How you should respond to the security threat likely inside your computer

Nearly two years ago, researchers revealed flaws in the chips of virtually every computer made since the mid-1990s. The flaws—primarily found in Intel’s chips—create a vulnerability that hackers can exploit to obtain unauthorized access to privileged information.


Since the initial exploits were first exposed, new versions have continued to be discovered—the most recent of which was found this past November. While software “fixes” have been released, they tend to reduce the speed and performance of computers—as much as 40 percent, according to some reports. In addition, since the flaw is hardware-based, the “fix” is only good until the next exploit is discovered.

At the time of the discovery of one of the “worst CPU bugs ever found,” there was significant alarm expressed in the news as well as across the cybersecurity community. Since that time, public attention has waned. Unfortunately, the problem has only grown worse. And while there has been considerable discussion of the impact these flaws have on businesses, the impact on consumers has been somewhat overlooked.

That’s why NCL’s #DataInsecurity Project recently released a paper detailing the threat that these bugs—with scary names like Meltdown, Spectre, and Zombieload—pose to consumers, their data, and the performance of their computers.

Every organization or individual running a server or computer with affected hardware should take action to protect themselves. Unfortunately, consumers are less likely to know what to do or have the resources to do it, leaving them more exposed.

For example, consumers are more likely to be running older or outdated software. Consumers are also likely to keep their computers much longer than a business, making their hardware older as well. The way these flaws work, older hardware generally sees a greater slowdown when the security patches are applied.

Additionally, the small businesses that consumers interact with may also be running “legacy” hardware or software. These businesses may not be able to afford the high cost of additional servers to offset the speed loss from the patches or of entirely replacing old systems. This difficult choice for small businesses could mean that some decide against applying patches – with potentially severe consequences for consumers’ data security.

Google has taken preemptive steps to protect consumers, but it also warned that as a result of these security measures, “some users may notice slower performance with some apps and games.” Apple, conversely, has offered software patches but left other security measures as an “opt-in” for consumers.

So, while consumers may not face the same type of risk as businesses, they do face a lot of challenges when it comes to addressing these exploits. Consumers already live in a heightened threat environment, filled with phishing emails and computer viruses. They shouldn’t have to choose between the security of their data and the performance of their computers.

To learn more about these issues and the best way to protect yourself, you can find NCL’s white paper here.

Sign up for the #DataInsecurity Digest

Welcome to The #DataInsecurity Digest, a publication of the National Consumers League, which has been advocating for Congress and the Administration to pass comprehensive data security protections for years.

Since 2015, The #DataInsecurity Digest has delivered important, consumer-focused data security news, policy analysis, and information about upcoming events directly to subscribers’ inbox biweekly.

Curated by NCL’s Vice President of Public Policy, Telecommunications, and Fraud John Breyault, the publication is a collection of the latest coverage and analysis of data security issues by trusted authors, with commentary offered by Breyault.

We’d love your feedback! Drop author John Breyault a line at johnb@nclnet.org to tell him what you think!

Scammers coming out of woodwork to prey on vulnerable

Today’s economic news is grim. Nearly 40 million Americans have found themselves without employment due to the COVID-19 pandemic. For the newly jobless, state unemployment insurance benefits are a lifeline that helps them keep the lights on and provide food for their families. Unfortunately, the combination of billions of dollars in federal stimulus money flowing to state unemployment funds and the tens of millions of new claimants has created a once-in-a-lifetime opportunity for identity thieves: unemployment benefits scams.

According to the Secret Service and media reports, organized rings of criminals are working to siphon off unemployment insurance payments, potentially worth hundreds of millions of dollars, intended for workers who have been laid off due to the COVID-19 pandemic. In the state of Washington, for example, scammers reportedly made off with nearly $1.6 million in a single month. This scam is reportedly even affecting consumers who have not yet lost their jobs.

