Category: Uncategorized

1
FAKE APPS FIND A WAY TO GOOGLE PLAY!
2
Eureka! California Just Adopted a Strong Consumer Privacy Law
3
Ambulance chasing through data sharing? Health app accused of sharing personal health information with law firm
4
Former MasterChef contestant falls victim to online fraud attack
5
When employee data does fall within the legal privacy net
6
Aqua-man goes hi-tech – Microsoft’s Plunge into Deep Sea Data Storage
7
Foreign Hackers Take Down Triple Zero Network
8
The Defence Department’s $4 million investment in Cognitive Computing
9
Apple Distributors Arrested for Allegedly Selling Customer Personal Information
10
Juniper report predicts IoT botnets will be an unmanageable cyber-security issue

FAKE APPS FIND A WAY TO GOOGLE PLAY!

By Cameron Abbott and Jessica McIntosh

Over the last two months a string of fake banking apps have hit the Google Play store, leaving many customers wondering whether they have been affected by the scam. A report by security firm ESET found users of three Indian banks were targeted by the apps which all claimed to increase credit card limits, only to convince customers to divulge their personal data, including credit card and internet banking details. The impact of this scam was heightened as the data stolen from unsuspecting customers was then leaked online by way of an exposed server.

The report claims these apps all utilise the same process:

  1. Once the app is downloaded and launched a form appears which asks the user to fill in credit card details (including credit card number, expiry date, CVV and login credentials)
  2. Once the form is completed and submitted a pop up customer service box is displayed
  3. The pop up box thanks users for their interest in the bank and indicates a ‘Customer Service Executive’ will be in contact shortly
  4. In the meantime, no representative makes contact with the customer and the data entered into the form is sent back to the attacker’s server – IN PLAIN TEXT.

The ESET report alarming revealed that the listing of stolen data on the attacker’s server is accessible to anyone with the link to the data, this means sensitive stolen personal data was available to absolutely anyone who happens to comes across it.

Whilst, the reality is any app on your personal smartphone may place your phone and personal data at risk, (as discussed here ‘Research Reports say risks to smartphone security aren’t phoney‘)

Customers can mitigate risk by:

  • only using their financial institutions official banking apps, these are downloadable from the relevant institution’s official website;
  • paying attention to the ratings, customer reviews when downloading from Google Play;
  • implementing security controls on your smartphone device from a reputable mobile security provider; and
  • contracting their financial institution directly to seek further guidance on the particular banking apps in use.

 

It cannot be overlook, whilst Google Play moved quickly to remove the apps we query how it was so easy for cyber criminals to launch fake apps on Google Play in the first place.

Eureka! California Just Adopted a Strong Consumer Privacy Law

By Susan P Altman

While the rest of us were still recovering from the May 25 effective date of the EU’s General Data Protection Regulation (GDPR), California, the most populous and largest economy of any of the United States, confidently adopted a broad consumer privacy law. The California Consumer Privacy Act of 2018 (CCPA) was enacted June 28 and becomes operative on January 1, 2020. Unlike existing industry-specific U.S. privacy laws, the CCPA has a broad overall scope, more like the GDPR. It ensures California residents the right to know what information about them is being collected and sold or disclosed, to reject the sale of their personal information, to access the information, and to receive equal service and price, even if they exercise their privacy rights.

Unlike the GDPR, the CCPA does not extend to extra-territorial coverage. The CCPA applies only to for-profit businesses doing business in California and sets certain thresholds for business activity and size, thereby protecting most of the Silicon Valley start-up community from the cost of compliance. The CCPA protects the rights of “consumers,” who are natural persons residing in California, and generally does not apply to California residents while they are outside of California.

A business that is required to comply with CCPA will need to update its website, and include a conspicuous link on the homepage to a page titled, “Do Not Sell My Personal Information.” In addition, the website must describe the consumer’s privacy rights and annually update its privacy policy to reflect current practices. Consumers will be able to opt-out of collection practices; although children (or their parents) must opt-in. Consumers must be able to contact businesses regarding their collected information. Amendments and corrections to the CCPA are expected.

