On March 3, 2020, the cyber division of Federal Bureau of Investigation (FBI) issued a private industry notification calling out Business Email Compromise (BEC) scams through exploitation of cloud-based email services. Microsoft Office 365 and Google G Suite, the two largest cloud-based email services, are targeted by cyber criminals based on FBI complaint information since 2014. The scams are initiated through credential phishing attacks in order to compromise business email accounts and request or misdirect transfers of funds. Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting the two cloud services. The popularity of Office 365 and G Suite has positioned themselves as attractive targets for cybercriminals.
Trend Micro Cloud App Security is an API-based service protecting Microsoft® Office 365, Google G Suite, Box, and Dropbox. Using multiple advanced threat protection techniques, it acts as a second layer of protection after emails and files have passed through Office 365 and G Suite’s built-in security.
In 2019, Trend Micro Cloud App Security caught 12.7 million high-risk email threats in addition to what Office 365 and Gmail security have blocked. Those threats include close to one million malware, 11.3 million phishing attempts, and 386,000 BEC attempts. The blocked threats include 4.8 million of credential phishing and 225,000 of ransomware. These are potential attacks that could result in an organization’s monetary, productivity, or even reputation losses.
Trend Micro started publishing its Cloud App Security threat report since 2018. For third year in a row, Trend Micro Cloud App Security is proven to provide effective protection for cloud email services. The following customer examples for different scenarios further show how Cloud App Security is protecting different organizations.
Customer examples: Additional detections after Office 365 built-in security (2019 data)
These five customers, ranging from 550 seats to 80K seats, are across different industries. All of them use E3, which includes basic security (Exchange Online Protection). This data shows the value of adding CAS to enhance Office 365 native security. For example, a transportation company with 80,000 Office 365 E3 users found an additional 16,000 malware, 510,000 malicious & phishing URLs and 27,000 BEC, all in 2019. With the average cost of a BEC attack at $75,000 each and the potential losses and costs to recover from credential phishing and ransomware attacks, Trend Micro Cloud App Security pays for itself very quickly.
Customer examples: Additional Detections after Office 365 Advanced Threat Protection (2019 data)
Customers using Office 365 Advanced Threat Protection (ATP) also need an additional layer of filtering as well. For example, an IT Services company with 10,000 users of E3 and ATP detected an additional 14,000 malware, 713,000 malicious and phishing URLs, and 6,000 BEC in 2019 with Trend Micro Cloud App Security.
Customer examples: Additional Detections after third-party email gateway (2019 data)
Many customers use a third-party email gateway to scan emails before they are delivered to their Office 365 environment. Despite these gateway deployments, many of the sneakiest and hardest to detect threats still slipped though. Plus, a gateway solution can’t detect internal email threats, which can originate from compromised devices or accounts within Office 365.
For example, a business with 120,000 Office 365 users with a third-party email gateway stopped an additional 27,000 malware, 195,000 malicious and phishing emails, and almost 6,000 BEC in 2019 with Trend Micro Cloud App Security.
Customer examples: Additional Detections after Gmail built-in security (2019 data)
*Trend Micro Cloud App Security supports Gmail starting April 2019.
For customer choosing G suite, Trend Micro Cloud App Security can provide additional protection as well. For example, a telecommunication company with 12,500 users blocked almost 8,000 high risk threats with Cloud App Security in just five months.
Email gateway or built-in security for cloud email services is no longer enough to protect organizations from email-based threats. Businesses, no matter the size, are at risk from a plethora of dangers that these kinds of threats pose. Organizations should consider a comprehensive multilayered security solution such as Trend Micro Cloud App Security. It supplements the included security features in email and collaboration platforms like Office 365 and G Suite.
Check out the Trend Micro Cloud App Security Report 2019 to get more details on the type of threats blocked by this product and common email attacks analyzed by Trend Micro Research in 2019.
The post Trend Micro Cloud App Security Blocked 12.7 Million High-Risk Email Threats in 2019 – in addition to those detected by cloud email services’ built-in security appeared first on .
We are in unique times and it’s important to support each other through unique ways. Snyk is providing a community effort to make a difference through AllTheTalks.online, and Trend Micro is proud to be a sponsor of their virtual fundraiser and tech conference.
In today’s threat landscape new cloud technologies can pose a significant risk. Applying traditional security techniques not designed for cloud platforms can restrict the high-volume release cycles of cloud-based applications and impact business and customer goals for digital transformation.
When organizations are moving to the cloud, security can be seen as an obstacle. Often, the focus is on replicating security controls used in existing environments, however, the cloud actually enables new levels of visibility and controls that weren’t possible before.
With today’s increased attention on cyber threats, cloud vulnerabilities provide an opportunistic climate for novice and expert hackers alike as a result of dependencies on modern application development tools, and lack of awareness of security gaps in build pipelines and deployment environments.
Public clouds are capable of auditing API calls to the cloud management layer. This gives in-depth visibility into every action taken in your account, making it easy to audit exactly what’s happening, investigate and search for known and unknown attacks and see who did what to identify unusual behavior.
Join Mike Milner, Global Director of Application Security Technology at Trend Micro on Wednesday April 15, at 11:45am EST to learn how to Use Observability for Security and Audit. This is a short but important session where we will discuss the tools to help build your own application audit system for today’s digital transformation. We’ll look at ways of extending this level of visibility to your applications and APIs, such as using new capabilities offered by cloud providers for network mirroring, storage and massive data handling.
Register for a good cause and learn more at https://www.allthetalks.org/.
The post Cloud Native Application Development Enables New Levels of Security Visibility and Control appeared first on .
Introduction Open-source software helped to revolutionize the way that applications are built by professionals and enthusiasts alike. Being able to borrow a non-proprietary library to quickly prototype and build an application not only accelerates progress in projects, but also makes things easier to work with. Open-source libraries when creating applications is not the only positive […]
The post Open-source application security flaws: What you should know and how to spot them appeared first on Infosec Resources.
The reality is beginning to hit: The holiday season will look and feel different this year. Traditional family gatherings, complete with mile-long dinner tables and flag football games, are now considered COVID “super spreader” events, putting a dent in plans for large gatherings.
Still, there’s a bright side. We may be dealing with a pandemic, but we also happen to live in time of amazing technology and ingenuity. That means when the face-to-face connection isn’t possible, we can connect with a click or two.
According to the Center for Disease Control, it’s important to keep basic safety protocols such as mask-wearing, disinfecting, and social distancing in place. In addition, they recommend limiting the number of guests, celebrating outdoors if possible, and limiting the number of people in food prep areas. One of the most important things you can do, says the CDC, is to “have conversations with guests ahead of time to set expectations for celebrating together.”
A part of those conversations can also include ways to digitally connect with elderly or at risk loved ones who can’t gather and how to do it safely and securely. Here are a few ideas to get you rolling.
One big tip in organizing a successful, digitally connected holiday is to prep your technology logistics before your gathering. Ensure everyone invited to the call has downloaded the right app, adjusted privacy settings, and understands app and safety basics. For family members who may be uncomfortable connecting digitally, consider calling a few days ahead of time, previewing the app, and answering any questions. Prepping your tech will maximize your time together and ensure everyone feels confident.
1. Cook together. Use video apps such as FaceTime or Zoom to share recipes and even have grandma teach the kids to cook her famous corn casserole. Since everyone is together, you may even want to crowdsource favorite family recipes in a google doc and make a family cookbook.
Safe Family Tip: Your FaceTime app is always ideal because it’s encrypted and still private. When using video apps such as Zoom, make sure your account and meeting settings are personal.
2. Share a virtual mealtime. You might be surprised at how much fun sharing a mealtime virtually can be (we’ve tried it!) It’s easy: Set up your phone or computer on a stationary tripod or shelf that frames your dinner table. Agree on a time with family members. Dial them up on your phone or in your app. Toast the holiday in real-time.
Safe Family Tip: Be aware that with the increase in people going online to connect with family, shop, and work, hackers are also working overtime to get into Zoom (and other apps) conversations and figure out ways to plant malware. With increased digital activity, think about a comprehensive security solution, which can help protect devices against malware, phishing attacks, and other threats.
3. Enjoy movie time together. Using apps like Hulu Watch Party, Watch2gether, Amazon Watch, Netflix Party, and Houseparty makes it easy to watch a movie together from multiple locations. For kids, there’s Disney Plus Party for kid-friendly group viewing. Some of the apps require screen sharing, others separate logins, while others are simply one account holder sharing a link. The Verge offers this step-by-step on how to for several of these apps.
Safe Family Tip: Make sure the movie site or app you are using is legal and safe. Cybercriminals are hot on the trail of movie fans and have created movie apps designed to download malware onto computers. Avoid clicking on pop-up ads or random links while looking for movies or apps. Add an extra layer of protection using a Virtual Private Network (VPN) to encrypt your online activity, keep your identity secure, and secure downloads.
4. Multiplayer Game Apps. Don’t worry. Family game night lives on! Even if you are separated by miles, you can play virtual family games like Charades, Uno, Pictionary, Trivia, and many video games.
Safe Family Tip: Be sure the app you are downloading is legitimate. Read reviews and make sure there aren’t any virus or malware issues before downloading. Once downloaded, maximize your safety settings on the app, use strong passwords, and only connect with known players.
5. Virtual Karaoke. Gather on apps like Smule to enjoy some family karaoke together.
Safe Family Tip: Any group app can be a danger zone for cyberbullying or connection from strangers. Be sure that family members are aware of the dangers of allowing younger users to keep these apps on their phones following the holidays. Parental Control Software is an easy way to make sure your kids engage with safe content online.
