Showing posts with label smartphone security. Show all posts

Wednesday, August 18, 2021

"Real" ID on your phone

 

In June 2021, Apple announced an upcoming update to its Wallet app that will let users scan their state-issued ID and save it securely, with encryption, within the app. The digital identification could then be used wherever accepted. And that’s the holdup at this point.

Four years ago I wrote a blog about the REAL-ID Act and a little history about how driver’s licenses became forms of identification. You can read that blog at "Real" ID.

That post closed with, “While you could probably identify yourself with the contents of your phone it is doubtful you’d get through a serious police encounter. You certainly couldn’t board an airplane.” Well, here we are in the 2020s, and we can use our phones to digitally access more services and places every day. The coronavirus pandemic pushed companies to contactless services, which helped increase the use of digital tickets, keys, payment, and identification.

We can use digital boarding passes to board planes. Concerts and sporting events have digital tickets. Pretty much every cash register has some sort of digital payment system. But the question still remains: can you use a digital ID as an official identification? Companies like Apple are providing the tools. Venues and other services have to decide how to adapt.

The number of states exploring the use of digital driver’s licenses is growing. As exploration continues, individual states are starting to implement programs. Colorado was the first state to implement a functional program that officials say is accepted by law enforcement throughout the state. Louisiana, Oklahoma, Delaware, and Arizona all have programs. Maryland, Wyoming, and Idaho have test programs. Utah, Iowa, and Florida will be launching programs in the next year.

As states begin accepting their own digital licenses, there will have to be reciprocity between all of the states, as there is currently with card-based driver’s licenses. And then there is the federal government. While there is not currently a federal identification system, government agencies will have to be prepared to accept the individual state digital IDs. Apple is working with the TSA to develop policy to accept IDs contained in its Wallet app. Once enough states go digital, Congress will probably pass some sort of legislation that recognizes digital IDs contained on phones.

Monday, November 25, 2019

Juice Cleanse


While I am not educated in computer programming or repair, I am knowledgeable and proficient enough to make computers do what I need and understand how that occurs. Because of my lack of formal training, I never doubt what can be done with computers; I just assume that I do not know how to make it happen. Anything is possible. So when I hear of new smart devices or electronic conveniences that make our life easier, I figure it is only a matter of time until someone compromises the security.

In November 2019, the Los Angeles County District Attorney published a public service message warning travelers against using public USB charging stations.

How it works

Criminals either conceal a computer in charging stations or load malware onto the stations, much like credit card skimmers at gas pumps. When someone plugs their device into the charging station via USB, the criminal’s computer can access the device. Or the malware is transferred to the device so that the criminal can access it at a later time.

There have been mixed reactions to the LA County DA report. But no one is saying that it can’t be done. More likely it is a matter of the effort versus the reward. Snopes.com reported, "While it is technically possible for crooks to steal information or install malware via public USB ports, this practice doesn't appear to be widespread".

Best practice: Use your own charging cables with a transformer and plug directly into an AC outlet.

Lasers as keys

Another threat to smart devices, or rather smart homes, is lasers. Researchers at the University of Michigan have created attacks using focused light to manipulate smart speakers. From as far as one hundred yards, researchers could transform their voice commands into light beams aimed at the speaker. Once the light is beamed at it, the speaker reacts as if someone were speaking to it.

The results of the discovery mean that criminals could trick smart speakers into opening garage doors, smart locks, lights, or whatever security feature is linked to the smart speaker.

In our brave new world one has to suspect that someone is always watching or listening. And no computer, mobile device, or now the things that charge them, is secure.

Find other posts on skimming, WiFi, and smart device security in my blog archive. 

Monday, April 2, 2018

How secure are apps?


Every business is pushing their mobile apps. Some are highly interactive, giving access to secure accounts. Others are merely informational, almost static platforms. Every day we become more and more dependent on our phones. The Pew Research Center estimates that 77% of Americans have a smartphone. A conglomerate of different studies from 2017 reported that Americans average five (5) hours a day using mobile devices and of that time 90% is spent using apps. Now when you allow that everything on your phone is an app of some sort it kind of diminishes the 90%, but the point is that we are on our phones a lot.

Why have an app?

Phones are now like appendages. We are rarely without them. This is a big reason why companies push apps. That, and because the phones create a focal point for data collection. Most apps require some sort of registration. That provides a modicum of security but it is mostly for data collection. Location services on smartphones allow app users to be tracked and pinpointed where they are using the app. This lets the business collect not only your personal information but also how, why, and where you’re using the app, and what you are buying. All of this data is used to target advertising and reshape sales.

Since 2014, Internet use has been more common on mobile devices than on desktops. You can accomplish so much on your phone now that you could probably go days without turning on a laptop or desktop. Apple has a cute commercial where the camera follows a girl throughout her day using her iPad.

