New iPhone Setting Stops Apps & Ads from Stalking You (App Tracking Transparency)

Apple App Tracking Transparency is Finally Here!

With the release of iOS 14.5, Apple has given us the most powerful privacy tool for users in many years – it’s called App Tracking Transparency (ATT). The update also includes a lot of features that have Apple product users very excited, like new Siri voices and being able to open your iPhone with Face ID even when wearing a mask—IF AND ONLY IF you have an Apple Watch.

But as a privacy advocate, the element that matters the most to me is the App Tracking Transparency (ATT) feature. This means that apps like Facebook, Instagram and Google will no longer be able to track or gather your surfing habits on other apps or websites without getting your permission. For example, if you worked out on the Peloton app this morning, Facebook can buy that information and advertise exercise clothing to you based on your exercise type, size, weight, etc.

This is a serious blow to Facebook and other “free” services that depend on gathering your intimate personal and behavioral data to sell to their advertising clients. Of course, these services have never actually been free, as we have always been paying by giving them our information.

Specifically, the update changes the Identifier for Advertisers (IDFA), which is a unique random number assigned to each iPhone and allows advertisers and developers to track user behavior on that device. This includes not only app usage but also web browsing behavior that is often used to target advertisements to your psychographic profile. Apple says this change will provide transparency and give users an easier way to choose if their data is tracked.

Needless to say, Facebook, Google, and other big tech firms are not happy with the change. Facebook was so upset they placed a full-page ad in The New York Times in December claiming that the change would negatively affect small businesses who will see a drop of over 60% in sales. Facebook was unable to substantiate that claim, but their claim that it will force developers to enable in-app purchases or force subscriptions to make up for lost revenue is most likely true.

What will this look like for you as a consumer?

Basically, whenever you open any app that wants to access the IDFA, you will see a pop-up notification that asks for permission to track you across apps and websites owned by other companies. You can allow tracking or decline it by choosing between “Allow Tracking” and “Ask App Not To Track.” Opting into data collection rather than having to opt out finally catches up with data privacy regulations such as the EU’s GDPR. It will be required by all software makers within a few months of the release.

So it comes down to one question: are you willing to pay for the extras provided by apps in order to have a little bit more privacy?

John Sileo is a privacy keynote speaker, award-winning author and media personality as seen all over TV. He keynotes conferences virtually and in person around the world. John is the CEO of The Sileo Group, a business think tank based in Colorado.

Is Your Free Wi-Fi Hotspot Being Hacked?

Don’t you just love the convenience of free Wi-Fi hotspots? You can access your bank account, send emails, browse in a store and then buy it online for half price. Unfortunately, they’re called Hotspots because they attract hackers who want to BURN you by intercepting everything you send over these totally insecure networks. Free Wi-Fi is like using a bullhorn to have a private conversation. I’m going to show you three ways to Wi-Fi without the worries.

I’m John Sileo, and this is Sileo on Security. Free Wi-Fi is everywhere, and most of us are totally addicted to it because it gives us a faster connection and saves on our data plans. By joining free Wi-Fi hotspots, you enable hackers to “sniff” everything you send between your device and the Internet. We call these man-in-the-middle attacks because they are hijacking your data before it leaves the building.

Here are three simple ways to keep criminals out of your private computing:

First, Learn to Recognize Evil Twins! An Evil Twin is a malicious hotspot masquerading as the real thing. Data thieves name their evil twin something very close to the legitimate hotspot to lure unsuspecting surfers and then they run sniffing software that records everything sent, including usernames, passwords and account numbers. The only way to spot an evil twin is to ask the hotspot provider which network is the real one. Hotspots that require a username and password are even more secure and make it much harder to hack.

Second, Look for HTTPS in the address bar! If you HAVE to use free Wi-Fi and you’re sending something sensitive, check to make sure you’re surfing on an encrypted https:// connection. The “s” stands for Secure, and encrypted means no one but you and the legitimate recipient can read it as it travels from point A to point B.

Finally, here’s the most powerful solution – Surf Using Your Smartphone. Cellular data connections are encrypted, making it exceptionally hard for a hacker to get in the middle of your transmission. Most of us pay for data by the gigabyte, which means you have to be wise about how you use your data plan. I wouldn’t recommend streaming Titanic over a cellular connection but I’d definitely use it to bank, buy online and email. If you need to go online from a larger device like a laptop or iPad, call your mobile phone company and ask about tethering. Creating personal Wi-Fi hotspots like this costs about $15 per month + data charges, but it’s a lot cheaper than having a cyber criminal cash out your investments because you surfed using an insecure connection.

Here’s your One Minute Mission: Call your cellular provider and ask them how much of your data package you use every month. If you’re maxing it out, upgrade your data plan, but only if you can afford it. Once you have some excess data, go into your settings, turn off Wi-Fi access and use your data plan whenever possible. If you’re streaming a movie, temporarily turn Wi-Fi back on.

The next time you’re tempted to log on to a free Wi-Fi hotspot, ask yourself if what you’re about to send could be said over a bullhorn in a public place. If not, take the steps we’ve talked about to keep your information private. Thanks for watching and I hope you’ll join me again for Sileo on Security.

Don’t Get Hooked by Phishing Scams

Have you ever wondered how cyber criminals install malware on your computer?  I’m going to show you and give you three tips to keep it from happening to you.  I’m John Sileo and this is Sileo on Security.

This particular hacking technique is called phishing, and it’s where cybercriminals send you fake emails that look like they’re from a legitimate business – your bank, PayPal or even a recently breached company like Anthem or Target.

Phishing has gotten a whole lot better over the years. You can’t tell it from spelling mistakes, grammar, bad logos. It’s much more exact; the emails look exactly like the legitimate emails. And phishing has morphed into spear phishing. This is where criminals know a little something about you, maybe from a previous breach, and they can highly target you for these really malicious attacks.

So here are three quick tips to keep phishing from infecting your computer and stealing your data.

  1. First of all, I want you to mistrust every link in an email unless you know who it is coming from and you were expecting that link.  Often times they’re collecting your personal information when you click on that link or downloading malware onto your system.  A lot of times there will be a link in the email that looks almost exactly like the legitimate link. So if the link takes you to a place where it’s asking for your money or for your information, just ignore it.
  2. The next thing you can do if you’re suspicious about a link in an email is type the URL directly into the address bar of your browser to make sure it takes you to the legitimate website.  This will keep you from landing on a phishing website where they’re going to try to siphon off your data or cash.
  3. Finally, I want to show you the hover technique.  This is an incredibly powerful way to see if you’re going to the real site or the site of the cyber criminals.   So in your email I want you to hover over the link and it’s going to pop up a window that shows you exactly where you’re actually going to.  When you look more closely at that link it looks like you’re going to the right place, but if you read from right to left instead of left to right (from the slash backward to the .ru or the .com) and your expectation of where you think you’re going doesn’t match where you’re actually going, that’s the first signal that you’re going to a malicious website.  It’s really important to know that when you hover over that link in that email it’s not going to pop up that window immediately.  You need to be patient and wait for it to bring that up.  Don’t click on the link in the meantime and it will show you if you’re going to the good website or the bad.
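The right-to-left reading in tip 3, as an added example that is not part of the original post: a short Python script that pulls each link out of an HTML email, works out which domain actually owns the destination, and compares it with the domain you expected. The domains, IP address and sample email are constructed, and the two-level suffix set is a small stand-in for the full Public Suffix List.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List; real tooling needs the full list.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed sample email body (reserved .example/.test names, documentation IP range).
SAMPLE_EMAIL = """
<p>Your account is locked.</p>
<a href="https://www.bank.example/login">Sign in</a>
<a href="https://bank.example.secure-login.test/verify">https://www.bank.example/verify</a>
<a href="https://bank.example@198.51.100.7/reset">Reset password</a>
"""

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def registrable_domain(host):
    """Read the hostname right to left: the suffix first, then the one label that names the owner."""
    host = host.lower().rstrip(".")
    if is_ip(host):
        return host
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href, text, expected_domain):
    """Compare where a link really goes with where the reader expects it to go."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    real = registrable_domain(host)
    findings = []
    if parts.username is not None:            # everything before "@" is not the host
        findings.append("userinfo-before-@")
    if is_ip(host):                           # a bare IP address instead of a name
        findings.append("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")     # may render as look-alike characters
    if expected_domain in host and real != expected_domain:
        findings.append("expected-name-on-wrong-side")
    if text and " " not in text and "." in text:   # visible text is itself a URL or domain
        shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
        if registrable_domain(shown) != real:
            findings.append("text-differs-from-target")
    return {"destination": real, "matches_expected": real == expected_domain,
            "findings": findings}

def scan_email(html, expected_domain):
    collector = LinkCollector()
    collector.feed(html)
    return [check_link(h, t, expected_domain) for h, t in collector.links]

if __name__ == "__main__":
    for result in scan_email(SAMPLE_EMAIL, "bank.example"):
        print(result)
```

The second sample link shows why reading from the left misleads: the familiar name appears first, but the labels nearest the slash decide who owns the site.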

Here’s your One Minute Mission.  Head to your spam folder; it is full of phishing emails. I want you to hover over some of those links and I want you to start to detect the difference between the good ones and the bad ones.  By practicing the hover technique now you are getting in the habit of detecting those phishing emails when they don’t get caught by your spam software.

With these three tips, you have some basic knowledge of how hackers use emails to steal your private information.

For Sileo On Security, I’m John Sileo.  We’ll see you next time.

John Sileo is an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Is Your Fitness Tracker Sharing Your Vital Statistics?

I’m out here in Vancouver. I just took a run and it reminded me of a question that someone asked me in one of my speeches this morning, which is: Are those fitness tracking devices sacrificing our privacy? I’m going to tell you whether or not they are and how to stop it if you hang on for just a second.

I’m John Sileo and this is Sileo on Security. The great rage right now is fitness or health tracking devices, the Fitbits, the Garmins, even the Apple watches that we wear to track everything that we do.  It could be the mileage we go, the steps we take, the elevation we gain, our pulse, our heartbeat. Are we in good shape or bad shape? It tracks that data and syncs it from the device to an app on our phone or on our computer and then it aggregates that data.

The big question that people have is: Is this being tracked? Is this incredibly vital health information being sold to other companies? Is it being sold to insurance companies who want to know if I’m healthy or not and may want to raise or lower my rates based on that? Is it being sold to marketers who want to know if I’m overweight or underweight, or if I like fitness of a certain type? These devices track intensely personal stuff, so you’ve got to know what you’re doing. I want you to look at three different factors.

Number one: the hardware. It’s different if you have a Garmin or a Fitbit or an Apple Watch. They all have different policies on how they share information. You need to know by device.

Next, you need to take a look at the apps that are collecting the data. Are you using the Fitbit app that comes along natively with the Fitbit device?  Because that is different than if you’re using an app all by itself that you got on the App Store. You need to go through and read that privacy and data policy for the specific app to see how they’re sharing your intimate information.

Third, you need to consider not syncing that device to an actual app. Just track it on the device.  Then it never gets back into the cloud and never gets back to those companies at all. It’s certainly not as functional, but it is one option.

Here’s your One Minute Mission. I want you to Google the name of your device (“Fitbit”, for example) and enter the words “privacy policy” or “security” and I want you to research what others are saying about it in any current article. The reason is that these companies change their privacy and security policies all the time. They start with really good privacy policies and then they migrate to something less and less private.

Listen, I love these devices. I love the fact that they keep us fit and healthy. I love that they keep us competing with our friends and family to have a healthy lifestyle, but you can’t operate them without knowing what you’re doing, without knowing what information you’re giving away. Take a few minutes to take these steps and then go out and get healthy and use these devices. For Sileo on Security, I’ll see you on the next episode.

How to Bulletproof Against a Stolen Smartphone

I’d just come off stage in San Diego and was headed to NYC for another speech when my cell rang. When I answered, the person on the other end of the line was in total OUT-OF-CONTROL panic mode. It was the client I was headed to see in NYC, who, from now on, I will refer to as Barney Fife.

“John, you gotta help me. I’m in NYC already, getting ready for the conference and I lost my phone sometime in the last hour. I don’t know if I left it at the airport, in the cab or someplace in between. You’ve gotta help me out because… it gets worse.”

“HOW does it get worse, Barney Fife?” I asked.

“Well, I keep my banking passwords in my contacts app, so anyone who has the phone has my passwords and my contacts. There’s more. I use my personal email to transfer files between my work computer and my laptop. Yesterday, I emailed myself an Excel file of all of the speakers we’ve hired for this conference. It has all of their W-9 tax information.” And then he got to the real point: “It has YOUR W-9 information, your Social Security number!”

So now I’m getting kind of motivated to help out. “Barney, I’ve got one question for you… Did you Bullet Proof Your Smartphone like I taught you?” “I’m not sure,” he said. And so I asked him three questions that I want you to ask yourself:

Question 1. Do you have a passcode on your phone? If not, nothing else matters, because all of that data on that phone is up for grabs by anyone who has the phone. “Yes, I have a passcode!” he answered.

Question 2. Do you sync your smartphone on a regular basis with your computer so that you have a backup of all of the data in case the phone is gone forever? “Every day,” he said.

And Question 3. Did you enable remote tracking on your phone? “What’s remote tracking?” he asked. Oh, we were so close!

So, your phone is essentially a tracking device. The same GPS technology that mapping programs use lets you see where your phone is anytime it’s turned on. If you turn on remote tracking, which both iPhones and Androids automatically come with, you can get on another computer and see exactly where your phone is on a map. If you left it in the hotel room, you know it. If it’s driving away from you at 70 miles an hour, you can appropriately freak out. OR, you could hit the button that remotely wipes all of the data off of your smartphone. You can remotely wipe your contacts, your email, your Excel files with my SSN in them! And if you have a synced backup copy, you can restore it all to a new phone and pick up where you left off. Granted, you have to buy a new phone, but that is a small cost compared to the value of the private data on your device.

So it turns out that Barney Fife had actually turned on his remote tracking but had never used it. When I explained how he could remotely track it from his computer, he found the smartphone… in his jacket pocket.

Your One Minute Mission? Turn on smartphone tracking and wiping right now! If you have an iPhone, I want you to Google the words Find My iPhone and click on the apple.com page that explains how to set it up. For Androids, Google Find My Android and go to the page on google.com that explains the entire process. Then, test it out and see where your phone is. If it disappears, log in from another computer and lock it, wipe it or go find it.

Can Medical Identity Theft Really Kill You? [Burning Questions Ep. 2]

There has been a great deal in the news about medical identity theft leading to death. Is it possible? Yes. Is it likely? Less likely than dying of a heart attack because you eat too much bacon. But let’s explore the possibility of death by medical identity theft (below, in this article), and why the threat gets sensationalized (in the video).

Gladys Kravitz is Sniffing FREE WiFi Hotspots for Your Secrets

The free WiFi hotspot ritual is habitual. You head to your favorite café to get some work done “away from the office”. Justifying your $4 cup of 50 cent coffee with a Starbucks-approved rationalization (“I work so much more efficiently at my 3rd spot!”), you flip open your laptop, link to the free WiFi and get down to business. The caffeine primes your creativity, the bustling noise provides a canvas backdrop for your artful work and the hyper-convenient Internet access makes it easy for someone else (think organized criminal) to intercept everything you send through the air.

At the table next to you, drinking a free glass of water (these guys are too smart to pay that price for a cuppa joe), sits a hacker running a piece of software that sniffs the data you send over the free (unprotected) WiFi. They watch your private data like Gladys Kravitz stalking the very bewitching and often nose-wriggling Samantha. When you log in to your webmail account, they record your username (usually your email address) and password. Since you use the same password for many different websites, they run an automated computer program that attempts to log into every bank in the world using that username and password. When it fails, the program automatically increments your email password in every way possible until it eventually cracks your banking code.

By the time you head for a latte refill, you can no longer afford it. (This is one effective way to break the Starbucks habit). Most of us have been well trained to unthinkingly connect to the FREE WiFi hotspot at cafés, airports and hotels. Wireless technology is both useful and powerful, but operating it without protection is like skydiving with a parachute that you never deploy (it’s a fun ride while it lasts…). If you connect to any WiFi hotspot without first having to log in with a unique username and password, there is nothing that masks your data as it travels through the air. (Watch the 9News Investigation Video with Jeremy Jojola for a sample).

How to use a free WiFi hotspot without crash landing

Like our previously mentioned skydiver, you want not only to put on your parachute before you jump, but to pull the cord before you taste dirt. Here are some simple steps you can take, along with a “How To” video, before you jump on your next free WiFi hotspot:

  1. HTTPS Surfing. If you absolutely must use the free WiFi hotspot, only exchange information over websites with encrypted connections. What’s an encrypted connection and how can you tell? Watch this short video to learn how to tell if you are on a safe, https internet connection. If you are, all of the data that goes between your device and the WiFi hotspot (and eventually onto the Internet), is scrambled and protected by a passcode (the encryption part) that makes it much harder to intercept. Banks (see video), Gmail and even Facebook (see video) offer HTTPS connections. Sometimes all you have to do on a website is to change your security defaults! If your connection is regular old http (no “s” at the end), just know that your data can be free for all to see (if they have the right tools).
  2. Tethering. Also known as a personal WiFi hotspot, tethering is the act of using your smartphone’s encrypted cellular connection to the Internet to surf securely from your mobile device. Tethering works for laptops, tablets and iPods and is relatively simple and inexpensive to use. To tether your computing device to your smartphone, simply contact your mobile provider (Verizon, AT&T, Sprint, T-Mobile, etc.) and let them know that you want to be able to connect your computing device to your smartphone (you want to tether). They will let you know that it costs about $15 per month (well worth the protection), will turn it on and will walk you through setting up both your smartphone and device so that they communicate with the Internet in a well-protected manner. Note: Many tablets, like the iPad, now come with cellular data access built into the device. So, for example, if you have an iPad with Wireless + Cellular capability, you can almost always connect via your cellular connection (just like your phone connects) and never even have to utilize free WiFi (though it’s still safe to use the secure WiFi in your home and office). You can do the same thing by accessing the Internet via your smartphone that is NOT connected to WiFi. Cellular surfing can be a bit slower, but it is considerably more private.
  3. VPN Software. Using a VPN (or virtual private network software) is a safer way to surf on free WiFi. Think of it like this: it takes the same protections you get when using an https connection and applies them to all of the URLs you visit. VPNs are standard gear for business users, but individuals need them just as much as corporations. One of the more popular VPNs for consumer use is Hotspot Shield VPN (this is not an educated endorsement of the product, just an example). The good part about a VPN is that it protects your data transmissions over the internet at all times, not just when using free WiFi.

Better yet, utilize all three solutions and find yourself 100% safer than the Frappuccino lover over at the next table. Mobile computing will increase your productivity, your connectivity and your flexibility. But to do it without a bit of security preparation is to court digital suicide.

John Sileo not only uses free WiFi hotspots (wisely), he is an internationally recognized keynote speaker on how to keep your employees from making poor data security decisions regarding identity, privacy and reputation protection. His happy clients included the Department of Defense, Pfizer, Visa, and Homeland Security. See his recent media appearances on 60 Minutes, Anderson Cooper and Fox Business.  Tyler Tobin, the CEO and Chief Hacker for Tobin & Associates LLC, is a world renowned Professional White Hat Hacker. His firm specializes in performing compliance, GLBA and full-blown security assessments. His customer base is both regional and global. Assessments include social engineering, external and internal vulnerability and penetration testing and compliance examinations (SEC, SOX, SSAE and GLBA).

Check washing & check fraud can dirty your spring cleaning

Check washing is so simple, you must learn to prevent check fraud

Are check fraud and check washing still relevant in the age of digital payments? If you’re like the average person, chances are you don’t write too many checks anymore. With the convenience of online payment options, nearly universal acceptance of credit and debit cards, and the proliferation of ATMs offering you easy access to money at every turn, why resort to the archaic, labor-intensive method of writing a check?

The simple answer—sometimes we have no other choice!  Some places still don’t accept credit cards (Costco if you don’t have an American Express), or they charge an extra fee for them.  Some retailers don’t offer online payment options.  And frankly, sometimes it’s just an old habit and we haven’t made the effort to find a safer option because we’re stuck in the mindset of “it’s never happened to me” when thinking about check fraud.

Yet, according to a recent AFP Payments Fraud and Control Survey, checks remain the payment type most vulnerable to fraud attacks. In an American Bankers Association Deposit Account Fraud Survey, 73% of banks reported check fraud losses totaling approximately $893 million. And perhaps scariest of all, the imprisonment rate for check fraud is only 2% according to a statement made by the Department of Justice.  So although it’s not as glamorous or high tech as some other forms of fraud, check fraud is very tempting to criminals. It’s often as easy as taking an afternoon stroll down a street looking for vulnerable mailboxes, and then doing a little bit of “laundry”.

Check Washing Check Fraud

One form of check fraud that hits home for businesses and individuals alike is check washing.  It is the practice of removing legitimate check information, especially the “Pay To” name and the amount, and replacing it with data beneficial to the criminal (his own name or a larger amount) through chemical or electronic means. We conducted our own experiment to see just how easy it is to alter a check.  Take a look at our results in the video above.

What can you do to prevent this form of check fraud from happening to you?  There are many steps you can take:

  • Always use high security checks with multiple check fraud and check washing countermeasures
  • Use security gel-based pens with dark ink
  • Don’t leave mail containing checks in an unattended or unlocked mailbox (i.e., with the red flag up)
  • Buy a locking mailbox (one large enough for a postal carrier to put mail through, but not large enough for a hand)
  • Shred voided checks
  • Check your bank statements regularly and immediately when you receive them.  You have a limited time in which to report check fraud.
  • Put clear tape over important fields when mailing a check
  • Do not leave blank spaces on payee or amount lines
  • Have new checks delivered to your bank if possible so they are not sitting in your unattended mailbox

Businesses are highly susceptible to massive check fraud via check washing, because the balances in their accounts tend to be higher and more vulnerable. This simple change from regular checks to high security checks can drastically reduce your risk of check washing and check fraud.

John Sileo is CEO of The Sileo Group, and a keynote speaker on cyber security, identity theft and business fraud prevention. His clients included the Department of Defense, Pfizer, and Homeland Security. See his recent media appearances on 60 Minutes, Anderson Cooper and Fox Business.

Stop Online Tracking Ep. 5: Flush Your Cookies

Watch the entire Browser Spies Online Privacy series. To view the entire series, wait until the end of each video and click on the Next Video button in the lower right-hand corner of your screen. As you watch each short video in your browser, make the necessary changes based on each simple video tip on protecting your online identity and privacy.

Browser privacy expert John Sileo and Fox & Friends have teamed up to educate consumers on how your surfing habits are being intercepted, collected and sold as you browse the Web. These tips give you more control over your Internet Privacy in short, easy to implement tips. Privacy exposure, browser tracking and constant data surveillance are a reality of the digital economy. It’s important to defend your data privacy before it’s too late.

Stop Online Tracking Ep. 4: Enable Do Not Track

Watch the entire Browser Spies Online Privacy series. To view the entire series, wait until the end of each video and click on the Next Video button in the lower right-hand corner of your screen. As you watch each short video in your browser, make the necessary changes based on each simple video tip on protecting your online identity and privacy.

Browser privacy expert John Sileo and Fox & Friends have teamed up to educate consumers on how your browsing patterns are being monitored, shared and sold as you surf the Internet. These tips give you more control over your online security in short, easy to implement phases. Data exposure, surf-tracking and constant browser surveillance are a reality of the digital age. It’s important to defend your information privacy before it’s too late.