Previous month:
September 2018
Next month:
November 2018

15 posts from October 2018

More Consequences From The Phony-Accounts Scandal At Wells Fargo Bank

Wells Fargo logo Consequences continue after the bank's phony-accounts scandal. Last week, Well Fargo announced several changes in senior management:

"Chief Administrative Officer Hope Hardison and Chief Auditor David Julian have begun leaves of absence from Wells Fargo and will no longer be members of the company’s Operating Committee. These leaves relate to previously disclosed ongoing reviews by regulatory agencies in connection with historical retail banking sales practices. These leaves of absence are unrelated to the company’s reported financial results..."

An investigation in 2017 found a new total of 3.5 million phony consumer and small business accounts set up by employees trying to game an internal sales compensation system. The phony accounts, many of which incurred fees and charges, had been set up without customers' knowledge nor approval. In a settlement agreement in 2016 with the Consumer Financial Protection Bureau (CFPB), Wells Fargo paid a $185 million fine last year for alleged unlawful sales practices with 1.5 million phony accounts known at that time. In 2016, about 5,300 mostly lower-level employees had been fired as a result of the scandal.

The latest announcement listed more executive changes:

"David Galloreese continues as head of Human Resources and will report directly to CEO and President Tim Sloan and join the Operating Committee. Cara Peck, who heads the Culture and Change Management teams, will report directly to Galloreese.

Jim Rowe continues as head of Stakeholder Relations and will report directly to Sloan. Stakeholder Relations will expand to include Corporate Philanthropy and Community Relations, headed by Jon Campbell... Kimberly Bordner, currently executive audit director, will become the company’s acting Chief Auditor..."

The bank is conducting an executive search for a new Chief Auditor.

Executives at the bank have plenty to fix. In April, federal regulators assessed a $1 billion fine against the bank for violations of the Consumer Financial Protection Act (CFPA) in the way it administered mandatory insurance for auto loans. In August, reports surfaced that the bank had accidentally foreclosed on 400 homeowners it shouldn't have due to a software bug.

In June 2017, U.S. Senator Elizabeth Warren (D-Massachusetts) called for the firing of all 12 board members at Wells Fargo bank for failing to adequately protect account holders. Let's hope these latest senior executive changes bring about needed changes.


Yahoo Agrees To $50 Million Payment To Settle 2013 Breach

Fortune magazine reported that Yahoo:

"... has agreed to pay a $50 million settlement to roughly 200 million people affected by the email service’s 2013 data breach... Up to 3 billion accounts had their emails and other personal information stolen in the hacking, but the settlement filed late Monday only applies to an estimated 1 billion accounts, held by 200 million people in the United States and Israel between 2012 and 2016... A hearing to approve this proposed end to the two-year lawsuit will be held in California on Nov. 29. If approved, the affected account holders will be emailed a notice."


Security Researcher Warns 'Hack A Smart Meter And Kill The Grid'

Everyone has utility meters which measure their gas and/or electricity consumption. Many of those meters are smart meters, installed in homes in both the United States and Britain. How secure are smart meters? First, some background since few consumers know what's installed in their homes.

According to the U.S. Energy Information Administration (EIA), there were 78.9 million smart meters installed in the United States by 2017, and residential installations account for 88 percent of that total. So, about half of all electricity customers in the United States use smart utility meters.

All smart meters wirelessly transmit usage to the utility provider. That's why you never see utility technicians visiting homes to manually "read" utility meters. There are two types of smart meters. In 2013, the number of two-way (AMI) smart meters in the United States exceeded the number of one-way (AMR) smart meters. The EIA explained:

"Two-way or AMI (advanced metering infrastructure) meters allow utilities and customers to interact to support smart consumption applications...The deployment and use of AMI and AMR meters vary greatly by state. Only 5 states had an AMI penetration rate above 80 percent. High penetration rates are seen in northern New England, Western states, Georgia and Texas. California added the most AMI meters of any state in 2013... There were 6 states with AMR penetration rates above 80 percent with Rhode Island the leader at 95 percent. The highest penetration rates are in the Rocky Mountain, Upper Plains and Southern Atlantic states. New York added nearly 540,000 AMR meters in 2013. Pennsylvania lost 580,000 AMR meters, but gained almost 620,000 AMI meters..."

