Checklist 149: Security Tripping with The Checklist
This week, we say hello to August with a groan as news of more big data breaches that could affect our financial lives comes out. Then we’ll pivot to talk about how you can stay safe when you squeeze in one last summer vacation before autumn arrives, and we’ll round things out with a follow-up to a follow-up. It’s in the name of the show — so here’s this week’s checklist of stories:
- The Bad/Worse Breach
- 7 Tips for Trips
- A Stronger Little Snitch
Let’s not waste any time as we embark on a journey into the latest in security news.
The Bad/Worse Breach
We’ve got tales of two different and significant data breaches to start us off today. Let’s first turn our attention to one you may have already heard about in the news: the big breach over at Capital One.
According to a report published by the BBC, at some recent point in time, an individual plundered detailed information about more than 100 million people in both the United States and in Canada. The BBC says that names, addresses, and phone numbers supplied by individuals applying for Capital One credit cards were taken in the hack. Credit card numbers themselves, however, were not stolen. It might not be too bad if things ended there, but the hacker was able to make off with more than just that. More than 100,000 social security numbers and nearly as many bank account numbers for US customers were also stolen, along with about a million social insurance numbers for Canadian citizens.
All that, the BBC says, put it in the realm of the largest breaches “in banking history” — though it seems that every time we have a new breach to talk about, it always ranks high on the list! If you’re doing the math, though, this breach could affect between a quarter and a third of all adults in the United States. So what kind of trouble could those caught up in the breach face?
While it might sound like a good thing that credit card numbers weren’t stolen, we all might prefer if they had been a part of the hack — you can cancel credit card numbers, after all. You can’t, however, change your address so easily, and in pretty much every case, you’re stuck with the SSN you got when you were born. While these mundane personal details might seem innocuous in isolation, they can be extremely useful to bad actors looking for weaknesses and opportunities to cause some trouble.
They might call up an affected individual’s bank, for example, and say, “Hey, I forgot my account number, can you give it to me?” — which usually leads to the bank asking for verification, such as your Social Security number. Well, they got that in the hack, so when they supply it along with information such as your address, the helpful bank employee on the phone gives them your account number. They practically have the keys to the kingdom — and they might take this information and go around to other institutions using the same tactic.
With enough information, they could even start signing up for brand new accounts over which they have full control, leaving you out in the cold and damaging your credit in the process. No one wants to be in the middle of applying for a home or car loan only to discover that someone else took out a $20,000 loan in your name that is now delinquent. In short, there’s no end to the number of ways that someone with access to this much personal data could cause trouble.
Of course, we’re not only talking about this subject today because of the numbers involved and the threat. We’d also like to do a bit of a “postmortem” analysis on Capital One’s response to everything, so let’s run down how they handled this crisis and rate their response.
Capital One began to inform users of the breach and whether they were potentially involved within just a couple weeks of their discovery of the breach on July 19. However, the hack itself occurred back in March. While it is very nice to see a company fess up to their security failures sooner rather than later, those extra weeks still meant more time that users were in the dark about the risks they’d already unknowingly faced for several months. Of course, Capital One also insisted that it was “unlikely” the information had been used for fraud — something they can’t honestly say with confidence since this type of info is good pretty much only for fraud.
The company has also said that it would take steps to inform the affected individuals and provide them with “free credit monitoring and identity protection.” Is it just us, or does this seem like it is becoming the go-to Band-Aid response by financial companies when they lose our information? They take no responsibility beyond telling you “Hey, you might have a problem” and then leaving the ball in your court. Another problem here is that Capital One’s response doesn’t account for the fact that identity theft may not always be limited to assaults on your credit.
Capital One also issued a formal apology, but if we’re honest, we believe they could do more. Capital One, like other companies that have allowed data breaches due to poor security, should explain why anyone should continue to do business with them, such as by showing what steps they will take to prevent future issues. Providing real, actionable insight into what to do if someone steals your identity would be a good step, too.
While Capital One’s response isn’t perfect, it’s ultimately okay. At the very least, it’s far better than some other ways a company might have chosen to respond to a data breach. That’s what leads us into the second of the two data breaches we have to discuss today — an issue surrounding an app known as StockX, a platform for buying, selling, and trading fashion accessories. They’ve put on a clinic in how not to respond to a security problem.
According to TechCrunch, the company that develops and operates StockX thought they could try to keep their issues on the down-low. They weren’t exactly successful. Here’s what happened.
On August 3, StockX reset user passwords — all of them at once. Every user received a password reset email, saying that “system updates” necessitated a change from everyone. At first, this caused a fair amount of confusion, panic, and chaos among users, as many wondered if they had been subjected to a phishing attack. StockX was quick to clarify that yes, the email was legitimate, and yes, everyone needed to change their passwords. However, they did not provide further details on what those “system updates” entailed or an explanation as to why they did not warn users ahead of time about such an important change.
There was a “good” reason they didn’t warn anyone, though: StockX was caught flat-footed in a data breach. After a bit of badgering by some persistent journalists, a spokesperson corresponding with TechCrunch admitted that “suspicious activity” had been detected on their website, leading to the action. Then the journos discovered the full story: a data broker contacted TechCrunch directly, claiming they had in their possession nearly 7 million StockX user records stolen by a hacker in May. The data apparently sold for about $300 per copy on the dark web, and TechCrunch was able to confirm that a sample provided to them contained legitimate, active user information.
StockX did the right thing in requiring a password change, but it’s safe to say they did pretty much everything else wrong. Capital One owned up to their failure and took the PR hit, while StockX tried to avoid acknowledging that something went wrong at all — ultimately causing themselves an even bigger PR nightmare when the truth came out. That should be the number one lesson for companies dealing with data breaches: tell the truth and do it early.
How at-risk are StockX users as a result of this breach? The stolen information mostly included names, emails, and hashed passwords, along with some other miscellaneous data. The good news is that this data is far less easy to use for social engineering attacks than the Capital One haul, but hackers are still likely to try. At the very least, they’ll look for places where they can re-use passwords and usernames.
There’s a simple lesson here: be open and be honest as soon as possible so your users can make informed choices about what to do next.
7 Tips for Trips
With summer winding down and Labor Day on the horizon, you might feel like it’s time to fit in one more quick trip away from home to make the most of the time you have left. If you’ve got a vacation lined up soon, we’d like to provide you with some helpful suggestions to consider before you hit the road, head to the cruise ship, or board your plane. Here are seven quick and easy ways to keep yourself safe while traveling and staying connected.
Lock It Down
Do you ever clean your home before you leave, or put other things in order so that you don’t have to worry about them as soon as you get home? This is a good philosophy to apply to your digital life, too. Create a backup of your Mac with Time Machine, for example — you don’t want to come home to find a freak power surge during a thunderstorm has fried your hard drive. Back up your mobile devices, too, and then run through the usual round of updates. And make sure you’re running the latest versions of macOS and iOS so that you have the latest updates in place to protect you while you travel.
Don’t Pay at the Pump
Have you seen any local news stories concerning credit card skimmers discovered at area gas stations? It may not have happened in your area yet, but it’s a widespread problem across the country. Card skimmers look just like real credit card readers, but they steal your information when you insert your card. The bad guys can then use your info to make purchases. Consider going inside to pay at the register or simply using cash to avoid the threat posed by skimmers. If you have contactless payments such as Apple Pay set up on your phone, you can avoid the hassle altogether.
Free Wi-Fi Can Cost You
We all want to save our mobile data allowances as much as possible, and that makes it tempting to use free public Wi-Fi in places such as airports and hotels when you need to stay connected. However, we know these networks can be very unsafe, and unsecured networks can allow anyone to intercept your data. In a worst-case scenario, they might even be able to interact with your device. If you must use a public connection, fire up your favorite VPN first.
Guard Your Email
Everywhere you go on vacation, you’re likely to encounter at least one place asking for your email, be it a hotel, a museum, or even a restaurant. Sometimes there are useful reasons to hand over an address, but mostly it just allows marketing departments to send you more emails and ultimately sell your email on to other third parties. Either opt out of providing your email or create a “burner”, or throwaway, email account that you don’t use for anything else. And whatever you do, don’t re-use the password for your actual email account for your travel account (or any other account, for that matter).
Be App Averse
Is it just us, or does it feel like everyone has an app these days? Some apps, such as official city guides and museum-developed apps for self-guided tours, can be fun and enhance your travel experience. However, you can’t always tell how secure these apps will be, so you should exercise caution and ask yourself: “Do I really need this?”
If you do download an app while you travel, don’t use your Google or Facebook accounts to log in. Use your burner email to create an account and log in directly instead.
Find Your Devices
Tourist hotspots are magnets for thieves. It’s easy to lose a MacBook or an iPhone on vacation, or worse, to have one stolen from you. Before departing home, ensure that you have Find My iPhone enabled for all your devices. This way, you can more easily locate your phone if you lose it, or you can at least render it unusable to thieves.
Protect That Mac
If you plan to use a macOS device in unfamiliar places or on public Wi-Fi, you must be prepared to encounter an increased risk of security threats. Maintain a robust third-party antivirus protection suite or consider downloading a trial version of a reputable solution (say, MacScan 3?) to cover you while you travel.
A Stronger Little Snitch
Let’s wrap things up with one final follow-up to our Summer Security Blockbusters show from early July.
Recall that during that show, we talked about “fencing off” parts of your information infrastructure. Last week, we got a friendly email from Corrie, who wanted to know if the app Little Snitch could serve as that fence. Both SecureMac’s own Nicholas Ptacek and our host August Trometer said “no” to that, due to the fact that Little Snitch’s primary focus is on tracking information leaving your Mac, rather than arriving to it. At least, that’s what we thought! Then listener Paul wrote in after last week’s follow-up to say:
You can set up Little Snitch to block all incoming connections; you just have to create a rule. Basically, I created a “Public” profile and added “Deny All Inbound Connections”. Then I switch to my Public profile from the Little Snitch menu.
According to Nicholas, this appears not only to be a feature new to the software but also something that would indeed suit Corrie’s needs. This is why we love our listeners — we weren’t aware, we were made aware, and now we can share this security goodness with everyone! Little Snitch is already a fantastic app, and this is a great way to extend its functionality.
Once configured in this way, Little Snitch will indeed function as an extremely effective firewall. In other words, your apps can still communicate with the outside world, and they can still receive the inbound connections they need in order to function, but other incoming connections — say, from that shady guy sitting in the corner of the coffee shop — are refused. Keep in mind, though, if you’re doing this at home, you may sometimes have issues with external devices that need to sync or share files with your Mac. Evaluate those issues on a case-by-case basis.
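To make the behavior described above concrete, here is a small added example (written for this page; it is not Little Snitch’s code and does not use its rule format) that models the two-profile setup Paul describes as a stateful connection filter. The profile names, the “Home” inbound service ports, and the sample connection events are all constructed for illustration: outbound connections are always allowed, replies to connections the Mac opened are allowed, and any other inbound connection is refused under the “Public” profile.

```python
from dataclasses import dataclass

# Constructed sample: connection events as a tiny host firewall would see them.
# direction "out" = this Mac opened the connection; "in" = a remote host sent a packet to this Mac.
@dataclass(frozen=True)
class Event:
    direction: str
    app: str
    local_port: int
    remote_host: str
    remote_port: int

# Hypothetical profiles (not Little Snitch's own): "Home" permits a couple of inbound
# services (548 = AFP file sharing, 5000 = an assumed sync app); "Public" is the
# deny-all-inbound profile from the listener tip.
PROFILES = {
    "Home": {"deny_all_inbound": False, "inbound_service_ports": {548, 5000}},
    "Public": {"deny_all_inbound": True, "inbound_service_ports": set()},
}


class StatefulFirewall:
    """Tracks connections this Mac initiated so their replies are still allowed."""

    def __init__(self, profile: str):
        if profile not in PROFILES:
            raise ValueError(f"unknown profile {profile!r}")
        self.rules = PROFILES[profile]
        self.established = set()  # (local_port, remote_host, remote_port) of outbound flows

    def decide(self, ev: Event) -> str:
        key = (ev.local_port, ev.remote_host, ev.remote_port)
        if ev.direction == "out":
            # Outbound is never blocked by the inbound rule; remember the flow.
            self.established.add(key)
            return "allow"
        if ev.direction != "in":
            raise ValueError(f"unknown direction {ev.direction!r}")
        if key in self.established:
            return "allow"  # reply traffic for a connection the Mac opened
        if self.rules["deny_all_inbound"]:
            return "deny"  # the "Public" profile: no unsolicited inbound at all
        if ev.local_port in self.rules["inbound_service_ports"]:
            return "allow"  # an inbound service the "Home" profile exposes
        return "deny"


def run_profile(profile: str, events) -> list:
    """Evaluate a sequence of events under one profile and return the decisions."""
    fw = StatefulFirewall(profile)
    return [fw.decide(e) for e in events]


# Constructed events using documentation/private address ranges.
SAMPLE_EVENTS = [
    Event("out", "Safari", 52000, "203.0.113.10", 443),          # browser opens HTTPS
    Event("in", "Safari", 52000, "203.0.113.10", 443),           # server's reply
    Event("in", "AppleFileServer", 548, "192.168.1.20", 49152),  # LAN device wants file sharing
    Event("in", "sshd", 22, "198.51.100.77", 40000),             # unsolicited SSH attempt
]


def summarize() -> dict:
    """Decisions for every profile over the same sample traffic."""
    return {profile: run_profile(profile, SAMPLE_EVENTS) for profile in PROFILES}


if __name__ == "__main__":
    for profile, decisions in summarize().items():
        print(profile, decisions)
```

Running it shows the trade-off the paragraph above mentions: under “Home” the LAN file-sharing connection is allowed, while under “Public” it is refused along with the SSH attempt, yet Safari’s browsing still works in both because its reply traffic belongs to a connection the Mac itself opened.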
Also, remember that Little Snitch runs only on your Mac. If you want to monitor other Macs in your household, you’ll need to have Little Snitch running on those, too.
Thanks for the hot tip, Paul!