
OPINION

Twitter’s Security Blunder: More Dangerous Than You Think


Twitter had a data security problem last week that might sound trivial. Email addresses, phone numbers, and the last four digits of the credit cards used to buy ads on Twitter were left in browser cache after the transaction, and that cache was not secured.
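The exposure described above is, in HTTP terms, a page that carries personal and payment data but is not marked so that the browser must not keep it. The following is an added example (not Twitter's code, and it assumes the root cause was a missing `Cache-Control: no-store` on the receipt response) that audits a response's headers and body for exactly that combination; it also shows why `no-cache` and `private` are not the same as `no-store`.

```python
import re

# Loose patterns for the data the article says was exposed: email address,
# phone number and the last four digits of a card. The point is not precise
# matching but catching a page that should never be cacheable at all.
SENSITIVE = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"(?<!\d)\+?\d[\d\s().-]{8,14}\d(?!\d)"),
    "card_last4": re.compile(r"(?:ending in|last four|\*{4}|x{4})\s*\d{4}", re.I),
}

def browser_may_store(headers):
    """True if a browser is allowed to keep this response in its cache.

    Only 'no-store' forbids storage. 'no-cache' and 'private' are often
    mistaken for it, but both still let the browser write the page to disk;
    they only restrict reuse without revalidation or by shared caches.
    """
    cc = next((v for k, v in headers.items() if k.lower() == "cache-control"), "")
    directives = {d.strip().split("=", 1)[0].lower() for d in cc.split(",") if d.strip()}
    return "no-store" not in directives

def find_sensitive(body):
    """Return the kinds of personal or payment data present in a response body."""
    return sorted(kind for kind, rx in SENSITIVE.items() if rx.search(body))

def audit_response(headers, body):
    """Flag a response whose body carries sensitive data but may be cached."""
    kinds = find_sensitive(body)
    cacheable = browser_may_store(headers)
    fix = "add 'Cache-Control: no-store' to this response" if kinds and cacheable else None
    return {"cacheable": cacheable, "exposed": kinds, "fix": fix}

# Constructed sample: a post-purchase receipt page of the kind the article
# describes, once with headers that merely look safe and once with the fix.
RECEIPT = ("Thanks for advertising with us! A receipt was sent to "
           "jane.doe@example.com and we will call +1 (555) 010-2345 if needed. "
           "Charged to card ending in 4242.")
WEAK_HEADERS = {"Content-Type": "text/html", "Cache-Control": "private, no-cache"}
FIXED_HEADERS = {"Content-Type": "text/html", "Cache-Control": "no-store"}

if __name__ == "__main__":
    print(audit_response(WEAK_HEADERS, RECEIPT))   # cacheable, three kinds exposed
    print(audit_response(FIXED_HEADERS, RECEIPT))  # not cacheable, fix is None
```

Run it against a captured response from any page that shows a receipt or account details; a non-empty `fix` means the page would survive in the browser cache on a shared machine.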

This may seem trivial, but the consequences could be far more significant than you might think. Let’s explore how — and we’ll close with my product of the week that is arguably the best non-Apple smartwatch currently in the market: the Suunto 7, which uses Qualcomm’s Snapdragon 3100 platform.

Phishing and Phone Fraud

When we largely shifted to working at home, a lot of people suddenly had tons of time on their hands and flipped to doing bad things. One of those things was mining people for money and information. Fraudsters know that folks working at home are distracted and worried, which leads to more potential victims.

A typical phishing attack, be it in the form of an email or phone call, attempts to convince you that the contact is from someone you trust. Then they use bits of information they have about you to mine you for enough additional information to do real damage.

If some of your data has been obtained illicitly because one of your vendor’s systems was compromised, the crooks can then come after you for more, on the phone. A typical call might go like this:

The call arrives with a spoofed caller ID, so the number shown on your phone looks legitimate.

You: Hello

Attacker: Hello, this is [fake name], account supervisor at [Your Familiar Vendor]. We had a problem with your credit card with the last four digits of [the number they captured from Your Familiar Vendor], and the transaction failed to clear. Could you help us resolve the issue?

You: Sure

Attacker: Given the COVID-19 mess, you are ok, right?

You: Yes

Attacker: Anyway, given the COVID-19 mess, there have been a lot of fake accounts set up, and we need to make sure you are you. I hope you understand.

You: I do

Attacker: So, the email we have for you is [captured email address].

You: Yes

Attacker: And the phone number we have is the one I just called [gives captured phone number], correct?

You: Yes

Attacker: Do you have the credit card you used with you?

You: Yes

(The reason for all of these questions is not only to get you to believe they are who they say they are, but to get you saying “yes” repeatedly so you will continue to cooperate.)

Attacker: Oh, it looks like the system purged the expiration date of your card, what was that again?

You: Read the date to the attacker

Attacker: Ok, let’s try to run it again. Hang on. (Some time passes.) Sorry, the card still isn’t clearing. Do you think you might have miskeyed the number? I’m so sorry for the trouble, could you give me the number again?

(If they do this right, you are now convinced they are from Your Familiar Vendor.)

You: Share the number

Attacker: It still isn’t clearing, let’s double-check one more thing. That little number on the back of the card, would you mind reading it to me?

Now, if you do, they have everything they need to charge your credit card, and they can then use this information to phish for even more using the same methodology. For instance, the attackers could call back and this time say they are from Amazon (effective because most people do business with Amazon), repeat back the card information they already have, say there is a problem, and then get another one or two card numbers and more information from you by pretending your other cards have issues too.

This process could iterate over weeks until they have enough information about you to steal your identity. If they succeed, it will take months or years to get your life and credit rating back. Not to mention the grief you are likely to get from your loved ones for falling for the scam.

Wrapping Up: Be Prepared

Now, forewarned is forearmed. So, knowing this, if you have advertised on Twitter, be on alert for anyone calling with some of your personal information and asking for more. Be particularly wary if they have the information you know was leaked, but remember that they could also have phished your kids or spouse, so they may know more than that.

One recommended practice is never to provide information over the phone about your finances unless you made the call and verified it was to a business and location that you trust. Any inbound call, email, or text message asking anything about your personal information or finances should be distrusted.

If you are concerned, look up the number to the company and initiate a phone call to them yourself to review your account to see if there is a problem.

Or, log into the company’s website by typing their URL directly into your browser (don’t click on links in emails, those could be phishing scams), so you can review the account and see whether there are any flags on it. If there are none, and generally there won’t be, you have probably avoided being hacked.

For kids and older folks, you might want to role play with them so they won’t fall for these scams and will always be on the lookout. People who do this stuff well are great at finding the weak link in the family, and that means you need to ensure that whoever yours is, they are ready for this challenge.

Rob Enderle's Technology Product of the Week

The Apple Watch remains the best smartwatch in the market. Still, Apple, in its infinite wisdom, decided not to repeat the policy they had with their other consumer devices and locked the watch to the Apple ecosystem. If you don’t have an iPhone, the Apple Watch isn’t for you. That’s why I continuously look for non-Apple challengers, and the best are running the Qualcomm Wear 3100 technology.

The latest of these watches I’ve tried is the Suunto 7, and while it doesn’t yet do everything the Apple Watch does, it is the most impressive Android smartwatch I’ve tested to date.

What makes this watch better than most is its 1,000 nit 1.39″ AMOLED display. Most smartwatches wash out severely in sunlight, but 1,000 nits are what military-grade displays put out — and being able to see the display on your watch is essential.

The Suunto 7’s AMOLED display is more advanced than the Apple Watch OLED, but there are tradeoffs. OLED is better in sunlight, uses less power, and has deeper blacks. Still, AMOLED displays have a higher contrast ratio, tend to be harder to break because they are more flexible, and in most cases provide sharper images.


Suunto 7 Smart Watch

While this isn’t a dedicated sports watch, it does have decent step tracking and a reliable GPS component for runners. Like most watches today, it supports contactless pay with NFC using Google Pay.

Although it will help you control your music, it doesn’t support offline music (you can’t store music on the device), and it doesn’t have a built-in WAN modem, so you do need your phone in proximity for this and other phone-integrated features.

The Suunto 7 doesn’t have a sleep tracker, which is a deal-breaker for many, but I find I charge my smartwatch at night anyway, so that hasn’t been a substantial problem for me. Its heart rate sensor has tested well against chest-mounted sensors, so it is more accurate than most.

One exciting feature is the Suunto heat map, which tracks routes used by other Suunto owners. This feature won’t be beneficial if there aren’t any in your area, but if there are, it can help you discover new running and riding routes.

It is one of the more attractive watches and an interesting blend of sports and fashion features, and it hit a sweet spot for me, so the Suunto 7 smartwatch is my product of the week.

The opinions expressed in this article are those of the author and do not necessarily reflect the views of ECT News Network.

Rob Enderle

Rob Enderle has been an ECT News Network columnist since 2003. His areas of interest include AI, autonomous driving, drones, personal technology, emerging technology, regulation, litigation, M&E, and technology in politics. He has an MBA in human resources, marketing and computer science. He is also a certified management accountant. Enderle currently is president and principal analyst of the Enderle Group, a consultancy that serves the technology industry. He formerly served as a senior research fellow at Giga Information Group and Forrester.

1 Comment

  • When will people understand that "social media" is not social, and it's not "free". It sends its users down tunnels, dangerous ones. It's NOT free, because you are the product feeding the beast with your data. The same goes for the cloud/somebody else's computer, none of it's good but idiots can't seem to say no to it