Chart with 2-way smart utility meter penetration by state in 2013 by EIA. Click to view larger version See the chart on the right for two-way installations by state. Readers of this blog are aware of the privacy issues. A few states allow users to opt out of smart meters. Since the wireless transmissions occur throughout each month, smart meters can be used to profile consumers with a high degree of accuracy (e.g., the number of persons living in the dwelling, when you're home and the duration, which electric appliances are used, the presence of security and alarm systems, special equipment such as in-home medical equipment, etc.).

Now, back to Britain. It seems that the security of smart utility meters is questionable. Smart Grid Awareness follows the security and privacy issues associated with smart utility meters. The site reported that a British security expert:

"... is more convinced than ever that evidence now exists that rogue chips may be embedded into electronic circuit boards during the manufacturing process, such as those contained within utility smart meters. Smart meters can be considered high value targets for hackers due to the existence of the “remote disconnect” feature included as an option for most smart meters deployed today."

So, smart meters are part of the "smart power grid." If smart utility meters can be hacked, then the power grid -- and residential utility services -- can be interrupted or disabled. The remote-disconnect feature allows the utility to remotely turn off a meter. Smart meters in the United States have this feature, too. Reportedly, utilities say that they've disabled the feature. However, if the supply chain has been compromised with hacked chips (as this Bloomberg report claimed with computers), then bad actors may indeed be able to turn on and use the remote-disconnect feature in smart utility meters.

You can read for yourself the report by security researcher Nick Hunn. Clearly, there is more news to come about this. I look forward to energy providers assuring consumers how they've protected their supply chains. What do you think?


Survey: Most Home Users Satisfied With Voice-Controlled Assistants. Tech Adoption Barriers Exist

Recent survey results reported by MediaPost:

"Amazon Alexa and Google Assistant have the highest satisfaction levels among mobile users, each with an 85% satisfaction rating, followed by Siri and Bixby at 78% and Microsoft’s Cortana at 77%... As found in other studies, virtual assistants are being used for a range of things, including looking up things on the internet (51%), listening to music (48%), getting weather information (46%) and setting a timer (35%)... Smart speaker usage varies, with 31% of Amazon device owners using their speaker at least a few times a week, Google Home owners 25% and Apple HomePod 18%."

Additional survey results are available at Digital Trends and Experian. PWC found:

"Only 10% of surveyed respondents were not familiar with voice-enabled products and devices. Of the 90% who were, the majority have used a voice assistant (72%). Adoption is being driven by younger consumers, households with children, and households with an income of >$100k... Despite being accessible everywhere, three out of every four consumers (74%) are using their mobile voice assistants at home..."

Consumers seem to want privacy when using voice assistants, so usage tends to occur at home and not in public places. Also:

"... the bulk of consumers have yet to graduate to more advanced activities like shopping or controlling other smart devices in the home... 50% of respondents have made a purchase using their voice assistant, and an additional 25% would consider doing so in the future. The majority of items purchased are small and quick.. Usage will continue to increase but consistency must improve for wider adoption... Some consumers see voice assistants as a privacy risk... When forced to choose, 57% of consumers said they would rather watch an ad in the middle of a TV show than listen to an ad spoken by their voice assistant..."

Consumers want control over the presentation of advertisements by voice assistants. Control options desired include skip, select, never while listening to music, only at pre-approved times, customized based upon interests, seamless integration, and match to preferred brands. 38 percent of survey respondents said that they, "don't want something 'listening in' on my life all the time."

What are your preferences with voice assistants? Any privacy concerns?


Billions Of Data Points About Consumers Exposed During Data Breach At Data Aggregator

It's not only social media companies and credit reporting agencies that experience data breaches where massive amounts of sensitive, personal information about millions of consumers are exposed and/or stolen. Data aggregators and analytics firms also have data breaches. Wired Magazine reported:

"The sales intelligence firm Apollo sent a notice to its customers disclosing a data breach it suffered over the summer... Apollo is a data aggregator and analytics service aimed at helping sales teams know who to contact, when, and with what message to make the most deals... Apollo also claims in its marketing materials to have 200 million contacts and information from over 10 million companies in its vast reservoir of data. That's apparently not just spin. Night Lion Security founder Vinny Troia, who routinely scans the internet for unprotected, freely accessible databases, discovered Apollo's trove containing 212 million contact listings as well as nine billion data points related to companies and organizations. All of which was readily available online, for anyone to access. Troia disclosed the exposure to the company in mid-August."