Thanks to technology, it’s possible to shrink just about any distance. Will it take effort? Sure. Some learning? Yup. But hopefully, even though your home may feel a little more empty this year, your heart will be full.
The post 5 Fun Ways to Keep Family Connections Strong (and Secure) This Holiday appeared first on McAfee Blogs.
All the kids are doing it, and so can you.
If you haven’t hopped onto a video chat with the family yet, the holidays are a great time to give it a whirl. While there are plenty of apps and services out there for video chatting, I put together a quick list of the more no-nonsense options.
Broadly speaking, I selected video chatting apps that are free, relatively straightforward, and possibly something you already have on your smartphone, tablet, or computer. From there, I also offer up some advice that can keep you and your family safe while you chat. Let’s take a look …
One of the easiest ways to hop onto a video chat is with your smartphone or tablet. They can save you a bit of configuring and fiddling around with settings because these devices have cameras, microphones, and video chat apps already built in. In that way, they’re optimized for video chat, so using one of them is practically “point and shoot.”
Depending on what smartphone or tablet you have, you have a couple of leading options:
Pre-installed on iPhones and iPads, FaceTime can connect up to 32 people on iOS and Mac OS devices at one time. That way, if you want to chat with a few family members at once, you can have plenty of people join in. Note that only iOS and Mac OS devices can use FaceTime, so the person you want to chat with will need FaceTime on a iOS or Mac OS device as well. Connections are quite simple. In fact, as simple as making a phone call. You can start a FaceTime call with a tap of family members in your contact list. Your device does the rest.
Google Duo is a voice chat app much akin to FaceTime that’s found on plenty of Android phones and tablets. However, it differs from FaceTime because it’s available for multiple platforms. For example, there’s a Google Duo app for iPhones, so if your grandkids have iPhones, they can install the Google Duo on their iPhones and have a chat with you on your Android phone.
Also, you can use Google Duo on a web browser without an app by clicking here. That’s a great option if you have a camera-ready laptop or computer—which we’ll talk about more next.) Google Duo also features “Family Mode” where you can put on masks and make doodles on the screen if you’re signed in with a Google account.
If you don’t have a smartphone or tablet, there are still plenty of options that are free and relatively easy as well.
For starters, you’ll need a laptop or computer with a microphone and camera, which is more or less standard in laptops today. If your laptop or computer doesn’t have that combo already, not to worry. There are plenty of moderately priced web cameras that include a microphone. I suggest getting one with a physical lens cap. That way it always protects your privacy. Likewise, you can always disconnect yours when it’s not in use.
With that, here are a few options for video chatting on your computer:
Originally aimed at a business audience, families and schools quickly latched on to Zoom for its ease of use at the start of the pandemic. Zoom offers unlimited time and unlimited calls for one-to-one meetings yet has a 40-minute limit once there are more than two devices connected. While there’s an app available, I recommend that you set up a free account and run it through a browser window. That way, you don’t have to deal with an install and you’ll always have the latest security protocols in play.
Skype from Microsoft has been around for a long time, getting its start back in the early 2000’s as a voice and text chatting app. Today, it comes standard on Windows PCs and supports apps for all kinds of tablets and smartphones too. Up to 50 people can join, which is of course plenty. If you want to create a video chat without an account, you can simply visit this page and start an instant video chat with a click. That’ll give you a link that you can copy and share with your family. And when they click on that link, you’ll all be connected.
Free to anyone with a free Google Gmail account, you can use Google Meet just by clicking its icon from your Google apps menu or by visiting https://meet.google.com/. Originally designed for businesses, governments, and schools, this premium product is now available to all. Some nice features include the ability to schedule a meeting with your family using Google Calendar and additional security features that help make sure your call is private. Like Zoom and Skype, it can run in the window of your browser, so there’s no app to download and install.
As I mentioned above, there’s practically setup when it comes to running a video call on your smartphone or tablet, as they’re already configured for video. Computers, however, may take a little more effort.
The first thing is to make sure that your microphone, speakers, and camera are all set up and ready to go. If you have a Windows computer, you can check out this quick article to get your audio set up and this article for setting up your camera. For Macs, check out this article for audio and this article for video.
From there, you can log into your video chat app or service of choice and give your audio and video a test just to make sure everything is a go. You can do this before you make a call by starting the app as you normally would and then clicking on the menu item for “Settings.” Each app handles it a little differently, yet the interface should show you if it detects your camera, microphone, and speakers. Once you’re set up, you likely won’t have to go back in and do it again.
Now, it’s time to think like a movie director. As you might think, the camera angle and lighting in your room make all the difference on a video chat.
In a way, the camera is the way you’ll make eye contact with your family. Set the camera or hold your device so that it’s at eye level with you. That way, it’ll appear like you’re making eye contact with them. Few things feel stranger on a video chat than a camera angle that appears to have you looking down at them (and with them looking up your nose in return).
As for lighting, avoid sitting with a light source behind you. The camera will adjust itself to the light source instead of you, putting your face in the dark. Instead, look to have a light source that’s in front and a bit off to the side from you. That’ll light your face without washing out your face in harsh light. Likewise, if you’re sitting in front of a computer monitor while you’re chatting, see if you can lower the brightness on the monitor. That’ll keep your video looking great as well.
Once you’re all set up, here are a few things that will help keep your calls private and secure.
If you’re initiating the chat, be sure to create a password that that uninvited parties can’t join the call. Also, don’t be shy about asking your family members to use a password on the calls they initiate. It’s pretty much a standard practice nowadays.
Many services, like Zoom, allow people to join a video chat by clicking a link. As with any link that’s sent to you, be sure that it’s legitimate. Confirm the link with the family member who sent it, particularly if you weren’t expecting one.
Likewise, make sure that you’re using comprehensive security software that protects you from scam emails and links, plus block links that could send you to sketchy websites. That way, if you do get sent a bogus invite link from a scammer, you’ll be protected.
When you click a link to join a video call from your computer, it will open a new browser tab that will prompt you to join the call. Often, there will be an option to “join using the app,” which your browser will automatically download if you click that option. However, the easiest way to join is by clicking the option to “join using my browser.” In addition to being a no-fuss option, it also means one less app on your device to keep current.
Aside from giving you the latest features and functionality, updates also often include essential security improvements. Set your computer to update itself automatically and consider using security software that will scan for vulnerabilities and install updates automatically as needed.
With the holidays upon us and the and New Year on the horizon, now’s a great time to give video chatting a try. As with any new app you try, do a little research of your own before you download it. Check out the news reviews to see if it’s right for you or if there have been any security concerns.
I hope this overview gives you a great start and that it becomes just one more of the many ways you keep in touch, whether during the holidays or year ’round.
To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Zooming with the Grandkids: Five Easy Video Chat Apps for the Holidays appeared first on McAfee Blogs.
Most of us have fond summer memories of hanging out with friends in a secret clubhouse. However, this isn’t that. While the word clubhouse stirs up instant feelings of belonging to a group of friends, the digital Clubhouse app, we’re referencing is a meeting hub for users over 18. Currently, still in its beta phase, Clubhouse is by invitation only. This exclusivity is also what makes it somewhat irresistible for tweens and teens looking for a new place to meet with friends.
Clubhouse is an all-audio social network; kind of like a podcast meets a group phone call. Guests may drop in and even speak if they raise their hand are unmuted by the speaker. Speakers create “rooms” each with different topics and invite people to join in on that discussion.
The app found its wings as a fun place to connect during the pandemic. Mom groups, business roundtables, staff meetings, political groups, think tanks, and hobbyists flocked to connect on the app and still do. The topics are plentiful and there’s always a conversation happening that you can access with a click.
Currently there aren’t any parental controls or privacy settings on Clubhouse. While the app states that there’s a minimum age requirement of 18, there isn’t an actual age-verification system. As with so many other apps, anyone under 18 can simply get an invite, fake their age, and either drop in on any of the conversations going on or start their own room.
Mature content. Topics on Clubhouse cover a wide range of topics both mainstream and fringe. So, if an underage user fills out their profile information and interests, they will automatically get invitations to several daily discussions, which may or may not be age appropriate. They can also explore and join any kind of group.
Bullying. Clubhouse discussions are uncensored. Therefore, it’s possible that a heated discussion, biased comments, or bullying can take place.
Misinformation. If you walked through a crowded mall, you might overhear a dozen different accounts about a news event, a person, or a topic. The same holds true for Clubhouse where commentary is the currency. Therefore, misinformation is likely (as is common with any other app).
Accounts can’t be locked. Another privacy gap on Clubhouse is that accounts can’t be set to private and rooms/conversations will remain open by default unless the host makes it private, which means anyone can drop in.
The celebrity hook. Clubhouse has attracted celebrities and social media influencers to its halls who host discussions. This is a big draw for kids who want to hear real-life conversations and just get a bit closer to their favorite celebrity. Again, content can be unpredictable in these rooms and potentially risky for underage users.
Why age restrictions matter. More and more, kids who ignore age restrictions on apps are wandering into trouble. Consider talking to your child about why age restrictions exist, the consequences if they are ignored, and some alternative apps that might be safer.
Why privacy matters. While Clubhouse has grown prolifically in a short time, which has caused some concern over data privacy. According to reports, Clubhouse asks users to share their contacts and has been accused of being “overly aggressive with its connection recommendations.” Also, it’s unclear how the app collects and leverages user data. As outlined by McAfee’s Advanced Threat Research Team last month, the security of user information and communication within Clubhouse has vulnerabilities that could be exploited. For these reasons, consider discussing the data “exchange” we often make when we jump on an exciting new app, why data matters, and why it’s important to understand what’s being collected and to use any and all privacy settings. According to its privacy policy, Clubhouse also “temporarily record the audio in a room when it is live.”
