
Insider threats!
Read Time: 10 mins
Written By:
Ryan Duquette, CFE, CFCE
Elaine was an amateur photographer who enjoyed visiting countries throughout the world. When she traveled, she always rented cars. Two weeks after returning from a trip to China, she checked her bank account and found that her balance was wiped out. Her bank told her to track every transaction from her trip where she might have exposed her personally identifiable information (PII). Elaine checked her credit card and found no malicious activity. Then she remembered that she’d paired her portable Bluetooth device in her rental car, so the car’s system recorded everything on her phone, including account information from transactions she had made via a banking app on her phone. She forgot to delete data stored on the system before she returned the car. A future renter of the car then stole Elaine’s PII and drained her bank account dry.
How does this hack happen? Bluetooth is a brand name for a wireless networking technology that uses shortwave radio frequencies to interconnect wireless electronic devices like mobile phones, portable computers, printers, faxes and “internet of things” appliances. Bluetooth connects your phone to audio and navigation software, and its hands-free calling system allows you to talk on the phone while driving.
Many new cars come equipped with Bluetooth as standard equipment or as an option. The system microphone is installed above the driver, and the speakers use the car’s stereo system. Consumers can purchase portable Bluetooth systems for older cars.
When you use Bluetooth in a vehicle, the system saves your address book, text messages and internet search history. Rental agencies and subsequent renters of the cars you’ve driven — plus purchasers of the vehicles you’ve owned — now can access your PII and place you at risk for identity theft. You routinely protect your laptops, desktops, tablets, phones and other devices; now you need to protect your “smart car.”
Delete your stored data in the rental car (or your personal vehicle when you sell it) by removing your mobile phone from the “paired phones” list in the Bluetooth setup menu, which will also clear your logs.
Bluetooth presents other mobile security risks including general software vulnerabilities, eavesdropping, denial of service, range of operation and headsets. Webroot outlines these risks in its blog, A Review of Bluetooth Attacks and How to Secure Your Mobile Device:
General software vulnerabilities. All software is vulnerable, including Bluetooth. Hackers continually play the cat-and-mouse game of finding vulnerabilities, which security personnel rush to patch. If this were a TV show, no network would ever cancel it. You can’t eliminate this mobile risk, so turn off your Bluetooth when you’re not using it.
Eavesdropping. Bluetooth technology uses encryption to stop hackers from accessing your data and phone calls. But older Bluetooth devices use outdated software with unpatched security holes. Decrease the risk by not using Bluetooth 1.x, 2.0 or 4.0-LE, and make sure your device uses the latest versions and protocols.
Denial of service. Hackers use this method to flood networks with tons of activity to shut down organizations’ operations so they can’t serve customers. Recovering can be expensive. Hackers also use this tactic with Bluetooth technology, which stops users from receiving phone calls. It’s almost impossible to stop denial-of-service attacks, but you can curtail them by turning off your Bluetooth when you’re not using it.
Range of activity. Bluetooth is designed so that only devices within a few feet can access it. But hackers have learned to use directional high-gain antennas to receive signals over greater ranges. So, a user might think they’re safe to provide their account numbers and other PII to banks or brokers. Obviously, don’t do this, and, again, turn off your Bluetooth device when you’re not using it.
Bluetooth headsets. Hackers can eavesdrop on your phone calls via these mobile bugging devices. Reduce risk with complex default PIN codes so that hackers will have a difficult time compromising them. And, you guessed it: Power them off when you’re not using them.
Convey these Bluetooth mobile security risks to employees and others to reduce the risk of PII compromises.
In the July/August 2018 column, I included a section about phone hijacking. I want to address a related serious problem called phone hacking and provide some important tips to help reduce the risks. Phone hijacking differs from phone hacking in that the former is a form of account takeover.
A thief pulls this off when they access enough of your PII to walk into a mobile-phone store and convince the clerk that they’re the owner of your account and want to upgrade it. The thief then walks out with two new phones. You discover the problem when your phone stops working because the number has been transferred to the new phones.
In a phone-hacking scheme, a cybercriminal breaks into your phone to listen to your messages, steal valuable PII or install malicious software to hack into your bank account.
Webroot provides these tips to help prevent phone hacking:
Share this information with your business associates, family, friends and clients and include it in your outreach programs. Mobile security is very important. New identity theft scams and new versions of old ones continue to emerge. You’ve been forewarned, so tread with care!
Please contact me if you have identity theft or cyber-related issues you’d like me to research and possibly include in future columns or feature articles, or if you have any questions about this column or other cybersecurity and identity theft issues. I don’t have all the answers, but I’ll do my best to help. Stay tuned!
Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash. He’s also on the ACFE’s Advisory Council and the Editorial Advisory Committee. Holtfreter was the recipient of the 2017 Hubbard Award for the best Fraud Magazine feature article in 2016. Contact him at doctorh007@gmail.com.