This is especially problematic for several reasons. First, data aggregators like Apollo (and social media companies and credit reporting agencies) are high-value targets: plenty of data is stored in one location. That's both convenient and risky. It also places a premium upon data security.

When data like this is exposed or stolen, it makes it easy for fraudsters, scammers, and spammers to create sophisticated and more effective phishing (and vishing) attacks to trick consumers and employees into revealing sensitive payment and financial information.

Second, data breaches like this make it easier for governments' intelligence agencies to compile data about persons and targets. Third, Apollo's database reportedly also contained sensitive data about clients. That's proprietary information. Wired explained:

"Some client-imported data was also accessed without authorization... Customers access Apollo's data and predictive features through a main dashboard. They also have the option to connect other data tools they might use, for example authorizing their Salesforce accounts to port data into Apollo..."

Salesforce, a customer relationship management (CRM) platform, uses cloud services and other online technologies to help its clients, companies with sales representatives, to manage their sales, service, and marketing activities. This breach also suggests that some employee training is needed about what to, and what not to upload, to outsourcing vendor sites. What do you think?


Data Breach Affects 75,000 Healthcare.gov Users

On Friday, the Centers For Medicare and Medicaid Services (CMS) announced a data breach at a computer system which interacts with the Healthcare.gov site. Files for about 75,000 users -- agents and brokers -- were accessed by unauthorized persons. The announcement stated:

"Earlier this week, CMS staff detected anomalous activity in the Federally Facilitated Exchanges, or FFE’s Direct Enrollment pathway for agents and brokers. The Direct Enrollment pathway, first launched in 2013, allows agents and brokers to assist consumers with applications for coverage in the FFE... CMS began the initial investigation of anomalous system activity in the Direct Enrollment pathway for agents and brokers on October 13, 2018 and a breach was declared on October 16, 2018. The agent and broker accounts that were associated with the anomalous activity were deactivated, and – out of an abundance of caution – the Direct Enrollment pathway for agents and brokers was disabled."

CMS has notified and is working with Federal law enforcement. It expects to restore the Direct Enrollment pathway for agents and brokers within the next 7 days, before the start of the sign-up period on November 1st for health care coverage under the Affordable Care Act.

CMS Administrator Seema Verma said:

"I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection."

Sadly, data breaches happen -- all too often within government agencies and corporations. It should be noted that this breach was detected quickly -- within 3 days. Other data breaches have gone undetected for weeks or months; and too many corporate data breaches affected millions.

 


New York State Attorney General Expands Investigation Into Fraudulent 'Net Neutrality' Comments Submitted To FCC

The Attorney General (AG) for New York State has expanded its fraud investigation regarding net neutrality comments submitted to the U.S. Federal Communication Commission (FTC) website in 2017. The New York Times reported that the New York State AG has:

"... subpoenaed more than a dozen telecommunications trade groups, lobbying contractors and Washington advocacy organizations on Tuesday, seeking to determine whether the groups submitted millions of fraudulent public comments to sway a critical federal decision on internet regulation... The attorney general, Barbara D. Underwood, is investigating the source of more than 22 million public comments submitted to the F.C.C. during the battle over the regulations. Millions of comments were provided using temporary or duplicate email addresses, while others recycled identical phrases. Seven popular comments, repeated verbatim, accounted for millions more. The noise from the fake or orchestrated comments appears to have broadly favored the telecommunications industry..."

Also this month, the Center For Internet & Society reported the results of a study at Stanford University (bold emphasis added):

"In the leadup to the FCC's historic vote in December 2017 to repeal all net neutrality protections, 22 million comments were filed to the agency. But unfortunately, millions of those comments were fake. Some of the fake comment were part of sophisticated campaigns that filed fake comments using the names of real people - including journalists, Senators and dead people. The FCC did nothing to try to prevent comment stuffing and comment fraud, and even after the vote, made no attempt to help the public, journalists, policy makers actually understand what Americans actually told the FCC... This report used the 800,000 comments Kao identified as semantic standouts from form letter and fraud campaigns. These unique comments were overwhelmingly in support of keeping the 2015 Open Internet Order - in fact, 99.7% of comments opposed the repeal of net neutrality protections. This report then matched and sorted those comments to geographic areas, including the 50 states and every Congressional District..."

