Pete Recommends – Weekly highlights on cyber security issues, September 20, 2020

Subject: Are agencies unintentionally contributing to unemployment fraud?
Source: GCN

COVID-19 has had a huge impact on the American job market, and more than 57 million initial unemployment benefit claims have been filed since mid-March. But it’s not just the newly unemployed seeking those benefits — the FBI recently reported a spike in fraudulent claims related to the pandemic by people using stolen identities.

How unemployment fraud is happening

Long before the onset of COVID-19, fraudsters could easily obtain personal identifiable information including names, Social Security numbers and home addresses from the dark web, data breaches, phishing attacks and even by cold-calling victims. Increasingly, fraudsters are using this stolen PII to submit fake pandemic-related unemployment claims online. Once the claim has been submitted, fraudsters can then request an unemployment benefits debit card and reroute all communications to their preferred contact information.

What’s more, once a claim is filed, the state mails a physical letter to the address on file with the claim details, including additional sensitive information of the person being defrauded. The California Employment Development Department Request for Additional Information Form, for example, includes the claimant’s full Social Security number. If the fraudster has already redirected the mailing address, the government is unintentionally exposing critical information that can put the victim at even more risk for continued identity theft.

In many cases, victims don’t know a claim has been filed on their behalf until it’s too late.

The FBI’s advice to look out for suspicious communications and charges doesn’t cover all instances of unemployment fraud as criminals can bypass these communications channels, file fraudulent claims and steal benefits.


Subject: Weather Apps Continue To Share Data With Third Parties
Source: Gizmodo

While I think we can all agree that every app on our phone is probably an invasive little shit, I’d argue that weather apps deserve their own little corner in hell. We’ve seen weather apps sign folks up for services without their say-so, sneakily get location data from users who deliberately turned that function off, and pull all other sorts of stunts that make it clear just how little these companies care about giving their users any choice about opting out.

Case in point: Earlier today, IBM Watson Advertising, aka the advertising arm for IBM’s Weather Company enterprise, announced it will be rolling out a new way to track and target us all in a way that’s supposedly more privacy-forward than the typical cookie-adjacent tech we’ve all come to know and loathe. Their answer, apparently, is to lump a ton of other types of sensitive data like what we buy and where we shop from the good folks over at Nielsen, and use that instead. As IBM explains:

Up until now, The Weather Channel’s app—just like countless other free-to-download apps—partially relied on pawning certain identifiers, like your device’s unique mobile advertising ID and location, into marketers’ hands as a way to make ends meet. Despite the fact that combining a unique tag on a given phone with that phone’s location gives both marketers and federal officials the ability to trace and target that phone and its owner with pretty terrifying accuracy, up until pretty recently the ad industry managed to hide behind the excuse that because this data didn’t, say, contain any directly identifiable information (like a phone owner’s name or address), nuggets like that mobile identifier were deemed effectively “anonymous” and untouched by current privacy regulations here in the US.


Subject: How to Blur Your House in Google Maps’ Street View
Source: lifehacker via beSpacific

Lifehacker – “While, sure, anybody could just drive by your house to see what it looks like—all the tin foil in the world isn’t going to shield you from that privacy “violation,” though a fence might help—you can make it harder for people to see your home on Google Maps. The solution involves blurring out your entire house, and while it’s a sure-fire way to make your abode the ugliest-looking address on your virtual block, you may still want to do it. If you don’t like the image Google captured with one of its many Street View cars, or you want to keep random internet strangers from doing digital drive-bys, the option is there. There’s also one big caveat if you use it. Once you elect to blur your address, you can’t unblur it. Full stop. I’m not sure Google even makes exemptions if you’re the new owner of a house that was previously blurred; you can try, but I wouldn’t hold my breath if I were you. I also believe this request persists even if, or when, Google takes new Street View images of your area…” [Yes, it does persist. Also note, you can request the same blurring of your home on Microsoft Bing – but it is not automatic and can take more than a week to complete.]

Subject: EY’s chairman expressed ‘regret’ that German fintech Wirecard’s fraudulent practices were ‘not uncovered sooner’
Source: Markets Insider

  • EY’s global chairman has expressed “regret” that the accounting firm did not uncover Wirecard’s fraudulent practices sooner, according to a Financial Times report.
  • Amid backlash over EY’s failure to unmask the insolvent group’s $2 billion accounting fraud, chairman Carmine Di Sibio wrote to clients pledging to raise the bar on audits.
  • “The public interest clearly requires that much more be done to detect fraud at its earliest stages,” Di Sibio said in the letter seen by the FT.
  • He said EY would amp up the use of technology to improve fraud prevention through measures such as “electronic confirmations for audit evidence.”

“Many people believe that the fraud at Wirecard should have been detected earlier and we fully understand that,” Di Sibio wrote in the letter seen by the Financial Times. “Even though we were successful in uncovering the fraud, we regret that it was not uncovered sooner.”

Several investors are readying to sue both Wirecard and EY, which are under investigation by German authorities.

“The collusive acts of fraud at Wirecard were implemented through a highly complex criminal network designed to deceive everyone – investors, banks, supervisory authorities, investigating lawyers and forensic auditors, as well as ourselves,” the chairman wrote.

All auditors at EY will receive annual training in forensic accounting, according to the letter.

“I am not going to pre-empt the outcome of any investigations, but I want to clarify a fact that I know is of considerable importance to you and all our clients…When external confirmations for trustee accounts were obtained, the evidence received (including bank confirmations) had been falsified. It is obvious, therefore, that we need innovative techniques and processes to tackle future fraud of this scale,” Di Sibio said.

Subject: USPS Phishing Texts Are Flooding Phones Across The Country
Source: via Gizmodo

For those lucky enough not to have received these texts, the scheme generally works like this: you get a text from a mysterious number claiming that your delivery from USPS, FedEx, or another delivery service is experiencing some sort of issue in transit that requires your urgent attention. Because our country’s post offices are in a state of literal crisis right now, and because the text includes a legitimate-sounding (but in fact phony) tracking number, you click on the link they provide.

What happens next is up to the scammer behind the text, but generally they’re trying to get your credentials—most often in the form of a credit card number. In the example security researcher Eric Ellason unearthed in this tweet thread, the link that supposedly provided access to a supposed USPS shipment actually led to a domain that did nothing but infect your browser (or phone) with malware.


Subject: Creepy ‘Geofence’ Finds Anyone Who Went Near a Crime Scene
Source: WIRED

In 2018, 23-year-old Jorge Molina was arrested and jailed for six days on suspicion of killing another man. Police in Avondale, Arizona, about 20 miles from Phoenix, held Molina for questioning. According to a police report, officers told him they knew “one hundred percent, without a doubt” his phone was at the scene of the crime, based on data from Google. In fact, Molina wasn’t there. He’d simply lent an old phone to the man police later arrested. The phone was still signed into his Google account.

The information about Molina’s phone came from a geofence warrant, a relatively new and increasingly popular investigative technique police use to track suspects’ locations. Traditionally, police identify a suspect, then issue a warrant to search the person’s home or belongings.

Geofence warrants work in reverse: Police start with a time and location, and request data from Google or another tech company about the devices in the area at the time. The companies then typically supply anonymous data on the devices in the area. Police use their own investigative tools to narrow down this list. Then they may ask for more specific information—often an email address or a name of the account holder—for a phone on the narrower list.
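The three-step process described above, as an added illustration that is not part of the WIRED article and does not reproduce Google’s actual system: constructed location pings are filtered by time window and radius, returned as pseudonymous tokens, and a narrowed token list is then unmasked to the account signed in on the device. The `old-phone` record reproduces the Molina edge case: the account holder named in step 3 is not the person who carried the phone. All records, names and coordinates are constructed sample data.

```python
import hashlib
import math
from dataclasses import dataclass
from datetime import datetime


# Constructed sample records (not real data). The provider indexes pings by the
# account signed in on the device, not by whoever physically carried it.
@dataclass(frozen=True)
class Ping:
    device_id: str
    account: str  # account signed in on the device at the time of the ping
    lat: float
    lon: float
    ts: datetime


SCENE = (33.4356, -112.3497)  # hypothetical crime-scene centre (lat, lon)
WINDOW_START = datetime(2018, 3, 1, 22, 0)
WINDOW_END = datetime(2018, 3, 1, 22, 30)

PINGS = [
    Ping("phone-A", "alice@example", 33.4356, -112.3497, datetime(2018, 3, 1, 22, 5)),
    Ping("phone-B", "bob@example", 33.4358, -112.3499, datetime(2018, 3, 1, 22, 12)),
    # Lent to someone else, but still signed into the lender's account.
    Ping("old-phone", "molina@example", 33.4357, -112.3498, datetime(2018, 3, 1, 22, 9)),
    Ping("phone-C", "carol@example", 33.4800, -112.0700, datetime(2018, 3, 1, 22, 10)),  # ~26 km away
    Ping("phone-D", "dave@example", 33.4356, -112.3497, datetime(2018, 3, 2, 9, 0)),  # next morning
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def pseudonym(device_id):
    """Provider-side token used in the first, nominally anonymous response."""
    return hashlib.sha256(device_id.encode()).hexdigest()[:12]


def geofence_step1(pings, center, radius_m, start, end):
    """Step 1: time window plus circle -> sorted tokens of every device inside."""
    lat, lon = center
    inside = {p.device_id for p in pings
              if start <= p.ts <= end and haversine_m(lat, lon, p.lat, p.lon) <= radius_m}
    return sorted(pseudonym(d) for d in inside)


def geofence_step3(pings, tokens):
    """Step 3: unmask a narrowed token list -> account holder per token."""
    by_token = {pseudonym(p.device_id): p.account for p in pings}
    return {t: by_token[t] for t in tokens if t in by_token}
```

Note that step 1 sweeps in every device in the circle, not only the suspect's, and step 3 names the account holder, which is why a lent phone implicates its owner rather than its carrier.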

Critics say the process is an invasion of privacy, often subjecting many people to an unconstitutional search. Now, in a rare step, two judges have denied requests for geofence warrants and questioned whether they complied with Fourth Amendment protections for searches. Lawmakers and activists see the court opinions as steps toward a potential ban on the practice.

“This exact same data can be gathered by all sorts of commercial data brokers using the free apps on our phone,” Cahn says. “Police can potentially use them to get the exact same information as when they send a warrant to Google.”

Subject: The Internet of Things (video)
Source: WatchBlog: Official Blog of the U.S. GAO

“Internet of Things” (IoT) generally refers to everyday devices that you can find around your house—such as thermostats, smart speakers, or refrigerators—that now connect to a network or the Internet. But the federal government is also using this technology for a variety of purposes. Today’s WatchBlog features a new report issued this week and highlights our new video on how one federal agency uses IoT technology.

Subject: A Cash App con that could wipe out your bank account
Source: WRIC via WTAJ

It turned out someone disputed a payment to him. No one from Cash App ever contacted Harrison about it, so that person disputed more payments, draining Harrison’s account.

He says he’s out hundreds, and Cash App told him there was nothing they could do.

Harrison’s not the only one with Cash App complaints.

“We get calls daily,” said Barry N Moore, the President and CEO of the Central Virginia Better Business Bureau.

He said the local BBB has received more than 30 complaints in just the past few months.

“It’s just a big mess,” Moore said.

The only way to talk to Cash App is through the app and website, and scammers know it. They’re posing as Cash App customer service representatives.

Moore says most of the complaints to the BBB have come from Cash App customers who did a Google search for support after running into an issue with the app. Their search then led to very believable but bogus Cash App websites and fake customer service numbers where scammers are standing by ready to steal your money. Moore explained how the scam works.

Subject: Google to ban ‘stalkerware’ apps that secretly snoop on people
Source: Business Insider

  • Google says it will ban stalkerware apps on the Google Play store beginning on Oct. 1 — but with some exceptions.
  • The new policy is meant to crack down on apps built to collect personal information on someone’s device and secretly send it to another person, like a controlling spouse or partner.
  • However, Google will continue to allow parental control apps that do the same thing — but apps will now have to show users a notification when they’re being tracked.

Subject: DuckDuckGo Is Growing Fast
Source: BleepingComputer via beSpacific

BleepingComputer: “DuckDuckGo, the privacy-focused search engine, announced that August 2020 ended in over 2 billion total searches via its search platform. While Google remains the most popular search engine, DuckDuckGo has gained a great deal of traction in recent months as more and more users have begun to value their privacy on the internet. DuckDuckGo saw over 2 billion searches and 4 million app/extension installations, and the company also said that they have over 65 million active users. DuckDuckGo could shatter its old traffic record if the same growth trend continues. Even though DuckDuckGo is growing rapidly, it still controls less than 2 percent of all search volume in the United States. However, DuckDuckGo’s growth trend has continued throughout the year, mainly due to Google and other companies’ privacy scandal…”