Apple continues to tighten iOS security, and iOS 16.3 (and iPadOS 16.3, and macOS Ventura 13.2) includes support for physical security keys. In other words, a physical device can verify your Apple ID login in place of a passcode. It’s a great way to boost your security, and here’s how it works.

These keys work in tandem with two-factor authentication (2FA), so you still need your password. If you already have 2FA set up on your account, you’re familiar with logging into a new Apple device using your email address and password and then having a six-digit code sent via SMS or to another device (like an iPhone or a Mac) that you're already logged in on. The security key replaces that second step, the passcode.

The thinking is that having something physical that stays with you is more secure than a passcode, which can be guessed, brute-forced, or viewed over your shoulder. Apple says the security key provides “extra protection from targeted attacks, such as phishing or social engineering scams.” While a scam website or app might trick you into revealing a six-digit number, getting you to hand over a physical object is much harder.

If you want to start using security keys with your Apple ID, you first need to have 2FA switched on for your account. If you haven’t already enabled it, open Settings on your iPhone, then tap your name at the top, followed by **Password & Security** and **Turn On Two-Factor Authentication**. Follow the instructions for setting up a phone number to receive SMS messages, and specify any other trusted devices you want to use it with.

How Security Keys Work

Generally speaking, 2FA comes into play when you log in on a new device or on a device you haven’t used for a long time—this isn’t a process you need to do every time you open your Mac or unlock your iPhone, as they’ll be designated as trusted devices. 2FA adds an extra step to the login process, in addition to a username and password, because those details can be guessed, tricked out of you, or leaked on the web.

Once you set up security keys, they become the extra step. They either plug directly into a lightning or USB port on your device, or (on iPhones only) they can communicate wirelessly via the NFC protocol. They essentially prove that you are who you say you are, giving you access to your Apple ID and all of your apps and services.

Security keys can be set up from iPhones, iPads, or Macs.

Photograph: Apple

It’s important to note that you don’t want to lose your security key. Apple will prompt you to set up two to begin with, so you can keep a backup in a safe place. But if you do somehow misplace both of them, there’s a chance you might be permanently locked out of your account (there may be recovery options, but Apple isn’t specifying what they are, perhaps for security reasons).

You also need to follow this process when logging in to your Apple ID in a new web browser, and there are a few places where it won’t work (at least not yet). Perhaps the most important one is iCloud for Windows, so you might want to hold off if you use your Apple account on Windows devices. And you can’t use security keys with Apple devices running older software or with Apple IDs assigned to children.

Setting Up Security Keys

The first step is buying a couple of security keys, which go for around $50 each online. Apple says you need keys certified to work with the FIDO (Fast ID Online) standard, and with the right connections for your devices: NFC (iPhones) only, lightning, USB-C, or USB-A. It’s fine to use adapter dongles and cables with these security keys, which should make it easier to find keys that work across everything you’re going to use.

With your physical keys in hand and the latest software updates installed, you can set everything up from an iPhone or an iPad by going to Settings, tapping on your name at the top, and choosing **Password & Security**. Choose **Add Security Keys** to be directed through the process of associating them with your Apple ID. At the same time, you can review all the devices that are currently linked to your Apple ID.

The YubiKey 5C NFC is one security key recommended by Apple.

Photograph: Yubico

On macOS, make sure you’re running the latest software, then open the **Apple** menu and choose **System Settings**. Click on your name at the top of the navigation pane on the left, then pick **Password & Security** and click **Add** next to the Security Keys heading. You’ll then be taken through the steps needed to associate your keys with your account, and you’ll be shown the devices you’re already using with your Apple ID.

You need to add at least two security keys to your account, as we mentioned earlier, and you can add up to six. Head to the same screens on iOS, iPadOS, or macOS if you want to delete one or more of your security keys—you’ll see a **Remove All Security Keys** option. If you select this, the two-factor authentication process will revert to using the passcode method, as it did before.

How to Unlock Your iPhone With a Security Key

The company will soon require users to pay for a Twitter Blue subscription to get sign-in codes via SMS. Security experts are baffled.

Twitter announced yesterday that as of March 20, it will only allow its users to secure their accounts with SMS-based two-factor authentication if they pay for a Twitter Blue subscription. Two-factor authentication, or 2FA, requires users to log in with a username and password and then an additional “factor” such as a numeric code. Security experts have long advised that people use a generator app to get these codes. But receiving them in SMS text messages is a popular alternative, so removing that option for unpaid users has left security experts scratching their heads.

Twitter's two-factor move is the latest in a series of controversial policy changes since Elon Musk acquired the company last year. The paid service Twitter Blue—the only way to get a blue verified checkmark on Twitter accounts now—costs $11 per month on Android and iOS and less for a desktop-only subscription. Users being booted off of SMS-based two-factor authentication will have the option to switch to an authenticator app or a physical security key.

“While historically a popular form of 2FA, unfortunately, we have seen phone-number-based 2FA be used—and abused—by bad actors,” Twitter wrote in a blog post published Friday evening. “So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”

In a July 2022 report about account security, Twitter said that only 2.6 percent of its active users have any type of two-factor authentication enabled. Of those users, nearly 75 percent were using the SMS version. Almost 29 percent were using authenticator apps, and less than 1 percent had added a physical authentication key.

SMS-based two-factor authentication is insecure because attackers can hijack targets' phone numbers or use other techniques to intercept the texts. But security experts have long emphasized that using SMS two-factor is significantly better than having no second authentication factor enabled. 

Increasingly, tech giants like Apple and Google have eliminated the option for SMS two-factor and transitioned users (typically over many months or years) to other forms of authentication. Researchers worry that Twitter's policy change will confuse users by giving them so little time to complete the transition and making SMS two-factor seem like a premium feature.

“The Twitter blog is right to point out that two-factor authentication that uses text messages is frequently abused by bad actors. I agree that it is less secure than other 2FA methods,” says Lorrie Cranor, director of Carnegie Mellon's usable privacy and security lab. “But if their motivation is security, wouldn't they want to keep paid accounts secure too? It doesn't make sense to allow the less secure method for paid accounts only.”  

