TIME Security

Apple Pay Competitor Defends Service After Hack Exposes Emails


"This is not a breach"

Apple Pay competitor CurrentC defended the security of its mobile payment system in a Wednesday conference call, just hours after its parent company MCX reported that hackers had obtained some users’ e-mail addresses.

MCX CEO Dekkers Davidson said the attack, which targeted the company’s email vendor, was “not a breach” of the CurrentC app itself. He also emphasized that the incident affected mostly dummy e-mails used in the yet-unreleased service’s ongoing testing phase. Davidson also revealed that some dummy zip codes were stolen and that CurrentC’s systems had withstood several repeated attacks during the past week.

Davidson added the hack hasn’t made the company hesitant to store customer information in the cloud, a plan that’s been criticized given that CurrentC’s main competitor, Apple Pay, doesn’t collect any traceable information at all.

“In terms of consumers’ information and any payment credentials, they’re not stored on a device. They’re not actually present in the physical world,” Davidson said. “And that we think is a design or implementation that makes it far more secure than the world we live in today, and far more secure than many of the alternatives that have been advanced over the last few years.”

While MCX is a joint venture by retailers in order to create a retailer-owned payment system, Davidson said that the service is “first and foremost” about customer engagement. Part of that customer engagement will include a consumer privacy dashboard so that users can elect what information, if any, they would like to share with merchants.

MCX has been under scrutiny after reports suggested that MCX members CVS and Rite Aid disabled Apple Pay because of a contractual agreement for exclusivity. However, Davidson said that the company welcomes competition, and that it is the merchants’ choice whether or not to accept other forms of mobile payment. He added that MCX member retailers are not subject to fines if they choose to adopt Apple Pay, which registered 1 million credit cards in its first three days.

Davidson added that although some MCX merchants have blocked Apple Pay, MCX is open to member retailers using both Apple Pay and CurrentC simultaneously once the latter service goes public early next year.

“We have a great deal of respect for Apple, of course, and Apple Pay,” Davidson said. “We believe and our merchants believe we require two to three strong players in the space to build the ecosystem.”

TIME Security

Retailers’ Apple Pay Competitor Has Already Been Hacked

Retailers joined forces to create the digital wallet, which has received cold reviews

Apple Pay competitor CurrentC said Wednesday that hackers have gotten their hands on some users’ information, according to a statement from MCX, the service’s developer. The hackers targeted MCX’s e-mail provider, not the CurrentC app itself.

MCX said that the hackers accessed some e-mail addresses of CurrentC pilot program participants and individuals who had expressed interest in using the free digital wallet. MCX, a joint venture created by major U.S. retailers in part as an effort to avoid paying credit card transaction fees, did not disclose how many individuals were affected, but said many of the stolen e-mail addresses were not of actual users.

“Many of these email addresses are dummy accounts used for testing purposes only. The CurrentC app itself was not affected,” Linda Walsh, a spokeswoman for MCX, said in an e-mail. “We have notified our merchant partners about this incident and directly communicated with each of the individuals whose email addresses were involved.”

The hack targeting CurrentC, which is set for release next year, comes on the heels of news that retail giants CVS and Rite Aid—two members of MCX—will not accept Apple Pay despite at first allowing the service. A leaked in-house memo indicated that the reason may be the two companies’ involvement with CurrentC. Apple CEO Tim Cook said Tuesday in an interview with The Wall Street Journal that the situation amounted to a “skirmish.”

News of CurrentC’s vulnerability also adds to the less-than-warm reviews of the mobile payment service, which some reviewers say was designed more for the benefit of retailers than for customers. It also boosts the reputation of its competitor Apple Pay, which has championed its customer data security. Apple Pay users registered one million cards on the service in its first three days, Cook said earlier this week.

TIME Security

Americans Are More Afraid of Being Hacked Than Getting Murdered


Nearly 70% of Americans are worried they'll be hacked. Just 18% are afraid of being murdered

Americans are more worried that their credit card information will be stolen by hackers than they are about being murdered, sexually assaulted or having their home targeted by a burglar, according to a Gallup poll released this week.

Sixty-nine percent of Americans said they frequently or occasionally worry about having credit card information they use in stores stolen by computer hackers, making hacking by far the most feared crime in the United States, according to the poll. The second-ranking crime that Americans worry about is having their computer or smartphone hacked, with 62% of Americans occasionally or frequently worried about such a breach.

By comparison, 45% of Americans are worried about their homes being burglarized, 28% about being the victim of terrorism and 18% are worried about getting murdered.

Target, Home Depot and Neiman Marcus have all reported massive hacks in the past year, affecting many millions of customers. Fully one quarter of Americans say they or someone in their household has had information from a credit card used at a store stolen by computer hackers during the last year.

 

TIME Apps & Web

The Best Browser Privacy Tools (That Don’t Make Life More Difficult)


In a year when social media giants and governments alike have made headlines for tracking users online without their consent, battening down the virtual hatches has become a vital part of Internet hygiene.

Blocking tracking technologies, however, also disables those handy auto-fill log-ins and web personalization features, preventing you from easily shopping online and making your web experience feel as if you’re back in 1999.

So we went in search of privacy tools that don’t impact your browsing experience. We tested browser tools ranging from the basic Private Mode on all browsers to full-featured ad blockers. We looked at the four most-used browsers in the United States: Chrome, Firefox, Safari and Internet Explorer. Here’s what we found to be most helpful for safeguarding your privacy and anonymity — and what measures of convenience you might have to give up if you use them.

The lowdown on cookies

Cookies are small text files that contain one or more bits of information about your computer, most commonly a user ID a website assigns you in order to keep track of your movements through the site. Cookies are often essential to using a site successfully, enabling you to check out from shopping sites or click around Facebook without having to repeatedly re-enter your password.

These first-party cookies come from the website you’re on and exist mostly to offer you a personalized web experience. Benefits include greeting you by name, giving you weather data relevant to your home location and keeping track of your achievements in a game.

It’s the third-party cookies from ads on the websites you visit that track you as you move between websites. Advertisers place these cookies in their advertisements, allowing them to follow your movements among the network of sites where they advertise.

Information about your surfing patterns goes toward compiling a profile of preferences and basic personal data — things like location, age and gender — that is used to create targeted advertising. If you’ve clicked on a lot of gardening sites, for example, targeted ad placements could even show you ads for tools or plants on non-gardening sites. If that bothers you, you can disable third-party cookies in your browser settings.
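The linking described above, as an added example that is not part of the original article: a small simulation of a browser cookie jar showing how a single third-party cookie lets one ad host connect visits to unrelated sites, and what changes when third-party cookies are blocked. The hostnames and session are constructed, and "site" is simplified to the last two host labels (browsers use the Public Suffix List).

```javascript
// Added illustration: how one third-party cookie links visits across sites.
// Assumption: "site" = last two host labels; real browsers consult the
// Public Suffix List for this comparison.
const siteOf = (url) => new URL(url).hostname.split('.').slice(-2).join('.');
const isThirdParty = (pageUrl, requestUrl) => siteOf(pageUrl) !== siteOf(requestUrl);

// Constructed session: pages visited and the resources each page loads.
const SESSION = [
  { page: 'https://www.gardening.example/roses',
    requests: ['https://www.gardening.example/app.js',
               'https://ads.tracker.example/banner.js'] },
  { page: 'https://news.example/today',
    requests: ['https://static.news.example/site.css',
               'https://ads.tracker.example/banner.js'] },
  { page: 'https://shop.pharmacy.example/cart',
    requests: ['https://shop.pharmacy.example/cart.js',
               'https://ads.tracker.example/banner.js'] },
];

function simulate(session, { blockThirdPartyCookies }) {
  const jar = new Map();  // browser cookie jar: site -> cookie ID
  const seen = new Map(); // server logs: site -> Map(cookie ID -> Set of page sites)
  let nextId = 1;
  for (const { page, requests } of session) {
    for (const request of requests) {
      // With blocking on, the third-party request still goes out but carries
      // no cookie, so the ad host has no stable ID to log the visit against.
      if (blockThirdPartyCookies && isThirdParty(page, request)) continue;
      const site = siteOf(request);
      if (!jar.has(site)) jar.set(site, `uid-${nextId++}`); // Set-Cookie on first contact
      const cookieId = jar.get(site);
      const byCookie = seen.get(site) ?? new Map();
      const pages = byCookie.get(cookieId) ?? new Set();
      pages.add(siteOf(page)); // the embedding page is visible via the Referer header
      byCookie.set(cookieId, pages);
      seen.set(site, byCookie);
    }
  }
  return { jar, seen };
}

// A cookie ID observed while embedded on more than one site is a cross-site profile.
function crossSiteProfiles({ seen }) {
  const profiles = [];
  for (const [site, byCookie] of seen) {
    for (const [cookieId, pages] of byCookie) {
      if (pages.size > 1) profiles.push({ site, cookieId, pages: [...pages].sort() });
    }
  }
  return profiles;
}

console.log(crossSiteProfiles(simulate(SESSION, { blockThirdPartyCookies: false })));
console.log(crossSiteProfiles(simulate(SESSION, { blockThirdPartyCookies: true })));
```

With blocking on, each visited site still keeps its own first-party cookie, which is why log-ins and shopping carts continue to work.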

Browse in private mode

Seeing targeted advertising probably doesn’t bother most people if all they’re surfing for is news, cute cat pictures or a new iPhone. But for looking up information about something like health concerns, privacy mode allows you to browse without associating the search with your existing profile.

To open a private window in your browser:

  • Firefox: Ctrl/Cmd+Shift+P
  • Chrome: Ctrl/Cmd+Shift+N
  • Safari: Safari/Private Browsing
  • Internet Explorer: Ctrl/Cmd+Shift+P

This turns off your web history and enables the cookies necessary for the site to work but blocks third-party cookies. At the end of the session, all cookies are deleted.

The downside

Browsing in private mode does not stop the website from recording that you were there based on your IP address, which can still be tracked. And, crucially, private mode doesn’t stop social networks from tracking you. It’s best used for hiding activity on a shared computer rather than actually remaining invisible online.

Block third-party cookies

Third-party cookies aren’t the only way to track people around the Internet, but disabling them in your browser’s settings means advertisers can no longer store files on your browser to track your web surfing.

Here’s how to block third-party cookies, assuming you’re running the most recent versions of the browsers (a good idea from a security point of view):

  • Chrome: Preferences > Show Advanced Options (at the bottom) > Privacy > Content settings > Check “block third party cookies and site data.”
  • Internet Explorer: Tools > Internet Options > Privacy > Move the slider to the level of cookies you want blocked
  • Firefox: Preferences > Privacy > History > Select “Use custom settings for history,” then set “Accept third-party cookies” to Never.
  • Safari: Preferences > Privacy > Select to block cookies “from third parties and advertisers.”

The downside

Some websites require third-party cookies to work; for example, Microsoft asks you to accept cookies when downloading an update. In these cases, head into your browser settings and add the sites as exceptions.

Block the Flash super cookie

Sites may store Flash cookies on your computer regardless of whether you have allowed third-party cookies. Flash cookies can’t be easily deleted, and they may be downloaded to your computer from any website running Adobe Flash (such as sites with video or an interactive application). Designed to locally store your settings for the rich web apps that Flash enables, the capability for the Flash plug-in to allow other sites to store files in a user’s computer can also be hijacked by advertisers wanting a new way to track Internet users.

Flash cookies can identify you across different browsers on the same device and, in some cases, have been found to regenerate deleted browser cookies. Because they have far more storage (up to 100KB) than other cookies, they can contain more complex information about your habits. Like browser cookies, Flash cookies are used by websites to deliver a customized experience as well as give advertisers extra data.

Cookie cleaners and Flash player settings

Blocking Flash entirely could be an option with script-blockers such as NoScript (Firefox) or ScriptNo (Chrome). However, such plug-ins stop all Flash and Java on all pages, breaking the sites in many cases, until you can customize the settings so that trusted objects and pages can run freely. This can take a long time and represent a pain for the less technically minded.

If you use Firefox, you can download BetterPrivacy, which automatically deletes Flash cookies as they crop up (as well as clearing cookies already there). You can also whitelist necessary Flash cookies, such as cookies used when playing a game.

If you’re not on Firefox, you’ll have to dig into your computer. First, disable future Flash cookies from being left on the machine. If you’re on a PC, open Control Panel and click on Flash player > Local Storage settings by site. You’ll find the default is “Allow All Websites to Store Data”; change it to “Block All Websites from Storing Data.” Then you can easily delete the Flash cookies by hitting the neighboring Delete All button, followed by “Delete All Site Data and Settings.”

If you’re on a Mac, change your Flash settings online at Macromedia by clicking on Global Storage Settings in the (pretty clunky) Flash-based settings manager. Uncheck the box for allowing third-party Flash content to store data on your computer. Then pull the slider for how much data third-party companies can store on your machine to None (far left).

Finally, to delete sites that have already left cookies on your computer, grab the free download CCleaner (Mac/PC), which deletes both Flash and browser cookies.

The downside

Sites including eBay use Flash cookies to verify your identity, so deleting them across the board can mean needing to re-enter passwords more frequently.

Dodge tracking you never signed up for

Microsoft recently announced it would not scan any of the content in its Outlook.com inboxes to use in targeted advertising, but Google makes no such promise with Gmail — quite the opposite.

As for the social networks, Facebook, Twitter and LinkedIn track users even after they’ve signed out — and even if you don’t click on a social media sharing button. The very act of landing on a page with a social-share button means it relays back to the social network. Sophos’ security blog has a straightforward account of how Twitter does it and how you can opt out. (Remember that opting out doesn’t stop ads or the collecting of information.)

In addition, Facebook uses an alternative to tracking cookies called a conversion pixel, which advertisers affix to their ads to see how many clicks they get. So a website doesn’t need a Facebook button to let Facebook know you’ve been there.

Anti-tracker plug-in Do Not Track Me (Chrome/Firefox/Safari/Internet Explorer) stops a website from sending information back to Facebook or Google unless you actually click one of the +1 or Like buttons. It also blocks other trackers and boasts a clean, intuitive interface for customizing blocking options. The Mask My Email and Make Me A Strong Password features help deter spam and hackers. When you’re signing up for a new account, masking your email address stops potentially dodgy sites from selling your real email address, while the password option creates a hard-to-guess password (that, crucially, isn’t the same as one you already use), then saves it in the plug-in’s encrypted password manager.

On the toolbar, clicking the Do Not Track Me icon shows how many trackers it has blocked — for me, 666 in under 24 hours.

Disconnect (Chrome/Firefox/Safari/Opera) is a similar plug-in that offers the additional benefit of dividing trackers into social, analytic and advertising categories. A graph shows the time and bandwidth saved by blocking trackers requesting information, and you get the option of adding trusted sites (and their cookies) to a whitelist.

The downside

There’s little downside to taking any of these anti-tracking measures. The only thing these scrappy little guys don’t do is block ads; you’ll still see them, but they won’t be targeted based on your previous clicks.

Kill most ads

Many companies (including Facebook, Twitter and Amazon) promise to honor opt-outs for “interest-based” advertising. But while opting out stops companies from delivering targeted ads based on what you’ve clicked on, it does not stop ads based on general information such as your location or other details you may have volunteered while signing up for the account. Crucially, it doesn’t stop companies tracking you and collecting your data.

To prevent ads from showing at all, thus thwarting the purpose of tracking via third-party cookies or other means, try a plug-in such as AdBlock Plus (for Chrome/Firefox/Safari/Internet Explorer), which blocks “annoying” ads: video ads, Facebook ads, pop-ups and the like. By default, a whitelist of ads that fall under the developer’s guidelines for acceptability is allowed, but you can change this setting to disable all ads.

You can also add different filters to block more or different types of ads. For example, the anti-social filter blocks social media buttons from transmitting back to the mother ship that you were there, neatly avoiding the all-seeing Facebook eye.

AdBlock Plus also blocks trackers and websites known to deliver malware.

The downside

Blocking ads deprives sites of revenue, and many websites rely on ad revenue to stay afloat. Unless you tinker with the settings for which ads should be allowed at different sites (a process that may take a long time to complete), you may end up depriving your favorite sites of those caching clicks.

Search securely

Two-thirds of U.S. search traffic is made through Google, distantly followed by Microsoft’s Bing (19%) and Yahoo (10%). While Google’s search algorithms turn up highly relevant results for most of us (in May, 31% of all Internet traffic came from Google, versus less than 2% for Bing and Yahoo combined), there’s an additional trade-off: Search results are also personalized based on what you’ve clicked on in the past.

That may not seem like such a big deal until you consider that Google also combines your search history with other information from your Google accounts, such as YouTube and Gmail, for use in targeted ad campaigns. Search histories can reveal highly personal information such as your interests, religion or health issues, substantially filling out the information already compiled from your YouTube clicks and Gmail messages.

Instead of switching to another Big Three search engine, try DuckDuckGo, which doesn’t log your searches so that all users get the same results. In our test, searches on subjects including current events (“Hong Kong protests”), general knowledge (“why is the sky blue”) and straightforward subjects (Halloween costumes) turned up helpful links in the first half of the page. However, when we typed the more ambiguous phrase “Tuscany fall cuisine,” only Google noted that we wanted autumnal food in Italy, not the town called Tuscany Falls.

DuckDuckGo also offers many of the same convenience features as Google, including a good range of “zero-click info.” For example, type “weather in California,” “650 USD in EUR” or any calculator function such as “square root of 60,” and the answer is displayed above a list of link results.

Similarly privacy-centric search providers include Ixquick, which doesn’t store your IP address or search data (and consequently doesn’t sell any of your information), delivering results based on what the five major search engines are saying. Two or more stars indicate multiple search engines have relayed the same result. However, Ixquick lacks the uber-convenient zero-click search.

Finally, the Disconnect anti-tracker plug-in also has a separate search extension that anonymizes your searches in any of the Big Three search engines as well as DuckDuckGo itself.

The downside

Auto-complete in Google Search has been a godsend when it comes to typing searches for news and factoids you can’t quite recall. Not having a search history also means not having those purpled-out links that indicate at a glance which sites you’ve previously visited (handy when you’ve forgotten to bookmark a great source).

The all-in-one option

Not up to fine-tuning settings, cherry-picking plug-ins and switching to a new search engine?

Get a whole new browser. The Epic Browser offers privacy mode as the default and only option. Epic doesn’t store web histories, search queries or cookies. Clicking on a plug icon in the URL bar turns on a proxy feature that anonymizes your computer by routing your traffic through a U.S.-based proxy network.

Epic also blocks trackers with a handy pop-up telling you exactly how many it’s blocked — and just to rub its success in competitors’ noses, it shows how many trackers exist on the other browsers you’re using. On my computer, Firefox had 143 data-collecting trackers (including Amazon, Experian, all the social networks and a ton of ad providers); Safari had 56 (including BuzzFeed, LinkedIn and Tumblr); and my Chrome browser with Do Not Track Me Plus running let through just two (eBay and ad provider Double Click).

The downside

It’s back to the caveman days of manually typing everything in, from passwords to URLs. There’s no auto-fill feature for log-ins or website addresses, because Epic doesn’t store any history. Nor does Epic save passwords, and it doesn’t yet work with password managers, so you’ll either have to remember all your log-ins or save them on your hard drive.

Browsing completely anonymously (mostly)

All of the options we’ve discussed prevent third parties from tracking you within and across websites. However, the website can still see where you came from through your IP address, and that address could be used as an alternate means of tracking your activities. For example, a person or company who disagreed with your comments on a site could use your IP information to track you down and sue you for libel.

To hide your IP address from being uncovered, you will need to use either an anonymous web proxy or virtual private network (VPN) service. Both not only mask your IP address from the website you’re visiting, but will also prevent anyone who monitors your network (e.g., your employer) from monitoring the sites you’re visiting.

The downside

Some of these services have stronger privacy options than others, and many are still susceptible to disclosure if they receive a legal subpoena from the jurisdiction where they’re located. Read our article on VPNs and web proxies for more details.

Future tracking options

What we do online has value to companies now because of what we may buy if we’re shown the relevant advertising. Down the line, we might be the ones negotiating the worth of our web habits.

Encrypt your own web behavior

The Meeco app for iOS recently launched with the ability to log your web visits — where you visited and for how long — and save the traffic into an encrypted cloud accessible only by you. Websites can only see what you click on while you’re on them, not what you do after and before, preventing the site from building a profile of you. The software also analyzes your usage patterns so you can glean insight into your habits — the same insight brands buy from data brokers now. Eventually, the idea is to create a data framework where users can offer such data to brands in exchange for loyalty points, discounts or other incentives.

Founder and CEO Katryna Dow says an aim is to help people understand that the value of their data is invaluable — and, at the moment, immeasurable.

A Meeco browser extension for Chrome and Firefox is available in beta; currently, users must manually add favorite sites to the dashboard, then click them in order to launch the site in the browser’s (natively available) private window.

The downside

Right now, the browser extension does not save the traffic to your Meeco encrypted account (as the iOS app does), but Dow says the company is looking at including the feature in future updates.

Where to draw the privacy line

Being tracked and advertised to by the websites we use is the trade-off for a free Internet. In fact, there are some really good reasons why you may want to be tracked online.

But not drawing our own line at how much privacy we are willing to give up could mean some companies will cross that line when it comes to where they scrape information about us. Your likes, dislikes and identifying details taken from email, private messages or personal notes could then be linked (as Google already does) to information from other facets of your online life, and companies or the government may eventually make assumptions about who you are before offering you a service. Whether you find that convenient or creepy, it’s something everyone should have control over, not default into.

What do you think? Have you downloaded browser plug-ins to control your privacy, or do you believe that targeted advertising is what makes the Internet go?

This article was written by Natasha Stokes and originally appeared on Techlicious.


TIME Security

Google Now Supports USB Security Keys for Two-Step Verification

Most security experts agree that you should secure all your online accounts with two-step verification when you can. It’s an important additional security feature that requires you to have access to a physical item (typically, a mobile phone) to gain access to your online accounts.

After entering your password, you enter a second code from your smartphone to double-verify your identity. With two-step verification enabled, even if someone steals your current password through a hack, they won’t be able to enter your accounts unless they also steal that physical item – a requirement that stops most bad guys in their tracks.

Of course, there are always situations where you may not want to use – or simply don’t have access to – a mobile phone. That’s why Google announced the launch of Security Key. It enables two-step authentication for your Google accounts through the use of a physical USB stick.

“Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google,” the company explains on its official UK blog. “Rather than typing a code, just insert Security Key into your computer’s USB port and tap it when prompted in Chrome. When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished.”
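Why a signature from a FIDO U2F key is tied to the sign-in site, as an added example that is not Google's code or part of the original article: a simplified in-process model of U2F authentication in which the key signs over the hash of the site identity, a user-presence byte, a counter and the hash of the browser's client data. The origins are constructed placeholders, and keeping one key pair per origin in a map stands in for the key handle a real device uses.

```javascript
// Added illustration: simplified FIDO U2F sign-in, run entirely in-process.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Constructed relying party origin (assumption for this example).
const RP_ORIGIN = 'https://accounts.example.com';

// The security key holds a separate key pair for each site it was registered with.
class SecurityKey {
  constructor() { this.keys = new Map(); this.counter = 0; }
  register(appId) {
    const pair = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(sha256(appId).toString('hex'), pair.privateKey);
    return pair.publicKey; // stored by the site at enrolment
  }
  sign(appId, clientData) {
    const appParam = sha256(appId);
    const privateKey = this.keys.get(appParam.toString('hex'));
    if (!privateKey) return null; // never registered with this site: nothing to sign with
    const presence = Buffer.from([0x01]); // user tapped the key
    const counter = Buffer.alloc(4);
    counter.writeUInt32BE(++this.counter);
    const signedData = Buffer.concat([appParam, presence, counter, sha256(clientData)]);
    return { presence, counter, signature: crypto.sign('sha256', signedData, privateKey) };
  }
}

// The browser, not the page, fills in the origin it actually loaded.
function browserSign(key, pageOrigin, challenge) {
  const clientData = JSON.stringify({ typ: 'navigator.id.getAssertion', challenge, origin: pageOrigin });
  const response = key.sign(pageOrigin, clientData);
  return response && { clientData, ...response };
}

// The site checks origin and challenge, then the signature over its own identity.
function serverVerify(publicKey, expectedChallenge, assertion) {
  if (!assertion) return 'no-assertion';
  const clientData = JSON.parse(assertion.clientData);
  if (clientData.origin !== RP_ORIGIN) return 'wrong-origin';
  if (clientData.challenge !== expectedChallenge) return 'wrong-challenge';
  const signedData = Buffer.concat([
    sha256(RP_ORIGIN), assertion.presence, assertion.counter, sha256(assertion.clientData),
  ]);
  return crypto.verify('sha256', signedData, publicKey, assertion.signature) ? 'ok' : 'bad-signature';
}

function runDemo() {
  const key = new SecurityKey();
  const publicKey = key.register(RP_ORIGIN);
  const challenge = crypto.randomBytes(32).toString('base64url');
  const lookalike = 'https://accounts.example-login.test'; // constructed look-alike origin

  const genuine = serverVerify(publicKey, challenge, browserSign(key, RP_ORIGIN, challenge));
  // Sign-in attempted from the look-alike page: the key has no key pair for it.
  const unregistered = serverVerify(publicKey, challenge, browserSign(key, lookalike, challenge));
  // Even if the key were also registered with the look-alike site, its
  // assertion names the wrong origin and is signed with a different key.
  key.register(lookalike);
  const relayed = browserSign(key, lookalike, challenge);
  const wrongOrigin = serverVerify(publicKey, challenge, relayed);
  const rewritten = { ...relayed, clientData: relayed.clientData.replace(lookalike, RP_ORIGIN) };
  const tampered = serverVerify(publicKey, challenge, rewritten);
  return { genuine, unregistered, wrongOrigin, tampered };
}

console.log(runDemo());
```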

Security Key requires a USB drive to work, so it’s not compatible with most mobile phones and tablets. Security Key also requires you to use the Chrome web browser (version 38 or newer) to complete verification. And, of course, there are questions about just how secure the USB format is in general due to the recently discovered BadUSB vulnerability.

If you want to give Security Key a try, you’ll need to purchase a FIDO U2F-certified key to use with the feature. You can buy a basic USB security key on Amazon for $5.99, or something slightly sturdier with a button for $17.99. You can learn how to register and add a Security Key to your Google account by visiting the Google Help page.

This article was written by Fox Van Allen and originally appeared on Techlicious.


TIME Security

China iCloud Attack Could Be State-Sponsored Hacking


The iCloud attack coincided with the iPhone 6 releases in China

Chinese users recently attempting to access Apple’s iCloud online data storage service may have had their personal information stolen in what one cybersecurity firm claims was a high-level cyberattack backed by Chinese authorities.

GreatFire, an independent Chinese censorship watchdog, said the hack was a “man-in-the-middle” attack, in which hackers get access to users’ files by getting them to enter their login information into a fake login site. The hackers then sit in “the middle” of users and the service, grabbing data as it’s transmitted between the two.

Apple confirmed the attack Tuesday, stating that it is “aware of intermittent organized network attacks using insecure certificates to obtain user information.” The firm added that the attacks “don’t compromise iCloud servers, and they don’t impact iCloud sign in on iOS devices or Macs running OS X Yosemite using the Safari browser.”

GreatFire said the hackers involved with the iCloud breaches used servers accessible by only state-run organizations and Chinese authorities, a sign the attacks had the blessing of such authorities. The hack came just as the iPhone 6 was released in China after a delay over the government’s security firms.

The iCloud attack follows a report earlier this month that “a very large organization or nation state” was putting malicious spyware onto iPhones and iPads belonging to Hong Kong’s pro-democracy protestors. GreatFire also previously reported that Chinese authorities had launched attacks on GitHub, Google, Yahoo and Microsoft in an apparent effort to censor those services.

“This is what nation states do to ‘protect’ their citizens. There is nothing surprising or unexpected in this revelation,” said Phil Lieberman, president of cybersecurity firm Lieberman Software. “It would not be hard to find other countries doing similar things.”

TIME Security

Microsoft Patches Computer Bug Linked to Russian Hackers


Microsoft has fixed a series of software bugs, at least one of which was exploited by Russian hackers, according to a new report

Microsoft on Tuesday issued bug patches fixing 24 vulnerabilities found in Windows, Internet Explorer, Office and the .Net Framework, some of which fixed security holes exploited in attacks against Western targets linked to Russian hackers. The company’s patches fix more than a dozen vulnerabilities that allow remotely located hackers to take control of a target computer, according to a note from Microsoft.

The issues were first revealed by Dallas-based security firm ISight, which said Tuesday that Russia-tied hackers had been using a previously unknown bug in Microsoft Windows Vista through Windows 8.1 to attack NATO, the European Union and targets in Ukraine since September. ISight partnered with Microsoft to report the bug.

The hacks against Western targets are part of a growing wave of cyberattacks linked to Russia amid that country’s ongoing conflict with Ukraine. However, it’s unclear exactly what data hackers took as part of the attack.

“Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree,” ISight said Tuesday.

 

TIME Security

Dropbox Denies Thousands of Accounts Were Hacked


"Your stuff is safe," Dropbox tells users after hacking scare

Dropbox said Monday that a list of login credentials posted online early this week was not made public as the result of it being targeted by hackers, but rather because hackers stole usernames and passwords from other services and attempted to use those credentials to access Dropbox accounts.

“The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox,” said Anton Mityagin of Dropbox’s security team in a blog post. “Attackers then used these stolen credentials to try to log in to sites across the Internet, including Dropbox.”

Hundreds of username and password combinations allegedly belonging to Dropbox users appeared early this week on the website Pastebin, a common dumping ground for hackers to post such information. An accompanying message alleged that 7 million Dropbox accounts were hacked in total, The Next Web reported Monday, and the hacker or hackers were asking for money before posting the rest of the information. However, Dropbox later said that a larger list of usernames and passwords posted online were “not associated with Dropbox accounts.”

Dropbox also said it recently reset passwords on accounts which showed suspicious login activity, a move it said prevented the service from being breached. “We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens,” Mityagin wrote. Dropbox also emailed any affected users and advised them to change their passwords on Dropbox as well as other Internet services.

Hackers often target less secure platforms to steal login information they then use on other websites, as seems to be the case here. That’s why it’s a good idea to use different passwords on different websites as well as activate two-step authentication wherever available.

TIME Security

Report: Hackers Attacked 9 Other Financial Firms Besides JPMorgan

Officials say hackers with ties to the Russian government were involved in the JPMorgan attack

JPMorgan Chase, which was hit by a massive hack disclosed in August, was just one of 10 financial institutions infiltrated by a group of overseas hackers that may have connections to officials in the Russian government, according to a new report.

Unnamed sources told the New York Times that the hackers who stole addresses, names, email addresses and phone numbers from 76 million households and 7 million small businesses by attacking JPMorgan’s systems appeared to have at least loose connections with officials of the Russian government.

Officials said it was unclear whether the hackers were politically motivated. “It could be in retaliation for the sanctions” placed on Russia, one senior official briefed on the intelligence told the Times. “But it could be mixed motives — to steal if they can, or to sell whatever information they could glean.”

Besides attacking JPMorgan, the group of hackers also hacked nine other financial institutions whose identities have yet to be disclosed.

The security team at JPMorgan, the country’s largest bank by assets, was able to block hackers from compromising the most sensitive information about tens of millions of customers, security experts told the Times.

The bank was only able to halt the attack by the middle of August, and in recent days discovered the full extent of the attack.

[NYT]

TIME Technology & Media

Facebook Changing Research Methods After Controversial Mood Study

Facebook Inc. Illustrations Ahead Of Earnings Figures
The Facebook Inc. logo is displayed on an Apple Inc. iPad Air past water droplets in this arranged photograph in Washington, D.C., U.S., on Monday, Jan. 27, 2014. Bloomberg—Bloomberg via Getty Images

“It is clear now that there are things we should have done differently”

Facebook has issued a mea culpa for a controversial experiment on its users that gained widespread attention over the summer, promising to revamp its research practices going forward.

In a blog post, Chief Technology Officer Mike Schroepfer acknowledged the social network mishandled a 2012 study that altered the types of posts some users saw in their News Feeds in order to determine whether such a change would affect the emotional tone of their own posts. The results of the study were published this June, angering some users because no one gave prior consent for the study nor did it clear any kind of review board, a step typically undertaken by academic research organizations.

“It is clear now that there are things we should have done differently,” Schroepfer wrote. “For example, we should have considered other non-experimental ways to do this research. The research would also have benefited from more extensive review by a wider and more senior group of people. Last, in releasing the study, we failed to communicate clearly why and how we did it.”

The company is now instituting a new framework for handling both internal experiments and research that may later be published. Research that is studying specific groups of people or relates to “deeply personal” content (such as emotions) will go through an “enhanced review process” before being approved. Facebook has also set up a panel of employees from different parts of the company, such as the privacy and legal teams, that will review potential research projects. The social network will also incorporate education on research practices into the introductory training that is given to new company engineers and present all the public research it conducts on a single website.

Facebook did not provide any detail on what the enhanced review process would look like or whether external auditors would review the company’s research. The company also retains the right to conduct any experiments it deems appropriate through its data use policy.
