Pete Recommends – Weekly highlights on cyber security issues, July 13, 2024

Subject: How AI Is Helping Scammers, and How You and Your Family Can Stay Safe Online
Source: MOAA
https://www.moaa.org/content/publications-and-media/news-articles/2024-news-articles/finance/how-ai-is-helping-scammers,-and-how-you-and-your-family-can-stay-safe-online/

Service members, veterans, and military families reported nearly 43,000 impostor scams to the Federal Trade Commission last year – about 30,000 more than the second-largest fraud type and nearly half of all military-connected fraud complaints. And according to an expert on such fraud, scammers are getting even better at masking their identities as they try to separate you from your money and/or personal data.

“The biggest change we’ve seen is how, more and more, scammers are using artificial intelligence to improve their chances of success,” said Ally Armeson, executive director of programs at the Cybercrime Support Network (CSN). “AI helps these criminals create very convincing phishing emails, fake voices, and deepfake videos that are quite hard to detect. With AI, scammers can produce nearly flawless imitations of voices and images using minimal data and at a very low cost. We cannot trust our eyes or ears when it comes to the internet or our devices.”


Subject: 10 Security Tips for Business Travelers This Summer
Source: TechRepublic
https://www.techrepublic.com/article/cyber-security-tips-business-travel/

Traveling for work can open employees up to a new host of security threats, including insecure Wi-Fi networks, infected public charging ports and Bluetooth attacks.

Topic: https://www.techrepublic.com/topic/security/


Subject: Google Fact Check Tools
Source: Google
https://www.bespacific.com/google-fact-check-tools/

“The Fact Check Tools consist of two tools: Fact Check Explorer and Fact Check Markup Tool. Both tools aim to facilitate the work of fact checkers, journalists and researchers. Google does not endorse or create any of these fact checks. If you disagree with one, please contact the website owner that published it. […]”

Abstracted from beSpacific
Copyright © 2024 beSpacific, All rights reserved.


Subject: Mortgage Brokers Sent People’s Estimated Credit, Address, and Veteran Status to Facebook
Source: USA Today via The Markup
https://themarkup.org/pixel-hunt/2024/05/15/mortgage-brokers-sent-peoples-estimated-credit-address-and-veteran-status-to-facebook

More than 200 national and regional lenders share sensitive user data with Facebook. Experts say it might be illegal. When someone applies for a mortgage, they trust a home loan lender or mortgage broker with some of the most sensitive information they have: information about their credit, their home, and the personal details of their lives. Unbeknownst to those prospective homeowners, they may also be sharing that information with Facebook.

As users filled out mortgage applications or requested quotes for mortgage rates, the pixel tracked information about their credit, veteran status, occupation, the specific homes they wanted, and more. Experts told The Markup that it might be against the law for mortgage lenders to feed this kind of information to Facebook.

What Have Mortgage Brokers Shared with Facebook? The Markup found mortgage brokers sent Facebook a range of different data points about visitors, including:

  • Estimated credit
  • Veteran status
  • Occupation
  • Co-borrowers’ names
  • Bankruptcy status
  • Homeownership status
  • Citizenship status
  • Interest in specific homes
  • The addresses of those homes

Clicking “I Decline” to the site’s cookie notice didn’t stop the pixel from tracking.

The FTC and Consumer Financial Protection Bureau have the power to police financial data under the Gramm–Leach–Bliley Act. The legislation is meant to secure users’ private financial information; while it applies to businesses like banks, it also covers several “non-banking financial institutions” that handle consumers’ financial data. Among the types of businesses that the FTC says are covered by the law are payday lenders, car dealerships—and mortgage brokers.

In practice, despite the terms of use, businesses send this sort of data again and again. Solow-Niederman told The Markup that one problem is that regulators are overwhelmed and can’t fully enforce penalties for companies caught violating privacy regulations.

Filed: https://themarkup.org/series/pixel-hunt


Subject: Opinion | Driving Apps Like Google Maps Drive Me Crazy
Source: NYT
https://www.nytimes.com/2024/07/10/opinion/google-maps-driving-apps-flaws.html?unlocked_article_code=1.6E0.rMWQ.nLlOXCOyAC98&smid=url-share

On my way to Kennedy International Airport, I grip the wheel tightly, swerving across three lanes of expressway traffic at 50 miles per hour to reach the exit. Minutes later, still shaken from my move, I hear a cheerful, disembodied voice instructing me to re-enter the expressway I had just exited. I curse at my phone. If you use a navigation app, you probably have felt helpless anger when your stupid phone endangers your life, and the lives of all the drivers around you, to potentially shave a minute or two from your drive time. Or maybe it’s stuck you on an ugly freeway when a glorious, ocean-hugging alternative lies a few miles away. Or maybe it’s trapped you on a route with no four-way stops, ignoring a less stressful solution that doesn’t leave you worried about a car barreling out of nowhere. For all the discussion of the many extraordinary ways algorithms have changed our society and our lives, one of the most impactful, and most infuriating, often escapes notice. Dominated by a couple of enormously powerful tech monopolists that have better things to worry about, our leading online mapping systems from Google and Apple are not nearly as good as they could be…. And when you have to use a popular driving app, take its directions with a huge grain of salt.
+ comments

