Friday Five: 2/1 Edition
Apple vs. Facebook, Ohio's Data Protection Act, and India's largest bank exposes the data of millions - catch up on some of the week's biggest infosec news with this roundup!
1. Facebook Is Paying Teens to Install a 'Research' App That Lets It Monitor Their Phones by Tom McKay
What has to be one of the biggest stories of the week came Wednesday, when Apple shut down Facebook's ability to distribute internal iOS apps after it came to light that the company was exploiting a loophole in Apple's enterprise developer program, which is meant only for distributing apps to a company's own employees, to essentially harvest data from teenage users. The app, which Facebook paid users $20 a month to keep on their phones, appeared to be a reskinned version of Facebook's Onavo, a VPN of sorts that Apple banned from its App Store last year after it violated Apple's policies. Apple gave Facebook the boot, revoking its iOS enterprise certificate for roughly 30 hours as punishment; because every app signed with that certificate stops launching once it is revoked, the move also knocked out Facebook's legitimate internal apps for the duration. Apple did the same thing to Google on Thursday after it emerged that Google, remarkably, had been doing much the same thing with a private app dubbed Screenwise Meter. Google apologized and disabled the app Thursday. Gizmodo's article does a good job aggregating the news here, but if you're looking for more coverage, you're going to want to read the pieces by TechCrunch's Josh Constine, who broke the news.
2. Criminals Are Tapping into the Phone Network Backbone to Empty Bank Accounts by Joseph Cox
It's not that we set out to include a Motherboard story here every week; it's just that pretty much every week the publication manages to crank out a fascinating story that commands the infosec world's attention. This week's piece documents attackers successfully exploiting weaknesses in SS7, the signaling protocol suite carriers use to set up and route calls and text messages between networks, to intercept victims' SMS messages. While these attacks are nothing new, what's interesting is that the article says the UK's Metro Bank fell victim to one. "We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA)," the National Cyber Security Centre told the publication. For the uninitiated, the attacks involve intercepting the two-factor authentication codes banks send by text, so that attackers who already have a user's username and password can enter the codes themselves. The practical takeaway is the one NIST SP 800-63B has made since 2017 by classifying SMS as a "restricted" out-of-band authenticator: an attacker who holds the password needs access to the carrier network, not the victim's phone, to capture an SMS code, so an authenticator app or a hardware security key is the better second factor.
3. Ohio’s 'Data Protection Act' can shield higher ed against breach lawsuits by Joanna Grama
We've documented on the blog before just how in flux state data protection laws can be. Here's a good read on the benefits of one we hadn't heard of, the Ohio Data Protection Act, which went into effect last November. The piece, via Scoop News Group's EdScoop, explains that Buckeye educational institutions can raise an "affirmative defense" against tort claims alleging that a data breach resulted from a failure to implement reasonable security controls, as long as the university or other organization has a written cybersecurity program that reasonably conforms to a recognized industry framework, such as NIST's Cybersecurity Framework. Note that it is a defense to be argued in litigation, not immunity from a lawsuit, and it does nothing to lessen breach notification obligations. "Higher education institutions can take maximum advantage of the new law by adopting a unified compliance approach for their cybersecurity programs," Joanna Grama, a senior consultant for Vantage Technology Consulting Group, wrote Monday.
4. India’s largest bank SBI leaked account data on millions of customers by Zack Whittaker
On Thursday the State Bank of India denied that its customers' data had been leaked, a day after a TechCrunch report alleged that data belonging to millions of its customers was being stored on a server with no password protection. The publication, with the help of an unnamed researcher, discovered that the back end of SBI Quick, a text message and call based service for balances and recent transactions, could be accessed by anyone who found it. The exposure could have allowed anyone to see text messages to customers in real time, along with their phone numbers, bank balances, recent transactions, and even partial bank account numbers. The server was secured after TechCrunch reached out to SBI and to India's National Critical Information Infrastructure Protection Centre. The bank told The Economic Times that it's continuing its investigation but that customers shouldn't worry about their data.
5. Facebook Hires Up Three Of Its Biggest Privacy Critics by Emily Dreyfuss