SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy-to-follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 180: Scams, Sign-Ins, and Automatic Updates

Posted on April 9, 2020

This week on the Checklist, we’ll share a new warning about coronavirus scams, update you on the state of Apple’s secure sign-in service, and debate the merits of our own advice!

Don’t fall for it

The Coronavirus Aid, Relief, and Economic Security Act, or CARES Act — the federal government’s initiative to curb the economic fallout from the Covid-19 pandemic — has now been signed into law. In the next couple of weeks, eligible Americans should begin receiving stimulus payments via direct deposit, and taxpayers without direct deposit information on file will receive paper checks by mail in the coming months. 

While these payments will be a much-needed lifeline for many struggling families, they’re also a golden opportunity for criminals — and the government is already warning people to be on the lookout for scams.

Just as they do every year during tax season, malicious actors will no doubt call and email people at random in an attempt to impersonate the IRS. They will most likely play on people’s anxieties about receiving their stimulus payments, asking them to confirm bank or personal details, or saying that an initial cash deposit is required in order to receive the relief funds. If you get a voice call, robocall, or email like that, you can be completely confident that it’s a scam. You don’t have to do anything to “sign up” for a stimulus payment, and the IRS absolutely won’t be calling you about it (they typically use the postal service to communicate with taxpayers anyway).

Scammers may try to impersonate other government entities as well, so be on the lookout for that too. The U.S. Department of the Treasury has issued a clear warning on their website:

“If you receive calls, emails, or other communications claiming to be from the Treasury Department and offering COVID-19 related grants or stimulus payments in exchange for personal financial information, or an advance fee, or charge of any kind, including the purchase of gift cards, please do not respond.”

There you have it, from the Treasury itself: Any call, email, or message of that sort is 100% certain to be a scam. So don’t engage with the scammers!

One more thing: If you’re a regular Checklist listener or reader, and all of this seems like common sense to you, great! But remember that there are a lot — and we mean a lot — of people out there who aren’t nearly as savvy as you are. If you want to help keep them safe, here are two things you can do.

First, take a moment today to tell the people in your life — friends, neighbors, coworkers, and family — that they need to be on the lookout for these scams. Talk to them, email them, share this podcast or our article on Covid-19 scams. Let them know that they should hang up on scam callers, and never, never click on the links that come in a scam email (the best policy there is to just delete it).

Second, be aware that even with everything that’s going on in the world right now, law enforcement agencies and government anti-fraud divisions are still working hard to stop scams and threats. If you think you’ve detected a scam attempt, report it to local law enforcement, or to the appropriate government contact, which can be found at this official website.

Safer Sign-ins are here!

When Sign in with Apple was introduced at last year’s Worldwide Developers Conference, it was hailed as an extremely promising step towards better digital privacy. Similar to other third-party sign-in services like “Sign in with Facebook” and “Sign in with Google”, Sign in with Apple would allow users to access an app or website without creating a dedicated account. Unlike other services, however, Apple’s sign-in tool was built for privacy, and was designed to share an absolute minimum of information with app developers and websites. There was even a feature which would allow users to create random, unique email addresses to conceal their real email addresses from third parties.

All of which sounded great … but still had to be implemented by the app developers. Apple made Sign in with Apple mandatory for any app that allowed other third-party sign-in services, but decided to give developers some time to integrate Sign in with Apple with their apps. For various reasons, the deadline for implementation kept getting pushed back — first to the end of 2019, then to the end of this month, and then, again, until the end of June.

However, many developers decided to take the end of April deadline as final, and are therefore on track to roll out Sign in with Apple in the next few weeks. Dozens of apps are reportedly ready to offer the Apple sign-in option, and more are sure to follow. This raises an important question for people who are currently logging in to apps using Facebook or Google: Should they switch to Sign in with Apple?

We’d say, unequivocally, yes. Just because you’ve been oversharing personal information for years due to a lack of better options doesn’t mean that you have to continue to do so! If you use third-party sign-in already, then check out Sign in with Apple, and consider using it in the future.

To automate, or not to automate 

Whenever Apple releases a new round of updates, we advise our listeners and readers to run their updates, and gently suggest enabling automatic updates if they haven’t done so already.

But last week, we found an exception to that “update now” rule — a compatibility issue in the updated iOS and macOS that was causing problems with FaceTime whenever users tried to call people with older model iPhones and iPads. 

We don’t usually like “exceptions” to security best practices, but these are exceptional times. People need to keep in contact more than ever, and especially with older relatives — many of whom are using older devices. And so we said that the risk of not updating immediately might be justified if it meant keeping FaceTime functional. 

The good news is that Apple has already released iOS and iPadOS 13.4.1, which fixes the FaceTime compatibility bug on mobile. However, that still leaves us with a dilemma: If updates aren’t always perfect, and can cause issues, should we really be enabling automatic updates? Wouldn’t it be better to update manually, and even hold off on updating after each new OS release in case there are any issues?

It’s a fair question, but we’d have to say that for most people, automatic updates are still the best option by far. Yes, automatic updates may cause inconveniences from time to time. But the tradeoff is much better security, and much lower risk. 

First of all, if you’re updating manually, you have to remember to do it — and let’s face it, when things get hectic, it’s an easy task to postpone indefinitely (or forget about altogether). Worse yet, you may not even be aware that there is an update. If the update is a serious one, one that fixes a vulnerability that’s more than just theoretical and is being actively abused “in the wild” by malicious actors, then you’re at risk.

With all of that in mind, and considering that most updates are good updates, it just doesn’t make sense for most people to update manually: Automatic updates are definitely the way to go. That said, if you are extremely conscientious about device maintenance, have a strong understanding of cybersecurity issues, and keep up with Apple’s security bulletins like it’s your job (and for some of us, it is our job), then feel free to disable automatic updates if you prefer.

That takes us to the end of another Checklist, but we’ll return next week with more updates, news, commentary, and tips. In the meantime, check out our extensive archive of past shows, where you can find audio and show notes for every Checklist all the way back to the very first episode!
