iOS 17.1 Released in October Alongside iPadOS 17.1 and MacOS 14.1

These updates brought a suite of bug fixes, security updates, and a few new features. The features mostly add functionality to the Music app and allow AirDrop to continue transferring files when out of range by switching from the local peer-to-peer wireless transfer to an internet connection. The security updates make a long list of bug fixes (as usual), including several more image processing bugs.

iOS also got a 17.1.1 update in early November, which includes no security content, but a couple of bug fixes: the wireless pay features on some iPhone 15 models occasionally stopped working after wirelessly charging in some cars. That’s been fixed. The weather Lock Screen widget sometimes wouldn’t show snow, and that’s been fixed as well.

The Bottom Line: There’s nothing particularly exciting about these patches, but the security content in 17.1 is worth it all on its own.

Scams Following the Headlines

One point you’ll often hear me repeat is that scammers depend on urgency. A sense of urgency pushes us to skip safety checks and take risks we wouldn’t normally consider. For example, say you’re navigating stepping stones across a stream when you notice the water level violently rising. Under the circumstances, you may skip some stepping stones. You may even jump straight for the shallows, knowing that getting your shoes wet is a small price to pay to escape an urgent situation. If a scammer can convince you that the water level is rising and offer you what looks like a safe landing spot, then they can expect to see you jump right into their trap.

The news is a powerful source of urgency. Whenever something big hits the headlines, scammers use it to convince people to jump. Here are a few of the scams following the headlines in the past month.

Donation Scams Lure with Fake Charities for Israel or Palestine

Fake charities are nothing new, but the urgency of the Israel-Hamas war combined with Israel’s blockade on humanitarian access to Gaza, make the idea of donating to an ad-hoc charity more appealing. If Doctors Without Borders can’t get in, then maybe a smaller, more local group is a better donation? This logic is sound. Disasters usually provoke small local groups to ask for funds, and these ad-hoc groups may have access and expertise that major organizations cannot match. Even when legitimate, these organizations may not have polished websites, and may use unusual or unfamiliar donation mechanisms, like some GoFundMe clone you’ve never heard of. It’s challenging to vet such groups, to sort the real charities from the scams. Security news site Bleeping Computer has done the legwork to reveal a few scams trying to cash in on the situation in Gaza and Israel that emerged during October.

The Bottom Line: Do not make charity contributions using cryptocurrencies. Research a group before you make a donation by checking to see if they list a contact number, if they explain who manages and retains responsibility for the organization, who endorses it, and what kinds of evidence it offers of its activity.

Open Medicare Enrollment Is Open Season for Scammers in the USA

In the USA, people covered by Medicare may make changes to their healthcare plans in October and November. This season is a major news and advertising event, as Medicarees are pelted with text messages, emails, and advertisements reminding them to revisit the details of their plan. This barrage provides cover for scammers, who lure people into buying a better plan that doesn’t exist. The FTC publishes a bulletin of advice about how to avoid Medicare scams.

The Bottom Line: Never deal directly with someone who calls you out of the blue. If it seems like it might be a legitimate call, thank them for the call and hang up, then look up the official number for that organization, and call them back at the official company number. Medicare does not contact you to sell a plan or to request personal information, especially your social security number, bank account info, or medicare number. Anyone asking for that kind of information is not calling from Medicare.

Lost Package? Try Lost Password

As the holiday season supercharges online retail, expect more package delivery scams. These take the form of a text message pretending to be from your package delivery service saying that your package cannot be delivered. Sometimes they say the address was incorrect and they need you to open a link to fill out a form to correct your address. Sometimes they want you to open the link and fill out the form so that you can schedule a new delivery attempt. Either way, the form you fill out will instead steal that information.

What’s curious about this particular scam is it’s a little unclear what the scammers are doing with the information they gather in this fashion, since it doesn’t include a clear way to solicit or steal money. The United States Postal Service offers a writeup of this scam, suggesting that the scammers might be after any personal and identifying info they can scrounge out of your account: scams are more effective if the scammer can convince you that they're legitimate by reciting details about you like your address. But it may be as simple as stealing your password to the package delivery website. If you’ve used the same password in other places, then they could get into those accounts as well.

The Bottom Line: Our own Rhett Intriago wrote up how to spot when a text is really a USPS text scam. Package delivery companies may send you a text only if you’ve signed up for text message updates on your package, but they will not send you texts with links in them. If you believe you’ve actually missed a package and need to schedule a new delivery time, visit your package delivery provider’s website directly, rather than by any link in a message. Also, using a password manager to generate unique passwords for every website and service will insulate you from this kind of scam, and you won’t have to remember as many passwords.