A neighbor asks her what she is doing on her computer. She answers, “What’s a computer?”

The procession to apps began with the advent of online access to accounts and shopping. To encourage electronic account access, some companies even threatened higher fees for receiving paper documents through the mail. Then everything moved to our phones. Businesses lure customers into their apps with rewards or deals for using them. Some put more effort into their apps than their websites.

Secure?

How secure are all these apps we’re either using voluntarily or “forced” to use by companies? The transmission of data between the user’s phone and the app servers usually has end-to-end encryption, meaning the data being sent and received is encrypted. The problems arise from the users’ lack of security awareness and hacks into the app’s servers.

A high percentage of our phone use is in public. If you’re concerned about data usage you’re always looking for a WiFi signal. Logging into public WiFi is one of the most insecure actions a smartphone user can take. If you don’t inadvertently log into a hacker’s signal then you’re sending a signal that your phone is publicly available. Once a hacker zeros in on your phone they can intercept your transmissions to and from the apps you are using. Intercepting the phone’s connection to the router is commonly known as “man in the middle”. While that is still a popular hack, it is time consuming and much more work than going after the bigger treasure: company servers.

Why is it important to frequently change passwords? And not use the same passwords or login/password pair for more than one account? More sophisticated cyber criminals know where the money is. It’s in the servers of big companies. If not the financial records then the personal data. Recently, Under Armour announced that their app had been breached. They assured users that no financial data had been accessed, only user names and emails. While that may give some a sigh of relief, there’s still a problem. Hackers will sell those user names, emails, and passwords on the dark web. They’re valuable because many users will use the same login information across many accounts. Hackers can use the data gleaned from one breach to access your other accounts.

Using apps is only as safe as the host makes its server data and as the way you use the app. Most of the security issues are out of your hands. If you are not compromised in public, more than likely the company’s servers or the app itself will be hacked, exposing your data. All you can do is be as safe and aware as possible on your end. Monitor accounts and change passwords frequently.

Please feel free to share. Check the archives for other posts about privacy and online security.
Are you being watched? February 2018
Keys to the vault August 2015



Tuesday, February 20, 2018

One born every minute


You are security conscious and know all the Internet dos and don’ts, but sometime it is going to happen. You’re going to fall for click bait, open an infected email attachment, or fall for a social media hoax. You’re not dumb. You’re not gullible. You’re not alone. People of all ages, backgrounds, and intelligence will fall for social media hoaxes. Including this writer.

As with any scam, whether it is a criminal affair or a joke, the perpetrators play on our human nature and how we react to stimuli, most notably anything that threatens our family or personal well-being. Fear. As with any con, the perpetrator uses broad, widely known information, with some truth sprinkled in for good measure. Sometimes, as is the case with privacy issues, the perpetrator will use functions of the app to make it believable, instructing the victim to perform a function within the app that produces a result. When the result happens, it further validates the hoax.

The ones that get you are intelligently written in a generic style or tone that could be from any close friend or relative that you would normally trust. They either forward the item to you, or worse, endorse it with a message that reads something like, “Tried it. It works!” or “This is true”. Most people don’t do research. If so-and-so posted it, it must be true, and we quickly click ‘share’. After fourteen years, Facebook is still having trust issues with its users. Anything that hints at a privacy scandal runs wild and users react.

Hoaxes, just like malware, circulate, mutate, and resurface, sometimes years after being launched. The one that got me was the ‘Following me’ security check on Facebook. [Spoiler alert: it’s a hoax.] You receive a message from someone you trust that reads like the photo heading of this blog post. And trust me, it will read like the above photo because the original language just keeps getting forwarded. Following the steps outlined in the post you’ll find these unknown people “following” you on Facebook. You quickly go to the next step and start deleting all of these unwanted followers. How dare they intrude onto my highly secure and private Facebook page! The nerve.

After testing the theory and seeing that it does indeed reveal hidden followers, you forward the message on with your own endorsement. Because it does work, it must be true. You have to alert all of your friends. I didn’t go that far. But it did give me an idea for a blog post. A couple minutes of research had me SMH. Got me!

Snopes.com addressed this very hoax in a January 2017 article that was updated in September 2017 (Are Facebook users secretly following you?). Snopes traced the origin to a rumor post being circulated that Facebook security teams were paid to follow individual accounts. The post read similar to the one pictured except the user was instructed to enter ‘Facebook security’ in the block users search box. While this did return a list of people, it was determined to be people who had used ‘Facebook security’ in their profiles. In September 2017, the hoax took on the form we have pictured. However, now following the instructions returns a list of people that have “me” in their profiles.

