- Your Security Checklist
- Test Your Security Skills
- Your Weekly Security Update
- This Should Be on Your Radar
- Security Fail of the Week
- Security Updates from Apple
If you take nothing else from this newsletter, do these three things to protect yourself:
- Lock sensitive apps behind Face ID. You can set apps on your iPhone to only open with Face ID or your iPhone passcode, preventing others from accessing your sensitive data.
- Remember, you can always manually save passwords. If your password manager fails to automatically save a specific password, you can always manually enter the details. Here's how to do it in the Passwords app.
- Encrypt your iCloud data if possible. Advanced Data Protection is a feature that encrypts your iCloud data, making it completely inaccessible without your Apple Account password.
In case you missed it, be sure to check out our free class on cybersecurity for Apple enthusiasts.
What should you do in the following scenario?
You receive an official-looking letter which states that your Social Security number has been suspended due to criminal activity. What should you do?
- Call the number in the letter.
- Trash the letter.
- Visit the Social Security Administration's website and log in to check on the validity of your account.
Scroll to the bottom to see how you did!
Scams are everywhere, and all types of people fall for them. But in recent years, people on the younger end of the spectrum, like Gen Zers and millennials, have become increasingly susceptible to digital scams. As we have often repeated here at Security Friday: the more scammers know about you, the easier it is for them to scam you. Since young people share more of their personal lives online and spend more time on their phones than older people do, they generate more of a digital profile for scammers to access. The FTC found that in 2024, people in their 20s fell for scams more often than those in their 70s, reversing the common wisdom that holds that older people are more likely to fall for scams. Moneywise has a more detailed write-up on this subject, along with tips on how to protect yourself.
The Bottom Line: In the past, it was more common for scammers to target older individuals, but, in recent years, the pendulum has started to swing the other way. Really, anyone can fall victim to scams, regardless of age or technical knowledge. All any of us can do is stay informed on the latest scams and exercise caution in our online activity.
DoorDash Hit by Data Breach
DoorDash has been notifying users of an October data breach that included first and last names, physical addresses, email addresses, and phone numbers. The affected users are a mix of customers, Dashers, and merchants. In its response to the incident, DoorDash says that the breach originated from an employee who fell for a social engineering scam. Bleeping Computer has more details on the story.
The Bottom Line: DoorDash has already referred this incident to law enforcement. If you are affected by the breach, you should receive an email from DoorDash. With data breaches becoming more common, we strongly suggest freezing your credit, if possible. This makes it more difficult for your identity to be stolen, even if your personal information is leaked. You can unfreeze it at any time, either permanently or temporarily, if you need to open a new line of credit.
Age Verification by Facial Scanning
Live streaming platform Twitch has introduced facial scanning to verify user ages in the UK. Both new users and existing users logging in for the first time since the policy change will need to submit to a facial scan. Additionally, anyone who attempts to access a stream with specific adult content warnings will need to verify their age via facial scanning before they are allowed to watch. Rolling Out has a more detailed write-up about the changes, as well as how Twitch is being impacted by other age-related laws in the UK.
The Bottom Line: Age verification is a good idea in theory, but in practice, it often comes at the cost of privacy and security. To verify your age, you must trust third-party companies with your ID (or, in Twitch's case, a scan of your face), which is then at risk of exposure in a data breach, as we saw recently at Discord. If you are in the UK, age verification is now required by law, which is why it's so important to voice your concerns to lawmakers who may be swayed by public opinion.
Somalian E-Visa System Breached
Somalia's electronic visa system was breached by "unidentified hackers." The US embassy put out a statement saying that the data of at least 35,000 had been exposed in the breach, including names, photos, birthdays, addresses, and email contacts. The UK is also warning international travellers that their data could be at risk if they enter it into Somalia's e-visa system, as the breach is still ongoing. The Somalian government has not publicly addressed the breach despite moving its e-visa service from evisa.gov.so to etas.gov.so. The BBC has more details.
The Bottom Line: If you are currently travelling or planning to travel to Somalia any time soon, you may want to consider the risks posed by this data breach. If you aren't in Somalia or planning to travel there, there's nothing to worry about.
How Private Is Your Licence Plate Number? ICE's New Plate Reader App
Normally, if you record a licence plate number and then call the DMV to try to find out who owns that car, all you'll be able to find out is the make and model of the vehicle. Government motor-vehicle agencies will not share the name of the owner, much less their address or anything else about them, without a warrant. However, 404 Media reports that ICE has been demoing a new app that weaponizes advertising profile data collected by the data broker Thomson Reuters (the same company that operates the news agency), government databases, and Motorola's traffic cameras. This allows an agent to photograph a licence plate and immediately receive the owner's name and home address, as well as a map of places that the vehicle has been seen in the past, significant locations, patterns, and habits, all without a warrant.
