Welcome back to the TCE Strategy monthly technology and cybersecurity newsletter! The mission of this publication is to cut through the clutter of cybersecurity news stories and provide you with the most important, relevant and actionable cybersecurity information.
If this newsletter adds value, fantastic! That is the goal. Please forward it on to friends/colleagues. If not, no hard feelings. Please look to the bottom for an easy to click "unsubscribe" button.
The Wall Street Journal and MacRumors have both covered a disturbing crime ring that involves stealing iPhones and draining the iPhone owner’s bank accounts. The scam works like this:
The victim is hanging out at a bar, and they get out their iPhone and enter their passcode. The passcode is the 4- or 6-digit PIN that most iPhone users have set up to unlock their phone.
A criminal at the same bar is looking over the victim’s shoulder to see what their passcode is.
The criminal grabs the victim’s iPhone and runs away with it.
This is where things get interesting, as stealing the iPhone is only the tip of the iceberg. Because the criminal now has the victim’s iPhone and their iPhone passcode, they have tremendous access to the victim’s cyber life: email accounts, social media accounts, bank accounts, etc. So, the criminal starts grabbing control of the victim’s accounts. Here is the order of operations:
The criminal logs into the victim’s phone using their passcode.
The criminal turns off the “Find My” feature on the iPhone so that it can’t be tracked.
The criminal changes the victim’s Apple ID passcode to lock the victim out of their Apple account.
The criminal changes the recovery phone number and/or email address associated with the Apple account of the victim so that the victim has no way to get back into their Apple devices, nor can the victim perform a remote wipe of the stolen iPhone.
The criminal starts looking for phone apps that can be used to transfer money, such as PayPal, Zelle, Venmo, various apps for individual banks, etc. Also, the criminal hopes that the passwords for these accounts are stored in Apple’s “keychain” password keeper feature, as the victim’s passcode can be used to unlock “keychain”.
For any money transfer service or account that has a valid password in “keychain”, the criminal initiates drains of the victim’s bank accounts by transferring money into the criminal’s own accounts.
The criminal may also make charges via Apple Pay until the credit cards associated with Apple Pay get shut off.
The criminal then sells the victim’s phone and pockets the cash.
This is a very disturbing sequence of events. Previously, you have likely heard me talk about the huge benefits of MFA, or Multi-Factor Authentication, but in this case, the criminal has beaten MFA because they have the victim’s passcode AND the victim’s phone. The fact that a phone can be used to unlock so many other aspects of our lives is how this scenario turns from a simple device theft into a huge financial fraud. Thankfully, there are steps you can take to protect yourself from this type of attack. Here are my recommendations, starting with the most important/practical ones:
DO NOT USE APPLE KEYCHAIN TO STORE PASSWORDS. Most 3rd party password keepers (1Password, Dashlane, etc.) have their own master password that is different from the iPhone’s unlock code. The only way to unlock a 3rd party password keeper is with that separate master password or with facial/fingerprint recognition, and the criminal has neither the victim’s master password nor their face/fingerprint. A 3rd party password keeper will protect your bank accounts and money transfer services from this type of attack.
Only install the banking apps or money transfer services that you need to have on your phone. If you don’t need them on your phone, don’t install them on your phone.
If you need banking apps or money transfer services on your phone, be certain to set them up to only allow unlocking with a unique password or with facial/fingerprint recognition. If you can unlock a banking app with just your iPhone’s passcode, a criminal can, too.
Consider turning off Apple Pay altogether, as there is no way to protect Apple Pay from a criminal that has your phone and passcode. At a minimum, make sure that Apple Pay only has credit cards linked to it (as opposed to debit cards or bank accounts). It is easier to dispute fraudulent charges on a credit card than on a debit card or bank account.
Use a complex passcode on your phone. I run into many people with an unlock passcode of “111111” or “123456”. Simple passcodes such as these make it easy for someone looking over your shoulder to see what you’re typing in. Pick a genuinely complex passcode. Even better is an alphanumeric passcode, but I openly admit that typing in those types of passcodes is genuinely cumbersome.
Be careful using your iPhone in public places. Try to cover the screen when unlocking your phone, or always use facial recognition to unlock your phone in public places rather than your passcode.
Thankfully, some of these criminal gangs are being found, tried and convicted, but other copy-cat criminals are surely out there. Remember how powerful your smartphone is when it comes to unlocking your whole life. Treat it as such.
Until next month, stay safe!
Upcoming Speaking Events
Live events are back in action! Here is a list of the cities that I will be in for 2023. Please feel free to reach out if you have an event in mind.
March 7th-8th, San Diego, CA
March 13th-15th, Salt Lake City, UT
May 29th-June 2nd, Las Vegas, NV
June 16th-22nd, Dublin, Ireland
July 17th-18th, Orlando, FL
August 19th-20th, Honolulu, HI
October 22nd-24th, New Orleans, LA
This is why I don't have a "smart" doorbell or "smart" locks on my home. They seem like a dumb idea if you ask me.
Cybersecurity Tip of the Month
Spring Cleaning: Safely Disposing of External Hard Drives and USB Drives
With the first day of Spring finally arriving this past weekend, many of us will surely have the "spring cleaning" bug very soon. If you come across old USBs or hard drives that you decide to get rid of, please keep these things in mind before you do.
When selling, donating, or disposing of old USB drives or hard drives, many people think they can simply delete the files and they will be safe. This is not true, however. Third-party data recovery software programs can often restore these files, meaning that any sensitive documents or data on these drives could be exposed or fall into the wrong hands.
There are several different ways you can securely wipe these devices:
- Formatting an external device: Windows and macOS come with built-in format options for erasing hard drive data. You can follow a few simple steps to initiate this method, which performs a write-zero pass, filling the storage space with zeros. To see more detailed step-by-step instructions for Windows and macOS, visit this article.
- Erasing data on external drives using an app: There is no shortage of apps, paid and free, that will perform a data erasure service for you. Some of these are described more in depth here and include:
  - Android: Secure Eraser, Shreddit
  - Windows: CCleaner, Eassos PartitionGuru, MiniTool Drive Wipe
  - macOS: StellarWipe Mac, Mac Washing Machine Secure X9
  - Windows and macOS: AweEraser, Super Eraser
  - Windows, macOS, and Linux: WipeDrive
- Erase hard drives using Darik’s Boot-and-Nuke (DBAN) software: DBAN is a free data destruction program used to completely erase all the files on a hard drive. This is a great free program but will erase EVERYTHING on the hard drive, including applications, personal files, and operating systems, so it needs to be used carefully and intentionally. These articles give some very helpful tips and steps for using DBAN:
If you are disposing of a USB or external hard drive for any reason, be sure to do your due diligence. Double-check what data is on the drive, determine how sensitive it is, and decide on the best way to ensure it is erased from the drive. And if in doubt, a good old-fashioned hammer will always get the job done.
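
To confirm that a write-zero pass like the one described above really removed the data, compare the drive's raw contents before and after. The script below is an added example, not part of the original newsletter; the image file, the marker string and the function names are constructed for illustration, and it works on a file-backed image rather than a real drive.

```sh
#!/bin/sh
# Added example. A constructed 1 MiB image file stands in for a USB drive;
# nothing here touches a real device.
MARKER='constructed-sample-4111'   # constructed sample data, not a real account

# make_image FILE: blank image with the marker left in otherwise unused space,
# the way a deleted file's contents stay on the drive.
make_image() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf 'ACCOUNT=%s' "$MARKER" |
        dd of="$1" bs=1024 seek=300 conv=notrunc 2>/dev/null
}

# contains_marker FILE: succeeds if the marker is still readable in the raw bytes.
contains_marker() {
    LC_ALL=C grep -a -q "$MARKER" "$1"
}

# zero_fill FILE: one write-zero pass over the whole image
# (size rounded up to a whole 1 KiB block).
zero_fill() {
    size=$(( $(wc -c < "$1") ))
    blocks=$(( (size + 1023) / 1024 ))
    dd if=/dev/zero of="$1" bs=1024 count="$blocks" conv=notrunc 2>/dev/null
}

# is_zeroed FILE: succeeds only if the image is non-empty and every byte is zero.
is_zeroed() {
    size=$(( $(wc -c < "$1") ))
    [ "$size" -gt 0 ] || return 1
    head -c "$size" /dev/zero | cmp -s - "$1"
}

img=$(mktemp)
make_image "$img"
contains_marker "$img" && echo "before wipe: marker still recoverable"
is_zeroed "$img"       || echo "before wipe: image is not all zeros"
zero_fill "$img"
contains_marker "$img" || echo "after wipe: marker gone"
is_zeroed "$img"       && echo "after wipe: verified all zeros"
rm -f "$img"
```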