SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 168: It only FEELS like a recap

Posted on December 19, 2019

This week’s Checklist topics may sound familiar, but don’t be fooled! We revisit three stories that we’ve talked about before, but which now have some updates worth discussing (spoiler: it’s not all good news!).

On this week’s Checklist, it’s deja vu all over again:

  • $20 bucks and a security breach on pump four…revisited
  • Last week’s Communications Limits…revisited
  • Bad passwords…revisited (again)

$20 on four: the case for paper money

Earlier in the year, we covered a story about gas station monitoring software that had serious vulnerabilities — serious enough to attract the attention of the Department of Homeland Security, who issued a security advisory warning the public about the threat.

But as it turns out, there’s even more bad news about gas station cybersecurity — so you may want to rethink how you pay when you fill up your tank.

A recent Engadget report says that gas station point-of-sale (POS) networks have security flaws which malicious actors are exploiting in order to steal credit card data. The source of the report is Visa itself, so we’d class this as an extremely credible threat.

People who follow cybersecurity news are probably aware of the issue of card skimmers — physical devices which look virtually identical to normal card readers, but which are installed in public places by bad actors in order to steal card data. But this latest gas station security threat is something different.

It seems that a criminal group tracked as FIN8 has been targeting gas stations by infiltrating their POS networks and installing malware that harvests magnetic stripe card data. When a card is swiped rather than inserted (an old-style magnetic stripe card, or a chip card at a pump that only has a stripe reader), the track data from the stripe is processed and sent across the merchant’s network in the clear. And unfortunately, the various systems in these POS networks are not isolated from one another, so a malicious actor with a toehold in a “minor” system can reach the more sensitive systems where card data is processed. Network segmentation and encryption at the reader are exactly the things security teams look for when assessing their own networks — but not all industries are as cybersecurity-aware as we’d like them to be, and it appears that fuel vendors may fall into this category.
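To make “transmitted without encryption” concrete: a merchant or assessor can check whether stripe data is really crossing the network in the clear by searching a packet capture, log file or POS memory dump for the fixed layout of Track 1 and Track 2 data. The following is an added example in Python, not code from the podcast, Visa or Engadget. The buffer it scans is constructed from published test card numbers, the layouts follow the ISO/IEC 7813 stripe format, and the Luhn check weeds out random digit runs that merely look like card numbers.

```python
"""Find cleartext magnetic-stripe (Track 1 / Track 2) data in a byte buffer.

Added example, not code from the podcast, Visa or Engadget. This is the check
a merchant or assessor runs over a packet capture, a log file or a POS
process memory dump to confirm whether card data really crosses the network
unencrypted. SAMPLE_BUFFER is constructed from published test card numbers;
it contains no real cardholder data.
"""
from __future__ import annotations

import re

# Layouts follow ISO/IEC 7813.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that every real PAN satisfies; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four (what PCI DSS lets you log), hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def chip_capable(service_code: str) -> bool:
    """First service-code digit 2 or 6 means the card carries an EMV chip, so
    a stripe read of it is a swipe that should have been a chip insert."""
    return service_code[:1] in ("2", "6")


def scan_for_track_data(buf: bytes, require_luhn: bool = True) -> list[dict]:
    """One finding per track-formatted run, ordered by offset in the buffer.
    With require_luhn=True only PANs that pass the mod-10 check are kept."""
    findings = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        findings.append({
            "track": 1, "offset": m.start(), "pan": mask_pan(pan),
            "name": m.group(2).decode(errors="replace"),
            "expiry": m.group(3).decode(), "service_code": m.group(4).decode(),
            "chip_capable": chip_capable(m.group(4).decode()),
            "luhn_ok": luhn_ok(pan),
        })
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        findings.append({
            "track": 2, "offset": m.start(), "pan": mask_pan(pan),
            "name": None,
            "expiry": m.group(2).decode(), "service_code": m.group(3).decode(),
            "chip_capable": chip_capable(m.group(3).decode()),
            "luhn_ok": luhn_ok(pan),
        })
    if require_luhn:
        findings = [f for f in findings if f["luhn_ok"]]
    return sorted(findings, key=lambda f: f["offset"])


# Constructed buffer: binary noise around two stripe reads plus one decoy that
# has the right shape but fails Luhn. 4111... and 5555... are published test
# numbers, not real accounts.
SAMPLE_BUFFER = (
    b"\x00\x1fPOS-LANE-04 0x4f1c "
    b";4111111111111111=2512101123456789?"            # Track 2, stripe-only card
    b"\xff\xfe "
    b"%B5555555555554444^DOE/JANE^2612201000000000?"  # Track 1, service 2xx: chip card swiped
    b" ;1234567890123456=2512101? "                   # decoy, fails Luhn
)

if __name__ == "__main__":
    for f in scan_for_track_data(SAMPLE_BUFFER):
        print(f"track {f['track']} at offset {f['offset']}: PAN {f['pan']} "
              f"exp {f['expiry']} service {f['service_code']} "
              f"chip card swiped: {f['chip_capable']}")
```

A hit that passes the Luhn check in traffic between pump and back office is the evidence Visa is describing. The `chip_capable` flag is worth watching on its own: a service code starting with 2 or 6 on a stripe read means a chip card was swiped instead of inserted, which is exactly the fallback the chip-card advice later in this section is meant to avoid.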

Visa has advised merchants to encrypt card data at the point where it is read (so that a foothold on the POS network yields only ciphertext) and to accept chip (EMV) cards, which in some cases means installing pump card readers that support them. Starting next year, Visa will also shift liability for fraud at the pump onto merchants who haven’t made chip readers available, which will hopefully push all gas stations to transition their POS systems to something a bit more secure.

Of course, in the meantime, any security solution that relies on someone else doing the right thing is not likely to offer you much in the way of comfort! So what can you do in order to protect yourself from this threat? Here are a few suggestions:

  1. Pay cash for gas

    Probably the simplest solution, honestly. If you know that gas stations have weak security, then you may want to just pay cash for fuel, even if you typically use cards for your shopping. This also eliminates the issue caused by card skimmers, which, while not the focus of this week’s discussion, is still something you should be thinking about when assessing risk at the pump!

  2. Get a better card

    If you do want to use a credit card to buy gas, either for budget-tracking reasons or to earn rewards points, there are still some good options available to you. The attack described in this story targets magnetic stripe data, so a chip card is the logical place to start: if you’re still using an old-fashioned mag stripe card, replace it with a chipped one, and insert it rather than swipe it. One caveat: a chip card still has a stripe on the back, so if a pump only offers a swipe slot, you are back to the same exposure; if a pump offers chip, use it. A bit more hassle, but also much safer (and still considerably less hassle than dealing with credit card fraud claims!).

  3. Use Apple Pay, Google Pay, or Apple Card

    Mobile payment systems like Apple Pay and Google Pay (the service formerly called Android Pay) are typically better-secured than traditional cards, because the merchant never sees your real card number: the phone presents a device-specific token in its place, plus a one-time cryptogram for each transaction, so data captured from a compromised POS can’t be replayed as an ordinary card. Apple Card can be another excellent option, because it gives you the convenience of a physical card (yes, even in 2020, not all gas stations will accept mobile payments) with no card number printed on it and a virtual card number and security code that you can regenerate from the Wallet app if they are ever exposed.

Communication Limits: Not ready for prime time

Last week, we told you about a new security and privacy feature which Apple was offering to parents. Communication Limits, a new feature of Apple’s Screen Time and Parental Controls offerings, was supposed to set limits on who could contact your child and who your child, in turn, could contact. The idea was to prevent kids from talking to strangers. Great idea … but the implementation is where it all falls apart.

Early users of the Communication Limits feature have found that it has a number of bugs. The most serious one is that in order for Communication Limits to work as it should, your child’s contacts have to be set up for default storage in iCloud. If they aren’t, then incoming texts to a child’s phone will cause iOS to prompt them to add the new number to their address book, which will then allow them to text, FaceTime, or call that number. This, obviously, defeats the entire purpose of Communication Limits! 

Another apparent bug is that if a child’s iPhone is paired with an Apple Watch, the child can ask Siri on the watch to call or text any number, and the system will allow it — even if that number is not on the list of approved contacts. 

All of which raises a very basic question: What’s going on here, Apple? It’s sad to say, but it looks like someone in quality assurance dropped the ball. However, it’s worth noting that Apple has access to some of the best developers in the world, so the issue here isn’t likely one of competence. It’s only speculation, of course, but typically in software development things like this happen when upper management decides that they want to unveil a new feature by a deadline, over the protestations of the actual developers who say they need more time. Apple’s culture has historically resisted this way of doing business, which set it apart from other big tech companies. So if this is a case of a feature being rushed to market for marketing reasons, before being fully tested, it’s disappointing to say the least.

As Apple works on a fix, the best thing to do in the meantime is make sure your child’s contacts are stored in iCloud. On the child’s device, go to Settings > Contacts > Default Account and set it to, you guessed it, iCloud. Note that this only addresses the contact-prompt bug described above, not the Siri-on-Apple-Watch one.

Seriously…get a password manager

Security firm SplashData has released its annual list of bad passwords and it is, well, disheartening — at least to us, since this is another topic that we feel like we’ve talked about before (and more than once). 

The researchers at SplashData looked at millions of passwords which were leaked in data breaches to see what people were using to secure their accounts. Apparently, a disturbingly large number of folks out there are going with things like “123456”, “qwerty”, and “password”. Other entries making the top 25 worst passwords of 2019 include “welcome”, “iloveyou”, and “princess”. SplashData estimates that around 10% of people have used at least one of the top 25 worst passwords.

Stories like this aren’t meant to shame those who are using bad passwords, but rather to educate. Of course, it wouldn’t be fair to place all of the blame on users, either: Part of the problem lies with the fact that we’re still using passwords for authentication at all. As security expert and ethical hacker Georgia Weidman told us in an interview, “Authentication in general is a mess. Whoever decided we were going to use passwords never envisioned the security landscape we have today”. But until we’re able to replace passwords with something better, the best protection is for people to make sure all of their accounts are secured with strong, unique passwords.

So what do we mean by “strong” and “unique”? 

Strong passwords should be long enough, and drawn from a large enough set of characters, that a hacker can’t simply write a program to try every possible combination (a brute-force attack). The cost of that search grows exponentially with length, so length does more for you than anything else: treat eight characters as the floor, not the target, and use a mix of numbers, uppercase and lowercase letters, and special characters on top of that. Passwords shouldn’t contain personal information like your birthdate, anniversary, or street address, since much of that data is surprisingly accessible online, a fact which is routinely exploited by malicious actors. Using “password” plus your birth year really isn’t any safer than just using “password”: cracking tools run through their wordlists with “mangling rules” that append years, digits and symbols automatically. Your password shouldn’t be a word or phrase which exists in a dictionary or a song lyrics database, either, because a common tactic used by hackers is to compile lists of these sorts of potential passwords and then create an automated program to try them out as passwords on various sites (and, once they’ve stolen a database of hashed passwords, to try them offline at billions of guesses per second).

A “unique” password is just what it sounds like: a password you’ve only used on a single site. Your Amazon password should never be the same as your Gmail password; your online banking password should never be the same as the one you use for Words With Friends. The reason is that companies large and small suffer data breaches all the time. If your password is compromised in one of these breaches, it may be months (or never) before anyone even knows about it — and in that time, your password may have been traded or sold by hackers on the dark web. Bad actors know that people reuse passwords all the time, so even if they buy some credentials for an “unimportant” account like a mobile game, they’ll then try those same credentials on higher-value targets like banks, cloud storage services, and so on. This is called credential stuffing, and it is automated, so reuse on even one throwaway site puts every other account sharing that password at risk.

If you only had a handful of accounts to create passwords for, then creating strong, unique passwords might not be so hard to accomplish. But most of us have dozens. And realistically, we’re not going to be able to create — let alone remember — good passwords for all of these. As data breach expert Troy Hunt put it, “The only secure password is the one you can’t remember”.

This is why using a password manager is really a “must do” for anyone who cares about their security and privacy. These tools require a master password to access (which you’ll be able to remember), but then generate and securely store extremely strong, totally unique passwords for all of your other sites. As Troy Hunt said in his interview with us, “Password managers are unequivocally the single best thing you can do for your security posture as a normal, everyday person”.
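To put numbers on the “strong” rules above, and to show what a password manager is actually doing when it generates a password for you, here is an added example in Python. It is not code from the podcast, from SplashData or from any password manager. COMMON_PASSWORDS is a constructed stand-in for a full cracking wordlist, and GUESSES_PER_SECOND is an assumed order of magnitude for an offline attack on a fast unsalted hash, not a measurement.

```python
"""Measure password strength the way an attacker does, and generate one the
way a password manager does.

Added example; not code from the podcast, from SplashData or from any password
manager. COMMON_PASSWORDS is a constructed stand-in for a full cracking
wordlist and GUESSES_PER_SECOND is an assumed, illustrative offline cracking
rate, not a measurement.
"""
from __future__ import annotations

import math
import re
import secrets
import string

# Constructed subset of a SplashData-style list; a real check uses the whole
# list, or a breached-password corpus.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "iloveyou",
    "welcome", "princess", "admin", "dragon", "password1",
}
GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate (illustrative)
MIN_LENGTH = 8             # the floor discussed above, not the target
MIN_BITS = 50              # below this, exhaustive search is cheap

_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover, judged from the
    character classes actually present in the password."""
    return sum(len(cls) for cls in _CLASSES if any(c in cls for c in pw))


def brute_force_bits(pw: str) -> float:
    """Work an exhaustive search faces: length * log2(alphabet size)."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def seconds_to_exhaust(pw: str) -> float:
    """Time to try the whole keyspace at GUESSES_PER_SECOND."""
    return 2.0 ** brute_force_bits(pw) / GUESSES_PER_SECOND


def weakness_reasons(pw: str, personal_facts: tuple[str, ...] = ()) -> list[str]:
    """Empty list means the password clears the rules discussed above."""
    reasons = []
    lowered = pw.lower()
    # Cracking tools apply mangling rules, so "password2019" or "Password!"
    # falls almost as fast as "password": strip trailing digits/symbols and
    # re-check the core word against the list.
    core = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("base word is on the common-password list")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    for fact in personal_facts:
        if fact and fact.lower() in lowered:
            reasons.append(f"contains personal fact {fact!r}")
    if brute_force_bits(pw) < MIN_BITS:
        reasons.append(f"keyspace under {MIN_BITS} bits: exhaustive search "
                       f"takes about {seconds_to_exhaust(pw):.0f} s")
    return reasons


def generate_password(length: int = 20) -> str:
    """What a password manager does: draw from a CSPRNG (secrets, never the
    random module) over the full printable alphabet, re-drawing if a class is
    missing so the result always uses all four classes."""
    alphabet = "".join(_CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if charset_size(pw) == len(alphabet):
            return pw


if __name__ == "__main__":
    for candidate, facts in (("password", ()), ("Password1985", ("1985",)),
                             ("Correct-Horse-Battery-Staple", ())):
        print(f"{candidate!r}: {brute_force_bits(candidate):.0f} bits, "
              f"problems: {weakness_reasons(candidate, facts) or 'none'}")
    fresh = generate_password()
    print(f"generated: {fresh!r} ({brute_force_bits(fresh):.0f} bits, "
          f"{seconds_to_exhaust(fresh):.2e} s to exhaust)")
```

Two things stand out when you run it. An eight-character lowercase password covers about 38 bits, which the assumed attacker exhausts in well under a minute, and bolting a birth year onto “password” does not move it off the wordlist at all. A 20-character password from the generator covers about 131 bits, a keyspace no amount of guessing will reach, and because it comes from `secrets` rather than from a human it is also guaranteed not to be shared with any other site.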

For Apple users who are still on the fence about password managers, or who intend to start using one in the future but don’t feel they have the time to adopt a new technology at the moment, a good way to get started with better password security is iCloud Keychain. It’s not quite a full-featured password manager — it has limitations, and it works best in Safari and Apple’s own apps — but it will generate and remember strong, unique passwords for you, which is a good start and certainly better than staying with “123456”!