An investigation in 2017 by the New York State AG found that about 2 million of the comments submitted to the FCC about net neutrality "stole real Americans' identities." A follow-up investigation found that more than 9 million comments "used stolen identities."

The FCC, led by Trump appointee Ajit Pai, a former Verizon lawyer, repealed last year both broadband privacy and net neutrality protections for consumers. The FCC has ignored requests to investigate comments fraud. A December 2017 study of 1,077 voters found that most want net neutrality protections. President Trump signed the privacy-rollback legislation in April 2017. A prior blog post listed many historical abuses of consumers by some ISPs.

Some of the organizations subpoenaed by the New York State AG include (links added):

"... Broadband for America, Century Strategies, and MediaBridge. Broadband for America is a coalition supported by cable and telecommunications companies; Century Strategies is a political consultancy founded by Ralph Reed, the former director of the Christian Coalition; and MediaBridge is a conservative messaging firm..."

Reportedly, the New York AG has requested information from both groups which opposed and supported net neutrality protections. The New York AG operates a website where consumers can check for fake comments submitted to the FCC. (When you check, enter your name in quotes for a more precise search. And check the street address, since many people have the same name.) I checked. You can read my valid comment submitted to the FCC.

This whole affair is another reminder of how to attack and undermine a democracy by abusing online tools. A prior post discussed how social media has been abused.


Aetna To Pay More Than $17 Million To Resolve 2 Privacy Breaches

Aetna logo Aetna inked settlement agreements with several states, including New Jersey, to resolve disclosures of sensitive patient information. According to an announcement by the Attorney General for New Jersey, the settlement agreements resolve:

"... a multi-state investigation focused on two separate privacy breaches by Aetna that occurred in 2017 – one involving a mailing that potentially revealed information about addressees’ HIV/AIDS status, the other involving a mailing that potentially revealed individuals’ involvement in a study of patients with atrial fibrillation (or AFib)..."

Connecticut, Washington, and the District of Columbia joined with New Jersey for both the  investigation and settlement agreements. The multi-state investigation found:

"... that Aetna inadvertently disclosed HIV/AIDS-related information about thousands of individuals across the U.S. – including approximately 647 New Jersey residents – through a third-party mailing on July 28, 2017. The envelopes used in the mailing had an over-sized, transparent glassine address window, which revealed not only the recipients’ names and addresses, but also text that included the words “HIV Medications"... The second breach occurred in September 2017 and involved a mailing sent to 1,600 individuals concerning a study of patients with AFib. The envelopes for the mailing included the name and logo for the study – IMPACT AFib – which could have been interpreted as indicating that the addressee had an AFib diagnosis... Aetna not only violated the federal Health Insurance Portability and Accountability Act (HIPAA), but also state laws pertaining to the protected health information of individuals in general, and of persons with AIDS or HIV infection in particular..."

A class-action lawsuit filed on behalf of affected HIV/AIDS patients has been settled, pending approval from a federal court, which requires Aetna to pay about $17 million to resolve allegations. Terms of the multi-state settlement agreement require Aetna to pay a $365,211.59 civil penalty to New Jersey, and:

  • Implement policy, processes, and employee training reforms to both better protect persons' protected health information, and ensure mailings maintain persons' privacy; and
  • Hire an independent consultant to evaluate and report on its privacy protection practices, and to monitor its compliance with the terms of the settlement agreements.

CVS Health logo In December of last year, CVS Health and Aetna announced a merger agreement where CVS Health acquired Aetna for about $69 billion. Last week, CVS Health announced an expansion of its board of directors to include the addition of three directors from its Aetna unit. At press time, neither company's website mentioned the multi-state settlement agreement.


Facebook Lowers Its Number of Breach Victims And Explains How Hackers Broke In And Stole Data

Facebook logo In an October 12th Security Update, Facebook lowered the number of users affected during its latest data breach, and explained how hackers broke into its systems and stole users' information during the data breach it first announced on September 28th. During the data breach:

"... the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people. In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.

The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information."

Facebook promises to notify the 30 million breach victims. While it lowered the number of breach victims from 50 to 30 million, this still isn't good. 30 million is still a lot of users. And, hackers stolen the juiciest data elements -- contact and profile information -- about breach victims, enabling them to conduct more fraud against victims, their family, friends, and coworkers. Plus, note the phrase: "the attackers already controlled a set of accounts." This suggest the hackers created bogus Facebook accounts, had the sign-in credentials (e.g., username, password) of valid accounts, or both. Not good.