While the company says its changes to two-factor will roll out in mid-March, Twitter users with SMS two-factor turned on started encountering a pop-up overlay screen on Friday that advised them to remove two-factor entirely or switch to “the authentication app or security key methods.” 

It is unclear what will happen if users do not disable SMS two-factor by the new deadline. The in-app message to users implies that people who still have SMS two-factor turned on when the change officially happens on March 20 will be locked out of their accounts. “To avoid losing access to Twitter, remove text-message two-factor authentication by March 19, 2023,” the notification says. But Twitter's blog post says that two-factor will simply be disabled on March 20 if users don't adjust it before then. “After 20 March 2023, we will no longer permit non–Twitter Blue subscribers to use text messages as a 2FA method,” the company wrote. “At that time, accounts with text message 2FA still enabled will have it disabled.”

Twitter did not return a request for comment about what will happen to accounts that still have SMS two-factor enabled on March 20. The company also did not answer questions about the possibility that the policy change will result in a significant loss of two-factor adoption on the platform.

“On the surface, this sounds like a good degree of concern for users’ safety, but if you pay for Twitter Blue—and are, therefore, a customer who is serious about your Twitter usage and who Twitter should care about the most—you can continue to use that less secure method of authentication. Huh?” says Jim Fenton, an independent identity privacy and security consultant. “And if you aren't a Twitter Blue subscriber, and they downgrade you to just password-based authentication, now they've fully taken something that's purported to improve users’ security and done exactly the opposite.”

On Friday evening, the Twitter account “T(w)itter Takeover News” echoed the company's comments about phone-number-based 2FA being abused by scammers. The account tweeted that “Twitter changed its policies … regarding SMS based 2FA because Telcos Used Bot Accounts to Pump 2FA SMS. They were losing $60mn/yr on scam SMS.” Shortly after, Elon Musk’s Twitter account replied, “Yup.”

Musk has long said that he is in a war against Twitter bots, but he has struggled to deal with separating legitimate bots from malicious ones. Meanwhile, Twitter's SMS two-factor mechanism had outages and reliability problems in mid-November amid chaos inside the company during the early days of Musk's leadership.

Eliminating SMS two-factor “might very incrementally decrease Twitter's costs by not requiring Twitter to pay some telco provider a fraction of a cent to send those SMS messages,” Fenton says. But he adds that the cost savings would likely be extremely minor.

Fenton notes, too, that the move would make more sense if Twitter were also announcing support for the new authentication mechanism known as “passkeys” that tech giants have increasingly been adopting as a way to reduce user reliance on passwords. “Twitter would basically be saying that they’re substituting a new authentication method that also doesn’t require buying a hardware security key,” Fenton says. “But the Twitter Blue exception still wouldn't make sense.”

As the situation plays out, the big question is whether any of it will result in stronger security for Twitter users' accounts. 

“I don't think we really know whether this will nudge people to go ahead and get an authenticator app or whether a lot of people will just give up on 2FA,” Carnegie Mellon's Cranor says. “In general, two-factor authentication is not widely adopted by users unless they are forced to use it. I think a lot of other companies will be watching to see whether disallowing text-message 2FA is a good idea or not.”  

Whether Twitter will be transparent about the impacts of the changes and release updated statistics is another question entirely.

Twitter’s Two-Factor Authentication Change ‘Doesn't Make Sense’

Plus: The FBI got (at least a little bit) hacked, an election-disruption firm gets exposed, Russia mulls allowing “patriotic hacking,” and more.

Discovering that hackers have had stealthy access to your corporate network for three years is bad enough. Web hosting company GoDaddy this week confessed to something even worse: A group of hackers it had repeatedly spotted inside its network had returned—or never left—and have been wreaking havoc in its network since at least March 2020, despite all the company's attempts to expel them.

We'll get to that. Meanwhile, the rise of pig butchering scams has left an increasing number of victims financially destitute—and the scammers are only growing more sophisticated. This week we detailed new techniques that criminals are using to drain people’s bank accounts through social engineering and legitimate-looking financial apps that are designed to trick targets into giving the scammers their cash under the guise of bogus investments. 

Speaking of bogus investments, 24 percent of new crypto tokens that gained any value in 2022 were pump-and-dump schemes, according to new findings from the cryptocurrency-tracing firm Chainalysis. The creators of these tokens hype them to draw in buyers, then sell off all their holdings once the value rises, thus tanking the price and leaving investors holding crypto that is suddenly worth nothing. Chainalysis found that one token creator was responsible for at least 264 successful pump-and-dumps last year. 

Of course, what goes up must come down—especially if it's a suspicious object flying over the United States in the past two weeks. After the US shot down a Chinese spy balloon earlier this month, it went on to take out three additional unidentified aerial objects. But don’t worry, there aren’t more spy balloons than normal—the government is just paying closer attention to what’s in the sky.

While the mainstream media focused on spy balloons, another top story was emerging on TikTok and other social media platforms: a February 3 train derailment in East Palestine, Ohio, which spilled toxic chemicals into the ground and waterways and forced the small town’s residents to flee. The relative lack of news coverage, a growing list of questions about the health and environmental impacts of the spilled chemicals, and mistrust of government regulators and officials created the perfect recipe for misinformation and conspiracy theories.

The notion that the government is, at best, slow and ineffective has some truth, however. This week, US Customs and Border Protection revealed that it had finally implemented the system update necessary to cryptographically verify data on e-Passports—16 years after the US and Visa Waiver countries began issuing passports that contain RFID chips loaded with traveler details. 

If you’re planning a trip but don’t want anyone to know where you’re going, we’ve compiled a complete guide to make sure you’re not accidentally sharing your location.

But that’s not all. We’ve rounded up the top security and privacy news from the week that we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

GoDaddy revealed in a statement on Thursday it had discovered that hackers inside its systems had installed malware on its network and stolen parts of its code. The company says it became aware of the intrusion in December 2022 when customers—the company hasn't said how many—began reporting that their websites were being mysteriously redirected to other domains. GoDaddy says it's investigating the breach and working with law enforcement, who have told the company that the hackers’ “apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities.”