Why content matters. With so many images and ideas coming across our screens every day, holding fast to our content standards can be a challenge for families. Talk to kids about why age-appropriate conversations, topics, and friend groups matter online and what happens when you try to speed up that process. Discuss how content filters and parental controls work and consider them for your family.
The good news about Clubhouse (when it comes to young users) is that along with its rapid growth, the creators are reportedly responding to consumer safety demands and daily increasing in-app safety features for reporting harassment and abuse.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Is the Clubhouse App a Safe Place for Kids to Hangout? appeared first on McAfee Blogs.
When gyms were forced to close last year, you likely looked for other ways to get some exercise and stay active during quarantine. From investing in a few pairs of dumbbells or perhaps downloading an app or two to help you track your workouts, you found alternatives to help you break a sweat. As an accessible, easy way to release endorphins, running quickly grew in popularity along with the platforms that help runners stay accountable. According to Runner’s World, there was a 34% uptick in outdoor miles logged by common fitness apps between March and September 2020 compared to the same stretch in 2019. But are these tools potentially endangering your privacy?
According to TechCrunch, running apps could potentially threaten your security if the data they collect ends up in the wrong hands. Let’s explore the functionalities of these apps and how they could pose a threat to your online safety.
Running apps are solid companions for advanced and amateur runners alike, allowing you to track the length of your run and set a pace for yourself. These apps learn a lot about you the more you use them by gathering health data like your height and weight and even your location. But similar to the threats that exist when you overshare on other online platforms, this data could pose a serious threat to your privacy. For example, location data could identify where you live or where you work – information that you definitely wouldn’t want in the hands of a stranger. If a cybercriminal is able to hack into your account, they could exploit this information to commit identity theft or craft a phishing email disguised as your employer.
Additionally, many of these apps lack basic security measures to prevent hackers from breaking into accounts or from health and fitness data from spilling out. For example, many popular running apps allow the most basic passwords like “qwerty” and “password.” Oftentimes, hackers automate their attacks by targeting accounts with easy-to-crack passwords like the ones mentioned. This allows them to exploit the most accounts with as little effort as possible. Furthermore, these apps do not have the option to set up two-factor authentication, which creates an additional barrier to prevent hackers from exploiting reused passwords.
No matter where you are in your fitness journey, it is essential to take the necessary precautions to minimize the risks of the platforms you use to hold yourself accountable – running apps included. If you are looking to hit your stride while keeping security and privacy top of mind, follow these tips:
Your password is your first line of defense, so it is important that you use one that is strong and unique to your other account credentials. If a hacker does manage to guess your password for one of your online accounts, it is likely they will check for repeat credentials across multiple sites. By using different passwords or passphrases, you can feel slightly more at ease knowing that the majority of your data is secure if one of your accounts becomes vulnerable.
You can also use a password manager to help you create strong passwords, remove the hassle of remembering numerous passwords, and log on to websites automatically.
Some running apps are configured to publicly share user data by default. After you download an app, spend some time researching how to change these settings so your data is not shared with strangers without your permission.
If your running app of choice does undergo any security updates, make sure that they are installed as soon as possible. Developers actively work to identify and address security issues. Frequently update your operating systems and apps so that they have the latest fixes and security protections. The easiest way to do this is to enable automatic software updates on your mobile device.
Next time you go for a run with your location services on, think again about what risks this poses to your virtual security and your physical safety. Enhance your security by only enabling the features that are necessary to optimize your fitness performance. This will help prevent hackers from using your location as a vehicle to invade your privacy.
Since the data collected on running apps involves sensitive health and location information, it is worth reviewing the privacy policies for all of the fitness platforms you regularly use to see how your data might be affected. To ensure that you can keep moving toward your fitness goals while protecting your online safety, stay educated on the tools you use to track your progress and implement the necessary security measure to do so with security in mind.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post How to Remain Secure While Using Running Apps appeared first on McAfee Blogs.
More and more social platforms are coming up with safer ways for younger kids to access their apps. The most recent announcement comes from Facebook who is reportedly creating a version of Instagram for kids 13 and under.
It’s a family safety win to see so many companies (YouTube, TikTok, and Facebook have parental control channels) making changes. That’s because currently, kids under 13 have no problem getting around an app’s age restrictions, a decision that can expose them to risks such as cyberbullying, stranger connections, and inappropriate content.
With apps making an overall shift toward safer experiences, areas of concern for families still exist especially since kids are increasingly connecting with social media companies before they enter middle school. Here are just a few things to consider as your child moves into the world of social networking, regardless of his or her age.
The window between 9-12 is an important one when it comes to teaching kids digital skills and influencing their digital behavior. It’s never too early to begin these conversations. Remember, kids need aware, digitally savvy parents more than ever to prepare them for the challenges ahead.
The post More Apps for Younger Users Emerging. Here’s What Parents Need to Know. appeared first on McAfee Blog.
Today’s technology allows you to complete various tasks at the touch of a button wherever you go. As a result, you place trust in online services that make everyday chores more convenient without second-guessing their effects. One such service is online banking. More Canadians are doing their banking virtually with over 76% using online or mobile devices. Despite the extensive measures that banks take to strengthen their online security, no system is fail-safe. It is extremely important to practice proper security habits and be on the lookout for online fraud to ensure the safety of your financial information.
According to the Canadian Bankers Association (CBA), banks in Canada use sophisticated technology and layers of security to help protect customers from fraud when doing their banking online or using a mobile banking app. Although online banking is generally safe, it does provide cybercriminals with a potentially lucrative opportunity. Some scammers turn to phishing techniques to trick people into handing over their sensitive personal information. They call, text, or email you claiming to be a representative from your bank and state that they noticed some unusual activity related to your account. The imposters then ask you to click on a link in the email or text message to verify your credentials. Unfortunately, this “verification link” is actually a phishing link, and cybercriminals can use the password or credit card details to walk right into your account.
Once cybercriminals gain access to your password and username, they may then move on to credential stuffing. Credential stuffing occurs when an attacker inserts the username and password for one account into the login page of another online service. This tactic capitalizes on the fact that many people reuse the same username and password across multiple accounts.
Hackers also use phishing to spread malware onto the devices you use to access online banking services. These suspicious emails and text messages disguised as notifications from your bank could contain malicious links or attachments that trick you into downloading malware on your device. Furthermore, attackers mimic banking and money transfer institutions to collect your credentials and access your sensitive information.
The convenience of paying bills and depositing checks without running to the bank or post office is undeniable. Everyone is always rushing about, so if you’re now doing these things online securing your online privacy is not a responsibility to speed through.
It’s important that you put your privacy first when using online and mobile banking platforms so you can use these convenient services without jeopardizing your financial accounts. Follow these tips to enhance your online banking security:
Review your bank’s terms and conditions to understand your responsibilities as the account owner and the responsibilities of your bank. Check your accounts regularly for transactions you didn’t make and contact your financial provider as soon as you find an error. Most banks have policies that reimburse you for unauthorized purchases if someone uses your credit card without your permission.
Look at the recommendations provided by your bank, for example, CIBC recommends using longer passwords for your bank account that include a combination of uppercase, lowercase, numbers, and special characters. Additionally, do not reuse this password across your other accounts. If a hacker guesses your password for one of your online accounts, it’s likely that they will check for repeat credentials across multiple sites. By using different passwords or passphrases, you can feel secure knowing that the majority of your data is secure if one of your accounts becomes vulnerable. If you’re worried about forgetting your passwords, subscribe to a password management tool that will remember them for you.
Always opt-in for two- or multi-factor authentication if your financial institution offers it. This is a method of signing in that requires not only a username and password but also a one-time code that is sent by text or email. This extra layer of verification makes it much harder for a criminal to access your sensitive accounts.
From splitting the check when eating out with friends to dividing the cost of bills, third-party mobile payment apps are an incredibly easy way to share money. Before downloading these apps, do your research. Ensure that the company behind the app or the app itself hasn’t undergone any major security incidents and that they have a history of patching bugs immediately. If you decide to download a mobile payment app, set your account to private and limit the amount of data you share. Additionally, look for the lock icon in your web browser when logging in to online banking platforms. A closed lock or padlock indicates that the website you’re on is secure.
Phishing scammers often undo their own plans by making simple mistakes that are easy to spot once you know how to recognize them. These mistakes include spelling or grammar errors throughout the email or text message, using a company’s logo with the incorrect aspect ratio or low resolution, and using a URL with typos. For example, phishers may swap an “o” with a zero, or end the address with “.con” instead of “.com.” If you receive a message with any of these characteristics, do not click on any of the links and delete it immediately.
Never conduct your banking business on a public or unsecured wi-fi network. Connect to a virtual private network (VPN), which allows you to send and receive data while encrypting your information. When your data traffic is scrambled, it’s shielded from prying eyes, which protects your network and the devices connected to it.
While online banking adds a wealth of convenience to your lives, it’s important that you remain invested in your security first and foremost. Cybercriminals often take advantage of your reliance on digital platforms to disguise themselves as bank representatives and trick you into handing over your personal data. To remain secure while online banking, practice good cybersecurity hygiene by using strong, unique passwords, multi-factor authentication, and stay vigilant while looking for signs of phishing. These tips will help elevate your financial security so you can virtually bank with peace of mind.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Elevate Your Financial Security: How to Safely Bank Online appeared first on McAfee Blogs.
It’s a question I get several times a year from anxious parents, either via a direct message, an email or even in line at the grocery store. It goes something like this: “What’s the one thing you wish you’d done better when monitoring your kids’ technology?”
Both of my kids are now young adults, and together, we survived a handful of digital mishaps. So, I tend to have a few answers ready. I’ll go into one of those answers in this post, and here it is: I’d physically pick up their phone more often and ask questions about the apps I didn’t recognize.
