Posts

FaceApp is Fun, But Putin Will Own Your Privacy

FaceApp quite literally owns your face forever (or atleast the image of your face).

It’s funny how we spend billions of dollars a year on health and beauty products and treatments designed to keep us looking, as Carrie Underwood sings, “young and beautiful”, but when a fun app comes along that gives us a goofy look or makes us look 30 years older, we jump at the chance to see it and share it with all of our friends on Social Media.  That’s exactly the case with FaceApp, an app that alters photos to make you look years older or alter facial expressions, looks, etc.  Thanks in part to use by celebrities such as Underwood, the Jonas Brothers and LeBron James, more than 150 million users have uploaded their photos to the app and it is now the top-ranked app on the iOS App Store in 121 countries. Free, fun and harmless, right?  Maybe, maybe not…

Every app is uploading your data and daily habits and locations, combining it with your social media profile and exploiting or selling it. That’s the profit model of the internet, not just FaceApp. That’s not what makes this particular app unique or noteworthy.  Wireless lab, creators of FaceApp is based in St. Petersburg, Russia, which means that by default, Vladimir Putin has a picture of you someplace on his hard driveLet’s be clear, Russia can get into any centralized database of facial recognition photos it wants to – this just makes it easier for them.

Not only that, but FaceApp retains a perpetual license to utilize your photo in any way it sees fit. In their words you are granting FaceApp “a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you”.

This makes it not just a privacy issue, but also a security issue, as there is no guarantee that your photos and device data are stored securely. In fact, there is almost no chance that they are stored securely. In addition to your photo, some other personal information is transmitted, and you are never alerted to the fact that either are being uploaded.

For now, it seems that they are only uploading the photo that you choose to upload, but I see no reason why they won’t slyly begin uploading every photo in your album as their terms of service don’t preclude that evolution. Facebook didn’t always collect and sell our information as they do now, but that didn’t stop them when profit is involved.  Information collection companies start by collecting very little until we stop paying attention, and then they transmit everything. They love the slippery slope of boiling the privacy frog!

So-what can you do about it?

  • The Democratic National Committee sent out a warning to campaigns recently telling people to delete the apps from their phone.  It’s a start, but deleting the app doesn’t get rid of your data in the cloud, and doing so is time-consuming and confusing.
  • For the fastest processing, try sending the requests from the FaceApp mobile app using ‘Settings->Support->Report a bug’ with the word ‘privacy’ in the subject line.
  • If it’s not too late, resist the urge to download the app!  Maybe look at a picture of your parents instead.

Most importantly, the next time you are giving away access to your photos or allowing any app to access data on your phone, read their privacy or data use policy first. You will be amazed at what you are giving away for free that makes them gobs of money.

John Sileo loves his role as an “energizer” for cyber security at conferences, corporate trainings, and industry events. He specializes in making security fun so that it sticks. His clients include the Pentagon, Schwab and many organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime. Call if you would like to bring John to speak to your members – 303.777.3221.

BREACHED! Customer Data from Quest Diagnostics & Lab Corp

Within just a few days of each other, both Quest Diagnostics and Lab Corp, two of the largest blood testing providers in the nation, warned that millions of their customers might have had information breached. In both cases, customers may have had personal, financial and medical information breached due to an issue with the American Medical Collection Agency (AMCA), a billing collections service provider used by both companies.

Between August 1, 2018, and March 30, 2019, someone had unauthorized access to the systems of AMCA. Quest reported that the affected system stored information on roughly 11.9 million of its patients. In addition, LabCorp numbers could be up to 7.7 million customers.

“(The) Information on AMCA’s affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers),” Quest said in a filing with securities regulators. AMCA did not have access to actual lab test results.

Change Your Behavior After the Breach

If you, like pretty much EVERYONE I know, have used either of these services, follow the steps below to protect yourself against future attacks.

  1. Assume that your identity has been compromised. If you have been a customer of either company, don’t take a chance that you are one of the very few customers that aren’t affected. It’s not time to panic; it’s time to act.
  2. Read the explanation of benefits statement from health insurers to confirm that your charges are correct.
  3. I recommend placing a verbal password on all of your bank accounts and credit cards so that criminals can’t use the information they have from the breach to socially engineer their way into your accounts. Call your banks and credit card companies and request to place a “call-in” password on your account.
  4. Begin monitoring your bank, credit card, and credit accounts regularly.
  5. Visit AnnualCreditReport.com to get your credit report from the three credit reporting bureaus to see if there are any newly established, fraudulent accounts set up. DON’T ONLY CHECK EQUIFAX, AS THE CRIMINALS HAVE ENOUGH OF YOUR DATA TO ABUSE YOUR CREDIT THROUGH ALL THREE BUREAUS.

