Social engineering is the new method of choice for hackers. Here’s how it works.


Is your name and your phone number all it takes for a hacker to take over your cellphone account?

Marketplace’s latest investigation has found that just a few pieces of personal information could leave you and your accounts vulnerable.

It happened to Erynn Tomlinson. The former cryptocurrency executive lost about $30,000 in cryptocurrency after hackers used a few of her personal details during interactions with Rogers customer service representatives to ultimately gain access to her account.

"I don’t know how to describe it. I was sort of in shock at the whole thing," said Tomlinson about realizing hackers stole savings she was planning on using for a mortgage.

Tomlinson is a victim of the latest type of hack plaguing the telecommunications industry: it’s called a SIM swap, and hackers use what’s known as social engineering to make it happen.

Social engineering fraud typically happens through email, phone, or text — or in Tomlinson’s case, through online chat windows. Hackers use charm and persuasion to convince a customer service representative they are actually the account holder.

If at first you don’t succeed, hack again

The hackers might have a few pieces of publicly available personal information: a person’s name, email address, birthdate, postal code or phone number.

Hackers use some of those details to try to sweet talk a representative into handing over more information and ultimately gain access to an account.

"The attackers are very sophisticated. In this case, Rogers didn’t provide any friction for them and made it far too easy," Tomlinson said of her experience.

In an increasingly cashless world, many people rely on digital apps for banking and online purchases. Experts say hackers are taking advantage of this. (Hannah Yoon/Canadian Press)

As far as Tomlinson can tell, the hackers had only her name and her phone number. Over a series of eight different online chats, the hackers managed to obtain her date of birth, email address, account number, the last four digits of her credit card, and other details about her account.

Armed with this information, the hacker convinced a Rogers rep to activate a new SIM card linked to Tomlinson’s account, which could then be placed into a phone in their possession. A SIM card is a chip used to identify and authenticate a subscriber to a service provider.

Once the hackers had executed the SIM swap, they were able to use their own phone to gain access to a number of Tomlinson’s sensitive accounts, including those tied to her finances.

  • Watch Marketplace’s investigation into social engineering fraud at 8 p.m. Friday on CBC-TV and online.

Tomlinson used two-factor authentication on her sensitive accounts, an extra security step that sends a message to your cellphone before granting access. Tomlinson believes the SIM swap allowed the hackers to divert those incoming messages to a new device, effectively bypassing her security measures.

She first became aware something was wrong when her cellphone stopped working. After stopping by a nearby café to use the Wi-Fi, she realized one of her financial accounts was at zero. She rushed home and logged onto her other accounts, and also saw them being drained.

In total, the hackers managed to steal the equivalent of $30,000 in cryptocurrency.

"I hope this is a bit more of an extreme case," she said. "But I think … every Canadian is at risk right now."

Social engineering on the rise

Tomlinson’s losses may sound extreme, but companies around the world say social engineering attacks are on the rise.

Canada’s federal privacy commissioner now requires all companies to report any security or privacy breaches. Since November 2018, there have been more than a dozen reports of social-engineering breaches in this country’s telecommunications sector alone.

In an email, the Office of the Privacy Commissioner told Marketplace the trend "clearly raises concerns."

The emergence of social engineering fraud comes as no surprise to ethical hacker and cybersecurity expert Joshua Crumbaugh.

"Social engineering’s been a popular thing, I mean, since the beginning of time — we just gave it a new term. It’s the same thing that grifters and con men have been doing forever … they’re just exploiting basic human weaknesses or vulnerabilities."

Joshua Crumbaugh is an ethical hacker and cybersecurity expert whose company, PeopleSec, teaches skills for avoiding cyberattacks. (David MacIntosh/CBC)

It’s human nature to want to help and avoid conflict, which is why Crumbaugh says the key to a successful social engineering hack depends on who picks up the other line.

Chances are if one person is not willing to help, the next person likely is, he says.

"It’s just psychology. So if you understand how somebody’s going to react to something, you can easily manipulate somebody into giving you information or access to things that maybe they shouldn’t."

Marketplace calling

To see how Rogers would respond to a social engineering attack, Marketplace asked Crumbaugh to try to hack into Marketplace host Charlsie Agro’s personal account, providing him only with her name and phone number.

On the first attempt, Crumbaugh called the company’s customer service line, posing as Agro’s personal assistant. The call ended quickly, with the rep refusing Crumbaugh access to the account unless Agro phoned and added him as a user.

He called back minutes later and, with a different rep on the phone, instead posed as Agro herself. He did not disguise his voice. This time, the agent requested Agro’s birthdate and email address as verification, which Crumbaugh was able to provide after some quick searches online.

The agent also asked Crumbaugh to provide the PIN and postal code attached to the account. Crumbaugh guessed at a PIN and, after another online search, provided a postal code. Both were off by a single digit, but the agent still allowed Crumbaugh to access the account, which could have ultimately locked Agro out.
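The two failure patterns in this story are the same one seen from the carrier’s side: verification answers that are "close enough" get waved through, and a caller who is refused simply tries again with a different agent (eight separate chats in Tomlinson’s case, a second call minutes later in the Marketplace test). The following is an added example, written for this page and not code from Rogers, Marketplace or anyone quoted here, of a server-side verification gate that removes both: exact-match checks that the agent cannot override, and a failure counter kept per account rather than per call, so retries across agents and sessions share one budget. The account record, PIN, postal code and the policy numbers (three failures, 24-hour freeze) are constructed placeholders.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILED_ATTEMPTS = 3       # mismatches before the account is frozen (assumed policy value)
LOCKOUT_SECONDS = 24 * 3600   # length of the freeze (assumed policy value)


def _normalize_postal(code: str) -> str:
    """Tolerate only case and spacing: 'm5v 3l9' matches 'M5V3L9'.
    One wrong character, as in the Marketplace test, is still a mismatch."""
    return "".join(code.split()).upper()


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """A four-digit PIN is tiny; store a salted, slow hash rather than the digits."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    account_id: str
    postal_code: str                                # stored in normalized form
    pin_salt: bytes
    pin_hash: bytes
    failures: list = field(default_factory=list)    # timestamps of failed verifications
    locked_until: float = 0.0


def make_account(account_id: str, postal_code: str, pin: str) -> Account:
    salt = os.urandom(16)
    return Account(account_id, _normalize_postal(postal_code), salt, _hash_pin(pin, salt))


def verify_caller(acct: Account, pin: str, postal_code: str,
                  now: Optional[float] = None) -> dict:
    """Decide, server-side, whether this caller may be treated as the account holder.

    The agent receives only the decision and a reason code, so a sympathetic agent
    cannot accept a near miss. Failures are counted on the account, not the call, so
    hanging up and trying again with another agent draws on the same budget, and the
    freeze also blocks SIM changes made with correct answers until it expires."""
    now = time.time() if now is None else now
    if now < acct.locked_until:
        return {"verified": False, "sim_change_allowed": False, "reason": "account_locked"}

    pin_ok = hmac.compare_digest(_hash_pin(pin, acct.pin_salt), acct.pin_hash)
    postal_ok = _normalize_postal(postal_code) == acct.postal_code
    if pin_ok and postal_ok:
        acct.failures.clear()
        return {"verified": True, "sim_change_allowed": True, "reason": "ok"}

    # Record the failure, keeping only those inside the current window.
    acct.failures = [t for t in acct.failures if now - t < LOCKOUT_SECONDS] + [now]
    if len(acct.failures) >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        return {"verified": False, "sim_change_allowed": False, "reason": "account_locked"}
    # Deliberately do not reveal which field was wrong.
    return {"verified": False, "sim_change_allowed": False, "reason": "mismatch"}


if __name__ == "__main__":
    # Constructed subscriber record: placeholder PIN and postal code, not real data.
    acct = make_account("sub-0001", "M5V 3L9", "4821")
    print(verify_caller(acct, "4821", "m5v3l9", now=0))     # exact match: verified
    print(verify_caller(acct, "4822", "M5V 3L9", now=10))   # PIN off by one digit: refused
```

The reason codes exist for the agent’s script ("the system could not verify you; the account holder can visit a store with ID"), not for the caller; the caller is told only that verification failed. Keeping the failure history and the lock on the account record is what gives the "friction" Tomlinson describes: the ninth chat window is no fresher a start than the first.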

Watch how ethical hacker Joshua Crumbaugh uses social engineering to gain access to Charlsie Agro’s Rogers account:

Cybersecurity expert Joshua Crumbaugh hacks into Marketplace host Charlsie Agro’s Rogers account using only her name and phone number.

Crumbaugh believes companies need to better educate their customer service representatives on how to identify and prevent social engineering hacks.

"We have got to do more in making our people aware that these things happen," he said.

Marketplace asked the Canadian Wireless and Telecommunications Association — the wireless industry’s main lobby group, representing Bell, Rogers and Videotron, among others — what it is doing to help protect consumers from social engineering attacks.

CWTA president Robert Ghiz said each of its members is responsible for its own security, but that the companies have measures in place to keep customers’ data safe, including PINs, passwords, security questions and voice identification.

He also said many telecommunications companies are undertaking training for their staff, and that he believes protecting consumers against social engineering attacks is a top priority for CWTA members.

"It’s got to be about educating those front-line services and training those front-line services — and it needs to continue to be vigilant into the future," Ghiz said.

When Marketplace pointed out that an incorrect PIN and postal code didn’t keep our ethical hacker out of Agro’s account, Ghiz said he believes the security measures in place are largely working, noting there are millions of calls coming in every week.

"There’s always going to be some human error that’s going to exist," he said.

Rogers responds

In an email, Rogers said it takes its customers’ privacy and security very seriously and the company is continually strengthening its security measures and verification processes. It reinforces those measures with "ongoing training in authentication best practices for front-line team members."

When provided with the results of Marketplace’s ethical hacking test, Rogers admitted its authentication steps were not followed and said action was taken to reinforce proper protocols with the agent involved.

As for Tomlinson, she says she was not happy with the solutions Rogers offered following her experience: she was initially offered three months of free service, then a year of free service.

She is now pursuing legal action against the company.

Although Rogers would not comment on Tomlinson’s case, as it is before the courts, the company argues it is not responsible for what happened to her.

"What I really want to see is, not just that they give platitudes, and say, ‘Oh, we’re sorry this happened’ from a customer service point of view, but that they make real changes to their policies and their training … so that this can’t happen," said Tomlinson.

Kevin Mitnick, one of the world’s most famous hackers, says social engineering attacks are happening every day, as they’re relatively easy to perform, with little technical skill needed. (David MacIntosh/CBC)

Kevin Mitnick, an infamous hacker turned do-gooder, agrees customer service reps need better training. "The companies need to have policies put into place to come up with a way to have a very high confidence that they’re dealing with the consumer," he said.

Mitnick has hacked into more than 40 companies, from a McDonald’s drive-thru to Motorola, and was once one of the FBI’s most wanted — eventually serving five years in prison for computer and phone hacking. Today he runs a business that points out security flaws to the corporations he once targeted.

Social engineering attacks are happening every day, Mitnick says, and it is often the first technique hackers turn to, because "calling somebody on the phone is so much easier than doing the technical magic you need to break into a computer."

Mitnick is adamant: Consumers need to demand more from their vendors. If you aren’t satisfied with the steps your provider is taking to protect your account, vote with your wallet, he says.

"It’s really up to the organizations that need to verify their customers’ information. They’re the ones that are in control … they’re the ones that could affect change," he said. "The consumer can only demand change — and if they’re unwilling to do it, you go to a different vendor."

Consumers can help themselves

Crumbaugh says there are some ways consumers can help themselves.

First, if possible, set a PIN on your account. Choose four digits at random; connecting them to an easy-to-guess birthdate or address is a bad idea.

He also suggests creating fake answers to common security questions like "What is your mother’s maiden name?" For example, don’t use your dog’s real name, and if you do, don’t make that information public.

Social media is one of the first places hackers look to for clues about your passwords and answers to common security questions, such as your birthdate and where you went on your honeymoon.

Watch as Marketplace asks Canadians how careful they are about their online passwords:

Marketplace asked members of the public about the strength of their passwords.

"So many people will use their children’s names or birthdates or their animals’ names as passwords, and then you go onto their social media, and they’ve posted a million pictures of the same dog with the name of their dog, and they’re basically putting their passwords out there for everyone to see," said Crumbaugh.

Crumbaugh also suggests using security questions that require an answer only you know but is not a personal detail like a birthdate.



Sick Kids orders ‘systematic’ review of Dr. Gideon Koren’s published works


Toronto’s Hospital for Sick Children has announced a wholesale review of the vast body of published work by Dr. Gideon Koren, the former director of the discredited Motherisk lab, amid a Star investigation that identified what appear to be problems in more than 400 of Koren’s papers.

Sick Kids reacted after the Star presented the hospital with the results of the newspaper’s review that found these papers had been inadequately peer-reviewed, fail to declare, perhaps even obscure, conflicts of interest and, in a handful of cases, contain lies about the methodology used to test hair for drugs.

Many of these articles stand in the scientific literature, despite two government commissioned inquiries and an internal investigation by the hospital into Motherisk, following concerns that were first raised about the program by the Star four years ago.

“Despite the actions taken to date, fresh concerns have surfaced in the area of scientific reliability and academic publication conflict of interest disclosures,” Sick Kids said in a news release on Friday. “Here SickKids wishes to acknowledge the investigative work of reporters Rachel Mendleson and Michele Henry of The Star who brought relevant findings to the organization’s attention. They have unearthed publications where, on initial review, it appears that Dr. Koren did not disclose industry support that appears relevant to the primary focus of the publication or otherwise related to the published work.”

Sick Kids acknowledged that while institutions rely on the good faith of scientists to disclose conflicts that could bias their work, “it is regrettable that the Hospital did not conduct any audits of Dr. Koren’s publications which may have identified disclosure issues sooner.”

A prolific author, Koren has published more than 1,500 research papers over the last 40 years, Sick Kids has said. The Motherisk Program he founded at the hospital in 1985 became a trusted source of drug-safety advice for pregnant women and their doctors. Motherisk’s affiliated hair-testing lab made more than $11 million from 2007 to 2015 alone, selling its drug and alcohol tests, primarily to child welfare agencies, as evidence of parental substance abuse in child protection cases.

Sick Kids closed the Motherisk lab in 2015. The counselling function of the Motherisk Program continues at the hospital under new leadership.

The hospital said it will conduct a “systematic examination” of Koren’s published work in an effort to “protect the integrity of the existing medical literature.” It will also undertake a “focused scientific review” of Koren’s hair-testing papers and his “primary research” related to the popular morning-sickness drug Diclectin — two of the problem areas the Star flagged — and will add “new measures to strengthen institutional oversight of publication disclosure practices.”

Koren held cross appointments in the faculties of medicine and pharmacy at the University of Toronto. In an email, Vivek Goel, Vice-President, Research and Innovation, at the university, said the Sick Kids reviews “relate to the clinical testing done by the Motherisk laboratory which is in its jurisdiction.”

“If in the course of the SickKids reviews, issues are identified that involve research conducted under the auspices of the University, then we will be engaged, as appropriate,” he said, adding that the university will “take appropriate actions” if the hospital’s findings involve individuals at U of T.

The more than 400 papers co-authored by Koren that the Star flagged as possibly containing problems include research articles, conference papers, literature reviews, editorials, book chapters, and magazine articles.

We found more than 60 papers that relate to drug and alcohol hair-testing that we deemed problematic because retired judge Susan Lang’s 2015 review of Motherisk exposed failings in the lab, including that hair test results were “inadequate and unreliable” but were used in thousands of child protection cases and a handful of criminal cases.

Sick Kids said it is “in the process of identifying” publications related to the Motherisk drug-testing lab “that could potentially have therapeutic or diagnostic implications to conduct a review.”

“The journals that have published these studies share responsibility for addressing this issue and to the extent our work results in any findings, our plan is to disclose same to the journals,” the hospital said.

Lang, in her 2015 report, pinpointed five papers that falsely claimed the lab’s results had been verified with gold-standard testing, when in fact Motherisk rarely confirmed its screening test results before 2010, contrary to international standards for evidence presented in court. Following Lang’s report, Sick Kids said the hospital’s research integrity adviser reviewed these papers and found that Koren violated some of the guidelines that govern the use of federal research funds, which it reported to the Secretariat for Responsible Conduct of Research, which oversees the Canadian Institute for Health Research.

Koren sent letters identifying “corrigendum” — or correction — to the editors of the journals in which these articles appeared, and corrigenda were published in relation to three of the papers.

However, Sick Kids said that pediatrician-in-chief Ronald Cohn took issue with Koren’s claim in the corrections that “the fact that not all positive results had been (confirmed with gold-standard testing) had no impact on the results,” and wrote to the journals. One of the journals, Therapeutic Drug Monitoring, revised its position and this past summer issued a more severe “expression of concern” in relation to a 2007 article on cocaine detection in maternal and neonatal hair.

The Star, in its ongoing investigation, found that Therapeutic Drug Monitoring, which Koren edited from 2003 to 2015, has recently flagged six more of his papers as requiring further scrutiny. Sick Kids said it is “looking into these articles,” following questions from the Star.

The hospital’s promise to investigate Koren’s work on Diclectin comes five years after Dr. Nav Persaud, a researcher and family physician at St. Michael’s Hospital, co-authored a paper exposing inaccuracies in a 1997 article Koren co-authored on the safety and effectiveness of the drug.

Persaud praised Sick Kids for undertaking a thorough review of Koren’s work, but said, “It’s sad that it took questions from journalists for this to happen.”

“Many red flags have been raised over the years, and hopefully this announcement from Sick Kids means that the red flags will be heeded,” he said.

The Star’s review identified roughly 30 articles that reference morning sickness or Diclectin but do not disclose his financial ties to the manufacturer of the drug, Duchesnay. Koren has served as a paid consultant to the Quebec-based pharmaceutical company, which was also a long-time sponsor of the Motherisk Program, until the relationship ended in 2015.

The hospital reassigned oversight of Motherisk in the spring of 2015 after the Star asked about a morning sickness booklet — co-authored by Koren — posted on the Motherisk website that recommended the drug Diclectin but failed to disclose financial support from Duchesnay.

The Star found about 270 papers that reference, in some way, “The Research Leadership for Better Pharmacotherapy during Pregnancy and Lactation.” Sick Kids disclosed in 2015 that Koren created this name to refer to donated funds, and that the primary donor in the years leading up to the Motherisk scandal was Duchesnay.

Sick Kids said Friday that the hospital “was unaware that Dr. Koren had published on morning sickness and/or Diclectin without disclosing his relationship with Duchesnay.”

“The responsibility for disclosing relationships (conflicts of interest) in a publication rests with the author,” Sick Kids said.

In addition to reviewing the financial disclosures on nearly 20 years of Koren’s published work, the hospital told the Star it is “undertaking an analysis of Dr. Koren’s industry funding over time with a view to aligning funds on hand with dates of disclosures, for purposes of notification.”

Sick Kids will also review the science behind seven of his studies on the effectiveness of Diclectin.

Following questions from the Star last month, Sick Kids interim CEO Dr. David Naylor sent a letter to Koren asking him to contact journals to inform them of papers about morning sickness or Diclectin in which he did not disclose support from Duchesnay, as well as all papers referencing The Research Leadership for Better Pharmacotherapy during Pregnancy and Lactation in which he did not disclose funding sources. Naylor, in the letter, which has been posted on the Sick Kids website, also warned Koren to “cease and desist” from identifying himself in publications as being affiliated with Sick Kids.

“Falsely claiming an ongoing affiliation with an institution where you no longer work is a form of academic misconduct,” Naylor said.

The Star also identified nearly 200 articles that appeared in Canadian Family Physician, the official journal of the College of Family Physicians of Canada. The journal acknowledged in an editorial last year that it did not subject these articles — published regularly beginning in at least 1995 as “Motherisk Updates” — to a double-blind peer-review process because of its “longstanding relationship with Motherisk.” The journal withdrew its recommendation of Diclectin as a first-line treatment for morning sickness, citing Persaud’s findings.

Sick Kids said on Friday that it “would be pleased to assist Canadian Family Physician in reviewing a sample of these studies to determine whether they accurately reflected the literature available at the time of publication, and is prepared to do so independently as needed.”

Dr. Nick Pimlott, Scientific Editor of Canadian Family Physician, said that it will work with its editorial advisory board to “systematically and thoroughly review articles authored by Dr. Koren.” Articles with evidence of fraud or scientific misconduct would be retracted, he wrote to the Star in an email. Pimlott said it is “highly likely” the advisory board would implement “a process of peer review for all such articles” going forward.

Regarding the 1997 study that Persaud raised concerns about, Sick Kids said on Friday that, after confirming that the study overstated the number of subjects, the hospital retained an independent reviewer to assess the paper’s claim that antihistamines — one of the main ingredients of Diclectin — have a protective effect against major malformations. The review found this claim was not supported by the data, concluding that antihistamines are neither protective nor harmful.

Koren then sent these findings to the journal where the study appeared but the journal declined to print a correction “given the length of time that had passed,” Sick Kids said.

The Star’s investigation into Koren’s publications is being conducted in partnership with Ryerson University School of Journalism students Stefanie Phillips, Emerald Bensadoun, Kate Skelly and Alanna Rizza.



Schmidt’s Deodorant Works Even on Extra Sweaty Pits Like Mine | Healthyish


I sweat a lot. Not, like, an excessive amount but I will never be the person who goes into a heated yoga class and walks out looking the same as I did before (I’ve tried). Because of this, I have always been hesitant to give up my conventional, chemical-laden antiperspirant for something safer for my health. But after a friend sent me a horrifying article on the potential effects of antiperspirant deodorants, I decided that I had to make the switch, so I started my search for a natural alternative.

I tested a lot of natural deodorants before finding the one. I tried a bestseller from Goop, sampled multiple recommendations from friends, and even tried the brand that Emma Watson swears by. While all of these products touted non-toxic ingredients and had great reviews, all of them also had issues. Some were unable to protect against odor, many didn’t absorb wetness and almost all had a texture so rough that it actually hurt to use. After testing and disliking six different brands, I was ready to give up. Then my aunt introduced me to Schmidt’s.

Jaime Schmidt founded Schmidt’s out of her kitchen in Portland, OR in 2010. In search of a natural deodorant that she could use while pregnant, Schmidt decided to formulate her own. Despite having little experience making consumer goods, she began testing different formulas until she found the ideal one. The result? An aluminum-free, cruelty-free deodorant that was rid of parabens, phthalates and artificial fragrance. Oh, and this product actually worked.

“Once I realized that my deodorant countered a common customer perception—that natural deodorants don’t work—I decided to go all in and strategize turning Schmidt’s into a legitimate business,” says Schmidt. Since its humble beginnings, Schmidt’s has grown massively. The company, which now sells soaps and toothpastes in addition to deodorant, has a loyal following. You can now find Schmidt’s in thousands of retailers, including Target, where I bought my first stick. Three months later, I haven’t looked back.


Photo by Alex Lau

The Coconut Pineapple scent is my jam.

Schmidt’s is my stick of choice because, to start, it actually stays on throughout the day. With Schmidt’s, I can apply in the morning, go to work, and not have to worry about my deodorant lasting through EOD. (Not having to reapply deodorant in the bathroom during a busy workday is a game-changer.) I also like Schmidt’s because it’s easy to apply. Whereas other natural deodorant sticks were rough and caused underarm rashes, Schmidt’s glides on smoothly.

In addition to its Signature Stick Formula, Schmidt’s also sells a Sensitive Skin Formula that does not contain baking soda, and I’ve found that it applies even more smoothly than the original stick (I’m partial to the coconut pineapple scent). Schmidt’s also sells glass deodorant jars for those who prefer not to use stick deodorants.

For me, Schmidt’s is a clear winner. Non-toxic formula? Check. Effectiveness? Check. Inspiring founder? Check. While the process of finding Schmidt’s was by no means easy, I am glad that I saw it through and ultimately let go of my beloved antiperspirant for a healthier option. Now I can confidently swipe my deodorant on every morning without a guilty conscience or underarm rashes. And that is pretty big.

Buy it: Schmidt’s Natural Deodorant, $8.99

All products featured on Healthyish are independently selected by our editors. However, when you buy something through our retail links, we may earn an affiliate commission.



Drunk Elephant’s D-Bronzi Serum Works Great As Long As You Mix It Right | Healthyish


If you’re reading this, you’ve probably heard of Drunk Elephant. Because whatever instinct steered you to a website called Healthyish probably also led you to this “it” healthyish beauty line. Free of controversial ingredients like silicones, drying alcohols, and fragrances, Drunk Elephant was one of the first brands to hit the skincare scene, and it surpassed the competition quickly after.

Do a quick Google search for “Drunk Elephant reviews” and it’ll pull up pages and pages of gushing testimonials and breathless “I tried it!” blog posts. Unlike other natural skincare brands, which often skimp on science, founder Tiffany Masterson created the brand to be both clean and clinical, meaning the products still pack a punch. All you have to do is feel the tingle of the T.L.C. Framboos Glycolic Night Serum to know that stuff is working.

So I was eager to take the D-Bronzi™ Anti-Pollution Sunshine Drops, which launched this summer, out for a test drive. (Plus, I need to troubleshoot my dark olive skin, which in the winter turns so sallow that I look like I’m one Bloody Mary away from jaundice.) If you can get over the name “D-Bronzi™ Anti-Pollution Sunshine Drops,” which took me a week because I knew I would have to type it multiple times, you then have to go through the work of trying to understand what, exactly, this is. Is it self-tanner? Antioxidant serum? Bronzer? All of the above?

Technically, it’s a bronzing serum, which means that it has the deep, nutty color of a serious bronzer paired with, yes, an antioxidant serum. There are also hydrating fatty acids and peptides in the formula, which are beneficial for all skin types. But, even so, the anti-pollution benefits touted in the name seem like more of an afterthought. (It’s a nice afterthought! But it’s still an afterthought.) That’s partly because the pigment is so concentrated that it looks and acts far more like a makeup product than skincare.

Masterson says you can mix the D-Bronzi™ Anti-Pollution Sunshine Drops (ugh) with a number of things, like other serums, oil, sunscreen, or moisturizer. I first mix it with my moisturizer, and am immediately impressed by how sheer and subtle the glow-enhancing effect is, as though I spent a three-day weekend on an alpine hike. It also gives my skin a dewy finish, which I’m very into—until I remember that I still have to put on sunscreen. The SPF blurs out most of the sun-kissed color, and I’m back to square one.

The next day, I mix it with my sunscreen. I usually wear sunscreen that’s fairly liquid in texture, meaning it blends in easily and never looks chalky. But the sunscreen and bronzing serum together make me look a little too dewy, like I ate a Whopper Junior with cheese late last night and now, in the early light of dawn, all of the grease is finally emerging from my pores. And I already have oily skin! No, thank you.

Finally, I go off-label and combine it with my foundation. (It’s IT Cosmetics Your Skin But Better CC+ Cream Oil-Free Matte with SPF 40, in case you too emit more grease than a drive-thru window.) The matte, oil-free foundation blends seamlessly with half a pump of the D-Bronzi™ Anti-Pollution Sunshine Drops. The resulting mixture gives me everything I want: glowing skin, a fresh finish, and just enough coverage to trick people into complimenting my skin. And protection against pollution, I guess.

I really like the D-Bronzi™ Anti-Pollution Sunshine Drops now that I’ve figured out how to pair it. It’ll take some experimenting for you, too, since everyone’s routines and skin types vary. Find the right delivery method, and you’re golden.

Buy it: D-Bronzi™ Anti-Pollution Sunshine Drops, $36

All products featured on Healthyish are independently selected by our editors. However, when you buy something through our retail links, we may earn an affiliate commission.

