Pete Recommends – Weekly highlights on cyber security issues, September 4, 2021

Subject: Expired Driver’s Licenses Open Lane for Cybercriminals
Source: Nextgov

Fraudsters send out texts or emails falsely warning that the target’s license needs to be updated, is missing information or is expiring.

Driver’s license phishing scams designed to steal people’s identities have been popping up across the U.S., according to state motor vehicle agencies.

Fraudsters send out texts or emails falsely warning that the target’s license needs to be updated, is missing information or is expiring. If the person clicks the link, it typically opens a Google Forms spreadsheet requesting personal information such as a Social Security number and date of birth.


Subject: States press forward on vax passports without Biden’s guidance
Source: Politico

A growing number of states are rolling out digital credentials commonly known as vaccine passports and taking on an initiative the Biden administration signaled this spring that it would own by issuing nationwide standards.

California, New York and Louisiana are deploying SMART Health Cards developed by the Vaccination Credential Initiative, a consortium of health and technology companies that includes Apple, Microsoft and the Mayo Clinic. At least a half dozen other states are considering adopting the credentials, according to people familiar with the effort.

If enough states embrace the technology, it could become a de facto nationwide standard and relieve the Biden administration of having to lay out federal requirements for domestic purposes. But experts worry that a lack of federal guard rails will result in a confusing patchwork of unregulated and unreliable tools for verifying vaccination status — further complicated by regions where they’re off limits. Conservative governors in states like Florida, Texas, Arizona and Georgia have already issued orders banning the passports.

The standard CDC vaccination cards lack a scannable QR code that could help verify their authenticity. There’s also no national vaccination database, leaving businesses and others requiring proof of vaccination relying on an honor system, said Mullen, adding the cards may have been hastily designed amid the push to get vaccines in as many arms as possible amid a winter Covid surge.

Rebecca Coyle, the executive director of the American Immunization Registry Association, said broad adoption of SMART Health Cards could fill the void left by the federal government. There can’t be “endless” standards, and the private sector is in a position to act faster than the federal government, she said.
Filed Under:

Subject: FBI-CISA Advisory on Ransomware Awareness for Holidays and Weekends
Source: CISA

Today, the Federal Bureau of Investigation (FBI) and CISA released a Joint Cybersecurity Advisory (CSA) to urge organizations to ensure they protect themselves against ransomware attacks during holidays and weekends—when offices are normally closed.Although FBI and CISA do not currently have any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday, malicious cyber actors have launched serious ransomware attacks during other holidays and weekends in 2021. The Joint CSA identifies both immediate and longer term actions organizations can take to protect against the rise in ransomware…

Subject: No, Coinbase Wasn’t Hacked, This Time
Source: Gizmodo

The cryptocurrency platform accidentally told tens of thousands of users that their two-factor authentication settings had been changed.

“Your 2-step verification settings have been changed,” the alert, which was sent out Friday afternoon via email and SMS text, read. The messages went out to 125,000 users, almost certainly leading many to believe that their accounts had been hacked.

On Saturday, Coinbase announced via Twitter that the messages that had been sent had no basis in fact.

However, this weekend’s false alarm was probably made worse by the fact that Coinbase has been having problems with actual account hacks lately. CNBC reports that numerous customers have recently expressed outrage at the company, after their crypto was stolen in hacking incidents and Coinbase essentially brushed them off.


Subject: Here Are the First 8 States Getting ID Support in Apple Wallet
Source: Gizmodo

The states will soon begin verifying state-issued IDs uploaded to the Apple Wallet, for use at select TSA checkpoints.Apple wants to hold all of our most important stuff in the Apple Wallet: a tempting offer we’re declining for now because we don’t need the pain of losing the phone compounded with also losing our credit cards, house keys, and car keys. But if you’re willing to roll the dice, Apple has announced that eight states are giving the project a governmental stamp of approval by verifying scans of drivers’ licenses and state IDs.
Apple has already allowed users to scan their drivers’ licenses to add to the Wallet, but the states—Arizona, Georgia, Connecticut, Iowa, Kentucky, Maryland, Oklahoma, and Utah—will soon authenticate state-issued ID uploads along with a selfie and facial verification with head movements. If approved, Apple Wallet holders will soon be able to use at select TSA checkpoints with touchless readers

It seems likely that Apple’s well on track to federal approval. TSA Administrator David Pekoske is quoted as saying that this “new and innovative” storage method “marks a major milestone by TSA to provide an additional level of convenience for the traveler by enabling more opportunities for touchless TSA airport security screening.” According to Apple, the TSA will start installing touchless identity readers which will pick up only the “the required information,” meaning that they won’t have to hand over their phones to airport security agents. Apple said that states will release more information in the coming months about which TSA checkpoints will begin accepting the Wallet ID. The TSA was not immediately available for comment.

