At a glance.
- Oversharing when staging a property?
- Selfie risks, again.
- The privacy risks of airline boarding passes.
- Update on a third-party risk.
In real estate, pipes aren’t the only things that leak.
As if the current housing market isn’t complicated enough, a real estate agent in the UK is under fire for exposing a homeowner’s personal data in a virtual 3D house tour, the Daily Mail reports. The video, which appeared on realty website Rightmove and was provided by Fowlers real estate agency, included unblurred images of the homeowner’s family as well as insurance and financial documents bearing sensitive information. The blunder was discovered by Carole Theriault of the podcast Smashing Security, who points out that home images can provide a wealth of information for cybercriminals: “It's a treasure trove of private data — a veritable goldmine for identity thieves, phishers, you name it.” When approached about the finding, Fowlers owner Philip Fowler explained that the incident was just an oversight, as they ask homeowners to remove any identifying information from images before submitting them. “We take our client's privacy very seriously and ask each vendor who agrees to have a tour to check it through before launching specifically to avoid this sort of thing and check them through ourselves as well.” The agency has promised to be more careful in the future and has removed the tour in the meantime.
That selfie might be double-exposed.
A selfie might seem like an innocuous bit of narcissism, but cybercriminals are using them to nab more than a great profile pic. Yahoo details several online scams that aim to steal personal info contained in a virtual portrait. One phishing operation tricks the victim into thinking they’ve won a prize, but in order to claim it, the “winner” must send a photo of themself with their ID card, providing the thief with everything necessary to steal the target’s identity. Another email scheme convinces the recipient that they can “verify” their social media account -- earning that much-desired blue checkmark that proves to the digital world that they are who they say they are -- if they simply click on the link and complete an online form that requests a selfie as well as a host of identifying data. Other similar scams dangle the promise of a stimulus check or tax refund as bait. Security expert Melanie Musson advises always checking the email’s “from” field to verify that the message comes from a genuine source. “If that reads [social media site] followed by number or anything else besides [social media site].com, red flags should start flying.” In general, government or financial institutions will never request a photograph online as proof of identity. When in doubt, visit the organization’s authentic website to request confirmation.
Skies more fiendish than friendly.
So, if we're returning to air travel as we emerge from the pandemic, are there privacy issues we ought to bear in mind? Here's one, from a few years ago when we were relatively footloose and fancy-free, able to fly and confident in the availability of toilet paper. It's worth recalling that a boarding pass can provide a cybercriminal with a one-way ticket to your private data, USA Today reported. The barcode on a boarding pass can be decoded using a barcode reader website -- easily accessible to anyone with the internet -- and the seemingly random series of stripes contains private data like the passenger’s name, phone number, frequent flier number, and flight info. This information is enough for a cybercriminal to access the passenger’s airline account, where payment info is likely also available. Travel tip: once you’ve deplaned, make your way to the baggage claim and a shredder.
ParkMobile third-party breach update.
Online parking payment platform ParkMobile disclosed that it suffered a data breach last month, and now it’s following up by releasing an update. Among the compromised data were license plate numbers, email addresses, phone numbers, and in a few cases, mailing addresses, depending on the information the user had provided. Encrypted passwords were also exposed, and though the encryption key was not stolen, users have been advised to consider changing their login credentials. The source of the breach was a vulnerability in third-party software.
Demi Ben-Ari, Co-founder and CTO of Panorays, commented on this incident as a representative case of third-party risk:
“With the rise in third-party breaches, it's not even safe to park your car anymore! But seriously, there is literally no industry that is exempt from vulnerabilities due to third parties, and the problem is only going to get worse as we continue to appify services and move our lives online. The ParkMobile app is just the latest example of a third-party vulnerability that wreaked havoc on customers' private data. The truth is that everyone -- all apps, all services, all companies -- everywhere has to take steps to mitigate cyber risk when working with their vendors. That means continuously assessing, monitoring, and remediating risk to ensure that vendors align with your internal security controls, regulations, and risk appetite.”