The recent spike in this type of scam is unfortunately not unique. When news captures the public’s attention—think major hurricanes, terrorist attacks, and economic slowdowns—scammers come out of the woodwork to take advantage of legitimate fears and concerns. In today’s coronavirus environment, there is an unprecedented opportunity for criminals to use the public’s fears about the virus and the resulting economic downturn to defraud consumers.

Since the pandemic began, NCL’s Fraud.org project has seen an uptick in complaints about a variety of scams preying on increasingly vulnerable, financially strapped, and fearful consumers.

“Scammers running phishing schemes, stimulus check fraud, and even pet adoption scams have all been working overtime to use the COVID-19 pandemic as a way to defraud consumers,” said John Breyault, director of NCL’s Fraud.org campaign. “We forecast these scams will continue to increase and evolve and are eager to get the word out about how Pennsylvanians can protect themselves.”

Over the last several months, NCL has devoted monthly Fraud Alerts to giving consumers the tools to spot and avoid some of the many types of scams related to COVID-19. Alerts have featured the most pernicious types of scams that are increasing due to coronavirus, ranging from job scams to increased reports of fraudulent robocall activity.

“As the coronavirus has upended daily life, robocall operators have quickly shifted to blasting out spam phone calls offering all manner of coronavirus-related products and services,” said Breyault. It’s estimated that at least one million robocalls per day are inundating Americans’ cell phones. Fraudulent robocallers are offering air duct sanitation services, work-from-home opportunities, cut-rate health insurance, and immune-system boosting nutritional supplements. Other robocalls have reportedly offered free insulin kits to diabetics, along with free coronavirus testing kits.

“At best, consumers who respond to these calls are setting themselves up to lose money for a non-existent product or service,” said Breyault. “At worst, delaying needed emergency treatments on the belief that a fake coronavirus treatment will save your life could be deadly to you and those you come into contact with.”

In May, NCL hosted a virtual fireside chat with Pennsylvania Attorney General Josh Shapiro and a panel of consumer protection experts on the growing threat of scams linked to the COVID-19 pandemic. NCL’s Breyault and AG Shapiro discussed what they are hearing from consumers, tactics for reaching the most vulnerable populations, and the importance of collaboration for getting key messages out to consumers.

“The work [NCL] is doing to get the word out is so important,” said General Shapiro. “There will be some people who hear my voice, and some people who hear your voice. But the key is that collectively we are warning people about scams and that we’re working together to share actual information—not myths—and not propaganda by one group or the other.”

NCL urges Administration to take action to combat COVID-themed fraud, patient harms online

April 10, 2020

Contact: National Consumers League – Carol McKay, carolm@nclnet.org, (412) 945-3242 or Taun Sterling, tauns@nclnet.org, (202) 207-2832

Washington, DC – April 10, 2020 – The National Consumers League (NCL), in partnership with 42 patient and provider advocacy, public health, industry, and research groups, has issued joint letters to Vice President Mike Pence, the U.S. Department of Justice (DOJ), U.S. Federal Trade Commission (FTC), U.S. Food and Drug Administration (FDA), and other state and federal leaders calling for swift action to protect consumers against COVID-19 misinformation, scams, and fraud online.

“NCL commends the White House Coronavirus Task Force and other officials for their dedication in responding to the coronavirus crisis,” said NCL Executive Director Sally Greenberg. “The COVID-19 pandemic makes your work against healthcare and financial fraud more important now than ever. However, to further flatten the curve and save lives, we urge the Administration to quickly implement increased evidence-based actions and to help protect consumers from predatory attempts to take advantage of our new economy.”

Since the start of the pandemic, criminals have launched thousands of COVID-specific global scams and phishing attacks, using the coronavirus crisis to profit at patients’ expense. “Criminals have exploited the fear and confusion caused by the coronavirus for their own personal profits. More must be done to mitigate the health and financial harms experienced by consumers nationwide,” said Greenberg. In the past few weeks alone, more than 100,000 website domain names have been registered containing terms like “covid” and “corona,” most of which have been found to be outright dangerous. The Federal Trade Commission indicated receipt of nearly 14,000 coronavirus-related complaints, with fraudulent losses totaling nearly $10 million.

