This newsletter is distributed to everyone on our mailing list and provides links and insights regarding techno-crimes, investigations, security, and privacy.
Contents in this issue:
- Voice Deepfakes Are Coming for Your Bank Balance
- It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy
- How car theft went high-tech
- The hidden trackers in your phone, explained
- X plans to collect users’ biometric data, along with education and job history
- The Secret Weapon Hackers Can Use to Dox Nearly Anyone in America for $15
- Ransomware ecosystem targeting individuals, small firms remains robust
- Lawsuits Against Google And Meta Allege Websites Are Spying On Taxpayers
- Fraudsters can bypass biometric facial recognition
- Bots are better at beating ‘are you a robot?’ tests than humans are
- Scheduled Speaking Engagements
Voice Deepfakes Are Coming for Your Bank Balance
(Aug. 30, 2023)
As I have demonstrated in several presentations, techno-criminals’ capabilities to use voice cloning have become much more sophisticated and widespread.
From the linked New York Times article:
“This spring, Clive Kabatznik, an investor in Florida, called his local Bank of America representative to discuss a big money transfer he was planning to make. Then he called again.
Except the second phone call wasn’t from Mr. Kabatznik. Rather, a software program had artificially generated his voice and tried to trick the banker into moving the money elsewhere.”
I follow many news and research sources about A.I. platforms and services, and new ones appear with increased capabilities every day.
It’s a serious problem because we don’t have the technology to detect deepfake audio in real time.
In another case, an attacker used a deepfake to break into an I.T. company:
“The caller claimed to be one of the members of the I.T. team, and deepfaked our employee’s actual voice,” Retool said in the report. “The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company. Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication (MFA) code.”We also don’t have laws or regulations in place to control how this technology is being used.”
We also need laws or regulations to address dealing with this technology. Still, with the current political dysfunction that exists today in the United States, I have little hope for helpful solutions any time soon.
From an earlier New York Times article:
“What’s different is that everybody can do it now,” said Britt Paris, an assistant professor of library and information science at Rutgers University who helped coin the term “cheapfakes.” “It’s not just people with sophisticated computational technology and fairly sophisticated computational know-how. Instead, it’s a free app.”
“We cannot wait for two years until laws are passed,” said Ravit Dotan, a postdoctoral researcher who runs the Collaborative A.I. Responsibility Lab at the University of Pittsburgh. “By then, the damage could be too much. We have an election coming up here in the U.S. It’s going to be an issue.”
You should contact your bank or investment brokerage to ask whether they require that a caller know a PIN or passphrase before any electronic funds transfers or password changes can be made to your financial accounts.
A.I. technology is growing too fast for anyone or any organization to keep up with. Take a few minutes to do what you can to protect your most critical accounts from this type of A.I. voice fraud.
It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy
(Sep. 6, 2023)
The enhanced capabilities of modern cars that provide some self-driving features, more entertainment options, and even safety communications capabilities are more advanced than ever.
But you may need to learn about the amount of data collected about anyone who uses your car, including passengers.
The Mozilla Foundation keeps track of the various privacy policies and how the car companies use the information they collect.
The results aren’t encouraging.
“We reviewed 25 car brands in our research and we handed out 25 “dings” for how those companies collect and use data and personal information. That’s right: every car brand we looked at collects more personal data than necessary and uses that information for a reason other than to operate your vehicle and manage their relationship with you.”
“It’s bad enough for the behemoth corporations that own the car brands to have all that personal information in their possession, to use for their own research, marketing, or the ultra-vague “business purposes.” But then, most (84%) of the car brands we researched say they can share your personal data — with service providers, data brokers, and other businesses we know little or nothing about. Worse, nineteen (76%) say they can sell your personal data.
A surprising number (56%) also say they can share your information with the government or law enforcement in response to a “request.” Not a high bar court order, but something as easy as an “informal request.”
In a different report, the Mozilla Foundation said:
“When car companies aren’t busy sharing or selling your data, they’re often not protecting it as well as they should. We couldn’t confirm if any of the car brands we researched meet our Minimum Security Standards.”
It’s a disgrace that car companies are increasing the data they collect about users while not doing much to ensure the security or privacy of that data.
This is another example of why we need a comprehensive personal privacy law in the United States.
How car theft went high-tech
(Aug. 15, 2023)
Your car may be the one item that contains the most technology that you own and use, but few treat the security of a car in the same way they might protect a computer.