It gets worse: GoDaddy revealed in an SEC filing that it believes the hackers are the same group that it found inside the company's networks in March 2020, and which had stolen the login credentials of 28,000 customers and some of GoDaddy’s staff. Then in November 2021, the hackers used a stolen password to compromise 1.2 million customers’ WordPress instances, getting access to email addresses, usernames, passwords, and, in some cases, their websites’ SSL private keys. “Based on our investigation, we believe these incidents are part of a multiyear campaign by a sophisticated threat actor group,” the filing reads.

“We apologize for any inconvenience this may have caused to any of our customers or visitors to their websites,” the company said in a statement. “We are using lessons from this incident to enhance the security of our systems and further protect our customers and their data.”

That apology—and pledge to improve security—would be more reassuring if it weren’t the third time GoDaddy confessed to being breached by the same hacker group in as many years.

The New York Field Office of the FBI has led some of the most high-profile hacking investigations in recent cybersecurity history, including the takedown of Silk Road and the hyperactive Anonymous splinter group LulzSec. Now it may be investigating itself. CNN on Friday reported that the FBI had been breached by hackers, though it had limited the intruders’ access. CNN’s sources told the news outlet that the incident had occurred at the New York Field Office and that the attack had specifically penetrated systems used in its investigation of child exploitation images. “This is an isolated incident that has been contained,” the FBI told CNN in a statement, though it noted that its investigation of the breach is ongoing.

An Israeli firm called Team Jorge claims to have used hacking and disinformation services to meddle in dozens of elections worldwide on behalf of its clients, according to an explosive, undercover investigation by a consortium of journalists. Members of the reporting group, which includes journalists from _The Guardian_, _Le Monde_, _Der Spiegel_, _El País_, Radio France, _Haaretz_, and The Marker, posed as prospective clients and recorded a meeting with executives from the firm. In the meeting, the execs boasted of their ability to hack Telegram and Gmail accounts, as well as wielding an army of bots that had been used to carry out social media disinformation campaigns in 33 countries, including nations in Africa, South and Central America, as well as the US and Europe. The company suggested in conversations with the undercover reporters that its hacking methods took advantage of vulnerabilities in SS7, a phone system protocol long understood to be vulnerable. The company's founder, Tal Hanan, a former member of the Israeli special forces, denied “any wrongdoing” when confronted by the journalists.

Russia has long turned a blind eye to its citizens hacking foreign targets—so long as they don't target locals. The Russian parliament, known as the Duma, is now considering a law that would officially absolve Russian hackers of legal liability for hacking “in the interests of the Russian Federation.” The proposed law, which was first reported in Russian state media, would apply to both Russian citizens in Russia and abroad, though the details of the proposal have yet to be released. The proposed legal change provides further evidence—if anyone needed it in the midst of Russia's ongoing war and cyberwar in Ukraine—that the Russian government intends to turn the country into a safe haven for hackers of every stripe, from state-sponsored to criminal to politically motivated.

Oakland's city government has become the latest US city to fall prey to ransomware, declaring a state of emergency eight days after a serious ransomware attack crippled portions of its IT systems. Though it's not clear exactly which municipal systems have been hit—911 dispatch, fire, and other emergency services seem to be unaffected—Oakland's interim city administrator, G. Harold Duffey, referred in a statement to “ongoing impacts of the network outages” from the cyberattack and said that the city was working with forensics firms on investigating the breach.

Hackers Ran Amok Inside GoDaddy for Nearly 3 Years

Everything you need to know about the past, present, and future of data security—from Equifax to Yahoo—and the problem with Social Security numbers.

The History of Data Breaches

Data breaches have been increasingly common and harmful for decades. A few stand out, though, as instructive examples of how breaches have evolved, how attackers are able to orchestrate these attacks, what can be stolen, and what happens to data once a breach has occurred.

Digital data breaches started long before widespread use of the internet, yet they were similar in many respects to the leaks we see today. One early landmark incident occurred in 1984, when the credit reporting agency TRW Information Systems (now Experian) realized that one of its database files had been breached. The trove was protected by a numeric passcode that someone lifted from an administrative note at a Sears store and posted on an “electronic bulletin board”—a sort of rudimentary Google Doc that people could access and alter using their landline phone connection. From there, anyone who knew how to view the bulletin board could have used the password to access the data stored in the TRW file: personal data and credit histories of 90 million Americans. The password was exposed for a month. At the time, TRW said that it changed the database password as soon as it found out about the situation. Though the incident is dwarfed by last year’s breach of the credit reporting agency Equifax (discussed below), the TRW lapse was a warning to data firms everywhere—one that many clearly didn’t heed.

Large-scale breaches like the TRW incident occurred sporadically as years went by and the internet matured. By the early 2010s, as mobile devices and the Internet of Things greatly expanded interconnectivity, the problem of data breaches became especially urgent. Stealing username/password pairs or credit card numbers—even breaching a trove of data aggregated from already public sources—could give attackers the keys to someone’s entire online life. And certain breaches in particular helped fuel a growing dark web economy of stolen user data.

One of these incidents was a breach of LinkedIn in 2012 that initially seemed to expose 6.5 million passwords. The data was hashed, or cryptographically scrambled, as a protection to make it unintelligible and therefore difficult to reuse, but hackers quickly started “cracking” the hashes to expose LinkedIn users’ actual passwords. Though LinkedIn itself took precautions to reset impacted account passwords, attackers still got plenty of mileage out of them by finding other accounts around the web where users had reused the same password. That all too common lax password hygiene means a single breach can haunt users for years.

The LinkedIn hack also turned out to be even worse than it first appeared. In 2016 a hacker known as “Peace” started selling account information, particularly email addresses and passwords, from 117 million LinkedIn users. Data stolen from the LinkedIn breach has been repurposed and re-sold by criminals ever since, and attackers still have some success exploiting the data to this day, since so many people reuse the same passwords across numerous accounts for years.

