(Credit: Getty Images)
Have you ever gotten a text message from a number you don’t recognize that looks like a conversation already in progress with someone who seems to know who you are? Something as simple as “Hey, how have you been?” or “I’m going to be in town this weekend, want to catch up?” Yeah, it’s a scam. The most optimistic read is that they’re misdirected texts, but scammers use that optimism—and your curiosity—to get you to respond and start a conversation. If they get their way, that conversation ends with them getting your money or your data.
Flirty text messages aren’t the only things you have to look out for in infosec this week. We’ve known for a long time that smart home devices are a prime target for hackers, since many of them are easily exploited on their own or depend on your home network for security. Thankfully, we have tips to make sure everything is locked down.
Also, this week, we reported that Discord is the latest service to add age verification, reigniting a long-running debate over whether or not age verification actually protects users or simply serves to shield companies from accountability while harvesting their personal data. If you’ve been reading along, you know which direction the evidence points. And speaking of data collection, this week we explained why you should opt out of face scanning whenever possible, and trust us, even when it’s presented to you as mandatory, like at airports and border crossings, it’s optional. It’s also optional on your phone, and we think you should disable it there as well.
In lighter news, you may have seen ads for the Flipper Zero, a powerful, easy-to-use handheld hacking device that’s great for getting started in security (or those who love playing with tech). Well, this week we went hands on with it, digging into the Flipper Zero’s features and showing you how to set one up. We even have another story, packed with eight projects to try with the Flipper Zero, including unlocking security doors (responsibly, of course!) to controlling those waiting room TVs you really wish you could change the channel on. Just use your new powers for good, OK?
Google Fulfilled ICE Subpoena Demanding Student Journalist’s Bank and Credit Card Numbers
Most tech companies usually promise to let you know if law enforcement has requested specific information about you from them, and to share what information, if any, they shared. A lot of these promises came when tech companies wielded much less power, and, at least openly, were more committed to protecting their users from government overreach, tracking, or suppression (mostly in the post-Wikileaks era, when warrantless spying was a headline-making affair). According to a new report from The Intercept, however, those days are long gone. According to the story and a copy of the subpoena the publication obtained, Google handed over the personal data of a student journalist and activist at Cornell University who attended an on-campus pro-Palestinian protest to US Immigration and Customs Enforcement (ICE) after the agency requested it. Complying with the subpoena isn’t the issue; however, the amount of data, including credit card and bank account numbers, usernames, physical addresses, and more, is.
Google notified the student in a brief email that it had shared metadata with the agency after the fact, but did not disclose exactly how much data the agency requested or how much had been provided, or why the agency requested the information in the first place (ICE, for its part, also didn’t state why it wanted the information beyond it being “part of an ongoing investigation,” and requested Google not notify the student of the data sharing at all). The student himself, who is a British citizen and currently lives in Senegal, notes that the information was shared before he had an opportunity to object or to seek legal counsel, as another student involved in the same protest had. As a result, privacy experts from the Electronic Frontier Foundation, which represents him, as well as the ACLU of Northern California, have all contacted major tech companies to both protest this kind of data sharing, as well as insist companies uphold their own policies (and federal law) involving data privacy and informing users when said data can be shared.
Payroll Pirates Are Conning Help Desks to Steal Workers’ Identities and Redirect Paychecks
Ah, social engineering. It never fails, mostly because the weakest link in any security chain is almost always the human factor. Many people either aren’t empowered enough or paid enough to care about organizational security, and in other cases, malicious actors have all of the information they need to get around security measures and trick unsuspecting users into essentially giving their data away. In this case, according to The Register, security researchers at Arc Labs looked into a security incident where a thief used old credentials from a previous data breach to gain access to a health care company’s email systems, and after a little snooping, contacted the company’s help desk and managed to redirect a physician’s paycheck to their own bank account. The breach was only uncovered when, predictably, the doctor in question was told they had been paid but never saw the money deposited into their account.
This kind of identity theft is simple, but devastating. Essentially, the thief called the company’s help desk, posing as the physician in question and using a combination of information they’d gleaned from reading company emails and pressuring the agents they spoke with to demand access to other sensitive accounts, such as the physician’s company payroll system, where they made the change. And this isn’t the first time, either—additional cases uncovered by other researchers point to this type of identity theft, where your identity is stolen from your employer, and not you directly, are on the rise. After all, it’s easier to pose as you and bully a service provider’s customer service into handing over your data than it is to trick an individual, in some cases.
Massive AI Chat App Leaked Millions of Users' Private Conversations
Another week, another AI-related security breach. 404 Media reports that AI chat app Chat & Ask AI, which has over 50 million users, left hundreds of thousands of private conversations exposed, on topics from suicide, hacking, and making drugs like meth. Chat & Ask AI is a wrapper app that presents a custom interface but actually routes queries and conversations to other AI chatbots, such as Gemini, ChatGPT, and Claude. We’ve mentioned before that you should never assume your conversations with an AI chatbot are private, and with companies like ChatGPT injecting ads into the chatbot, you also shouldn’t assume those conversations are even safe from the company offering the service to you. But in this case, the issue runs deeper. An independent security researcher revealed that because the app’s Google Firebase instance was misconfigured, anyone with the right knowledge could impersonate “authenticated” users and access all back-end data, including user conversations and queries.
The researcher claimed that he had access to over 300 million messages from more than 25 million users, and that he extracted and analyzed a sample of 60,000 users and a million messages from the database. All of that information included full conversation histories, timestamps, and even details like the nicknames the Chat & Ask AI users gave their AI bots, and the visual models they configured them with.