AT&T, Verizon and WhatsApp Flunk Privacy

An Electronic Frontier Foundation survey published last week gave AT&T, Verizon and WhatsApp the thumbs down when it comes to protecting user privacy. Google and Twitter also got a black eye.

The five were among 24 companies the EFF evaluated on criteria worked out over the past four years.

WhatsApp, now owned by Facebook, also took criticism in the EFF’s fifth annual report, Who Has Your Back?

On the plus side, nine companies — Adobe, Apple, Credo, Dropbox, Sonic, Wickr, Wikimedia, WordPress.com and Yahoo — received the top rating, five stars, in each category.

“While we’re happy that the tech industry has made great strides over the last few years, there’s still much to be done,” said EFF staff attorney Nate Cardozo.

The EFF’s Criteria

The EFF used five criteria to assess the practices and policies of the 24 participating companies:

  1. whether the company implements industry-accepted best practices, such as whether the company requires demands for customer data to be accompanied by a signed court warrant before handing over information, whether the company publishes a transparency report, and whether it publishes guides explaining how it responds to such demands;
  2. whether the company tells users about government requests for their data unless prohibited by law, or only in very narrow and defined emergency situations, or unless doing so would be futile or ineffective;
  3. whether the company publicly discloses its data retention policies;
  4. whether the company discloses how many times government bodies ask it to remove user content or accounts and how often it complies; and
  5. whether the company opposes backdoors.

Twenty-one of the 24 companies evaluated publicly opposed backdoors.

The Telco Walk of Shame

Verizon Wireless and AT&T scored especially poorly, continuing a years-long trend of telcos lagging behind the rest of the tech sector, the EFF noted.

“It’s great that AT&T and Verizon are releasing transparency reports in the wake of Snowden,” said EFF’s Cardozo, referring to NSA whistle-blower Edward Snowden’s massive leaks.

Still, “there’s absolutely no excuse for their silence on the issue of encryption and government-mandated backdoors,” he told the E-Commerce Times.

The companies’ behavior reflects a long-established pattern. Back in 2012, Verizon was blasted for bragging it was monitoring subscribers’ app usage and browsing habits.

In 2014, there was an uproar when news surfaced that Verizon Wireless and AT&T were using supercookies. Public outrage led both carriers to stop.

Further, AT&T readily handed over user data to the Bush administration on request.

“Both companies operate in heavily regulated areas and recognize that the government has unusual power over them,” explained Rob Enderle, principal at the Enderle Group.

“They are therefore used to complying with requests like this in order to avoid escalations that could massively damage their business models,” he told the E-Commerce Times.

WhatsApp, Doc?

The criticism of WhatsApp’s privacy practices also might have been expected.

The United States Federal Trade Commission last year warned Facebook and WhatsApp about their obligation to protect consumers’ privacy in advance of Facebook’s buying the smaller firm.

Facebook in 2011 settled FTC charges that it deceived consumers by not keeping its privacy promises.

Naked Security in January reported that WhatsApp’s then-new service, WhatsApp Web, had privacy holes that could expose photos sent from a user’s mobile device and then deleted.

The firm in February revealed that a WhatsApp feature let people track users’ status and any changes they made to their content and settings, even if they changed their privacy settings.

Reports in March indicated that WhatsApp’s 800 million users’ phones could be hijacked through the application.

Facebook should take the heat, Enderle said, because it’s the parent company, but “nothing should stop WhatsApp from taking action on its own.”

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true?

1 Comment

  • I think that none of those companies is really concerned with your privacy; they are all starting up as secured or private, and next thing you know we see them getting busted. SnapChat and WhatsApp can’t be trusted; there is no such thing as a private text message, it’s all stored! Everyone who is still concerned with the privacy of their email communications should try ShazzleMail. It’s free private email; they also have business and medical emails (HIPAA).


Hackers Cast LinkedIn as Most-Popular Phishing Spot

LinkedIn users are increasingly being targeted by phishing campaigns.

In recent weeks network audits revealed that the social media platform for professionals was in the crosshairs of 52 percent of all phishing scams globally in the first quarter of 2022.

This is the first time that hackers leveraged LinkedIn more often than any tech giant brand name like Apple, Google, and Microsoft, according to various reports.

Social media networks now overtake shipping, retail, and technology as the category most likely to be targeted by criminal groups, noted network security firm Check Point.

The phishing attacks reflect a 44 percent uplift from the previous quarter, when LinkedIn was in fifth place with only eight percent of phishing attempts. Now LinkedIn has surpassed DHL as the most targeted brand.

The second most targeted category is now shipping. DHL now holds second place with 14 percent of all phishing attempts during the quarter.

Check Point’s latest security report shows a trend toward threat actors leveraging social networks as a prime target. Hackers contact LinkedIn users via an official-looking email in an attempt to bait them to click on a malicious link.

Once lured, users face a login screen to a fake portal where hackers harvest their credentials. The fake website often contains a form intended to steal users’ credentials, payment details, or other personal information.

“The goal of these phishing attacks is to get victims to click on a malicious link. LinkedIn emails, like another commonly targeted sender, shipping providers, are ideal because the email shares only summary information, and the user is compelled to click through to the on-platform detail and content,” Archie Agarwal, founder and CEO at ThreatModeler, told the E-Commerce Times.

Ideal Pickings

Hackers target LinkedIn users for two key reasons, according to Agarwal. Phishing is a digital play on the confidence game built on trust. Exploiting victims’ trust in their LinkedIn network is a natural alternative to phishing on corporate sites.

“The other advantage to targeting LinkedIn users is that targets are easy to identify and prioritize. Users’ profiles publish their title and affiliations,” he said.

It makes sense for attackers to use LinkedIn as a hook for socially engineered phishing attacks, as it is generally accepted as a usable professional platform, added Hank Schless, senior manager for security solutions firm Lookout.

“However, it is not that different from any other social platform where an attacker can create a fake but convincing profile and message one of your employees with a malicious link or attachment,” he told the E-Commerce Times.

Countermeasures

Rather than clicking on the email, LinkedIn users should instead go directly to the platform that supposedly notified them and look for that notification detail there, suggested Agarwal.

“Platforms like LinkedIn and DHL have an incentive to notify users through email and text but link the user back to the platform to raise visits/usage. This incentive will always stand at odds with protecting against phishing opportunities,” he said.

Phishing that appears to come from legitimate services cannot be stopped. At the same time, current defenses are not tuned to find these types of attacks, noted Patrick Harr, CEO of anti-phishing firm SlashNext.

“These attacks are rising, and the gateway to ransomware is phishing. As phishing continues to grow as a vector for ransomware attacks, zero-hour, real-time threat prevention solutions are critical to stopping these threats,” he told the E-Commerce Times.

The ability to block employee web traffic to phishing sites, via malicious links and other vectors, and stop a ransomware attack at the start of the kill chain, is paramount, he added.

Trust Factors In

The use of LinkedIn blurs the boundary between work purposes and personal career development. For individuals, such as sales and marketing professionals, or recruiters who are using LinkedIn for work purposes, employers should remind them that trust is not transitive.

Recognize that second-level connections are basically unknown individuals. All information on LinkedIn, no matter how professional it looks, can be entirely fake, observed Oliver Tavakoli, CTO at security firm Vectra AI.

“To avoid falling for LinkedIn scams, simply imagine the same message arriving via email in your work inbox. Apply the same training that you have received for identifying phishing scams. Only accept connections from people you have met or ones who have been formally introduced to you,” he told the E-Commerce Times.

LinkedIn should undertake efforts to find and delete fake profiles. It should also make it far easier for organizations to flag incorrect claims in fake profiles — for example, having worked at a particular organization — to quickly correct such inaccuracies, Tavakoli added.

“On the end-user front, there is no real substitute for education — teaching skepticism and not falling for the transitive effect of trust,” he advised.

Think About It

Considering that 92 percent of LinkedIn users’ data was exposed in the 2021 breach, it comes as no surprise cybercriminals have increased attacks leveraging LinkedIn data, noted Harr. “However, based on our data, we are not seeing that LinkedIn has become the most imitated brand. This title belongs to Microsoft.”

With LinkedIn moving up the list of platforms used in phishing-related attacks, organizations should update their acceptable use policies (AUPs) to protect employees and mitigate the risk of web-based attacks, Schless recommended. Cloud-based web proxies such as secure web gateways (SWG) that are fed by rich threat intelligence datasets can help organizations build dynamic AUPs and protect enterprise data.

This enables admins to control which websites their employees and guest users can access with the purpose of blocking internet-borne malware, viruses, and phishing sites.

SWG is a critical solution to have in the modern enterprise security arsenal. It provides a way to block accidental access to malicious sites and can also be a safe tunnel to protect users from modern web-based threats such as ransomware, other malware, and phishing attacks, he explained.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.


Crypto 101: Data Privacy and Security on Cryptocurrency Platforms


Involvement in cryptocurrency has gone from being an activity relegated to tech savants and Silicon Valley intellectuals to an interest of the general public.

This growing level of interest has ushered in a call for increased security on cryptocurrency platforms.

Expectation of Security

With our lives being lived increasingly online, people have a higher expectation of tightened security measures to keep our personal information safe from prying eyes. While there can likely never be a perfectly secure online experience, a high data privacy and security level can be achieved.

These security concerns are shared by people looking to dip their toes into the cryptocurrency waters. For many newcomers to crypto investing the learning curve can be steep. There may be hesitancy if people do not feel comfortable with the level of security on a given crypto platform.

Accordingly, there needs to be a level of trust built by the platforms to ease the minds of people just getting started in crypto.

Blockchain Technology Security

Cybercriminals, hackers, and scammers know no bounds when attempting to part a person from their money, and criminal interest in digital assets is no different.

Research conducted by Barracuda, a cloud-enabled security solutions company, revealed that approximately 7,000 people lost more than US$80 million due to crypto scams between October 2020 and March 2021. According to the Federal Trade Commission, this is a massive increase of 1,100 percent from the previous years.

Cryptocurrency operates on blockchain technology, which at its core is used to record financial exchanges without the need for third-party verification. The very essence of blockchain tech works to deter hackers and nefarious actors seeking to gain private information or steal digital assets.

Data added to the blockchain and encrypted is permanent and unchangeable. Even if someone were to gain access and change any information stored therein, the other records would remain intact. The compromised record could be identified and repaired. Thus, blockchain technology makes cryptocurrency investment exceedingly secure.
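The tamper-evidence described above can be shown with a small hash-linked ledger. This is an added example, not code from the article or from any cryptocurrency project; the block layout, the function names and the sample transfers are assumptions constructed for illustration, and repair here means copying blocks from another node's copy that itself verifies.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder: "previous hash" of the first block


def block_hash(index, prev_hash, payload):
    """SHA-256 over a canonical JSON encoding of one block's contents."""
    body = json.dumps({"index": index, "prev": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def build_chain(payloads):
    """Link each record to its predecessor by embedding the predecessor's hash."""
    chain, prev = [], GENESIS
    for index, payload in enumerate(payloads):
        digest = block_hash(index, prev, payload)
        chain.append({"index": index, "prev": prev, "payload": payload, "hash": digest})
        prev = digest
    return chain


def first_inconsistency(chain):
    """Index of the first block whose hash or back-link fails, else None."""
    prev = GENESIS
    for index, block in enumerate(chain):
        if block["index"] != index or block["prev"] != prev:
            return index  # link to the predecessor is broken
        if block_hash(index, prev, block["payload"]) != block["hash"]:
            return index  # contents no longer match the stored hash
        prev = block["hash"]
    return None


def first_divergence(chain, replica):
    """Index where this copy stops agreeing with another node's copy, else None."""
    for index, (mine, theirs) in enumerate(zip(chain, replica)):
        if mine != theirs:
            return index
    return None if len(chain) == len(replica) else min(len(chain), len(replica))


def repair(chain, replica):
    """Replace everything from the first divergent block with a verified replica's blocks."""
    if first_inconsistency(replica) is not None:
        raise ValueError("replica itself fails verification")
    bad = first_divergence(chain, replica)
    if bad is None:
        return chain
    return chain[:bad] + copy.deepcopy(replica[bad:])


# Constructed sample ledger (not real transactions).
LEDGER = build_chain(["alice->bob:5", "bob->carol:2", "carol->dave:1"])
```

Editing a payload fails the self-check at that block; if the editor also recomputes that block's hash, the break moves to the next block's back-link, and comparison with another copy still locates the altered record.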

The security found in the blockchain does not mean that crypto investors should rely on it entirely and discard any personal responsibility for protecting their information or digital money. Security and data protection need to be a marriage between the tools available and the user.

Mashael Al Sabah, a cybersecurity researcher at the Qatar Computing Research Institute, laid bare the security holes that could be found in the blockchain in a 2018 paper that she co-authored. The paper showed that by simply sifting through publicly available Bitcoin blockchain data and social media accounts, the real identities of crypto investors and account holders could be revealed.

So, while blockchain technology is not foolproof, it still stands to be game-changing in terms of securing data or financial information.

Security Is a Personal Responsibility

More than ever before, people understand the importance of protecting their private information and securing one’s financial assets.

Their initial hesitancy to try cryptocurrency may lie in a lack of understanding of the regulation behind the currency. With traditional banking, people better understand the security measures to protect their money. The waters get a bit muddied when it comes to cryptocurrencies.

Cryptocurrency platforms use some security methods that most regular internet users are familiar with, including two-factor authentication processes. This familiarity may contribute to a false sense of security in people new to crypto. There still needs to be personal responsibility when entering the crypto arena.

Users can protect themselves by:

  • Not leaving cryptocurrency on exchanges. It can be tempting to leave all of your digital coinage in one place, ready for quick transactions, but this also leaves your crypto ripe for the picking by hackers.
  • Not leaving crypto on local storage. Backing up crypto on local, private storage such as a hard drive, computer desktop, or phone can leave it open for being lost or stolen.
  • Not losing or forgetting passwords. Remembering or saving passwords may sound like a given, but one may want to remember the story of Stefan Thomas, who owns 7,000 Bitcoins (valued at about $280 million at the time of this writing), but lost access to the digital fortune because he lost his password to his IronKey USB drive where he stored his Bitcoin.
  • Using secure crypto platforms. Many cryptocurrency platforms or businesses accept crypto payments or provide crypto cashback on purchases. It behooves the user to do their research on any platform they utilize for cryptocurrency exchanges or transactions. Users should gravitate towards crypto platforms that have been tried, tested, and proven legitimate and secure.

Master of Your Own Data

With many data breaches making headlines, some experts are encouraging people to take control over their own data and turn the tables on data mining scammers.

Some have leveraged the interest in data and sold theirs in exchange for cryptocurrency. Many have started advocating for a return to decentralization of data and for people to harness the power of personal data ownership and value.

This concept, again, involves blockchain technology. Blockchain allows people to sell their personal data securely and keep records of each transaction.

Ownership of data creates security. When people have agency over their personal information and can use or exchange it as they wish, there is a strengthened feeling of security.

Crypto Security Standard

Cryptocurrency platforms that want to be considered top players in the crypto game need to alleviate the worries of crypto investors by taking necessary precautions to provide secure transactions.

They also need to play the game of the regulatory measures for crypto exchange, measures that are admittedly still in their infancy. The Cryptocurrency Security Standard (CCSS) has been established to set requirements for all cryptocurrency exchange platforms, apps, and storage solutions.

Cryptocurrency systems require the creation of keys/seeds, which should be kept confidential and should not be easily guessable for those intending to obtain access to crypto that they have no rights to.

Dual verification for crypto wallet access, reference and background checks, and redundant storage of keys and necessary access information also help keep an investor’s cryptocurrency secure.

As cryptocurrency investing and exchange grows in popularity and utilization, security concerns will likely increase as well. It will be the responsibility of the various cryptocurrency platforms to make security and data privacy a top priority as more people enter the crypto space looking to make their mark.

Jacky Goh

Jacky Goh is CEO and co-founder of Rewards Bunny, a cash-back e-commerce shopping platform that rewards users in cash or cryptocurrency for online purchases.