“These days, cars are computer centers on wheels. Today’s vehicles can contain over 100 computers and millions of lines of software code. These computers are all networked together and can operate all aspects of your vehicle.”
“The computers in a vehicle can be divided into four categories. Many computers are dedicated to operating the vehicle’s drive train, including controlling the fuel, battery or both, monitoring emissions and operating cruise control.”
“One difference between the network in your car and a typical computer network is that all devices in the car trust each other. Therefore, if an attacker can access one computer, they can easily access other computers in the car.”
“One method of stealing cars involves using two devices to build an electronic bridge between your fob and your car. One person goes near the car and uses a device to trick the car into sending a digital code used to verify the owner’s fob. The thief’s device sends that signal to an accomplice standing near the owner’s home, which transmits a copy of the car’s signal. When the owner’s fob replies, the device near the house sends the fob signal to the device near the car, and the car opens.”
“The network used by all computers in a car to communicate is called a controller area network bus. It’s designed to allow the computers in a car to send commands and information to each other. The CAN bus was not designed for security, because all of the devices are assumed to be self-contained. But that presumption leaves the CAN bus vulnerable to hackers.”
“Car thieves often try to hack into the CAN bus and from there the computers that control the car’s engine. The engine control unit stores a copy of the wireless key code, and thieves can clone this to a blank key fob to use to start the victim’s car. One method is accessing a car’s onboard diagnostics through a physical port or wireless connection meant for repair technicians. Thieves who access the onboard diagnostics gain access to the CAN bus.”
I could write another entire post about how a car can be hacked; some can be much more dangerous than just stealing a vehicle.
Many vehicle recalls today aren’t because of a mechanical defect…it’s to update the car’s software after a vulnerability has been discovered and fixed.
If you receive a recall notice, pay attention to it to ensure your safety while possibly reducing the theft risk.
The hidden trackers in your phone, explained
(Jul. 8, 2020)
How do the apps on your mobile devices track you?
From the linked article from Vox.com:
“But there was another story there that most of us can’t see: how trackers hidden in smartphone apps are the source of incredible amounts of specific data about us, much of which gets sent to companies you’ve never heard of. This has been happening for years and is essential to the mobile app economy. But it took the COVID-19 pandemic to bring some of these companies and their capabilities to the forefront.
Your phone is the ideal tool for advertisers and data brokers, both as a means of collecting your information and serving you ads based on it. This is usually done through software development kits, or SDKs, which these companies provide to app developers for free in exchange for the information they can collect from them, or a cut of the ads they can sell through them. When you turn on location services for a weather app so it can give you a localized forecast, you may be sending your location data back to someone else.
A recent Wall Street Journal article revealed that location data was not just being sold to marketers or data brokers but also to law enforcement, where it was used to help catch undocumented immigrants. More recently, a data company called Mobilewalla boasted of its ability to track protesters’ cellphones, and despite such data supposedly being anonymized, the company claimed it could identify protesters’ age, gender, and race.”
This article was published in 2020 when much of the tracking technology was being developed for COVID-19 tracing and to enforce social distancing policies attempting to slow the spread of the virus.
Do you think these companies’ businesses have slowed or grown since then?
I suspect the latter.
X plans to collect users’ biometric data, along with education and job history
(Aug. 31, 2023)
Originally reported by Bloomberg, someone notified me that X (formerly known as Twitter) had changed its privacy policies to allow the company to collect users’ biometric data, along with their education and job history.
I quickly verified this by accessing the new policy, which will go into effect on September 29, 2023. You can read it for yourself at https://twitter.com/en/privacy#x-privacy-1.
Over the years, I’ve received great information from people I’ve followed, and I may have even interacted with you on the X formerly known as Twitter platform.
Unfortunately, as with other social media platforms such as those operated by Meta, these platforms continue to push the envelope to expand the intrusiveness of the data they wish to collect past the point where it’s acceptable for me.
Just as I did with Facebook (before it changed names), I’ll delete my account before the new policy takes effect.
Thank you for the information you’ve provided for those of you whom I’ve followed for all these years on Twitter. I wish you continued success.
For any of you linked to me on Twitter, please reach out and connect on LinkedIn, as this will now be the only social network where I’ll have a presence after September 29th.
I wish the best of luck to those who choose to remain on the X platform, but understand that the current owner doesn’t care about your privacy.
I guess that the old cliché that “nothing good lasts forever” has proven true.
