Bypassing 2FA for a credit card with a stolen phone

If you think that enabling two-factor verification for a credit card makes you safe from fraud, be aware that it can be bypassed if the thief steals not only the card but also your phone:

Phones, of course, can be made inaccessible with the use of passwords and face or fingerprint unlocking. And bank cards can be stopped.

But the thief has a method which circumnavigates those basic safety protocols.

Once they have the phone and the card, they register the card on the relevant bank’s app on their own phone or computer. Since it is the first time that card will have been used on the new device, a one-off security passcode is demanded.

That verification passcode is sent by the bank to the stolen phone. The code flashes up on the locked screen of the stolen phone, leaving the thief to tap it into their own device. Once accepted, they have control of the bank account. They can transfer money or buy goods, or change access to the account.

The solution? Change the notification settings of your messaging app so that SMS messages are not displayed on the lock screen. Or better yet, if your bank supports it, switch from SMS to an authenticator app.

City worker loses USB containing personal details of every resident

A city in Japan has been forced to apologize after a contractor admitted he had lost a USB memory stick containing the personal data of almost half a million residents after an alcohol-fueled night out.

After spending Tuesday evening drinking at a restaurant, he realized on his way home that the bag containing the drive was missing, along with the personal details of all 460,000 Amagasaki residents. He reported the loss to police the following morning.

Of course, such an unpleasant situation could have been completely avoided if the USB drive had been encrypted with software such as USBCrypt.

How to hide folder on Windows 11 or 10 without any additional software

If you want to hide a folder on your Windows 11 or Windows 10 computer, you probably expect to buy a security program that can do that. However, before you invest your hard-earned money in such a solution, you may want to consider the built-in methods of folder hiding that are already included with Windows. If you are familiar with Windows batch files and know how to create them, you may find a folder locking batch file of use. Surely, the folder protection it provides is not as strong as that of the paid security programs, but depending on your specific situation, the protection offered by the folder locker batch file could be just enough, and it’s free! Check it out.

How to hide pictures in Windows 11 and 10 from the Photos app

Usually when you use the Photos app on your Windows 11 or Windows 10 PC, it shows all photos it can find, but did you know you could hide photos from other people when they use the Photos app on your computer? You can achieve that by excluding a folder with pictures from Windows search index, and that would hide the photos you don’t want others to see from the Photos app.

FBI Tech Tuesday: Building a Digital Defense with Credit Reports — FBI

Given the hacks we’ve seen in recent years, there are few people who haven’t had their identity stolen. While you, as an individual, can’t stop those breaches against some of the nation’s biggest retailers and financial institutions, there is something very simple that you CAN do: check your credit history.

There are three main credit reporting agencies in the U.S.: TransUnion, Experian, and Equifax. Together, they have set up a system through which you can request one free credit report each year from each of their agencies. You have the choice of getting all three at once or spreading them out over the course of the year.

To request your free reports, go to www.annualcreditreport.com.

Your report will include any names you have used, your addresses, how much you owe your creditors, whether you pay on time, whether you’ve been sued and whether you’ve filed for bankruptcy. Each report collects slightly different information from different sources, so it is important to check all three—whether at the same time or spread out over time.

Why is it important to make sure each of these reports is accurate? This may be your first indicator that someone is committing fraud in your name. In addition, these credit agencies sell this information to creditors, employers, insurance companies, and other businesses. The information in this record may make a difference in whether you get a mortgage, new car loan, new credit card, get a job or pass a rental screening.

Continue reading: FBI Tech Tuesday: Building a Digital Defense with Credit Reports — FBI

36 fake security apps removed from Google Play

Google has recently pulled 36 fake security apps from Google Play, after they’ve been flagged by Trend Micro researchers.

Posing as legitimate security solutions, and occasionally misusing the name of well-known AV vendors like Avast, the apps seemed to be doing the job: they showed security notifications and other messages, warned users about malicious apps, and seemingly provided ways to fix security issues and vulnerabilities.

But, it was all an act: the notifications are bogus, and the apps used simple animations to trick users into believing the discovered issues were resolved.

The apps’ real goal was to bombard users with ads and entice them to click on them, as well as covertly collect information about the user, the device, the OS, the installed apps, and track the user’s location, and upload all this information to a remote server.

Source: 36 fake security apps removed from Google Play – Help Net Security

High-severity bugs in 25 Symantec/Norton products imperil millions | Ars Technica

Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in any way. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.

An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant tradeoff in terms of increasing attack surface.

If you use a Symantec or Norton product, now would be a good time to update.

Source: High-severity bugs in 25 Symantec/Norton products imperil millions | Ars Technica

Is the IRS Investigating You?

Lately I’ve been receiving a lot of phone calls warning me that the IRS is filing a lawsuit against me.

This would be scary, except that I know it isn’t true.

Fake IRS calls are a type of fraud that has become more common in the past few years. Fraudsters claim to be IRS agents, police officers, and other officials. They say that you owe back taxes and that if you do not pay immediately you will be subject to jail time, loss of your driver’s license, or other penalties.

Continue reading: For Better – Or What?: Is the IRS Investigating You?

Two-factor authentication for Apple ID – Apple Support

Two-factor authentication is an extra layer of security for your Apple ID designed to ensure that you’re the only person who can access your account, even if someone knows your password.

With two-factor authentication, your account can only be accessed on devices you trust, like your iPhone, iPad, or Mac. When you want to sign in to a new device for the first time, you’ll need to provide two pieces of information—your password and the six-digit verification code that’s automatically displayed on your trusted devices. By entering the code, you’re verifying that you trust the new device. For example, if you have an iPhone and are signing into your account for the first time on a newly purchased Mac, you’ll be prompted to enter your password and the verification code that’s automatically displayed on your iPhone.

Because your password alone is no longer enough to access your account, two-factor authentication dramatically improves the security of your Apple ID and all the personal information you store with Apple.

Once signed in, you won’t be asked for a verification code on that device again unless you sign out completely, erase the device, or need to change your password for security reasons. When you sign in on the web, you can choose to trust your browser, so you won’t be asked for a verification code the next time you sign in from that computer.

Source: Two-factor authentication for Apple ID – Apple Support

Two factor paper passwords | John Graham-Cumming

People love to use the same password over and over again, or they invent some amazing scheme like the same single word followed by their birth year, or replacing a’s with 4’s. And no matter how many password databases get hacked the idea that password security matters doesn’t seem to really sink in.

When I do get someone to listen I tell them to use diceware generated passwords and then write them down in a little book and guard the book jealously (actually, I tell them to use a password manager but most people seem to balk at using software I think for fear of losing their passwords).

But then they often ask the sensible question: “What if someone steals that book?” And so I suggest a ‘two factor’ solution.

Continue reading: Two factor paper passwords | John Graham-Cumming