New Episode Alert EP116

Is contact tracing the latest privacy concern?😷

Weekly Blaze Podcast
Episode 116
April 13 2020

Contact Tracing Apps
New Business Email Compromise Scams
Preventing Unwanted and SPAM Phone Calls

Now more than ever our digital privacy needs to be top of mind. Even if we're not traveling or even leaving our house, this too shall pass and we'll be back to normal sometime in the near future. That's why you should check out Silent Pocket's free download: 5 Tips From The Pros which has actionable advice that you can take right now to improve your privacy, security, and health even in these uncertain times. You'll even get some advice from yours truly. Visit

(that’s the number 5) to get your free download from Silent Pocket's newly designed website 

. And while you're there, check out their full product line of faraday bags and accessories and be sure to use discount code "sharedsecurity" to take 15% off your order.

Over 90% of individuals show risky behavior in handling potential phishing messages according to Click Armor's free

. This engaging coronavirus edition of CanIBePhished.com can help identify your team's total vulnerability to phishing attacks that exploit the pandemic situation. So test your own vulnerability to phishing attacks for free now at

.

What are contact tracing apps and are they a privacy concern?

Have you heard of a concept called "contact tracing"? If you haven't, well it's a procedure that governments and public health organizations use to find out where a person who has been infected by a particular disease has been, and who they've been in close proximity to during the critical time that they may have been contagious. Potential contacts are then notified so that they can be told that they may have been exposed and are provided instructions on getting tested or being quarantined themselves. Now traditionally, contact tracing has been a very manual process of interviews, phone calls, and trying to figure out contact details of potentially unknown people. But now there is new technology being used in the form of a mobile application that can automatically detect interaction with another person that has tested positive for COVID-19.

. Here's how the app works according to TraceTogether's website. Using Bluetooth, TraceTogether identifies other nearby phones with the app installed. It then tracks when you are in close proximity with these other people, including timestamps. If the need arises, this information can then be used to identify close contacts based on the proximity and duration of an encounter between the two users. Once an individual is confirmed with the virus, they can choose to allow the Singapore Ministry of Health to access the data in the app to help identify close contacts.

uses low-energy Bluetooth and GPS to identify people that have the virus and come in close proximity of you. A notice is then sent to the contact which urges them to self-isolate. 

So the first thing that I'm sure you're thinking to yourself is that this is the beginnings of a privacy nightmare! Of course, there are good intentions here to help in fighting COVID-19, but it also opens up the possibility for privacy breaches, abuse of personal data, and even potential discrimination against people that may be infected. Now the TraceTogether app does mention that they have certain privacy controls: the app doesn't track your location or contacts, data is only stored on your phone for 21 days, said data is only accessed if you are identified as a close contact, and your mobile number is paired with a random ID which is exchanged between phones. Keep in mind this is only one app; many apps like these will be coming to market very soon and not all will have these basic privacy controls. Oh, and who is going to make sure that these apps are secure? So the question is, would you be OK using an app like this to help prevent COVID-19? Perhaps many of us will need to compromise and risk some of our privacy in order to curb this pandemic.

FBI warns again of BEC scammers exploiting cloud email services

The FBI has announced that popular cloud-based email services are now being used to conduct BEC scams. If you're not familiar with the term BEC, well that stands for Business Email Compromise, which is a scam where an attacker targets the CEO or the finance department of an organization and uses social engineering techniques through a phishing email to impersonate someone that a victim trusts in order to conduct a wire transfer for money, gain credit card details, or to get the person to give away banking account or other credentials. With this latest FBI warning, scammers are taking advantage of organizations now moving email to cloud-based services like Gmail or Office 365. Scammers are using sophisticated "phish kits" that are designed to imitate and clone the login page for these popular email services in order to get a victim to hand over their email credentials. Once an attacker has gained access to a victim's email, they will search for emails that have evidence of financial transactions or discussions and then leverage that information to impersonate trusted individuals within an organization. The FBI also warned that these same BEC scams have evolved to take advantage of the COVID-19 pandemic where BEC scams are now targeting US municipalities, financial institutions, and banking customers.

Here's one example the FBI gave, which is, quote, "A financial institution received an email allegedly from the CEO of a company, who had previously scheduled a transfer of $1 million, requesting that the transfer date be moved up and the recipient account be changed 'due to the Coronavirus outbreak and quarantine processes and precautions.' The email address used by the fraudsters was almost identical to the CEO's actual email address with only one letter changed." This is, of course, only one of many different types of BEC scams that are trying to capitalize on the COVID-19 pandemic.

For full details on the FBI's recommendations for organizations and individuals, check out our show notes. But the biggest recommendation out of them all is to ensure you're using two-factor authentication with any cloud-based email account. As we've said many times on the show before, two-factor authentication is one of the best defenses to protect not just email, but any service you might be using on the Internet.
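The look-alike sender address in the FBI's example above, identical to the real one except for a single letter, is something a mail filter or a payment-approval step can check for. The following Python is an added example, not from the show or the FBI announcement; the addresses are constructed samples and the function names and one-edit threshold are assumptions chosen to match that example.

```python
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(sender: str, trusted: list[str], max_distance: int = 1):
    """Return (verdict, matched_address).

    verdict is 'trusted' for an exact match (case-insensitive),
    'lookalike' when the sender is within max_distance edits of a
    trusted address without being equal to it, otherwise 'unknown'.
    """
    s = sender.strip().lower()
    closest = None
    for addr in trusted:
        t = addr.strip().lower()
        if s == t:
            return ("trusted", t)
        if closest is None and edit_distance(s, t) <= max_distance:
            closest = t
    return ("lookalike", closest) if closest else ("unknown", None)


# Constructed sample data: one known-good executive address.
TRUSTED = ["j.smith@example.com"]

if __name__ == "__main__":
    for sender in ["J.Smith@Example.com",       # real address, different case
                   "j.smlth@example.com",       # one letter changed
                   "j.smith@exmple.com",        # one letter dropped
                   "billing@vendor.example"]:   # unrelated sender
        print(sender, classify_sender(sender, TRUSTED))
```

A 'lookalike' verdict on a message that asks to change a payment date or recipient account is a reason to confirm the request through a separate, already-known channel before acting on it.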

Over half of the phone calls people receive now are SPAM!

Surprise, surprise but did you know that new research shows that over half of the phone calls we receive are SPAM? I kind of feel like we don't really need a study to tell us that, right? I mean, you're probably like many of us in that the SPAM phone calls are constantly bombarding our phones. And despite call blocking apps from our mobile carriers and proposed FCC intervention, this problem seems to be getting worse.

, showed that 54% of the calls people received are unwanted. Moreover, the tricks that scammers are using, such as the caller ID showing an unknown caller or familiar number, are working, as 55% of survey respondents actually answer their phone when calls like these come in. Sadly, almost one in ten people admit to falling for a phone scam, while one in three people know someone who has fallen for a phone scam. The other data from this survey that I found interesting was the efforts that people are making to reduce unwanted calls. 53% of respondents state that blocking unwanted callers via the features provided by their phone is the most popular method, followed by registering their phone number on the "do not call" registry. Last of the top three was blocking unwanted callers through features provided by your mobile carrier. Note that 21% of survey respondents said they've taken no action to try and stop all these unwanted calls.

One of the most effective ways you can eliminate unwanted calls is to use the "do not disturb" feature on your phone which only allows calls from personal contacts. Some phones like Apple iPhones actually have a feature called "Silence Unknown Callers" which will send calls like these right to voice mail. Note that you'll still get calls from anyone in your contact list or recent outgoing calls. Besides these methods

including forcing the telecom carriers to implement a technology called "Caller ID Authentication" which aims to stop SPAM calls at their source. For more details on this and other actions the FCC is taking check out our show notes for several links on this topic. And remember your best defense outside of a technical solution is to never pick up your phone when you see an unknown caller, just let them go to voicemail.

March Monthly Show
Episode 98

In episode 98 of our monthly show co-host Scott Wright shows us a demo of Click Armor which is a gamified cybersecurity awareness platform, Tom presents the results of our listener survey, and we have a discussion about the privacy concerns with geofence warrants.

Watch this episode on our YouTube Channel!

Thank you to our sponsor

Silent Pocket!

Take advantage of this exclusive offer and help support this podcast!

Visit

to shop Silent Pocket's great line of privacy focused products.