Facebook Finally Fixes Its Two-Factor Mess

Credit to Author: Andy Greenberg, Brian Barrett| Date: Sat, 21 Dec 2019 14:00:00 +0000

A Wawa breach, Russian spies, and more of the week's top security news. 

It's beginning to look a lot like the end of the year in cybersecurity! In an interview with the Pentagon's artificial intelligence honcho, we looked forward at how AI will intersect with warfare in the future—and the many unresolved questions that raises. And in an interview with venerated author Cliff Stoll, we took a look back a historic moment in cybersecurity.

We detailed how popular conference room video displays can be hacked, and how WhatsApp group chat security still needs a little work.

5G is coming, and while it'll be more secure than 4G it's still not perfect. Chrome will check your passwords to make sure they're not already in some data breach somewhere. And set aside some time to read this tale of an Army veteran who thought he found romance on a dating site—but ran into a terrifying scam instead.

And there's still more. Every Saturday we round up the security and privacy stories that we didn’t break or report on in-depth but think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.

For far too long, if you provided Facebook with a phone number for two-factor authentication, the company turned around and used it to serve you targeted ads and present you with people you might know. It's the sort of duplicitous, privacy-disregarding behavior that earned the company a $5 billion FTC fine. But while Zuck and company quit using 2FA numbers to feed its ad machine in the summer, it took until this week to announce that it would do the same with friend-finding. Even now, though, the change won't roll out globally until next year. More annoying still, according to Reuters, to uncouple your 2FA number from Facebook's friend-connections, you need to delete and then enter it once more. Or maybe go ahead and delete your Facebook account altogether, just a thought!

Bad news, fans of hoagies and slightly stale soft pretzels in and around Pennsylvania: Convenience store chain Wawa on Friday revealed that its point-of-sale servers had been infected with malware that stole credit card information, potentially affecting all 700 of its stores across five states. The malware had been present on Wawa's systems as early as March, but was only discovered on December 10. The company assures customers that debit card PINs, credit card CVV2 codes and ATMs at the stores weren't affected, but it's nonetheless offering credit monitoring to affected customers.

Bloomberg this week told the in-depth story of a young Israeli hacker named Daniel Kaye, also known by his handle Spdrman, who launched a record-setting cyberattack that took down the largest telecommunications network in Libera. In the fall of 2016, Kaye's distributed denial of service attacks launched gargantuan waves of junk traffic from his botnet of half a million hijacked internet-connected security cameras, one of several botnets known as Mirai, at the Liberian telecom network Lonestar. Kaye had been hired by the CEO of one of Lonestar's competitors, Avishai Marziano. The attack knocked 1.5 million Liberians off the internet, about a third of the country's population, including its largest hospital and infectious disease specialists dealing with the aftermath of the Ebola outbreak that had hit the country the year before. At other points, Kaye allegedly rented out parts of its botnet to other hackers who used it for attacks on banks and gaming rivals. Kaye was arrested by British police in February of 2017 while trying to board a flight to Cyprus, and was later given a 32-month prison sentence.

The New York Times Opinions desk this week revealed that it had obtained a massive cache of location data that included 50 billion"pings"representing the detailed locations of 12 million Americans, as captured by their smartphones as they move about their daily lives. The Times declined to reveal the source of that data, saying only that it was a firm that collects location data on Americans, and that such data is captured by programs as seemingly harmless as weather apps and coupon savers. The Times then went on to demonstrate the application of that data for targeted surveillance, showing that it could track the detailed whereabouts of a Secret Service agent accompanying President Trump, following him to Mar-a-lago and a round of golf the president played with Japan's Prime Minister Shinzo Abe. To drive the point home, the Times also published obscured location patterns of other officials including a Pentagon staffer and a senator's advisor.

Russian spy ships hanging out near the US is surprisingly common. But US officials told CNN this week that the Viktor Leonov was acting in an "unsafe manner" and engaging in "erratic maneuvers," which are generally not words you want to hear in association with a nearby spy ship from a hostile nation.

https://www.wired.com/category/security/feed/