Social Engineering to Disable iMessage Protections

I am always interested in new phishing tricks, and watching them spread across the ecosystem.

A few days ago I started getting phishing SMS messages with a new twist. They were standard messages about delayed packages or some such, with the goal of getting me to click on a link and enter some personal information into a website. But because they came from unknown phone numbers, the links did not work: iMessage renders links from senders who are not in your contacts as plain, non-tappable text, and only turns them into live links once you reply to the sender (or add the sender to your contacts). So—this is the new bit—the messages said something like: “Please reply Y, then exit the text message, reopen the text message activation link, or copy the link to Safari browser to open it.” The reply is the whole point: it is the victim, not the attacker, who switches the protection off.

I saw it once, and now I am seeing it again and again. Everyone has now adopted this new trick.

One article claims that this trick has been popular since last summer. I don’t know; I would have expected to have seen it before last weekend.
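The wording of the lure is regular enough to match mechanically. The following is an added Python example, not code from this post or from any filtering product, that runs a few heuristics over constructed sample SMS bodies. The regular expressions, the sample messages and the lookalike domain names in them are my own assumptions about how the lure is phrased; the one design point worth noting is that "reply Y" alone is not treated as malicious, because appointment reminders and opt-in confirmations use exactly that phrase.

```python
"""Heuristic detector for the "reply Y to activate the link" SMS lure.

Added example with constructed samples; the patterns are assumptions about how
the lure is worded, not a published signature set.
"""
from __future__ import annotations

import re

# A URL-ish token: scheme or www form, or a bare host with a path such as
# "example-help.top/i" (the shortened form these lures favour).
URL_RE = re.compile(r"(?i)(?:https?://|www\.)\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+/\S*")

# "reply Y" / "reply with yes" / "reply 1": the action that makes iMessage treat
# the sender as known and render its links as tappable.
REPLY_RE = re.compile(r"(?i)\breply\s+(?:with\s+)?[\"']?(?:y|yes|1)\b")

# "exit the text message ... reopen": telling the victim to re-render the thread
# after replying, so the now-enabled link appears.
REOPEN_RE = re.compile(
    r"(?i)\b(?:exit|close|reopen|re-open)\b[^.]*\b(?:text|message|sms|imessage|thread)\b"
)

# "copy the link to Safari": the fallback route around the disabled link.
COPY_RE = re.compile(r"(?i)\bcopy\b[^.]*\b(?:link|url)\b[^.]*\b(?:safari|browser|chrome)\b")


def indicators(text: str) -> set[str]:
    """Return the set of lure indicators present in one message body."""
    found = set()
    if URL_RE.search(text):
        found.add("url")
    if REPLY_RE.search(text):
        found.add("reply_to_enable")
    if REOPEN_RE.search(text):
        found.add("reopen_instruction")
    if COPY_RE.search(text):
        found.add("copy_to_browser")
    return found


def is_link_activation_lure(text: str) -> bool:
    """Flag a message only when the reply prompt is paired with a link or a
    re-render instruction.

    A bare "reply Y to confirm" is normal for appointment reminders and opt-in
    confirmations, so it is deliberately not enough on its own.
    """
    found = indicators(text)
    return "reply_to_enable" in found and bool(
        found & {"url", "reopen_instruction", "copy_to_browser"}
    )


# Constructed sample messages, not real captures. Domains are invented.
SAMPLES = [
    "USPS: your package is on hold due to an incomplete address. Update it at "
    "usps-track-help.top/i Please reply Y, then exit the text message, reopen "
    "the text message activation link, or copy the link to Safari browser to open it.",
    "Toll notice: your balance of $6.99 is unpaid. Pay at https://tolls-pay.example/ "
    "to avoid a $50 penalty. Reply Y and reopen this message to activate the link.",
    "Your verification code is 123456. Do not share it with anyone.",
    "Hi, it's Dana from the dentist. Reply Y to confirm your appointment Tuesday at 3pm.",
    "Reminder: your invoice is ready at https://billing.example.com/inv/42",
]


def scan(messages: list[str]) -> list[int]:
    """Return the indices of messages that match the lure pattern."""
    return [i for i, body in enumerate(messages) if is_link_activation_lure(body)]


if __name__ == "__main__":
    for i in scan(SAMPLES):
        print(f"lure #{i}: {sorted(indicators(SAMPLES[i]))}")
```

Run stand-alone it flags the two package/toll lures and leaves the verification code, the dentist's confirmation request and the plain invoice link alone. Phrase matching like this is a triage aid, not a verdict; in a real pipeline the extracted host would go on to domain-age and reputation checks.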

Posted on January 17, 2025 at 7:05 AM

Comments

wiredog January 17, 2025 9:58 AM

I’ve only run into it once, in a “You owe $6.99 in toll fees” phishing attempt, which is apparently the new hotness.

Clive Robinson January 17, 2025 4:23 PM

@ Bruce, ALL,

With regards,

“One article claims that this trick has been popular since last summer. I don’t know; I would have expected to have seen it before last weekend.”

You are assuming two things behind your “expectation”,

1, You are in “a target rich environment”.
2, You “the target” have been picked at random.

Well, you might be pleased to know that, from an attacker's point of view, they are not true.

Figures show that even social engineers keep records or can obtain records that show the level of “gullibility” of targets (just the same as those marketing databases do). Thus those who have fallen for scams get selected in preference to those who have not.

For various reasons, I keep a very low profile; as I've said before, I don't buy online (since Amazon stole from me). Likewise I don't use anything other than cash for day-to-day purchases, and for other items I also buy through friends who have store or similar cards that earn them points or discounts. I have also investigated "gift cards" that can be purchased anonymously for cash, and similar.

There are quite a few other things I do to not be “online” and keep out of Databases[1].

One such is to do "product research" from random places where I can get "hands on the keyboard" anonymously[2].

As I’ve repeatedly said I don’t use Email or messaging apps, and I certainly do not use supposedly secure apps.

It’s not that I am trying to hide nefarious activities, I’m trying to remain away from others nefarious activities.

Oh, fun story for the beginning of the year... Apparently a couple of very well known high street and transport hub emporiums have had data grabbed by attackers of their "third party" data handlers. One is a very well known "coffee" chain, and the other a well known "doughnut" chain.

Aside from jokes about the "Law enforcement diet" and how it gives "muffin tops", thus "Cops should be in mortal dread", the real issue is not that it's the 2nd party or "Merchant" in the transaction who has "lost the data", but that to you, the 1st party "Customer", it's a totally unknown 3rd party you have no contractual relationship with. So no control and near zero chance of getting any redress from them.

This sort of third-party data is handled at the lowest price and thus probably has the lowest security.
But to those pulling "social engineering" at scale, they crave such data more than a "sugar low fix", because it enables them to "group targets" by likelihood of their effective "Return On Investment" (ROI).

So take comfort from the fact you’ve only recently been hit, it means for some reason you are not in one of the many “lowest hanging fruit” groups that get hit over and over.

For those that think I'm paranoid, remember there was, many decades ago, an observation about computers and their "front panels": that any computer was vulnerable to a clever crack if an attacker could get "front panel access". Well, humans are the same; we all have our fears and other human failings of some form, and if an attacker can get access to our front panels, or as we tend to call it "face time", all "normal humans" can be "socially engineered".

So doing what you can to reduce the chances of a social engineer getting your front panel access is not “paranoia” but “sensible behaviour”. Because rest assured if they think they can engineer you for their benefit they will. And as the old saying has it,

“It’s not paranoia if they really are out to get you”

And as such, financial scams/attacks have now become the number one type of crime people see, over even street crime, due to the relative safety for the criminal. Even in a target rich environment, you will be sought out and your number will probably come up eventually. The only question is "how soon"...

Thus taking a leaf out of the ICTsec book and applying it to yourself, strongly suggests “air gapping” yourself is a good strategy to consider.

[1] Some databases I cannot avoid, and having had my "medical records" supposedly "lost" three times by various UK NHS entities, then given away by a UK Prime Minister to the US-based Palantir, which has set itself up as a "private spook for hire", perhaps people can understand my caution.

[2] By "hands on the keyboard" I mean I do not use "Bring Your Own Device" (BYOD) Internet cafes and the like, because your device will be fingerprinted and go into a database which will be built up to identify you by various measures. It's what we know both Google and Microsoft are doing, and several other big players in "online marketing" and "data brokering". And almost certainly what successful criminals, who are almost certainly as smart if not smarter, are doing.

Bob Paddock January 20, 2025 8:56 AM

@Clive Robinson

“…BYOD…”

What are your thoughts on the about to be released Brax3 phone?

“The most privacy-friendly smartphone.”

https://www.indiegogo.com/projects/brax3-the-most-privacy-friendly-smartphone#/

Clive Robinson January 20, 2025 7:08 PM

@ Bob Paddock,

Re : Brax3

I’ve not looked into it.

However earlier versions just “de-Googled” the smart side of the phone.

Whilst that might keep you somewhat safe from Google for a while,

1, It will not stop your location being logged by the Network Provider, or any calls you make/receive, and likewise SMSs, being logged along with the considerable metadata and plaintext.
2, Nor will it stop the Network Provider selling the data to brokers and giving it to the Government.
3, Nor will it stop the now mainly IP-based phone networks logging all your App and similar usage.

But also consider both Apple and Google built “Bluetooth beaconing” using BLE deep in their OSs to form a mesh network to get “physical contact” information during C19.

Then there are Google's changes to, amongst other things, "Chrome" to make near-uniquely fingerprinting your phone effectively trivial.

Further, I would not be too sure Google does not, deep in its OS, put WiFi on phones and mobile devices into a "listen only" mode, whereby it can use its existing extensive WiFi map databases, gathered as part of its "street mapping", to get a fairly good "position fix" that is probably more accurate in a building than GPNS systems are.

For their own “sanity” let alone privacy, people should practice not carrying their phones on them.

Sadly the “one way” systems like “Pagers” don’t exist for most people any more, and the “two way” like smart/mobile systems in effect track your every step. And in some cases can tell if you are standing up sitting or recumbent and even what your breathing and several other bio-measures are.

So when you go “shopping” and pay with “Tap-n-Go” or even just plastic be it credit or debit, the time and your location in effect ties you to a “known purchaser” transaction which can quickly be correlated over just three or four purchases to you with a very high confidence….

All sorts of other correlations show up very quickly about some of the most private parts of your life…

As long as you carry a phone on you those correlations “will out”. The only way to stop this is make a habit of not carrying your mobile device around with you.