Data breaches didn’t truly become dinner table fodder, though, until the end of 2013 and 2014, when major retailers Target, Neiman Marcus, and Home Depot suffered massive breaches one after the other. The Target hack, first publicly disclosed in December 2013, impacted the personal information (like names, addresses, phone numbers, and email addresses) of 70 million Americans and compromised 40 million credit card numbers. Just a few weeks later, in January 2014, Neiman Marcus admitted that its point-of-sale systems had been hit by the same malware that infected Target, exposing the information of about 110 million Neiman Marcus customers, along with 1.1 million credit and debit card numbers. Then, after months of fallout from those two breaches, Home Depot announced in September 2014 that hackers had stolen 56 million credit and debit card numbers from its systems by installing malware on the company’s payment terminals.

An even more devastating and sinister attack was taking place at the same time, though. The Office of Personnel Management is the administrative and HR department for US government employees. The department manages security clearances, conducts background checks, and keeps records on every past and present federal employee. If you want to know what’s going on inside the US government, this is the department to hack. So China did.

Hackers linked to the Chinese government infiltrated OPM’s network twice, first stealing the technical blueprints for the network in 2013, then initiating a second attack shortly thereafter in which they gained control of the administrative server that managed the authentication for all other server logins. In other words, by the time OPM fully realized what had happened and acted to remove the intruders in 2015, the hackers had been able to steal tens of millions of detailed records about every aspect of federal employees’ lives, including 21.5 million Social Security numbers and 5.6 million fingerprint records. In some cases, victims weren’t even federal employees, but were simply connected in some way to government workers who had undergone background checks. (Those checks include all sorts of extremely specific information, like maps of a subject’s family, friends, associates, and children.)

Data Breaches: The Complete WIRED Guide

And according to tracing firm Chainalysis, one very prolific scammer ran at least 264 of those scams in 2022 alone.

Over just a little more than a decade, the crypto world has exploded from a single currency to millions of coins and assets, each promising a small share in the next big thing. The challenge for anyone putting their money into that minefield-posing-as-a-goldmine is to distinguish digital treasure from the many, many scam-ridden penny stocks of the digital economy. A new study has put a number to just how prevalent those garbage assets have become: About a quarter of the new crypto tokens launched last year—counting only those that gained any value at all—were clear-cut, short-term cons, scamming buyers within a week of their release.

In a portion of its annual crime report released today, cryptocurrency tracing and blockchain analysis firm Chainalysis published a new study of so-called “pump-and-dump” scams that involve crypto tokens—blockchain-based digital assets that are, at least in theory, shares in some valuable company or project. In a pump-and-dump scam, the scammer “pumps” the price of an asset they hold, often with baseless hype, and then sells their entire holding without warning. That causes the value to crash, thus “dumping” the devalued asset on the marks they tricked into buying in. In its research, Chainalysis focused on one particular form of pump-and-dump schemes, those carried out by the creator of a new token, rather than scammers who manipulate a preexisting one for profit.

“Looking at our blockchain data, we realized the best way we could contribute is by looking at tokens created for the express purpose of a pump-and-dump by the liquidity provider,” says Kim Grauer, head of research at Chainalysis, using the term “liquidity provider” to mean the creator or issuer of a token. “There are millions of these tokens. How many are legitimate, and how many are scams?”

The answer: a whole lot of them are scams. Looking across the million-plus crypto tokens created in 2022, Chainalysis found that only a tiny fraction of them, 9,902, ever convinced anyone to buy them and thus gained any value. Of those, they found that fully 24 percent were brazen, short-term pump-and-dumps perpetrated by the token's creator, dumped within their first week on sale.

Even more shocking, perhaps, was the number of serial offenders in that world of token scams. By tracing the profits of pump-and-dumps, Chainalysis followed the money to the crypto wallets of hundreds of serial scammers. They found that 445 individuals or organizations pulled off more than one short-term pump-and-dump last year. Of those, 23 carried out more than 10. One very busy pump-and-dump entrepreneur had carried out no fewer than 264.

Despite the prevalence of those one-week scams—and the amount of effort some scammers appear to have put into carrying them out repeatedly—Chainalysis found that they weren't particularly profitable. The total haul (or loss, for the scammers' victims) was just $30 million, a mere 0.5 percent of the $5.9 billion in total scam revenue that Chainalysis measured for 2022. But the findings nonetheless highlight just how thoroughly the crypto token world has been corrupted by scammers of the most shameless sort.

Given that the average haul for pump-and-dumps that Chainalysis measured was just over $3,000, Grauer argues it's a low-risk, low-reward scam, likely carried out by people in countries where a few thousand dollars goes further than in the West. “Maybe they live in a part of the world where that’s a lot of money,” Grauer says. “These are people systemically extracting small amounts of money when they can, and it must be profitable for them or they wouldn’t do it 264 times.”

Chainalysis began looking at pump-and-dumps in late 2021 when Dutch police started using its software tools to investigate a token-based scam that victimized some of the country's citizens. (Chainalysis declined to reveal which token.) After that case, the company's researchers decided to see if they could build a filter to spot and count pump-and-dumps more broadly. “We thought, ‘Let’s build that out. Let’s take this boilerplate example and expand it,’” Grauer says.

The researchers ultimately built a tool to scan blockchain data for any token that was sold off by its creator or issuer within the first week after its release, hitting its peak and then losing at least 90 percent of its value by a day later. To further hone its filter, Chainalysis also integrated data from the service Token Sniffer, which looks at the open-source code of tokens to check for signs of scams, like code elements designed to prevent the quick sale of tokens on the decentralized exchanges where they're typically traded. That relatively strict definition means the total number of pump-and-dump scams in 2022 was likely far higher than the roughly 10,000 Chainalysis conservatively measured.