Moreover, there is probably more bad news coming, as other affected companies assess the (collateral) damage. Experts said that Facebook's latest breach may be worse since many companies participate in the Facebook Connect program. Not good.

The timeline of the data breach and intrusion detection are troubling. Facebook admitted that the vulnerability hackers exploited existed from July, 2017 to September, 2018 when it noticed, "an unusual spike of activity that began on September 14, 2018." While it is good that Facebook's tech team notice the intrusion, the bad news is the long open window the vulnerability existed provided plenty of time for hackers to plot and do damage.  That the hackers used automated tools suggests that the hackers knew about the vulnerabilities for a long time... long enough to decide what to do, and then build automated tools to steal users' information. Where was Facebook's quality assurance (QA) testing department during all of this? Not good.

This latest data breach included a tiny bit of good news:

"This attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts."

Meanwhile, Facebook runs TV advertisements for its new Portal, a voice-activated device with a video screen, always-listening microphone, and camera for video chats within homes.  BuzzFeed reported:

"Portal’s debut comes at a time when Facebook is struggling to reassure the public that it’s capable of protecting users’ privacy... In promoting Portal, Facebook is emphasizing the devices’ security... The company asserts that it doesn't listen or view the content of Portal calls, and the Smart Camera’s artificial intelligence–powered tracking doesn’t run on Facebook servers or use facial recognition. Audio snippets of voice commands can also be deleted from your Facebook Activity Log... because Portal relies on Facebook’s Messenger service, those calls are still under the purview of Facebook’s data privacy policy. The company collects information about “the people, Pages, accounts, hashtags and groups you are connected to and how you interact with them across our Products, such as people you communicate with the most or groups you are part of.” This means that Facebook will know who you’re talking to on Portal and for how long."

Buzzfeed also listed several comments by users. Some are skeptical of privacy promises:

Tweet #1 about Facebook Portal. Click to view larger version

Here's another comment:

Who is going to buy Portal while breach investigation results from this latest data breach, and from its Cambridge Analytica breach, are still murky? What other systems and software vulnerabilities exist? Would you buy Portal?


NPR Podcast: 'The Weaponization Of Social Media'

Any technology can be used for good, or for bad. Social media is no exception. A recent data breach study in Australia listed the vulnerabilities of social media. A study in 2016 found, "social media attractive to vulnerable narcissists."

How have social media sites and mobile apps been used as weapons? The podcast below features an interview of P.W. Singer and Emerson Brooking, authors of a new book, "LikeWar: The Weaponization of Social Media." The authors cite real-world examples of how social media sites and mobile apps have been used during conflicts and demonstrations around the globe -- and continue to be used.

A Kirkus book review stated:

"... Singer and Brooking sagely note the intensity of interpersonal squabbling online as a moral equivalent of actual combat, and they also discuss how "humans as a species are uniquely ill-equipped to handle both the instantaneity and the immensity of information that defines the social media age." The United States seems especially ill-suited, since in the Wild West of the internet, our libertarian tendencies have led us to resist what other nations have put in place, including public notices when external disinformation campaigns are uncovered and “legal action to limit the effect of poisonous super-spreaders.” Information literacy, by this account, becomes a “national security imperative,” one in which the U.S. is badly lagging..."

The new book "LikeWar" is available at several online bookstores, including Barnes and Noble, Powell's, and Amazon. Now, watch the podcast:


'Got Another Friend Request From You' Warnings Circulate On Facebook. What's The Deal?

Facebook logo Several people have posted on their Facebook News Feeds messages with warnings, such as:

"Please do not accept any new Friend requests from me"

And:

"Hi … I actually got another friend request from you yesterday … which I ignored so you may want to check your account. Hold your finger on the message until the forward button appears … then hit forward and all the people you want to forward too … I had to do the people individually. Good Luck!"

Maybe, you've seen one of these warnings. Some of my Facebook friends posted these warnings in their News Feed or in private messages via Messenger. What's happening? The fact-checking site Snopes explained:

"This message played on warnings about the phenomenon of Facebook “pirates” engaging in the “cloning” of Facebook accounts, a real (but much over-hyped) process by which scammers target existing Facebook users accounts by setting up new accounts with identical profile pictures and names, then sending out friend requests which appear to originate from those “cloned” users. Once those friend requests are accepted, the scammers can then spread messages which appear to originate from the targeted account, luring that person’s friends into propagating malware, falling for phishing schemes, or disclosing personal information that can be used for identity theft."