NCL has long called for increased regulation and enforcement against illegal online acts that result in public health and economic harm. The joint letter encourages the Administration to move swiftly to enact and enforce existing no-cost solutions to better protect consumers. Additionally, it calls on the Administration to ground its efforts in science, address systemic internet policy problems, and prepare for an ongoing wave of COVID-19 related scams during the economic downturn.

Co-signers of the letters include Alliance for Safe Online Pharmacies, BIO, Coalition for a Safe and Transparent Internet, Consumer Brands Association, Kroll, Lilly, LegitScript, and USP. The full letter can be read here.

###

About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneering consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit www.nclnet.org.

 

Imposter scams drive big increases in phishing and spoofing complaints in annual top ten scam report

February 27, 2020

At the start of National Consumer Protection Week 2020 (March 1-7), watchdog group issues warning about most common scams plaguing Americans 

Media contact: National Consumers League – Carol McKay, carolm@nclnet.org, (412) 945-3242 or Taun Sterling, tauns@nclnet.org, (202) 207-2832 

Washington, DC—Consumers on the receiving end of scary calls and emails claiming that the government is coming after them drove a big increase in phishing and spoofing complaints to the National Consumers League’s Fraud.org campaign in 2019, according to the organization’s annual Top Ten Scams report issued today. With National Consumer Protection Week 2020 kicking off this weekend and being observed next week (March 1-7), the national consumer watchdog org is cautioning consumers against imposter frauds and the other most common scams that plagued Americans in 2019. 

In 2019, consumers submitted 5,647 complaints to Fraud.org. Fifty-three percent of complaints reported a monetary loss; the median loss reported was $749. 

In 2019, the percentage of complaints Fraud.org received about scams involving phishing or spoofing nearly tripled versus the previous year. NCL attributes the increase to the high number of imposter scam calls that consumers reported receiving. Scammers reportedly impersonated government agencies such as the IRS, FBI, and USCIS, and some of these criminals even claimed to be representatives of the National Consumers League.  

“Scammers know all too well that impersonating a government agency and threatening consumers is one of the best ways to get victims to pay up, and they depend on authentic-looking emails or spoofing Caller ID to get victims to pay attention to their threats,” said John Breyault, NCL Vice President of Public Policy, Telecommunications, and Fraud and the new report’s author. “The best advice for consumers is to remember that a government agency will never reach out to you via email or telephone to demand money, so hang up or delete. If you’re worried about back-taxes, your immigration status, or a debt you may owe, look up the phone number for the bank or government agency yourself and call to check. Don’t take the word of someone on the phone making threats.” 

Top Ten Scams of 2019

  1. Internet: Gen Merchandise
  2. Fake Check Scams
  3. Advance Fee Loans, Credit Arrangers
  4. Phishing/Spoofing
  5. Friendship & Sweetheart Swindles
  6. Prizes/Sweepstakes/Free Gifts
  7. Investment Related
  8. Computers: Equipment/Software
  9. Employ Agency/Job Counsel/Overseas Work
  10. Internet: Info/Adult Services

Other topline findings from the report include: 

Romance scams and friendship swindles on the rise in 2019. 

The percentage of complaints involving romance scams increased by nearly 50 percent versus 2018. This is especially worrisome considering that romance scams tend to be among the most expensive type of fraud for victims. 

Web remains most common place scammers are finding victims. 

While the telephone was the method of first contact used by scammers in nearly a third of complaints to Fraud.org in 2019, the Internet remains the most likely place for complainants to have encountered a scammer. Almost 45 percent of complaints to Fraud.org in 2019 said that they first encountered a scammer on the Web. 