The Bottom Line: We don't know specifically how Thomson Reuters collects its profiling data. But you can limit the amount of information that commercial data brokers in general can harvest about you by employing tools such as a privacy-preserving web browser like Safari, Brave, or DuckDuckGo, and a VPN. You should also reduce your reliance on data-thirsty apps such as Google search (we recommend Ecosia or DuckDuckGo instead), Google Workplace, or Gmail, and limit your use of data-harvesting social media such as Facebook or X.
Company Refuses to Bow to Hackers' Demands
Checkout.com, a payment processing platform used by companies around the world, was recently targeted by the hacking group ShinyHunters. The group contacted Checkout.com and demanded a ransom in exchange for data that it had stolen. Checkout.com investigated and found that the data came from an old third-party cloud storage system that had not been properly decommissioned. Upon determining that ShinyHunters did not have access to merchant funds or card numbers, Checkout.com decided that it would not give in to the group's ransom demands. Instead, the company is donating the ransom amount to fund cybercrime research. You can read Checkout.com's statement here.
The Bottom Line: No practical advice here; just a really cool story about a company standing up to criminals and helping to advance cybersecurity research at the same time.
Did You Win the Lottery? (You Didn't Win the Lottery)
This prolific scam is probably as old as time, but it's still alive and flourishing. The scam itself is simple: You are contacted by someone who claims that you've won a prize in a lottery. To claim your prize, you're told, you must pay a small fee. Of course, once you pay the fee, no prize will ever materialize. It seems like this scam wouldn't work, but it does work. Scammers use time pressure language: "Act now!" and "Claim your prize before it's gone" to encourage victims to make a bad decision quickly. If a scammer sends enough of these messages, they're sure to catch someone who's on their way home from the bar at 1 am, or someone who just took their meds before bed, or someone who is jetlagged, and before that person has had a chance to think better of it, they've pulled the trigger and sent the scammer some money.
The Bottom Line: No legitimate lottery will pay out rewards to someone who has not entered the lottery. No legitimate lottery will ask the winner to pay a fee of any kind before claiming a prize. No legitimate lottery or prize will ever pressure the winner to claim their prize immediately. Especially, no lottery will contact the winner over social media messenger or by email.
Airline Data Broker Shuts Down
We've previously mentioned the data broker set up by a group of airlines to sell flight information to law enforcement agencies without requiring normal legal checks and balances such as warrants. After pressure from lawmakers and reporting from 404 Media, Airlines Reporting Corporation has notified its customers that it will be shutting down its Travel Intelligence Program, the arm of the corporation responsible for selling travelers' information to third parties.
The Bottom Line: If you emailed Airlines Reporting Corporation to opt out of data collection based on our instructions, you don't need to be concerned about that anymore. Please enjoy having one less thing to worry about.
Children's AI Teddy Bear Casually Explains Where to Find Knives and Matches
The US Public Interest Research Group recently released its yearly report on the safety of toys. This year, it highlighted a new set of toys coming to market: ones that include GenAI-driven speech functionality. The catch? Several of the toys they tested didn't have adequate safeguards about what the toy could or could not say to a child. One teddy bear used its newfound powers of speech to explain how to light a match, where to find knives, and all about sexual roleplay, among other disturbing matters. That one was pulled from the market. Your digital security is one thing, but the digital domain is expanding into new territory here, with digital voices now appearing in new places, like a kid's toy box.
This is not the only place where AI agency might be enabling new kinds of dangers: Microsoft is rolling out a so-called "agentic" GenAI in Windows. Agentic means the GenAI would be capable not just of advising the user, but of actually taking actions itself. You could instruct it to make a budget for your house, and instead of just generating some text, it could go download a budgeting app, install it, and then use the app to make the budget. It could even install malware, warns Microsoft. Which would be bad. To use the teddy bear as an analogy, imagine if the AI-driven teddy bear, in addition to speaking with an AI voice, could also walk itself over to the knife drawer.
The Bottom Line: Generative AI systems are a brand-new technology. Practice caution in where and how you deploy that technology in your life. We haven't developed legal, ethical, and technical frameworks to mitigate the harms of this new technology yet.
Everything you need to know about Apple's latest software updates.
- The most recent iOS and iPadOS is 26.1
- The most recent macOS is 26.1
- The most recent tvOS is 26.1
- The most recent watchOS is 26.1
- The most recent visionOS is 26.1
Read about the latest updates from Apple.