The Secret Weapon Hackers Can Use to Dox Nearly Anyone in America for $15
(Aug. 22, 2023)
If you’re an American adult, you almost certainly have a credit report that contains sensitive personal and financial information.
However, accessing this data has become easier for hackers and other criminals.
From the linked article:
“Most Americans have very little choice but to provide their personal information to credit bureaus. Hackers have found a way into that data supply chain, and are advertising access in group chats used by violent criminals who rob, assault, and shoot targets.”
“On the messaging app Telegram, I entered a tiny amount of information about my target into the dark blue text box—their name and the state I believed they lived in—and pressed enter. A short while later, the bot spat out a file containing every address that person had ever lived at in the U.S., all the way back to their college dorm more than a decade earlier. The file included the names and birth years of their relatives. It listed the target’s mobile phone numbers and provider, as well as personal email addresses. Finally, the file contained information from their drivers’ license, including its unique identification number. All of that data cost $15 in Bitcoin. The bot sometimes offers the Social Security number too for $20.”
“The communities where this tool is advertised include chat rooms focused on swatting, where criminals place bogus calls that result in a heavily armed police response to a specific location; SIM swapping, in which hackers take over a victim’s phone number to then receive login codes and break into their online accounts; and physical violence, where criminals hire one another to rob, shoot, or assault their enemies and vandalize the target’s home. Overall, the tool offers exceptional power and requires little to no technical sophistication to obtain a victim’s sensitive data. Worse yet, it is exceedingly difficult for a user to opt out, and this data may be available even for people who have otherwise been careful with distributing their personal information, and who have taken steps to have their details scrubbed from other data brokers.”
“Senator Ron Wyden told 404 Media in a statement that “These companies have demonstrated that they can’t control who has access to their data products. The government needs to stop these companies from packaging and selling our personal information, and the senior executives that put profit over national security and Americans’ safety should be punished accordingly.”
“It is now clear that data brokers pose both a threat to U.S. national security and to Americans’ safety and privacy,” Senator Wyden’s statement added. “These unaccountable companies have recklessly sold Americans’ information to agents working for foreign governments and have enabled hackers to access and sell Americans’ personal information to anyone with a credit card.”
Senator Wyden has a commendable history supporting personal privacy, but unfortunately, I don’t think most of his compatriots in the Senate or House of Representatives share his concerns.
The lack of privacy protection for United States citizens is deplorable. I agree that this problem should be treated as “both a threat to U.S. national security and to Americans’ safety and privacy.”
Is it too much to ask that other legislators (both state and federal) take responsibility to protect our data?
Ransomware ecosystem targeting individuals, small firms remains robust
(Aug. 24, 2023)
Most reports about ransomware attacks focus on the victims who are large companies or government agencies.
But don’t think that individuals and smaller companies aren’t also at risk.
Many sources that I read confirm this, but the linked article from The Record provides a good summary of what is happening:
“Ransomware attacks on major companies and large government organizations have dominated the headlines in 2023, but researchers from several companies are warning that smaller-scale attacks on individuals and small businesses are causing significant harm and damage too.
Rakesh Krishnan, senior threat analyst at Netenrich, said it is common for ransomware gangs to eschew larger targets in favor of victims they know will not have the technical know-how to deal with an incident.
In a report last month, Chainalysis noted this trend, highlighting that while media attention and focus is on the gangs demanding millions from large companies, there was also a significant growth in activity from groups like Dharma, Phobos and Stop/Djvu that demanded ransoms under $1,700.”
Everyone needs a plan in place should they ever become victimized by ransomware.
At the very least, have a complete backup of your data, including your apps, and test restoring data from your backup periodically to ensure it works.
For sensitive data, such as financial and medical records, consider using encryption to protect the data, even if it is stolen.
Think about the volume of data you have in these backups. With cheap data storage, people and organizations are keeping much more data than ever.
The problem with this is that if you ever need to restore a complete backup of everything, the volume of data could take weeks or even months, and what will you do in the meantime?
Years ago, we would review the data to save storage and delete what was no longer needed. This could help restore your system from backups much faster, saving time and money.
If you don’t have a ransomware response plan in place, now is the time to decide whether you want to take the risk that it won’t happen to you…
Lawsuits Against Google and Meta Allege Websites Are Spying on Taxpayers
(Aug. 23, 2023)
Would you share your tax return information with Google or Meta (Facebook)?