Ambulance chasing through data sharing? Health app accused of sharing personal health information with law firm

By Cameron Abbott and Sarah Goegan

The idea of lawyers “ambulance chasing” seems to have taken on a new form. An investigation by the ABC has revealed how technology is being used to share health information with lawyers to generate work.

The ABC has revealed that HealthEngine, Australia’s largest online doctor’s appointment booking service, shared daily lists of prospective clients with law firm Slater and Gordon, based on personal medical information shared by users with the app.

Read More

When employee data does fall within the legal privacy net

By Cameron Abbott, Warwick Andersen and Georgia Mills

PageUp, a leading HR software support company has revealed it has fallen victim to a massive data breach, potentially compromising the personal details of thousands of Australians.  Boasting over 2 million active users worldwide and counting a roll call of major Australian companies together with a number of government agencies as clients, the breach may be the largest since the introduction of mandatory data breach notification laws in February (which we blogged about here).

Read More

Aqua-man goes hi-tech – Microsoft’s Plunge into Deep Sea Data Storage

By Cameron Abbott and Georgia Mills

In addition to all things cyber security related, we here at CyberWatch love to see new technologies being developed and Microsoft’s latest data storage project has us all excited.

Microsoft has leveraged the technologies of submarines and renewable energy to plunge an experimental 12 metre long datacentre into the sea near Scotland’s Orkney Islands.  The project, known as Project Natick, seeks to understand the benefits and difficulties in deploying subsea datacentres powered by offshore renewable energy.

Read More

Foreign Hackers Take Down Triple Zero Network

By Cameron Abbott and Georgia Mills

The triple zero emergency call service, operated by Telstra, was subjected to an onslaught of more than 1000 offshore calls on Saturday morning, leading to a number of genuine emergency calls being unanswered and sparking a government investigation.

Read More

The Defence Department’s $4 million investment in Cognitive Computing

By Cameron Abbott and Georgia Mills

The Australian Defence Department granted IBM Australia a $4 million, 3 year contract for the provision of its Watson cognitive computing infrastructure.  The platform provides a cognitive, artificial intelligence and machine learning capability for use by Defence and is only the second on-premises instance of Watson globally.

Matt Smorhun, Assistant Secretary for the ICT Strategy Realisation Branch at the Department of Defence said they decided to “just buy this thing” and then work out how it was going to fit into the organisation later. (Which did strike us as a rather strange approach to spending tax payers dollars – but congrats to the IBM sales person who pulled that off!)

Read More

Apple Distributors Arrested for Allegedly Selling Customer Personal Information

By Cameron Abbott and Edwin Tan

On Wednesday, police in China’s Zhejiang province released a statement reporting the arrest of 22 third-party Apple distributors for allegedly selling customer data on the black market. Officials claim that the suspects searched an internal Apple database to obtain sensitive information, such as names, Apple IDs and phone numbers.

Each sale was for between 10 yuan to 180 yuan (A$1.95 to A$35.17). The entire scam was reportedly worth more than 50 million yuan (about A$9.8 million).

It is presently unclear whether there were victims outside of China, or how many people were affected by the breach.

No doubt these events will raise concerns worldwide about distributors’ access to customer data when it flows through the supply chain. Companies will need to have strong guarantees in place with their distributors, in relation to the handling and security of data, in order to reduce their risk of breaches when data leaves their control.

Users wishing to add an extra layer of security to their Apple ID can try utilising two-factor authentication, as set out by Apple here.

Juniper report predicts IoT botnets will be an unmanageable cyber-security issue

By Cameron Abbott

Juniper’s Internet of Things for Security Providers: Opportunities, Strategies, & Market Leaders 2016-2021 cautions that the scale of connectivity related to consumer IoT will lead to unmanageable cybersecurity risk created by botnets in excess of 1 million units. The research found that botnets that disrupt internet services form part of the near-term threat landscape and will be used for more malicious purposes in the future. Botnets are expected to be used not only to disrupt services, but also to create a distraction in order to enable multi-pronged attacks. While the research calls on IoT manufacturers to implement security-by-design, it also found the market is wide open for challenger security vendors.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.