Loose Leaf Security Weekly, Issue 20

"Skimmed" may be what you're looking for when selecting milk for your tea, but probably isn't something you want to hear happened to your credit card. We talk about skimming attacks in our episode "Credit and debit card security," but since a similar attack has been making the rounds lately, we figured today's newsletter would be a good time to highlight one of our favorite tips for minimizing damages if your card number gets stolen.

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

Tip of the week

Most credit and debit cards have a way to notify you for each transaction. If your card has a mobile app, it almost certainly has this feature, and if not, you can usually sign up for email or text message notifications on your card's website. (If you opt into text message notifications, don't trust phone numbers or links in those messages - SMS messages are easily spoofed. If you can, look up your bank's phone number yourself and call them instead of replying, too.) The faster you know about your card being misused, the more likely you can get the charge reversed and stop further misuse …

Loose Leaf Security Weekly, Issue 19

The weather's getting just a bit warmer where we are, which means we usually don't need to wear gloves anymore. "Touchscreen gloves" with capacitive fingertips are handy, but not totally accurate, and it's annoying when you mistype your passcode enough times for your phone to say, "Try again in one minute." This feature is intended to frustrate automated cell-phone-cracking devices like Cellebrite's UFED, a favorite tool of the NYPD and perhaps the Hong Kong police, but it's occasionally frustrating to the actual phone user, too. (This happened to Geoffrey recently on a subway platform - by the time the minute passed, the train came and it was warm enough that he could take his gloves off.)

Tip of the week

A long passcode is your best bet for keeping the contents of your phone private. Fingerprint-based and face-based unlocking mechanisms are regularly compelled by law enforcement agencies, but biometric unlocking methods aren't just vulnerable to law enforcement. A physical attacker can place your finger on your phone or hold your phone in front of your face relatively easily, and they probably don't even have to be forceful: there …

Loose Leaf Security Weekly, Issue 18

It's been a busy week in security news, with another reason to avoid SMS-based two-factor authentication and another reason to apply software updates as soon as you can - even on your cable modem. There's good news too, though: ad tracking has gotten significantly less effective, and Google has introduced a new way to secure your account. Also, waiting for software updates is the perfect excuse to make a pot of tea.

Tip of the week

One of our stories this week is new research about ways that attackers can trick your cell phone company into moving your account over to their device, an attack often called "SIM-swapping" or "SIM-jacking." Even apart from this risk, there are good reasons to prefer non-SMS-based two-factor authentication methods. The SMS protocol itself is insecure, and it's not outside the realm of possibility that an attacker could eavesdrop on a text message being sent to you. (We haven't seen any websites offer to send two-factor codes via end-to-end encrypted protocols like iMessage or Signal.) For methods other than SMS, you're usually able to set up multiple two-factor authentication mechanisms …

Loose Leaf Security Weekly, Issue 17

Happy 2020! Neither of us is particularly the type to make New Year's resolutions, which makes sense since security is a year-round, all-the-time concern. Let's get to it.

Tip of the week

Right before the holidays, we talked about keeping your devices safe if you must charge them via untrusted connections. For iOS users, there's one more setting worth disabling to keep your device safe from both untrusted chargers and automated cell phone decryption devices like Cellebrite's UFED or Grayshift's GrayKey: in the Settings app, under "Touch ID & Passcode" or "Face ID & Passcode," make sure that "Allow Access When Locked" for "USB Accessories" is disabled. This prevents your iPhone or iPad from making any sort of connection to a USB device plugged into it while the phone is locked, preventing such a device from trying to attack your phone. (Your phone can still charge, and audio connections over Lightning still work.)

Forbes recently found a search warrant where police were able to use a GrayKey to get data from an "iPhone 12.5" - apparently a reference to the internal model number of …

Loose Leaf Security Weekly, Issue 16

Last night was the solstice, the longest night of the year. Over the next six months, the days will get longer - unless, of course, you're in the southern hemisphere, where it was the summer solstice, the shortest night of the year. Still, day or night, there's never a bad time for security.

Tip of the week

With lots of people traveling over the winter holidays, it's a good idea to think about what information is available on your phone's lock screen versus what can only be accessed behind your passcode. In particular, if you use mobile boarding passes, it's worth putting them in Apple Wallet or the passes section of Google Pay so that you don't have to unlock your phone and expose the rest of its contents for an agent to scan your ticket.

Notifications can also expose sensitive information, and it's worth thinking about whether the convenience of email and message previews is helpful or a liability. On iOS, Settings > Notifications > Show Previews allows you to choose the default setting for when apps show more than just the …