Warning to Claire’s shoppers, Tim Hortons app location data controversy and why you should turn your lights off
Welcome to Cyber Security Today. It’s Wednesday June 17th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Anyone who recently bought clothes, accessories, toys or other things at the online store called Claire’s should be watching for suspicious activity on their credit card statements. According to a security company called Sansec, criminals hacked the Claire’s website to skim off customer payment card numbers starting in the last week of April and going until June 13th. It’s no coincidence the attack happened now. Because of the COVID pandemic, Claire’s closed its 3,000 stores around the world on March 20th. The next day criminals registered a look-alike internet name. After the hack, when a Claire’s shopper clicked on the checkout button, their information was copied to the criminal website. It’s another example of how criminals are taking advantage of increased online shopping because of the pandemic. It isn’t clear how the criminals got into Claire’s web site, but common ways are to guess the password of an administrator or trick the administrator into giving up a password through email phishing.
The lure of downloading a smartphone app from a big brand is appealing. But even apps from well-known companies can be a risk to your privacy depending on how much data they gather — and whether you know about it. Take, for example, the app from Canadian donut and coffee chain Tim Hortons. The company’s web site said the location of users is only tracked when the app is open. But an investigation by the Financial Post news service found otherwise. Reporter James McLeod discovered the app on his Android device tracked where he went even when it was closed. That’s because McLeod allowed the app to access his phone’s GPS system. GPS is handy for using a smartphone map to find where you are. Or, for example, if you want your Tim Hortons app to show where the nearest outlet is. But every app you allow to access the GPS will track you all the time. What the Tim Hortons app logged was not only when the reporter went to a Tim Hortons, but also if he was at a competitor like Starbucks, a house, a sports arena or when he was on vacation in Amsterdam — in fact it logged every time he travelled more than 100 km from his house. It also swallowed up a lot of other data, all of which the company said was only being used to tailor marketing and promotional offers to users of the Tim Hortons app. An official admitted the Tim Hortons web site privacy statement should have been more clear. It now says it’s up to users to decide if and when they want to share location data. Some devices share location data only when the Tim’s app is open. Others let users share location all the time.
So the lesson is to check every permission of every app you have. If you allow an app to access GPS all the time, then more than likely it’s collecting location data on you all the time. You can turn an app’s GPS permission off and on only when you need it. Or, you can decide to refuse to use apps that need access to the GPS.
In addition to keeping an eye on your mobile app permissions you’ve also got to watch where you’re going on the Internet. A security company called Morphisec this week warned criminals are taking advantage of people going to web sites that offer pirated software, DVD plugins, porn and related software to infect computers and smartphones. What they may end up downloading is something that behind the scenes uses their device for mining cryptocurrency for criminals. Or it may download spyware. This is a reminder that any website you go to that offers questionable products is a place where criminals will offer questionable downloads.
Users of Facebook Messenger for Windows should make sure they’re running the latest version. A security company called Reason Cybersecurity found a vulnerability that could help the installation of malware. The latest version closes that hole. Separately, this week Adobe announced security updates are available for After Effects, Illustrator, Premiere Pro, Premiere Rush and Audition.
Finally, are you worried law enforcement or criminals can eavesdrop on your phone or video calls? They may have another way: Leveraging a partially exposed light bulb in your room. That’s according to Israeli security researchers. They say that under the right circumstances the air pressure created by the sound of people talking in a room makes a light bulb vibrate in a way that could be picked up through a window by a modified telescope with an optical sensor and a computer to process the sound. The paper doesn’t say if this works when it rains or snows. If you’re worried, keep your drapes drawn. Or buy deep lampshades. Or talk in the dark.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.