New Malware Bypasses Two Factor

Just to be clear before I start, this is not a technical hack. It relies on human beings to make mistakes. Human beings are almost always the weak link.

A new banking trojan is stealing financial information from Android users in the United States, UK, Germany, Italy, Spain, Switzerland and France.

Even though this particular malware is currently going after Android users, there is no reason to think that it would not work on iPhones, because it depends on users not paying attention.

The malware, dubbed EventBot by the researchers who discovered it, targets over 200 different financial applications including money transfer services, cryptocurrency and banking.

Currently, this malware is NOT being distributed by the official Play Store, so this is one that you can’t blame Google for not detecting. Users who load software from shady providers often get their software with a side of malware. These sites usually provide some form of illegal content – you name the type.

The main mistake the people who are getting hacked make is not paying attention to the permissions their apps are asking for and being granted.

In this case, the app asks to run in the background, ignore battery optimization, prevent the processor from sleeping, etc.

One key permission the app asks for is to turn on Android’s accessibility services, which is really designed to support the physically challenged. If you do not have a physical disability, you should NEVER give an app this permission.

These apps, of course, use social engineering to convince users to give them an entire boatload of permissions. Users, who are not security experts, don’t understand all this permissions stuff anyway, and trust developers to be honest.

Trusting developers to be honest is, well, a bit of an oxymoron.

While 99+% of developers are, in fact, honest, it’s the ones that are not who steal you blind. In this case, empty your bank account.

This particular app asks for the permission to launch itself after boot (Nope – don’t do it, ever). That way it is always running in the background.

When you launch one of the apps that it understands, it looks to see if you have two factor authentication turned on. If you don’t it just steals your password and empties your account. If you do AND THE TWO FACTOR IS A TEXT MESSAGE, it logs in and waits for the text message to come in (yes, it asked for permission to read your text messages) and then empties your bank account.

Two ways to defeat this cold.

  1. Pay attention to the permissions an app asks for. If it asks for too many permissions or permissions that you don’t understand why it needs, either don’t install the app or revoke the permissions immediately after installation.
  2. Don’t use text messages as the second factor. If you use a Time-Based One Time Password (TOTP, like Google Authenticator or one of the many others), this attack doesn’t work because, try as they might, there is no text message to steal.

Bottom line, it is a real attack, it is happening now, has happened before, will happen in the future and is dependent on fooling users.

Credit: Bleeping Computer

Phone Scams Gone Wild

It used to be that when the phone rang, it was someone with an African accent telling you that he was from Windows technical support calling you because your computer was infected. You hung up.

Scammers have gotten much smarter. Unfortunately. Here are two recent examples.

This guy got taken for $10,000. Mitch (him, not me, thank goodness) got a call a couple of Fridays ago from someone claiming to be from his bank saying there was fraud detected on his bank card. The caller ID had the same number as was printed on the back of his card. He logged into his account and did, in fact, see several fraudulent charges going back several weeks (NOTE 1 – see tips below). They were relatively small – under $100 each. But there were also two withdrawals from cash machines in Florida for $800 each (NOTE 2).

He figured that if this was a scam, the caller would have asked him for information, which she did not (NOTE 3). She said they would reverse the charges and send him a new card (NOTE 4). He thanked her and hung up.

This was part of the hook in the scam.

The next day he got another call about suspected fraud on his bank account. He thought this is weird, so he called his bank on another phone and asked if they were talking to him. They said yes. This is known as a man in the middle attack (or woman in the middle. These scams often use women because, after all, women aren’t crooks, right?). The hacker calls the bank pretending to be you, then they call you pretending to be the bank and magic, they have everything they need to do the fraud.

Mitch said that the bank, in the past, might send him a one time code via not-very-secure text message, so when the attacker asked him for the text message code (which the bank had asked the attacker for), he gave it to her. Again they said they would fix it.

Over the weekend he looked at his account and saw no more activity and figured it was handled. Not so.

On Monday Mitch saw a $9,800 outgoing wire posted to his account (NOTE 5). He was now out over $10,000.

To add some intrigue, the destination of the wire was an online-only bank in Mitch’s name. The bank figured it was a Mitch to Mitch transfer, so they figured it was okay. Banks are required by law to “know your customer” or KYC. For online banks, “know” is a relative term and until the feds start fining those banks millions of dollars, this fraud will continue.

Obviously, at some time his debit card and maybe PIN (NOTE 6) was compromised and the rest was an elaborate social engineering scheme.