While Chainalysis was able to pinpoint many of the worst culprits in that scam ecosystem, it didn't try to find those scammers' real-world identities. But Grauer says in many cases the scams could be easily traced to accounts where their profits were cashed out on centralized exchanges, many of which have know-your-customer requirements, and thus possess identifying information they could hand over to law enforcement. That suggests a government agency could probably use Chainalysis' findings to start sending subpoenas to exchanges and identifying scammers—perhaps even the most prolific ones that Chainalysis has pointed to.

But for now, Grauer says, it's perhaps revealing enough just to see how awash in scams the token economy truly is, and exactly which con artists are the source of the problem. “With pumping and dumping, we can show: Here’s the cohort of bad actors. Here they are, 445 of them,” Grauer says. “We can identify them. We can see them. And it’s quite powerful to see how many there are.”

Crypto Buyers Beware: 1 in 4 New Tokens of Any Value Is a Scam

The social media platform helped push the story into the mainstream while also fueling misinformation and conspiracy theories.

“This is kind of the ultimate event for driving conspiracy theories and various anti-government and anti-media sentiment,” says Meghan Conroy, a US research fellow with the Atlantic Council, an international affairs think tank who has followed social media coverage of the derailment. “There’s a lack of clarity about what’s happening on the ground in Ohio.” 

While the EPA is monitoring air and water quality in East Palestine, some of the long-term health and environmental effects of the chemical burn and spill are unknown. (In fact, it wasn’t until Sunday—nine days after the derailment—that the EPA provided a full list of chemicals aboard the train, which was operated by Norfolk Southern Railway.) Investigations are underway, and the results aren’t immediately available. The situation has created what is called a data void, says Conroy. Unsatisfied with answers from the media and government, people look elsewhere for answers, and some step in to fill the gaps.

It’s typically people on the political right who are distrustful of the media and government who drive these types of conspiracy theories, but the train derailment is unique in that it has enthralled both sides. “What we are seeing here are folks across the ideological spectrum taking guesses about why we’re not getting much information,” Conroy says. 

People have insisted there’s a media blackout at play. Some, including US representative Ilhan Omar, a Minnesota Democrat, have taken to social media to slam the national news for failing to cover the disaster, despite several stories from _The New York Times_, CNN, and NPR all reporting on the derailment in the immediate aftermath. 

Then there’s the decision to burn off one of the chemicals—vinyl chloride, a carcinogen—to avoid an explosion, which Ohio governor Mike DeWine described as one of “two bad options.” The science around the chemical burn is foreign to many, and alarming. But experts say the outraged response has gone too far. Several government agencies have reported that they have not found dangerous levels of chemicals in the air and water, yet doubt continues to make its way through social media.

“Some of the social media posts are not accurate or, at minimum, overblown,” Daniel Westervelt, a research professor at Columbia University’s Lamont-Doherty Earth Observatory who focuses on ocean and climate physics, says, like posts that have compared the toxic spill to the Chernobyl disaster. After reviewing Drombosky’s viral video, Westervelt said a lot remains unknown about the derailment and suggested taking “certain claims with a grain of salt” when asked if the information presented was accurate. 

“This was a controlled burn that was carefully timed to coincide with the ideal meteorological conditions to maximize the amount of ventilation of the gases and thereby minimize the health risk,” Westervelt says in response to confusion about burning the chemicals, including vinyl chloride. “While this course of action isn't perfectly ideal, it may have been the best available option, and there is no silver bullet.” 

Sonya Lunder, a senior toxics policy adviser, found the information in Drombosky’s viral video a reliable scientific explanation. (Drombosky has noted that the content is now outdated and encouraged people to share more recent updates.) But other content, Lunder says, raises concerns by overstating the potential impact of the chemicals. “There’s this tension between calling people’s attention to a problem by telling them it could affect them, and it’s not in this case as accurate,” Lunder says. “It kind of dilutes attention from the places where these pollution hazards are bad.”

Drombosky says he had around 80,000 TikTok followers before he started making videos about the derailment, and he knew how to make a compelling one. He is disappointed with how major news outlets covered the event and thinks the same sort of criticisms about bias and lack of expert credentials that follow TikTok creators plague mainstream media too. His coverage is opinionated and lays blame on the train operator, Norfolk Southern Railway. “There’s going to be crazy people on TikTok. But have you seen Newsmax? Have you seen Fox? It’s so crazy that people are so quick to jump, well, TikTok could be a little problematic.”  

East Palestine residents face uncertainty in the wake of the chemical disaster, and it’s not clear how long a small Ohio town can hold the attention of TikTok. But TikTok’s ability to dictate the top news story is now undeniable.

_Updated at 5:30 pm ET, February 15, 2023 to clarify the number of views received by Drombosky's initial TikTok video about the derailment._

The East Palestine, Ohio Train Derailment Created a Perfect TikTok Storm

After 16 years, the agency has implemented the software to cryptographically verify digital passport data—and it’s already caught a dozen alleged fraudsters.

The United States government is notorious for taking a “better late than never” approach to its tech rollouts. Following that tradition, US Customs and Border Protection (CBP) confirmed today that after 16 years it has finally performed the necessary software upgrades to verify the cryptographic signatures stored in passport RFID chips. 

Since 2006, the United States and many other countries have embedded these little chips in the back panel of their passports, or “e-Passports” as they're known. The chip digitally stores the personally identifying information of the document's owner, including name, date of birth, passport number, and biometric data like your photo, along with a cryptographic signature meant to act as a check against tampering or forgeries. For years, the US has required that Visa Waiver countries issue e-Passports to their citizens who want to enter the US. Yet in all this time, CBP hadn't actually deployed the software to execute these validity checks.

In early 2018, US senator Ron Wyden of Oregon and former senator Claire McCaskill of Missouri wrote a letter to CBP calling on the agency to implement the cryptographic verification, given that the RFID e-Passport infrastructure had been in place for years. Last week, five years after that request, CBP informed Wyden's office that it has had the e-Passport verification system up and running since June 2022. 

CBP says that so far the validation process has checked more than 3 million passports from Visa Waiver program travelers and has “contributed” to the arrest of 12 people who were allegedly attempting to enter the US with “fraudulent” identification.