I think a lot of you would say, “Absolutely not,” but because of how surveillance capitalism allows companies to share your data, that appears to be what is happening:
“Users of tax prep websites in seven states have filed a class action lawsuit against Google, claiming the company engaged in wiretapping. According to court documents, the company’s actions allegedly resulted in the involuntary transmission of sensitive personal information including income, refund amounts, filing status, and scholarship information.
According to the complaint, tax preparation companies like H&R Block, TaxAct, and TaxSlayer sent private tax return information to Google using Google Analytics technology. The plaintiffs allege that data may include email addresses, data on users’ income, filing status, refund amounts, buttons clicked, and year of return, and was used by Google to improve its ad business and enhance its other business tools.”
Once again, this is another example showing why there needs to be a comprehensive privacy law in the United States and why practices like those described in this article shouldn’t be legal.
The tax preparation companies will say that these practices are allowed by their privacy policies that all customers agree to when they sign up for the service.
I think the days of allowing companies to effectively “hide” this type of behavior in privacy policies is also something that should no longer be allowed.
This is not being transparent with customers because most of these privacy policies are too long, using legal language that many people don’t understand, and the companies rely on the knowledge that the documents will never be read.
Be simple, tell customers and clients up front how their data will be used, and don’t try to hide this type of behavior.
Fraudsters can bypass biometric facial recognition
(Aug. 25, 2023)
I’ve written before about how facial recognition has become more controversial and how artificial intelligence can now create deepfakes that can fool facial recognition for authenticating identity.
But as this technology advances, we’re seeing an increase in how the technology can be bypassed, which will only continue to grow.
From the linked article:
“Biometrics is gaining momentum, as many organizations are implementing it for faster and smoother authentication processes. However, Stuart Wells, a CTO at biometrics authentication company Jumio, highlights potential threats and methods that fraudsters might use to bypass facial recognition.
Europol has forecasted that by 2026, up to 90 percent of online content might be artificially generated, posing a growing challenge for organizations to accurately determine the true identities of the users in question.”
We are fast approaching a time when you won’t be able to take anything you see or hear at face value.
The techno-criminals will continue to evolve with the technology, and so should you.
Bots are better at beating ‘are you a robot?’ tests than humans are
(Aug. 8, 2023)
Do you get frustrated with the various types of CAPTCHA or RECAPTCHA systems that are out there to “verify” that you’re a human and not a “bot” before granting you access to a website?
I understand why many websites try to keep bots from scraping the data, but honestly, many of these systems are so dysfunctional that I want to give up and leave.
Many images are so grainy and of poor quality that I don’t understand how the website operator can even expect a user to get the choice right.
Or it could be just my eyesight.
However, this technology may soon become obsolete because the bots are getting better at defeating it:
“Bots are better and faster than humans at online CAPTCHA tests designed to keep them out of websites. The finding calls into question whether we should continue using these kind of security measures, given how much frustration they can cause for people.”
It will be interesting to see what new solutions the websites will develop next.
Scheduled Speaking Engagements
I’ll be giving a 4-hour workshop on October 13th for the Central Indiana Chapter of the ACFE in Indianapolis, Indiana. Topics will include A.I., deep fakes, data poisoning, darknets, and how suspects can use technology to hide from you. For more information, go to https://www.acfeindy.com/.
The Techno-Crime Newsletter is a free monthly newsletter providing information and opinions about techno-crimes, cybersecurity tools and techniques, privacy, and operational security for investigators. To subscribe or to read past issues, see The Techno-Crime Newsletter Archive web page.
Please feel free to forward this newsletter to anyone who will find the information interesting or useful. You also have our permission to reprint The Techno-Crime Newsletter, as long the entire newsletter is reprinted.
Walt Manning is an investigations futurist who researches how technology is transforming crime and how governments, legal systems, law enforcement, and investigations will need to evolve to meet these new challenges. Walt started his career in law enforcement with the Dallas Police Department and then went on to manage e-discovery and digital forensics services for major criminal and civil litigation matters worldwide. He is the author of the thought-provoking book Techno-Crimes and the Evolution of Investigations, where he explains why technology will force investigations to evolve. Walt is an internationally recognized speaker and author known for his ability to identify current and impending threats from technology and advise his clients and audiences about ways to minimize their risk. In addition to many published articles, he has been interviewed and widely quoted in the media as an expert on topics related to technology crime and investigations.
Copyright © 2023 by The Techno-Crime Institute Ltd.