And here’s why.
There are the apps on your child’s phone that are familiar. They are the easy ones. We know what color they are, what their graphic avatars look like — the little ghost on the yellow background, the little bird, the camera on the bright purple and orange background. We may have gone through the app together or even use one or two of the apps ourselves. There’s Snapchat, TikTok, Twitter, YouTube, WhatsApp, Kik, and Instagram, among others. There are the mainstay photo apps (VSCO, Facetune, PicsArt) and games (The Sims, Fortnite, Minecraft). We may not like all the apps, but we’ve likely talked about the risks and feel comfortable with how your kids use them. With general recognition, it’s easy to have a false sense of security about what apps our kids are using.
Then, there are the apps on your child’s phone you know nothing about — and there are plenty. Rather than dismiss your concern because you don’t understand the app or because you may not have the energy to start an argument, next time, think about pausing to take a closer look. If you have concerns, address them sooner rather than later.
Here are just a few of the non-mainstream apps that kids use that may not be on your radar but may need a second look. Note: Every app has the potential to be misused. The apps mentioned here are also used every day for connection, entertainment, and harmless fun. Here are just a few this author has had experience with, and others commonly documented in the media.
Quick Tip: It’s possible a child might bury an app inside a folder or behind other apps on their home screens, making it harder to find. By going into settings in either iOS (Settings > General > iPhone Storage) or Android (Google Play Store > Apps >All), you can usually get a quick view of all the apps that exist on a phone.
Almost every app has privacy gaps if settings and monitoring are neglected. However, apps such as Live.Me, Game Pigeon, and Zoomerang (among many others) may have loopholes when it comes to age verification, location tracking, and gaps in personal data security. These gaps can give potential predators access to kids and increases opportunities for cyberbullying.
Safe Family Tip: Sit down with your kids, go through any unfamiliar apps, and use parental controls to monitor all family device activity.
If a child wants to keep activity or content secret from a parent, they will likely find a way. Some of the apps kids use to hide games, photos, or texts are encryption apps (apps that scramble content to outside sources) such as WhatsApp, Proton VPN, ProtonMail, Telegram, and Signal. Other secrecy apps are called vault apps (apps that can be disguised, hidden, or locked), such as Calculator, Vault, HideItPro, App Locker, and Poof.
Safe Family Tip: If you find one of these apps on your child’s phone, stay calm. Kids want privacy, which is normal. However, if the content you see is risky, remind your child that no content is 100% private, even if it’s in a vault app. In addition, commit to the ongoing dialogue that strengthens trust and together, considers setting safety expectations for devices, which may include parental controls.
Some apps, especially dating-type apps, require users to allow geotagging to connect you with people in your area. Yubo, which is an app like Tinder, is one your kids may be using that requires location to use it. Live.Me is another geotagging app.
Safe Family Tip: Go over the reasons location apps (and dating apps) are dangerous with your child. Sharing their location and meeting In Real Life (IRL) has become the norm to many kids. Remind them of the risks of this kind of behavior and together, put new boundaries in place.
The web is full of sketchy, dark pockets kids can stumble into. They can hear about a community forum or app from a friend and be wowed simply because it’s different and edgy. While there are plenty of harmless conversations taking place on these apps, spaces such as Discord, Reddit, and Twitch have reportedly housed communities’ extreme ideologies that target vulnerable kids.
Safe Family Tip: Be aware of behavior changes. Talk with your kids about the wide range of ideals and agendas promoted online, how to think critically about conversations and content, and most importantly, how to spot these communities.
Anonymity online is problematic for a plethora of reasons. Apps such as Yolo, Tumblr, and Tellonym, Omegle, YikYak, Whisper, LMK, MeetMe, are just a few of those apps to look for. Many of these apps are chat apps used to eventually meet up with new friends in real life (IRL). However, when apps allow anonymous accounts, it’s almost impossible to trace inappropriate content, threats, or bullying incidents.
Safe Family Tip: Kids get excited about making friends and having new experiences— so much so, they can ignore potential consequences. Discuss issues that may arise (catfishing, sextortion, scams, bullying) when people hide behind anonymous names and profiles. If needed, give real examples from the news where these apps have been connected to tragic outcomes.
Several apps and online communities have been connected to violence, hate content, intolerance, and fanaticism. A few of these sites include 4Chan, 8Chan, AnyChan, Gab, SaidIt.Net, and 8Kun, among many others.
Safe Family Tip: Note any behavior changes in your child. Talk often about digital literacy and being a responsible publisher (and consumer) of media online.
Staying in step with your child’s latest and greatest app affinity isn’t easy, and every parent makes mistakes in how they approach the task. However, kids of all ages (no matter how tech-savvy they are) need boundaries, expectations, and consistent and honest dialogue when it comes to digital habits and staying safe online. If you don’t know where to start (or start over), one first step is to start today and commit to staying aware of the digital risks out there. In addition, make time to have regular, open conversations with your child about their favorite apps — the ones you know about and the ones you may not.
The post Potentially Malicious Apps Your Kids May Use appeared first on McAfee Blogs.
There used to be a time when one roommate split the cost of rent with another by writing a check. Who still owns a checkbook these days? Of course, those days are nearly long gone, in large part thanks to “peer to peer” (P2P) mobile payment apps, like Venmo, Zelle, or Cash App. Now with a simple click on an app, you can transfer your friend money for brunch before you even leave the table. Yet for all their convenience, P2P mobile payment apps could cost you a couple of bucks or more if you’re not on the lookout for things like fraud. The good news is that there are some straightforward ways to protect yourself.
You likely have one of these apps on your phone already. If so, you’re among the many. It’s estimated that 70% of adults in the U.S. use mobile payment apps like these. And chances are that you have more than just the one. Only 25% of adults in the U.S. use just a single payment app.
Yet with all those different apps come different policies and protections associated with them. So, if you ever get stuck with a bum charge, it may not always be so easy to get your money back.
With that, here are seven quick tips for using your P2P mobile payment apps safely.
In addition to securing your account with a strong password, go into your settings and set up your app to use a PIN code, facial ID, or fingerprint ID. (And make sure you’re locking your phone the same way too.) This provides an additional layer of protection in the event your phone is stolen or lost and someone, other than you, tries to make a payment with it.
What’s worse than sending money to the wrong person? When paying a friend for the first time, have them make a payment request for you. This way, you can be sure that you’re sending money to the right person. With the freedom to create account names however one likes, a small typo can end up as a donation to a complete stranger. To top it off, that money could be gone for good!
Another option is to make a test payment. Sending a small amount to that new account lets both of you know that the routing is right and that a full payment can be made with confidence.
Bye, bye, bye! Unlike some other payment methods, new mobile payment apps don’t have a way to dispute a charge, cancel a payment, or otherwise use some sort of recall or retrieval feature. If anything, this reinforces the thought above—be sure that you’re absolutely making the payment to the right person.
Credit cards offer a couple of clear advantages over debit cards when using them in association with mobile payment apps (and online shopping for that matter too). Essentially, they can protect you better from fraud:
Report any activity like this immediately to your financial institution. Timing can be of the essence in terms of limiting your liabilities and losses. For additional info, check out this article from the Federal Trade Commission (FTC) that outlines what to do if your debit or credit card is stolen and what your liabilities are.
Also, note the following guidance from the FTC on payment apps:
“New mobile apps and forms of payment may not provide these same protections. That means it might not always be easy to get your money back if something goes wrong. Make sure you understand the protections and assurances your payment services provider offers with their service.”
It’s sad but true. Crooks are setting up all kinds of scams that use mobile payment apps. A popular one involves creating fake charities or posing as legitimate ones and then asking for funds by mobile payment. To avoid getting scammed, check and see if the charity is legit. The FTC suggests researching resources like Better Business Bureau’s Wise Giving Alliance, Charity Navigator, Charity Watch or, GuideStar.
Overall, the FTC further recommends the following to keep yourself from getting scammed:
With so much of your life on your phone, getting security software installed on your it can protect you and the things you keep on your phone. Whether you’re an Android owner or iOS owner, mobile security software can keep your data, shopping, and payments secure.
The post Avoid Making Costly Mistakes with Your Mobile Payment Apps appeared first on McAfee Blogs.
Equipping and guiding your digitally connected child is one of the toughest challenges you will face as a parent. As your child grows and changes, so too will their online activities. Friend groups, favorite apps, and online interests can shift from one month to the next, which is why parental controls can be a parent’s best friend.
According to a report from Common Sense Media, teens spend an average of seven hours and 22 minutes on their phones a day. Tweens (ages 8 to 12) spend four hours and 44 minutes daily. This is time outside of schoolwork.
That is a lot of time to stroll the streets of cyberspace for entertainment purposes, and it’s only increased since the pandemic.
Striking a balance between screen time and healthy device use is an always-evolving challenge. On the one hand, your child’s device is an essential channel connecting them to their self-identity, peer acceptance, and emotional well-being. On the other hand, that same device is also the door that can bring issues such as cyberbullying, predators, risky behavior, and self-image struggles into your child’s life.
Parental controls are tools that allow parents to set controls on their children’s internet use. Controls include content filters (inappropriate content), usage limits (time controls), and monitoring (tracking activity).
Many of the technology your family already owns or sites your kids visit have basic parental controls (i.e., built-in controls for android and iPhone and social networks such as YouTube). However, another level of parental control comes in software specifically engineered to filter, limit, and track digital activity. These consumer-designed parental controls offer families a higher, more powerful form of protection.
If you are like many parents who land on this blog, you’ve hit a rough patch. You have concerns about your child’s online activity but aren’t sure how to begin restoring balance. Rightly, you want to find the best parental control software and put digital safeguards in place.