Hacked Versus Cloned Accounts

While everyone wants to warn their friends, it is important to do your homework first. Many Facebook users have confused "hacked" versus "cloned" accounts. A hack is when another person has stolen your password and used it to sign into your account to post fraudulent messages -- pretending to be you.

Snopes described above what a "cloned" account is... basically a second, unauthorized account. Sadly, there are plenty of online sources for scammers to obtain stolen photos and information to create cloned accounts. One source is the multitude of massive corporate data breaches: Equifax, Nationwide, Facebook, the RNC, Uber, and others. Another source are Facebook friends with sloppy security settings on their accounts: the "Public" setting is no security. That allows scammers to access your account via your friends' wide-open accounts lacking security.

It is important to know the differences between "hacked" and "cloned" accounts. Snopes advised:

"... there would be no utility to forwarding [the above] warning to any of your Facebook friends unless you had actually received a second friend request from one of them. Moreover, even if this warning were possibly real, the optimal approach would not be for the recipient to forward it willy-nilly to every single contact on their friends list... If you have reason to believe your Facebook account might have been “cloned,” you should try sending separate private messages to a few of your Facebook friends to check whether any of them had indeed recently received a duplicate friend request from you, as well as searching Facebook for accounts with names and profile pictures identical to yours. Should either method turn up a hit, use Facebook’s "report this profile" link to have the unauthorized account deactivated."

Cloned Accounts

If you received a (second) Friend Request from a person who you are already friends with on Facebook, then that suggests a cloned account. (Cloned accounts are not new. It's one of the disadvantages of social media.) Call your friend on the phone or speak with him/her in-person to: a) tell him/her you received a second Friend Request, and b) determine whether or not he/she really sent that second Friend Request. (Yes, online privacy takes some effort.) If he/she didn't send a second Friend Request, then you know what to do: report the unauthorized profile to Facebook, and then delete the second Friend Request. Don't accept it.

If he/she did send a second Friend Request, ask why. (Let's ignore the practice by some teens to set up multiple accounts; one for parents and a second for peers.) I've had friends -- adults -- forget their online passwords, and set up a second Facebook account -- a clumsy, confusing solution. Not everyone has good online skills. Your friend will tell you which account he/she uses and which account he/she wants you to connect to. Then, un-Friend the other account.

Hacked Accounts

All Facebook users should know how to determine if your Facebook account has been hacked. Online privacy takes effort. How to check:

  1. Sign into Facebook
  2. Select "Settings."
  3. Select "Security and Login."
  4. You will see a list of the locations where your account has been accessed. If one or more of the locations weren't you, then it's likely another person has stolen and used your password. Proceed to step #5.
  5. For each location that wasn't you, select "Not You" and then "Secure Account." Follow the online instructions displayed and change your password immediately.

I've performed this check after friends have (erroneously) informed me that my account was hacked. It wasn't.

Facebook Search and Privacy Settings

Those wanting to be proactive can search the Facebook site to find other persons using the same name. Simply, enter your name in the search mechanism. The results page lists other accounts with the same name. If you see another account using your identical profile photo (and/or other identical personal information and photos), then use Facebook's "report this profile" link to report the unauthorized account.

You can go one step further and warn your Facebook friends who have the "Public" security setting on their accounts. They may be unaware of the privacy risks, and once informed may change their security setting to "Friends Only." Hopefully, they will listen.

If they don't listen, you can suggest that he/she at a minimum change other privacy settings. Users control who can see their photos and list of friends on Facebook. To change the privacy setting, navigate to your Friends List page and select the edit icon. Then, select the "Edit Privacy" link. Next, change both privacy settings for, "Who can see your friends?" and "Who can see the people, Pages, and lists you follow?" to "Only Me." As a last resort, you can un-Friend the security neophyte, if he/she refuses to make any changes to their security settings.


New Phone-Based Phishing Scams Can Trick Even Experts. How You Can Avoid Getting Duped

Beware, phone scams are more sophisticated. The pitches are so slick that even some technology experts who know better were tricked into disclosing sensitive personal and payment information. Some phone scams include human callers (called "phishing"), while others include a mix of humans and computer automation (called "vishing").