Take Action on Your Accounts

  1. Change your passwords. We hear all the time about stupid things people do when it comes to creating passwords; the most commonly used passwords in the United States for the past several years include “123456”, “password” and some variation like “password1234”. The bottom line is it is nearly impossible to effectively create and remember all the passwords we need to function in our daily lives. It seems there are two ways people handle this. They continue to use the same (usually poor) passwords over and over, or they do what I highly recommend and use a password manager program.
  2. Enable two-step logins. Two-step logins are when two separate passcodes are required to log in to one of your online accounts. One of the most common and popular forms is called text verification, and I’m sure you’ve already experienced it. That’s where you log in to your online account with your regular username and password, and then a secondary passcode is sent to your phone by text or even better, through an App like Google Authenticator. Without that second passcode, no one gets into the account.
  3. Set up account alerts. To monitor accounts quickly and conveniently, sign up for automatic account alerts when any transaction occurs on your account. As a result, if you spend even a dollar at a store, you receive an email or text notifying you of the purchase. If you receive an email for an amount you didn’t spend – bingo – you’re probably a victim of fraud.
  4. MOST IMPORTANTLY, FREEZE YOUR CREDIT. Some websites and cybersecurity experts will tell you to place a fraud alert on your three credit profiles. I am telling you that this isn’t strong enough to protect your credit. Freezing your credit puts a password on your credit profile so that criminals can’t apply for credit in your name (unless they steal your password too). Here are the credit freeze websites and phone numbers for each bureau. Learn more about freezing your credit by watching the video here.

Contact Credit Companies

Equifax Credit Freeze
P.O. Box 105788 Atlanta, Georgia 30348
Toll-Free: 1.800.685.1111

TransUnion Credit Freeze
Fraud Victim Assistance Department P.O. Box 6790 Fullerton, CA 92834
Toll-Free: 1.888.909.8872

Experian Credit Freeze
P.O. Box 9554 Allen, TX 75013
Toll-Free: 1.888.397.3742


John Sileo loves his role as an “energizer” for cyber security at conferences, corporate trainings, and industry events. He specializes in making security fun so that it sticks. His clients include the Pentagon, Schwab and many organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime. Call if you would like to bring John to speak to your members – 303.777.3221.

12th Day: Holiday Security Tips All Wrapped up Together

Would you like to give the people you care about some peace on earth during this holiday season? Take a few minutes to pass on our 12 privacy tips that will help them protect their identities, social media, shopping and celebrating over the coming weeks. The more people that take the steps we’ve outlined in the 12 Days of Christmas, the safer we all become, collectively.

Have a wonderful holiday season, regardless of which tradition you celebrate. Now sing (and click) along with us one more time.  

On the 12th Day of Christmas, the experts gave to me: 

12 Happy Holidays,

11 Private Emails,

10 Trusted Charities

9 Protected Packages

8 Scam Detectors

7 Fraud Alerts

6 Safe Celebrations

Fiiiiiiiiiiive Facebook Fixes

4 Pay Solutions

3 Stymied Hackers

2 Shopping Tips

And the Keys to Protect My Privacy

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Roomba Selling, I Mean Sharing our Home Data?

What a difference a word makes. On July 24, Reuters published a story about an interview with Colin Angle, the CEO of iRobot Corp. They are the makers of Roomba, the popular robotic vacuum. In the interview, Angle excitedly talked about all the benefits that could come from using the data Roomba collects (think the dimensions of a room as well as distances between sofas, tables, lamps and other home furnishings) to share with other Smart Technology such as home lighting, thermostats and security cameras. The rest of the article went on to talk about market competition, potential future developments, stock prices, and, oh yeah, a brief nod to security concerns.

When asked about those concerns, Angle said iRobot would not be sharing data without its customers’ permission, but he expressed confidence most would give their consent in order to access the smart home functions.

The problem though is that the writer did not use the word “share”. Instead, he used the word “sell”—as in iRobot would be selling our data to the likes of Amazon, Apple and Google. (You won’t find that in the article now as Reuters printed a retraction a few days later—after privacy advocates went crazy!)