Subject: Every [smart] Phone Can ID Your Router – Here’s How to Stop It
Source: PC Mag
https://www.bespacific.com/every-phone-can-id-your-router-heres-how-to-stop-it/

“Your smartphone constantly checks available Wi-Fi nodes, looking to reconnect with any that you’ve used before. You can see it happening, and it’s very convenient (though vulnerable to spoofing and “evil twin” attacks). What you don’t see is that your smartphone also uploads identifying details about your router to giant databases maintained by Apple, Google, and others. These databases benefit you (and everyone else) by fine-tuning your device’s GPS location skills. We’re here to explain why you might not want to participate and show you how to opt out.”

How to Opt Out – If learning about the possible dangers has you worried, or if you’re just enthused about every possible enhancement to your privacy, it’s easy enough to opt out. Both Apple and Google have agreed to ignore routers with SSIDs having a certain format. Specifically, if the router name ends in “_nomap” they ignore it.



Abstracted from beSpacific

Subject: Issuing preliminary findings under the Digital Services Act
Source: European Commission via Mastodon
https://newsie.social/@[email protected]/112772969816714555

Link to EU press release: Commission sends preliminary findings to X for breach of the Digital Services Act. For the first time, we are issuing preliminary findings under the Digital Services Act.

In our view, X does not comply in areas linked to:

  • Dark patterns
  • Advertising transparency
  • Data access for researchers

We will ensure that all platforms comply with EU legislation.



Subject: U.S. Seizes Domains Used by AI-Powered Russian Bot Farm for Disinformation
Source: The Hacker News
https://thehackernews.com/2024/07/us-seizes-domains-used-by-ai-powered.html

The U.S. Department of Justice (DoJ) said it seized two internet domains and searched nearly 1,000 social media accounts that Russian threat actors allegedly used to covertly spread pro-Kremlin disinformation in the country and abroad on a large scale. “The social media bot farm used elements of AI to create fictitious social media profiles — often purporting to belong to individuals in the United States — which the operators then used to promote messages in support of Russian government objectives,” the DoJ said.

The bot network, comprising 968 accounts on X, is said to be part of an elaborate scheme hatched by an employee of Russian state-owned media outlet RT (formerly Russia Today), sponsored by the Kremlin, and aided by an officer of Russia’s Federal Security Service (FSB), who created and led an unnamed private intelligence organization.

The developmental efforts for the bot farm began in April 2022 when the individuals procured online infrastructure while anonymizing their identities and locations. The goal of the organization, per the DoJ, was to further Russian interests by spreading disinformation through fictitious online personas representing various nationalities.

The phony social media accounts were registered using private email servers that relied on two domains – mlrtr[.]com and otanmail[.]com – that were purchased from domain registrar Namecheap. X has since suspended the bot accounts for violating its terms of service.

The information operation — which targeted the U.S., Poland, Germany, the Netherlands, Spain, Ukraine, and Israel — was pulled off using an AI-powered software package dubbed Meliorator that facilitated the “en masse” creation and operation of said social media bot farm.

“Using this tool, RT affiliates disseminated disinformation to and about a number of countries, including the United States, Poland, Germany, the Netherlands, Spain, Ukraine, and Israel,” law enforcement agencies from Canada, the Netherlands, and the U.S. said.


Subject: Singapore’s banks to ditch texted one-time passwords
Source: The Register
https://www.theregister.com/2024/07/12/singapore_banks_fight_phishing/

Accessibility be damned, preventing phishing is the priority

After around two decades of allowing one-time passwords (OTPs) delivered by text message to assist log ins to bank accounts in Singapore, the city-state will abandon the authentication technique.

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) announced on Tuesday that “major retail banks in Singapore will progressively phase out the use of One-Time Passwords (OTPs) for bank account login by customers who are digital token users within the next three months.”

The banks hope this will “better protect against phishing” – at least against attacks in which scammers trick customers into disclosing their OTP. Instead, MAS and ABS encourage the use of digital tokens – apps running on smartphones that produce OTPs – as the source of second factors for bank account authentication.

Bryan Tan, partner at tech-centric law firm Reed Smith, told The Reg the move was “not unexpected given that scammers have figured out how to game the current OTP system notwithstanding that it was two factor.”

The Register asked ABS and MAS what measures, if any, will be taken to include those who don’t have or want mobile phones – a situation Singapore recognized in 2020 when it created a device to substitute for its COVID-19 tracking app. It’s therefore unclear how the plan to ditch SMS 2FA will impact groups such as neo-luddites and the elderly, especially as dedicated physical tokens have also been phased out in Singapore. We will update should a substantial reply materialize.

[more]

Filed: https://www.theregister.com/security/

Posted in: AI, Cybercrime, Cybersecurity, Privacy, Social Media