The Krebs On Security blog listed several examples. Here's one:

"Matt Haughey is the creator of the community Weblog MetaFilter... Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses. Actually, he got three calls from the same number in rapid succession. He ignored the first two, letting them both go to voicemail. But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him.

Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She proceeded to then read him the last four digits of the card that was currently in his wallet. It checked out. Haughey told the lady that he would need a replacement card immediately... Without missing a beat, the caller said he could keep his card and that the credit union would simply block any future charges that weren’t made in either Oregon or California. This struck Haughey as a bit off. Why would the bank say they were freezing his card but then say they could keep it open for his upcoming trip?"

Maybe that struck you as odd, too. Against his better judgment, Haughey continued the phone call and didn't hang up. The caller knew his home address and asked him to verify his mother's maiden name, the 3-digit security code on the back of his card, and his PIN number. Those requests were more clues, too. The bank should know this information.

Like most people, Haughey thought that it was his bank trying to be helpful. Finally, he hung up and called his bank directly. That's when he learned it was a scam. His bank hadn't called.

This example provides several lessons for consumers:

  1. Scam artists are persistent. They will keep calling hoping you'll give in and answer the phone calls.
  2. Scam artists are well armed. Thanks to the recent multitude of massive corporate data breaches (like this one, this one, this one, this one, and/or this one), the bad guys have probably acquired plenty of stolen personal and payment information about consumers. Criminals also buy, sell, and trade stolen data on the dark web. Using the same technologies (e.g., artificial intelligence, open-source online tools) which the good guys use, the bad guys will "spoof" or fake valid phone numbers to pretend to be your bank or financial institution.
  3. A bit of skepticism is healthy. We've all been taught to be polite and to answer the phone when it rings. Scam artists try to exploit this habit. Experts advise consumers to hang up on robocalls. Even if the Caller ID feature on your phone displays a familiar number, hang up and call your bank or financial institution directly. Their phone number is conveniently listed on the back of your credit/debit card. Ask your bank if they called. They probably didn't.
  4. Learn how to spot robocalls acting like humans. If you're curious and have the time, ask a simple question like, "How's the weather where you live?" If the caller ignores your question or provides a canned response, like "I don't have that information" or "I'm sorry. Can you repeat that," then it's probably a robocall. Hang up.
  5. Know scam artists' pitch. It's all about money. They will pretend to be your bank, financial institution, phone company, and/or computer company. (Yes, online scammers have a profile.) Similar to phishing emails, phone scams often include a sense of urgency. They want you to act now... in the moment. Wise consumers do product research and comparison shop before making purchase decisions. The "haste makes waste" advice your parents told you as a youth still applies.

You now know more, so you won't get duped by phone scams.


Why The Recent Facebook Data Breach Is Probably Much Worse Than You First Thought

Facebook logo The recent data breach at Facebook has indications that it may be much worse than first thought. It's not the fact that a known 50 million users were affected, and 40 million more may also be affected. There's more. The New York Times reported on Tuesday:

"... the impact could be significantly bigger since those stolen credentials could have been used to gain access to so many other sites. Companies that allow customers to log in with Facebook Connect are scrambling to figure out whether their own user accounts have been compromised."

Facebook Connect, an online tool launched in 2008, allows users to sign into other apps and websites using their Facebook credentials (e.g., username, password). many small, medium, and large businesses joined the Facebook Connect program, which was using:

"... a simple proposition: Connect to our platform, and we’ll make it faster and easier for people to use your apps... The tool was adopted by thousands of other firms, from mom-and-pop publishing companies to high-profile tech outfits like Airbnb and Uber."

Initially, Facebook Connect made online life easier and more convenient. Users could sign up for new apps and sites without having to create and remember new sign-in credentials:

But in July 2017, that measure of security fell short. By exploiting three software bugs, attackers forged “access tokens,” digital keys used to gain entry to a user’s account. From there, the hackers were able to do anything users could do on their own Facebook accounts, including logging in to third-party apps."

On Tuesday, Facebook released a "Login Update," which said in part:

"We have now analyzed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login.

Any developer using our official Facebook SDKs — and all those that have regularly checked the validity of their users’ access tokens – were automatically protected when we reset people’s access tokens. However, out of an abundance of caution, as some developers may not use our SDKs — or regularly check whether Facebook access tokens are valid — we’re building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out."