When Angle was questioned by others about this policy, he made it as clear as could be:

“First things first, iRobot will never sell your data. Our mission is to help you keep a cleaner home and, in time, to help the smart home and the devices in it work better. There’s no doubt that a robot can help your home be smarter. It’s the data it collects to do its job, and the trusted relationship between you, your robot and iRobot, that is critical for that to happen. Information that is shared needs to be controlled by the customer and not as a data asset of a corporation to exploit. That is how data is handled by iRobot today. Customers have control over sharing it. I want to make very clear that this is how data will be handled in the future.”

While Reuters might have misinterpreted Angle’s comments when it came to the selling of the data – the supply of the data available to potentially provide to companies is not in question. The debate turns from outrage at a company invading our privacy to the very real need to take a good look at our own practices and what we are (knowingly or not) allowing companies to do with our data. We have to be willing to take control of our data:
– limit what we give away
– change our defaults so as to not “permit” companies to share what is collected
– speak up against and, if needed, boycott the products that don’t meet our privacy demands.

Likewise, this is a call to businesses to take responsibility for using data to their advantage but only if they have transparently let their customers know how it is being used and giving them the control (not just through changing default settings!) 

Some Simple Steps to Social Media Privacy

When was the last time you checked your privacy settings on your social media profiles? Being aware of the information you share is a critical step in securing your online identity. Below we’ve outlined some of the top social media sites and what you can do today to help keep your personal information safe.

FACEBOOK Social Media Privacy

Click the padlock icon in the upper right corner of Facebook, and run a Privacy
Checkup. This will walk you through three simple steps:

  • Who you share status updates with
  • A list of the apps that are connected to your Facebook page
  • How personal information from your profile is shared.

As a rule of thumb, we recommend your Facebook Privacy setting be set to “Friends Only” to avoid sharing your information with strangers. You can confirm that all of your future posts will be visible to “Friends Only” by reselecting the padlock and clicking “Who can see my stuff?” then select “What do other people see on my timeline” and review the differences between your public and friends only profile. Oh, and don’t post anything stupid!

TWITTER Social Media Privacy

Click on your profile picture. Select settings. From here you will see about 15 areas on the left-hand side. It’s worth it to take the time to go through each of them and select what works for you. We especially recommend spending time in the “Security and Privacy” section where you should:

  • Enable login verification. Yes, it’s an extra step to access your account, but it provides increased protection against unauthorized access of your account.
  • Require personal information whenever a password reset request is made. It’s not foolproof, but this setting will at least force a hacker to find out your associated email address or phone number if they attempt to reset your password.
  • Determine how private you want your tweets to be. You can limit who (if anybody) is allowed to tag you in photos and limit your posts to just those you follow.
  • Turn off the option called “Add a location to my Tweets”.
  • Uncheck the options that allow others to find you via email address or phone number.
  • Finally, go to the Apps section and check out which third-party apps you’ve allowed access to your Twitter account (and in some cases, post on your behalf) and revoke access to anything that seems unfamiliar or anything that you know you don’t use anymore.

Oh, and don’t post anything stupid!

INSTAGRAM Social Media Privacy

The default setting on Instagram is public, which means that anyone can see the pictures you post. If you don’t want to share your private photos with everyone, you can easily make your Instagram account private by following the steps below. NOTE: you must use your smartphone to change your profile settings; it does not work from the website.

  • Tap on your profile icon (picture of person), then the gear icon* to the right of your name.
  • Select Private Account. Now only people you approve can see your photos and videos.
  • Spend some time considering which linked accounts you want to keep and who can push notifications to you.

*Icons differ slightly depending on your smartphone. Visit the Instagram site for specifics and for more in depth controls.

Oh, and don’t post anything stupid!

SNAPCHAT Social Media Privacy

Snapchat’s settings are really basic, but there’s one setting that can help a lot: If you don’t want just anybody sending you photos or videos, make sure you’re using the default setting to only accept incoming pictures from “My Friends.”  By default, only users you add to your friends list can send you Snaps. If a Snapchatter you haven’t added as a friend tries to send you a Snap, you’ll receive a notification that they added you, but you will not receive the Snap they sent unless you add them to your friends list.  Here are some other easy tips for this site:

  • If you want to change who can send you snaps or view your story, click the snapchat icon and then the gear (settings) icon in the top right hand corner. Scroll down to the “Who can…” section and make your selections.
  • Like all services, make sure you have a strong and unique password.
  • Remember, there are ways to do a screen capture to save and recover images, so no one should develop a false sense of “security” about that.

In other words, (all together now) don’t post anything stupid!

A Final Tip: The privacy settings for social media sites change frequently. Check in at least once a month to ensure your privacy settings are still as secure as possible and no changes have been made.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.