SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 117: Once More Into the Breaches

Posted on December 6, 2018

As we get back into the groove of things in between the major holidays, the security hits keep on coming as it starts to look like there are more than just a few weeds in the “walled garden” that is the iOS App Store. Elsewhere, things aren’t always as they seem either as one of the most fundamental ways we know we’re safe on the web turns out to not be so ironclad. And of course, what would an episode of The Checklist be without a discussion about the latest group of folks to lose your data? On this week’s list, we’re checking off those items as we chat about the following topics:

  • More Scammy Apps on the App Store
  • Look for the Lock — Then Look Again
  • and a Few High-Profile Data Breaches

It seems like we’ve been discussing problems in the App Store more frequently lately. This week’s discussion brings us another instance of ne’er-do-wells taking advantage of users and causing headaches for the rest of us in the process. What’s the scoop? 

More Scammy Apps on the App Store

In the news this week, two different publications reported on Apple's removal from the App Store of three apps that were tricking users into forking over large sums as in-app purchases. Ars Technica reported on the removal of apps called "Fitness Balance" and "Calories Tracker," while 9to5Mac brought us the tale of another app called "Heart Rate Measurement." In each case, what happened was roughly the same, and it led to big bills for users who downloaded the apps looking for a way to improve their physical fitness.

According to Ars Technica, Fitness Balance and Calories Tracker both immediately displayed a fingerprint-scanning prompt when users opened them for the first time. The apps claimed this would help gather measurements such as heart rate and body mass index, typical fitness stats. As soon as the user put a finger on the sensor, the app popped up an in-app purchase sheet with no warning; with the finger already resting on the Touch ID sensor, the purchase was confirmed before the user could react, and the charge went to whatever payment method is linked to the Apple ID. Depending on the user's location, those bamboozled by the prompt ended up paying $99.99, $119, or even €139.

Heart Rate Measurement, as described in 9to5Mac's report, works similarly. By dimming the screen and using a background designed to camouflage the in-app payment prompt, the app uses the same fingerprint-scanning trick to fool users into paying for something they never intended to buy. With that app, the charge came to $89.99.

Now, this might leave you wondering: who are these even targeting? Much like spam email, the answer is simple: somewhere out there are some people who are simply easy to trick, and somehow, it works out to be profitable. If it wasn’t working, it wouldn’t keep happening — so clearly the scammers think that they can fly under the radar long enough to scam people out of a whole lot of money at once. That raises another question, though: how could these apps even make it onto the store in the first place?

Apple does review in-app purchases and must approve them before an app gets the green light for listing on the store. However, Apple does not review price changes. In other words, a developer might initially submit an app with a 99-cent in-app purchase so it will gain approval. After its listing goes live, the developer simply changes the same purchase’s price point to $99.99 and waits for the money to start flowing in. Now might be a good time for Apple to revisit this policy; when something as simple as the app’s description on its store page requires approval before it can be changed, why shouldn’t in-app purchases receive the same treatment? 

Not long after users on websites such as Reddit began to complain about encountering the apps, Apple took action. All three apps were soon delisted and removed from the App Store, cutting off the flow of illicit funds to their developers. Ars Technica reports that users had received approval for their refund requests, and most expected to get their money back within the next month. While these scammy apps may be gone, others might still be out there. What can the average user take away from this story? 

First, as always: be vigilant. It's your money on the line, after all, and while Apple's walled garden does a good job of keeping most of the bad stuff out, we can't take safety for granted. Read up on apps, watch out for unexpected dialog boxes, and seek answers to your questions; if you aren't satisfied, reconsider whether an app is worth your time and attention. You may also want to take some steps to defend yourself against apps like those described in this story, which hide their payment prompts inside other app functions.

If you want to sacrifice the convenience of Touch ID for purchases to be completely safe, you can, of course, turn it off in the Settings app on your iPhone (Settings > Touch ID &amp; Passcode > iTunes &amp; App Store). With that switch off, every purchase requires your Apple ID password instead of a fingerprint, so a surprise prompt can't be confirmed by a finger that happens to be on the sensor. A more extreme option is removing the payment method from your account, so nothing can be charged automatically. Staying aware is better than such scorched-earth tactics; keep the convenience but watch out for apps that don't seem right. If you notice charges you don't remember authorizing, reach out to Apple.

One final point for this story: don't rely solely on reviews to guide you towards quality in the App Store. According to Ars Technica, the apps all carried four- to five-star ratings, with comments populated by people praising them. It's likely that this is a bunch of astroturfing laid down by the scammers themselves to boost each app's profile and raise the likelihood of making a score. So, as always, caveat emptor.

Look for the Lock — Then Look Again

Our next story concerns your web browser, and what "safe browsing" really means.

So, that little green lock in your URL bar — that friendly little guy means that a site is safe when you visit it, right? Well, sort of — but not entirely. It might mean your connection is secure, but it doesn’t mean you’re safe from giving your information away to the bad guys. CNET carried a story recently that brought this issue to our attention, in which they discussed how many users have been told to look for the green padlock, especially when purchasing items with credit cards, to ensure their information is secure. Unfortunately, CNET says, that isn’t always enough to keep you safe. Why not?

Think of it this way: the lock, which signifies that your connection to the site is happening over HTTPS, only means you enjoy a "code of silence" with the site. No one on the outside can tamper with or eavesdrop on the data exchanged between your computer and the website's server, because it's encrypted, and the certificate confirms you are talking to whoever controls that domain name. It says nothing about who that is or what they intend to do with your data. In other words, it's no guarantee that the site itself is safe and secure, and bad actors can set up websites with HTTPS to fool users into thinking they're in a safe place; certificates are free and issued automatically to anyone who controls a domain.

Let's say that you want to go to a (made-up) website such as GalaxyTrade.com, but you type in GalaxyTrade.co instead. The padlock appears, and the site looks almost correct, but you're actually communicating with a site that wants to steal data from users looking for GalaxyTrade.com. This scenario is called typosquatting; you shouldn't blindly look for the padlock and assume "oh, I've made it to the correct website." That can lead to accidentally exposing your information.

That leads to our #1 tip for avoiding this problem in the first place: be careful about what you type, and always double check to make sure you’re arriving at the correct destination on the web. Don’t just click links — especially from emails! — because you can easily miss fake or poisoned URLs that will lead you to bad, scammy websites looking for your data. 

Password managers can save the day again here, too. They store each login together with the domain it was saved on and only offer to fill it when the domain of the page you're on matches, so a login saved for GalaxyTrade.com simply won't be offered on GalaxyTrade.co. When the autofill you expect doesn't appear, that's your tip-off that something might not be right. If you're in Safari, a green company name in the address bar signifies an "extended validation" certificate, which means the site's owner has gone through additional identity checks with the certificate authority. In other words, follow best practices, keep your eyes peeled for suspicious behavior from sites, and never trust blindly. With those things in mind, you can keep yourself safer as you browse the web.
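To make the typosquatting and password-manager points above concrete, here is an added example (not SecureMac's code, and not how any particular password manager is implemented) of the two checks a manager performs before filling a login: it collapses the visited hostname to its registrable domain and fills only on an exact match over HTTPS, and it flags a visited domain that is within a couple of edits of a saved one. The vault contents, the GalaxyTrade domains, and the tiny stand-in for the Public Suffix List are all constructed for the demo.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample vault (not real credentials): logins keyed by the
# registrable domain of the site they were saved on.
VAULT = {
    "galaxytrade.com": ("alice", "correct horse battery staple"),
}

# Simplified stand-in for the Public Suffix List: suffixes under which the
# registrable domain is three labels long (e.g. example.co.uk). A real
# manager consults the full list.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its registrable domain (eTLD+1), so that
    login.galaxytrade.com and galaxytrade.com compare equal, while
    galaxytrade.com.evil.example collapses to evil.example."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def site_key(url: str) -> Optional[str]:
    """Return the registrable domain of an HTTPS URL, or None when the page
    is not HTTPS (never fill a password into a plaintext form) or has no
    hostname at all."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return registrable_domain(parts.hostname)


def credentials_for(url: str) -> Optional[Tuple[str, str]]:
    """Exact-match lookup: fill only when the site key matches a saved one."""
    key = site_key(url)
    return VAULT.get(key) if key else None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(url: str, max_distance: int = 2) -> Optional[str]:
    """If the visited domain is NOT a saved site but sits within a couple of
    edits of one, return the saved domain it resembles so the user can be
    warned (galaxytrade.co resembles galaxytrade.com)."""
    key = site_key(url)
    if key is None or key in VAULT:
        return None
    for saved in VAULT:
        if edit_distance(key, saved) <= max_distance:
            return saved
    return None


if __name__ == "__main__":
    for u in ("https://login.galaxytrade.com/", "https://galaxytrade.co/login",
              "https://galaxytrade.com.evil.example/login",
              "http://galaxytrade.com/login"):
        print(u, "->", credentials_for(u), "| lookalike of:", lookalike_of(u))
```

The important design choice is that the match is on the registrable domain, not on a substring or a visual comparison: `galaxytrade.com.evil.example` contains the real name yet collapses to `evil.example`, and the lookalike check is purely advisory, so it never causes a fill on its own.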

A Few New High-Profile Data Breaches

We'll start wrapping up today's show with news of not one, not two, but THREE big data breaches! Can you believe it? We can. Here's what's happening.

According to a post from Malwarebytes, hotel giant Marriott was forced to disclose that it suffered a massive breach, one that could affect up to 500 million guests who stayed at "Starwood-branded hotels" over a period covering the past four years. Don't think you've ever stayed at a Starwood hotel because the name doesn't sound familiar? That's because they aren't called Starwood hotels. You might know them better as:

  • Westin
  • Sheraton
  • The Luxury Collection
  • Four Points by Sheraton
  • W Hotels
  • St. Regis
  • Le Méridien
  • Aloft
  • Element
  • Tribute Portfolio
  • Design Hotels

The attackers got into one of Marriott's many servers, this one housing the Starwood guest reservation database, and had access to it from sometime in 2014 all the way up to a cutoff date of September 10, 2018. Even those who stayed at a Starwood-branded property a few months before this episode's recording could have had their information compromised.

It wouldn't be hard to get swept up in the mess. For roughly 327 million of those guests, the stolen records included some combination of name, mailing address, phone number, email address, passport number, date of birth, Starwood Preferred Guest account information, and travel details such as arrival and departure dates. For an unknown number of guests, payment card numbers and expiration dates were also taken; Marriott says the card numbers were encrypted, but has said it cannot rule out that the components needed to decrypt them were taken too.

So, what should you do if you stayed at one of those hotels? First, change your password immediately if you're a member of the Starwood Preferred Guest loyalty program, since data related to that program was also stolen. Keep an eye on your bank and credit card statements, too; even if the card data was encrypted, monitoring for identity theft is always a good idea after a breach of this size, and a passport number can't be changed the way a card number can. Additionally, watch out for opportunistic scammers: if you see an email telling you to click a link for help fixing data exposed in a breach, avoid it like the plague, and go to the company's own website directly instead.

But wait, there’s more.

Ever heard of Quora? It’s getting pretty popular these days, and for long-time Internet users, it might even look familiar to some of the old sites of yesteryear — like Yahoo Answers. Quora is a community built on answering questions, founded in 2009 by former Facebook employees. 

According to Malwarebytes again, Quora recently suffered a breach of its own, with hackers making off with information on what may amount to 100 million users. Usernames, email addresses, and encrypted (salted and hashed) passwords were all stolen. Oh, and a little something else, too: it's possible that the thieves were able to access information Quora users had imported from linked accounts on other websites, along with non-public content such as direct messages. Lovely, right? On the plus side, Quora was quick to respond, logged affected users out, invalidated their passwords, and rapidly directed users on what to do to stay safe.

Again, change your password right away, and if you're still using that password somewhere else, change it there, too! Why shouldn't you reuse passwords? Well, maybe ask Dunkin' Donuts about that one.

Malwarebytes says that Dunkin' Donuts, too, was the victim of an attack recently, as a bad actor gained access to the company's DD Perks rewards accounts. The good news is that the data exposed here is much less sensitive than in the other breaches discussed today: "just" names, email addresses, and DD Perks account numbers. Dunkin' says the bad guys got in thanks to reused passwords: they took username and password pairs leaked from other sites' breaches and tried them against DD Perks accounts (an attack known as credential stuffing), and the site never locked an account or slowed the attacker down after a run of failed attempts. So, just as we said above, if you're a rewards user, change your password, and maybe start a petition to get Dunkin' to harden its login.
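The Dunkin' story above turns on one missing control, so here is an added example (not Dunkin's code or Malwarebytes' code) of a login handler that can run in either mode: with no failure limit it reproduces the weak behaviour, where a credential-stuffing script simply works its way through a list of leaked passwords until one hits; with a per-account lockout, the same list gets the account locked before the reused password is reached, and the real user gets in again once the lockout expires. The user store, the leaked-password list, and the demo-strength PBKDF2 iteration count are all constructed for the example; production systems would use a much higher count or a memory-hard hash, and would add per-source rate limiting and notification on top of the per-account lockout.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Demo-strength work factor so the example runs instantly; real deployments
# use a far higher count (or argon2/bcrypt/scrypt).
PBKDF2_ITERATIONS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user_store(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed demo store: username -> (salt, hash). Not real accounts."""
    store = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store


class LoginGuard:
    """Login handler with optional per-account lockout.

    max_failures=None reproduces the weak behaviour described in the episode:
    no lockout, so guessing can continue indefinitely. With a limit set, the
    account is locked for lockout_seconds once that many consecutive failures
    are seen, and even the correct password is refused while it is locked.
    """

    def __init__(self, users: Dict[str, Tuple[bytes, bytes]],
                 max_failures: Optional[int] = 5,
                 lockout_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic):
        self.users = users
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so tests can fast-forward time
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, float] = {}
        # Dummy record so unknown usernames cost the same hashing work as
        # real ones (avoids timing-based username enumeration).
        self._dummy = (os.urandom(16), hash_password("dummy", os.urandom(16)))

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if self.locked_until.get(username, 0.0) > now:
            return "locked"
        salt, expected = self.users.get(username, self._dummy)
        candidate = hash_password(password, salt)  # always do the work
        ok = username in self.users and hmac.compare_digest(candidate, expected)
        if ok:
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] += 1
        if self.max_failures is not None and self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures.pop(username, None)
            return "locked"
        return "denied"


def run_stuffing_attack(guard: LoginGuard, username: str,
                        leaked_passwords: Iterable[str]) -> List[str]:
    """Simulated credential-stuffing run: try each password leaked from some
    other site's breach against one account and record each outcome."""
    return [guard.attempt(username, guess) for guess in leaked_passwords]


if __name__ == "__main__":
    users = make_user_store({"bob": "Summer2018!"})  # constructed account
    leaked = ["password1", "letmein", "qwerty", "coffee123", "hunter2", "Summer2018!"]
    weak = LoginGuard(users, max_failures=None)
    hard = LoginGuard(users, max_failures=5)
    print("no lockout:  ", run_stuffing_attack(weak, "bob", leaked))
    print("with lockout:", run_stuffing_attack(hard, "bob", leaked))
```

Note that the lockout protects the account, not the attacker's budget: a stuffing campaign spreads a few guesses across millions of accounts precisely to stay under per-account limits, so a real login endpoint pairs this with per-IP and per-subnet rate limits and with monitoring for a site-wide spike in failed logins.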

Remember a time when data breaches were a "once in a while" story, and not everyday news? Those were the days, but we don't have time to dwell on nostalgia for "safer" times today, as that's the end of this week's discussion. If you think you might have been caught up in one of these breaches, act promptly. If you haven't already, now is a good time to consider a password manager; with the ability to generate and store a unique password for every site, so you never need to remember complicated strings, you can ensure that no single data breach hands attackers the keys to your other accounts.

Speaking of good things to consider, have you considered that there is an easy way to catch up on The Checklist when you've missed episodes or want to revisit an older subject? Whatever has your curiosity piqued, you can find a thorough look at many topics in The Checklist Archives. Full show notes, audio, and helpful links make it a strong resource for learning about everything you need to know.