In fact, the search box reads


So the hoaxers set you up with instructions that return what they want, a list of people you’ve never heard of, which gives validity to the hoax. Which gets it forwarded. And on and on and on it goes.

Please feel free to share. See the blog archive for more posts about privacy.
Are you being watched? February 2018

Monday, August 8, 2016

If you ever want to see your files again…





One computer in the office has a warning that it is being held ransom: “Provide 500 bitcoins to unlock the system” is the message emblazoned on the screen. Any computer that requests data from the original falls prey to the malware, which is now spreading through the office. The IT department has already been notified and the tech is running through the office unplugging data cables, trying to isolate the attack. No, this isn’t a mega corporation. It was an accounting firm with fewer than 100 employees.

An automotive service center with fewer than 20 employees had a similar experience. The office manager starts the computers for the day and she sees a message that her computer has been locked. Pay up if you want the decryption key. An ordinary Joe is surfing the net when a warning appears on his monitor that all of his photographs have been encrypted. If he wants to have access ever again, he’ll need to pay $1200.

Ransomware has been in the news lately. More than likely you’ve heard the stories of hospitals, police departments, or large corporations having their computers locked and given a price to pay to have them set free or, in the more common terminology, held for ransom. But cybercriminals are not just targeting institutions or corporations. As security features are improved, the criminals move on to more vulnerable prey. Any size business or any person can fall victim. Yes, the bigger fish will offer a more lucrative payday, but stack enough pennies and eventually you will have a dollar.

Definition and history

Ransomware is a type of malware that infects a computer or network, preventing users from accessing the system until a ransom is paid for the decryption key. There are two kinds. The first is called a “locker”, which locks the user’s computer. The second and more sophisticated is called a cryptovirus, which targets specific files (photos, personal, financial), encrypting them until a ransom is paid. Ransom payment is usually requested in the form of the electronic currency Bitcoin. (Bitcoin converts to roughly $575 U.S.) Symantec estimates that over 60% of the malware detected is of the cryptovirus variety and the average ransom paid in the U.S. is $300.

The Symantec white paper, Evolution of Ransomware, August 2015, gives this chronology of ransomware appearances: The first ransomware appeared in 1989, but wasn’t that effective due in large part to the lack of the Internet. Crypto ransomware came on the scene in 2005. As each version was detected and defended against, the writers would learn from mistakes and rewrite the code to make the malware more resistant to computer security features. In 2008, the criminals began secreting the malware in the form of fake antivirus programs. The programs would appear to scan and identify problems and then ask the user for up to $100 to fix the fake problems. In 2011, cybercriminals moved away from the antivirus attacks and began completely disabling the victims’ computers. Criminals then stopped mimicking antivirus problems and jumped to directly locking the computer using a law enforcement warning style of hoax. This was so effective that law enforcement themed ransomware became quite popular between 2012 and 2014.

Like most malware, ransomware is delivered via an attachment to an email. The user clicks on the legitimate-looking file and the malicious code is delivered. However, as users became savvier to suspicious emails and clicking on attachments, malware developers have learned to hide their code in websites, either bogus sites set up for the purpose of delivering malware or legitimate sites. Once the malware infects a computer it begins encrypting files. If the infected computer is attached to a network the malware spreads as that computer interacts with the network.

On the FBI website, FBI Cyber Division Assistant Director James Trainor writes, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”

Who is vulnerable?

Institutions, government agencies, big or small business, even personal computers can be targeted or infected. Some attacks are targeted and some are just malware creators phishing for victims. For most small businesses and individuals it is the latter. Anyone or any business can be victimized. As with identity fraud it is not a matter of if but when. The world is so electronically social that malware gets passed around like a rhinovirus. Eventually, someone close to you will be victimized or you yourself.

Smaller businesses and individuals are more susceptible due to a lack of computer knowledge and access to technical support. They also lack an effective backup system. Files being held ransom or the threat of a fake criminal charge, coupled with the lack of technical support, make personal computer users more likely to pay.

The FBI’s Internet Crime Complaint Center (IC3) reports that while companies and organizations are the primary targets, the IC3 continues to receive reports from individuals. According to reports to the IC3, most individuals are told that their personal/financial information or photos will be publicly released if a bitcoin ransom is not paid within a certain timeframe. Ransom amounts range from $250 to $1,200.

Prevention

For businesses and individuals alike, one of the main defenses is education. Know what the dangers are and be prepared. Businesses need to educate their employees on the tactics of cyber criminals and how to react if they feel they have been victims. After providing education and training, some companies will send their own “suspicious” emails to employees. The emails will look legit enough with the guise of signing up for training or providing personal information for system updates. However, each email will have the telltale signs of phishing that were thoroughly explained to employees. The IT department will monitor how many fall for the trick and how many reported it. Then they will provide further training and education to the employees.

