Con Watch: Do Smart Speakers Pose a Threat?

Steve Weisman is a lawyer, college professor, author, and one of the country’s leading experts in cybersecurity, identity theft, and scams. See Steve’s other Con Watch articles.

Voice-activated assistants such as Amazon Echo and Google Home have become very popular. More than 20 million homes already are using a voice-activated assistant or “smart speaker,” and with good reason. They are tremendously helpful for so many things. If you need to know the score of last night’s baseball game, get the latest weather forecast, start your coffee brewing, or even turn down your thermostat, smart speakers are ready to do the job.

Security and privacy are always a concern with any new technology that we use, and the Echo and her friends are no exception. While these voice-activated assistants can be hacked, the threat is low: hacking them is complicated and criminals haven’t found an easy way to monetize hacks.

But the threat does exist. Any time you use a device that is connected to the Internet, there are risks of your network being hacked and exposed. Fortunately, there are some simple steps you can take to protect yourself.

Security Steps for your Voice-activated Assistant

  1. Don’t store passwords, contact information or credit card information on your smart speaker.
  2. Your router is a critical part of your home network. Change the default administrative password on your router if you didn’t do so when you first got it. If you don’t change it, it is simple for a hacker to access your router through the easily accessible default administrative password.
  3. Change your Wi-Fi network password.
  4. Strengthen your router’s encryption capabilities by using WPA2 encryption.

These steps can dramatically protect your voice-activated assistant from being hacked. However, the biggest threat posed to you by your smart speaker has nothing to do with hackers. It is a relatively simple scam that merely enlists your speaker to unknowingly lure you into becoming a victim.

The scam occurs when you ask your voice-activated assistant to call a business for you. Your smart speaker picks the top position in a search engine, and that’s where things go wrong.

For years scammers have been setting up bogus tech support websites for your favorite tech companies, such as Facebook and Instagram. By paying for ads in search engine results or by manipulating the algorithms used by the search engines, the scammers manage to get their bogus websites into top positions in Google and other search engines. Unbeknownst to you, your smart speaker calls one of these phony tech support websites, which then scams you out of money or personal information. You may even be conned into giving the scammer remote access to your computers.

Scammers also use similar tactics on people looking for help with the repair of common household appliances, such as refrigerators and washing machines. Your voice-activated assistant may unwittingly call a number for a fraudulent repair business, where you are asked to pay a small fee for a next-day service call. Unfortunately, this is all a scam. No service person comes the next day.

Just last year alone, Google removed more than three million fake business profiles; the number of phony business websites is probably much larger.

The best place to look for a telephone number for tech support, customer service, or warranty information is on the company’s official website, on your bill, or in the warranty documents that came with your appliance or device.

Also, be very careful even when you call the number for tech support or customer service. Clever scam artists — the only criminals we refer to as artists — purchase telephone numbers that are a single digit off of the legitimate phone numbers for many companies’ tech support or customer service numbers in order to take advantage of common consumer misdials.

Voice-activated assistants can be very useful, but you have to take precautions to secure them and be aware of their limitations.

Con Watch: The New Danger of Synthetic Identity Theft

Anyone who has watched the dystopian movie Blade Runner knows about the damage that synthetic humans can supposedly do. That film was science fiction, but did you know that synthetic identities are very much a reality? Unfortunately, it will take more than a hardened retired cop to save you from these replicants.

Synthetic identity theft occurs when a criminal takes information from a variety of sources to create a new identity to take out loans, purchase goods and services, or obtain credit cards. Often synthetic identity thieves combine real and fake information to create a new fictional person. They may use your Social Security number and combine it with the name, address, and phone number of someone else.

According to risk management firm ID Analytics, synthetic identity theft accounts for as much as 85 percent of all identity theft. The Federal Trade Commission (FTC) calls it the fastest growing type of identity fraud.

In 2007 a man in Arizona became a victim of synthetic identity theft when his Social Security number was stolen and combined with more than 30 different names and addresses. Among the phony names used was Gaylord Focker, which was the name of the character played by Ben Stiller in the movie Meet the Parents.

Children are the most common victims of synthetic identity theft because often years go by before a problem is recognized. A study done by Carnegie Mellon’s CyLab indicated children’s Social Security numbers are 51 times more likely to be used in synthetic identity theft fraud than adults’.

The absence of a credit report is an important factor in synthetic identity theft. When someone applies for a credit card or some other form of credit, the company granting the credit will generally search the files of the three credit reporting bureaus to determine credit worthiness. If no file is found, as would be the case with synthetic identity theft, a new file would then be established. This now provides a starting point for the thief to establish credit to later exploit.

Often the synthetic identity thief will start with credit card issuers that offer credit lines of up to $500 to people without good credit histories. Gradually they may add accounts such as cell phone accounts, retail store accounts, and car loans, and obtain credit cards with increasing credit limits. All the while they are making on-time payments in order to increase their credit score to put them into a better position for the ultimate payoff, which is referred to as a “bust out.”