Every family dynamic is different, as is every family’s approach to online monitoring. However, most parents can agree that when a negative influence begins to impact the family’s emotional and physical health, exploring new solutions can help get you back on track.
Depending on your child’s age, you may need to consider parental controls if:
1. They don’t respond when you talk to them
If your child is increasingly engrossed in their phone and it’s causing communication issues in your family, you may want to consider software that includes time limits. Connecting with your child during device-free time can improve communication.
2. They’ve started ignoring homework and family responsibilities
There are a lot of reasons grades can plummet, or interests can fade. However, if your child is spending more and more time online, limiting or monitoring what goes on in that time can help restore emotional balance and self-discipline to meet responsibilities.
3. Their browser history shows access to risky content
Innocent online searches can lead to not so innocent results or children may go looking for content simply because they’re curious. Parental controls automatically block age-inappropriate sites and filter websites, apps, and web searches.
4. They won’t give you their device without a fight
If the phone has become the center of your child’s world at the cost of parental respect and family rules, they may be engaged in inappropriate behavior online, connecting with the wrong friends, or struggling with tech balance. With the proper parental controls, a parent can block risky content, view daily activity, and set healthy time limits.
5. They’re losing interest in family outings and other non-digital activities
Poor habits form quietly over time. If your child has dramatically changed their focus in the past three to six months, consider zooming in on why. It may not be technology use, but you may consider an additional layer of protection if it is.
6. They go into another room to respond to a text
While everyone deserves privacy, if constantly sneaking away to communicate with a friend is your child’s new norm, you may consider making some screen time adjustments.
7. They are exhausted
Unbeknownst to parents, kids might be exchanging sleep for screen time. Parental controls can help you nip this unhealthy habit. Setting time limits can help kids experience deeper sleep, better moods, more focus, and more energy.
8. They overshare online
If you browse through your child’s social media and notice their profiles are public instead of private, or if your child tends to overshare personal information, parental controls can help you monitor future activity.
Ideally, we’d all prefer to live in a world where we didn’t need parental controls at all. Unfortunately, that is neither a present nor future reality. So, we recalibrate, keep learning, and keep adding to our parenting skills. As always, we believe the first go-to digital safety tool is investing in consistent open and honest conversation with your child. And the second tool? Yup, reach for the parental controls. While you may hear some hemming and hawing from your kids at first, the peace of mind you gain from having parental controls in place will be worth it.
The post 8 Signs It May Be Time for Parental Controls appeared first on McAfee Blog.
There’s a lot of conversation going on right now around digital apps; only it’s not about TikTok or Twitch. Instead, it’s about the spike in the number of app scams taking place every day—many of them impacting younger consumers.
In a recent report from The Washington Post, nearly two percent of the apps downloaded from the Apple store in a single day were scams costing consumers an estimated $48 million. A similar report this week in Tech Republic estimates more than 170 Android apps, including 25 on Google Play, have attempted to scam people by offering cryptomining services for a fee but then failing to deliver. Scam reports can also be attributed to side-loaded apps, which are apps installed from unofficial sources online.
While the scam structures vary, the most popular ones pose as legitimate brands such as Amazon or Samsung, persuading users to download apps they don’t need. Other scams use misleading tactics, manipulate ratings and reviews, and trick people into paying for something accidentally.
Scams that target teens abound online because hackers assume younger consumers are more impulsive and casual about their online privacy. According to the Better Business Bureau, scams targeting teens include social media scams used to collect personal info for identity theft. Others include bogus auctions for luxury goods, scholarships and job offer scams, and promises of free items such as cell phones.
Some of the most popular scams can be found in fraudulent dating apps, according to the report. The Federal Trade Commission stated that consumers reported a record $304 million lost to romance scams in 2020, a number that has spiked since the pandemic. While some scams look like legit dating apps, others surface in hangout apps such as Clubhouse, Google Hangouts, or seemingly harmless apps like Words with Friends.
App scams have been discovered embedded in spying and internet security apps. Ironically, several of those have been in alleged VPN (Virtual Private Network) apps that promised privacy but instead collected sensitive user data.
Consumers, especially kids, can be scammed through peer-to-peer cash apps, such as Venmo or Zelle. Because cash apps require users to link to a personal bank account directly, scammers can easily sell you goods or befriend you to send money only to delete their accounts and disappear.
Likewise, downloadable gaming apps can contain scams that offer free in-game currency. By clicking on a link and entering a username, password, gamers are promised free currency—only it never shows up in their account.
While the debate continues over how to improve both Apple and Google Play’s app security standards, for now, anyone downloading an app is at risk to some degree.
So how can you be sure your family’s apps are safe to use? While it’s getting harder to discern, there are some key steps you can take to reduce your risk.
No app is 100 percent safe. All have security loopholes and user behavior can make them vulnerable to a wide range of scams. However, by staying aware, using the right tools, and being wise with your clicks, your family can enjoy the fun of digital life without the fallout.
The post 9 Tips to Help Kids Avoid Popular App Scams appeared first on McAfee Blogs.
We’ve all been there. It’s the middle of the night and you wake up to a sad and sniffly kiddo shuffling into your room. Yup, looks like someone has a temperature. You phone the on-call doctor to make sure it’s nothing serious and then set an alarm so you can make an appointment when the office opens. Yet this time that doctor’s visit could go a little differently. It may not take place in the office at all. You may be offered a chance to see the doctor with a telemedicine visit.
Telemedicine has been in use for some time. For several years now, it’s connected patients to health care services using live video and sometimes special diagnostic tools that pass along information via the internet. Overall, it’s a way of going to the doctor without actually going to the doctor’s office. Historically, it’s done a great job of caring for people who live in remote locations and for people with ongoing conditions that need long-term monitoring.
That all changed last year. Telemedicine visits saw a big spike during the early days of the pandemic, partly to help keep the spread of the virus in check and to protect vulnerable patients. Even though that spike has since tapered off, one study found that about 40 percent of consumers in the U.S. say they’ll use telemedicine moving forward—and our own research from earlier this year put that worldwide figure at nearly 30 percent. Telemedicine seems to be taking root.
While telemedicine leaves many families with more healthcare options, it may leave them with a few more questions about their security as well. After all, our health data is a precious thing. In the U.S., HIPPA privacy standards protect our information and consultations with healthcare professionals. However, online visits add an entirely new dimension to that.
If your health care provider recommends a telemedicine visit for you or your child, it can be both a convenient and safe experience with a little prep on your part. With a few straightforward security measures lined up (some of which you may already have in place), you can make sure that everyone’s private health information will be safe and secure during your virtual visit.
A great first step for a safer telemedicine visit is to protect your devices with comprehensive security software. Like security software protecting you while you manage your finances, file your taxes online, and so forth, it will help protect you while sharing your private health information. Plus, it will give you plenty of other features that can help you manage your passwords, protect your identity, safeguard your privacy in general, and more.
Be sure to protect your tablets and smartphones while you’re at it, even if you’re not using them for telemedicine. With all the shopping and banking we do on those devices, it’s a smart move to protect them in addition to laptops and computers.
Your telemedicine visit may require setting up a new account and password, one that will add to your growing list considering all the banking, social media, and payment apps you probably use. Plus, there are the umpteen other passwords you have for your online shopping accounts, your children’s school records, your taxes, and so on. Don’t give into the temptation of re-using an old password or making a simple one. Hackers count on that, where stealing one password means stealing several—and gaining access to multiple accounts in one blow.
When you set up your account, use a strong, unique password. This may also be a good time to get a handle on all your passwords with a password manager. Also found in comprehensive security software, a password manager can create and securely store strong and unique passwords for you, which can keep you safe and make your day a little easier too.
A VPN, or virtual private network, offers a strong layer of additional protection when you’re transmitting health data or simply having a private conversation about your health with a professional. A VPN creates an encrypted tunnel to keep you and your activity anonymous. In effect, your data is scrambled and hidden to anyone outside your VPN tunnel, thus making your private information difficult to collect.
Like many of the security steps, we’re talking about here, using a VPN offers benefits beyond telemedicine. A VPN is a must when using public Wi-Fi, like at airports and cafes, because it makes a public connection private (and safe from prying eyes). Additionally, it’s also great for use at home when taking care of sensitive business like your banking or finances.
If you’re searching for a telemedicine provider online, keep an eye out for sketchy links and scams. The sad thing with the increased use of telemedicine is that hackers have clued in and are looking for targets. One way you can stay safer is to use a web advisor with your browser that can identify potentially hazardous links and sites. Anti-phishing technologies in your security software can help as well by preventing email-based scams from reaching your inbox in the first place.
Even better than searching online, consider contacting your pediatrician or doctor’s office for a recommendation, as they can point out the best healthcare options for you and your concerns—and let you know if a telemedicine visit is the best course of action for you in the first place. This way, you can get comfortable with what your visit will look like, find out what special apps (if any) are used, and how your care provider will protect your privacy. Also, you can decide which device you will use and where you’ll use it so that you feel at ease during your virtual visit.
A reputable care provider will likely put all this pre-appointment information together for you on their website or “frequently asked questions” (FAQ) page, which will include helpful links and numbers to call if you need help or have questions. For an example of what that could look like, check out the telemedicine page that Virginia Mason/Franciscan Health designed for its patients.
We’ve talked plenty about digital security, yet there’s the old-fashioned issue of physical eavesdropping to think about too. When it’s time for your actual appointment, pick a place in your home where you can assure yourself some privacy. (Of course, don’t go online for your virtual appointment in a public place.) Look for a space where you can’t be overheard by neighbors and passers-by—preferably someplace like your bedroom where you can be comfortable as well. If your child has an appointment, let them know that this is like any other doctor’s visit and help them keep their voice down so they can keep their info private.
