or through poor app development, not through the user’s actions, although using public WiFi (see WiFi for dummies) is one of the biggest user-side faults in app security.
Research for this post also turned up information debunking an iPhone myth: quitting apps does not save battery life. iOS is designed for multitasking and suspends an app until it is needed. Force-closing and reopening the app actually uses more power, because the phone starts the app from scratch. So keeping frequently used apps open doesn’t hurt battery life.

Please feel free to share. Check the archives for other posts about privacy and online security.
Are you being watched? February 2018
Keys to the vault August 2015
There’s been a breach February 2015



Monday, January 21, 2019

Locking down the Internet of Things

Have you gotten all of your new tech gadgets hooked up after Christmas? It seems like every gift that had a plug also had a phone app and connected to Wi-Fi. Throughout the year, as new toys or even appliances enter your home, setting up individual devices isn’t that noticeable. But after Christmas rolls through and you start setting up all the new goodies, it really makes you sit back and notice: you have entered the age of the smart home. Without realizing it we have created our own attachment to the Internet of Things (IoT).

That's a lot of things

Leichtman Research Group found in 2018 that 74% of U.S. homes had at least one smart device. Statista estimates that there will be 42.2 million smart homes in 2019. Spending on IoT devices was $23.3 billion (yes, billion) and is estimated to reach $75 billion by 2025. While some devices connect over Bluetooth, the primary connection for IoT devices is Wi-Fi. Statista reported that the average number of connected devices per person worldwide was 3.47 in 2015 and is estimated to be 6.58 by 2020. That is connected devices per person. Multiply that by the people in your home, add the shared devices like appliances, cameras, plugs, and bulbs, and that’s a lot of connectivity.

If you want to keep up with technology, that is how it’s going to be. I didn’t set out to convert the ol’ analog home to “smart”. It just happened. A garage door opener, a new appliance here and there, TVs, Hey Google, Hey Siri, Alexa, and before you know it your home is smart. The router sent me a message (yes, it communicates as well) that the network was getting full. You’re aware of connectivity for your phones and computers but forget about the other electronics (appliances, TVs, cameras, power strips, gaming systems, eBook readers, etc.) that are on all the time and trying to communicate with the mother ship. Not only are these devices taxing on your home network, they are all potential entry points for a security breach.

Any one of these connected devices can be hacked at the device itself, through the controlling app, or at the company that provides the service. All the more reason to review your home network security. If you haven’t done so recently, the onset of all your new tech wonderness may mean you need to upgrade your Internet service. Most times these upgrades come with new routers.

Security

One of the first actions you should take on all routers and new devices is to set your own logins and passwords. Many people still use the default settings, and cybercriminals know this: default credentials are printed in manuals and collected into lists that automated scanners try against every device they find. Changing them will at least slow attackers down. I say slow down because, as we’ve seen, anyone can be hacked, but changing the settings offers some protection. While you are in the router’s settings, also turn off remote (WAN-side) administration unless you need it and apply any firmware updates.

For all of your connected devices, actually read the setup instructions and pay attention to what you are agreeing to during the process. Data collection is big business and those companies want your data. As consumers get more privacy savvy, product providers are finding countermeasures. I recently loaded an app that wanted access to my phone’s camera, microphone, and location, and permission to send user data. Answering no to any of those requests denied me access to the app. Sometimes certain features are denied or degraded if the user doesn’t agree to the terms.

Devices that listen (your phone, TV, Echo, Google Home) are also collecting data and have been shown to record your conversations. In the interest of improving their service, of course. Again, go through the setup and privacy menus carefully. Understand what the device, i.e. the manufacturer, is asking you to allow.

Overall, you have to understand that if you allow “smart” devices into your home you are giving up some privacy. It’s hard not to get caught up in the technology craze, but understand what you’re getting yourself into.

Please see the blog archive for other posts relating to privacy.

Monday, November 26, 2018

It’s Cyber Monday, Y'all!

It’s Cyber Monday, Y'all! Do you know where your credit card is? Of course you do. It’s in your wallet, or purse, or poised on your keyboard, ready to be put into service. I should have asked: do you know where your credit card number is?

In 2017, according to the National Retail Federation, 81 million people in the U.S. shopped online on Cyber Monday, about 15 million more than on Black Friday. The only way to snatch up those cyber deals is to pay with a card. And pay we did. Business Insider reported that we spent six and a half billion dollars in 2017, over $1.5 billion more than on Black Friday that same year.

We’ve been trained to look for https or the little padlock as a sign that we are dealing with a secure site. And that is true as far as the transaction goes: the padlock means the connection is encrypted, so e-commerce traffic is mostly protected in transit. The security issue here is saving your personal and financial data on the company’s website. Creditcards.com posted a story in 2017 about a poll of credit card users. The poll found that 94 million Americans store their card information online.
There may be encryption for the transaction, but when you store your data you’re giving the site all the information a cyber thief needs. That data sits in a database on the company’s servers for who knows how long. See a previous post on this blog about Cleaning Up Your Online Presence.

Storing your card information makes checkout much easier but also exposes your data to hacking. Think about all the stories in the news this year alone about companies getting hacked, if not directly then through third-party vendors. It’s so common that we almost stop paying attention to the reports. If we do feel we’ve been affected, we change our password and move on. It has become so much a part of our lives that we’ve grown complacent about e-commerce and our privacy.

Tips

·     You have to use plastic to shop online. When you do, use credit instead of debit, since a stolen debit number draws directly on your bank account.
·     Best not to store your information, especially on a little-used site or for a one-time purchase. Type your card in each time. Don’t create accounts. Check out as a guest.
·     Research with whom you’re shopping. The bigger the company the better, to some extent, as opposed to smaller businesses that have less traffic and lack the resources to support up-to-date and effective security.
·     Consider having a card you use specifically for online shopping, with a low limit.
·     Monitor your accounts, especially after a shopping spree or a big shopping day like Cyber Monday.

Not trying to be Chicken Little, just trying to remind people to take a beat and check their online shopping practices. Coming back from identity theft or online fraud is not an easy path.

Even though it’s not credit card related, here’s another tip that could help protect your card. If you’re shopping on Amazon or looking at reviews on Yelp or TripAdvisor, run the link to the product through a review analytics site like Fakespot.
The results will give you an idea of how reliable the seller and its reviews are. If using Fakespot, after you find a product on Amazon, copy the link from the address bar and paste it into Fakespot. The result is a grade for the listing and advice on whether you should proceed.

Please feel free to share. Visit the blog archive for more posts about Privacy. https://mazzellainvestigations.blogspot.com/search/label/privacy

Monday, April 2, 2018

How secure are apps?


Every business is pushing its mobile app. Some are highly interactive, giving access to secure accounts. Others are merely informational, almost static platforms. Every day we become more and more dependent on our phones. The Pew Research Center estimates that 77% of Americans have a smartphone. A compilation of different studies from 2017 reported that Americans average five (5) hours a day on mobile devices, and that 90% of that time is spent in apps. Granted, nearly everything on your phone is an app of some sort, which makes the 90% less striking, but the point is that we are on our phones a lot.

Why have an app?

Phones are now like appendages. We are rarely without them. That is a big reason why companies push apps, along with the fact that phones create a focal point for data collection. Most apps require some sort of registration. That provides a modicum of security, but it is mostly for data collection. Location services on smartphones allow app users to be tracked and pinpointed wherever they use the app. This lets the business collect not only your personal information but how, why and where you’re using the app, and what you are buying. All of this data is used to target advertising and reshape sales.

Since 2014, Internet use has been more common on mobile devices than on desktops. You can accomplish so much on your phone now that you could probably go days without turning on a laptop or desktop. Apple has a cute commercial where the camera follows a girl throughout her day using her iPad.

A neighbor asks her what she is doing on her computer. She answers, “What’s a computer?”
The progression to apps began with the advent of online access to accounts and shopping. To encourage electronic account access, some companies even threatened higher fees for receiving paper documents through the mail. Then everything moved to our phones. Businesses lure customers into their apps with rewards or deals for using them. Some put more effort into their apps than their websites.

Secure?

How secure are all these apps we’re either using voluntarily or “forced” to use by companies? The transmission of data between the user’s phone and the app’s servers is usually encrypted in transit (TLS, the same protection HTTPS gives a browser), meaning the data being sent and received cannot be read on the network. The problems arise from the user’s lack of security awareness and from hacks of the app’s servers.

A high percentage of our phone use is in public. If you’re concerned about data usage you’re always looking for a WiFi signal. Logging in to public WiFi is one of the least secure actions a smartphone user can take. If you don’t inadvertently join a hacker’s look-alike hotspot, you are still sharing a network with strangers who can see your traffic. Once a hacker zeroes in on your phone they can intercept your transmissions to and from the apps you are using. Interposing on the phone’s connection to the router is commonly known as a “man in the middle” attack. Properly implemented TLS limits what an interceptor can read, but apps that skip certificate validation remain exposed. While it is still a popular hack, it is time consuming and much more work than going after the bigger treasure: company servers.

Why is it important to change passwords frequently, and not use the same password or login/password pair for more than one account? More sophisticated cybercriminals know where the money is. It’s in the servers of big companies. If not the financial records then the personal data. Recently, Under Armour announced that its MyFitnessPal app had been breached. They assured users that no financial data had been accessed, only user names, email addresses and hashed passwords. While that may give some a sigh of relief, there’s still a problem. Hackers will sell those user names, emails, and passwords on the dark web. They’re valuable because many users reuse the same login information across many accounts, so hackers can take the data gleaned from one breach and try it against your other accounts.

Using apps is only as safe as the host makes its server data and as you make your own use of the app. Most of the security issues are out of your hands. If you are not compromised in public, more than likely it will be the company’s servers or the app itself that is hacked, exposing your data. All you can do is be as safe and aware as possible on your end. Monitor accounts and change passwords frequently.

Please feel free to share. Check the archives for other posts about privacy and online security.
Are you being watched? February 2018
Keys to the vault August 2015



Tuesday, February 20, 2018

One born every minute


You are security conscious and know all the Internet dos and don’ts, but sometime it is going to happen. You’re going to fall for clickbait, open an infected email attachment, or fall for a social media hoax. You’re not dumb. You’re not gullible. You’re not alone. People of all ages, backgrounds, and levels of intelligence fall for social media hoaxes. Including this writer.

As with any scam, whether it is a criminal affair or a joke, the perpetrators play on human nature and how we react to stimuli, most notably anything that threatens our family or personal well-being. Fear. As with any con, the perpetrator uses broad, widely known information, with some truth sprinkled in for good measure. Sometimes, as in the case of privacy hoaxes, they use functions of the app to make it believable, instructing the victim to perform an action within the app that produces a result. When the result appears, it further validates the hoax.

The ones that get you are intelligently written in a generic style or tone that could come from any close friend or relative you would normally trust. They either forward the item to you or, worse, endorse it with a message that reads something like, “Tried it. It works!” or “This is true”. Most people don’t do research. If so-and-so posted it, it must be true, and we quickly click ‘share’. After fourteen years, Facebook is still having trust issues with its users. Anything that hints at a privacy scandal runs wild and users react.

Hoaxes, just like malware, circulate, mutate, and resurface, sometimes years after being launched. The one that got me was the ‘Following me’ security check on Facebook. [Spoiler alert: it’s a hoax] You receive a message from someone you trust that reads like the photo at the head of this post. And trust me, it will read like that photo, because the original language just keeps getting forwarded. Following the steps outlined in the post, you’ll find these unknown people “following” you on Facebook. You quickly go to the next step and start deleting all of these unwanted followers. How dare they intrude on my highly secure and private Facebook page! The nerve.

After testing the theory and seeing that it does indeed reveal hidden followers, you forward the message on with your own endorsement. Because it does work, it must be true. You have to alert all of your friends. I didn’t go that far. But it did give me an idea for a blog post. A couple of minutes of research had me SMH. Got me!

Snopes.com addressed this very hoax in a January 2017 article that was updated in September 2017 (Are Facebook users secretly following you?). Snopes traced the origin to a rumor being circulated that Facebook security teams were paid to follow individual accounts. That post read similar to the one pictured, except that the user was instructed to enter ‘Facebook security’ in the block users search box. While this did return a list of people, it turned out to be people who had used ‘Facebook security’ in their profiles. In September 2017, the hoax took on the form we have pictured. Now following the instructions returns a list of people that have “me” in their profiles.

In fact, the search box reads


So the hoaxers set you up with instructions that return what they want, a list of people you’ve never heard of, which gives validity to the hoax. Which gets it forwarded. And on and on and on it goes.

Please feel free to share. See the blog archive for more posts about privacy.
Are you being watched? February 2018

Tuesday, February 6, 2018

Are you being watched?


Do you feel safe in your home? Your exterior is probably pretty well defended against intruders, with metal doors and deadbolts, locking windows, and maybe an alarm system. How about intruders from within? “…The call is coming from inside the house”, an oft-repeated line from the 1979 movie When a Stranger Calls, can still make your skin crawl when you’re all alone, think you heard a noise, and then the phone rings. Just the thought of an intruder in your home with you is terrifying. There may not be a physical intruder inside your home at this moment, but someone may be listening or quite possibly watching.

Internet of things

Kevin Ashton of Procter & Gamble first coined the term “Internet of things” in 1999. It is defined as a network of devices, appliances, vehicles, etc. that connect and exchange data through the Internet. It is estimated that the Internet of things will be populated with 30 billion devices by 2020.

Technology has always invaded our homes as we excitedly open the boxes of the latest modern conveniences. In the early 1900s telephones began appearing in homes. The 1950s saw televisions showing up in living rooms. People started bringing home desktop computers in the 1980s. Those computers were connected to the Internet in the 1990s. Phones went on our belts and into our pockets in the 2000s and then became handheld computers. The first Internet-connected appliance was an LG refrigerator released in 2000. According to Statista.com, nearly 36 million smart home devices were sold in the U.S. in 2017. Over 40 million smart TVs were sold in the U.S. in 2016 and 244 million worldwide.

Privacy

The remote accessibility of household devices creates new security issues every day. As appliances get “smarter” their attack surface also grows. Smart devices only work to their full capability if they are connected to the Internet. Once that occurs they are searchable and hackable: a device exposed to the Internet can be found by the scanners that constantly sweep the address space, and a device with a known flaw or default password can be taken over. Hackers are always looking for unsecured networks and devices to exploit, if not for gain then just because they can.

We first heard about these types of intrusions in 2015, two years after consumers started bringing home smart TVs. Samsung released TVs in 2013 that could listen to voice commands from their owners. The problem? The TV has to be listening all the time to pick up the commands, and what was “heard” was being transmitted over the Internet. Samsung warned consumers, through its privacy policy, that spoken words are captured and transmitted through the voice recognition system, and further warned them not to hold personal conversations in front of the television. But who reads the privacy policies, right?

Another popular type of device entering our homes is the web-accessible camera. We set these up to watch the nanny, housekeeper, or house in general. There are even petcams available that not only allow owners to watch their pets but to speak to them and deliver treats remotely. The first cameras embedded in teddy bears, sold as “nanny cams”, began appearing on the market in 1992. The first cameras to transmit remotely via IP were sold by Axis Communications in 1996. Today, the market is flooded with cameras and phone apps that allow web transmission of live video. It’s fun to watch Mr. Snugglekins romp around the house. But if you can access your webcam remotely, so can someone else.

Hacking

The device most people have heard stories about and are aware of is the camera on your computer. Yes, it can be used against you. Unlike in the movies, your home computer usually has to be “infected” with malware that you allowed in by clicking on a link or visiting a sketchy website. As with all of your devices, locally, you have to let someone in for them to be monitored. That is not to say that you and your devices could not be specifically targeted and intruded upon. With enough effort it could be done. Hackers and, yes, governments have the capability to access television microphones, computer and remote cameras, turning them on and off and recording at will. However, most likely you’ve been the victim of malware.

The privacy and security issue with smart appliances is the collection and transmission of data. First, your viewing habits, conversations, and actions are being collected. Second, the data is being transmitted over the Internet and held on third party servers. All of which can be hacked. So no matter the security measures you take at home, your personal data is vulnerable once it hits the WWW.

The thing is, you allow them into your home with the purchase, unpacking, and setup to connect to your network. You are unaware of the data transmissions because you have most likely allowed the device to set itself up per the manufacturer’s settings. Any warning or setup recommendations were clicked through and unread. Admit it. You’ve done it. Who reads the privacy settings on a new device? Or whenever you allow an update? That’s what the manufacturers are counting on. The key word in the previous paragraph is “allow”. You’re inviting the snooping by purchasing the device, bringing it into your home, and allowing self setup.

Your appliances aren’t the only ones listening. Conspiracy theories have floated around the last couple of years that Facebook is listening to your conversations to better target ads. While feasible, it is unlikely and has been debunked by several sources. Facebook may not be overhearing conversations, but they, as is Google, are “listening” by recording your search habits and even communications in messaging and email apps to better target advertising. Netflix was recently caught when, trying to be funny, it tweeted about the number of times a few viewers had watched one of its programs. Netflix admitted that it does track the viewing habits of subscribers.

Security

When you invite smart appliances into your home you give up your privacy. You have to consider these devices as other persons and guard your privacy accordingly. Take the time to read the manufacturer privacy policies. Read the manual setup instructions and adjust the device settings accordingly. Block cameras in sensitive areas or turn them towards the wall when you’re home.

This reads like an Orwellian or tinfoil hat conspiracy. It wasn’t meant to be, or to keep you from enjoying the conveniences of technology. Just be aware of the surroundings you’ve created. Any smart device has to be considered to be listening or watching. Alexa, Siri, Google: they all have to be listening all the time to be able to pick up your commands.

Please feel free to share. Read other posts about security in the blog archive.

Monday, November 13, 2017

Time expired on parking meters


You approach the parking meter. It is a standalone machine in the parking lot; not connected to a building or to a visible wired connection. While the meter does accept cash, it also has a credit card slot. You unsheathe your card and slide it into the slot as instructed on the screen. The meter reads your card and communicates, wirelessly, with the bank. If the card is authenticated, the transaction is approved and the meter dispenses a receipt. Transaction complete. So what just happened?

In the everything-is-hackable world of digital communication we live in, how are parking meters safe? Research on this topic seems to indicate a risk-reward scenario, or more likely a “not worth the effort” scenario. As we have seen in recent years, any system of any entity is subject to hacking, no matter the type of hardware or the owner. This article continues the discussion regarding the security of parking meters raised in the post Skimmers, August 2017.

The parking meter

Before we get into the security of the parking meter, first a little history.

According to Wikipedia, Massachusetts entrepreneur Roger Babson filed the first patent for a parking meter in 1928. The electric meter was meant to be powered from the battery of the parked car. Either due to design or necessity at the time, the Babson meter never caught on. In 1935, Oklahoma City newspaper publisher Carl C. Magee had identified parking issues in the business district and was asked to find a solution. His idea was to regulate parking through coin operated meters associated with spaces marked by lines painted perpendicular to the curb. Magee asked Oklahoma State University engineering professors Holger Thuesen and Gerald Hale to develop a machine. The result was the Park-O-Meter, for which Magee received a patent in 1938. The first Park-O-Meter was installed in downtown Oklahoma City in July 1935. Retailers loved the meters as they encouraged a quick turnover of cars and potential customers. Drivers, initially opposed, were forced to accept them. The cost for that first hour was five cents.

The first meters accepted coins and had a dial to engage the timing mechanism, with a red flag to indicate expiration of time. Those meters required a service person to keep the mechanism wound. Later iterations by other companies provided a mechanism that remained wound by the action of the user setting the time, eliminating the need for service personnel. Since the parking meter made its debut there have been many styles and mechanisms deployed, all of which have completed the same task: measuring an amount of time for a price. Manual mechanisms remained in service for fifty-some years until advances in technology allowed for digital operation in the 1980’s.

At this point in our history lesson, drivers looking to park their cars still had to use coins. Some machines only accepted one kind of coin. Different variations of the parking meter existed depending on the maintenance and replacement schedules of local governments.

Again, Wikipedia tells us that in 2007 the IPS Group from San Diego, California introduced the solar powered, credit card accepting parking meter. (Wikipedia is used as a source because there isn’t much out there in the way of the history of the parking meter.) The so-called smart parking meter was born.

Smart parking meters

Advances in wireless technology have been applied to parking meter design to develop the “smart meter”. These meters are solar powered with wireless connectivity. This gives the meters the capability to talk to maintenance crews and banks, allowing for service calls and electronic transactions. This type of technology also allows drivers to pay through phone apps, and allows single machines to regulate multiple spaces. They can also be designed to alert enforcement personnel when cars are over parked.

The market is flooded with types and styles from a variety of vendors. Some municipalities use single pole meters per space and others use machines that regulate multiple spaces. All use wireless connectivity. Which brings up the question: can they be hacked?

Are smart parking meters secure?

Shortly after the introduction of the smart parking meter, three hackers revealed at the Black Hat conference in Las Vegas in 2009 that they had hacked meters in San Francisco. In an attempt to prove the security flaws of the new technology, the hackers reverse engineered it and found that the machines had little in the way of protection or encryption. They were able to “trick” a variety of meters into providing free parking. This infiltration manipulated the meters but did not attempt to intercept or steal credit card transactions.

Since this report was made public, parking meter manufacturers have worked to improve the technology to protect electronic data transfer. Even the FTC issued a report in 2015 encouraging all manufacturers of smart devices (appliances, thermostats, etc.) to invest more in securing the “Internet of things”.

The International Parking Institute released a report titled "What's What in Parking Technology" in 2016. The report describes a point-to-point credit card encryption method, which delivers end-to-end encryption. The method instantaneously converts credit card data into an indecipherable code at the time the card is swiped, to prevent hacking. This is similar to how Apple Pay creates a token that has no exploitable meaning or value except to the key holders at either end of the transaction. This allows the meters to communicate directly with the banks.

This also means that any credit card data stored on the meter is encrypted as well, so that it cannot be read by anyone, including maintenance personnel. As with any electronic transaction, it is recommended that you keep your receipt, as it contains a bank authorization number you can use to reference the transaction with your credit card company.
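A simplified model of the point-to-point scheme described above, added here as an illustration and not code from any meter vendor or from the IPI report. The meter encrypts the card number at swipe time with a per-transaction key derived from a one-way key chain and then discards that link, so the records left on the meter are readable only by the processor that holds the base key (the ratchet is a simplification of the DUKPT idea, the HMAC keystream stands in for a real block cipher, and the Meter/Processor classes and card numbers are constructed test values).

```python
import hmac
import hashlib


def _prf(key: bytes, label: bytes) -> bytes:
    """Key derivation / pseudorandom function (HMAC-SHA256)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for a real block cipher: XOR with an HMAC counter-mode keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = _prf(key, b"ks" + i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Meter:
    """Capture device (hypothetical). Holds only the current link of a one-way key chain."""

    def __init__(self, injected_key: bytes):
        self._chain = injected_key  # provisioned once, then ratcheted away
        self.counter = 0
        self.stored = []  # the records a maintenance tech could pull off the meter

    def swipe(self, pan: str) -> dict:
        txn_key = _prf(self._chain, b"txn")
        record = {"ctr": self.counter, "ct": _keystream_xor(txn_key, pan.encode()),
                  "last4": pan[-4:]}
        self.stored.append(record)
        # Ratchet and discard: the key that encrypted this record no longer exists here.
        self._chain = _prf(self._chain, b"ratchet")
        self.counter += 1
        return record

    def try_read(self, record: dict) -> str:
        """What someone holding the meter's current state gets for an old record."""
        return _keystream_xor(_prf(self._chain, b"txn"), record["ct"]).decode("latin-1")


class Processor:
    """Bank/processor end (hypothetical). Holds the base key, so it can rebuild any txn key."""

    def __init__(self, base_key: bytes):
        self._base = base_key

    def decrypt(self, record: dict) -> str:
        chain = self._base
        for _ in range(record["ctr"]):
            chain = _prf(chain, b"ratchet")
        return _keystream_xor(_prf(chain, b"txn"), record["ct"]).decode()
```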

Hacking the wireless connection to obtain credit data may not be fruitful, but there have been a few instances reported regarding skimming. This is when a thief attaches a device over or into the manufacturer’s credit card slot. The device collects credit card data as cards are swiped. The problem for the thief is that parking meters are smaller than ATMs and gas pumps, so it is harder to hide the skimming devices. Not that it cannot be done or tried. On ANY type of machine that accepts credit cards you should check for evidence of tampering before swiping your card.

So, our journey brings us back to the question: is it safe to use your credit card in a smart parking meter? For the most part, yes. The meters themselves either do not store data or the data is encrypted. The transactions also are encrypted. The machines themselves offer little space for skimming devices. Can they be hacked? More than likely a resounding yes, as anything can be. Is it worth the criminals’ effort? Other than bragging rights, probably not. The payoff is not worth the effort.

Another source of curiosity is vending machines that accept credit cards. There have been no indications that they’ve been targeted. But with what we’ve learned about parking meters, we’ll chalk those up to “the payoff is not worth the effort” as well.

Please feel free to share any and all posts. See the blog archive for more posts about wireless and personal security:
- Skimmers, August 2017
- Pain at the pump, October 2016
- Taking your identity on vacation, June 2013


Monday, April 24, 2017

Teach your employees well


Small business hacking is becoming more prevalent. The payoff isn’t as big, but the opportunity is greater and security is lacking. Security firm Symantec reported in 2016 that 43% of cyber attacks were against small businesses. Small businesses have little in the way of security and employee training. They often have more to lose, in the sense that they have less cash flow or all of their money is tied up in their business, making them more likely to pay ransoms. (Ransomware is explained in more detail in our post, If you ever want to see your files again…)

Attacks can be as simple as rerouting the web address to a porn site or locking all of the computers for a ransom, all the way to hacking financial data and cleaning out bank accounts. More than half of the companies attacked were forced to go out of business. Maintaining sound computer security cannot be emphasized enough.

The website Small Business Trends, in an article posted January 3, 2017, stated that 48% of attacks are caused by an employee error. In addition to updating security software, one of the biggest defenses owners can deploy is educating their employees on cyber attack indicators. The malware has to enter the system somehow. Simply clicking on an attachment will send the virus into the network to do its work. Stealthier viruses will enter the system without any sign of their existence. These are meant to mine data from the system. By the time you find the virus, the bank accounts are fleeced.

Regularly train employees on different types of attacks and how to defend against them. Establish a policy for computer usage. Explain what is acceptable Internet use. Malware can be injected via email attachments or links to websites, and those links can arrive through email or social media. Demonstrate what a suspicious email, link, or social media contact looks like. Practice solid password policies and change passwords regularly. Encourage employees to speak up when something is suspicious, and not to click on the suspicious item.

Even if you do not think you store valuable data (although customer records are a valuable commodity), the chance of losing your business data or suffering a financial attack is too great a risk to take.

See our blog archive for other posts relating to cyber security: