In January this year, Dr. Anders Apgar received a call on his cell phone while he was in a restaurant with his family. His wife’s phone soon rang after that. He thought of ignoring the call, but his wife answered the call since both phones just kept ringing. When she answered the phone and saw there was a warning statement about their Coinbase account being compromised. Dr. Apgar then answered his phone and was spoken to by what may have been a female-voiced robocall that stated it was from Coinbase security. “We have detected unauthorized activity due to failed log-in attempt on your account. This was requested from a Canada IP address,” the voice said. Then it stated, “If this (is) not you, please press 1, to complete precautions recovering your account.” Dr. Apgar either entered a code he was given on-screen or pressed a key authorizing that code to approve his response, but he does not remember which of the actions he took. The voice then hung up. In a few seconds, this action locked him out of his Coinbase account and Dr. Apgar immediately realized he had been conned and probably had lost his investment of $106,000 in cryptocurrency. CNBC reported that this was a two-factor (2FA) code identification fraud done by a one-time password (OTP) bot. What did Dr. Apgar do wrong? The simplest and right thing to do would have been to simply hang up on the call. However, he was manipulated along with his fear and habit of using 2FA were used against him. Banks, financial exchanges, and other online institutions and exchanges routinely use 2FA verification as a way to increase security for customers. Customers are used to using 2FA as a safe way to complete secure transactions. The sophisticated cybercriminal has figured this out and uses “social engineering” (carefully planned emotional manipulation) and official-sounding messages to trick consumers into approving transactions that appear to be protecting or benefitting them, but instead hand over to the cybercriminal the key to the consumers’ accounts. Coinbase and other financial institutions each have similar policies stating they will not call customers unless requested by the customer to do so. Their policies direct customers to not take any action on unrequested calls or reply, to hang up on the call, then call the official number on the financial institution website to report the incident. The rest of the story is that it took over a month for Dr. Apgar to get access to his Coinbase account and he required the help of CNBC business news to call on his behalf. Then Coinbase sent Dr. Apgar an email which began a 3-day process to reestablish access to his account. Only $31,000 or the $106,000 investment remained. Coinbase had quickly locked up the account for security reasons, but it was too late to protect most of the investment.
Have you heard people say, “I just Zelled it”? Zelle is a money transfer app accepted by 1425 banks in the USA. Users love it because it is directly connected to their bank accounts so they can pay for their purchases instantaneously with their phone and avoid using a credit card. Besides being fast and easy to use, users feel confident using it because it is advertised as free, safe, and secure. Users transferred $490 billion through Zelle in 2021. But Justin Faunce no longer thinks Zelle is safe. He was called by an imposter pretending to be a Wells Fargo agent and tricked into immediately transferring $500 out of his bank account to the thief. Wells Fargo refused to reimburse Faunce even though he notified the bank right away. Banks are required by the Consumer Financial Protection Bureau to reimburse customers for losses on transfers that were “initiated by a person other than the consumer without actual authority to initiate the transfer.” Faunce was the victim of a fraudulent act. “This wasn’t my fault, so why isn’t the bank doing the right thing here?” While reporting the crime to a Wells Fargo rep, Faunce was told it wasn’t so bad since so many people have lost thousands of dollars from their accounts through Zelle. That news did not make him feel any better. Local news organizations and police blotters throughout the USA have covered the increasingly common problem of phone and text fraud. Yet both financial institutions and consumers will probably have to change in major ways to overcome this growing threat of cybercrime.
The tactics used against victims like Dr. Apgar and Justin Faunce are called vishing (phone fraud) and smishing (text fraud). According to federal law, this is not stalking. Cybercriminals use technology to spy on people, track them, and steal their car or home, or other property from them, and it causes people great emotional distress. So, broadly speaking, it is like stalking. It is just that the law defines it differently.
Employee mobile devices can put government and business data at risk
According to Verizon’s “DBIR: 2021 Data Breach Investigations Report,” 85% of data breaches at organizations involved a human element. This means that people are either careless at work or are being carefully manipulated into giving criminals or foreign agents access to their employer’s databases and financial accounts.
Route Fifty is a Washington D.C based news publication on the government. As of February 2021, it was reported that about 25 percent of local and state government employees use personal cell phones and tablets for work. Technology review site Tech Jury published 43+ Stunning BYOD Stats and Facts to Know in 2022. In this article Tech Jury revealed that 67 percent of company employees use their personal mobile devices for work. Some employees feel this makes going to the office less necessary, but the article also revealed that businesses profit a great deal from this arrangement. “Companies gain an extra 240 hours of work per year from employees due to mobile working” and do not have to pay for the employee’s mobile device hardware or monthly wireless bill.
Hank Schless, Senior Manager of Security Solutions at Lookout, a cloud security company, says this is risky. He wrote an article, Device management blind to 125 percent increase in financial sector phishing attacks. Every business owner who has a policy of insisting or allowing employees to use their own cellphone or laptops for work should read this article. Schless shows such policies make cybercrime much easier against businesses and their assets.
Mobile Device Management (MDM) programs of companies that give the employee cell phones, laptops, or other mobile devices that the organization controls are much more secure than employee-owned phones used for work. Why? Company-issued mobile devices usually are loaded with software that protects the device from misuse or accessing dangerous websites and downloads. When company employees use their personal mobile devices for work, MDM becomes porous and open to cybercrime because the employer no longer controls the device, the network, or the software.
