Your Face – The Truth About Biometric Data Theft

It all started with a smile. Byron’s new fitness app promised to tell him his new “biological age” but required a selfie to validate his account. So guess what he did? Snapped it for the app and went about his day. Although he didn’t quite agree with their age calculation later that night, he totally brushed it off and slathered on more skin care product.

A few weeks later, he saw a delivery app charge him for food several states away. Then his bank app asked him to confirm a new device. The kicker was when his pharmacy required him to update his new insurance card before picking up a prescription. He didn’t even have a prescription to pick up. “I better change my passwords,” he told his wife. That didn’t work. Stranger things kept happening. And she kept asking him about it. Annoying.

Even though he was proactive about updating his accounts, the problem was that he couldn’t change his face (well, technically he could have but extreme plastic surgery wasn’t in his five-year plan).

Hackers know you can’t just change the features that make you uniquely you. That data is one-of-a-kind and as permanent as it gets … which is why it is so powerful for authentication and totally devastating when compromised.

Remember that fun little fitness app that quietly stored his facial data? Well, their security wasn’t so great. They got hacked. Unlike that password you can’t quite remember, you can’t swap out your face or your fingerprints for new ones. So, what can you do?

– Make multi-factor authentication your new best friend. It might add an extra 15 seconds to your day, but your bank account’s balance is worth it in the long run.

– When your device tells you, “Software Update Available: Install Now?” don’t blink!

– Don’t automatically opt in. Get your readers out and check the fine print before handing over your face, fingerprints or your eyeballs to an app.

Guard Well Identity Theft Solutions exists to protect you, your family and your employees from the damages of identity theft. If you have any questions or concerns, please contact our Member Services team immediately. We are always available for you 24/7/365 at 888.966.4827 (GUARD).

Twitter Data Breach Alert

Just recently our security teams have found that Twitter, a popular social media service, has been breached. At least 5.4 million accounts have been compromised. The breach origin date is July 2022, and the data exposed includes name, phone number, email address and account holder user IDs.

Twitter acknowledged publicly that they received a report through their bug bounty program of a vulnerability in Twitter’s systems in January 2022. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email address or phone number was associated with, if any. Twitter then explained that the bug resulted from an update to their code in June 2021. When Twitter learned about this, they immediately investigated and fixed it. Twitter announced that at that time, they had no evidence to suggest someone had taken advantage of the vulnerability. Twitter has said that it would directly notify every account owner it could confirm was affected by the exposure. In the meantime, we strongly suggest adding two-factor authentication to your account.

Guard Well Identity Theft Solutions exists to protect you, your family, and your employees from the damages of identity theft. It has been a pleasure protecting America’s workforce for the last decade. We look forward to many years and much more growth to come.

Be vigilant. Be strong. Stay in the know. If you have any questions or concerns, please contact our Member Services immediately. We are always available for you 24/7/365 at 888.966.4827 (GUARD).

Photo courtesy of Bermix Studios via unsplash.com.

Two-factor Authentication Phishing Scam

Have you tried to log into an account of yours, such as your insurance or financial institution, and been told to confirm your identity in order to keep your credentials safe? You then receive a code either via text or email which is required for you to enter. Also known as 2FA, this SMS multi-step process has been the trusted security step to protect your accounts … until recently.

Unfortunately, there is an automated phishing attack on 2FA that uses two tools: Muraena and NecroBrowser. As reported by Fortune, “The two tools work together like the perfect crime duo. Think of Muraena as the clever bank robber and NecroBrowser as the getaway driver.”

The attack was first demonstrated at the Hack in the Box Security Conference in Amsterdam last month. A video of the presentation was posted on YouTube on June 2nd, bringing renewed attention to how hackers are getting better at penetrating extra layers of security, despite people using stronger tools like 2FA.

So, what do you do? Do you still want to utilize SMS-based 2FA for your accounts? For the most part, the answer is yes.

Think of it like this. Say you want to put a lock on your front door to protect your home. Security professionals are arguing that the best type of lock available is way better than cheaper locks. Sure, makes sense. But if that more expensive lock isn’t available to you, isn’t having a cheaper lock still better than not having a lock at all?

As discussed on How-to-Geek’s website, there are some people who are more likely than others to be targeted by sophisticated hackers and should avoid using this SMS-based 2FA. For example, if you’re a politician, journalist, celebrity, or business leader, you could be targeted. Also, if you’re a person with access to sensitive corporate data, such as a system administrator, or just very wealthy, SMS may be too risky.

But, if you’re the average person with a Gmail or Facebook account and no one has a reason to spend a bunch of time getting access to your accounts, SMS authentication is fine and you should absolutely use it rather than using nothing at all.

If you suspect that your login credentials have been compromised, change your passwords as quickly as possible and report the website to the FTC and/or your identity theft resolution provider.

Sources:

https://conference.hitb.org/

https://Howtogeek.com/