“During primary processing, the e-Passport technology alerted on the documents, and the travelers were referred to secondary where CBP officers determined that the travelers were in possession of fraudulent travel documents,” the agency says in a statement.

“Upgrading passport security is a commonsense way to ensure people entering our country are who they say they are. It is already making America safer, without resorting to invasive searches or massive databases of private data,” Wyden says in a statement to WIRED. “I commend CBP for following through and ensuring forgers and criminals can’t use fraudulent passports to skate through security at the border.”

Though the verification has been running since June, CBP says that it still can't verify e-Passports issued by Andorra, the tiny nation between Spain and France that has a population of fewer than 80,000 people. Other than that, though, CBP is running the validation checks for all Visa Waiver countries.

“This was a major investment by the US, so I'm glad to see that they’re using these capabilities and that they work the way they’re supposed to,” says Matthew Green, a cryptographer at Johns Hopkins University. “This system is really just a basic check to help catch people traveling with forged documents, which is something we have an interest in doing. And it is not nearly as intrusive as face recognition or other systems being rolled out at the border, so overall this seems like a good system to have active.”

A 2010 Government Accountability Office report laid out the case for swiftly implementing signature verification for e-Passports. The US Department of Homeland Security (DHS) “does not have the capability to fully verify the digital signatures because it … has not implemented the system functionality necessary to perform the verification,” GAO wrote at the time. “The additional security against forgery and counterfeiting that could be provided by the inclusion of computer chips on e-passports issued by the United States and foreign countries ... is not fully realized.”

More than a decade and a half later, e-Passport digital signature verification is finally something DHS can check off its to-do list.

US Border Patrol Is Finally Able to Check E-Passport Data

Eufy's recent scandal shows it's not so much about the data breach but about how a company responds. Here are a few ways to shop smart.

Own a Eufy security camera or video doorbell? The recent news exposing serious security flaws from the Anker-owned brand may have caused you some anxiety. I have been testing and reviewing security cameras for several years now. Revelations about data breaches and vulnerabilities are a regular occurrence. Arlo, Nest, Ring, Wyze—every major manufacturer you can think of has had its share of scandals. But it can be challenging to look beyond hyperbolic headlines, weigh the seriousness of each issue, and figure out whether you need to worry. 

Security cameras and video doorbells have grown popular as an easy and affordable way to keep an eye on your home. Around 28 percent of Americans protect their property with security cameras, according to a Safewise survey. The systems are easy to install and promise protection from burglars and porch pirates. (Whether they actually make you safer is a question for another day.) To get a better sense of what security camera system you should invest in, how to deal with breaches, and how to find a company you can trust, we spoke to a few experts. We also took a closer look at how Eufy handled its security woes. 

Where Eufy Went Wrong

Late last year, security researcher Paul Moore demonstrated that camera systems sold with the promise of local data storage were, in fact, uploading images to the cloud. Worse yet, it was possible to stream video from a Eufy camera without encryption. When we first asked about these issues, the company issued a strong denial, saying it “adamantly disagrees with the accusations.” A couple of months later, Eufy admitted that most of the allegations were true.

A spokesperson explained to WIRED in an email that Eufy only uploaded images (video thumbnails) to deliver push notifications to customers, and in one other case for its Video Doorbell Dual, where it uploaded a face image of the user (for face recognition) to make it easier to set up multiple doorbell devices without having to upload a new image. Eufy has updated the language around its cloud use to address the first issue and removed the upload requirement for the second.

More serious was the issue of accessible unencrypted live streams outside the Eufy system. Eufy claims this required users to log in to the web portal, enter debug mode, and share a link. It’s unlikely anyone would have stumbled upon these links, but the possibility of unencrypted camera streams is a natural cause for concern. Eufy has now applied peer-to-peer encryption to its web portal (mobile app streams were always encrypted). The company flatly denies using any fixed encryption keys, insisting videos have always been encrypted with a dynamic key.

It’s worth pointing out that this isn't Eufy’s first security scandal. A bug in May 2021 exposed the live and recorded video streams from 712 customers to other Eufy app users, which is arguably worse than the more recent security flaw. But does it matter if a flaw was unlikely to have been exploited? It’s more important to look at how the company responds to these events.

Sadly, it took more than two months for Eufy’s parent company, Anker, to admit _some_ fault and apologize. Early denials sparked deeper media scrutiny as the company tried to downplay Eufy’s security failings, shredding a hard-won reputation in the process. The multiple incidents, and the fact that Eufy was caught in a lie and forced to pedal back, make it tough to regain trust. 

Eufy’s failings feel especially egregious because the company generally ticks all the right boxes. Its cameras and doorbells strike the balance between quality and affordability. Anker is a respected brand in the accessory space. And Eufy offers support for two-factor authentication, although not by default, and promises completely local storage and on-device processing for features like facial recognition.

Understand the Risks When Shopping

Despite an abundance of security camera manufacturers, pristine reputations are rare, so how do you choose wisely? “You want to go with a brand name,” says Deral Heiland, principal security researcher for the Internet of Things at Rapid7. “One you’ve heard of, because these companies have to protect their branding.”

Big brands come under greater scrutiny. They are targets for security researchers and amateur tinkerers. And they know that bad press will hurt their business. Since regulation is negligible, many no-name or little-known brands sell untested security cameras that may harbor multiple vulnerabilities. When they run into issues, they disappear or change the brand name.

Two-factor authentication (2FA) is also vital, Heiland says. It prevents anyone who has managed to get your login details from accessing your camera. With 2FA, you need the login details and a fingerprint, facial scan, or automatically generated one-time use code from an authenticator app, text message, or email. WIRED doesn’t recommend any security cameras that don’t at least offer 2FA as an option, but we’d like to see it become the default industrywide.

When you install a security camera, it’s worth thinking about what the most compromising or embarrassing thing the camera—outside or inside your house—can see. You need to understand that no internet-connected device is 100 percent safe. 

