Plain English Cyber in 3 articles, 2 numbers and 1 action.

This week: Is the end of passwords in sight? Why is a bank warning us about taxis? Why worry about smart glasses? And why do bad guys love crypto wallets and Android devices?

This week’s action: It’s time to do a health check on your Android devices.

If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.

 

THREE ARTICLES

 

1: On World Password Day, Apple, Google, and Microsoft announce the end of passwords

As I am sure you know, yesterday was World Password Day, celebrating one of the technology world’s biggest headaches.

And on this day, Microsoft, Apple and Google announced plans to support a common passwordless sign-in standard, which “will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms”. Users will sign in [to a website or app] using the same login process that they already use to log in to their device – for example, “simple verification of their fingerprint or face, or a device PIN”.

Apparently, this new approach will be rolled out to devices over the coming 12 months.

Read more: https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/ via https://www.protocol.com/bulletins/google-apple-microsoft-passwords

2: Don’t let your bank card travel alone

This next article from the Irish Independent arises from a security alert sent by AIB to its customers last week. It is slightly bizarre but as AIB’s email states, “it shows the lengths fraudsters will go to get their hands on your [bank] card.”

The email from AIB to its customers is titled ‘Don’t put your bank card in a taxi’.

In the email, AIB informs us that “We’ve heard about cases where a fraudster, pretending to be from AIB, calls or texts you to tell you your card details are already in the wrong hands of criminals and we (AIB) have arranged for a taxi to collect your card from you. A genuine taxi arrives, collects the card, and innocently delivers it into the hands of a real criminal. They now have access to the money in your account.”

AIB then reassures customers that “We will never send a taxi to collect [your] card.”

I wonder will AIB need to send another email next week to clarify that they will never send a courier or anyone else to collect the card and that in any circumstances where there is a suspicion that your card may have been compromised, the only action is to shred the card immediately.

Read more: https://www.independent.ie/news/aib-warns-customers-innocent-taxi-drivers-being-used-to-deliver-cards-in-new-scam-41601688.html

3: Ray-Ban Stories are coming. Ready or not, you may soon be the star of a Facebook video.

This last article arises from a full-page ad which appeared in the Sunday Times last weekend.

Titled ‘Your guide to smart glasses’, the ad from Meta (aka Facebook) and Essilor Luxottica (Ray-Ban’s parent company) explained that smart glasses (such as the Ray-Ban Stories devices that will soon be launched by Facebook Meta) are not recording you as you go about your business... unless the small LED light in the top corner of the frame is illuminated.

When Google launched their smart glasses a number of years ago, there was a public outcry about the devices invading the privacy of anyone who came within a few feet of the wearer. This ad is trying to get ahead of a similar outcry arising in the future.

I have written a short article about the advertisement, and my own views on the potential implications of these more covert recording devices.

Read more: https://codeinmotion.ie/smart-glasses-and-privacy/

TWO NUMBERS

 

1: 17%

According to BitDefender, an anti-virus vendor, 45% of the fake domains used in the phishing attacks that it detected last month were trying to fool people into thinking they were accessing hotmail.com or gmail.com. This is not particularly surprising.

But what is surprising to me is the next most popular phishing target: 17% of phishing emails attempted to spoof a site called myetherwallet.com. This site is described as ‘your gateway to the Ethereum blockchain’ and enables cryptocurrency enthusiasts to buy and sell cryptocurrency.

Mary had a crypto wallet,

Its contents were white as snow,

And everywhere the wallet went

The bad guys were sure to go.

Read more: https://businessinsights.bitdefender.com/bitdefender-threat-debrief-april-2022

2: 41%

Also according to the same BitDefender research, 41% of the malware infections detected on Android devices last month were caused by malware called SMSSend.AXW. As the name suggests, this malware sends a copy of every sent or received text message to the bad guys. If you have protected your accounts with multi-factor authentication that sends a security code by text message to your Android phone, this malware would ensure the bad guys also see this security code.

This is one reason why security experts recommend that you don’t use SMS text messages for multi-factor authentication, but use an authenticator app like Google Authenticator instead. It is also why people like me have a bias against Android devices, due to the perceived (real?) security holes in that platform.

Read more: https://businessinsights.bitdefender.com/bitdefender-threat-debrief-april-2022

ONE ACTION

 

1: If you use an Android device, it’s time for a health check.

Following up on BitDefender’s report, a regular health check of your Android devices is always worthwhile.

I have no personal experience of Android since about 2013, when I decided the platform was too much of a Wild West for my risk appetite. Luckily, there is plenty of advice online, so I recommend you take a look at some of these:

AVG has a detailed step-by-step guide on what to do, and offers a free scanning tool to help you – https://www.avg.com/en/signal/remove-phone-virus

Norton also describes how you can identify signs that there is something amiss with your phone and what to do about it – https://us.norton.com/internetsecurity-malware-how-to-remove-malware-from-android-phones.html

Google also provides some guidance – https://support.google.com/accounts/answer/9924802?hl=en&co=GENIE.Platform%3DAndroid