If your smartphone gets stolen, the damage may extend further than the loss of the device itself; a thief can cause much more harm with your banking apps, important documents, and personal photos and videos. If you shore up your defenses beforehand, thieves will end up with a useless “brick” and no way to extract your personal information from it. Let’s get started.

What can a thief do with a phone?

First, let’s consider what can actually happen to a stolen phone and why you should even bother protecting it.

Sell it for parts

In the most common scenario, the smartphone is simply sold for parts, especially if the thief found it locked. If the purpose was just to steal a phone, not to hurt you specifically, chances are the thief will not purposefully try to hack it. Manipulating a device that is powered on and connected to the Internet in any way increases the risk of getting caught.

Withdraw money from a bank

In some situations, the temptation to make more money can outweigh caution. This scenario primarily concerns unlocked phones — for example, one that a thief snatched from the owner’s hands or found unattended. If a bank app was open, the thief can withdraw money within moments or even take out a loan. Some banks allow users to transfer money by sending text messages to certain phone numbers. That makes stealing money even easier; any verification codes will be sent to the stolen phone.

Factory-reset and sell

If a thief manages — typically, with the help of social engineering — to log in to your Google or Apple ID account and change your password, you will lose the ability to lock the device remotely, and the thief will be able to reset it to get a working smartphone, which they can then sell much more lucratively than they could for parts.

Use personal information for blackmail and extortion, or simply leak it online

Thieves may demand ransom if they find important documents on your smartphone, threatening to delete or send them to your contacts.
The same goes for personal files that could compromise you or someone else. A thief can copy and analyze information from the Files app on an iPhone (primarily all iCloud content), the entire smartphone memory on Android, and cloud drives to which your phone has access. In addition to that, a thief can scan conversations, starting with instant messages, for material of interest or try to hack your Facebook or Instagram accounts and start asking your friends and acquaintances for money.

Also, in theory, the thief may try to link your bank account to another device, but that is an unlikely scenario. The thief would have to keep the phone turned on, thus increasing the risk of getting caught.

Our tips will help limit a thief’s options to selling your phone for parts by frustrating any other plans they might have.

How to securely lock your smartphone in case of theft

Here’s how to secure your information and also ensure your ability to restore it on a new device if necessary.

Set screen lock

First, make sure your phone automatically locks the screen. Android users can find that option under Settings, in the Security section. Keep in mind that most manufacturers of Android devices customize their interfaces, so settings may vary slightly from phone to phone. For this post, we used Android 11 on a Google Pixel because it has a very typical implementation. On iPhones, the option is in the Face ID & Passcode section (or Touch ID & Passcode for iPhone 8 and older versions).

Not every way to lock a phone’s screen is equally reliable. For example, in the case of Android, you should not rely too heavily on facial recognition; some implementations are relatively easy to trick with a simple photo. The iPhone’s Face ID is far more robust. A graphic key is too easy for someone to observe over your shoulder; besides, people tend to draw predictable patterns. Long passwords and a fingerprint scanner are safest.
Although it is possible to fake a fingerprint, common pickpockets do not have access to that kind of technology. That said, the most important thing is to lock the phone, so use whichever method you prefer.

Set a SIM card PIN

Entering a SIM card PIN every time you restart your device or buy a new one is a bit of a hassle, but it doesn’t happen too often, and the added security is worth the effort. If a SIM isn’t locked with a PIN, a thief can simply insert it into any other phone and make a call to themselves to find out your number — and knowing that, they will be able to log in to certain websites, pass two-factor authentication, and use text messages to transfer money from bank cards. It should go without saying that your SIM PIN must be different from the one you use for unlocking your phone.

How to set a PIN for a SIM card on Android:
- Go to your phone settings and select Security;
- Click SIM card lock and toggle on Lock SIM card;
- Enter a PIN and confirm it.

How to set a PIN for a SIM card on iOS:
- Go to Settings and open Cellular;
- Select SIM PIN and toggle it on;
- Enter a PIN and confirm it.

Encrypt data

Full-disk encryption (FDE) is another feature that protects your information. When it’s enabled, all files stored on the smartphone will be encrypted by default and there will be no way to read them without unlocking the smartphone. On iPhones and smartphones running Android 5 and above, data encryption is enabled by default. In earlier versions of Android, it needs to be activated manually.

How to enable full-disk encryption on Android:
- Go to your phone settings and select Security;
- Go to Encryption & credentials and tap Encrypt phone. Follow the instructions.

Password-protect apps and notifications

Set up a separate password, PIN, or graphic key for critical apps. Then turn off notifications for those apps, especially any that pop up on a lock screen.
Doing so makes reading alerts and text messages a little less convenient, but it also makes intercepting your one-time authentication codes, or moving your money to another account, almost impossible for outsiders.

Privacy settings may differ across Android smartphone models. You can find instructions specific to your model on the manufacturer’s website, and here’s a general outline:
- Open Settings and go to Security or Privacy;
- Tap App lock;
- Select the apps you want to lock.

The device will now ask for the PIN before opening those apps. Unfortunately, not all manufacturers offer the app lock feature. If you can’t find it in your settings, try checking Google Play for solutions or simply install Kaspersky Internet Security for Android, which has this feature.

iOS lacks an application lock feature, but you can protect your apps by setting a screen time limit. To do so:
- Open Settings and go to Screen Time;
- Tap Use Screen Time Passcode and set a passcode;
- Go to App Limits and select a desired app category;
- Set a limit by selecting Add Limit;
- Specify a time limit, say, 2 minutes;
- Confirm your choice by tapping Add.

When the time is up, the app will be locked, and the person using the phone will not be able to continue unless they know the passcode.

Set up data backup

If you back up your data regularly, then even if you lose your phone for good, you will not lose your contacts and other information. You’ll simply download a backup copy of the data onto your new device.

How to set up backup on Android:
- Locate the System section in the settings;
- Select Backup;
- Turn on Google Drive backup or select a computer or other external media as a target, if your device offers that option.

With an iPhone, you have two backup options. The easier route is to use automatic iCloud backup:
- Turn on iCloud Backup: open Settings → [account name] → iCloud and select Backup;
- Plug in your phone and connect it to Wi-Fi with an unlimited plan (the initial upload uses a lot of power and data);
- Check how much storage space you have left. All iCloud users get 5 GB of free storage space, but if you need more, you can purchase a subscription from Apple or use a free alternative;
- Lock the screen so you do not disrupt the process with a random tap.

If you prefer not to use the cloud, try computer backup — Apple offers a detailed guide on its website.

Turn on Find My Device

Find My Device (Android) and Find My iPhone (iOS) can track the location of a lost or stolen smartphone through a Google or Apple ID account. You can use these features to remotely lock the device or even completely erase all data on it. However, the feature must be active at the time the device is stolen or lost — you need to enable it now.

How to turn on Find My Device on Android:
- Open Settings and go to Security;
- Turn on the Find My Device switch.

How to turn on Find My iPhone:
- Open Settings and tap your name;
- Select Find My and toggle on Find My iPhone.

Then go to the Security section in your Google account or the Find My app on your iPhone or iPad, and find your device on the list. You will see options to lock and erase the device. They will come in handy if the phone is stolen in an unlocked state and it has confidential information on it.

You can set a message and backup contact number to be displayed on the screen when you lock the phone remotely. That gives anyone who ends up with your phone the option to find you and return it. You will, however, need to be more vigilant than usual; thieves can use your backup contact number for phishing — for example, to send fake support notifications trying to get your Google or Apple ID account password so they can unlink your device. In that case, keep a clear head and refrain from following suspicious links, let alone entering any confidential data on those websites.
Losing or having one’s smartphone stolen stinks; there’s just no way around that. But taking precautions to secure your data and back it up in case of theft can turn that disaster into straightforward inconvenience. We certainly hope that never comes to pass, but we strongly recommend spending a few minutes to prepare.
Fake, positive reviews have infiltrated nearly every corner of life online these days, confusing consumers while offering an unwelcome advantage to fraudsters and sub-par products everywhere. Happily, identifying and tracking these fake reviewer accounts is often the easiest way to spot scams. Here’s the story of how bogus reviews on a counterfeit Microsoft Authenticator browser extension exposed dozens of other extensions that siphoned personal and financial data.

Comments on the fake Microsoft Authenticator browser extension show the reviews for these applications are either positive or very negative — basically calling it out as a scam. Image: chrome-stats.com.

After hearing from a reader about a phony Microsoft Authenticator extension that appeared on the Google Chrome Store, KrebsOnSecurity began looking at the profile of the account that created it. There were a total of five reviews on the extension before it was removed: Three Google users gave it one star, warning people to stay far away from it; but two of the reviewers awarded it between three and four stars.

“It’s great!,” the Google account Theresa Duncan enthused, improbably. “I’ve only had very occasional issues with it.”

“Very convenient and handing,” assessed Anna Jones, incomprehensibly.

Google’s Chrome Store said the email address tied to the account that published the knockoff Microsoft extension also was responsible for one called “iArtbook Digital Painting.” Before it was removed from the Chrome Store, iArtbook had garnered just 22 users and three reviews. As with the knockoff Microsoft extension, all three reviews were positive, and all were authored by accounts with first and last names, like Megan Vance, Olivia Knox, and Alison Graham.

Google’s Chrome Store doesn’t make it easy to search by reviewer. For that I turned to Hao Nguyen, the developer behind chrome-stats.com, which indexes and makes searchable a broad array of attributes about extensions available from Google.

Looking at the Google accounts that left positive reviews on both the now-defunct Microsoft Authenticator and iArtbook extensions, KrebsOnSecurity noticed that each left positive reviews on a handful of other extensions that have since been removed.
Reviews on the iArtbook extension were all from apparently fake Google accounts that each reviewed two other extensions, one of which was published by the same developer. This same pattern was observed across 45 now-defunct extensions.

Like an ever-expanding Venn diagram, a review of the extensions commented on by each new fake reviewer found led to the discovery of even more phony reviewers and extensions. In total, roughly 24 hours’ worth of digging through chrome-stats.com unearthed more than 100 positive reviews on a network of patently fraudulent extensions.

Those reviews in turn led to the relatively straightforward identification of:

- 39 reviewers who were happy with extensions that spoofed major brands and requested financial data
- 45 malicious extensions that collectively had close to 100,000 downloads
- 25 developer accounts tied to multiple banned applications

The extensions spoofed a range of consumer brands, including Adobe, Amazon, Facebook, HBO, Microsoft, Roku and Verizon. Scouring the manifests for each of these other extensions in turn revealed that many of the same developers were tied to multiple apps being promoted by the same phony Google accounts.

Some of the fake extensions have only a handful of downloads, but most have hundreds or thousands. A fake Microsoft Teams extension attracted 16,200 downloads in the roughly two months it was available from the Google store. A counterfeit version of CapCut, a professional video editing software suite, claimed nearly 24,000 downloads over a similar time period.

More than 16,000 people downloaded a fake Microsoft Teams browser extension over the roughly two months it was available for download from the Google Chrome store.

Unlike malicious browser extensions that can turn your PC into a botnet or harvest your cookies, none of the extensions examined here request any special permissions from users.
Once installed, however, they invariably prompt the user to provide personal and financial data — all the while pretending to be associated with major brand names.

In some cases, the fake reviewers and phony extension developers used in this scheme share names, as is the case with “brook ice,” the Google account that positively reviewed the malicious Adobe and Microsoft Teams extensions. The email address brookice100@gmail.com was used to register the developer account responsible for producing two of the phony extensions examined in this review (PhotoMath and Dollify).

Some of the data that informed this report. The full spreadsheet is available as a link at the end of the story.

As we can see from the spreadsheet snippet above, many of the Google accounts that penned positive reviews on patently bogus extensions left comments on multiple apps on the same day.

Additionally, Google’s account recovery tools indicate many different developer email addresses tied to extensions reviewed here share the same recovery email — suggesting a relatively small number of anonymous users are controlling the entire scheme.

When the spreadsheet data shown above is sorted by email address of the extension developer, the grouping of the reviews by date becomes even clearer.

KrebsOnSecurity shared these findings with Google and will update this story in the event they respond. Either way, Google somehow already detected all of these extensions as fraudulent and removed them from its store.

However, there may be a future post here about how long that bad extension identification and removal process has taken over time. Overall, most of these extensions were available for two to three months before being taken down.

As for the “so what?” here? I performed this research mainly because I could, and I thought it was interesting enough to share. Also, I got fascinated with the idea that finding fake applications might be as simple as identifying and following the likely fake reviewers.
I’m positive there is more to this network of fraudulent extensions than is documented here.

As this story illustrates, it pays to be judicious about installing extensions. Leaving aside these extensions which are outright fraudulent, so many legitimate extensions get abandoned or sold each year to shady marketers that it’s wise to only trust extensions that are actively maintained (and perhaps have a critical mass of users that would make noise if anything untoward happened with the software).

According to chrome-stats.com, the majority of extensions — more than 100,000 of them — are effectively abandoned by their authors, or haven’t been updated in more than two years. In other words, there are a great many developers who are likely to be open to someone else buying up their creation along with their user base.

The information that informed this report is searchable in this Google spreadsheet.
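
The reviewer-pivot approach described in the story above, sketched as an added example (not code from KrebsOnSecurity or chrome-stats.com). It walks from one known-bad extension to the accounts that reviewed it positively and on to the other removed extensions those accounts praised, then reports same-day review bursts and developers tied to several flagged extensions. All records, names and addresses below are constructed, and the record layout is an assumption.

```python
from collections import defaultdict, deque

# Constructed sample: (reviewer, extension, developer_email, date, stars, removed_from_store)
REVIEWS = [
    ("reviewer-a", "fake-authenticator", "dev1@example.com", "2021-03-02", 4, True),
    ("reviewer-b", "fake-authenticator", "dev1@example.com", "2021-03-02", 3, True),
    ("angry-user", "fake-authenticator", "dev1@example.com", "2021-03-05", 1, True),
    ("reviewer-a", "fake-paint", "dev1@example.com", "2021-03-02", 5, True),
    ("reviewer-c", "fake-paint", "dev1@example.com", "2021-03-09", 5, True),
    ("reviewer-c", "fake-video", "dev2@example.com", "2021-03-09", 5, True),
    ("reviewer-c", "popular-adblock", "legit@example.com", "2021-01-11", 5, False),
    ("normal-user", "popular-adblock", "legit@example.com", "2021-02-01", 5, False),
]

def expand_network(reviews, seed_extension, min_stars=3):
    """Breadth-first walk of the reviewer/extension graph from one bad extension.

    Only positive reviews on extensions already removed from the store are
    used as edges, so a shared review on a live, popular extension does not
    pull unrelated accounts into the result.
    """
    by_ext, by_reviewer = defaultdict(set), defaultdict(set)
    for reviewer, ext, _dev, _date, stars, removed in reviews:
        if stars >= min_stars and removed:
            by_ext[ext].add(reviewer)
            by_reviewer[reviewer].add(ext)
    extensions, reviewers = {seed_extension}, set()
    queue = deque([seed_extension])
    while queue:
        ext = queue.popleft()
        for reviewer in by_ext[ext]:
            reviewers.add(reviewer)
            for other in by_reviewer[reviewer] - extensions:
                extensions.add(other)
                queue.append(other)
    return reviewers, extensions

def same_day_bursts(reviews, reviewers, extensions):
    """Flagged reviewers who reviewed two or more flagged extensions on one day."""
    seen = defaultdict(set)
    for reviewer, ext, _dev, date, _stars, _removed in reviews:
        if reviewer in reviewers and ext in extensions:
            seen[(reviewer, date)].add(ext)
    return {key: sorted(exts) for key, exts in seen.items() if len(exts) >= 2}

def repeat_developers(reviews, extensions):
    """Developer accounts tied to more than one flagged extension."""
    owned = defaultdict(set)
    for _reviewer, ext, dev, _date, _stars, _removed in reviews:
        if ext in extensions:
            owned[dev].add(ext)
    return {dev: sorted(exts) for dev, exts in owned.items() if len(exts) >= 2}

if __name__ == "__main__":
    found_reviewers, found_extensions = expand_network(REVIEWS, "fake-authenticator")
    print(sorted(found_reviewers), sorted(found_extensions))
    print(same_day_bursts(REVIEWS, found_reviewers, found_extensions))
    print(repeat_developers(REVIEWS, found_extensions))
```

The output is a list of leads for manual review, not a verdict: each account and extension still needs the kind of inspection the story describes.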
Cybersecurity researchers have disclosed a new backdoor program capable of stealing user login credentials, device information and executing arbitrary commands on Linux systems.
U.S. President Joe Biden’s proposed budget includes $750 million for the government agencies hit by the SolarWinds hack to pay for cybersecurity improvements to prevent another attack.
Hewlett Packard Enterprise (HPE) has fixed a critical zero-day remote code execution (RCE) flaw in its HPE Systems Insight Manager (SIM) software for Windows that it originally disclosed in December.
Researchers published details on a serious vulnerability they found in Siemens SIMATIC S7-1200 and S7-1500 PLCs that could allow an attacker to gain remote access to protected memory areas of the popular programmable logic controllers.
Multiple threat groups believed to be working in support of China's long-term economic interests are continuing to hammer away at networks belonging to organizations in the US and Europe.
Apple’s Big Sur 11.4 patches a security flaw that could be exploited to take screenshots, record audio and video, and access files on someone else’s Mac without their knowing.
The BravoMovies campaign, spotted by researchers at security firm Proofpoint, has been around since at least early May. While many of its elements seem absurd at a glance, it shows just how far hackers are willing to go to ensnare their victims.
Researchers have disclosed two new attack techniques on certified PDF documents that could potentially enable an attacker to alter a document's visible content by displaying malicious content without invalidating its signature.
SonicWall urged customers to ‘immediately’ address a post-authentication vulnerability, tracked as CVE-2021-20026, impacting on-premises versions of the Network Security Manager (NSM).
Cybersecurity researchers have disclosed two new attack techniques on certified PDF documents that could potentially enable an attacker to alter a document's visible content by displaying malicious content over the certified content without invalidating its signature. "The attack idea exploits the flexibility of PDF certification, which allows signing or adding annotations to certified documents