Thursday, June 30, 2022

Cyber Security Today – Wednesday, June 1, 2022

I’m Jim Love, CIO of IT World Canada sitting in for the vacationing Howard Solomon and this is Cyber Security Today for Wednesday, June 1st.

This episode reports on a study from Kaspersky that shows some new mobile device threats, how at least one government may have to rethink the security aspects of digital ID and a breach which affects the privacy of hotel customers around the world.
Mobile attacks on downward trend, but are getting more sophisticated in their approach
Kaspersky’s IT Threat Evolution report is out for Q1 of 2022 and it has some interesting findings. The report is based on threats detected by their software and reported by users who have consented to provide statistical data.
Overall, the report indicates that the number of threats on mobile devices is about the same for the first quarter of 2022 as it was for the last quarter of 2021. But those numbers are both substantially below the peak in Q3 of 2020 and have been declining since that point.
That’s the good news.
The bad news is that the fraudsters appear to be finding new ways to fool users. Many different fraudulent apps are now distributed via official app stores. These apps are published in the store and have a number of fake reviews posted which are, not surprisingly, all positive.
These apps, Kaspersky notes, occupy seven out of the twenty places in their malware ranking for Q1.
One of the increasingly popular schemes used by scammers is scam apps for receiving social benefits. The number of these has grown since 2021.
These mobile apps redirect to a webpage where users are shown a large sum of money they are supposedly entitled to. In order to claim these benefits, they need to pay a commission to cover admin costs, legal costs or something similar. Of course, once the money has been paid, the user receives nothing in return. This is just one example of the tricks they use.
One thing we know about malware is that if it’s successful, cyber crooks will continue to evolve, leveraging the elements that made it successful.
It’s essential that users do careful research when downloading apps – even from app stores. Look for reviews in reputable sources and not just in the stores. Never take a single review as evidence an app is legitimate. For social benefits, never go through a third party. Government benefit programs always have a public information source on a legitimate government website.
Gotta get a fake ID
The idea that digital IDs would reduce fraud took a bit of a hit in New South Wales, Australia. Australia is one of the countries that is actively looking at digital ID.
In 2019, the government of New South Wales in Australia rolled out digital driver’s licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues.
The government promised that the new digital ID would “provide additional levels of security and protection against identity fraud, compared to the plastic [driver’s license]” citizens had used for decades.
Security researchers have shown that it’s trivial for just about anyone to forge fake identities using the digital driver’s licenses, or DDLs. Fraudulent uses can be as innocuous as a teenager using a fake ID for underage drinking or they could be more nefarious and damaging. The point is that this type of fraud is surprisingly easy.
The IDs all have safeguards but these are protected by a four-digit PIN. Since it’s only four digits long, there are only 10,000 possible combinations. Using publicly available scripts and a commodity computer, someone can learn the correct combination in a matter of a few minutes.
The remaining flaws are a lack of adequate encryption, no means to natively validate the data and no way to tell when information has been tampered with.
Over 142 million records of customers of MGM Hotels were publicly shared on Telegram, the social media app.
Personally identifiable information (PII) of MGM Hotels customers around the world, including the names, postal addresses, email addresses, phone numbers, and dates of birth of millions of people, has been posted to this social media site.
On May 22nd, 2022, the vpnMentor Research Team stumbled upon 4 archive files totalling 8.7GB of data that were leaked on Telegram for anyone to find.
The hackers who shared the files claim that at least 30 million people had some of their data leaked. While this has not been independently verified, in February 2020, over 10 million records were published on a hacking forum, and 142+ million were sold on a dark web cybercrime marketplace in July 2020 for USD $2,900.
The breach had been initially discovered by the company back in the summer of 2019.
The whole breach is being shared for free on Telegram – a platform that is much more accessible for even the least tech-savvy people.
It’s enough to make us nostalgic for the days when you could register in a hotel as John Smith without being challenged. But it does emphasize the idea that every time we turn over our personal information as part of any transaction, we must be prepared to have that data leaked.
That’s Cyber Security Today for Wednesday, June 1st, 2022.
Follow Cyber Security Today wherever you get your podcasts – Apple, Google or other sources. You can also have it delivered to you via your Google or Alexa smart speaker.
I’m Jim Love, CIO of ITWC, publishers of IT World Canada and creators of the ITWC podcasting network. Howard will be back on Monday and I’ll be sitting in with you for Friday’s podcast as well as our weekend edition.

Jim Love, Chief Content Officer, IT World Canada
I've been in IT and business for over 30 years. I worked my way up, literally from the mail room and I've done every job from mail clerk to CEO. Today I'm CIO and Chief Digital Officer of IT World Canada - Canada's leader in ICT publishing and digital marketing.
