How I Lost My $50,000 Twitter Username

Excerpt from this article:

My $50,000 Twitter Username Was Stolen Thanks to PayPal and GoDaddy

I had a rare Twitter username, @N. Yep, just one letter. I’ve been offered as much as $50,000 for it. People have tried to steal it. Password reset instructions are a regular sight in my email inbox. As of today, I no longer control @N. I was extorted into giving it up.

Advertisements

Your Mother’s Maiden Name Is Not a Secret

Excerpt from this article:

Security questions are astonishingly insecure: The answers to many of them are easily researched or guessed, yet they can be the sole barrier to someone gaining access to your account. The cryptology and security expert Bruce Schneier once described them as an “easier-to-guess low-security backup password that sites want you to have in case you forget your harder-to-remember higher-security password.”

There has been no shortage of incidents demonstrating these questions’ vulnerabilities. In 2005, Paris Hilton’s T-Mobile account was hacked by a teenager who, like anyone who searched “Paris Hilton Chihuahua” on the internet, knew the answer to “What’s your favorite pet’s name?” In 2008, Sarah Palin’s Yahoo account was hacked by a college student who reset her password using her birth date, ZIP code and the place where she met her spouse.

How many of us can answer the premillennial “What city were you in to celebrate the year 2000?” or “What year did you take out your first mortgage?” And how many Indian- or Brazilian-born users went to a high school without a mascot, or grew up on a street with no name? How many of our mothers never changed their names?

The other main type of security question asks for a subjective answer. Such questions imagine lives punctuated by distinct firsts and bests and filled with enduring favorites, but favorites and bests and even firsts can change when people maintain accounts for decades. At some point, both factual and subjective security questions become archaeological. “In what month did you meet your significant other?” requires a framing question: Whom were you with when you set up this account?

A 2015 study by Google engineers found that only 47 percent of people could remember what they put down as their favorite food a year earlier — and that hackers were able to guess the food nearly 20 percent of the time, with Americans’ most common answer being pizza.

 

A Murder Case Tests Alexa’s Devotion to Your Privacy

Excerpt from this article:

Arkansas police recently demanded that Amazon turn over information collected from a murder suspect’s Echo. Amazon’s attorneys contend that the First Amendment’s free speech protection applies to information gathered and sent by the device; as a result, Amazon argues, the police should jump through several legal hoops before the company is required to release your data.

… Let’s look at a few scenarios. These are more or less specific to Amazon’s technology and policies, but variants could apply to Google Home or other digital assistants. This brings up a more basic question: Do you have to give informed consent to be recorded each time you enter my Alexa-outfitted home? Do I have to actively request your permission? And who, at Amazon or beyond, gets to see what tendencies are revealed by your Alexa commands? Amazon claims you can permanently delete the voice recordings, though wiping them degrades performance. Even if you’re smart enough to clear your browser history, are you smart enough to clear this, too? And what about the transcripts?

Another question: How do you know when your digital assistant is recording what you say? Amazon provides several ways to activate the recording beyond the “wake” word. A light on the Echo turns blue to indicate audio is streaming to the cloud. After the request is processed, the audio feed is supposed to close. You can also set the device to play a sound when it stops streaming your audio, but what happens if the device is hacked or modified to keep recording?

Internet of Things Teddy Bear Leaked 2 Million Parent and Kids Message Recordings

Excerpt from this article:

As we’ve seen time and time again in the last couple of years, so-called “smart” devices connected to the internet—what is popularly known as the Internet of Things or IoT—are often left insecure or are easily hackable, and often leak sensitive data. There will be a time when IoT developers and manufacturers learn the lesson and make secure by default devices, but that time hasn’t come yet. So if you are a parent who doesn’t want your loving messages with your kids leaked online, you might want to buy a good old fashioned teddy bear that doesn’t connect to a remote, insecure server.

We know where you live

“[W]hen you send location data as a secondary piece of information, it is extremely simple for people with very little technical knowledge to find out where you work or live,” Ilaria Liccardi says.

Excerpt from this article:

Researchers at MIT and Oxford University have shown that the location stamps on just a handful of Twitter posts — as few as eight over the course of a single day — can be enough to disclose the addresses of the poster’s home and workplace to a relatively low-tech snooper.

The tweets themselves might be otherwise innocuous — links to funny videos, say, or comments on the news. The location information comes from geographic coordinates automatically associated with the tweets.