Dating App Technology

Our experts have studied the most popular online dating apps (Tinder, Bumble, OkCupid, Badoo, Mamba, Zoosk, Happn, WeChat, Paktor), and identified the main threats to users. We have informed developers in advance of all detected vulnerabilities and as of the date this text is published, some are already fixed and others should be corrected in the near future. However, not all developers have promised to fix the defects.

Threat 1. Who are you?

Our researchers have found that four of the nine apps they have researched allow criminals to determine who is behind a nickname based on the data provided by the users themselves. Tinder, Happn, and Bumble, for example, let everyone see the work or study location specified by a user. Using this information, it is possible to find their accounts on social networks and discover their real names. Happn, in particular, uses Facebook accounts for data exchange with the server. With very little effort, anyone can find the names and last names of Happn users and other info from their Facebook profiles.

And if someone intercepts the traffic of a personal device where Paktor is installed, he will be surprised to learn that he can see the e-mail addresses of other users of the application.

In the end, it is possible to identify Paktor and Happn users on other social networks 100% of the time (60% for Tinder and 50% for Bumble).

Online dating sites like Plenty of Fish are known to be safer. You can read a Plenty of Fish review for 2015 right here.

Threat 2. Where are you?

If anyone wants to know where you are, six of the nine apps will help him out. Only OkCupid, Bumble and Badoo keep locked user location data. All other applications indicate the distance between you and the person you are interested in. By moving and saving data on the distance between you, it is easy to determine the exact location of the “prey”.

Happn not only shows how many meters separate you from another user, but also the number of times your paths crossed; so it’s even easier to follow someone. Although it’s amazing, it’s the main feature of the app.

Threat 3. Unprotected data transfer

Most applications transfer data to a server over an SSL encrypted channel, but there are exceptions.

As our researchers have noted, one of the least secure applications is Mamba. The analytics module used in the Android version does not encrypt data about the device (model, serial number, etc.) and the IOS version connects to the server over HTTP and transfers all unencrypted data (and therefore not protected) messages included. This data can not only be viewed, but also modified. For example, it is possible for a third party to change a “How are you?” In a request for money.

Mamba is not the only application that lets you manage someone else’s account because of an unsecure connection. This is also the case with Zoosk. However, our researchers were only able to intercept Zoosk data when new photos or videos were uploaded – and the developers quickly solved the problem shortly after our notification.

Tinder, Paktor, Bumble for Android and Badoo for iOS also put pictures online via HTTP, allowing an attacker to find out which profiles their potential victim is viewing.

When using Android versions of Paktor, Badoo and Zoosk, other details like GPS data and device information can land in the wrong hands.

Threat 4. Attack of the middleman (HDM)

Almost all online dating application servers use the HTTP protocol, which means that by verifying the authenticity of the certificate, it is possible to protect against HDM attacks where victim traffic passes through a server “thug” before to arrive at the legitimate server. The researchers installed a fake certificate to see if the applications would verify its authenticity; if they were not, they would actually be able to spy on other people.

It turned out that most applications (five out of nine) are vulnerable to HDM attacks because they do not verify the authenticity of the certificates. And almost all apps provide permissions through Facebook; failure to verify the certificate may lead to the theft of the temporary authorization key in the form of a token. The tokens are valid for 2 or 3 weeks during which criminals have access to some of the victim’s accounts data on the victim’s social networks in addition to having full access to their profile on the dating app.

Threat 5. Superuser rights.

Regardless of the exact type of data that the application stores on the device, it is possible to access this data through superuser rights. This only applies to devices based on Android; it is rare for malware to have root access in iOS.

The result of the analysis is not at all encouraging. Eight of the nine apps for Android is ready to provide too much information to cybercriminals with super-user access rights. Researchers have been able to obtain usage tokens for social networks from almost every application in question. The credentials were encrypted, but the encryption key was easy to extract from the application itself.

Tinder, Bumble, OkCupid, Badoo, Happn, and Paktor store all message history and user photos with their tokens. Thus, someone who has access privileges can easily access confidential information.

Conclusion

The study showed that many encryption applications do not handle sensitive user data cautiously enough. This is no reason not to use these services: you simply need to understand the issues and minimize the risks when possible.

Technological Breakthroughs of 2017

Virtual Reality

Oculus Rift, HTC Vive, Pokemon Go, Snapchat. RA and the RV are carving out an increasingly bigger place. According to many experts, the market is now ready for this type of technology and 2017 will be the year when we will see virtual versions of virtually everything, with the marketing opportunities that go with it.

Automatic learning (AI)

Commonly called “machine learning”, it will probably be one of the most important buzzwords of 2017. The recent sophistication of artificial intelligence technologies now allows systems to learn for themselves from data they collect. This is not a science fiction, it is a major technological breakthrough in recent years, which has for example led to the very significant improvement of automated translation services.

Whether it is a good or a bad thing, many experts predict the demise in the medium term of entire trades. Maybe it will not happen in 2017, but maybe it will be the year when the trend will get worse. Some sectors will be hit more quickly than others, for example the financial sector. Citygroup, among others, predicts that within 10 years, 30% of banking jobs will be automated.

Mobility

Something that seemed unthinkable just a few years ago: four out of five consumers now use their smartphones to make purchases. The motive is more and more omnipresent in the acts of our daily life. One of the biggest trends ahead, according to journalists, will also be the shift of an increasing number of employees to work remotely with the new mobility tools. Working from home (or from around the world!) Could soon become a reality for a growing number of people disenchanted by transportation and 9 to 5. With all the mobile phones it’s important that you know how to avoid getting hacked because technology is getting more complex an criminal organizations are taking advantage.

HOW BAD WILL IT NEED TO GET BEFORE THE IRS ASKS THE THIEF FOR IDENTIFICATION?

