The beginning of the year brought a mix of good and bad news - 2019 Quarterly Roundup #1

April 10, 2019
3 minutes read
Category: Security
Author: IPification Team

The first quarter of 2019 was filled with interesting news from around the world related to user security, data breaches, and digital and mobile identity. Based on this quarter alone, we can anticipate that the whole year will be very dynamic from a security standpoint.

Facebook’s Password Breach Among Many Other Issues

Facebook has had many security issues over the past few years. But recently, the company admitted that they stored passwords of more than 600 million users in plaintext since 2012. These passwords were accessible by up to 20,000 employees and at least 2,000 employees searched through the files containing passwords (for unknown reasons).

On top of that, Facebook actually discovered the breach months ago, but they wanted to keep it quiet. However, they were forced to admit it publicly after this information was leaked.

And this was just the latest in a string of security issues at Facebook, which goes to show that we need to protect our data.

In February we also saw Facebook collecting personal information from many popular smartphone apps, even from individuals that don't use Facebook. And let’s not forget that Facebook used phone numbers to target users with ads. People that gave Facebook their phone numbers for two-factor authentication had those numbers abused to allow advertisers to target them.

Even Apple banned Facebook’s research app that collected users’ personal information, which was against Apple’s privacy guidelines made in 2017. The app allowed Facebook to track users’ app history, private messages, and location data.

This happened because Facebook took advantage of Apple’s Developer Enterprise Program, which allows Apple partners to test and distribute apps specifically for their own employees. Facebook used this program to pay non-employees up to $20 per month to download the research app without Apple’s knowledge.

Google Getting Rid of Harmful Apps

Speaking of smartphone application stores, we recently released a blog post about secure mobile authentication for apps on both the Google Play and Apple Store. However, many have managed to bypass the rules for application development.

Google started getting rid of harmful Android apps from their store. Their Google Play Protect, Android’s AI-driven built-in defense mechanism, has helped cut down on the number of potentially harmful applications. Play Protect prevented almost 1.6 billion app installation attempts from outside of Google Play in 2018.

Additionally, they put in alerts from Google Play that warn users about mobile unwanted software apps that aren’t exactly malware, but still collect data like phone numbers, email addresses, info about installed apps, and third-party account data.

Malware Still Manages To Get Into the Google Play Store

Even though Google is working on getting rid of malware apps, many manage to slip through. For example, a Motherboard investigation revealed that more than 20 Android apps in the Google Play Store were actually spyware made for the Italian government.

And other researchers have found mobile adware hidden in hundreds of Android apps that were downloaded more than 150 million times from Google Play. The malware disguised itself as an ad-serving platform and it infected more than 200 apps by opening a backdoor to install additional malware. This way, they were able to outsmart and bypass Google’s app store scanning.

A free weather app called World Weather Accurate Radar was downloaded more than 10 million times, only to collect unusual amounts of information from its users. The data collected included email addresses and mobile ID numbers and was sent to servers based in China.

But, they will not go unpunished for these actions.

Musical.ly, a lip-dubbing app that was added to the video app TikTok last year, had to pay $5.7 million to the Federal Trade Commission because of the allegations that it collected personal information from children under the age of 13 without parental consent.

New SIM scam and first SIM hijacking sentence

SIM swapping and related scams have been on the rise over the years.

Tampa Bay area residents recently got a warning about a new scam that targeted phone owners. Scammers would cold call people or get their email or phone number, pose as customer service wanting to check whether the user was a victim of fraud, send them a verification code through a legitimate Verizon website, and gain access to the user’s phone as soon as they read the code.

But this year, we also got to see one of the SIM hijackers getting sentenced. Joel Ortiz pleaded guilty to stealing over $5 million in cryptocurrency, and was sentenced to 10 years in prison.

This is the first jail sentence any SIM hijacker has received, which will set a harsh precedent for future convictions. Soon, more will follow, as several others have been arrested in recent months, including those that were a part of larger crime rings.