By Sophos Home
Over time, the state of cybersecurity evolves. New threats emerge, but so do new security technologies. As encryption has become more prevalent, many threats that were once serious have been diminished. Other attacks that were performed once or twice as a proof of concept never evolved into the widespread threat that we were warned they could.
Your online safety practices should make you feel safe and comfortable. But there’s real value in knowing which threats are serious, and which ones are mostly hot air. Sophos Home debunks five common cybersecurity myths.
1) Juice jacking – don’t charge your phone via a public USB port
One common piece of travel advice is to avoid using public USB ports to charge your devices. Because USB can transmit data as well as power, the story goes that bad actors might place fake USB chargers in outlets in places like airports and coffee shops. When you plug your phone in, these rogues could steal the information stored on your phone. The practice even has a name: “juice jacking.” And it got a huge boost in awareness when the Los Angeles County District Attorney’s Office spoke out against it.
There’s just one problem: like urban legends of razor blades in Halloween apples, it’s technically possible. But nobody’s actually doing it, aside from some initial proof of concept attacks at events or conventions. In fact, when TechCrunch followed up with the LA County DA’s office about their warning, they admitted that they didn’t actually have any confirmed reports of juice jacking they could point to.
If you want to play it safe, it doesn’t hurt to bring your own portable battery when you leave the house, or to charge your devices at an outlet. But don’t be scared to use a public USB charger. Most modern phones will warn you if data is being transferred, and the likelihood that it will happen at all is far lower than the awareness-raising campaigns make it seem.
2) Tap-to-pay cards are targeted by criminals
Tap-to-pay cards have been used around the world for a long time, and as the technology finally started coming to the U.S., it was greeted with suspicion. Some people worried that touchless transactions could be carried out by thieves. You can actually buy special wallets that block the radio frequencies these cards use to protect yourself.
The truth is that swiping these cards would require someone to stand incredibly close to you for the several seconds it takes to ring up the transaction. You would almost certainly become uncomfortable and move before they succeeded. But suppose someone did swipe your tap-to-pay debit card. What are they actually stealing?
Your tap-to-pay card uses a process called tokenization. For each transaction, your card generates a new set of numbers and symbols for verification. If someone managed to get close enough to you to swipe your card, they’d wind up copying your token for the next transaction. So they could only use your stolen info once. And they couldn’t spend much, because tap-to-pay cards have a transaction limit on every tap.
The limit varies across countries and vendors. Visa and Mastercard tap-to-pay cards have a maximum of $250, while Apple Pay requires a signature for anything over $50. That means your fraudster would wind up with a limited amount of money that they could spend in only one transaction. On top of that, they’d need to spend the money before you did. Since your card generates a new token for each swipe, if you used your card before they did, their copy of your token would be rejected.
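To see why a copied token goes stale, here is a simplified model of the idea, added as an illustration and not taken from any card network's actual protocol. The shared key, the tap counter, the HMAC construction and the class names are all assumptions made for the example; only the $250 per-tap limit comes from the figures above.

```python
import hmac, hashlib

TAP_LIMIT_CENTS = 25_000  # per-tap cap; the article cites $250 for Visa/Mastercard

class Card:
    """Constructed model: a secret key shared with the issuer plus a tap counter."""
    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def tap(self) -> tuple[int, str]:
        # Each tap advances the counter and derives a fresh one-time token from it.
        self._counter += 1
        mac = hmac.new(self._key, str(self._counter).encode(), hashlib.sha256)
        return self._counter, mac.hexdigest()

class Issuer:
    def __init__(self, key: bytes):
        self._key, self._last_counter = key, 0

    def authorize(self, token: tuple[int, str], amount_cents: int) -> str:
        counter, mac = token
        expected = hmac.new(self._key, str(counter).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return "declined: bad token"
        if counter <= self._last_counter:   # already used, or older than a used one
            return "declined: stale token"
        if amount_cents > TAP_LIMIT_CENTS:
            return "declined: over tap limit"
        self._last_counter = counter
        return "approved"

def demo() -> list[str]:
    key = b"constructed-demo-key"   # constructed sample value
    card, issuer = Card(key), Issuer(key)
    skimmed = card.tap()            # token copied by someone standing close
    own = card.tap()                # the cardholder's next purchase
    return [
        issuer.authorize(own, 1_200),      # cardholder pays first
        issuer.authorize(skimmed, 1_200),  # the copy is now behind the counter
        issuer.authorize(own, 1_200),      # a token that was already used fails too
    ]

if __name__ == "__main__":
    print(demo())
```
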
If that sounds ridiculously complicated, it is! It would be a tremendous amount of effort for an extremely limited payoff. The fact is there are much easier kinds of theft to commit. Anyone looking to commit credit or debit card fraud will have a much easier time doing so with an old-school magnetic strip card.
3) You should always use a VPN
The question of when and whether to use a VPN is complicated. The short and simple answer is you should always assume someone is tracking you on the internet. How much you care about that and what you choose to do about it is up to you. Your traffic is being snooped on by most of the people who handle it, including your internet service provider, big data brokers like Facebook and Google, and the cloud companies that host most websites. Many of these companies can and do sell your browsing information, your location history, and more. VPNs will help with some of these would-be snoopers, but not all of them.
Tracking from your ISP
When you go online, your internet service provider is allowed to collect your traffic data and sell it. This data could theoretically point back to you, but there’s so much of it that nobody is ever likely to dig through it. Modern encryption means that they don’t see much of your traffic, but a VPN could protect you from them a little.
Tracking from hosting companies
Most sites these days live on cloud hosts like Cloudflare and Amazon Web Services. While your ISP can’t see your traffic, these companies can, which is another issue. A VPN could theoretically protect your privacy from them. But they aren’t the only snooper, either.
Tracking from data brokers
Once you’re on a webpage, data brokers like Google and Facebook are peeping on you from the page itself. If you’re logged into Facebook as you browse, any web page with a Facebook “like” or “share” button can connect you to your profile. Likewise, Google Analytics reports your traffic back to Google. These companies are very good at what they do, which is using your traffic to serve you very targeted ads. And when you’re logged into these accounts, a VPN can’t help you.
It’s not hopeless. Firefox has a fairly robust built-in feature set intended to cordon off how much of your browsing Facebook can access, but no other browser currently does.
Tracking from your phone
You have another potential tattletale: your phone. If you have apps like Facebook or Google Maps, your phone is sending info on your location back to FB and Google constantly. Even with your location services off, nearby available networks can give data brokers a great idea of where you are. Again, that’s not really something a VPN can protect you from.
Will a VPN really help?
In the long run, a VPN can help protect you from some kinds of internet snooping. But so much data collection is taking place on you, all the time, that if you really want to protect yourself, a VPN is only going to be one piece of a much larger puzzle. For most of us, the necessities and conveniences of modern life mean that we’re not likely to go to the extreme lengths needed to truly hide ourselves away from data collection.
One final thing to bear in mind: even if you don’t trust your ISP, cloud hosts, Facebook, or Google, handing your traffic over to a VPN means trusting the VPN company. Like all companies, some VPNs are much more respectable than others. Any web activity is an act of trust. As an internet user, it’s up to you to decide who to place that trust in.
4) Public Wi-Fi isn’t safe
For years now, the common wisdom has been to avoid connecting to public Wi-Fi. But the truth of the matter is that modern web traffic is encrypted enough that you don’t really need to worry about it.
Most websites you visit are secure. On a secure website, you should see a lock on the left-hand side of your address bar, and the web address should start with “https” instead of “http”. As of 2019, 80% of websites are protected with https secure encryption.
This encryption is meant to protect you from snooping or tampering, regardless of where you are. Even if you connect to the Wi-Fi at your coffee shop, a potential scammer would have to know exactly which website you were going to and set up a fake version to divert you to. The odds against that happening are pretty astronomical, so go ahead and check your email while you wait for that mocha.
5) Apple macOS is not affected by malware or cyberattacks
One of the benefits and weaknesses of Apple products is the relatively closed environment that they represent. Selling apps for the iPhone requires rigorous approval, as Apple seeks to protect its brand, enhance security, and preserve its revenue streams. Apple’s preference for proprietary processors also gives its products a little extra safety.
Because Apple had strong security for so long, it was commonly accepted for years that Mac machines and iPhones can’t get viruses. But that’s simply not the case. Just like any other machine, they face plenty of dangers, including the Shlayer trojan that’s infected nearly 10% of Apples.
That means that having strong antivirus software is important. A solid antivirus program can help protect you from malware, block viruses, check for trojans, and more.
Stay protected from the right threats
Everyone wants to stay vigilant and stay protected online. But part of effective protection is knowing which threats are serious and which ones are exaggerated, so that you put your time and effort into the right places. Watch out for scams and phishing attempts, and always have reliable security software protecting your devices, to make sure that you stay as safe as possible.