You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 84 for September 2nd 2019: “Ghost click” Android apps found on the Google Play Store, new privacy protections for Apple’s Siri voice assistant, and did you know that your credit card may be spying on you?
I have a question for you. How often do you carry your laptop with you? If you’re a frequent traveler, the answer may be all day and every day. So if you are carrying your laptop around, how are you doing it? If you’re like most of us you use some cheap neoprene laptop sleeve or just throw it in a backpack. But what if I told you there is a better approach? Well Silent Pocket makes a fantastic solution called a faraday laptop and tablet sleeve. I have one and I love it. Their laptop sleeve comes in waterproof nylon or beautiful leather to provide protection for your laptop from not only the elements but also by blocking all wireless signals, making your laptop instantly secure. Check out Silent Pocket’s Faraday Laptop and Tablet Sleeve for yourself at silentpocket.com. And as a listener of this podcast be sure to use discount code “sharedsecurity” to receive 15% off your order.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy news topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Did you know that Android app developers have found creative ways to load ads or conduct “ghost clicks” within an app so that the ad is never shown to you and that you never have to click an ad on the screen? Well last week it was discovered by researchers from Symantec that an Android app developer called “Idea Master” had two apps, a notepad app called “Idea Note: OCR Text Scanner, GTD, Color Notes” and a fitness app called “Beauty Fitness: Daily Workout, Best HIIT Coach”, that were downloaded over 1.5 million times from the Google Play Store and for close to a year were using this very tactic. According to Symantec researchers, the code to do all of this was hidden due to the way that the apps were compiled. Typically, researchers can easily reverse engineer Android apps to view the source code, but in this case a “packer” was used to purposely obfuscate the code. These packers are typically used by app developers to protect intellectual property in their code.
How this attack works is that the developer first makes sure the ads show up just outside the viewable area of the screen and then they program the app to initiate an automated ad-clicking process that runs in the background. Not only will this drive up ad revenue for the app developer but it has the side effect of slowing down your Android device and draining your battery. There is also the potential for these developers to use similar tactics to load malicious content or open up websites so that more dangerous things could be installed on your phone. So how can you prevent something like this from happening on your Android device? First, keep your mobile device up to date, only install apps from trusted sources, and pay close attention to the permissions that are requested when you install an app. And if you see your battery or data usage spike after installing an app, that should also be a clue that an app may be doing something malicious on your device.
Remember on a recent previous episode how I talked about Amazon, Apple, and Google having major privacy issues regarding what was being recorded from their voice assistants like Siri, Amazon Echo, and Google Home? In all of these assistants, recordings were found to have contained very private conversations that were being analyzed by contractors hired to improve the technology behind these digital assistants. Several weeks ago Apple suspended what they call their Siri “grading” program due to privacy concerns with the use of contractors and the very private conversations which included everything from financial data, medical, and other very personal details when Siri was accidentally triggered.
This past week Apple has now announced that they will be resuming this program in the Fall but only after some privacy changes are made. These changes include that Apple will no longer retain recordings of Siri interactions and instead will use computer-generated transcripts to help Siri improve. Second, users will be able to opt in to have audio samples from Siri analyzed, with the option to opt out at any time. And third, for customers that do opt in, only Apple employees will be allowed to listen to audio samples and they will delete any recording which happened to be an inadvertent trigger of Siri. Now, let’s see if Google and Amazon follow Apple’s lead to fix some of these recent privacy concerns with all of these voice assistants.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
Credit cards are a necessity these days for paying for things either online or when you’re out and about, and we all know that credit cards just make paying for things much more convenient. One of the side effects though, as we often talk about on this show, is that your credit card data is a huge target, as evidenced by the countless data breaches we hear about almost every day. But have you ever thought that your credit card might be spying on you and that, in fact, your credit card transaction data goes to many different types of companies for lots of things you may not even know about? Well I read a fascinating story last week posted by Geoffrey Fowler, a technology columnist for the Washington Post, about how he purchased two bananas at Target. Yes, you heard that correctly, bananas. He purchased one banana on a Chase Amazon Prime Rewards Visa credit card, and the other on the new Apple Card, which is advertised as a credit card focused on your privacy.
Here’s what he found out. First, card data is extremely valuable to all sorts of companies: your bank, the retailers, the credit card processors, and even the apps that you might use, like Mint, to organize your finances. All of your transactions are often aggregated, anonymized, hashed, or used in some way to eventually target you with marketing or other types of offers based on what you purchase. While we don’t typically think about how our spending habits could reveal information about us, it was pretty eye-opening to me to see the path that your data takes as soon as you make a credit card purchase.
First, your bank obviously knows you made a purchase, but what you might not know is that your bank will send your data to marketing partners and affiliates. You can opt out of this through those yearly privacy notices that you receive in the mail once a year, but by default you opt in to data sharing just by signing up for a credit card. In fact the Chase credit card used in this experiment was found to share data for seven different reasons with companies not owned by Chase. This is where the Apple Card was different. Goldman Sachs says it does not collect or send any transaction or other data to any third-party companies. Oh and of course, any co-branded credit card, like the Chase card that partners with Amazon, gets a piece of your data too.
What else? Well there are the card networks run by Mastercard and Visa, which also aggregate your data and then sell that data to various third parties. This is where the Apple Card starts to fail from a privacy perspective. Once data hits the card network, that data is no longer under the privacy restrictions put in place by Apple and Goldman Sachs. There is also the store itself as well as the point-of-sale systems. For example, both bananas were purchased at Target. Now Target of course knows what you purchased and can start to use your card number as a unique identifier showing what you’ve purchased and when. Target shares your data with other companies too. And if a particular store has a loyalty card, it gets even worse, as now more of your purchases and related history can be shared.
Now where it gets really interesting is with the point-of-sale systems and the merchant banks that actually process your credit card transactions. They too can share your data. I’ve started to see payment terminals asking me if I want to print a receipt at the register, or have it emailed or texted to me. Guess what happens if I choose email or text? Yep, you guessed it. I just gave my phone number and email to the credit card processor. Creepier still, next time I use that credit card at that store the terminal will most likely remember that I chose email or text as my choice of receipt delivery.
But wait, there’s more! Mobile wallets and financial apps also send your data to third parties, but I think you get the idea. We’ll have the full article linked in the show notes so that you can read the rest for yourself, but what are some things we can do about this? First, you could just start using cash everywhere, but if you use a loyalty card with a purchase you’ll still be giving away your data. The more sound, and unfortunately painful, approach is to opt out of as much of this as you can by researching how to opt out through your bank and credit card company, and even some stores may allow you to opt out too. But as the article noted, “the devil is in the defaults.” Which means that only a small number of us are going to actually take the time to contact all of these companies to opt out of data sharing. My take is that the Apple Card is doing some good things here but just doesn’t go far enough. I think it’s going to take a combination of some type of new federal privacy law combined with businesses finally realizing that, quote, “data is the new corporate social responsibility.”
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First-time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.