With telemedicine becoming more and more of an option for families, it’s just one of the many tools your doctor or pediatrician can use to keep you and your family well. So as always, if you have a health concern, call your doctor or pediatrician’s office for guidance. They’ll know the best path forward.
In the meantime, there are some great resources out there that can help you make the best decision about telehealth if the time comes. One really helpful article from the American Academy of Pediatrics helps parents get up to speed on telemedicine and outlines a few cases where a telemedicine visit might be right for your child.
With the sniffles, fevers, and plenty of, “Mom, I don’t feel so good …” comments that come along with parenthood, it’s nice to know that telemedicine gives us another tool we can use to keep our families well—one that’s ultimately up to you and your doctor to choose if it’s right for your child.
The post 6 Tips for a Safer and Easier Telemedicine Visit appeared first on McAfee Blog.
Mobile phones have gone through an incredible transformation since their inception in the 1970s. Now, the sheer number of applications is dizzying, as are their privacy policies; however, smartphone apps can bring hours of fun and belly laughs, and occasionally, a viral app captures the world’s attention. Don’t let potential risks to your personal information safety ruin all smartphone apps for you. All you need to share and play safely is a few tips to help you identify which apps are OK to use and how to navigate them intelligently.
Check out these four viral apps that may be putting your personal information at risk, plus a few tips that’ll help you enjoy smartphone apps safely.
Voilà AI Artist is a trending app that reimagines your face as a cartoon, caricature, or model of fine Renaissance art. Users can snap a selfie with the app or allow the app to access their photo library. According to WIRED, the app says it deletes users’ photos from its database in 24 to 48 hours, though it’s difficult to confirm that they aren’t stored.
Approach any app that could potentially use and store your likeness with caution. Deepfake technology is becoming more sophisticated and common by the day. Deepfakes are fabricated videos, images, or sound clips of every day or famous people based on real videos and images. Fake media impacts the victims whose likenesses are used because often the media is demeaning or incendiary. Voilà AI Artist hasn’t been suspected of any wrongdoing, but it’s best to be aware of how your face could be used to endorse something you don’t agree with.
Another face-altering app that could pose a risk to users’ privacy is FaceApp. Similar to Voilà AI Artist, it’s unclear what the app does with your likeness once you allow it to take your picture. FaceApp’s terms of use agreement outline that the selfies uploaded to the app belong to the app. From there, the app is free “to use, reproduce, modify, adapt, create derivative works from, distribute, perform, and display your User Content.” This line of fine print should make users pause. Again, users’ faces could be used in ways they wouldn’t normally agree to.
While the Pokémon Go craze of 2016 has greatly subsided, the next viral app that sweeps the world could replicate the security vulnerabilities the premise presents. Pokémon Go uses augmented reality, which is the kind of technology that makes it look like a Pokémon is strolling across your living room. The app can access your camera, as well as your contacts, pictures, chats, and location. It’s a blast exploring your neighborhood looking for animated critters and seeing nearby strangers’ profiles pop up on your map; however, be wary of sharing location data and images of the inside of your home with people you don’t know in real life.
TikTok may pose a risk to users’ data privacy. TikTok is under suspicion for using data mining tactics. Data mining is a practice where corporations harvest personal details from user-profiles and share them with advertising, marketing, and analytics companies. According to Business Insider, TikTok collects more than 50 kinds of data from users as young as 13 years old, including age, gender, location, and online habits. These facts are often used to create targeted ads that sometimes border on an invasion of privacy.
Check out these tips to make sure you’re prepared to use apps safely or help you decide to skip trends entirely.
The post 4 Viral Apps Risking Your Personal & Smartphone Security appeared first on McAfee Blog.
You may have heard the news that more than 300,000 Android users unknowingly downloaded banking trojan apps from the Google Play Store, malicious apps which bypassed the store’s security detections to install malware.
This news comes from a security report that found these trojans cleverly posed as apps that people commonly search for, such as QR code scanners, fitness apps, and a bevy of other popular types of utilities. In fact, these phony apps contain trojans that are designed to steal banking information, harvest keystrokes as you enter account info, and even grab screenshots of what you’re doing on your phone.
The trick with this malware is that it only activates after it is installed, which may or may not be apparent to the user. For the malware to activate, it requires an extra step, such as an in-app update (not through the Play Store), which then downloads the payload of malware onto the phone. In many cases, the bogus apps force users to make this update once the app is downloaded.
So, while the apps that appeared in the Play Store may not have contained malware, they deliver the payload onto the user’s phone post-purchase from other servers, which is a reason why these malicious apps have not been readily flagged.
All of this is just one more way hackers have found to infect smartphones with malware.
It’s no wonder that they target smartphones. They’re loaded with personal info and photos, in addition to credentials for banking and payment apps, all of which are valuable to loot or hold for ransom. Add in other powerful smartphone features like cameras, microphones, and GPS, and a compromised phone may allow a hacker to:
All of that adds up to one thing—a great, big “no thanks!”
So how do these sorts of malicious apps work? By posing as legitimate apps, they can end up on your phone and gain broad, powerful permissions to files, photos, and functionality—or sneak in code that allows cybercriminals to gather personal info. As a result, that can lead to all kinds of headaches, ranging from a plague of popup ads to costly identity theft.
Here are a few recent examples of malicious apps in the news:
Again, “no thanks!” So, let’s see about steering clear of malicious apps like these.
The good news is that there are ways you can spot these imposters. Major app marketplaces like Google Play and Apple’s App Store do their part to keep their virtual shelves free of malware, as reported by Google and Apple themselves. Still, cybercriminals can find ways around these efforts. (That’s what they do, after all!) So, a little extra precaution on your part will help you stay safer. These steps can help:
Another way cyber criminals weasel their way into your device is by getting permissions to access things like your location, contacts, and photos—and they’ll use sketchy apps to do it. (Consider the long-running free flashlight app scams mentioned above that requested up to more than 70 different permissions, such as the right to record audio, video, and access contacts.) So, pay close attention to what permissions the app is requesting when you’re installing it. If it’s asking for way more than you bargained for, like a simple game wanting access to your camera or microphone, it may be a scam. Delete the app and find a legitimate one that doesn’t ask for invasive permissions like that.
Additionally, you can check to see what permissions an app may request before downloading the app. In Google Play, scroll down the app listing and find “About this app.” From there, click “App permissions,” which will provide you with an informative list. In the iOS App Store, scroll down to “App Privacy” and tap “See Details” for a similar list. If you’re curious about permissions for apps that are already on your phone, iPhone users can learn how to allow or revoke app permissions here, and Android can do the same here.
While some apps (like games) rely on downloadable content from within the app, look out for apps that prompt you for an immediate update directly from the app. For the most part, the app you download from the store should be the most recent version and not require an update. Likewise, update your phone through the app store, not the app itself, which can help you avoid malware-based attacks like these.
As with so many attacks, cybercriminals rely on people clicking links or tapping “download” without a second thought. Before you download, take time to do some quick research, which may uncover a few signs that the app is malicious. Check out the developer—have they published several other apps with many downloads and good reviews? A legit app typically has quite a few reviews, whereas malicious apps may have only a handful of (phony) five-star reviews. Lastly, look for typos and poor grammar in both the app description and screenshots. They could be a sign that a hacker slapped the app together and quickly deployed it.
Even better than combing through user reviews yourself is getting a recommendation from a trusted source, like a well-known publication or from app store editors. In this case, much of the vetting work has been done for you by an established reviewer. A quick online search like “best fitness apps” or “best apps for travelers” should turn up articles from legitimate sites that can suggest good options and describe them in detail before you download.
Unlike Google Play and Apple’s App Store, which have measures in place to review and vet apps to help ensure that they are safe and secure, third-party sites may not have that process in place. In fact, some third-party sites may intentionally host malicious apps as part of a broader scam. Granted, cybercriminals have found ways to work around Google and Apple’s review process, yet the chances of downloading a safe app from them are far greater than anywhere else. Furthermore, both Google and Apple are quick to remove malicious apps once discovered, making their stores that much safer.
With all that we do on our phones, it’s important to get security software installed on them, just like we do on our computers and laptops. Whether you go with comprehensive security software that protects all of your devices or pick up an app in Google Play or Apple’s iOS App Store, you’ll have malware, web, and device security that’ll help you stay safe on your phone.
Hand-in-hand with installing security software is keeping your phone’s operating system up to date. Updates can fix vulnerabilities that cybercriminals rely on to pull off their malware-based attacks—it’s another tried and true method of keeping yourself safe and your phone running in tip-top shape.
Here are a few more things you can do:
Lastly, you can always ask yourself, “Do I really need this app?” One way to avoid malicious mobile apps is to download fewer apps overall. If you’re unsure if that free game is on the up-and-up or if the offer for that productivity app sounds a little too good, skip it. Look for a better option or pass on the idea altogether. As said earlier, cybercriminals really rely on us clicking and downloading without thinking. Staying on guard against mobile malware will cost you a few moments of your time, which is minimal compared to the potential costs of a hacked phone.
The post Before You Download: Steer Clear of Malicious Android Apps appeared first on McAfee Blog.
It’s safe to say that many Americans are obsessed with Squid Game. According to Business Insider, the Korean drama series has driven the newest engagers to a Netflix title of any Netflix series over the last three years. And while word-of-mouth buzz has played a big part in the show’s success, TV watchers aren’t the only ones taking note. Cybercriminals are also formulating ways to profit off the show’s popularity. According to the New York Post, a malicious app based on Squid Game was recently found on the Google Play Store, infecting users’ devices with malware.