There is always a risk someone is going to gain access to the camera—“be it hackers plugging data-breached passwords in to see if people are reusing them or police who often go to companies, even without warrants, in hopes of getting footage from people’s devices without their knowledge,” says Matthew Guariglia, a policy analyst for the Electronic Frontier Foundation.

After every security camera scandal, you might see some folks argue that they don’t care who sees footage of their front door or backyard. It’s true that there is little value in many of these video streams, which makes them an unlikely target. But Guariglia says security cameras usually have powerful microphones and often pick up more than we think.

Then there’s the issue of other people’s privacy, whether it’s neighbors, window cleaners, or passersby. Security camera footage is frequently shared online without the knowledge of the people who appear in it. Most cameras offer privacy zones so you can confine recordings to your property, and you should consider placement carefully when you install cameras. 

You should also do some research before you buy. Guariglia suggests asking questions like, “What would it take for police to get footage from the company? Where is your data going to be stored? Does this company have a history of data breaches or bad cybersecurity?” Unfortunately, answers aren’t always easy to find. Apple, Arlo, Eufy, and Wyze state that they won’t share footage without a warrant or court order. Ring, however, has a close relationship with police departments, and Google _may_ share Nest footage in emergency situations where there is a threat to life.

With a local storage system, you can potentially avoid uploading video to a company server and take it out of the manufacturer’s hands. Look for end-to-end encryption (preferably as a default). You can opt for a local system with no internet connection, but you would only be able to review video when you’re home. If you have the technical know-how to hook up internet-protocol cameras and DVRs without cloud services and connect via a Virtual Private Network (VPN) service, Heiland says that’s another potentially secure route. 

Perhaps counterintuitively, it might not be a red flag if your chosen camera brand has had problems in the past, provided the company has fixed them.“It’s better if there have been vulnerabilities reported on a camera because it gives us the ability to take a look at how a company deals with them,” Heiland says. “I’d rather go with a company that’s had multiple vulnerabilities in its cameras and shows a track record of fixing them quickly than a company that’s had no vulnerabilities. Because there’s no such thing as no vulnerabilities.” 

Room for Improvement

Where does Eufy go from here? The flaws have been patched, but it says it’s planning to bring on companies in security consulting, certification, and penetration-testing to conduct a comprehensive assessment of its products and eliminate potential risks. Eufy says there will also be an independent review of its processes and practices from an as-yet-unnamed security expert, and it plans to set up a security bounty program. These are positive steps, perhaps necessary growth for any security brand that expects to be taken seriously. It’s unfortunate that it took another scandal for Eufy to act. 

If you visit a manufacturer’s website, Heiland says it should be easy to find out how to report a vulnerability. If a company has a bug bounty program offering cash rewards to security researchers (incentivizing people to test the cameras and find flaws), all the better. Arlo, Logitech, Nest, and Wyze have some kind of bug bounty program, though the focus and rewards vary. Research should also turn up reports, like this one on Ezviz by Bitdefender, which shows the company is responsive and quick to investigate and fix flaws.

Keeping things secure is not just down to the camera manufacturer. Heiland warns against recycling passwords and strongly suggests picking long, complex passwords (16 to 24 characters) that mix alphanumeric, uppercase, lowercase, and special characters. You can use a password manager to help you keep track. He also recommends setting up security cameras and IoT devices on a network separate from your main computers, laptops, and phones. Most good routers and mesh systems offer guest or IoT network options that allow this.

If you have indoor security cameras, turn them off when you’re home. Look for cameras with shutters and privacy modes, or turn them around, unplug them, or use a scheduled smart plug. Heiland says he would not have a camera in the house but has less of an issue with carefully positioned outdoor security cameras. Just remember that even if you find a system that ticks all your boxes, there’s only so much you can verify.

What to Look for When Buying a Security Camera (2023): Tips and Risks

No, there’s not a sudden influx of unidentified objects in the skies above the US—but the government is paying closer attention.

When U.S. government officials in early February identified and eventually shot down a surveillance balloon attributed to China, the prominent acknowledgment of a spy balloon captured public attention and inflamed tensions between Washington and Beijing. But since then, the prospect of the US government intercepting unidentified flying objects has become quotidian, with three UFOs shot down in the past four days—two near Alaska and one over Lake Huron near Michigan. The spree raises the question, are there more UFOs over US airspace than usual, or is everyone just looking more closely?

Researchers say it's the latter, and they note that even before the balloon mania began, the US government tracked many UFOs in its airspace, including a number of balloons. The US Office of the Director of National Intelligence (ODNI) released a January report, for example, tracking incidents involving UFOs, which the US government calls Unidentified Anomalous Phenomena or UAPs. Between March 5, 2021, and August 30, 2022, the All-Domain Anomaly Resolution Office had 247 reports of UAPs. In a wider pool of 366 UAP reports that also includes newly discovered incidents that occurred before 2021, ODNI said that 163 were balloons “or balloon-like entities,” 26 were “Unmanned Aircraft Systems,” or drones, and six were “attributed to clutter.” So, not all UFOs are balloons, and not all unidentified balloons are spy balloons.

Additionally, CNN reported on Friday that in the past year, the US intelligence community invented a novel technique for conducting real-time tracking of spy balloons or other balloon vehicles of interest. After an incident in which a Chinese spy balloon briefly entered US airspace in 2021, US intelligence forces used data they'd collected about the balloon to look back at radar and other aerial surveillance data to search for previously unidentified past incidents. The results then allowed officials to create models for tracking balloon flights around the world in close to real time.

The heightened alert in recent days may have also led to other tweaks to US radar noise reduction methods to detect more small aircraft at altitudes where planes don't usually fly.

“This isn't new; we just hadn't been detecting them in the past,” says Brynn Tannehill, a RAND Corporation senior technical analyst and a former naval aviator. “I suspect that filters on US systems had previously been ignoring things that were too slow, high, or small to be considered threats. Now that the parameters on the filters have been adjusted, we're seeing more of what was already there for the past few years.”

