Fraud Prevention Month starts, cyber incident costs hospital chain $67 million and problems with COVID apps.
Welcome to Cyber Security Today. It’s Monday March 1st. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
 |
 |
 |
Today is the start of Fraud Prevention Month, a time to remind consumers and businesses to be more aware of all the scams going on. While not all fraud occurs online a significant amount does, so I’m going to spend a few minutes with you on this.
Accurate statistics on online fraud are hard to come by because it relies on reporting. But last year the Canadian Anti-Fraud Centre received over 101,000 overall fraud reports involving nearly $160 million in reported losses. Of that $160 million, $18.5 million came from romance scams, $16.5 million came from investment scams, $14.4 million came from targeted email scams called spear phishing and $12 million came from extortion.
Online fraud comes in many forms: Romance and dating scams that trick people into giving money to a so-called lover, callers or email pretending to be from Microsoft selling anti-virus support services, gift card fraud, tax return scams, property rental scams, COVID vaccine cons and what are called business email compromise scams, where crooks trick executives into sending hundreds of thousands of dollars in payments to the wrong bank account.
Your best protection is to recognize fraud: Many scams play on a potential victim’s emotions like panic, fear, desperation and love. Usually, the goal is to get immediate action — you’ve got to buy now before the offer ends, or the computer virus gets worse. So when you read email, text or social media messages, or get phone calls, slow down. Think about what you tell people over the phone or online. Confirm information. Talk to family and friends. It’s okay to reject, refuse or ignore requests for money. Only fraudsters will try to rush or panic you. Watch your bank account and credit profile for suspicious activity. And report fraud even if no money was lost.
For more information check the website of the Canadian Anti-Fraud Centre. It will also offer tips daily on its Twitter feed, @canantifraud, and on its Facebook page.
For advice aimed at businesses check my news stories on ITWorldCanada.com.
One type of fraud committed by crooks through identity theft is the swapping of SIM cards in smartphones. A crook is able to switch the victim’s SIM card to a phone they control, either in person at the cellphone company or online. Then the crook can try to access bank accounts online. In one of the latest examples, last month American carrier T-Mobile sent out notices to subscribers hit by SIM car scams. According to the Bleeping Computer news service, 400 people were victimized. The best way to protect yourself from this scam is to have a PIN number on your account that only you know to prevent changes.
Facebook will have to pay people in Illinois $650 million to settle a class-action privacy lawsuit. The suit said the social media company allegedly used photo face-tagging and other biometric data without permission before 2015.
Last September I reported that the large American hospital and clinic chain Universal Health Services had been hit by a cyberattack that crippled its IT operations across the U.S. This was widely reported as ransomware. Last week as part of its quarterly financial statement the company said the disruption cost it $67 million in IT recovery costs and lost income from temporarily having to send patients to other hospitals. UHS says there is no evidence patient or employee data has been copied or misused.
Finally, many privacy and security experts worry about potential problems with COVID-19 contact tracing or notification apps that have been released around the world. So university researchers in Britain and Australia created a new automated tool to scan and evaluate 40 Android apps. And in their initial round of testing, they found none of them were free of privacy or security defects. The apps tested included Canada’s COVID Alert and the American apps called Contact Tracing and Contact Tracer.
More than half of the apps posed potential security risks for using cryptographic algorithms that were insecure or not part of best practices, or for storing sensitive information in clear text that could be potentially read by attackers. Over 40 per cent of apps pose security risks through what are called manifest weaknesses such as allowing permissions for backup that could allow the copying of potentially unencrypted application data. Three-quarters of the apps had at least one tracker, like those from Google or Facebook, that allowed the tracking of users.
It isn’t clear if problems were caused by the rush to get these apps to the public. The study says usually when it notified app developers the problems found were cleared up, although sometimes new vulnerabilities were introduced.
===
UPDATE: In reply to an emailed question after this podcast was recorded one of the study’s authors, Gareth Tyson of Queen Mary University of London, said the COVIDAlert app is at risk. “It does have a decentralized architecture, which makes it more robust against certain types of attacks. For example, it would be difficult for the server operator to centrally link user contacts. However, it does suffer from other privacy exposure risks as it’s possible for (technically capable) users to identify diagnosed citizens, as they exchange tokens between each other. This can be used to identify people’s health status. For example, an adversary could limit their contact to a given individual, and then wait to see if a health alert is received (indicating the person has been diagnosed as COVID positive). In terms of how serious this is, it is likely a subjective call based on an individual’s perceptions of privacy. Some users may be very concerned about this risk, whereas others may be more relaxed.”
He also said researchers will run their tool again today to see if the Canadian app’s posture has changed.
===
That’s it for today. Links to details about these stories are in the text version of this podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at cybersecurity professionals.
Subscribe to Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.
