Pete Recommends – Weekly highlights on cyber security issues December 1 2018

Subject: You Snooze, You Lose: Insurers Make The Old Adage True
Source: NPR via ProPublica Snooze, You Lose: Insurers Make The Old Adage Literally True

Millions of sleep apnea patients rely on CPAP breathing machines to get a good night’s rest. Health insurers use a variety of tactics, including surveillance, to make patients bear the costs. Experts say it’s part of the insurance industry playbook.

This story was co-published with NPR. Last March, Tony Schmidt discovered something unsettling about the machine that helps him breathe at night. Without his knowledge, it was spying on him.

As many CPAP users discover, the life-altering device comes with caveats: Health insurance companies are often tracking whether patients use them. If they aren’t, the insurers might not cover the machines or the supplies that go with them.

In fact, faced with the popularity of CPAPs, which can cost $400 to $800, and their need for replacement filters, face masks and hoses, health insurers have deployed a host of tactics that can make the therapy more expensive or even price it out of reach.

From his bedside, the device was tracking when he was using it and sending the information not just to his doctor, but to the maker of the machine, to the medical supply company that provided it and to his health insurer.

Schmidt, an information technology specialist from Carrollton, Texas, was shocked. “I had no idea they were sending my information across the wire.”

“The doctors and providers are not in control of medicine anymore,” said Harry Lawrence, owner of Advanced Oxy-Med Services, a New York company that provides CPAP supplies. “It’s strictly the insurance companies. They call the shots.”

Schmidt’s privacy concerns began the day after he registered his new CPAP unit with ResMed, its manufacturer. He opted out of receiving any further information. But he had barely wiped the sleep out of his eyes the next morning when a peppy email arrived in his inbox. It was ResMed, praising him for completing his first night of therapy. “Congratulations! You’ve earned yourself a badge!” the email said.

In an email, a Blue Cross Blue Shield spokesperson said that it’s standard practice for insurers to monitor sleep apnea patients and deny payment if they aren’t using the machine. And privacy experts said that sharing the data with insurance companies is allowed under federal privacy laws. A ResMed representative said once patients have given consent, it may share the data it gathers, which is encrypted, with the patients’ doctors, insurers and supply companies.

Schmidt returned the new CPAP machine and went back to a model that allowed him to use a removable data card. His doctor can verify his compliance, he said.

[+ discussion of rental fees, purchase, and insurance coverage/deductibles …]

Dr. Douglas Kirsch, president of the American Academy of Sleep Medicine, said high rental fees aren’t the only problem. Patients can also get better deals on CPAP filters, hoses, masks and other supplies when they don’t use insurance, he said.

Cigna, one of the largest health insurers in the country, currently faces a class-action suit in U.S. District Court in Connecticut over its billing practices, including for CPAP supplies. One of the plaintiffs, Jeffrey Neufeld, who lives in Connecticut, contends that Cigna directed him to order his supplies through a middleman who jacked up the prices.

see also:

RSS feed for site:

Subject: Your Credit Score Isn’t a Reflection of Your Moral Character. But the Department of Homeland Security Seems To Think It Is
Source: Slashdot

What kind of person racks up debts and doesn’t pay them? Your credit score is an attempt to answer this question. A report elaborates: These important three-digit numbers summarize our statistical risk for lenders. The allure of the credit score is its clarity: It cuts through appearances and converts our messy lives into an easily readable metric. The difference between a score of 750 and 600 is obvious. One is an excellent bet for a lender to make; the other is not. On balance, credit scores have made borrowing more convenient, and fairer, for consumers. But the U.S. Department of Homeland Security wants to use credit scores for an entirely different purpose, one they were never built for and are not suited for.

The agency charged with safeguarding the nation would like to make immigrants submit their credit scores when applying for legal resident status. The new rule, contained in a proposal signed by DHS Secretary Kirstjen Nielsen, is designed to help immigration officers identify applicants likely to become a “public charge” — that is, a person primarily dependent on government assistance for food, housing, or medical care. According to the proposal, credit scores and other financial records (including credit reports, the comprehensive individual files from which credit scores are generated) would be reviewed to predict an applicant’s chances of “self-sufficiency.” The proposal is open for public comment until Dec. 10. Setting aside the proposal’s moral abdication when it comes to the needy, we should be troubled by another injustice: its abuse of personal metrics.