The bank did give him back his money (under federal law CONSUMERS but **NOT** BUSINESSES are given the benefit of the doubt and will usually, but not always, and sometimes after a fair bit of screaming, get their money back). Businesses are assumed to know what they are doing and don’t get a free pass.

So what about all the notes. Okay, here goes.

NOTE 1 – All decent banks can send you a text message (better than an email because you are more likely to look at it quickly) every time your card or bank account is used. If your bank can’t do this simple anti-fraud measure, find a new bank. BTW, this includes credit cards too. Usually there are a lot of options in terms of what/when/how much, but in my opinion, opt for being over notified. That way, when the first fraudulent transaction cleared, Mitch would have said “hey wait, I didn’t use my card” and he would have called the bank, they would have killed the card and maybe this would not have happened. If, after Mitch did all of this, a second fraudulent transaction happened, Mitch would have known that not only was his card compromised, but so was his account.

NOTE 2 – $800 withdrawal from a cash machine. Banks will let you specify how much cash you want to be allowed to withdraw per day from the ATM. I do not EVER withdraw $800 in one day from an ATM. That limit is too high. Set your limit at $50 above the max you want to risk losing. You can always go into the branch and withdraw more in some weird circumstance. Also, your spouse’s card has a separate and likely equal (could be different) limit, so if you set the limit low, you can get your spouse to get more cash. Again, if you had followed NOTE 1 above, you would have known about the $800 cash withdrawal as soon as it happened.

Side note. I got a text alert a while back and immediately called my wife. Wasn’t her. I called the bank, in this case it was Wells and they did a great job. WHILE I WAS ON THE PHONE WITH FRAUD and he was working diligently to kill the card, he saw three more transactions attempting to be authorized. He was able to “decline” those charges, kill the card and issue a new one via overnight mail. Problem solved.

Your choice is convenience in not having to deal with those text messages or a pain in the ^%$# trying to get your money back. YOUR CHOICE.

NOTE 3: Banks also often choose convenience over security. Since the hacker spoofed Mitch’s caller ID, the bank’s security mechanism got scammed. They would rather eat a few billion dollars in losses, which you pay for in fees, than annoy you. They figured the call was coming from Mitch, so why bother using the security protocol. I’m not fond of that strategy.

NOTE 4: The bank said they would send him a new card. Since there was fraud on the card – as well as fraud on the phone – they should have said they were going to kill the card. Apparently they didn’t say that. That should have been a flag to Mitch. When there was a supposed additional fraudulent charge the next day, that really should have been a red flag to Mitch again. If they say the card was disabled, you can easily test it by trying to make an online transaction. If it is a hacker saying the card is disabled, you will be able to complete the transaction. Big red flag. It should be declined. If it is not, call your bank yourself.

NOTE 5: That $9,800 outgoing wire. You should be able to tell your bank that you do not want to allow outgoing wires ONLINE or you want to set the limit to $500 or whatever. Sometimes you will have to make a stink, but banks can do almost anything. Also, that wire should have generated an alert (see Note 1).

NOTE 6: Some people insist on using their PIN when they buy gas or go to the grocery store. I am not sure why. Maybe they like dealing with the nice people in the fraud department. The only place you should ever use your PIN is at the ATM. Period. End of conversation. There is NO reason to use your PIN anywhere else. If you don’t use your PIN then your PIN can’t be compromised and your bank account emptied out.

In this case, Mitch got his money back. That doesn’t always happen and it doesn’t always happen quickly. The quicker you notify your bank about fraud, the more likely it is that you will get your money back. In the case of businesses, this is super critical because with wire fraud, money usually only stays in the first bank account for a few minutes. Literally.

Credit: Brian Krebs

I said at the beginning that I had two examples, but this post is already too long. Here is the link to the other example.

All I can say is be proactive or deal with the results.

If you have questions, please reach out to me. I am happy to help you protect yourself. AND, share this post with your family.

Privacy Pros Say Uptick in Privacy Requests as a Result of COVID-19

According to one survey, 92% of companies are concerned about the new rights that consumers have under the California Consumer Privacy Act (CCPA), with just over half saying that this is the hardest part of complying.

Of course, no one is thinking about what happens after a breach, but prior to a breach, this is probably the correct thinking.

56% of the privacy pros expect an increase in rights requests as a result of COVID-19.