“Device management is not security….. the digital-first lifestyle makes us phishing targets,” Schless says. Phishing has increased 125 percent per quarter, and malware and app risk increased more than 500 percent. Just as Dr. Apgar and Justin Faunce were tricked into giving cyber thieves access to their financial accounts, employees are no different and can be manipulated into a trust level where they give up login credentials or install malicious apps.
What is SMS and Why is It a Problem?
Worldwide, 5 billion people text using SMS messaging. SMS means Short Message Service, the most common texting method in the USA. MMS stands for Multimedia Messaging Service and enables SMS users to send photos, video, audio, and phone contacts. People love texting because it is super-fast and super easy, In other words, it is the fastest way to communicate and get things done. Shira Ovide’s “On Tech” newsletter in the New York Times reported that about one trillion personal and commercial SMS and /or MMS messages were sent in the USA in 2020. However, SMS is not secure and texts can be intercepted by cyber thieves. SMS has no end-to-end encryption like Apple iPhone’s iMessage, Facebook’s WhatsApp, or Signal, the most popular private messaging app.
According to localproject.net, America produces approximately 45% of the world’s text volume. Texts have a 99% open rate and texts have a 45% average response rate.
This love for speed and convenience comes at a price. RoboKiller, a popular anti-spam app company, reported that there were over 87 trillion spam texts in 2021 which was a 58% annual increase over the previous year. This caused at least $10 billion in fraud and many losses due to spam text are not reported to the Federal Trade Commission.
Common spam messages used by cyber thieves include messages like:
- Your bank account has been compromised. Your bank account card has been charged (showing a specific dollar amount).
- Your PayPal account is locked.
- Your bank account has had some suspicious activity.
- Hi (your name), we are having issues releasing your package. Please update shipping directions (text link). Reply Stop to Opt-Out.
The text then asks you to click a link that rings a call to a fake representative or may send you another text to approve a fraudulent transaction appearing as if it will protect your account.
Don’t try and outsmart a cyber thief
Anjali Nair of NBC News interviewed Jacinta Tobin, a VP at cybersecurity company Proofpoint. Tobin said, “The intelligence about you doesn’t dissipate. It builds,” she said. “Each attack that happens, each text you respond to or each call you respond to. Even if the attacker doesn’t get that money from you, they can get money by selling your information.” Her advice is “Don’t click on a URL in a text message. Don’t trust URLs in text messages unless you have more assurance. If you get a text message from a bank or a retailer, type in the URL into your browser separately.” In essence, most cyber thieves are pros. This is their work, and they have a lot of practice. Like a predator, they try and take victims by surprise. A cyber thief uses victims’ cell phone habits and emotions against themselves, and most crimes are over in less than a minute.
There are two parts to the problem
The rapid erosion of privacy in society has come from providers of communications technology as well as the users of that technology. Institutions continually improve devices and software that enhance communications but also create and collect data on individuals. Then companies increase their profits by selling that person’s personal data to the government and corporations that regularly use that personal data which undermines individual privacy and security. Yet, at the same time, people willingly and enthusiastically hand over their personal information for free apps, posting on social media, applying for loyalty card discount programs, etc. In doing so, the vast majority of people have become accustomed to trading their privacy and security for mere convenience.
People want a fast and cheap way to locate their lost stuff such as with the use of Apple Air tags or to use texting technology to allow for instantaneous communication. At the same time, people hear about the growing problem of their lives being monitored and controlled by institutions and commercial interests. “I have nothing to hide,” or “It will never happen to me,” are two common responses, while neglecting to put thought into how they might easily stop or limit intrusions into their private lives and personal information.
Everything of value or ways to access that value is becoming digitized. The corporations who build the technology and the government that regulates it are increasingly falling behind in protecting people from harm and their assets from theft by misuse of tracking devices that access digital assets. Trusting big institutions will take care of the “little guy” is a big reason for the growth of cybercrime. However, most people think it could never happen to them.
Senator Ron Wyden of Oregon said, “Wireless carriers’ continued sale of location data is a nightmare for national security and the personal safety of anyone with a phone. When stalkers, spies, and predators know when a woman is alone, or when a home is empty, or where a White House official stops after work, the possibilities for abuse are endless.”
Law professor Andrea Matwyshyn from Northeastern University Center for Law, Innovation, and Creativity said, “The Internet of Things is becoming a weapon against both consumers and national security.”
It might seem overwhelming to know that so many organizations and criminals can obtain your location data, track you, and use your phone’s text messages against you. Maybe you just want to give up and do nothing about it, hoping you’ll be OK but uneasy that things are out of your control. A growing number of technologies and services, as well as a few new laws and regulations, are beginning to seriously address these issues. But as mentioned above, don’t reply to suspected spam texts or phone calls. Immediately hang up, Then, contact the institution by using the phone number on their official website to check on the validity of the text or call.
The motivated individual can make choices that make it much harder for others to take his or her personal data. For most, the first challenge is to question what conveniences are worth handing over personal data for. This means to stop waiting for the government and Big Data corporations to fix the problem – they have a role to play but the problem is much bigger than they can tackle. Each individual has to be proactive if they are to create a lifestyle that protects and gives them more control over their personal data. This is the first and most important step. It might be wise to go into cell phone settings and disable the sharing personal data function on various apps or services. Maybe upgrade to a text app that has end-to-end encryption. Choosing an anti-tracker app that detects hidden GPS and Bluetooth trackers on one’s vehicle, purse, backpack, etc. is another good step.
Next month’s article will address effective countermeasures to use and how to take more control over your personal location data.