US government officials said at the beginning of the month that the Chinese spy balloon was roughly the size of three buses. Meanwhile, US Defense Department officials said the UFO the US shot down on Friday was likely not a balloon and was roughly the size of a small car. The object shot down on Saturday, on orders from Canada's prime minister, Justin Trudeau, was described by Canadian officials as cylindrical and seemingly smaller than a surveillance balloon. US officials said the UFO shot down on Sunday was octagonal and didn't seem to be carrying anything.

The White House says that China has been working on a balloon surveillance initiative in recent years “that it has used to violate the sovereignty of the US and over 40 countries across five continents,” according to a statement by National Security Council spokesperson Adrienne Watson. On Sunday, the Chinese government claimed that the US illegally flew over 10 balloons in its airspace in the past year. The Biden administration denied the allegation. “Any claim that the US government operates surveillance balloons over the PRC is false,” Watson said in the statement.

“With the balloon at the beginning of February, the US caught China with its hands in the proverbial cookie jar and made the decision to make it public,” says Jake Williams, a former National Security Administration hacker and an analyst at the Institute for Applied Network Security. “There is likely a ton of statecraft happening in the background, either as a result of the decision to publicly acknowledge the first balloon or that led to the decision itself. Generally, yes, things change once a surveillance target knows they're being surveilled.”

The Biden administration has been been criticized by some Republican lawmakers and others for being slow to shoot down the Chinese spy balloon and hesitant to reveal specific details about the three other UFOs taken out in recent days. (US officials said shooting down the balloon over land would pose an unacceptable risk due to falling debris.) RAND's Tannehill says, though, that from an investigative perspective, it's difficult to process so many cases simultaneously. 

“The White House is caught between rapid response and getting the facts right,” Tannehill says. “Until the path analysis is done, we're guessing at who launched them. Getting the facts wrong publicly would be highly damaging to US credibility.” She adds that the UFO disabled on Saturday that also flew over Canadian airspace “brings another NATO country into the discussion, and it becomes a NATO problem, not just US or NORAD,” the North American Aerospace Defense Command. 

Of the object shot down on Sunday over Lake Huron, the US Defense Department said in a statement, “We did not assess it to be a kinetic military threat to anything on the ground, but assess it was a safety flight hazard and a threat due to its potential surveillance capabilities. Our team will now work to recover the object in an effort to learn more.”

Oh, and if you're still holding out for this flurry of aerial activity to be related to aliens, the White House is here to burst your bubble: “I know there have been questions and concerns about this," White House press secretary Karine Jean-Pierre said at a press conference yesterday, “but there is no, again no indication of aliens or extraterrestrial activity with these recent takedowns.” General Glen VanHerck, commander of the Air Force’s Northern Command, added during a news conference on Sunday, though, “I haven’t ruled out anything at this point.”

The More You Look for Spy Balloons, the More UFOs You’ll Find

Investment schemes are ensnaring victims with increasingly compelling narratives and believable tech.

Gallagher found that the website the scammers were using to distribute their malicious apps was set up to impersonate a real Japanese financial company and had a .com domain. It was even visible on Google as one of the top results, Gallagher says, so victims could find it if they attempted to do some basic research. “To someone who isn't particularly knowledgeable about these things, that part would be pretty convincing,” Gallagher says.

The attackers, who Sophos suspects are based in Hong Kong, developed Windows, Android, and iOS apps off of a legitimate trading service from a Russian software company. Known as MetaTrader 4, Sophos researchers have seen past examples of the platform being misused and abused for fraud. As part of joining the platform, victims had to disclose personal details including tax identification numbers and photos of government identification documents, then start moving cash into their account.

As is often the case in a wide range of scams, the attackers were distributing their iOS app using a compromised certificate for Apple's enterprise device management program. Sophos researchers have recently found pig butchering-related apps that skirted Apple's defenses to sneak into the company's official App Store, though.

The second scam Gallagher followed appears to have been run by a Chinese crime syndicate out of Cambodia. The tech for the scheme was less sleek and impressive but still expansive. The group ran a fake Android and iOS cryptocurrency trading app that impersonated the legitimate market tracking service TradingView. But the scheme had a much more developed and sophisticated social engineering arm to lure victims in and make them feel like they had a real relationship with the scammer suggesting that they invest money. 

“It starts off, ‘Hey Jane are you still in Boston?' so I messaged back, ‘Sorry, wrong number,’ and we had a standard exchange from there,” Gallagher says. The conversation started on SMS and then moved to Telegram.

The persona claimed to be a Malaysian woman living in Vancouver, British Columbia. She said that she ran a wine business and sent a photo of herself standing next to a bar, though the bar was mostly stocked with liquor, not wine. Gallagher was eventually able to identify the bar in the photo as one in the Rosewood Hotel in the Cambodian capital, Phnom Penh.

When asked, Gallagher once again said that he was a cybersecurity threat researcher, but the scammer was not deterred. He added that his company had an office in Vancouver and repeatedly tried to suggest meeting in person. The scammers were committed to the ruse, though, and Gallagher received a few audio and video messages from the woman in the photo. Eventually he even video chatted with her.

“Her English skills were pretty good, she was in a very nondescript location, it looked like a room with acoustic wall pads, kind of like an office or conference room,” Gallagher says. “She told me she was at home, and our conversation quickly steered toward whether I was going to be doing the high-frequency crypto trading with them.”

Cryptocurrency wallets associated with the scam took in roughly $500,000 in a single month from victims, according to Sophos’ monitoring. 

The researchers reported their findings on both scams to the relevant cryptocurrency platforms, tech companies, and global cybersecurity response teams, but both operations are still active and were able to continually establish new infrastructure when their apps or wallets got taken down.

Sophos is redacting all images of people from both scams in its reports, because pig butchering attacks are often staffed using forced labor, and participants may be working against their will. Gallagher says that the most sinister thing about the attacks is how their evolution and growth means more forced labor on top of more devastated and financially ruined victims. As law enforcement agencies around the world scramble to counter the threat, though, in-depth details of the mechanics of the schemes show how they work and how slippery and adaptive they can be.

Source

Wired