The evidence of this is that 51% of the companies are receiving more than 10 requests a week and 20% are receiving more than 100 requests a week.

The survey happened during the first two weeks of April.

59% of the folks are buying new tools. At 10 requests a week, you can process them by hand, but at some point, doing it by hand is going to overwhelm the team. If you have to add just one person to the team, that likely represents $50k a year including overhead, maybe more, forever. Tools become attractive if you have to add 2, 3 or more people.

A curious statistic is that 55% of the legal pros say their solution is automated, but only 13% of the IT folks say it is automated. My guess is that the 13% number is much closer to reality.

The California legislature added a 1 year moratorium on granting employees rights under CCPA and that ends on December 31. 92% of the pros said that they plan to extend privacy rights to employees (probably from a PR standpoint, it is a problem if they do not) and 62% said they plan to offer it to employees outside of California as well.

15% said they plan to wait until they are forced to offer it by the law. A forward thinking group.

Of course, California is only one state. 74% say that they are watching what other states are doing. This is one place where COVID-19 will likely help – there will probably be far fewer states implementing new privacy laws this year. 64% say the fact that other states may implement similar laws is the reason they are looking at automation. If it is 10 requests a week now, does it become 50 or 100 in a year or two?

Bottom line is that no one knows what will happen in the future, but COVID-19 has, apparently, not stopped some people from being concerned about their privacy. Credit: HelpNet Security

Security News for the Week Ending April 24, 2020

Corona Virus Puts Brakes on 5G Deployment

A research report says that global cloud revenue from the operation of core 5G networks will fall 25% to 30% shy of the $9 billion forecasted for this year.

They predict that this will only be a short term problem and that 5G deployment will pick up next year.

*I* think a bigger problem is going to be network congestion, but what do I know; I am not trying to sell consumers and businesses a dream.

Samsung just demonstrated that a 5G phone on a commercial cell site (in a test) was able to transmit at 4.2 gigabits a second. Two phones doing that fully consume one 10 gigabit fiber. 100 of those at one cell site would consume 50 fiber strands from that site. One hundred cell sites, each filling up 50 fiber strands, would in the aggregate fill up 50 × 100 = 5,000 strands of fiber, and that is for just 100 cell sites. The forecast is for hundreds of thousands of cell sites in the U.S. Where do we get all of that network capacity? The answer, of course, is to throttle down your speed to something they can digest, unless you pay a lot of money (which they would like). Most people will say that it is not worth it. That spells a problem, I predict. Credit: Computer Weekly.

Space Crime – Astronaut Accused of Hacking Spouse’s Bank Account from Space

In possibly the first space crime ever, the spouse of an astronaut on the U.S. space station, who was separated and filing for divorce, accused the astronaut of hacking into her bank account from outer space. I used to say that you could hack from half way around the globe, but I guess now I have to amend that to include outer space. It turns out that the spouse is now being charged with lying to the cops – she had given her spouse access to that bank account years earlier and never changed the password, even though she said that she had. Credit: CNN

Ticketmaster Changes Refund Policy After the Fact

While this is not really a security issue, I find the numbers staggering. And a warning.

Ticketmaster has postponed or cancelled 30,000 events and still has another 25,000 events scheduled for the rest of this year. Just the cancelled events represent $2 billion in ticket sales and, I am sure, hundreds of millions of dollars of profit. As a result, Ticketmaster decided to change their refund policy, AFTER PEOPLE PURCHASED THEIR TICKETS, to say that you won’t get a refund unless the event is cancelled and not “indefinitely postponed”. Since the performer, venue and Ticketmaster all have a vested interest in keeping people’s money, many events will be “indefinitely postponed”. Not surprisingly, Ticketmaster is being sued.

Ticketmaster is working on offering refunds for 18,000 postponed events, likely due to a combination of the shaky legal strategy of changing contract terms after the fact and the bad publicity, but that still leaves maybe 30,000 to 40,000 events, representing maybe 100-500 million tickets (depending on average venue size), in limbo.

For consumers, this is a bit of a security warning in the sense that you should consider that any money that you spent on tickets for concerts and travel should be treated as a total loss for now. Plan for the worst and be happy if you wind up better than that. I assume that no one is buying tickets right now, but consider this when that option resumes.

For example, a high school class trip got cancelled here in the Denver area and the travel agency refunded 25% of the cost of the trip. The other 75% is, apparently, unknown.