Wire transfer no longer scammers’ top choice of payment method. 

After many years of wire transfer being the payment method of choice by scammers, credit cards bumped wire transfers as the most frequently-reported method of payment in 2019. More than 44 percent of complainants to Fraud.org reported that their loss occurred because a scammer charged their credit card. 

Read the full 2019 Top Scams report from NCL.

###


 

NCL applauds House passage of safety bills

December 17, 2019

Media contact: National Consumers League – Carol McKay, carolm@nclnet.org, (412) 945-3242 or Taun Sterling, tauns@nclnet.org, (202) 207-2832

Washington, DC–The National Consumers League applauds the passage by the House of Representatives of three bills to protect consumers, all of which came from the Energy and Commerce Committee.

“We are grateful for the leadership of Chairman Pallone and Subcommittee Chair Schakowsky in getting these bills through the Committee and to the House floor for passage,” said NCL Executive Director Sally Greenberg. “The House is taking an important step in protecting Americans—especially our children—from dangerous products and protecting consumers from overseas scams. Children are the most vulnerable consumers, and they need our advocacy. Products that prove dangerous to their health and wellbeing – like inclined sleepers and crib bumpers – should no longer be on the market, and we hope the Senate takes up these bills immediately. Thanks once again to the bipartisan efforts through the Commerce Committee and full House leadership for these important consumer protection measures.”

The House passed the following bills:

H.R. 4779, a bill to extend the Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers Beyond Borders Act of 2006, reauthorizes the U.S. SAFE WEB Act, which improved the Federal Trade Commission’s (FTC) ability to combat unfair or deceptive acts or practices that are international in scope, through Fiscal Year 2027 and requires the FTC to issue a report to Congress describing the Commission’s use of and experience with the authority granted by the Act. 

H.R. 2647, the “Safer Occupancy Furniture Flammability Act” or “SOFFA,” adopts the California upholstered furniture flammability standard as a national flammability standard for upholstered furniture to limit exposure to toxic flame retardant chemicals. 

H.R. 3172, the “Safe Sleep for Babies Act of 2019,” designates inclined sleepers for infants as banned hazardous products under the Consumer Product Safety Act. The bill was amended to include the text of H.R. 3170, the “Safe Cribs Act of 2019,” which also designates crib bumpers as banned hazardous products.

###


How consumers must respond to the security threat inside nearly every computer

Nearly two years ago, researchers revealed flaws in the chips of virtually every computer made since the mid-1990s. The flaws—primarily found in Intel’s chips—create a vulnerability that hackers can exploit to obtain unauthorized access to privileged information.

Since the initial exploits were first exposed, new versions have continued to be discovered—the most recent of which was found this past November. While software “fixes” have been released, they tend to reduce the speed and performance of computers—as much as 40 percent, according to some reports. In addition, since the flaw is hardware-based, the “fix” is only good until the next exploit is discovered.

At the time of the discovery of one of the “worst CPU bugs ever found,” there was significant alarm expressed in the news as well as across the cybersecurity community. Since that time, public attention has waned. Unfortunately, the problem has only grown worse. And while there has been considerable discussion of the impact these flaws have on businesses, the impact on consumers has been somewhat overlooked.

That’s why NCL’s #DataInsecurity Project recently released a paper detailing the threat that these bugs—with scary names like Meltdown, Spectre, and Zombieload—pose to consumers, their data, and the performance of their computers.

Every organization or individual running a server or computer with affected hardware should take action to protect themselves. Unfortunately, consumers are less likely to know what to do or have the resources to do it, leaving them more exposed.

For example, consumers are more likely to be running older or outdated software. Consumers are also likely to keep their computers much longer than a business, making their hardware older as well. The way these flaws work, older hardware generally sees a greater slowdown when the security patches are applied. 

