Twitter had a data security problem last week that might sound trivial. Email addresses, phone numbers, and the last four digits of the credit cards used to buy ads on Twitter were left in browser cache after the transaction, and that cache was not secured.
This may seem trivial, but the consequences could be far more significant than you might think. Let’s explore how — and we’ll close with my product of the week that is arguably the best non-Apple smartwatch currently in the market: the Suunto 7, which uses Qualcomm’s Snapdragon 3100 platform.
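The cache problem in the opening paragraph comes down to HTTP response headers: a browser may write a response to disk unless the server marks it with Cache-Control: no-store. The Python below, added here as an illustration and not code from the article or from Twitter, checks a response's caching headers for that weakness and shows the hardened form; the header values, the JSON body, and the list of sensitive field names are constructed.

```python
import json

# Field names that should never sit in a browser cache (constructed list).
SENSITIVE_FIELDS = {"email", "phone", "card_last4"}
# Constructed sample: what an ads billing endpoint might return.
LEAKY_HEADERS = {"Content-Type": "application/json", "Cache-Control": "private, max-age=600"}
LEAKY_BODY = json.dumps({"email": "user@example.com", "phone": "+15555550123", "card_last4": "4242"})

def parse_cache_control(value: str) -> dict:
    """Split 'private, max-age=600' into {'private': None, 'max-age': '600'}."""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if token:
            name, _, arg = token.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def storage_findings(headers: dict) -> list:
    """List reasons a browser cache may still write this response to disk.
    Only no-store forbids storage: no-cache and must-revalidate only force
    revalidation before reuse, private limits storage to the browser's own
    cache, and max-age governs freshness, not whether the bytes are kept."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "cache-control" not in lower:
        return ["no Cache-Control header: browser may cache heuristically"]
    cc = parse_cache_control(lower["cache-control"])
    if "no-store" in cc:
        return []
    weak = ("no-cache", "must-revalidate", "private", "max-age", "public")
    hits = [f"'{d}' does not stop the browser storing the body" for d in weak if d in cc]
    return hits or ["Cache-Control present but lacks no-store"]

def audit(headers: dict, body: str) -> list:
    """Flag a response that both carries sensitive fields and may be stored."""
    try:
        fields = set(json.loads(body)) & SENSITIVE_FIELDS
    except (ValueError, TypeError):
        fields = set()
    if not fields:
        return []
    return [f"{sorted(fields)} cacheable: {f}" for f in storage_findings(headers)]

def harden(headers: dict) -> dict:
    """Copy with no-store (never written) and no-cache (stale copies revalidated)."""
    out = {k: v for k, v in headers.items() if k.lower() != "cache-control"}
    out["Cache-Control"] = "no-store, no-cache"
    return out

if __name__ == "__main__":
    print(audit(LEAKY_HEADERS, LEAKY_BODY), audit(harden(LEAKY_HEADERS), LEAKY_BODY))
```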
Phishing and Phone Fraud
When we largely shifted to working at home, a lot of people suddenly had tons of time on their hands and flipped to doing bad things. One of those things was mining people for money and information. Fraudsters know that folks working at home are distracted and worried, which leads to more potential victims.
A typical phishing attack, be it in the form of an email or phone call, attempts to convince you that the contact is from someone you trust. Then they use bits of information they have about you to mine you for enough additional information to do real damage.
If some of your data has been obtained illicitly because a vendor's system was compromised, the crooks can then come after you for more, on the phone. A typical call might go like this:
A fake caller ID number will show up to make the call you receive look legitimate, because the caller used a spoof app.
Attacker: Hello, this is [fake name], account supervisor at [Your Familiar Vendor]. We had a problem with your credit card with the last four digits of [the number they captured from Your Familiar Vendor], and the transaction failed to clear. Could you help us resolve the issue?
Attacker: Given the COVID-19 mess, you are OK, right?
Attacker: Anyway, given the COVID-19 mess, there have been a lot of fake accounts set up, and we need to make sure you are you. I hope you understand.
You: I do.
Attacker: So, the email we have for you is [captured email address].
Attacker: And the phone number we have is the one I just called [gives captured phone number], correct?
Attacker: Do you have the credit card you used with you?
(The reason for all of these questions is not only to get you to believe they are who they say they are, but to get you saying "yes" repeatedly so you will continue to cooperate.)
Attacker: Oh, it looks like the system purged the expiration date of your card, what was that again?
You: [Read the expiration date to the attacker.]
Attacker: OK, let's try to run it again. Hang on. [Some time passes.] Sorry, the card still isn't clearing. Do you think you might have miskeyed the number? I'm so sorry for the trouble, could you give me the number again?
(If they do this right, you are now convinced they are from Your Familiar Vendor.)
You: [Read the card number to the attacker.]
Attacker: It still isn't clearing. Let's double-check one more thing: that little number on the back of the card, would you mind reading it to me?
Now, if you do, they have everything they need to charge your credit card, and they can then use the same information to phish for even more with the same methodology. For instance, the attackers could call back and this time say they are from Amazon (effective because most people do business with Amazon), repeat back the card information they already have, say there is a problem, and then get another one or two card numbers and more information from you by pretending your cards have issues.
This process could iterate over weeks until they have enough information about you to steal your identity. If they succeed, it will take months or years to get your life and credit rating back. Not to mention the grief you are likely to get from your loved ones for falling for the scam.
Wrapping Up: Be Prepared
Forewarned is forearmed. Knowing this, if you have advertised on Twitter, be on alert for anyone who calls with some of your personal information and asks for more, particularly if it is the information you know was leaked. Bear in mind that they may also have phished your kids or spouse, so they could know more than what leaked.
One recommended practice is never to provide information about your finances over the phone unless you placed the call yourself, to a number you verified belongs to a business you trust. Any inbound call, email, or text message asking about your personal information or finances should be distrusted.
If you are concerned, look up the company's number yourself and call them to review your account and see whether there is a problem.
Or log into the company's website by typing its URL directly into your browser (don't click links in emails; those could be phishing scams) and check whether there are any flags on the account. If there aren't, and generally there won't be, you have probably avoided being scammed.
For kids and older folks, you might want to role-play these calls with them so they won't fall for the scams and will always be on the lookout. People who do this well are great at finding the weak link in the family, so you need to ensure that whoever yours is, they are ready for the challenge.
Originally published by: Rob Enderle (2020). Security Blunder. [online] Tech News World. Available at: technewsworld.com