Credit: Blabbermouth. For more information on the behind the scenes challenges that Ticketmaster is dealing with, see this article in Billboard.

Remote Worker’s Lack of Corporate Firewalls Blamed for Rise in Malicious Activity

SC Magazine says that the number of devices that have been commandeered to work for the bad guys has more than doubled since the pandemic.

The researchers believe that many of these devices were infected before the pandemic but the devices were blocked from the Internet by corporate firewalls.

Now that people are home and have a range of protection from NO firewalls to crappy firewalls that have never been patched to OK firewalls – but probably very few great firewalls – the malware can do its damage.

As a side note, reports from some corporate IT departments say that the availability of corporate grade firewalls suitable for home deployment is non-existent, so even companies that want to fix the problem by providing firewalls to employees can’t. The study says that the number of OBSERVED compromised companies increased by 400% between January and March in some countries. Credit: SC Magazine

Half a Billion iPhones at Risk Due to Email App Bug

While Apple is claiming that they don’t have any concrete evidence that hackers abused a bug in Apple’s default email application, they are not denying that the bug exposes email users to having their phones compromised and data stolen just by receiving a blank email.

Apple is also saying that while they are developing a patch, the three bugs in mail that were reported were not enough to compromise phones.

Security firm ZecOps says that at least 6 firms were targeted as far back as 2018. The bug dates back to iOS 6 – 2012!

For now, high risk users should not read their emails on their phones.

Credit: Tech Crunch and Engadget

Covid-19 Double Whammy: Losing Your Job and Hit by Identity Theft

Here in Colorado we are hearing stories that are likely being played out elsewhere.

A server went to file for unemployment benefits after being laid off and discovered that someone else was claiming benefits in their name.

This is a variation on the old tax refund scam where someone claims a tax refund that is due to you.

In this case the crook obtained some personal information like name, birth date and social and filed for benefits IN A DIFFERENT STATE.

Historically, this has not been a problem for state unemployment departments, but right now, with unemployment claims up by a factor of 10x and new claims nationally up by 20x, departments are probably doing a lot less due diligence than they need to be doing.

What is apparent is, like we saw a few years ago with tax refunds, the government was not and is not prepared to deal with fraud in unemployment claims. Hackers are always the leading edge.

Given that some of the systems that the states are using are 20, 30 and even 40 years old, it is highly unlikely that the states will create a systemic fix any time soon.

This person is apparently out of luck because they don’t know what state the claim was made in. I am guessing the states will need to be on the wrong end of a lawsuit in order for them to change this nationwide.

Even just trying to reach the state unemployment departments on the phone is more than a challenge.

For people who lost their job to be a victim of identity theft and have their safety net ripped out from under them – that is a huge problem with no quick fix.

Source: CNet

House & Senate Can’t Work From Home

While the rest of us are working from home or being laid off, Congress is doing neither. Turns out the problem is not so simple to solve.

The average age of members of the House was 58 years; the average age of the Senate was 63 years at the beginning of the session last year.

The dominant professions are business, law or professional politician, according to the Congressional Research Service.

This demographic is not one that is terribly tech savvy.

Reports indicate that some members of the House and Senate had trouble recently either muting their phones or unmuting their phones during conference calls.

Some members would not be able to navigate two factor authentication for a video call without help from their staff according to other reports.

Then there is the legal question as to whether a “remote vote” would be Constitutionally sound. There is no easy way to answer that question until the men and women in black decide that. This could potentially take years.

Mitch McConnell point blank said the Senate was not going to do anything like that (remote voting). I am not sure what his thinking is, but I appreciate this is not a simple problem.

That being said, Congress does lots of things that don’t involve votes, such as hearings and meetings. It seems like some of that could be done remotely, but not under current rules.

Effectively, for the last month, the House and Senate have done no work other than spending a few minutes voting on the CARES bill.

Some Congress people say that their remote work might be a high value target. Possibly, but most hearings, other than a few classified ones, are open to the public.

So while the White House has been practicing business as usual because the Constitution doesn’t say much about how the White House operates (while it says a lot about how the House and Senate works), the legislative branch has been at a dead stop.

It is unlikely that the House and Senate could implement something that is secure enough and passes legal muster in the next few weeks, but you could start with the easy stuff like public hearings.

I do agree that remote voting is problematic because if they pass laws that are later overturned, that could create chaos.

However, doing things the same way we passed laws 225 years ago is also a problem. Credit: Washington Post