Subject: Scammers edit Google Maps bank listings to trick and defraud people
Source: Business Insider

  • Scammers are using Google Maps to trick people into giving up their bank details.
  • The app lets users edit and update listings, so the fraudsters are changing banks’ phone numbers to their own.
  • Victims then call them up and give up their details without ever realise something’s gone wrong.

The Google-run online map service lets users submit changes and corrections to listings — so would-be fraudsters are changing the contact details listed for banks on the app. Then, when unsuspecting bank customers ring up what they think is their financial institution, the scammers extract their private banking details and use it to empty their accounts.

Subject: With DigitalOcean, Jigsaw’s Private VPN Gives a Line Out to Journalists
Source: DigitalOcean

Imagine you’re a journalist covering an uprising against a military regime. You film a riot on your phone, then quickly send it to your server over the virtual private network (VPN) you found in the Android app store that promised high security. That night, when you finally make it back to your hotel room and boot up your laptop to write the story, you realize the video is nowhere to be found.

Unbeknownst to you, this government forced your VPN provider to give them access to all the data streaming through their VPN as a condition for operating in their country. Censors grabbed your video and the pictures worth a thousand words never make it to your server. But that fact was never mentioned anywhere in the Android store’s description of the product.

This type of scenario isn’t hypothetical. “Journalists should be aware that their online activities might be subject to surveillance either by government agencies, their internet service providers or a hacker with malicious intent,” said Laura Tich, technical evangelist for Code for Africa, a resource for African journalists. This is exactly the problem that the new private VPN Outline was created to solve.

Alphabet’s cybersecurity division Jigsaw designed the product for ease of use and maximum data security. Outline, which is open source and audited by the Radically Open Security, is targeted to journalists and activists working for change on a large scale. Those who are disproportionately more valuable to society because they are carriers of societal change, said Santiago Andrigo, Jigsaw’s product manager, who manages Outline.

“Their work makes them more vulnerable to attack,” he said. “It can get really scary when they’re outed and you’re passing over information.”

Subject: How to Protect Yourself From Cellphone Phishing Attacks
Source: Digital Trends

The cell phone in your pocket is a wonderful thing, and it has led to a massive overhaul of the way our lives function. In conjunction with the internet, the humble smartphone means you have access to an enormous amount of data whenever you need it.

Unfortunately, that access is reciprocal, and stopping your personal data from getting out there is tough. While it may seem trivial, little bits of information are all some criminals need to try and scam you out of more valuable data, like your bank details or passwords. One of the ways this is done is known as “phishing,” and it’s becoming more commonplace every year.

tagged MOBILE:


Subject: Half of all Phishing Sites Now Have the Padlock
Source: Krebs on Security via beSpacific

Krebs on Security – “Maybe you were once advised to “look for the padlock” as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with “https://”. Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That’s up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018. This alarming shift is notable because a majority of Internet users have taken the age-old “look for the lock” advice to heart, and still associate the lock icon with legitimate sites. A PhishLabs survey conducted last year found more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe.

NB Krebs on Security tagged this article:
Bibox, IDN, internationalized domain names, John LaCour, phishing, PhishLabs, punycode, SSL

Example RSS feed for this tag:

Subject: Protecting Against Identity Theft
Source: DHS US-CERT – As the holidays draw near, many consumers turn to the internet to shop for goods and services. Although online shopping can offer convenience and save time, shoppers should be cautious online and protect personal information against identity theft. Identity thieves steal personal information, such as a credit card, and run up bills in the victim’s name.The Cybersecurity and Infrastructure Security Agency (CISA) encourages consumers to review the following tips to help reduce the risk of falling prey to identity theft:

If you believe you are a victim of identity theft, visit the FTC’s identity theft website to file a report and create a personal recovery plan.

RSS feed for US-CERT Current Activity:


Subject: USPS Informed Delivery Concerns
Source: various

(this is a cyber issue, not a porch pirate one /pmw1)


(signup to pre-empt some scammer)

other KoS informed delivery articles:

Posted in: Cybersecurity, Financial System, Privacy