SecureMac, Inc.

Checklist 239: Two + Two = You

July 15, 2021

Are data brokers de-anonymizing your data?

On this week’s Checklist:

They know who you are

A recent piece by Motherboard examined the secretive world of data de-anonymization services — and the results were disturbing.

As Checklist listeners know, advertisers and apps collect reams of data about mobile device users. In itself, this isn’t news. And over the past year, Apple’s attempts to stop data collection have generated serious public pushback from Facebook and others. But one of the defenses of data collection used by Facebook and friends has always been that collected user data is anonymized, and therefore safe.

As Motherboard reporters discovered, though, there’s a whole industry devoted to cracking this anonymity. For a price, they’ll link “anonymous” mobile advertising IDs (MAIDs) to your personally identifiable information: your name, address, phone number and more.

Motherboard journalists posed as potential customers and approached a data broker who specializes in linking MAIDs to real people. The company’s CEO proudly told the reporters about all of the information that was on offer — an assortment of de-anonymized personal details that, in his words, were “too numerous to list” in his email.

It’s worrying, to say the least, that anyone with an advertising-enabled smartphone is at risk of being unmasked in this way. According to statistics cited by the data brokers themselves, these companies already have records on almost every adult American. As some observers have pointed out, this may even be a national security risk, since foreign entities could potentially make use of all this identifiable data to buy information about people with very sensitive jobs: elected officials, members of the military, and so on.

The issue hasn’t escaped the notice of politicians, who are calling for stronger regulation of data collection practices. Senator Ron Wyden (D-Oregon) has said:

I have serious concerns that Americans’ personal data is available to foreign governments that could use it to harm U.S. national security. That’s why I’ve proposed strong consumer privacy legislation, and a bill to prevent companies based in unfriendly foreign nations from purchasing Americans’ personal data.

Until such legislation exists, however, it’s up to the individual user to limit how much information apps can collect. The good news is that, on iPhones at least, this is far easier than it used to be thanks to App Tracking Transparency.

Just go to Settings > Privacy > Tracking and toggle off Allow Apps to Request to Track. That will stop iOS apps from even being able to ask for permission to track you — your device will just give them a hard “no” when they try to access your data.

An end to scam callers?

There is a huge problem with scam phone calls in the United States — and some surveys estimate that it’s costing Americans upwards of $30 billion per year.

Around 60% of phone scam victims are taken in by robocalls: those automated scam messages that bad guys send out in bulk. But spam calls aren’t as easy to spot as you might think. The scammers use caller ID spoofing to make their calls appear to come from a local number, which adds an air of legitimacy to the prerecorded message.

So what can be done? According to a recent piece in MacWorld, you’ve got a few options:

  1. Send unknown callers to voicemail

    Your first option is to filter out unknown callers so that you never have to deal with these robocalls (or their live counterparts) again.

    On an iPhone, there’s actually an iOS setting that can help with this. To use it, go to Settings > Phone > Silence Unknown Callers. This will take you to a screen with an explanation and the switch to toggle the feature on.

    When the Silence Unknown Callers feature is enabled, Siri will screen all incoming calls, comparing the caller’s number to your Contacts and other information on your device, and will decide whether or not you know the caller. If Siri thinks that the caller is most likely a stranger, the call gets sent to voicemail.

  2. Block repeat offenders

    If you’re being harassed by a really low-tech spammer, they might keep calling you from the exact same number.

    If this is happening, you can always just block that number! On iOS, just go to your Recent Calls, and tap the information icon (the little “i” in a circle) next to the number. You’ll see a menu of options for what you can do with the number; the one you’re looking for is Block this Caller. Tap that, and then Block Contact on the following screen.

  3. Use an anti-spam app

    Aside from iOS itself, there are also several spam-filtering apps available for iPhone users. Apps like Robo Shield, Truecaller, and Robokiller are generally pretty good at eliminating spam phone calls. The downside, of course, is that they all charge a subscription fee — but if you’re really being deluged by spam calls, it might be worth it.

    On iOS, you’ll have to give an app some permissions in order for it to function correctly, but this is pretty straightforward. Just go to Settings > Phone > Call Blocking & Identification. This is where you can enable your anti-spam app.

  4. Get help from your carrier

    One last option — which still isn’t very widely known — is to ask your cellular carrier for help with spam calls.

    Most of the big carriers have their own spam call blockers that will work on an iPhone. They have free options and paid ones. If nothing else is working, try giving AT&T, Verizon, T-Mobile, or whoever a call and asking them for help.

What’s worse than a stolen iPhone?

Police in Brazil are warning that criminal gangs are stealing iPhones — but not because they want the iPhones themselves!

Instead of reselling a stolen device, they’re pulling the SIM card and putting it into another iPhone. Then, they use publicly available information from social media sites to find the email address of the owner of the stolen phone. This email address is typically going to be the same one used for the victim’s Apple ID, so at this stage, they just reset the Apple ID password using the linked phone number. They’re able to do this because the phone number is associated with the stolen SIM … the one that’s now sitting in an unlocked iPhone controlled by the bad guys. 

Now they’re in, at which point the thieves like to open up the Notes app. Why Notes? As it turns out, a lot of people are storing some very sensitive data here: PINs, passwords for bank accounts, and more.

The solution to this threat is pretty simple: Never store lists of passwords in Notes or other insecure apps! Password managers — protected by a strong master password — are the way to go. In addition, you might consider using an eSIM instead of a standard physical SIM card, since these aren’t as easy to transfer to a new phone.

That brings us to the end of another Checklist. If you’d like to suggest a topic for a future episode, write to us and let us know. To browse past shows, check out our archives, where you’ll find show notes and full audio for every Checklist we’ve ever recorded!
