FBI details how bad Internet crime is, a report on unsafe passwords, a medical hack and how your face may be used without your knowledge to train facial recognition software.
Welcome to Cyber Security Today. It’s Wednesday, April 24th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
The FBI’s annual internet crime complaints report is out, and again it paints an ugly picture. The agency received almost 352,000 complaints last year with losses totaling more than $2.7 billion. The most prevalent crime types reported by victims were non-payment or non-delivery of products, extortion, and personal data breach. The top three with the highest reported losses were business email scams, where companies are tricked into wiring money or buying and sending gift cards to a criminal; confidence and romance fraud; and non-payment or non-delivery of products. Of that $2.7 billion in reported losses, $1.2 billion was from businesses and individuals tricked into wiring money to a criminal. Even real estate agents get stung sending money to criminals in home sales.
Fortunately, the FBI is pretty good at getting a lot of that money back. Still, it warns organizations to watch out for emailed messages requesting payment changes — like, money used to go to this account, now the person wants it sent to another bank. And verify that the email addresses on messages you get are accurate when checking mail on a cell phone or other mobile device. The full report is available here.
I’ve talked before about the risks of using simple passwords that lots of other people use as well. This only helps hackers. Well, this week the British government’s National Cyber Security Centre published a report reminding people of the unsafe passwords they need to eliminate. Like “123456.” Do you know how many times 123456 has been used? On 23 million accounts, according to lists of stolen passwords seen by police and security researchers. Other unsafe passwords are the days of the week, months of the year, well-known rock bands, sports teams and company names. Even your first name isn’t a good password. By the way, Ashley has been used as a password on over 400,000 accounts.
Lots of people use and re-use poor passwords, which get collected by hackers when they steal login credentials. Then hackers assemble lists of the most commonly-used stolen passwords and use them to try to hack into more places with automated attacks.
What can you do? For computer logins and applications, the U.K. Cyber Security Centre says a safe password is three random words. Use words memorable to you, so no one can guess your password.
A link to the full report is here.
A Texas-based company called EmCare, which provides outsourced doctor services to American hospitals and clinics, said last week that a hacker got into the email accounts of a number of employees. The company told Bloomberg News that what the hacker got was personal information on 60,000 individuals, 31,000 of whom are patients. The data included name, date of birth or age, and for some patients, clinical information. In some instances, Social Security and driver’s license numbers were available. There were no details. But maybe that much information was in unencrypted spreadsheets or databases that employees emailed to each other as attachments. If so, this would be an example of either the lack of a company privacy policy requiring encryption of files sent by email, or a failure to train and police employees to follow the rule.
Employees in any organization should remember that your email may be protected from being intercepted. But if your account is hacked, valuable information can be found in the email attachments you send and receive.
Finally, facial recognition software is being used by police to identify suspects, by retailers to identify shoplifters and by stadiums to identify hooligans. But how does the artificial intelligence software learn to pick out people? By training on hundreds of thousands of publicly available images you and others upload to social media. That’s according to a news story this week by the Financial Times. Software companies, governments and universities have been scooping up images to create huge databases of pictures for training facial recognition software. Often these databases are available for commercial companies to use for training their facial recognition software.
Usually people aren’t asked for permission to use their images or likenesses. That’s one of the problems with the web: If information is publicly available, it can be used by someone for a non-commercial purpose. In this case, software companies aren’t selling your picture, they’re using it for training. You agree to the non-commercial use of your image when you upload it to Facebook, Flickr, YouTube, Instagram or wherever. One way to make sure photos of yourself, relatives or friends that you upload aren’t used this way is to make sure your social media sites are restricted to private. In other words, they can only be seen by people you approve.
This is worth thinking about. There’s a link to the full article here.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.