Additionally, the small businesses that consumers interact with may also be running “legacy” hardware or software. These businesses may not be able to afford the high cost of additional servers to offset the speed loss from the patches or of entirely replacing old systems. This difficult choice for small businesses could mean that some decide against applying patches – with potentially severe consequences for consumers’ data security.  

Google has taken preemptive steps to protect consumers, but it also warned that as a result of these security measures, “some users may notice slower performance with some apps and games.” Apple, conversely, has offered software patches but left other security measures as an “opt-in” for consumers.  

So, while consumers may not face the same type of risk as businesses, they do face a lot of challenges when it comes to addressing these exploits. Consumers already live in a heightened threat environment, filled with phishing emails and computer viruses. They shouldn’t have to choose between the security of their data and the performance of their computers.

To learn more about these issues and the best way to protect yourself, you can find NCL’s white paper here.

Consumer group urges District of Columbia to pass critical data security legislation

November 12, 2019

Media contact: National Consumers League – Carol McKay, carolm@nclnet.org, (412) 945-3242 or Taun Sterling, tauns@nclnet.org, (202) 207-2832

Washington, DC—Today, the National Consumers League, the Nation’s pioneering consumer and worker advocacy organization, testified before the Council of the District of Columbia in support of the Security Breach Protection Amendment Act of 2019.

The following is attributable to NCL’s Public Policy Manager Brian Young:

“This consumer protection bill will help stop breaches before they happen by requiring holders of personal data to take reasonable steps to secure and safeguard the data they have been entrusted with. When breaches happen, it is often because the business did not utilize current best practices to secure data, and yet, it is the consumer that bears the price for the business’ misstep. Consumers cannot and should not be expected to carry the load when it comes to protecting the data they share with businesses and other organizations. NCL believes that each councilmember has a unique opportunity to safeguard District residents’ data through this bill. NCL urges the Council of the District of Columbia to quickly pass and implement this critical consumer protection bill.”

Brian Young’s full testimony can be found here (PDF).

Video footage of Brian Young’s testimony is available here.

###


National Consumers League: Computer chip defects force nearly all consumers to choose between speed and security

October 24, 2019

Media contact: National Consumers League – Carol McKay, carolm@nclnet.org, (412) 945-3242 or Taun Sterling, tauns@nclnet.org, (202) 207-2832

New NCL #DataInsecurity report details threat these flaws pose to consumers—both in terms of the security of their data and the performance of their computers—and how they can protect themselves in the future

Washington, DC—A new report released today by the National Consumers League details how consumers have been impacted by a series of processor exploits announced over the last 22 months that leave nearly every computer and server from the past two decades vulnerable to hacking. With sensitive data at risk, patches have been issued that better secure computers and servers. However, these temporary fixes can result in significant performance problems.

The report, “Data Insecurity: How One of the Worst Computer Defects Ever Sacrificed Security for Speed,” is part of NCL’s #DataInsecurity Project. Timed to coincide with National Cybersecurity Awareness Month, the report is an opportunity to remind consumers about the importance of being safe and secure when online. The report discusses the threat these processor flaws pose to consumers—both in terms of the security of their data and the performance of their computer after the necessary security patches are applied—and how they can protect themselves in the future.

“This paper is a part of NCL’s mission to empower individuals to protect themselves from companies that put their data at risk,” said John Breyault, NCL vice president, public policy, telecommunications and fraud. “The scope and severity of these chip flaws is alarming, undermining both the security and speed of computers. Nearly two years after the flaws first made headlines, it is likely that consumers are still not fully aware of the risks they face if they do not protect themselves.”

The report details seven publicly disclosed exploits, known as “Spectre,” “Meltdown,” “Foreshadow,” “Zombieload,” “RIDL,” “Fallout,” and “SWAPGS,” that take advantage of the flaws found in CPUs manufactured by AMD, ARM, and Intel. While Spectre affects all three major chip manufacturers, all six subsequent exploits largely affect only Intel processors.

