Checklist 284: New Breaches, New Protections
On this week’s Checklist, we cover:
- A bad breach, a decent response
- IoT insecurity, hot tub edition
- Apple comms changes
A data breach with a silver lining
Flagstar Bank has suffered a data breach, and it’s a big one. More than 1.5 million of the bank’s customers have had their Social Security numbers leaked.
Flagstar notified affected customers in a letter at the start of June — even though the breach happened in December of last year. So far, so bad. But surprisingly, it gets better.
To its credit, Flagstar Bank is giving the breach’s victims some real, tangible help. The bank has hired an identity security firm to provide free identity monitoring to affected parties for up to two years.
In addition to standard identity monitoring services like credit monitoring and identity theft restoration, Flagstar says the firm will also offer:
…unlimited access to consultation with a … fraud specialist. Support includes showing you the most effective ways to protect your identity, explaining your rights and protections under the law, assistance with fraud alerts, and interpreting how personal information is accessed and used, including investigating suspicious activity that could be tied to an identity theft event.
A fraud prevention checklist
Flagstar also sent customers a checklist of strategies to protect themselves from identity fraud. And you know how much we love a good checklist! Tips included:
- Never share personal information via phone, web, or mail unless you were the one to initiate contact.
- Use strong, unique passwords and PINs for all accounts.
- Look out for missed bills or account statements. Identity thieves often divert official communications, so a missing document is an early warning sign of a problem.
- Always use secure data transfer protocols for banking. This means HTTPS for all web activity and avoiding unsecured public Wi-Fi networks.
- Regularly monitor financial accounts for unknown or suspicious transactions.
An IoT security issue? Say it ain’t so!
IoT devices are famously insecure. Part of the reason for this is that non-technical companies — i.e., companies with very little experience doing cybersecurity — seem convinced that they need to make IoT versions of their classic products.
Case in point: Jacuzzi, the hot tub maker so successful its name is synonymous with its flagship product. Now, Jacuzzi is undeniably awesome at manufacturing hot tubs. But when it comes to IoT security, well, that appears to be another story.
The company offers a “SmartTub” interface that lets you monitor and control your hot tub via mobile app. Sounds great, but unfortunately (though perhaps unsurprisingly), Jacuzzi’s IoT tech has serious security flaws. TechCrunch reports that the IoT interface can be accessed by unauthorized users, revealing owner information and potentially allowing bad actors to tamper with a victim’s hot tub settings.
The incident is yet another reminder of that first rule of IoT security: If something doesn’t need to be connected to the Internet, it’s probably best not to connect it to the Internet!
Apple improves communications
WWDC22 has come and gone, and now developers and security researchers have started to examine the early betas of iOS 16 and macOS 13 Ventura. The folks at MacRumors have already spotted a couple of positive changes:
MacRumors says that Apple’s Junk Message Reporting, the feature that allows you to report junk messages in iMessage, is expanding. Starting in iOS 16, junk reporting will also be possible for SMS and MMS messages. To use the feature, says MacRumors, you just “long press on an SMS/MMS message in the Unknown Senders section of the Messages app in iOS 16.” This gives you the option to report the message as junk to both Apple and the cellular carrier.
Another MacRumors piece describes a change that will make it easier for Mail users to spot brand impersonators. According to the article:
iOS 16 and macOS Ventura add support for the Brand Indicators for Message Identification (BIMI) standard in the Mail app, helping users to easily verify authenticated emails sent by brands by displaying the brand’s logo alongside the email’s header.
Emails from brands that have opted in to the program will be marked “Digitally Certified” if you tap the email’s header. It’s a smallish change, but we’ll take any help we can get in the war on phishing!
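To show what sits behind that “Digitally Certified” label, here is an added example (not code from Apple, MacRumors, or this Checklist) of the lookup a BIMI-aware mail client performs before it will display a brand logo. BIMI publishes a TXT record at `<selector>._bimi.<domain>` (the default selector is `default`) with a `v=BIMI1` tag, an `l=` HTTPS URL for the logo, and an optional `a=` URL for the certificate evidence; the logo is only honoured when the sending domain also enforces DMARC with `p=quarantine` or `p=reject`. The DNS zone below is constructed for the example and replaces a live resolver, the domain names are placeholders, and the rule that a logo without an `a=` evidence URL is rejected is an assumption about a client that insists on certificate-backed logos rather than a requirement of the standard itself.

```python
"""BIMI assertion-record evaluation, worked offline over constructed DNS records."""
from urllib.parse import urlparse

# Constructed sample zone (not real records) standing in for a live DNS lookup.
# BIMI lives at "<selector>._bimi.<domain>"; DMARC lives at "_dmarc.<domain>".
SAMPLE_TXT_RECORDS = {
    "default._bimi.brand.example": [
        "v=BIMI1; l=https://brand.example/logo.svg; a=https://brand.example/vmc.pem"
    ],
    "_dmarc.brand.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@brand.example"],
    # Logo published, but DMARC is monitor-only, so clients must not show it.
    "default._bimi.weak.example": ["v=BIMI1; l=https://weak.example/logo.svg"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    # Empty l= and a= is the standard's way of declining to participate.
    "default._bimi.optout.example": ["v=BIMI1; l=; a="],
}


def parse_tags(record):
    """Split a 'k=v; k=v' TXT record into a dict (keys lower-cased, values kept as-is)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def lookup_txt(name, resolver=SAMPLE_TXT_RECORDS):
    """Stand-in for a DNS TXT query against the constructed zone."""
    return resolver.get(name.lower(), [])


def dmarc_enforcing(domain, resolver=SAMPLE_TXT_RECORDS):
    """BIMI requires the sending domain to enforce DMARC (p=quarantine or p=reject)."""
    for rec in lookup_txt(f"_dmarc.{domain}", resolver):
        tags = parse_tags(rec)
        if tags.get("v", "").upper() == "DMARC1":
            return tags.get("p", "").lower() in ("quarantine", "reject")
    return False


def https_url(value):
    """BIMI logo and evidence locations must be https:// URLs."""
    parsed = urlparse(value)
    return parsed.scheme == "https" and bool(parsed.netloc)


def evaluate_bimi(domain, selector="default", resolver=SAMPLE_TXT_RECORDS):
    """Return (status, detail) for a sender domain.

    'display'   - record valid, DMARC enforcing, evidence present: logo may be shown
    'declined'  - domain published an empty record to opt out
    'no-record' - nothing published at <selector>._bimi.<domain>
    'reject'    - a record exists but must not be used; detail says why
    """
    records = lookup_txt(f"{selector}._bimi.{domain}", resolver)
    if not records:
        return "no-record", "no BIMI assertion record"
    if len(records) > 1:
        return "reject", "multiple BIMI records published"
    tags = parse_tags(records[0])
    if tags.get("v") != "BIMI1":
        return "reject", "missing or unsupported v= tag"
    if "l" not in tags:
        return "reject", "missing l= tag"
    if tags["l"] == "" and tags.get("a", "") == "":
        return "declined", "empty l= and a= (declination to publish)"
    if not https_url(tags["l"]):
        return "reject", "l= must be an https URL"
    if not dmarc_enforcing(domain, resolver):
        return "reject", "DMARC policy is not quarantine/reject"
    # Assumed client policy: only certificate-backed logos are labelled as certified,
    # so an a= evidence URL is required here even though the standard makes it optional.
    if not https_url(tags.get("a", "")):
        return "reject", "no a= evidence URL for the certificate check"
    return "display", tags["l"]


if __name__ == "__main__":
    for sender in ("brand.example", "weak.example", "optout.example", "missing.example"):
        print(sender, evaluate_bimi(sender))
```

The point for a defender is the order of the checks: a brand logo is never taken from the message itself, it comes from the brand’s own DNS, and it is withheld entirely when the domain’s DMARC policy would still let spoofed mail through. That is what keeps the logo from becoming one more thing a phisher can copy.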