Good News! Two Ransomware Gangs Have Vaporized

Ransomware gangs are groups of digital data kidnappers. They break into the computers of individuals or the networks of corporations and deploy software that encrypts everything it can find. Then they contact the owners with the demand that they will only unencrypt the data if they’re paid a ransom. Ransoming corporate data troves and networks this way has become a multi-billion dollar criminal industry over the past decade, and an extreme nuisance. Dan Goodin, writing for Ars Technica, details how two famous ransomware gangs vanished in the same week. The first, Trigona, was allegedly destroyed by a group of pro-Ukrainian hacker activists. The second group, Ragnar Locker, was methodically disrupted by interpol.

The Bottom Line: It’s nice when your team wins.

More Good News: US Tech Giants Team Up with Indian Law Enforcement

Amazon & Microsoft are teaming up with India’s Central Bureau of Investigation to tackle tech support scams. The team up, called Operation Chakra-II, is new but it’s already led to arrests. We are likely all familiar with the tech support scams flowing from illegal call centers, many of which are based in India: we wrote about some in last month’s newsletter.

The Bottom Line: Hopefully we will get fewer tech support scams soon. In the meantime, continue to treat any unsolicited call from tech support as a scam: hang up. If there is any chance it’s legitimate, then call the company’s officially listed number. Be careful when searching the internet for tech support services: double-check the URL to make sure that the website you visit is the official website of the company you’re looking for.

Bluetooth Gizmo Can Shut Down Nearby iPhones, Sort Of

A device called a Flipper Zero is a little consumer gadget that can record and then mimic radio signals, including the ones used by things like garage door openers, car key fobs, the chip in your hotel key card, and more. As Ars Technica reports, this gizmo is meant as a toy for nerds, but also to help security experts test the security of various systems, like hotel room doors. It’s a fairly simple device, so the idea is that if this thing can break your door lock, then your lock needs an update.

It turns out that the Flipper Zero can also send so many Bluetooth requests to an iPhone that the iPhone becomes unusable: too many pairing requests popping up to get anything done. It’s an annoyance, and under the right circumstances it could be used to create real problems, but it requires bringing the Flipper Zero physically near the iPhone. Pranksters have been using it to annoy people on their morning commute.

The Bottom Line: Should you find yourself being spammed by Bluetooth requests, have a look around for somebody with a Flipper Zero. They’ll be nearby. You haven’t been hacked, though, your device’s data isn’t at risk. You can turn off Bluetooth in your iPhone’s Control Center to prevent this annoyance.

More and More Major Services Let You Drop Passwords (Hooray!)

Google, WhatsApp, and Amazon all joined the growing club, which includes Apple, of web services that allow the use of passkeys for their login process. Passkeys are a secure replacement for passwords—a new technology that lets your device serve as the key for your online accounts, so you don’t need to remember a password.

Passwords have become a real nuisance. They’re easy to lose, easy to forget, and easy to accidentally give away to scammers.

Passkey technology is a crucial next step in online security because they’re faster than passwords, they’re much more secure than passwords, and they cannot be accidentally given away by clicking a link in a scammer’s email or text.

To set up a passkey, you log in to the service, such as Amazon, where you want to use the passkey instead of a password, and navigate to the page where you would go to change your password. There, if the service supports passkeys, it will offer a passkey option. Click that option, select which service you want to use to store your passkey, and you’re done. Password managers including iCloud Passwords, 1Password, Dashlane, and (new as of this month) Bitwarden can all store your passkeys, but not every password manager has implemented them yet, nor has every website started using them.

The Bottom Line: If you use iCloud to manage your passwords for any of Google, WhatsApp, or Amazon, then simply navigate to your account’s settings page and set up a new passkey for a password-free, no-memorization-required login process.

How to Prevent Apps from Accessing Your Location

Turning your iPhone’s Location Services on or off is easy to do within your Privacy settings. When you turn Location Services off completely, none of your apps will be able to track or use your location, impairing the functionality of apps like Weather or Maps. You can instead turn off location services on an app-by-app basis here’s how:

Open the Settings app, and tap Privacy & Security. Tap Location Services. You’ll see a list of all your apps that want to use your location. Some apps will request more location use than others. For example, the Weather app wants to use your location Always or Never, but the Messages app requests location access either Never or While Using the App. Go through your list of apps and decide whether or not each one needs to use your location. Tap on the app and select either Never, Always, or While Using the App, and toggle on Precise Location if you want the app to know exactly where you're located. For example, you may decide that the Maps app needs your precise location, while Google searches in the Chrome app give good results with just your approximate location, and photo editing apps shouldn’t need your location at all. A few other examples: the clock app does need your location to adjust for time zones when you travel, but messenger programs shouldn’t need it at all, and neither does News or Music or anything in those categories.

Thanks for reading, cheers!