The app in question, called “Squid Game Wallpaper 4K HD,” was one of the 200 Squid Game-related apps on the Google Play Store. This particular app masqueraded as a place to download cool Squid Game backgrounds for Android devices. However, once a user downloaded the app, it infected their smartphone with a strain of Joker malware. Joker malware is a type of billing fraud malware that usually disguises itself as a messenger, photo editor, camera, or in this case, wallpaper apps.
You may wonder how an app like this even ends up on a legitimate app purchasing store. In order to bypass Google Play’s app review process, Joker malware hides its malicious payload during the review process. This means that when the app is published in the Google Play Store, there’s no sign of malware. It’s only when a user installs the app that the malware downloads the malicious payload. Once the malware successfully installs itself, it secretly signs the user up for premium subscriptions, intercepts all their SMS messages, and can upload all their contacts to the malware operators.
The “Squid Game Wallpaper 4K HD” app received 5,000 downloads before it was removed from the Google Play Store. It’s likely that cybercriminals will continue to use the show’s popularity to exploit its fans and make a profit, whether that be through malicious apps disguised as a place where viewers can watch the show or fraudulent websites selling Squid Game merchandise. But fear not! There are steps you can take to help ensure that you steer clear of malware:
Unlike Google Play and Apple’s App Store, which have measures in place to review and vet apps to help ensure that they are safe, third-party sites may not have that process in place. In fact, some third-party sites may intentionally host malicious apps as part of a broader scam. However, cybercriminals have found ways to work around Google and Apple’s review process (such as with “Squid Game Wallpaper 4K HD”), but the chances of downloading a safe app from these stores are far greater than anywhere else. Additionally, Google and Apple are quick to remove malicious apps once discovered.
Before you download a new app, do some quick research. Check out the developer. Have they published several other apps with many downloads and good reviews? A legit app typically has several reviews, whereas malicious apps may have only a handful of fake five-star reviews. Lastly, look for typos and grammatical errors in both the app description and screenshots. They could be a sign that a hacker slapped the app together and quickly deployed it.
Certain types of malware strains operate stealthily behind the scenes, commandeering login credentials or banking information right under a user’s nose. Check your accounts every so often and if you notice any suspicious activity, report it and change your passwords. You can also use ID monitoring tools, which will notify you of uncharacteristic changes or actions.
Just like you secure your computers and laptops, it’s important to secure the minicomputer in your pocket—your smartphone! For the strongest protection, use comprehensive security software that shields your device from malware and risky websites, links, and files. With a few key steps, you can boost your confidence in the safety of your devices and personal information and enjoy your favorite binge-worthy shows to the fullest!
The post Squid Game App or Mobile Malware in Disguise? appeared first on McAfee Blog.
It would be impossible nowadays to separate our everyday lives from technology. We travel well-worn, comfortable paths online and engage in digital activities that work for us. But could those seemingly harmless habits be putting out the welcome to cyber criminals out to steal our data?
It’s a given that our “digital-first mindset” comes with inherent risks. With the work and learn from home shift looking more permanent and cybercrime on the rise, it’s imperative to adopt new mindsets and put new skills in motion. The first step with any change? Admitting your family may have a few bad habits to fix. Here are just a few to consider.
1. You share toooo much online. Too Much Information, yes, TMI. Oversharing personal information online is easy access for bad actors online. Those out to do harm online have made it their life’s work to piece together your personal details so they can steal your identity—or worse. Safe Family Tips: Encourage your family not to post private information such as their full name, family member names, city, address, school name, extracurricular activities, and pet names. Also, get in the habit of a) setting social media profiles to private, b) regularly scrubbing personal information on social profiles—this includes profile info, comments, and even captions that reveal too much c) regularly editing your friends lists to people you know and trust.
2. You’ve gotten lazy about passwords. It’s tough to keep up with everything these days. We get it. However, passwords are essential. They protect your digital life—much like locks on doors protect your physical life. Safe Family Tips: Layer up your protection. Use multi-factor authentication to safeguard user authenticity and add a layer of security to protect personal data and all family devices. Consider adding comprehensive software that includes a password manager as well as virus and malware protection. This level of protection can add both power and peace of mind to your family’s online security strategy.
3. You casually use public Wi-Fi. It’s easy to do. If you are working away from home or on a family trip, you may need to purchase something, meet a deadline, or send sensitive documents quickly. Public Wi-Fi is easy and fast, but it’s also loaded with security gaps that cybercriminals camp out on. Safe Family Tip: If you must conduct transactions on a public Wi-Fi connection, consider McAfee Total Protection. It includes antivirus and safe browsing software, plus a secure VPN.
4. You have too many unvetted apps. We love apps, but can we trust them? Unfortunately, when it comes to security and privacy, apps are notoriously risky and getting tougher to trust as app technology evolves. So, what can you do? Safe Family Tips: A few things you can do include a) Double-checking app permissions. Before granting access to an app, ask yourself: Does this app need what it’s asking me to share? Apps should not ask for access to your data, b) researching the app and checking its security level and if there have been breaches, c) reading user reviews, d) routinely deleting dormant and unused apps from your phone. This is important to do on your phone and your laptop, e) monitor your credit report for questionable activity that may be connected to a malicious app or any number of online scams.
5. You’ve gotten too comfortable online. If you think that a data breach, financial theft, or catfish scam can’t happen to you or your family, it’s a sign you may be too comfortable online. Growing strong digital habits is an ongoing discipline. If you started strong but have loosened your focus, it’s easy to get back to it. Safe Family Tips: Some of the most vulnerable areas to your privacy can be your kids’ social media. They may be oversharing, downloading malicious apps, and engaging with questionable people online that could pose a risk to your family. Consider regularly monitoring your child’s online activity (without hovering or spying). Physically pick up their devices to vet new apps and check they’ve maintained all privacy settings.
6. You lack a unified family security strategy. Consider it: If each family member owns three devices, your family has countless security gaps. Closing those gaps requires a unified plan. Safe Family Tips: a) Sit down and talk about baseline security practices every family member should follow, b) inventory your technology, including IoT devices, smartphones, game systems, tablets, and toys, c) make “keeping the bad guys out” fun for kids and a challenge for teens. Sit and change passwords together, review privacy settings, reduce friend lists. Come up with a reward system that tallies and recognizes each positive security step.
7. You ignore updates. Those updates you’re putting off? They may be annoying, but most of them are security-related, so it’s wise to install them as they come out. Safe Family Tip: Many people make it a habit to change their passwords every time they install a new update. We couldn’t agree more.
Technology continues to evolve and open extraordinary opportunities to families every day. However, it’s also opening equally extraordinary opportunities for bad actors banking on consumers’ casual security habits. Let’s stop them in their tracks. If you nodded to any of the above habits, you aren’t alone. Today is a new day, and putting better digital habits in motion begins right here, right now.
The post 7 Common Digital Behaviors that Put Your Family’s Privacy at Risk appeared first on McAfee Blog.
You consider yourself a responsible person when it comes to taking care of your physical possessions. You’ve never left your wallet in a taxi or lost an expensive ring down the drain. You never let your smartphone out of your sight, yet one day you notice it’s acting oddly.
Did you know that your device can fall into cybercriminals’ hands without ever leaving yours? SIM swapping is a method that allows criminals to take control of your smartphone and break into your online accounts.
Don’t worry: there are a few easy steps you can take to safeguard your smartphone from prying eyes and get back to using your devices confidently.
First off, what exactly is a SIM card? SIM stands for subscriber identity module, and it is a memory chip that makes your phone truly yours. It stores your phone plan and phone number, as well as all your photos, texts, contacts, and apps. In most cases, you can pop your SIM card out of an old phone and into a new one to transfer your photos, apps, etc.
Unlike what the name suggests, SIM swapping doesn’t require a cybercriminal to get access to your physical phone and steal your SIM card. SIM swapping can happen remotely. A cybercriminal, with a few important details about your life in hand, can answer security questions correctly, impersonate you, and convince your mobile carrier to reassign your phone number to a new SIM card. At that point, the criminal can get access to your phone’s data and start changing your account passwords to lock you out of your online banking profile, email, and more.
SIM swapping was especially relevant right after the T-Mobile data breach.1 Cybercriminals stole millions of phone numbers and the users’ associated personal details. Criminals could later use these details to SIM swap, allowing them to receive users’ text or email two-factor authentication codes and gain access to their personal accounts.
The most glaring sign that your phone number was reassigned to a new SIM card is that your current phone no longer connects to the cell network. That means you won’t be able to make calls, send texts, or surf the internet when you’re not connected to Wi-Fi. Since most people use their smartphones every day, you’ll likely find out quickly that your phone isn’t functioning as it should.
Additionally, when a SIM card is no longer active, the carrier will often send a notification text. If you receive one of these texts but didn’t deactivate your SIM card, use someone else’s phone or landline to contact your wireless provider.
Check out these tips to keep your device and personal information safe from SIM swapping.
With just a few simple steps, you can feel better about the security of your smartphone, cellphone number, and online accounts. If you’d like extra peace of mind, consider signing up for an identity theft protection service like McAfee Identity Protection Service. McAfee, on average, detects suspicious activity ten months earlier than similar monitoring services. Time is of the essence in cases of SIM swapping and other identity theft schemes. An identity protection partner can restore your confidence in your online activities.
1“T-Mobile data breach and SIM-swap scam: How to protect your identity”
The post What Is SIM Swapping? 3 Ways to Protect Your Smartphone appeared first on McAfee Blog.
It’s a long-standing question. Can Apple Macs get viruses?
While Apple does go to great lengths to keep all its devices safe, this doesn’t mean your Mac is immune to all computer viruses. So what does Apple provide in terms of antivirus protection? Let’s take a look along with some signs that your Mac may be hacked and how you can protect yourself from further threats beyond viruses, like identity theft.