Sometimes synthetic identity thieves will build their credit scores more quickly by adding their synthetic identities as authorized users on accomplices’ accounts through a technique called “piggybacking.” The fraudster can then add the account history of the account in good standing to their credit report. In many instances this is a quick way to establish good credit on behalf of the authorized user and is often legitimately done by spouses or parents adding children to their accounts. Synthetic identity thieves will often trick unsuspecting people into adding the criminal to their accounts as authorized users under the guise that they are doing this to merely establish or repair a legitimate credit history. Once the synthetic identity thief has established good enough credit, he or she busts out by incurring large debts that are never repaid.

One of the biggest problems with synthetic identity theft is that it can be difficult to recognize in a timely manner. When a criminal uses your Social Security number, but not your name, the negative information caused by their actions does not appear on your regular credit report. Instead, the information is added to a sub-file of your credit report, causing your credit score to drop precipitously. Because this negative information does not appear on your primary credit report, credit monitoring will not discover or report the negative information and even a credit freeze will not help.

Some telltale signs of synthetic identity theft include being contacted about an account that you never opened or a debt that you didn’t incur. Also look for aliases listed on your credit report. A dramatic lowering of your credit score coupled with a lack of negative information on your primary credit report is another indication.

If you discover that you have become a victim of synthetic identity theft, notify each of the three credit reporting agencies of the crime and ask them to investigate the matter and remove the false information from your sub-files.

Parents also should, as much as possible, try to limit the places that have their child’s Social Security number and become familiar with the Family Educational Rights Privacy Act, which helps you protect the privacy of your child’s school records and enables you to opt out of information sharing by the school with third parties.

A new law, the Economic Growth, Regulatory Relief and Consumer Protection Act, will make it easier for banks and credit card companies to verify Social Security numbers with the Social Security Administration. Unfortunately, the law doesn’t take effect until next summer and is only a pilot program.

Con Watch: Is Your SIM Card Safe?

What Is a SIM Card?

A Subscriber Identity Module, more commonly known as a SIM card, is an integrated circuit that stores information used to authenticate you on your cell phone. The SIM card is able to be transferred between different devices, and often is, such as when you get a new phone but keep the same cell phone number.

What Is the Danger?

If identity thieves take over your SIM card, they can control your email and any other accounts you access through your cell phone, such as Amazon, eBay, PayPal and Netflix. Even more worrisome, criminals can also intercept security codes sent by text message as part of dual factor authentication, which is often used to verify your identity for more secure transactions, such as online banking. The thief now has the opportunity to empty your bank accounts and cause financial havoc. They can easily reset your password on any online accounts that you have that are tied to your cell phone number. If that weren’t bad enough, they now also have access to any personal information, such as calls or texts, that could potentially be used to blackmail you.

How Do They Get Your SIM Card Information?

A criminal calls your phone carrier claiming to be you and telling them your phone has been lost or damaged. Then they ask the carrier to transfer or swap your SIM card to a new phone controlled by the criminal. This is known as SIM card swapping. In another type of scam known as porting, the thief calls your carrier, saying they want to transfer the phone number to a new company.

In order for the scam to work, the identity thief needs to have personal information about you so that when they call your carrier, they can impersonate you effectively. They are quite adept at contacting victims by email or telephone and getting them to supply Social Security numbers by posing as a legitimate company or agency. Even if one is cautious about giving out personal information, it can often be bought on the Dark Web thanks to all of the recent corporate data breaches, including those at Marriott, Equifax, and Facebook.

Recently, Sydney, Australia police charged a man with involvement in a conspiracy where criminals took over the mobile phone accounts of 70 people and gained access to their bank accounts, using them to purchase more than $100,000 in goods. It was estimated that this type of crime cost Australians at least $10 million in the last year.

In February, 20-year-old college student Joel Ortiz became the first American to be convicted of crimes related to SIM swapping. Ortiz was sentenced to ten years in prison for hacking into the online Bitcoin wallets of his victims, stealing more than $5 million in Bitcoin.

How Do You Protect Yourself?

The best thing you can do to protect your SIM card from porting or swapping is to set up a PIN or password for access to your mobile service provider account. This will help prevent a criminal from calling your carrier posing as you.

AT&T will allow you to set up a passcode for your account that is different from the password that you use to log into your account online. Without this passcode, AT&T will not swap your SIM card.

Verizon enables customers to set up a PIN or password to be used for purposes of authentication when they contact a call center.

T-Mobile will allow you to set up a passcode that is different from the one you use to access your account online. This code will not only protect you from criminals attempting to call T-Mobile and swap your SIM card, but will also prevent someone with a fake ID from making changes to your account at a T-Mobile store.

Sprint customers can establish a PIN that must be provided when doing a SIM swap.

Remember to never provide personal information in response to an email, phone call or text. You can never be sure who is really contacting you. If you think the communication might be legitimate, contact the real company or agency directly using a phone number or address that you know is accurate in order to confirm whether or not the original contact was legitimate.

These simple steps can help protect you from becoming a victim of SIM swapping.
