How to Keep Your Credit Card Transactions Safe Online in 2017

In the past five years, 30 percent of all cardholders – credit, debit, even prepaid – have experienced some form of fraud, and at least 17 percent have experienced multiple fraud attempts. However, there’s also good news. Armed with an understanding of how credit card fraud happens and how to guard against it, you can significantly reduce your exposure to risk.

The Shift to EMV Chips

You may have noticed in recent years that most credit and debit cards come embedded with small chips. A card chip, known as a Europay Mastercard Visa (EMV) chip, uses the global EMV standard to authenticate and secure transactions made by credit, debit and prepaid cards. This technology is more secure than traditional magnetic stripe cards, which store data that is unchanging and easily copied by a card skimmer. Once a fraudster has “skimmed” your magnetic stripe data, they have all the information they need to use your card as they see fit. Chip cards, by contrast, generate unique security codes for each new transaction. This means thieves can’t use your card for new transactions even if they manage to copy your data.

Unfortunately, card skimming is only one kind of risk. Chipped cards do nothing to protect against card-not-present transactions, such as those processed online. These cards also come with other potential security risks; each card still has a magnetic stripe backup, and this stripe data can be rewritten to effectively undo the protections afforded by the security chip. Data breaches are still a major concern as well, as chip technology offers no protection against the theft of stored information. Additionally, EMV cards can still be skimmed and their data sent remotely to a secondary device, allowing criminals to use the card as they wish for a short period of time.

Tread Carefully With P2P Transactions

Whether it’s Venmo, PayPal, Square Cash or another service entirely, a peer-to-peer (P2P) transaction platform allows you to quickly and conveniently send and receive cash from virtually any device. Unfortunately, P2P services also expose your credit card information to greater risk. To limit your exposure, only conduct transactions with people you know and trust. Additionally, carefully read the platform’s security policies before using it to ensure that the process is protected appropriately.

Use a Dedicated Card for Digital Transactions

There are clear benefits to using a single credit card for all your needs: it allows you to manage your spending easily and even rack up reward points. However, you can improve your security by using a separate card only for digital transactions. While it won’t prevent theft, it will limit your exposure by ensuring that only one account is potentially put at risk.

Don’t Get Hooked by Phishing Scams

Phishing is a very simple type of scam, but it’s also extremely effective. A phishing attempt comes in the form of an email, text message or social media communication that purports to be from a trusted source, often a reputable company or financial institution. The message will include a request for login credentials, personal information or other sensitive data that criminals can use for fraudulent purposes, or it will attempt to infect your device with malware. To prevent falling victim to phishing, never enter personal information after following a link you’ve received in an email or message. If you believe the request may be legitimate, contact the company or person directly to verify before providing any information.

Practice Good Security Habits

It may be convenient to store your credit card data and other information in online shopping accounts that you frequent, but it’s also a major security risk. Instead, opt out of any data storage, and enter your information manually for each transaction. Clear your browser’s cache after making a transaction to ensure that none of your data is stored, and be sure to only shop over a secure https:// connection. Treat all public computers and Wi-Fi hotspots as compromised, even if they appear to be safe.

Maintain Vigilance

The unfortunate reality is that you can never completely prevent fraud, but you can identify it quickly and limit the damage. To that end, make a habit of reviewing your credit card and bank statements frequently for any suspicious activity. It’s also important to check your credit score and credit report for any errors or signs of fraud. Many credit cards now provide free access to your credit score, and you can check your credit report three times per year by alternately requesting a report from each of the three major reporting bureaus: Experian, TransUnion and Equifax.

Stay Safe With Text Alerts

In addition to obtaining your credit reports, you can stay on top of your finances by using text alerts. Most banking apps provide the option to set various alerts, whether it’s a text message for every transaction over a specified dollar amount or a daily text summary of your current balance. Set these alerts and use them to keep an eye out for any signs of unusual activity. If you notice something that doesn’t add up, report it as quickly as you can.

Credit card fraud is a serious and rapidly growing problem, with losses estimated to reach $10 billion by 2020 in the United States alone. The introduction of EMV chips has helped to curb certain types of fraud, but it’s done nothing to prevent fraud online. With this knowledge and these tips, however, you can do what it takes to keep yourself and your finances protected.

Android Malware Steals Data from Social Media Apps

A newly discovered backdoor that has managed to infect over one thousand Android devices was designed to steal sensitive data from popular social media applications, Google reveals.

Dubbed Tizi, the malware comes with rooting capabilities and has been already used in a series of targeted attacks against victims in African countries such as Kenya, Nigeria, and Tanzania. Discovered by the Google Play Protect team in September 2017, the backdoor appears to have been in use since October 2015.

A fully featured backdoor, Tizi installs spyware that allows it to steal sensitive data from the targeted applications, Google says. The malware family attempts to exploit old vulnerabilities to gain root access on the infected Android devices, and its developer also uses a website and social media to lure users into installing more apps from Google Play and third-party websites.

To date, Google has identified over 1,300 devices affected by the malware. According to the company, newer Tizi variants include rooting capabilities that attempt to exploit a series of local vulnerabilities, including CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, and CVE-2015-1805.

Since most of these vulnerabilities target older chipsets, devices, and Android versions, users running a security patch level of April 2016 or later are far less exposed to Tizi's capabilities. If none of the exploits work, a Tizi app that fails to gain root will instead attempt to perform its actions through the high level of permissions it requests from the user.

Once it has gained root on the compromised device, the threat can proceed to stealing sensitive data from popular social media apps such as Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.

After infection, the malware usually contacts its command and control (C&C) by sending an SMS with the device's GPS coordinates to a specific number. Subsequent communication with the C&C, however, is performed over HTTPS, but some versions of the malware also use the MQTT messaging protocol to connect to a custom server.

“The backdoor contains various capabilities common to commercial spyware, such as recording calls from WhatsApp, Viber, and Skype; sending and receiving SMS messages; and accessing calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps,” Google says.

On top of that, however, the malware can also record ambient audio and take pictures without displaying the image on the device's screen.

To stay safe, users are advised to pay close attention to the permissions they grant to newly installed applications; to enable a secure lock screen, such as a PIN, pattern, or password; to keep their devices up to date at all times, given that the threat exploits old, known vulnerabilities; and to ensure Google Play Protect is enabled.

Serious MacOS Vulnerability Exposes the Root User

Apple has now released a fix for the bug described here. That fix is part of Security Update 2017-001, which is available from the Mac App Store, in the Updates tab, with the label “Install this update as soon as possible.” (Somewhat confusingly, there have already been previous Security Update 2017-001 releases, for unrelated issues, for Sierra, El Capitan and Yosemite.) This update should be installed as soon as possible, and does not require a restart.

It turns out that the issue in question works with any authentication dialog in High Sierra. For example, in any pane in System Preferences, click the padlock icon to unlock it and an authentication dialog will appear. Similarly, if you try to move a file into a folder you don’t have access to, you’ll be asked to authenticate:

Enter “root” as the username, and leave the password field blank. Try this a few times; it may work on the first try, but more likely you’ll have to try two or more times.

When the authentication window disappears, whatever action you were attempting will be done, without any password required.

Let’s take a step back for just a moment and consider what this means. On a Unix system, such as macOS, there is one user to rule them all. (One user to find them. One user to bring them all and in the darkness bind them. </end obligatory nerdy Lord of the Rings reference>)

That user is the “root” user. The root user is given the power to change anything on the system. There are some exceptions to that on recent versions of macOS, but even so, the root user is the single most powerful user with more control over the system than any other.

Being able to authenticate as the root user without a password is serious, but unfortunately, the problem gets worse. After this bug has been triggered, it turns out you can do anything as root on the first try, without a password.

The root user, which has no password by default, is normally disabled. While the root user is disabled, it should not be possible for anyone to log in as root. This is how macOS has worked since day one, and it has never been an issue before, but this vulnerability causes the root user to become enabled… with no password.

Unfortunately, this means that anyone will be able to log into your Mac using user “root” and no password!

Note that this does not require that the login window be set to always ask for a username and password. If you have it set to display a list of user icons instead, after triggering this vulnerability, there will be an “Other…” icon that will be present on the login screen. Clicking that will allow you to manually enter “root” with no password.

Remote access

This bug does not appear to be exploitable through some of the remote access services that can be enabled in the Sharing pane of System Preferences. Remote Login, which enables access via SSH, does not appear to be exploitable in our testing, nor does File Sharing. Even after triggering the bug and, thus, enabling the root user with no password, we were not able to connect to the vulnerable Mac through these methods.

Unfortunately, it looks like Screen Sharing, which allows you to view and remotely control the screen of your Mac, is vulnerable to this bug. In fact, it can actually be used to trigger this bug, without needing to rely on the root user already having been enabled!

In the screen sharing authentication window on a remote Mac, the same technique can be used. We were able to connect via screen sharing, using “root” as the username and no password, on the second attempt. At that point, the root user was enabled on the remote Mac, and we were able to log in to the root account via screen sharing without any blatant indication that we were doing so appearing on the screen shown to the logged in user on the target Mac. (An icon does appear in the menu bar on the target Mac, but it is not immediately obvious what that icon means. The average user will likely never notice the new icon.)

Unforeseen consequences

Once someone is logged into your Mac as root, they can do whatever they want, including accessing your files, installing spyware, you name it. So, in other words, if you were to leave your Mac unattended for 30 seconds, someone could backdoor it and have a very powerful way in later.

Suppose that you are Suzy, an average office worker in a cubicle farm. You step away from your desk for a moment to grab a cup of coffee. You’ll only be gone for about a minute, and don’t bother locking your screen. While you’re gone, Bob from the next cubicle comes over and “roots” your computer.

Later, you go to lunch. You’re gone for an hour, and Bob knows this because he’s familiar with your routine. He uses the root user to log into your Mac and install spyware—perhaps something to peep through the webcam, hoping to catch you in a compromising position later on when you’ve taken your MacBook Pro home with you.

Of course, all that’s even easier if you have screen sharing turned on, and he can install the spyware remotely, without ever touching your Mac.

Creeped out yet?

Fortunately, if you have your Mac’s hard drive encrypted with FileVault, this will prevent the attacker from having a persistent backdoor. In order to log in, the attacker would have to know the password that will unlock FileVault. Not even the all-powerful root user can access an encrypted FileVault drive without the password.

It’s also worth pointing out that a well-prepared attacker with access to your unlocked Mac could install spyware in less than a minute without relying on this vulnerability and without needing an admin password of any kind (depending on what the spyware does). Some spyware can be installed with normal user privileges.

Further, with a longer interval of unsupervised physical access to any Mac that doesn’t have FileVault turned on, an attacker can install spyware of any kind without needing an admin password.

Avoiding an attack using this vulnerability is actually fairly trivial. Just turn on FileVault, and always lock your Mac’s screen or log out when you’re away from it. While you’re at it, set a firmware password. And, to prevent remote access, turn off all services in System Preferences -> Sharing as a precaution.

Still, this is a very serious vulnerability, which Apple needs to address as quickly as possible. We contacted Apple for comment, but by the time of this writing, had not heard back.

Undoing the damage

If you, like many, have tried this out on your own Mac, you’ve opened up a potential backdoor. Fortunately, closing that door isn’t particularly hard, if you know the door is there and that it’s open.

First, open the Directory Utility application. It’s buried deep in the system where it’s hard to find, but there’s an easy way to open it. Just use Spotlight. Click the magnifying glass icon at the right side of the menu bar, or press command-space, to invoke Spotlight. Then start typing Directory Utility in the search window. Once the application is found, simply double-click it in the list to open it. (Or, even easier, press return once it’s selected in the search results.)

Once Directory Utility opens, click the lock icon in the bottom left corner of the window to unlock it. Then, pull down the Edit menu.

If you see an item reading Enable Root User, as shown in the screenshot above, you’re good. Whatever you did, the root user wasn’t enabled. Quit Directory Utility, and go about your business.

If, instead, you see an item reading Disable Root User, choose that. The root user will be disabled again, as it should be, and it will no longer be possible to log in as the root user from the login screen. Just be aware that this does nothing to protect against the vulnerability, so the root user could easily be enabled again.

Be sure to take the other measures described above to secure your system against unauthorized physical access. Namely, turn on FileVault, always lock your Mac’s screen or log out when you’re away from it, set a firmware password, and turn off all services in System Preferences -> Sharing.
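
A scriptable version of the Directory Utility check above, as an added example that is not part of the original article: it reads the root account record with dscl and reports whether root is enabled. It assumes a disabled root account shows "Password: *" and carries no AuthenticationAuthority attribute; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether the macOS root account is enabled.
# Assumption (not from the article): a disabled root account is recorded as
# "Password: *" with no AuthenticationAuthority attribute.

# Classify the text printed by
#   dscl . -read /Users/root Password AuthenticationAuthority
# read from stdin. Prints "enabled", "disabled" or "unknown".
root_state() {
    awk '
        /^Password:/ { seen_pw = 1; if (NF > 1 && $2 != "*") live_pw = 1 }
        /^AuthenticationAuthority:/ { has_auth = 1 }
        END {
            if (has_auth || live_pw) { print "enabled" }
            else if (seen_pw) { print "disabled" }
            else { print "unknown" }
        }'
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_DISABLED='Password: *
No such key: AuthenticationAuthority'
SAMPLE_ENABLED='Password: ********
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# Query the local directory service; "unknown" when dscl is unavailable
# (for example when this is run on something other than macOS).
live_root_state() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read /Users/root Password AuthenticationAuthority 2>&1 | root_state
    else
        echo "unknown"
    fi
}

# One-line verdict suitable for a fleet inventory or a login-time check.
report() {
    case "$1" in
        enabled)  echo "root is ENABLED: use Directory Utility > Edit > Disable Root User, then install Security Update 2017-001" ;;
        disabled) echo "root is disabled" ;;
        *)        echo "root state could not be determined" ;;
    esac
}

report "$(printf '%s\n' "$SAMPLE_DISABLED" | root_state)"
report "$(printf '%s\n' "$SAMPLE_ENABLED" | root_state)"
report "$(live_root_state)"
```

Because disabling the root user does not remove the vulnerability, a check like this is worth repeating until the security update is installed.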

Will the End of Net Neutrality Crush the Internet of Things?

The FCC announced its plans to do away with net neutrality rules. What effect will that have on IoT? It was hardly a surprise, but this week Federal Communications Commission Chairman Ajit Pai made it all but official: He announced a plan to scrap Obama-era net neutrality rules.

Since Republicans hold a 3-2 edge at the FCC, Pai’s plan is virtually certain to pass — despite lobbying efforts and court challenges from just about every internet constituency apart from big internet service providers (ISPs). "The Restoring Internet Freedom Order," as it’s cynically called, will very likely upend the current rules classifying internet service as a public utility and prohibiting carriers from slowing or blocking certain types of traffic.

Most of the commentary so far has centered on possible blockages of fast access to consumer services such as Netflix, or higher ISP prices to ensure unfettered access to popular online content. But the looming end of net neutrality is likely to have far more pervasive effects than a jittery picture when streaming old episodes of Breaking Bad.

The IoT thrived under net neutrality

One of the biggest questions, in fact, is what effect the sunset of net neutrality provisions will have on the Internet of Things (IoT). My initial analysis suggests that the effects could be significant, but will take time to shake out.

We’ve never really lived in a world with no net neutrality rules, so ISPs and enterprises will be feeling their way around the new landscape. But there are already concerns about how the end of net neutrality could affect the IoT.

Blocking and throttling internet traffic

First of all, if carriers can block, throttle, or delay traffic at their discretion, they could very easily decide to impede IoT traffic in a variety of ways, for a variety of reasons. Unless, perhaps, users paid a premium for fast, timely delivery of their IoT data or agreed to buy IoT devices only from the carrier or its approved partners. In areas where a carrier held a monopoly on internet access, it could pretty much dictate terms.

I haven’t yet heard of any plans to do such noxious things, but it’s hard to put anything past these companies. They’re some of the most disliked companies in America, and they’re under pressure to justify their huge network investments. What do you really expect them to do … let a potential gold mine just sit there?

Effects on enterprise users and small businesses

Attempts to leverage the new rules might not have to be so blatant, though. A carrier might simply tell a company like GE that if it wants guaranteed prompt delivery of the data from its industrial IoT devices, it will have to upgrade to a higher — read, more expensive — tier of service to ensure the required service levels.

Given the high stakes, a company the size of GE might be willing to go along. But smaller businesses — especially those upstart IoT startups with the cool new ideas — might not be able to afford to pay the freight for premium net access. So, the data from their IoT devices might not be delivered for analysis in a timely fashion … or at all. For enterprise IoT users, the initial effect is likely to be higher costs to ensure access and greater uncertainty about the best ways to connect IoT devices.

The IoT, like the net as a whole, runs on the free exchange of data. That freedom might not disappear immediately upon the death of net neutrality, but this week’s FCC actions certainly make it more likely to erode over time.

Hack-Proof Your Life: 5 Key Steps to Boost Your Safety Online

At this moment, someone wants your information. Hackers covet your email account, your home address and your Social Security number. They want to commandeer your webcam and break into your bank account. They are just waiting for you to slip up and give them a chance. Everywhere you look, malevolent coders are finding backdoors and vulnerabilities. There are simple ways to protect yourself. But where do you start? Follow these five steps to boost your safety online instantly.

1. Passwords

Relying on a weak password is asking to be hacked. Your passwords are either your first line of defense against hackers, or they’re an open window that lets them slip through. In cybersecurity, there is no middle ground.

How dangerous is it? A lowercase, six-character password takes a hacker around 10 minutes to figure out. Add four more characters, and you extend the time of that heist by 45,000 years.

Create a long, complex password that isn’t hard to remember. One trick is making your password a sentence – focus on positive sentences that are easy for you to remember and unique to you, such as “My son was born on Aug. 12.” On many sites, you can even use spaces!

Additionally, if one of the apps or websites you use is involved in a data breach, you’ll want to update your password for that account immediately. And don’t reuse passwords across different accounts!

2. Set Up Two-Factor Authentication

You’ve probably seen this before, even if you didn’t know what it was called. Two-factor authentication – a type of strong authentication – is a fancy name for adding another step to the login process. A login page may ask for your first car or your favorite food. The website might even send a text message with a special code to make sure you are who you claim to be or ask you to verify your identity with touch ID or a physical security key.

Two-factor authentication adds an important layer of protection to your account. For hackers, the coup de grace is setting up instant alerts when your account is accessed from an unfamiliar device or location. Usually, this is because you’re logging in to your email account from an internet café in London, or you’re checking your bank balance on a trusted friend’s phone. Other times, it’s a hacker who is trying to figure out your credentials. You will receive a notification by email or text message saying that there was a login from an unrecognized machine or someone asked to reset your password. The login will not be authorized or the password reset without having the special code included in the email or text.

If you do nothing else on this list, turn on two-factor authentication on Google, Facebook and other sites you use.

3. Delete Accounts You’ve Abandoned

You’ve probably encountered this before. Some spammy message shows up in your inbox, allegedly sent from your beloved Aunt Joan. Why does Aunt Joan want you to click on this strange-looking link? Why is she suddenly interested in giving you a limited-time discount on a Rolex watch? These messages are sure signs of a hacked account.

The rule of thumb is this: An old account contains more personal data than you realize, no matter how short-lived it is and no matter how long it’s been abandoned.

Have too many online accounts to remember them all? Click here for a site that provides you with the steps you need to close down the accounts you’re no longer using.

Research new apps and/or websites before using them to make sure others have had positive experiences from a security and privacy perspective. Sometimes, you may even want to delete accounts simply because you’ve lost trust in the company that’s storing your private information. The Federal Trade Commission’s identitytheft.gov shares steps to take if your information has been lost in a breach.

4. Check If Your Information Has Been Stolen

Now you’re on a mission to boost your security. But what about data that’s already been stolen? How do you find out whether an account has already been broken into?

At least one trusted site is dedicated to precisely that: HaveIBeenPwned sifts through your accounts in search of security breaches. Just run your email address and username through the search field, and it will tell you if your login information has been linked to any past breaches.

5. Encrypt All of Your Messages

“Encryption” used to be a word reserved for international superspies, but not anymore. What you’re looking for is “end-to-end encryption.” This method scrambles your messages so that they can’t be read if someone other than the intended recipient gets them. There are a variety of services you can use that provide end-to-end encryption; here’s the free one I recommend.