Subject: SpyFone barred from selling stalking apps that secretly monitor phone activity
Source: FTC Consumer Information

Phone monitoring apps designed to avoid detection by the owner of the phone don’t just invade your privacy — they make it possible for stalkers and domestic abusers to track the location of the person they are targeting in real-time.Stalkerware apps can give an abuser secret access to their target’s location, phone conversations, text and email messages, and photos. Some can even take pictures, turn on the microphone to record calls, and send commands by text to make the phone vibrate or ring.

The FTC sued a stalkerware app company Support King, LLC, which operated as, and its CEO Scott Zuckerman. SpyFone, the company’s app allowed users to secretly track another person’s mobile device. The FTC says the company secretly harvested and shared data on people’s physical movements, phone use, and online activities through a hidden device hack. According to the FTC, SpyFone failed to ensure people were using the app for legitimate purposes and didn’t protect the information it collected, allowing stalkers or domestic abusers to stealthily track their potential targets and exposing device owners to hackers, identity thieves, and other cyber threats.

For more information, check out the National Network to End Domestic Violence’s technology safety tips. For more help contact the National Domestic Violence Hotline at or 1-800-799-SAFE.

Subject: Fraud Alert: Malicious QR Codes Now Used by Online Scammers
Source: Delaware Valley Consumers’ Checkbook

You see them everywhere—on restaurant menus, in newspaper and magazine ads, on billboards, product packages, business cards, and at the checkout counter. Quick Response (QR) codes have been around for decades, but they were rarely used for consumer transactions before the pandemic.These strange-looking black-and-white squares—developed by a Japanese company in 1994 as an inventory-control technology—can hold significantly more information than the standard bar code.

Once scanned and clicked, a QR code takes you to a website (the URL is embedded in the image) to place an order, make a payment, download coupons or apps, or learn about new products and services.

The rapid acceptance of QR codes has been good for retailers, but it’s also provided cyber criminals with a powerful new tool.

“The more people start using QR codes, the more of an opportunity it creates for attackers,” said Lorrie Cranor, director of the CyLab Security and Privacy Institute at Carnegie Mellon. “Most of the time, the QR code takes you to whatever website you thought you were going to, but sometimes you wind up going to a phishing website or a website that’s full of viruses or malware.”

Here’s how to play it safe:

“In the past few years, bad guys are using SSL [secure] connections for their malicious websites, so just looking for a lock is not sufficient anymore,” Budd told Checkbook. “You have to click on the lock to find out what server you are actually connecting to.”

Subject: Twitter Has Some Big Privacy Changes It Would Like to Test on You
Source: Gizmodo

In an effort to get more people onboard with their whole sharing-intimate-thoughts-and-opinions-with-strangers-on-the-internet thing, Twitter plans to trial a host of new features that will allow for greater privacy customization.The functions, which give users more control over who sees what, when, and how, are based on internal company research that suggests certain people are reticent to tweet because they’re uncomfortable with who can view or follow them, according to a report from Bloomberg.

“When social privacy needs are not met, people limit their self-expression,” a researcher at Twitter, Svetlana Pimkina, said. “They withdraw from the conversation.” Thus the new tools are designed to keep users feeling safe and, therefore, engaged.


Subject: Tips for Victims of Unemployment Benefit Fraud
Source: The New York Times

Have you received an unsolicited debit card in the mail? Or a letter seeking extra details for an application for unemployment insurance that you don’t recall filing?You may be among the thousands of people who have fallen victim to unemployment-related identity fraud. The problem emerged last year as state employment systems were straining to process a crush of claims during the coronavirus pandemic. The fraud persists even as the authorities try to crack down on it and as expanded pandemic unemployment benefits are set to expire, identity theft experts say. The authorities estimate that billions of dollars in unemployment aid have been lost to improper payments and fraud.

The federal government announced plans in August to modernize state unemployment systems to help reduce fraud. But it remains too easy for criminals to pilfer personal information elsewhere and use it to steal someone’s identity, Ms. Land said.

The schemes often direct payments to online bank accounts or to debit cards, which many states use to pay jobless benefits. The cards are usually mailed to an address where the criminals or their accomplices can receive them. A man in Michigan was charged last year with using stolen identities to receive about $150,000 in fraudulent benefits from the state of Pennsylvania. He is accused of having debit cards mailed to addresses in Michigan, withdrawing the cash from A.T.M.s and using some of the money to buy a $45,000 Rolex watch. A lawyer for the defendant said he had not yet entered a plea in the case, which is pending in Michigan federal court.

What should I do if I receive an unsolicited debit card or benefits letter?

The Federal Trade Commission recommends reporting the fraud by contacting the state agency that sent the letter or card. Then, follow the agency’s instructions. You’ll probably be directed to file a police report with your local department and submit a copy to the state work force agency. The F.T.C. also suggests informing your employer. Keep copies of the documents you submit and any responses you receive.


Posted in: Cybercrime, Cybersecurity, Privacy, Social Media