Whether hackers physically sneak it onto your device or by tricking you into installing it via a phony app, a sketchy website, or a phishing attack, viruses and malware can create problems for you in a few ways:
Some possible signs of hacking software on your Mac include:
Is your device operating more slowly, are web pages and apps harder to load, or does your battery never seem to keep a charge? These are all signs that you could have malware running in the background, zapping your device’s resources.
Like the performance issues above, malware or mining apps running in the background can burn extra computing power (and data). Aside from sapping performance, malware and mining apps can cause your computer to run hot or even overheat.
If you find apps you haven’t downloaded, along with messages and emails that you didn’t send, that’s a red flag. A hacker may have hijacked your computer to send messages or to spread malware to your contacts. Similarly, if you see spikes in your data usage, that could be a sign of a hack as well.
Malware can also be behind spammy pop-ups, changes to your home screen, or bookmarks to suspicious websites. In fact, if you see any configuration changes you didn’t personally make, this is another big clue that your computer may have been hacked.
Macs contain several built-in features that help protect them from viruses:
Similarly, all apps that wish to be sold on the Apple App Store must go through Apple’s App Review. While not strictly a review for malware, security matters are considered in the process. Per Apple, “We review all apps and app updates submitted to the App Store in an effort to determine whether they are reliable, perform as expected, respect user privacy, and are free of objectionable content.”
There are a couple reasons why Mac users may want to consider additional protection in addition to the antivirus protection that Mac provides out of the box:
In all, Macs are like any other connected device. They’re susceptible to threats and vulnerabilities as well. Looking more broadly, there’s the wider world of threats on the internet, such as phishing attacks, malicious links and downloads, prying eyes on public Wi-Fi, data breaches, identity theft, and so on. It’s for this reason Mac users may think about bolstering their defenses further with online protection software.
Staying safer online follows a simple recipe:
Reading between the lines, that recipe can take a bit of work. However, comprehensive online protection can take care of it for you. In particular, McAfee Total Protection includes an exclusive Protection Score, which checks to see how safe you are online, identifies gaps, and then offers personalized guidance, and helping you know exactly how safe you are.
An important part of this score is privacy and security, which is backed by a VPN that turns on automatically when you’re on an unsecure network and personal information monitoring to help protect you from identity theft—good examples that illustrate how staying safe online requires more than just antivirus.
So, Macs can get viruses and are subject to threats just like any other computer. While Macs have strong protections built into them, they may not offer the full breadth of protection you want, particularly in terms of online identity theft and the ability to protect you from the latest malware threats. Consider the threats you want to keep clear of and then take a look at your options that’ll help keep you safe.
The post Can Apple Macs get Viruses? appeared first on McAfee Blog.
apple-1200
apple-1200
Authored by Oliver Devane and Vallabh Chole
Notifications on Chrome and Edge, both desktop browsers, are commonplace, and malicious actors are increasingly abusing this feature. McAfee previously blogged about how to change desktop browser settings to stop malicious notifications. This blog focuses on Chrome notifications on Android mobile devices such as phones and tablets, and how McAfee Mobile Security protects users from malicious sites leveraging these notifications.
Most users are unaware of the source of these notifications. Permission is granted when a user clicks ‘Allow’ on a prompt within Android Chrome.
Many malicious websites use language and images like the one above that entice the user to click ‘Allow’ such as ‘Just one more step! Click “Allow” to continue. Once allow is clicked, the website is added to a site permissions list, which will enable it to send notifications.
The notifications will look like a usual Android notification which you will be used to seeing such as you have a new WhatsApp message or email. To identify the source of the notification, we need to look for the application name which is like the one highlighted in the red box below.
The image above shows the notification came from Chrome and it is from the website premiumbros[.]com. This is something you should pay attention to as it will be needed when you want to stop annoying notifications.
Some notifications like the ones in this blog are malicious as they attempt to trick users into believing that their mobile device is infected with a virus and some action is required. When the users click the notification, Chrome will load a website which will present them with a fake warning like the example below:
Clicking either Cancel or Update Now on the above website will result in the same behavior. The browser will redirect the user to a google play store app so that they can download and install it.
The malicious websites will flood your phone with several notifications. The screenshot below shows an example of this:
You may ask yourself, why do malicious actors try to get me to install a google play application? The people behind these scams receive a commission when these applications are installed on devices. They rely on deceptive tactics to trick users into installing them to maximize profits.
To remove a website’s notification permission, you need to change a Chrome setting.
1- Find out the name of the website which is sending these notifications. This can be done by looking at the notification and noting down the name of the website. If we use this blog as an example, it would be premiumbros[.]com
2- Open the Chrome browser app which can be found by performing the following search:
3- Click the three … on the top right hand of the application
4- Scroll down and click on settings
5- Click on Notifications
6- Scroll down until you find the website which you identified in step 1
7- Pres the blue radio button so it turns grey
8- Notifications will now be disabled for that website. If you want to block multiple websites, click the radio button for them as well.
McAfee customers who have McAfee Mobile Security are protected against these malicious websites as long as they enable the ‘Safe Browsing’ feature within the application.
Upon trying to access a malicious website such as the one in the blog it will be blocked as shown in the image below:
Please read this guide on enabling the Safe Browsing feature within the Mobile Security Application.
The post Why Am I Getting All These Notifications on my Phone? appeared first on McAfee Blog.
apple-1200
apple-1200
Apple, Google and Microsoft announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. Experts say the changes should help defeat many types of phishing attacks and ease the overall password burden on Internet users, but caution that a true passwordless future may still be years away for most websites.
Image: Blog.google
The tech giants are part of an industry-led effort to replace passwords, which are easily forgotten, frequently stolen by malware and phishing schemes, or leaked and sold online in the wake of corporate data breaches.
Apple, Google and Microsoft are some of the more active contributors to a passwordless sign-in standard crafted by the FIDO (“Fast Identity Online”) Alliance and the World Wide Web Consortium (W3C), groups that have been working with hundreds of tech companies over the past decade to develop a new login standard that works the same way across multiple browsers and operating systems.
According to the FIDO Alliance, users will be able to sign in to websites through the same action that they take multiple times each day to unlock their devices — including a device PIN, or a biometric such as a fingerprint or face scan.
“This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS,” the alliance wrote on May 5.
Sampath Srinivas, director of security authentication at Google and president of the FIDO Alliance, said that under the new system your phone will store a FIDO credential called a “passkey” which is used to unlock your online account.
“The passkey makes signing in far more secure, as it’s based on public key cryptography and is only shown to your online account when you unlock your phone,” Srinivas wrote. “To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access. Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer.”
As ZDNet notes, Apple, Google and Microsoft already support these passwordless standards (e.g. “Sign in with Google”), but users need to sign in at every website to use the passwordless functionality. Under this new system, users will be able to automatically access their passkey on many of their devices — without having to re-enroll every account — and use their mobile device to sign into an app or website on a nearby device.
Johannes Ullrich, dean of research for the SANS Technology Institute, called the announcement “by far the most promising effort to solve the authentication challenge.”
“The most important part of this standard is that it will not require users to buy a new device, but instead they may use devices they already own and know how to use as authenticators,” Ullrich said.
Steve Bellovin, a computer science professor at Columbia University and an early internet researcher and pioneer, called the passwordless effort a “huge advance” in authentication, but said it will take a very long time for many websites to catch up.
Bellovin and others say one potentially tricky scenario in this new passwordless authentication scheme is what happens when someone loses their mobile device, or their phone breaks and they can’t recall their iCloud password.
“I worry about people who can’t afford an extra device, or can’t easily replace a broken or stolen device,” Bellovin said. “I worry about forgotten password recovery for cloud accounts.”
Google says that even if you lose your phone, “your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off.”
Apple and Microsoft likewise have cloud backup solutions that customers using those platforms could use to recover from a lost mobile device. But Bellovin said much depends on how securely such cloud systems are administered.
“How easy is it to add another device’s public key to an account, without authorization?” Bellovin wondered. “I think their protocols make it impossible, but others disagree.”
Nicholas Weaver, a lecturer at the computer science department at University of California, Berkeley, said websites still have to have some recovery mechanism for the “you lost your phone and your password” scenario, which he described as “a really hard problem to do securely and already one of the biggest weaknesses in our current system.”
“If you forget the password and lose your phone and can recover it, now this is a huge target for attackers,” Weaver said in an email. “If you forget the password and lose your phone and CAN’T, well, now you’ve lost your authorization token that is used for logging in. It is going to have to be the latter. Apple has the infrastructure in place to support it (iCloud keychain), but it is unclear if Google does.”
Even so, he said, the overall FIDO approach has been a great tool for improving both security and usability.
“It is a really, really good step forward, and I’m delighted to see this,” Weaver said. “Taking advantage of the phone’s strong authentication of the phone owner (if you have a decent passcode) is quite nice. And at least for the iPhone you can make this robust even to phone compromise, as it is the secure enclave that would handle this and the secure enclave doesn’t trust the host operating system.”
The tech giants said the new passwordless capabilities will be enabled across Apple, Google and Microsoft platforms “over the course of the coming year.” But experts said it will likely take several more years for smaller web destinations to adopt the technology and ditch passwords altogether.
Recent research shows far too many people still reuse or recycle passwords (modifying the same password slightly), which presents an account takeover risk when those credentials eventually get exposed in a data breach. A report in March from cybersecurity firm SpyCloud found 64 percent of users reuse passwords for multiple accounts, and that 70 percent of credentials compromised in previous breaches are still in use.
A March 2022 white paper on the FIDO approach is available here (PDF). A FAQ on it is here.