STE WILLIAMS

Android password managers vulnerable to phishing apps

Researchers have discovered that several leading Android-based password managers can be fooled into entering login credentials into fake phishing apps.

Password managers create, store, enter and autofill passwords for apps and websites. As well as letting users maintain scores of strong passwords, they also give some defence against phishing: their autofill features will enter a password only on the site it is associated with (and that site’s mobile app), not on a lookalike.

The Phishing Attacks on Modern Android study, from the University of Genoa and EURECOM, explores the difference between accessing a service through its mobile app and accessing it through its website in a desktop browser.

With desktop browsers, when a site is visited for the first time the password manager creates an association between its domain (verified by its digital certificate) and the credentials used to access it.

However, when somebody uses the website credentials to log in to an app, the process of verifying the app is more complicated and potentially less secure.

The main way password managers tell good apps from bad apps is by associating the website domain for that app with the app package name, a metadata ID checked using static or heuristically-generated associations.

The flaw is that package names can be spoofed: nothing vouches for them, so all the attacker has to do is ship a fake app that declares the genuine app’s package name and the password manager will trust it enough to offer the genuine credentials. The only practical obstacle is that Android won’t install a second app under a package name already present on the device, so the attack targets users who don’t have the real app installed.

The researchers found that several popular password managers were vulnerable to this kind of mapping weakness – LastPass, 1Password, Dashlane, and Keeper – with only Google Smart Lock (which isn’t primarily a password manager) able to resist.

Instant trouble

Even Google’s recently introduced Instant Apps – designed to be tried without the need for a download – could be abused by a phishing website to trigger a password manager autofill, the team discovered during testing.

This is particularly dangerous because it means it might be possible to execute a phishing attack without the need to install a fake app spoofing a package name (something Google Play doesn’t allow).

Write the researchers:

We believe this attack strategy significantly lowers the bar, with respect to all known phishing attacks on the web and mobile devices: to the best of our knowledge, this is the first attack that does not assume a malicious app already installed on the phone.

What can be done?

The problem is that the way password managers map legitimate domains to apps on Android is governed by three mechanisms – the Accessibility Service (a11y); the Autofill Framework (Android 8.0 Oreo onwards); or OpenYOLO, a separate Google-Dashlane collaboration.

The first of these, a11y, was designed to support users with disabilities and ended up being abused by malicious apps to read the screen and click through permission dialogs on the user’s behalf, which led Google to build the Autofill Framework, and Google and Dashlane to develop OpenYOLO. Unfortunately, all three mechanisms identify the requesting app by its package name, so all three are open to the same spoofing, which suggests fixing this problem won’t be easy.

The researchers’ solution is a new getVerifiedDomainNames() API that drops package names in favour of Digital Asset Links: the website publishes which apps (identified by package name plus the fingerprint of their signing certificate) may receive its credentials, and the API returns only the domains, subdomains included, that have verifiably vouched for the calling app.

The drawback is that websites would need to publish an assetlinks.json file (the Digital Asset Links statement) containing this data, something the researchers found barely 2% of more than 8,000 sample domains currently do.
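To make the difference concrete, here is an added example, not the researchers’ code and not any password manager’s, of the package-name-only mapping beside a Digital Asset Links check of the kind the getVerifiedDomainNames() proposal relies on. The assetlinks.json content, the package name, both certificate fingerprints and the fetch_assetlinks() stand-in are constructed for this example; a real verifier would fetch https://<domain>/.well-known/assetlinks.json over HTTPS and read the calling app’s signing certificate from PackageManager.

```python
import json

GET_LOGIN_CREDS = "delegate_permission/common.get_login_creds"

# Constructed stand-in for https://example.com/.well-known/assetlinks.json.
# Package name and fingerprint are placeholders invented for this example.
SAMPLE_ASSETLINKS = {
    "example.com": json.dumps([{
        "relation": [GET_LOGIN_CREDS],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.app",
            "sha256_cert_fingerprints": [
                "0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0:"
                "0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0"
            ],
        },
    }]),
    # "nopublish.example" deliberately has no file: the common (98%) case.
}

# The weak mapping the article describes, as a static domain -> package table.
STATIC_PACKAGE_MAP = {"example.com": "com.example.app",
                      "nopublish.example": "com.nopublish.app"}

# What a verifier learns from PackageManager about the app asking for a fill:
# the package name it declares and the SHA-256 of its signing certificate.
GENUINE_APP = {"package_name": "com.example.app",
               "cert_sha256": "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
                              "0f1e2d3c4b5a69788796a5b4c3d2e1f0"}
FAKE_APP = {"package_name": "com.example.app",          # same name, attacker's key
            "cert_sha256": "DE:AD:BE:EF:" * 7 + "DE:AD:BE:EF"}


def fetch_assetlinks(domain):
    """Stand-in for an HTTPS GET of /.well-known/assetlinks.json (no network here).
    A real fetcher must validate the TLS certificate and must not follow redirects
    to another host, otherwise the binding to the domain is lost."""
    return SAMPLE_ASSETLINKS.get(domain)


def normalise_fp(fp):
    return fp.replace(":", "").upper()


def package_only_match(domain, app):
    """Weak check: trusts the package name the app declares for itself."""
    return STATIC_PACKAGE_MAP.get(domain) == app["package_name"]


def dal_verified(domain, app):
    """Strong check: the website itself must publish a statement naming both the
    package and the signing-certificate fingerprint. Missing or malformed fails closed."""
    body = fetch_assetlinks(domain)
    if body is None:
        return False
    try:
        statements = json.loads(body)
    except ValueError:
        return False
    want = normalise_fp(app["cert_sha256"])
    for st in statements:
        if GET_LOGIN_CREDS not in st.get("relation", []):
            continue                       # statement grants something else
        tgt = st.get("target", {})
        if tgt.get("namespace") != "android_app":
            continue
        if tgt.get("package_name") != app["package_name"]:
            continue
        if want in {normalise_fp(f) for f in tgt.get("sha256_cert_fingerprints", [])}:
            return True
    return False


def may_autofill(domain, app):
    """Decision a password manager could take: fill only on a verified app; where the
    site publishes nothing, never fill silently, ask the user instead."""
    return "fill" if dal_verified(domain, app) else "ask-user"


if __name__ == "__main__":
    for name, app in (("genuine", GENUINE_APP), ("fake", FAKE_APP)):
        print(name, "package-only:", package_only_match("example.com", app),
              "DAL:", dal_verified("example.com", app),
              "->", may_autofill("example.com", app))
```

The fake app passes the package-name check because nothing stops it declaring com.example.app; it fails the DAL check because it cannot be signed with the publisher’s key. A domain that publishes no statement gets no silent fill, which is the fail-closed behaviour the 2% figure makes painful but is the right default.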

For now, this leaves password managers to fall back on their own defences. LastPass, for one, told Naked Security that it did not believe that the weakness had led to any of its customers being compromised:

Our app now requires explicit user approval before filling any unknown apps, and we’ve increased the integrity of our app associations database in order to minimise the risk of any fake apps being filled/accepted.

Naked Security believes that using a password manager is still one of the simplest and most effective computer security steps you can take, and closer integration with mobile apps makes using one easier.

You are much more likely to be burned by password reuse than by an autofill attack on a fake app. However, if you are concerned about this kind of attack, or similar attacks that exploit autofill features using hidden password fields, don’t abandon your password manager, just turn autofill off.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5efK4MJkwlw/

Big Facebook breach: 50 million accounts affected

Facebook has suffered a data breach affecting almost 50 million accounts. Access tokens for another 40 million accounts have been reset as a “precautionary step”.

What’s happened?

In a post on the site earlier today, Facebook’s VP of Product Management, Guy Rosen, said that the breach was discovered on Tuesday 25 September.

Attackers exploited a vulnerability in Facebook’s “View As” feature to steal access tokens, which are the “digital keys” that allow you to stay logged into Facebook so you don’t need to re-enter your password every time you use the app.

Rosen says the vulnerability is now fixed.

We have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year.

Those affected will now have to log back into Facebook, and any apps that use Facebook Login.

Facebook has also turned off the “View As” feature while it investigates. This function allows you to see what a particular friend, or people you aren’t friends with, can see on your profile, such as old profile photos or posts you might not have restricted access to.

It’s still early days but Facebook says it looks like the hole was opened when developers made a change to the video uploading feature way back in July 2017. The attackers then stole an access token for one account, and then used that account to pivot to others and steal more tokens.

Facebook says it doesn’t yet know if any accounts were misused or information was accessed.

What to do

If you’ve been logged out by Facebook then your account is one of the 90 million whose tokens were reset, though not necessarily one of the 50 million that were attacked. Rosen says there’s no need for anyone to change their passwords.

Whether you’re affected or not, as a cautionary measure you can choose to log out of all your Facebook sessions by going to Settings > Security and Login. On this page you can see a list of all the places you’re logged in. Scroll down the page until you see Log out of all sessions and click it.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/p_Hp7Q0tDmk/

Linux kernel ‘give me root, now’ security hole sighted, dubbed ‘Mutagen Astronomy’

A Linux kernel vulnerability that can only be exploited locally is nonetheless proving a bit of a nuisance.

It’s a classic local privilege escalation bug, tracked as CVE-2018-14634, and lets an intruder or logged-in rogue user obtain root-level control over the machine.

Eggheads at cloud security biz Qualys discovered the programming blunder, which stems from an integer overflow in the open-source kernel’s create_elf_tables() function. It’s not remotely exploitable, thank $deity, but on a vulnerable 64-bit system, a “local attacker can exploit this vulnerability via a SUID-root binary and obtain full root privileges,” Qualys warned this week.

Team Qualys continued by saying most Linux users will be unaffected – although Red Hat and CentOS folks should pay attention to the following:

Even though all Linux kernels are technically vulnerable, this issue is mitigated by a one-year-old patch that was backported to most long-term kernels and makes exploitation impossible.

Red Hat Enterprise Linux and CentOS hadn’t yet backported this patch leaving them both initially still vulnerable. Some versions of Debian 8 were also at risk at the time of the bug’s discovery. These various shortcomings have since been addressed.

Job done, the Qualys bods took time out to come up with a name for the vulnerability, which they subsequently dubbed “Mutagen Astronomy” – an anagram of “Too Many Arguments”. This references “Setec Astronomy” from the hacker film Sneakers, Qualys confirmed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/27/mutagen_astronomy_linux/

Health insurer Bupa fined £175k after staffer tried to sell customer data on dark web souk

International health insurance business Bupa has been fined £175,000 after a staffer tried to sell more than half a million customers’ personal information on the dark web.

The miscreant was able to access Bupa’s CRM system SWAN, which holds records on 1.5 million people, and to generate and send bulk data reports on 547,000 Bupa Global customers to his personal email account.

The information – which included names, dates of birth, email addresses, nationalities and administrative info on the policy, but not medical details – was then found for sale on AlphaBay Market before it was shut down last year. The ad read:

DB [database] full of 500k+ Medically insured persons info from a well-known international blue chip Medical Insurance Company. Data lists 122 countries with info per person consisting of Full name, Gender, DOB, Email Address plus Membership Details excluding CC Details.

The staffer was one of 20 users with unfettered access to search, view and download data from SWAN onto personal drives, and worked in the Partnership Advisory Team at Bupa Global’s Brighton office.

In June last year, an external partner spotted the data for sale on a site accessible via Tor and reported it to Bupa, which sacked the culprit and ’fessed up to the UK’s privacy watchdog.

After investigating, the Information Commissioner’s Office fined the insurance company £175,000 for systemic failures to protect personal data, which is a breach of data protection laws.

Bupa should have had a system that flagged up unusual activity like bulk data extraction, but it was defective.

According to the ICO’s report (PDF), because Bupa failed to routinely monitor the SWAN activity log it didn’t notice a defect that resulted in certain reports being logged incorrectly or not at all.

It also criticised the fact some staff could not only run and generate bulk data reports but also download or export them to separate applications, including file-sharing platforms and social media (yes, really).

In this case, the employee – who took the information between January and March 2017 – attached the data to emails in zip files and Excel files.
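Bupa’s real logging format is not public, so the following is an added example with constructed SWAN-style activity log lines and a constructed job table from the reporting engine, showing the two checks the ICO findings call for: a bulk-extraction alert keyed on exported row counts and egress channels, and a reconciliation that surfaces reports the activity log failed to record. The field names, thresholds and 24-hour window are assumptions for the example, not Bupa’s.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SWAN-style activity log lines for this example (not Bupa's format).
SAMPLE_LOG = """\
2017-01-09T09:02:11Z user=u017 action=report.generate report=R-1001 rows=120000
2017-01-09T09:05:40Z user=u017 action=report.export report=R-1001 rows=120000 dest=email
2017-01-09T10:15:03Z user=u003 action=report.generate report=R-1002 rows=40
2017-01-09T10:16:00Z user=u003 action=report.export report=R-1002 rows=40 dest=local
2017-02-14T16:41:27Z user=u017 action=report.export report=R-1004 rows=210000 dest=email
2017-03-02T08:30:00Z user=u017 action=report.generate report=R-1005 rows=217000
2017-03-02T08:33:10Z user=u017 action=report.export report=R-1005 rows=217000 dest=fileshare
"""

# Constructed job table from the reporting engine itself: the independent record
# the activity log is reconciled against. R-1003 and R-1004 never made it into the log.
REPORT_JOBS = {
    "R-1001": "u017", "R-1002": "u003", "R-1003": "u003",
    "R-1004": "u017", "R-1005": "u017",
}

EGRESS_DESTS = {"email", "fileshare", "social"}


def parse_line(line):
    ts, *fields = line.split()
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for f in fields:
        k, _, v = f.partition("=")
        ev[k] = int(v) if k == "rows" else v
    return ev


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def bulk_export_alerts(events, window=timedelta(hours=24), row_threshold=5000):
    """Flag a user whose exported rows inside a sliding window exceed the threshold,
    and separately every export to an egress channel. Returns {user: [reasons]}."""
    alerts = defaultdict(list)
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("action") != "report.export":
            continue
        per_user[ev["user"]].append(ev)
        if ev.get("dest") in EGRESS_DESTS:
            alerts[ev["user"]].append(f"egress:{ev['report']}->{ev['dest']}")
    for user, evs in per_user.items():
        start, total = 0, 0
        for ev in evs:
            total += ev["rows"]
            while evs[start]["ts"] < ev["ts"] - window:   # drop events outside the window
                total -= evs[start]["rows"]
                start += 1
            if total > row_threshold:
                alerts[user].append(f"bulk:{total} rows by {ev['ts'].isoformat()}")
    return dict(alerts)


def logging_gaps(events, report_jobs):
    """Jobs the engine ran that never produced a report.generate log entry, and
    exports referencing a report with no generate entry: the silent logging defect
    the ICO described, made visible by reconciling two independent records."""
    generated = {e["report"] for e in events if e.get("action") == "report.generate"}
    missing = sorted(j for j in report_jobs if j not in generated)
    orphan_exports = sorted({e["report"] for e in events
                             if e.get("action") == "report.export"
                             and e["report"] not in generated})
    return {"unlogged_jobs": missing, "exports_without_generate": orphan_exports}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(bulk_export_alerts(evs))
    print(logging_gaps(evs, REPORT_JOBS))
```

Two points of design: the egress alert fires on a single export because one 120,000-row report sent to a personal mailbox is already the incident, so no window or threshold should be needed for it; and the reconciliation is the only check that catches the defect the ICO found, because a monitor that reads solely from a log that drops entries will never see what it dropped.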

The ICO noted that the reason the staff had these abilities was in order to respond quickly to broker enquiries, which it said “illustrates the tension between customer satisfaction and information security”.

Bupa failed to undertake adequate risk assessment of the abilities granted to these users, or to the 1,351 others who could access customer data.

“That was a material organisational inadequacy, given the volume of personal data accessible through SWAN, the number of data subjects involved, the number of individuals with access to SWAN, and the ease with which they could access it,” the ICO said.

The watchdog also noted that the firm’s domestic CRM system, SWIFT, which contains 2.3 million records, doesn’t allow reports to be generated directly from the system by Intermediary Team members, and has a functioning system for recording accurate logs.

Bupa has until 29 October to pay up, and if it does so by 26 October the penalty will be reduced by 20 per cent. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/28/bupa_fine_dark_web/

Facebook: Up to 90 million addicts’ accounts slurped by hackers, no thanks to crappy code

Facebook confessed today that buggy code potentially exposed all of its users’ accounts to hackers over the past 14 months. It reckons miscreants snooped on at least 50 million people’s private profiles, and perhaps as many as 90 million.

In a security note posted Friday morning, the social media giant’s VP of product management Guy Rosen said the biz uncovered a security hole earlier this week that allowed scumbags to snatch tens of millions of people’s account access tokens. These tokens were used to log into the associated accounts without knowing their passwords, letting crooks download victims’ private information, photos, and videos.

In effect, any Facebook user account was wide open to being hacked, although the Silicon Valley goliath estimated that “only” 50 million accounts were, in the words of a spokesperson, “directly affected.” A further 40 million had their accounts “looked up.” It has patched the hole, and logged out 90 million users to invalidate their access tokens. Facebook staff said it appears no posts were made on users’ behalf by the hackers, and that no credit card information was taken. “We will update you as we know more,” a representative told us.

The security hole was in the “View As” option, where users can check how others see their profile, so that they can make sure their private stuff is private and public posts are visible. The biz’s engineers discovered that attackers had found a hole that allowed them “to steal Facebook access tokens which they could then use to take over people’s accounts.”

“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017,” the social network said in a statement.

Spiked

In a press conference held Friday morning in the valley, a Facebook representative went into greater detail. The hole was the result of three different bugs: the first caused a video upload feature to appear on certain posts when it shouldn’t have; the second caused that uploader to generate an access token; and the third, critically, caused the access token that was generated to be for the person that someone was looking up, rather than the actual user. That meant a third party was able to potentially directly access any user’s account.

Facebook spotted the hole after it noted a suspicious “spike” in user activity on Tuesday. The attack was “fairly large scale,” it admitted, and when it investigated the cause, it discovered hackers were using the site’s API to automate the process of grabbing users’ profile information.


Facebook said it went to law enforcement the next day, patched the hole soon after, and logged out all accounts that accessed the “View As” option since July 2017.

“We are constantly improving our security and this underscores the fact that there are constant attacks,” said CEO Mark Zuckerberg. “We need to keep focusing on this over time.”

This comes after a hacker in Taiwan threatened to live-stream over the internet on Sunday him hacking into Zuckerberg’s Facebook account. He U-turned, and canceled the web video spectacle within hours of today’s admission by Facebook.

Earlier this week, it emerged Facebook was using people’s cellphone numbers, provided for two-factor authentication, to target them with adverts, even though the numbers were only provided for security reasons rather than ads. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/28/facebook_crappy_code/

Hacky hack on whack ‘Hacky Hack Hack’ Mac chaps hack attack rap cut some slack

The Australian teen who last month admitted hacking into Apple’s internal network and stealing data from the Cupertino giant has been spared jail.

A magistrate judge in the Melbourne children’s court sentenced the young man – now an adult at 19 but who was 16 at the time he broke the law – to eight months probation with no conviction to his record. As he was a minor at the time, the lad’s name was not given.

“Your offending is serious, sustained and sophisticated,” the beak was quoted as saying. “You knew what you were doing was wrong.”


The Melbourne teen fessed up last month to a pair of criminal charges, admitting he hacked into Apple’s systems on multiple occasions back in 2015 and 2017.

Claiming he was only trying to get the attention of a company he idolized, the youth was said to have asked a friend in 2015 to help him tunnel into Apple’s network through a VPN service that he then used to sneak into and rifle through the iGiant’s systems multiple times. After the connection was cut off, he broke into Apple’s network again in 2017 to root around the company’s files.

In all, the kid managed to make off with around 90GB worth of Apple’s internal docs and code. No personal data was believed to have been included in the teenage fanboi’s takings.

After Apple discovered the intrusion, it reported the cyber-break-in to Melbourne police, who had no difficulty gathering evidence for their case, since our would-be Zero Cool decided to keep the pilfered iStuffs in a folder titled “Hacky Hack Hack,” on his computer, and hadn’t obfuscated his public IP address during his hacking spree. That IP address helped lead the cops to his door.

Hopefully the young man will learn a lot more about opsec when he begins studying criminology and cyber security courses at university in the coming months. No word on whether Apple will have a job offer waiting when he graduates, though anyone who can get into your network from the other side of the planet and lift 90GB worth of stuff is probably at least worth an interview. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/28/hackers_avoid_jail/

Google to Let Users Disable Automatic Login to Chrome

The decision comes days after a security researcher blasted the company for jeopardizing user privacy with a browser update.

This story was updated on September 28 to clarify that with Chrome 70 Google will, by default, still automatically sign in users to Chrome when they sign in to a Google account, but users will get the option to disable the link.

Google has reversed course on a controversial recent browser update it introduced with little notice that automatically logs users in to Chrome whenever they sign in to any Google web account.

Starting with the next release of Chrome — Version 70 — Google is adding a control that gives users the choice of linking web-based sign-in with browser-based sign-in. Instead of automatically logging users in to Chrome when they sign in to a Gmail or other Google account, Chrome will let users decide if they want to be automatically signed in to the browser or not.

“For users that disable this feature, signing into a Google website will not sign them into Chrome,” Chrome product manager Zach Koch announced in a blog post on September 26.

Importantly, though, the default setting in Chrome 70 will continue to be for users to get automatically signed in to Chrome when they log in to a Google account. What Google is making available with the next Chrome release is an option that lets users disable that setting, a Google spokeswoman clarified to Dark Reading Thursday. “Once the feature is disabled, it will stay disabled,” the spokeswoman said.

The decision essentially restores the status that existed before Chrome 69, where users had the choice of keeping their sign-in to Google accounts completely separate from their sign-in for Chrome. A Gmail user concerned about Google collecting their browsing data, for instance, could use Chrome in basic browser mode without being signed in to it.

Google’s change of heart comes days after security researcher Matthew Green from Johns Hopkins University had blasted the update in Chrome 69 as being sneaky and posing a substantial threat to user privacy. In a searing and widely quoted blog post, Green described the update as being unnecessary and deliberately putting users at risk of mistakenly allowing Google to collect their browsing data.

Google, meanwhile, described the update as harmless and providing a way to simplify the way Chrome handles logins. The company has maintained that when automatically signing users in to Chrome, it would only collect browsing data if a user explicitly consents to that collection.

Currently with Chrome 69, when a user signs into a Google account, his or her account picture or icon will appear in the Chrome user interface (UI). This enables the user to easily verify their sign-in status, according to Google. Signing out of Chrome will automatically log the user out of all their Google accounts.

In the Google blog post, Koch claimed that Google had introduced that update in response to feedback from users on shared devices who were confused about their sign-in state. “We think these UI changes help prevent users from inadvertently performing searches or navigating to websites that could be saved to a different user’s synced account,” he wrote.

Koch’s post made no reference to the concerns raised by Green and others over the recent update. He merely noted that Google had heard “feedback” and was making changes to Chrome 70 to give users back the control they had over Chrome logins.

Google is also updating its Chrome UIs so users can more easily understand if their browsing data is being synced — or collected. “We want to be clearer about your sign-in state and whether or not you’re syncing data to your Google Account,” Koch wrote.


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/endpoint/-google-to-let-users-disable-automatic-login-to-chrome/d/d-id/1332907?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How Data Security Improves When You Engage Employees in the Process

When it comes to protecting information, we can all do better. But encouraging a can-do attitude goes a long way toward discouraging users’ risky behaviors.

Even with best-in-class data breach protection and prevention technology, strong security and privacy practices start internally — with your employees. There are several ways to go about this, but based on my work in the field for over 10 years, the most effective ways to lower a company’s risk exposure begin and end with a positive approach. Here are three examples:

1. Give Employees a Reason to Care
Communicating security messages that are relatable and provide actionable steps employees can take to protect information and respond to threats is more effective than authoritative commands. Encouraging a can-do attitude also goes a long way. When employees aren’t afraid of being punished for mistakes, like accidentally clicking on a phishing link, they’re more likely to exhibit positive behaviors. You can reinforce these behaviors by reminding employees that information security is a team effort for the protection of the entire company.

Another way to engage employees is a rewards system for good behavior. These range from physical rewards (monetary or otherwise) to recognition (a lottery system or nomination process for recognizing your peers) and even gamification (a friendly competition that tracks performance on a leaderboard). Combining two of these concepts, Salesforce, a cloud computing company, piloted a security awareness gamification initiative focused on positive recognition rather than negative reinforcement. According to chief trust officer Patrick Heim, after 18 months, participants were 50% less likely to click on a phishing link and 82% more likely to report a phishing email.

2. Offer Choices, not Mandates
Reframe the conversation to focus on a partnership with employees, giving them multiple strategies for protecting information and responding to potential threats. By offering choices and getting their buy-in, you can make employees feel like part of the solution. For example, instead of saying, “You must adopt this security measure,” try saying “Here are four options we recommend, and you can choose the one you’re most comfortable using.” Employees learn in different ways, so it can be helpful to give them multiple ways to achieve the same goal of enhancing security with secure passwords, for example, and complying with company policies.

A great example of inclusive programming is anti-phishing training, which teaches employees to identify fraudulent attempts to obtain sensitive information electronically, often for malicious reasons, under the guise of a trustworthy source. In order for this training to be successful, employees must learn how to make choices when they receive potential phishing emails. Experiential training with real-world simulations — where employees build their knowledge base and ability to make choices in the moment, as it relates to them and their learning style — has proved to be effective. According to the research from Herman Miller Learning Pyramid, learning by doing yields a 75% knowledge retention rate compared with 5% relying on lectures.

Giving employees a choice of password management software to use to achieve company security may also foster an environment of partnership versus rigid control. There are several strategies for coming up with a strong and unique password, allowing users to memorize them in different ways. One way is to think of an everyday phrase that is easy to remember, such as “My favorite action movie is 2 Fast 2 Furious!” Then take the first character of each word, keeping the closing punctuation, which becomes “Mfami2F2F!”

3. It’s About Security, not Perfection
Historically, companies have used deterrent strategies or fear appeals to discourage risky behaviors. Today, it’s more effective to encourage positive behaviors by finding out what motivates employees and then communicating security messages that align with those motivations. At Family Insurance Solutions, for example, IT security administrator Jordan Schroeder noted in an interview that employees who were once his biggest concern are now his best partners in security because, in response to phishing and break-in attempts, he relies on positive feedback and messages of encouragement when they do the right thing. When they do the wrong thing, he shows them the correct behavior. Unlike Salesforce, there is no gamification, but the results are evident in employees’ behavior as they educate themselves and no longer hide what they did wrong for fear of reprisal.

When it comes to protecting information, we can all do better. But if employees fail, it’s important they feel encouraged to immediately report it and do the right thing. At the end of the day, perfection is not the goal — it’s lowering your organization’s risk exposure.


Robert E. Crossler, an assistant professor of information systems, joined the Department of Management, Information Systems and Entrepreneurship in the Carson College of Business at Washington State University in July 2016. He obtained his bachelor’s degree in information … View Full Bio

Article source: https://www.darkreading.com/cloud/how-data-security-improves-when-you-engage-employees-in-the-process/a/d-id/1332897?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook Hacked, 50 Million Users Affected

A vulnerability in Facebook’s “View As” feature let attackers steal security tokens linked to 50 million accounts, the company confirms.

Facebook today confirmed a major security breach affecting nearly 50 million people, whose accounts were compromised when a vulnerability let hackers steal security tokens linked to their profiles.

The flaw was in Facebook’s “View As” feature, which lets account holders see what their profile looks like to someone else – a friend, the public, etc. Attackers could exploit the bug to steal Facebook access tokens, which can be used to take over accounts. Tokens act as “digital keys” to keep people logged in so they don’t have to enter a password every time they use the app.

Facebook has fixed the vulnerability, alerted law enforcement to the breach, and temporarily disabled the “View As” feature while it investigates the problem.

While the investigation is still ongoing, Facebook has confirmed the attack stemmed from a change it made to a video uploading feature in July 2017, which affected the “View As” feature. Attackers needed to find the bug, use it to steal an access token, then pivot from their target account to other accounts in order to steal more of these tokens.

There is no need for anyone to change their passwords, says Guy Rosen, VP of product management, in a blog post on the disclosure. Facebook has also reset the security tokens for the 50 million affected accounts, as well as 40 million additional accounts which have been viewed using the “View As” feature within the past year.

In total, about 90 million of Facebook’s two billion users will have to log back into their accounts today, as well as any apps accessed via Facebook Login. When they do, they’ll see a notification at the top of their News Feed explaining what happened.

Rosen states if Facebook discovers more affected accounts, it will immediately reset access tokens. For anyone taking the precautionary step of logging out of Facebook, the site’s Security and Login section lets you see where you’re logged in and lets you log out of all devices at once.
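The three-bug chain described in the Register piece above, and the token reset described here, are easier to reason about with a small model in hand. The following is an added example, not Facebook’s code: HMAC-signed bearer tokens with a per-user version number, a render context that separates the logged-in user from the “View As” principal, the confusion in which the uploader mints a token for the viewed user, the hardened issuer, the pivot across accounts, and the version bump that is what a mass “token reset” amounts to without any password change. TokenService, RenderContext, upload_token_vulnerable, upload_token_fixed and pivot_chain are invented names for illustration; the secret is a demo value.

```python
import base64
import hashlib
import hmac
import time


class TokenService:
    """Minimal HMAC-signed bearer tokens with per-user versioning, so a mass reset
    invalidates existing tokens without touching passwords. Demo only: subjects
    must not contain '|', and a real system would use a proper token format."""

    def __init__(self, secret, ttl=3600):
        self.secret = secret
        self.ttl = ttl
        self.version = {}          # user -> current token version

    def _sign(self, payload):
        return hmac.new(self.secret, payload, hashlib.sha256).digest()

    def mint(self, subject, now=None):
        now = int(time.time()) if now is None else now
        ver = self.version.setdefault(subject, 1)
        payload = f"{subject}|{ver}|{now + self.ttl}".encode()
        return base64.urlsafe_b64encode(payload + self._sign(payload)).decode()

    def verify(self, token, now=None):
        """Subject the token speaks for, or None if forged, expired or reset."""
        now = int(time.time()) if now is None else now
        try:
            raw = base64.urlsafe_b64decode(token)
            if len(raw) <= 32:
                return None
            payload, sig = raw[:-32], raw[-32:]        # last 32 bytes: HMAC-SHA256
            subject, ver, exp = payload.decode().split("|")
            ver, exp = int(ver), int(exp)
        except ValueError:                             # bad base64, bad UTF-8, bad ints
            return None
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        if exp < now or ver != self.version.get(subject):
            return None
        return subject

    def reset_tokens(self, subject):
        """What a precautionary 'token reset' does: bump the version, old tokens die."""
        self.version[subject] = self.version.get(subject, 1) + 1


class RenderContext:
    """Who is really logged in versus whose view of the profile is being rendered."""
    def __init__(self, authenticated_user, view_as_user=None):
        self.authenticated_user = authenticated_user
        self.view_as_user = view_as_user      # set only inside 'View As'


def upload_token_vulnerable(svc, ctx):
    """Models the third bug: the uploader minted a token for the person being looked
    up instead of the person logged in (bug one let it appear in 'View As' at all)."""
    effective_user = ctx.view_as_user or ctx.authenticated_user
    return svc.mint(effective_user)


def upload_token_fixed(svc, ctx):
    """Hardened: no token issuance while rendering someone else's view, and the
    subject is always the authenticated principal, never a display-context user."""
    if ctx.view_as_user is not None:
        return None
    return svc.mint(ctx.authenticated_user)


def pivot_chain(svc, attacker, targets):
    """The pivot the write-ups describe: each stolen token's identity becomes the
    logged-in principal for the next 'View As' hop, yielding a token per target."""
    stolen = {}
    current = attacker
    for t in targets:
        tok = upload_token_vulnerable(svc, RenderContext(current, view_as_user=t))
        stolen[t] = tok
        current = svc.verify(tok)          # the attacker now 'is' t for the next hop
    return stolen


if __name__ == "__main__":
    svc = TokenService(b"demo-secret-not-for-production")
    loot = pivot_chain(svc, "attacker", ["victim", "friend-of-victim"])
    print({t: svc.verify(tok) for t, tok in loot.items()})
    svc.reset_tokens("victim")
    print("after reset:", svc.verify(loot["victim"]))
```

The fixed issuer does two independent things: it refuses to mint in a “View As” context at all (closing the path even if the uploader still appears there), and it never derives the subject from a display-context field. The reset shows why the advice was to log back in rather than change passwords: the tokens were the stolen secret, and bumping the version kills every outstanding one while the password is untouched.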

Facebook, still early in its analysis, says it does not know who might be behind this attack or where the actor(s) could be based. Today’s news has left some industry experts concerned about why the vulnerability wasn’t detected sooner.

“It’s surprising to me that as popular as Facebook is, no white hat hacker ever discovered and reported this flaw in the past, neither an external pen tester nor Facebook’s internal IT security team,” says Paul Bischoff, privacy advocate with Comparitech. “I would be interested to know how long this flaw existed before it was discovered and exploited.”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/facebook-hacked-50-million-users-affected/d/d-id/1332927?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Robocallers slapped with huge fines for using spoofed phone numbers

Wednesday was a busy day for the Federal Communications Commission (FCC) when it comes to putting some pecuniary hurt on marketing companies for illegally spoofing millions of calls.

One of the fines – a proposed one – was a first for the Commission, in that it’s the first major enforcement action against a company that apparently “commandeered consumers’ phone numbers,” the FCC said in its announcement.

The FCC is looking to penalize Affordable Enterprises of Arizona for more than $37.5 million for what it says are more than 2.3 million illegally spoofed robocalls that pretended to be from consumers’ phone numbers.

Affordable Enterprises was at it for 14 months, starting in 2016. Its shtick was to sic its robots on unsuspecting people in order to telemarket home improvement and remodeling services.

The calls were spoofed to look like they came from phone numbers that had nothing to do with the telemarketer. The calls also appeared to come from unassigned phone numbers and numbers assigned to pre-paid “burner” phones, the FCC said. The caller ID was spoofed in every one of the millions of calls, making it impossible to identify who was actually calling.

The FCC pointed to one poor soul whose phone number was hijacked in order to make those calls. The Arizona woman said she received more than five calls a day on her cell phone, all coming from irate people complaining about the telemarketing calls they got from “her” phone number. In fact, they were from Affordable Enterprises, records showed.

The FCC said:

Such calling tactics harm both the consumers receiving the deceptive calls and those whose numbers are essentially commandeered by the telemarketer.

The FCC notes that the Truth in Caller ID Act prohibits spoofing when it comes to “transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm or wrongly obtain anything of value.”

In other words, spoofing phone numbers isn’t always illegal. One of the legitimate, legal uses for spoofing is when a doctor calls a patient from her personal mobile phone and displays the office number rather than her personal phone number, or when a business displays its toll-free call-back number.

If consumers can’t see through the spoof ruse, how does the FCC? With a subpoena, that’s how.

The FCC got wind of Affordable Enterprises when it was tipped off by a whistleblower who used to work for the telemarketer. The Commission’s Enforcement Bureau used that tip to subpoena the company’s phone records and worked with the Federal Trade Commission (FTC) to review consumer complaints from individuals on the Do Not Call Registry.

The FCC says the company also went by the names Affordable Kitchens and Affordable Windows, using an unspecified telemarketing platform to connect sales reps to consumers to try to market home improvement services.

FCC fine for another robocaller

The Affordable Enterprises fine is a maybe, but Wednesday also brought one confirmed slap-down.

This fine was even stiffer than the proposed one: the FCC said that it’s fined health insurance robocaller Philip Roesel $82 million for illegally spoofed marketing calls. Roesel made more than 21 million robocalls over a three-month period from late 2016 through early 2017.

Big fine? Yes, but not the biggest. The FCC recently topped that by fining a Florida robocaller $120 million for the nearly 97 million spoofed calls his marketing companies made to sell vacations at resorts that, surprise surprise, turned out to be so not the Marriott, Expedia, Hilton and TripAdvisor vacations initially mentioned. That robocaller was Adrian Abramovich, whom Senator Edward J. Markey had dubbed the “robocaller kingpin”.

In April, the Senate Commerce, Science, and Transportation Committee subpoenaed Abramovich to explain exactly how easy it is to download automated phone-calling technology, spoof numbers to make it look like calls are coming from a local neighbor, and robo-drag millions of hapless consumers away from what should be their robot-free dinners.

His answer: pretty darn easy. He told senators:

There is available open source software, totally customizable to your needs, that can be misused by someone to make thousands of automated calls with the click of a button.

Besides all the fines, the FCC says it’s also passed rules to allow phone companies to proactively block calls that are likely to be fraudulent and has also “spurred significant progress” in establishing a reliable call authentication system to verify the caller ID information that appears on phones.

All-time high for spoofing

Such a system can’t come a minute too soon, given that the number of spoofed calls is skyrocketing. In April, such calls hit an estimated 3.4 billion: an all-time high, according to what robocall blocking service YouMail told the New York Times.

These are particularly dangerous times when it comes to so-called neighbor spoofing: that’s when robocallers display a phone number similar to your own on your caller ID, to increase the likelihood that you’ll pick up.

Neal O’Farrell, executive director of the Identity Theft Council, says that neighbor spoofing isn’t just annoying – often, such calls are a means to identity theft: a lot of crooks figure that if they can get a live victim on the line, they’re halfway there.

When it comes to deterrence, the fines are a start, but they’re not the entire solution, given that many robocalls are originating from outside of the US. Third-party apps such as Nomorobo are another tool in the arsenal, but they don’t catch all the spoofed calls.
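To make the neighbor-spoofing pattern concrete, here is a small Python triage routine added for this page (example code, not code from Nomorobo, YouMail, the FCC or any carrier). It parses North American (NANP) numbers and labels each incoming caller ID relative to the subscriber: a caller ID that equals the subscriber’s own number is always spoofed (the Arizona case above), and a caller ID that shares the subscriber’s area code and exchange but is not a known contact matches the neighbor-spoofing pattern. The label names, the 602-555 subscriber, the contact list and the call log are all constructed for the example. It also illustrates the limit the paragraph above describes: a heuristic like this only catches spoofs that follow the pattern, so a caller ID borrowed from an unrelated real number in another exchange is labelled “other”.

```python
"""Heuristic caller-ID triage for neighbor spoofing and own-number spoofing.

Constructed example: parses North American (NANP) numbers, then flags calls
whose caller ID shares the subscriber's area code and exchange (the
"neighbor spoofing" pattern) or equals the subscriber's own number.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# NANP rule: area code (NPA) and exchange (NXX) both start with 2-9.
# An optional leading "+1" or "1" country code is accepted and dropped.
_NANP = re.compile(r"^(?:\+?1)?([2-9]\d{2})([2-9]\d{2})(\d{4})$")


@dataclass(frozen=True)
class Number:
    npa: str   # area code
    nxx: str   # exchange
    line: str  # subscriber line

    @property
    def digits(self) -> str:
        return self.npa + self.nxx + self.line


def parse_nanp(raw: str) -> Optional[Number]:
    """Normalise '+1 (602) 555-0142' style input to NPA/NXX/line; None if not NANP."""
    cleaned = re.sub(r"[\s().-]", "", raw)
    m = _NANP.match(cleaned)
    if not m:
        return None
    return Number(*m.groups())


def classify(subscriber: str, caller_id: str, contacts: Iterable[str] = ()) -> str:
    """Return a label for one incoming caller ID relative to the subscriber.

    Label names are this example's own (an assumption, not any app's vocabulary):
      invalid     - caller ID is not a well-formed NANP number
      own_number  - caller ID equals the subscriber's own number: always spoofed
      contact     - caller ID matches a known contact
      neighbor    - same area code and exchange as the subscriber, not a contact
      other       - no heuristic fired (a spoof from another exchange lands here)
    """
    me = parse_nanp(subscriber)
    if me is None:
        raise ValueError(f"subscriber number is not a NANP number: {subscriber!r}")
    caller = parse_nanp(caller_id)
    if caller is None:
        return "invalid"
    known = {n.digits for n in map(parse_nanp, contacts) if n is not None}
    if caller.digits == me.digits:
        return "own_number"
    if caller.digits in known:
        return "contact"
    if caller.npa == me.npa and caller.nxx == me.nxx:
        return "neighbor"
    return "other"


def triage(subscriber: str, call_log: Iterable[str],
           contacts: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Label every caller ID in a call log; returns (caller_id, label) pairs."""
    contacts = list(contacts)
    return [(cid, classify(subscriber, cid, contacts)) for cid in call_log]


# Constructed sample: a subscriber in area code 602, exchange 555.
SUBSCRIBER = "+1 602-555-0142"
CONTACTS = ["602-555-0199", "(480) 555-0100"]
SAMPLE_LOG = [
    "602-555-0177",     # same NPA-NXX, not a contact: neighbor-spoof pattern
    "+1 602 555 0142",  # the subscriber's own number on caller ID
    "602-555-0199",     # known contact
    "415-555-0123",     # different area code: heuristic cannot tell
    "123-456-7890",     # area code starting with 1 is not valid NANP
]

if __name__ == "__main__":
    for cid, label in triage(SUBSCRIBER, SAMPLE_LOG, CONTACTS):
        print(f"{cid:>18}  {label}")
```

The “own_number” check is the one rule with no false positives, since a phone never legitimately calls itself; the “neighbor” rule is a prior, not proof, which is why a contact list is consulted first.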

As spoofing and telemarketing technologies evolve and advance, we all have to stay vigilant.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9TmjTyDs5uU/