The exploits have been discovered on an ongoing basis for nearly two years, with the most recent one found in August 2019. The flaws are a result of a process called speculative execution, a functionality created in the 1990s that allows a processor to predict a user’s next action and perform it in advance, thereby reducing delays and increasing the speed of a computer. Because the flaws are foundational to how a CPU’s hardware is built, each patch is only temporary until the next exploit is discovered. Due to the nature of these flaws, the exploits that take advantage of them may not be traceable.

“Consumers are being forced to choose between the security of their data and the computer speed they were promised,” said Breyault. “We recommend consumers prioritize security, though unfortunately, it comes at a financial and performance cost.” 

The report concludes that the best protection for consumers is to buy a new computer that has a CPU with hardware-level security fixes or is immune from some of the exploits. Unfortunately, the NCL report acknowledges that this may not be practical for many consumers. Therefore, consumers are advised to perform frequent software updates. NCL is also strongly supporting data security bills such as the Consumer Privacy Protection Act of 2017 that would require companies to take preventative steps to defend against cyberattacks and data breaches and to provide consumers with notice and appropriate protection when a data breach occurs.

The full report can be found here.

###


Computer chip defects force consumers to choose between speed and security

October is National Cybersecurity Awareness Month! Since the first observation of this month 15 years ago, the world has gone from about 800 million Internet users to approximately 4.5 billion. Over that same period of time, there has been an extensive amount of time and energy dedicated to improving cybersecurity and cyber hygiene.

Sadly, despite those good faith efforts, it does not appear that consumers have become safer. In fact, it is clear by now that most individuals have, in one way or another, been affected by some sort of hack or data breach—either on a personal computer or through a company that they have entrusted with their sensitive information.

To make matters worse, beyond the heightened cyber threat environment that exists today, a new hardware-based vulnerability found in almost every processor in the world has recently emerged, and it is making it increasingly difficult for consumers to keep their data protected.

A new report released by the National Consumers League’s #DataInsecurity Project, “Data Insecurity: How One of the Worst Computer Defects Ever Sacrificed Security for Speed,” discusses the threat these processor flaws pose to consumers—both in terms of the security of their data and the performance of their computer after security patches are applied—and how they can protect themselves in the future.

The report details seven publicly disclosed exploits, known as “Spectre,” “Meltdown,” “Foreshadow,” “Zombieload,” “RIDL,” “Fallout,” and “SWAPGS,” that take advantage of the flaws found in CPUs manufactured by AMD, ARM, and Intel. While Spectre affects all three major chip manufacturers, all six subsequent exploits largely affect only Intel processors.

The exploits, in short, can allow a hacker to obtain unauthorized access to privileged information. And while patches have been released alongside each exploit, they have led to a decrease in computer speed and performance—as much as 40 percent according to some reports. In addition, the patch is only good until the next exploit is discovered.

The flaws create a real challenge for consumers: apply each temporary “fix” as new exploits are discovered and risk slowing down your device, or don’t and put your sensitive information at risk. And consumers who apply patches remain at the mercy of companies that hold their sensitive data and are faced with a similar dilemma, particularly as they must consider the expenses of implementing these fixes—including costs to add computing power lost by each patch.

The report concludes that the best protection for consumers is to buy a new computer that has a CPU with hardware-level security fixes or is immune from some of the exploits. Unfortunately, this is not practical for many consumers. Therefore, consumers are advised to perform frequent software updates. NCL is also strongly supporting data security bills, such as the Consumer Privacy Protection Act of 2017, which would require companies to take preventative steps to defend against cyberattacks and data breaches and to provide consumers with notice and appropriate protection when a data breach occurs.

As we mark this year’s National Cybersecurity Awareness Month, we should certainly celebrate the progress that we have made. We cannot lose sight, however, of the need to better secure our information and systems moving forward. Awareness and smart data hygiene by consumers is one part. Companies must do their part to secure our information as well.

If you are interested in learning more, you can find NCL’s latest report here.