So, there are more news and updates to come about this. According to the New York Times, some companies' experiences so far:

"Tinder, the dating app, has found no evidence that accounts have been breached, based on the "limited information Facebook has provided," Justine Sacco, a spokeswoman for Tinder and its parent company, the Match Group, said in a statement... The security team at Uber, the ride-hailing giant, is logging some users out of their accounts to be cautious, said Melanie Ensign, a spokeswoman for Uber. It is asking them to log back in — a preventive measure that would invalidate older, stolen access tokens."


FTC: How You Should Handle Robocalls. 4 Companies Settle Regarding Privacy Shield Claims

First, it seems that the number of robocalls has increased during the past two years. Some automated calls are English. Some are in other languages. All try to trick consumers into sending money or disclosing sensitive financial and payment information. Advice from the U.S. Federal Trade Commission (FTC):

Second, the FTC announced a settlement agreement with four companies:

"In separate complaints, the FTC alleges that IDmission, LLC, mResource LLC (doing business as Loop Works, LLC), SmartStart Employment Screening, Inc., and VenPath, Inc. falsely claimed to be certified under the EU-U.S. Privacy Shield, which establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law... The Department of Commerce administers the Privacy Shield framework, while the FTC enforces the promises companies make when joining the framework."

According to the lawsuits, IDmission, a cloud-based services firm, applied in 2017 for Privacy Shield certification with the U.S. Department of Commerce but never completed the necessary steps to be certified under the program. The other three companies each obtained Privacy Shield certification in 2016 but allowed their certifications to lapse. VenPath is a data analytics firm. SmartStart offers employment and background screening services. mResource provides talent management and recruitment services.

Terms of the settlement agreements prohibit all four companies from misrepresenting their participation in any privacy or data security program sponsored by the government. Also:

"... VenPath and SmartStart must also continue to apply the Privacy Shield protections to personal information they collected while participating in the program, protect it by another means authorized by the Privacy Shield framework, or return or delete the information within 10 days of the order."


Facebook Data Breach Affected 90 Million Users. Users Claim Facebook Blocked Posts About the Breach

On Friday, Facebook announced a data breach which affected about 50 million users of the social networking service. Facebook engineers discovered the hack on September 25th. The Facebook announcement explained:

"... that attackers exploited a vulnerability in Facebook’s code that impacted “View As” a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app... This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens."

Facebook Security Update: image for mobile users. Click to view larger version Many mobile users will see the message in the image displayed on the right. Facebook said it has fixed the vulnerability, notified law enforcement, turned off the "View As" feature until the breach investigation is finished, and has already reset the access tokens of about 90 million users.

Why the higher number of 90 million and not 50 million? According to the announcement:

"... we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened."

So, 90 million users affected and 50 million known for sure. What to make of this? Wait for findings in the completed breach investigation. Until then, we won't know exactly how attackers broke in, what they stole, and the true number of affected users.

What else to make of this? Facebook's announcement skillfully avoided any direct mentions of exactly when the attack started. The announcement stated that the vulnerability was related to a July 2017 change to the video uploading feature. So, the attack could have started soon after that. Facebook didn't say, and it may not know. Hopefully, the final breach investigation report will clarify things.

And, there is more disturbing news.

Some users have claimed that Facebook blocked them from posting messages about the data breach. TechCrunch reported:

"Some users are reporting that they are unable to post [the] story about a security breach affecting 50 million Facebook users. The issue appears to only affect particular stories from certain outlets, at this time one story from The Guardian and one from the Associated Press, both reputable press outlets... some users, including members of the staff here at TechCrunch who were able to replicate the bug, were met with the following error message which prevented them from sharing the story."

Error message displayed to some users trying to post about Facebook data breach. Click to view larger version

Well, we now know that -- for better or for worse -- Facebook has an automated tool to identify spam content in real-time. And, this tool can easily misidentify content as spam, which isn't spam. Not good.

Reportedly, this error message problem has been fixed. Regardless, it should never have happened. The data breach is big news. Clearly, many people want to read and post about it. Popularity does not indicate spam. And Facebook owes users an explanation about its automated tool.

Did Facebook notify you directly of its data breach? Did you get this spam error message? How concerned are you? Please share your experience and opinions below.