The internet of things (IoT) has introduced many smart devices whose connectivity makes everyday tasks considerably more convenient. That same connectivity also introduces security and privacy concerns that need to be addressed proactively, such as data and credential theft, spying, and manipulation of a device's settings or functions. The following best practices address the security concerns presented by IoT devices:
- Immediately change default credentials. Malicious actors know, or can easily obtain, manufacturers' default credentials, and lists of them circulate online.
- Enable MFA (multi-factor authentication) on every device and companion account that supports it. MFA protects your devices even if your credentials are compromised or stolen.
- Review the device's default privacy and security settings. These defaults are chosen by the manufacturer; make sure they work for you and change them if necessary.
- Disable features you don't plan to use. Doing so minimizes the device's attack surface and its potential for manipulation.
- Keep device firmware up to date. Apply updates and patches promptly, as malicious actors seek to exploit known vulnerabilities that patches address.
- Do not connect IoT devices to untrusted networks such as public WiFi networks – malicious actors may target devices connecting to these networks.
- Secure your home WiFi network: use WPA2 or WPA3 encryption with a strong passphrase.
- Use long, unique passwords for each device. For password tips, please see the following Connect article, Under Lock and Passphrase.
- Enable the firewall on your router so that it blocks unsolicited inbound connections from the internet to your devices; only forward ports you actually need.
- Consider disabling SSID broadcasting, which stops your router from advertising its network name in beacon frames; users then have to know the name to connect. Be aware that this is only a minor obstacle: the name is still sent in the clear whenever a device connects, so anyone with a WiFi sniffer can learn it, and it is no substitute for WPA2/WPA3 encryption and a strong passphrase. For more information, please see the following article from Lifewire: Disable SSID Broadcast to Hide Your Wi-Fi Network.
Additionally, for tips on router security, see the following NYU IT Security News & Alerts blog post: Home WiFi Router Security: What You Should Know.
Two fitness apps, “Fitness Balance” and “Calorie Tracker”, were recently found to be charging users without their consent and have been removed from the App Store. The apps had phony positive reviews in the App Store and displayed pop-ups prompting users to scan their fingerprint to unlock features. However, doing so triggered an automatic charge of $99 to $139 to the user’s credit card. iPhone X users who had Double Click to Pay enabled were protected against the charge, since a purchase then requires a deliberate double press of the side button.
It is recommended that iPhone X users enable “Double Click to Pay” and that all other iPhone users disable Touch ID for purchases by going to Settings > Touch ID & Passcode and turning off “Use Touch ID for iTunes & App Store”. With that setting off, purchases require your Apple ID password instead, which makes an unintended charge much harder. Victims of this scam can submit a report to Apple.
Marriott has announced a breach of its Starwood reservation database which has exposed the personal information of up to 500 million guests. Starwood hotels include: W Hotels, St. Regis, Sheraton Hotels and Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Meridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. This breach impacts anyone who made a reservation between 2014 and September 18, 2018.
Marriott has confirmed that the attackers were able to access names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender information, Starwood loyalty program account information and reservation information. Credit card numbers and expiration dates were also potentially exposed. Marriott has set up a website (https://answers.kroll.com) containing incident information, resources, FAQs, and customer next steps, including free WebWatcher enrollment. WebWatcher monitors sites where stolen personal information is shared and notifies consumers if their personal information is found on these sites. U.S. guests who enroll in WebWatcher will also receive free fraud consultation services and reimbursement coverage.
Because phishing attempts related to this breach are likely, Marriott states that its emails to customers about the breach will not contain attachments or requests for information. The FTC advises that the safest way to access breach information is via the Marriott website: https://answers.kroll.com.
For those who have made a reservation at a Starwood hotel during the period impacted by the breach (2014- September 18, 2018):
- Monitor your financial accounts to ensure there are no unauthorized transactions. Many credit card providers offer a service whereby you can request notification (by text or email) of charges that exceed a certain amount.
- Change your Marriott/Starwood account password even if your account has not been reported as compromised. This is a simple step which may protect you from possible negative impacts.
- Place a fraud alert on your credit files. Fraud alerts warn creditors that you may be a victim of identity theft and that they should verify that anyone seeking credit is really you.
- Consider a credit freeze so that identity thieves will be unable to open new lines of credit.
- Fraud alerts and credit freezes are now free. For more information, please see the following posts from the NYU IT Security News & Alerts blog:
Social engineers continue to get more sophisticated in their attempts to trick you. A current example is that the green padlock symbol, a recognizable indicator of site safety that is visible in your browser’s address bar, now appears on many phishing sites. The padlock means that the connection between your browser and the website is encrypted with TLS (the successor to SSL, Secure Sockets Layer) so that it cannot be read by third parties in transit, and the “https” in the address bar means the site presented a certificate for its domain name that was issued by an authority your browser trusts. Neither says anything about who operates the site or whether the domain is the one you meant to visit. Since certificates are now free and issued automatically, phishers routinely register domain names, obtain certificates for them and serve their fake pages over HTTPS. Hence, the green padlock security indicator can no longer be relied upon on its own to determine a website’s safety or security.
- Experts suggest that users look for inconsistencies in a site’s URL and web page. Check the domain name carefully, including the part immediately before the first slash, since look-alike names and the real site’s name placed as a subdomain of an attacker’s domain are common tricks.
- It is a recommended best practice to visit a site by typing the URL into your browser’s address bar or by locating the site via an internet search.
- It is not advisable to visit sites via embedded links in email messages, as this is a commonly used method for directing victims to spoofed sites.
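The checks above can be applied to the URL itself rather than to the padlock. The following is an added example, not code from the original post: a small Python checker that flags the common URL tricks described above (the real site’s name as a subdomain of another domain, userinfo before an "@", digit-for-letter substitutions, internationalised homoglyph names, bare IP addresses, and plain http). The expected domain "mybank.example", the substitution table and every sample URL are constructed for illustration (.example is a reserved top-level domain); the two-label domain rule is a deliberate simplification noted in the code.

```python
"""
Added example, not code from the original NYU post: apply the "look at the
URL, not the padlock" advice programmatically. Everything here (the expected
domain, the confusable table, the sample URLs) is constructed for illustration.
"""
from urllib.parse import urlsplit

# Digit/symbol substitutions commonly used to build look-alike names.
# Constructed, deliberately short list; real homoglyph sets are far larger.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                             "5": "s", "7": "t", "$": "s", "@": "a"})


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname ('login.mybank.example' -> 'mybank.example').

    Simplification: a production check should use the Public Suffix List so
    that names such as 'shop.example.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url: str, expected_domain: str) -> dict:
    """Classify a URL as 'ok' or 'suspicious' relative to the site the user intends."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    reasons = []

    # https is necessary, but (as the text above explains) never sufficient.
    if parts.scheme != "https":
        reasons.append("connection is not https")

    # 'https://mybank.example@evil-host.example/' connects to evil-host.example;
    # the part before '@' is userinfo, not the host.
    if parts.username is not None:
        reasons.append("userinfo before '@' disguises the real host")

    # Internationalised names: either raw non-ASCII or already-encoded 'xn--'.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
        reasons.append("host is not a valid IDNA name")
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        reasons.append("internationalised (punycode) label: possible homoglyph of a familiar name")

    if host.replace(".", "").isdigit():
        reasons.append("bare IP address instead of a domain name")

    actual = registrable_domain(ascii_host)
    if not host:
        reasons.append("URL has no host")
    elif actual != expected:
        if ascii_host.startswith(expected + ".") or ("." + expected + ".") in ascii_host:
            reasons.append(f"'{expected}' is only a subdomain of '{actual}'")
        elif actual.translate(CONFUSABLES) == expected:
            reasons.append(f"'{actual}' is a character-substitution look-alike of '{expected}'")
        else:
            reasons.append(f"host '{ascii_host}' is not under '{expected}'")

    return {"host": ascii_host, "domain": actual,
            "verdict": "ok" if not reasons else "suspicious", "reasons": reasons}


# Constructed sample URLs (none of these are real sites).
SAMPLES = [
    "https://login.mybank.example/account",        # legitimate subdomain
    "http://mybank.example/login",                 # right site, no TLS
    "https://mybank.example.evil-host.example/",   # real site name as a subdomain
    "https://mybank.example@evil-host.example/",   # userinfo trick
    "https://myb4nk.example/",                     # digit-for-letter substitution
    "https://myb\u0430nk.example/",                # Cyrillic 'a' homoglyph
    "https://203.0.113.7/secure",                  # bare IP (TEST-NET-3 address)
]

if __name__ == "__main__":
    for url in SAMPLES:
        result = analyze_url(url, "mybank.example")
        print(f"{result['verdict']:10} {url}  {'; '.join(result['reasons'])}")
```

Note that only the first sample comes back "ok": every other URL can be served over HTTPS with a perfectly valid certificate and still show a padlock, which is exactly why the domain name, not the padlock, is what needs checking.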