Takeaways from the Apple and Snapchat Photo Breaches – Blame the Companies, not the Users

October 13th 2014

This hacking is getting out of control... Last month, reports emerged about the mass theft of nude and semi-nude photos from the private accounts of various celebrities using Apple’s services.

Now, it’s users of the photo sharing app Snapchat whose risqué pictures are on display. Reports indicate that 100,000 personal pictures and videos have been stolen and posted publicly. Many of these are images of partially or fully undressed minors, which fall into the category of child pornography.

Besides the – apparently not-so-obvious – suggestion that storing, posting, or sharing risqué photos online is never a good idea, there are some other takeaways for everyone to consider.

But first, here’s a quick look at each of these examples.

In the case of the celebrity incident, Apple said the hack was not due to a breach in any of Apple’s services, but rather from a targeted attack against celebrities that focused on finding their user names, passwords and answers to their security questions.

In other words, Apple says it’s the user’s fault, and posted the following advice: “To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.”

In the emerging Snapchat exposé, it seems the company has taken a page from the Apple handbook by acknowledging the hack, but asserting that it’s the users’ fault because they sent their photos through or to outside apps. Again, ‘it’s the users’ fault’. In a statement to VentureBeat, Snapchat said, “Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security.”

For Snapchat users, this follows on the heels of two other incidents. The first incident, at the end of last year, involved a true hack of Snapchat (instead of a 3rd party app) that exposed the user names and phone numbers of 4.6 million account holders. Then, in May, Snapchat was forced to acknowledge in an FTC settlement that they deceived consumers when they claimed that users’ photos and videos actually ‘disappear forever’ and that user images ‘aren’t saved’. The company was also found at fault for a slew of other misrepresentations.

Who should know more about securing data, consumers or technology companies?

Digging deeper into the ‘blame’ game raises concerns regarding corporate responsibility, and about building consumer-facing products with consumers’ best interests at heart.

Looking at Apple’s comments, they cited consumers’ weak passwords, lack of 2-step authentication, and social engineering for the celebrity hacks.

  • Why does Apple allow users to create weak passwords? Companies know users struggle with this, so why aren’t they helping users out with tips, suggestions – and requirements for strong passwords that won’t easily be hacked? Learn more: Password Perfect – Make Strong Passwords Every Time
  • Why doesn’t Apple require 2-step authentication? Most users don’t see the opportunity, or understand the need, for stronger authentication, but the company does understand this. So, why have they not helped users by making this mandatory? Learn more: Two-Factor Authentication Is Only as Strong as YOU Make It.
  • Why does Apple use insecure security questions?  An insecure question is one where a hacker can easily collect the information – either through a search on records, or by social engineering for answers to known questions.  It is far safer to have users come up with their own questions so a social engineering hacker can’t know what to ask about, and give users advice about strong questions and very private answers.

In the case of Snapchat, consumers had every reason to believe their images disappeared after 10 seconds. They were specifically told that the company did not store the images, and they weren’t informed that their images and videos were accessible to others through means that allowed recipients to retain the images.

  • Why did Snapchat allow 3rd party apps access to receive images from their service? If Snapchat knew that this posed a risk to their users, allowing this access is outrageous – as is failing to adequately warn their customer base.
  • If they weren’t going to block access to/from 3rd party apps, why didn’t Snapchat alert users if their images were about to be sent to a 3rd party app? They could have easily created an alert that would pop up and warn users that the images would not disappear, explain the risk, and ask the sender if they wish to continue.
  • Snapchat, like all online companies, knows that most users don’t read their Terms of Use – particularly when using a small form factor like a phone. So scolding users for failing to read the fine print in their Terms of Use where it warns against 3rd party apps is ridiculous. If they really wanted to warn users, they would make their warnings prominent where users would actually see them.

Technology companies own the responsibility in these incidents

Yes, consumers should take greater security precautions, but technology companies own the real responsibility in these incidents. If they had truly built products with consumer privacy, security, and safety as core requirements, their consumers wouldn’t be in the positions they find themselves.  Both cases represent breaches of personal images, but they also represent far greater breaches of consumer trust.

Understanding the Potential Risks in Embedded Images: Why Doesn’t My Email Automatically Download Images and Graphics?

Here is one customer’s question that has relevance to everyone.

You know those emails you receive that show empty squares where images or graphics would be displayed? The ones where to see the images you have to click a link that usually says something like “to view images, click here”?

Like the customer with this question, many of you probably wonder why the images aren’t automatically displayed, and perhaps find it annoying to have to click the link to see them.

Don’t be annoyed, this is a critical service that protects your privacy and devices.

Most email clients do not automatically download the graphics or images embedded in an email to protect you from several potentially negative or harmful outcomes (see #1 in the graphic below).

Unfortunately, many consumers don’t understand the risks and simply click the links (see #2 in the graphic below) to download the images or graphics without weighing the consequences.

Here’s what you need to know

Graphics and images embedded in an email frequently carry web beacons (also called tracking bugs, tracking pixels, pixel tags or clear gifs[i]) that are designed to relay a message back to the sender letting them know that the email account is legitimate and that the recipient opened it.

While legitimate companies use this technique to gauge the effectiveness of their email campaigns, spammers rely on information returned by these images to locate active e-mail addresses to target with spam and phish in the future, and to sell to others who want to spam and phish you. In addition they use a number of techniques to identify where you live (to customize their scams), the type of device used (to target malware), to see if you forwarded the message to someone else (to spam and phish them), and so on.

In other cases, the email may not be self-contained.  When you click to view images, the email may pull the content or images from a server, rather than include the content directly. When an email client or web browser prepares such an email or web page for display, it ordinarily sends a request to the server to send the additional content[ii].

In both cases – where images or graphics are downloaded, or where the content is pulled into the email from a server – malware may also simultaneously be downloaded to your device.
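As an added example (not code from the original post), here is the check a privacy-protecting mail client can run on an HTML message before drawing anything: every image is classified as inline (already inside the message, no request), remote (one request to the sender’s server) or a likely web beacon, and remote fetches are neutralised until the reader opts in. The sample message, the example.invalid domains and the beacon heuristics (1x1 size, hidden style, per-recipient token) are constructed assumptions.

```python
# Added example (not the original post's code): classify <img> tags in an HTML email the way a
# "don't download images" protection does, then rewrite the body so nothing remote is fetched.
import html
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs
class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser already lowercases tag and attribute names
            self.images.append({k: (v or "") for k, v in attrs})
def _is_tiny(value):
    """True for a width/height of 0 or 1 pixel, the usual size of a tracking pixel."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1

def classify_images(html_body):
    """Return [(src, verdict, reasons)] with verdict in {'inline', 'remote', 'beacon'}."""
    parser = _ImgCollector()
    parser.feed(html_body)
    results = []
    for img in parser.images:
        src = img.get("src", "")
        url = urlparse(src)
        if not src or url.scheme.lower() in ("cid", "data"):
            results.append((src, "inline", []))  # carried inside the message, nothing to fetch
            continue
        tiny = _is_tiny(img.get("width", "")) and _is_tiny(img.get("height", ""))
        style = img.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        # A long opaque query value is how the sender ties this one request to one recipient.
        tokened = any(len(v[0]) >= 16 for v in parse_qs(url.query).values())
        reasons = [name for name, hit in (("1x1 size", tiny), ("hidden by style", hidden),
                                          ("per-recipient token in URL", tokened)) if hit]
        results.append((src, "beacon" if reasons else "remote", reasons))
    return results

def block_remote_images(html_body):
    """Rewrite the body so no remote image is fetched until the reader opts in."""
    out = html_body
    for src, verdict, _ in classify_images(html_body):
        if verdict != "inline":
            for form in {src, html.escape(src, quote=False)}:  # the parser unescaped &amp;
                out = out.replace(form, "data:,")
    return out
# Constructed sample message: one inline logo, one tracking pixel, one ordinary remote banner.
SAMPLE_EMAIL = """<html><body><p>Your order has shipped.</p><img src="cid:logo@example.invalid" width="120" height="40">
<img src="https://mail.example.invalid/open?rid=8f3c1b2e9d4a7c6f5e2b1a0d" width="1" height="1" style="display:none">
<img src="https://cdn.example.invalid/banner.png" width="600"></body></html>"""
```

Running classify_images(SAMPLE_EMAIL) flags only the 1x1 hidden image with the long rid token as a beacon; block_remote_images leaves the cid: logo alone and replaces both remote sources with an empty data: URI.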

Always approach images and graphics in email with caution!

To protect yourself and your devices, the best defense against potentially intrusive or downright malicious web beacons is to prevent any pictures or graphics from downloading until you’ve had a chance to review the message.  When in doubt, delete the message.

When you know an email is from a company or organization you trust, you can select the option to always download images (see #3 in the graphic) from the sender; just double check to be sure that the email is from the legitimate source.

[i] https://en.wikipedia.org/wiki/Web_bug
[ii] https://en.wikipedia.org/wiki/Web_bug

Cyber Alert! Is that App a Fake?

There’s a new breed of malware designed to look like popular social network apps. These lookalike apps fool consumers into sharing personal information so criminals can exploit their data.

In the first eight months of this year, more than 15,000 fake apps have affected more than 100 million users across all the major social networks, with Facebook being the most vulnerable site with 8,107 imposter apps detected, according to researchers at the Cheetah Mobile Threat Lab. Continue reading

Don’t Get Hooked by Malicious Social-Media Phishing Schemes

Frequent Facebook users, beware. A new study shows those logging heavy Facebook time and accumulating large numbers of friends are more susceptible to social-media phishing attacks, which criminals use to gather potentially useful personal information.

The study, published in August 2014 in the Journal of Computer-Mediated Communication, notes that Facebook power-users are more likely to respond to requests without considering who is sending the request, how they are connected to them, or who else may be connected to the requesters. Continue reading

Rollout of Credit/Debit Cards with Embedded Security Chips a Major Win for Consumers, but, We Need More

Europeans, Mexicans and Canadians have been using credit and debit cards with embedded security chips for several years, but this level of protection has only recently started to roll out in the U.S., and the transition may not be as fast as we’d prefer.

According to an article in Forbes, by the end of 2015, only 70% of U.S. credit cards and 41% of U.S. debit cards will have exchanged the magnetic strip for the newer security chips. This slow shift away from magnetic strip cards means U.S. citizens’ financial accounts continue to be more lucrative targets for criminals. According to Julie Conroy, research director in retail banking at Aité Group, “the fraud rate has doubled from 5 basis points to 10 basis points [in the U.S.]. It speaks to the fact that criminals are targeting the U.S. because we are the weakest link in the chain.” Continue reading

October Observance Highlights Our Collective Responsibility for Cyber Security

National Cyber Security Awareness Month, sponsored in part by the U.S. Department of Homeland Security, kicks off in October. The launch of this observance is a good time to reflect on how, as Internet users, we can make our online experience just a little safer and more secure.

As part of this effort, the Stop.Think.Connect. Campaign was created with the help of DHS to increase the understanding of cyber threats and empower the American public to join in the shared responsibility for cyber security. Continue reading

The Convenience of “Internet of Things” Comes with Some Risky Strings Attached

If you’re not yet familiar with the term “Internet of Things,” chances are that you’re already playing a role in it. Millions of homeowners and consumers are links in the Internet of Things (IoT), which encompasses billions of objects accessed, managed and monitored through the internet – devices and sensors, cloud-based infrastructure and data tools used daily.

It includes household items from electronics, appliances, fitness bands and smartwatches to thermostats, security systems and garage-door openers. Continue reading

Latest Malware Attack on U.S. Retailer Reinforces Need for Consumer Vigilance

Yet another reason to carefully and frequently check your bank and credit-card accounts surfaced recently, when the Department of Homeland Security issued an August 22 advisory about a point-of-sale-skimming malware package known as “Backoff.” It is suspected of enabling cyber theft of consumer payment information contained in millions of transactions.

The advisory estimates that this recently discovered variety of infection has affected approximately 1,000 U.S. businesses of all sizes – and many may not yet be aware of the security compromise because until recently it was undetectable by antivirus programs. Continue reading

Consumer Reporting of Cybercrime a Key Weapon in Battle Against Online Fraud

Cybercrime is all too real, particularly when almost-daily headlines casually announce the latest triumph for online hackers and fraudsters. But their illegal activities often are not treated as crimes by victimized consumers.

When a home or business is burglarized and property is stolen, it’s almost certain to be reported to law enforcement authorities – in the hope that the crime will be investigated or even solved. But when computers are hacked, personal data are stolen or fraudulent activity occurs online, many consumers may not take the same follow-up action. Continue reading

Back-to-School Internet Lesson: The difference between Search and Research

One of the things that frequently trips up students of all ages is evaluating the content they find online: is it accurate? Is it old? Is it malicious? Or is it trying to sell or persuade me?

There is a real difference between entering some key words or phrases in a search engine and actually researching something. Continue reading