For the first time in about a month I had time to call the IRS to find out whether they have actually received my mailed tax return along with the affidavit and identification. I had to call because there is no information online. I didn’t think they would be able to tell me anything on the phone either, but I assumed it was worth a try.

After holding (on speakerphone of course) for a little over 15 minutes in an attempt to reach the Identity Theft section of the IRS, I was greeted by a very nice representative who verified that I was who I said I was through a series of identification questions and then proceeded to tell me that “Yes” they (the IRS) have received my affidavit and information through the mail. I also asked if I would actually get my return and if so when might I expect it or if he might have an estimated time-frame. He assured me that I would definitely receive it eventually but that the time-frame could vary anywhere from four months to a little over a year. I also inquired about the possibility of receiving a PIN number to avoid future incidents and he told me that PIN numbers would be issued somewhere around November for current victims to avoid repeat victimization on subsequent tax returns.

He (the IRS representative) seemed or sounded very nervous when I began to question him. I didn’t want him to feel like I was picking on him because it definitely is not his fault that the IRS has failed to handle their business.

I found it amusing that I had to answer so many identification questions just to find out if they received my information – If the identity thief were asked about half these questions before being handed my money no one would have this problem and billions of dollars would not be floating around amongst the pockets of lazy, entitled, scum of the earth.

Billions? Did I say “Billions”? Yes, I did! According to our very own Treasury Inspector General J. Russell George The toll is nearing the billions that could be raked in within the next five years because the IRS cannot keep up. You can read more about that in this article on CNN.com by Scott Zamost: Identity thieves could rake in $26 billion in tax refunds

By the way, if you are a victim of identity theft because of a stolen tax return do not bother to call the “Where is my Refund” section of the IRS or the “Customer Service” division. Call this number: 800-908-4490 between 7am and 7pm, Monday thru Friday and be prepared for a long wait.

Good Luck!

IRS TAX RETURN FRAUD 2012 – THE SHITS FINALLY HITTING THE FAN

Forget about millions, we are now looking at Billions in tax payer’s money gone to criminals. Mind you, the billion amount has a big fat “S” on the end of it!

A very interesting article titled “Identity thieves will rake in billions in stolen tax refunds this year” at Nextgov.com states that, “For the past five years, the IRS has received negative audits from the Government Accountability Office for ongoing security weaknesses that could compromise sensitive taxpayer information” – some of these statements were from the prepared testimony of J. Russell George, the Treasury Department inspector general for tax administration himself.

This article goes on to say that a significantly greater amount of returns based on false income get through than the amount prevented and/or detected by the IRS. And that many of these false returns or fraudulent returns are forged by IRS employees.

And damn, “The IRS does not analyze much data from identity theft cases for patterns that could be followed to prevent future refund fraud.”

All I can say is “Nice” and Really?

Not to mention, their (IRS) computer vulnerabilities are deplorable.

More about that gem here: IRS plagued by computer vulnerabilities five consecutive years

Read and download the last two IRS audits for yourself: (click on link and a new page will open then click link a second time to save or open for viewing)

2012 Report to the Commissioner of Internal Revenue
2011 Report to the Commissioner of Internal Revenue
You’ve got to read this article by: By Aliya Sternstein 04/19/2012 (well you don’t have to, but its very informative)

There’s your tax dollars working for you!

TODAY IS THE OFFICIAL 2012 IRS TAX FILING DEADLINE

Do you know where you tax return is?
If you’re like hundreds of thousands of others who have already filed their tax returns promptly and have discovered that some crook has already filed one for you, then you’re probably pretty upset and have good reason to be.

If you’re just sending out your tax return today, then you have a very good chance of becoming a victim yourself.

How will you know if you are a victim?

If you file electronically you will most likely receive a message from the electronic filing system that a duplicate social security number has been detected or that a tax return has already been filed using your social security number.

If you file by mail, it may be weeks or even months before you even find out you’re a victim. You will receive a letter that says, “more than one tax return was filed for you” or states “you received wages from an employer you don’t know”. And then it will be more months or even, in some cases, a year or two before you will actually get your tax return.

What should you do if you become a victim?

If you file electronically:

Unfortunately you will need to call the IRS to determine whether or not this message is indeed due to identity theft.
Be prepared to hold and be on the phone for at least an hour (don’t do this on your lunch break)
They will tell you to file a police report. However there has been so much identity theft and tax return fraud this year that most police departments will not even take a report.
If your local police department will not take a report don’t worry about it – it probably wouldn’t make much of a difference anyway.
Read this article “Tax Refund Stolen” on what to do (scroll halfway down the page and start with line item number 7)
After following these directions, be prepared for a very, very long wait. From what I understand, you will eventually get your tax return and in some cases with interest tacked onto it. The problem is when? And that “when” is averaging somewhere around at least six months to two years.

Last night I did an interview with Scott Cohn of CNBC’s “Squawk Box” on tax return fraud and identity theft and he brought up some very important issues that I really hadn’t had a chance to think about regarding identity theft – those things being the long-term effects or aftermath of identity theft and how it might continue to affect its victims.

When Scott asked me this question it made me think of things like, what will happen if because of this tax return fraud/identity theft:

Your income is reported wrong and you temporarily lose certain medical benefits because of a sliding scale medical insurance program
Your work record is tainted by reports of incorrect employers, which subsequently become part of some public record system and this causes you not to get a job because an employer thinks you have submitted false information
You apply for financial aid and are deemed ineligible due to incorrect income reports
Your child support is adjusted due to incorrect income reports
The list could go on-and-on.

As I mentioned in my interview, the IRS is similar to credit bureaus in that it’s really easy for negative or erroneous information to appear and stay on your report but you’re going to play HELL trying to get anything removed or eradicated.