The FBI confirms that ransomware has been around for several years. But there was an increase in 2015 with incidents still on the rise in 2016 due to lack of preparedness and protection. The FBI doesn’t support paying a ransom. Cyber Division Assistant Director James Trainor said, “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

What the FBI does recommend is prevention and a business continuity plan. The FBI website offers the below tips for businesses and individuals when dealing with a ransomware threat:

Prevention Efforts
  • Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
  • Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  • Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
  • Configure access controls, including file, directory, and network share permissions appropriately. If users only need to read specific information, they don’t need write-access to those files or directories.
  • Disable macro scripts from office files transmitted over e-mail.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).

Business Continuity Efforts
  • Back up data regularly and verify the integrity of those backups regularly.
  • Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

At the very least, educate your employees and have a conversation with whoever manages your computer system. At home, resist the urge to fall for “click bait” and pay attention to where you’re surfing. As for your smartphone? Don’t be lulled into a false sense of security. Your phone is a connected device. Someone, somewhere is figuring out a way to get in.

See our blog archive for other posts relating to security issues:

Thursday, August 27, 2015

Keys to the vault


iPhone®s have a feature that enables users to share files via Bluetooth®. You simply activate Bluetooth® on your phone and search for the other person’s phone signal. Rather than sending several emails or texts with photos, it is a simple file transfer. We successfully completed this method of file sharing in a public setting. Very simple and convenient. What was noted was the number of open Bluetooth® connections that were also within range. This is like walking around with your purse wide open or leaving your car keys in the door lock.

Bluetooth® use developed slowly, but once other technology caught up its use exploded. Bluetooth® was developed in the early 1990s. It wasn’t until 2000 that the first mobile phone with Bluetooth® technology came to market. In 2001, laptops and peripherals (printers, earpieces, car kits) came to market. The next several years produced everyday items that could connect via Bluetooth®, such as TVs, glasses, watches, and appliances. Around 2005 is when Bluetooth® became a popular feature on phones. After smartphones took off in 2007, it became a standard feature and every year since more uses between phones and other devices have been released.

Hacking into Bluetooth® began almost as soon as it became widely available on phones. Once consumers began using their phones for more financial exchanges and social media, hackers seized on the opportunity to exploit users’ lack of knowledge in regards to security and Bluetooth® connections. Most phones activate the Bluetooth® feature at startup. The user has to purposely turn off the connection. However, few do, either because they are unaware or because they actually use features such as earpieces or car connections. When not using the devices, users leave their phones in discoverable mode.

Hacking exposure

As with Wi-Fi, hackers love sitting in public places scanning for phone signals. They set up shop in common, high traffic (use) areas by sending an open Wi-Fi signal or intercepting Bluetooth® connections between phones and peripherals. Bluebugging is a term to describe identity theft by hacking access to mobile commands on Bluetooth®-enabled devices that are in discoverable mode. Your phone is tricked into thinking that it is connected to the peripheral when it is actually connected to the hacker’s device. Once the connection is intercepted, the hacker can take control of the device and/or retrieve data.

In July 2015, hackers successfully hacked into the system of a Jeep Liberty, taking control of the vehicle’s comfort, operational, and safety systems, to include braking. This was done purposely to prove the vulnerability to automakers. But if one person figured it out you can be sure there is a long line of others.

As of this writing, research revealed there was little data regarding the number of smartphones or personal accounts used on smartphones that are hacked. It is doubtful that the lack of data is due to a low occurrence, but rather lack of realization, little reporting and/or notice by the media. You may occasionally see a flip phone or non-smartphone but these types of phones are becoming rare. Many carriers do not offer these types of phones. There are an estimated 183 million smartphone users in the U.S. alone, 2 billion worldwide. Next time you’re in public take a moment to look around and let it sink in how many people around you have phones. Probably safe to say everyone.

New target

Just as your home computer became vulnerable in the 1990s, your phone is now the target. Only with your home computer you almost have to invite the hacker in through malware or an ill-advised website visit. Your phone, on the other hand, is with you all the time, exposing its signals to the public wherever you go.

Most times you won’t even realize that your phone has been hacked. Not until strange social media posts surprise you or you notice withdrawals from your bank account. Your home computer will get a virus. Your email account will be hacked. Your credit card information will be stolen. And growing every year, someone will be kind enough to file your taxes for you, for the small fee of receiving your refund.

Eventually your phone will be hacked. The best you can do is try to limit your vulnerability by keeping the doors shut. Limit your public broadcasting of a Bluetooth® signal and use of public Wi-Fi. Turn off your Bluetooth® when not needed. If you do use password protected accounts through public connections, change your passwords after each use. Watch your data usage for spikes. Constantly check your financial accounts as part of your regular security routine.