You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston.
In episode 95 for November 18th 2019: Google’s access to the medical records of millions of Americans, a new ruling on suspicionless searches at the US border, and details on a new scam using the popular money sharing app Zelle.
This week I read a news article about how more schools are either outright banning the use of smart phones or having kids put their phones in their lockers while in class. And while some kids may complain that they can’t use their device, teachers and school administrators are noticing that when there are no smart phones in school, kids seem more engaged with their friends, less distracted, and even less stressed. I think this is a great idea and hope more schools start implementing similar policies, but did you know that as adults we have the power to do the same thing? When was the last time you “docked” your phone during the day so you could be more engaged and less distracted? Well, Silent Pocket has the perfect solution for this, and it’s called a Faraday Bag. Simply place your smart phone in one of their stylish Faraday bags and you have instant silence, privacy, and a quick way to be more engaged with the people around you. Pick up one today at silentpocket.com and use discount code “sharedsecurity” at checkout to receive 15% off your order.
Welcome to the Shared Security Weekly Blaze Podcast, where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
I realize that just a few weeks ago I talked about Facebook’s new preventive health tool that is apparently not collecting patient data, but this past week it was reported that Google actually does have access to detailed medical records on tens of millions of Americans. But don’t worry, Google says that it promises to not mix patient data with all of the other massive amounts of data that Google collects about its users. The Wall Street Journal reported that Google has partnered with a company called Ascension, which is the second largest healthcare system in the US, on a project to “collect and crunch the detailed personal-health information of millions of people across 21 states.” According to a statement from Ascension they say they are partnering with Google to improve the tools used by patients and caregivers as well as “explore artificial intelligence and machine learning applications that will have the potential to support improvements in clinical quality and effectiveness.”
So what kind of healthcare data are we talking about? Well, pretty much everything, including names, birthdates, addresses, family members, allergies, immunizations, radiology scans, hospitalization records, lab tests, medications, medical conditions, and even some billing claims. Shockingly, it seems that this partnership does not violate HIPAA (the Health Insurance Portability and Accountability Act), as the law does allow hospitals to share data with business partners as long as the data is used to help carry out the hospital’s health care functions. Personally, I think this is a fine line that Google and Ascension are walking here. I mean, does anyone else find it ironic that Google also just purchased Fitbit for $2.1 billion? Don’t you think it’s going to be really tempting for Google to find ways to combine or analyze Fitbit data with the detailed health care data of tens of millions of Americans? It’s not too terribly shocking that Google is working with health care organizations, but with the risk of data breaches and the constant mishandling of private information by the large tech firms, are we willing to let Google handle our health care data too? Perhaps we have no choice in the matter, but at least the government does. In breaking news last week, the Department of Health and Human Services stated that it will be opening an investigation into Google to ensure that HIPAA protections were fully implemented.
In privacy news this week, a federal court in Boston ruled that suspicionless searches of travelers’ electronic devices by federal agents at airports and other US ports of entry are unconstitutional. The ruling stemmed from a lawsuit filed by the ACLU and the EFF on behalf of 11 travelers who had their laptops and smart phones searched at US ports of entry without being suspected of any crime. This new ruling means that the Customs and Border Control and Immigration and Customs Enforcement agencies now need to demonstrate individualized suspicion of illegal digital contraband before they can search a traveler’s device. As we’ve reported on previous episodes of the podcast, these agencies have been searching the devices of international travelers for quite some time now with really no rhyme or reason for doing so. And these searches have been done on US citizens as well, not just foreigners. Last year alone, the Customs and Border Control agency conducted more than 33,000 searches, which is almost four times the number of searches from just three years prior. This is a very positive development regarding the protections that the Fourth Amendment provides to the countless travelers who come to the US each year. It’s also a win for everyone’s privacy, as this ruling demonstrates that governments should not have the right to conduct suspicionless searches at border crossings.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
I’ve seen lots of news stories and even Facebook posts being shared by friends regarding a recent scam going around that uses the popular money sharing app, Zelle, to drain your bank account. This is the perfect time of year to talk about this because the holidays seem to increase the number and frequency of these scams. This one in particular is concerning because many people don’t realize that Zelle is probably already partnered with your current bank and automatically built into your bank’s mobile app. In fact, every major US bank is partnered with Zelle, so there is a very good chance that your bank is using it. Here’s how one version of the scam works. You’ll receive a call that looks like it comes from your bank, even with the caller ID showing your bank’s name. If you answer the call you’ll be told that your bank has detected fraud on your account and that they can take care of the problem right now on the phone with you. You’ll then be asked to read back a code that they have just sent you over text message. Sure enough, you’ll receive the text message with the code, and when you repeat the code back to the caller, they will say all fraudulent charges have been reimbursed and wish you a nice day. Minutes later, the scammer uses the verification code that you gave them to enroll a Zelle account and starts draining your bank account by sending money to the attacker. In this case, the attacker has either already gained access to your online banking account, or they are social engineering you over the phone so that they can gain access to it. Variations on this scam include asking you over the phone for personal details (like ones that would be in password reset questions), asking for your password, and asking for other types of multi-factor authentication codes your bank may use.
There have also been reports of this scam starting with a phishing email that takes you to a site that looks like your bank in order to harvest your banking credentials, with the attacker then calling you and using the text message trick to enable your Zelle account.
I did my own research to find out if Zelle was installed in the mobile app for my bank, and I was actually surprised that it was. Like everyone else, I had never heard of Zelle before, nor did I know my bank had built it into their mobile app. I also found out that there is no way to disable Zelle on my banking account! This is feedback that I’m definitely taking back to my bank, and so should you.
So what’s the best advice to avoid becoming a victim of this scam? First, your bank will never call you about fraud. Typically, if you have fraud alerts set up, you’ll get a text message asking you to call them. Speaking of fraud alerts, always enable these, as most banks these days have this option available. I also recommend never picking up a call that looks like it comes from your bank; most likely it is a spoofed call. In fact, I actually recommend never answering your phone for any number you don’t recognize unless it’s a call that you’re expecting. Sad, I know, but this is unfortunately the world we live in. Lastly, never give out any personal information, passwords, two-factor authentication codes, credit card details, or other sensitive information over the phone if asked. Unless you 100% trust the person or company you’re talking to, you may be giving this information to a scammer.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode, please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.