The Shared Security Weekly Blaze – Tax Season Scams, SIM Hijacking, Smart TV Privacy


This is the Shared Security Weekly Blaze for February 12, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.

This is your Shared Security Weekly Blaze for February 12th 2018…with your host…Tom Eston

In this week’s episode: Tax Season Scams, SIM Hijacking and Smart TV Privacy

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.

It’s tax season here in the United States and as you may already know there are three things that are certain in life: death, taxes and criminals trying to scam you out of your hard earned money. Which means it’s time to be aware of common phishing and scam tactics that may target you during this tax season.

In fact, this year (due to news of changes to the US tax code) there are now more opportunities for scammers to leverage this news to their advantage. Like any significant event that happens in the world (like natural disasters and terrorist attacks), attackers will leverage these news events in an attempt to elicit an emotional response from you so that you either click a malicious link or submit your private and sensitive information to the scammer.

According to the SANS Internet Storm Center, recent tax-related phishing emails that have been identified are asking for personal information in order to receive your tax refund. Keep in mind, it’s not just your email that these scams can originate from. Many of these tax scams also come through phone calls or voicemails. These calls will typically ask for personal information or to convince you to make a payment under the threat of being arrested. Note that the IRS will never email or call you about owing taxes or about a potential refund, or threaten to arrest you. Stay vigilant this tax season and please let your elderly friends, parents or relatives know about these tax scams. Unfortunately, the elderly are common targets for these types of attacks.

Last week telecom giant T-Mobile sent out a mass text message to its entire customer base alerting them to add an additional security measure to their account. The problem? There has been a major increase in an attack called SIM hijacking or also known as a phone number port out scam.

SIM hijacking is where an attacker will either call your mobile phone company or show up at the mobile phone store, impersonating you in an attempt to request a new SIM card for your phone number or in some cases the attacker will attempt to move your mobile number over to a new carrier. Once the attacker has control of your mobile number, they now have access to reset credentials for banking or potentially access to any other accounts that use a mobile phone number for access.

SIM hijacking and fraudulent phone porting have become popular attacks for identity thieves as well as other criminals. This is because your mobile number is increasingly becoming the center of your digital identity in that your phone number is a unique identifier for you and is used for things like authentication to reset passwords and for two-factor access to many different types of accounts and systems.

The way to help prevent this attack is to create a validation code with your mobile carrier. T-Mobile calls this a “port validation” code but other carriers may call this a phone passcode or PIN. Once this code is enabled on your account, you’ll need to provide this to the mobile carrier in order to obtain a new SIM card or port your number to a new carrier. Our advice is to enable this feature with your mobile carrier to help prevent this attack happening to you. You may have to research this on your mobile carrier’s website as each company has a different procedure for enabling this feature. Also note, you should ensure that this passcode or PIN is unique and different than any other passcode or PIN that may be in use with your mobile carrier such as the password for accessing your account for online access.

Our number one story is about research Consumer Reports released this past week which found that millions of smart TVs are vulnerable to hackers and that all smart TVs are collecting private data about your viewing habits. Consumer Reports conducted their own testing as part of a security and privacy evaluation of smart TVs from popular brands such as LG, Sony and Vizio. Specifically, vulnerabilities were identified in Samsung TVs along with models made by TCL and other brands, that use the Roku smart TV platform. These vulnerabilities would allow an attacker to cause havoc on the victim’s TV like randomly change the channel, mute the TV speakers or pump up the volume unbeknownst to the user. The attacks require a victim to either download a malicious app or malicious code through a phishing or other type of social engineering attack in order to access the smart TV through the victim’s home wifi network. To prevent this attack on TVs that are using the Roku platform you have to turn off an “external control” feature in the Roku platform settings. Roku noted in a blog post that “We want to assure our customers that there is no security risk” and disputes the Consumer Reports findings. However, it’s concerning to me that this “external control” feature is enabled by default. The other concern from the Consumer Reports research is that all smart TVs (at some level) are collecting information about users’ viewing habits.

Now these concerns are nothing new. There have been many reports over the last several years of multiple brand smart TVs using this technology which is called Automatic Content Recognition (or ACR) since at least 2010. With ACR technology enabled on your TV it means that your viewing habits including everything you watch and stream are being sent to and collected by a third-party. This information is valuable to the TV manufacturers and their partners so they can tailor ads and other content to your viewing habits in order to (you guessed it) make more money. In fact, last year Vizio settled with the US Federal Trade Commission for $1.5 million for collecting this kind of data without consumers’ knowledge. Since then, Vizio and other TV manufacturers have enabled privacy settings on smart TVs to disable or limit ACR technology. The bigger problem now is that ACR is being implemented in ways designed to force you to accept the ACR privacy policy or you will be unable to use any Internet enabled features like the ability to stream Netflix, Amazon and other popular streaming services. Unfortunately, as a consumer, we’re given very little choice unless we want to revert back to just having a “dumb TV”.

So how do you change the ACR and other privacy settings on your smart TV? It’s not easy as the TV manufacturers have made this difficult to change. First, make sure your smart TV has the latest update (this is also known as a firmware update). You can usually find this in the system information menu of most TVs. Some TVs will actually update on their own so be sure to check to see if you have the latest version. Next, reset your TV back to its factory default so you can review the privacy policy as well as any prompts to change ACR settings. You can also dig down within the menu system on the TV to find this yourself as they are buried, by design.

Well that’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram. You can also subscribe and listen to our podcast on iTunes, Android, Google Play, Stitcher and on your Amazon Echo device via TuneIn. We also love to hear feedback from our listeners! Let us know how you like this new weekly format by either commenting on our social media feeds or sending us an email at Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

