Security Friday | Week of 2/13/26

Hi Insiders, Rhett here. Like most Americans, I watched the Super Bowl last Sunday and saw an alarming ad from Ring, Amazon’s smart-home company. It appeared innocent on the surface, but the privacy-invasive implications were certainly concerning. We’ll be covering that Ring camera ad down below. In other news, Valentine’s Day is tomorrow, which means everyone should be on the lookout for romance scams, in which scammers befriend you before asking for money. We found a helpful guide to help you avoid these types of scams. Did we miss any hacks or scams this week? Be sure to let us know by emailing security@iphonelife.com or by replying to this email! Stay safe out there!

Rhett Intriago, Feature Writer at iPhone Life
In This Newsletter

- 🗒️✅ Your Security Checklist
- 🏆🎖️ Test Your Security Skills
- 📰 Your Weekly Security Update
- 🤨 This Should Be on Your Radar 📡
- 🙈 Security Fail of the Week 👎
- 🍎📱 Security Updates from Apple 🍎

🗒️✅ Your Security Checklist

If you take nothing else from this newsletter, just do these three things to protect yourself:

- Enable multi/two-factor authentication for any accounts that support it. The Passwords app has a built-in authenticator app to make it easy to generate 2FA codes.
- Check for camera and microphone access in the status bar. If you ever see a green or orange dot in your iPhone’s status bar, it indicates an app recently used your camera or microphone. If you recently used FaceTime or a similar app, there’s no cause for concern, but if you didn’t recently use your microphone or camera, there may be an app using them without you noticing.
- Turn off app-tracking permissions. Apps will sometimes ask for permission to track your activity outside the app, but you can disable app tracking completely.

🏆🎖️ Test Your Security Skills

What should you do in the following scenario? You made a new friend online, and you get along very well. They share the same values as you and are interested in the same things as you. One day, your new friend tells you about some medical issues they are having and shares that they are unable to pay for the procedure they need. What do you do? 🤔

- Send them money to help pay for the procedure.
- Ask them for a video call first to verify their identity.
- Stop all contact with them.
- Direct them to medical bill assistance resources.

Scroll to the bottom to see how you did!
Doorbell Cameras & Mass Surveillance

Ring’s Super Bowl commercial advertised a new feature called Search Party, which is used in the ad to help locate a lost dog. In the ad, the user simply uploads a photo of their missing dog, which prompts all Ring cameras in the area to activate and use AI to search for the dog. Of course, Ring tries to sell this as a wholesome feature only for finding lost pets, but in reality, the company demonstrated that it can turn its cameras into a mass-surveillance tool with the push of a button. You can read more about Search Party and its potential for misuse at 404 Media.

In a related story, the FBI recently released images of a suspect in the disappearance of Nancy Guthrie, taken from Guthrie’s Nest doorbell camera. Interestingly, it was previously reported that Guthrie did not have a Nest subscription, which meant that while the camera may have captured footage of the possible assailant, the doorbell would not have retained the recording long enough for law enforcement to obtain it. Yet, Google, Nest’s parent company, has provided the agency with the footage anyway. While it’s, of course, a good thing that the FBI now has a solid lead thanks to this newly released footage, it does beg the question of how much data Google (and other smart home companies) retains when a user deletes it. Head over to The Verge for more on how the FBI obtained Guthrie’s doorbell footage.

The Bottom Line: Ring and Google are not exactly the most privacy-friendly companies, and Ring’s recent partnership with Flock only further demonstrates this. It would not be surprising if Nest adopts a feature like Ring’s Search Party, turning its own network of doorbell cameras into surveillance tools. Remember, if a camera network can be used to track a dog, it can be used to track a person—for legitimate or nefarious reasons. If you are looking for a doorbell camera, we definitely recommend against Ring and Nest. There are plenty of alternatives on the market, though there are not any that offer a level of privacy high enough for us to recommend.
🤨 This Should Be on Your Radar 📡

Avoiding Romance Scams

Valentine’s Day is tomorrow, and that means we’re likely to see a rise in romance scams. These types of scams involve scammers befriending their victims, either romantically or platonically, and eventually asking for money. Victims usually comply, believing that they are simply helping out a friend. Scammers will use social media to find out more about the victim to make befriending them easier, and the rise of artificial intelligence makes it harder to tell when you’re being scammed and when you’re actually making a friend. Kurt the CyberGuy (via Fox News) wrote a pretty useful guide to romance scams, which should help you navigate online relationships.

The Bottom Line: We highly recommend checking out the guide linked above for the best strategies for avoiding romance scams. In general, you should be wary of people you meet online, and never send money to anyone you haven’t met in person or haven’t known for very long.

Discord to Start Requiring Users to Verify Age

Discord has announced that it will be rolling out age-verification requirements beginning next month. Users will be able to verify their age either by submitting to a facial scan, which will be analyzed by AI to determine their age, or by uploading an image of their ID. Without verifying their age, users’ accounts will be set as teen accounts and will be unable to access age-restricted content. Discord claims that the data used to determine a user’s age never leaves the user’s device and will be deleted immediately after the age verification process is complete. However, who would trust a company that had 70,000 photo IDs stolen last October after requiring age verification in select countries?

Since the announcement, Discord users have expressed anger and frustration with the company’s choice to require age verification worldwide. In just two days, Google searches for “Discord alternatives” have jumped nearly 10,000% as users jump ship. In response, Discord has gone on the defensive, assuring users that most people will not need to verify their ages, as the company’s AI is able to determine most users’ ages without the facial scan or ID, which seems to imply that Discord’s AI is already analyzing user activity and possibly their messages to determine ages. That’s only speculation on our part, though, since the company has not specified how exactly its AI can identify a user’s age. It’s hard to know whether there is any truth to this hard backpedaling or if Discord is simply trying to stop bleeding users.

The Bottom Line: Age verification is always going to be messy. You have to be willing to trust private companies with a scan of your face or an image of your ID, and trust that it won’t ever be stolen in a data breach. We recommend avoiding sites and apps that require age verification if possible.
23andMe Class Action Lawsuit Settlement Reached

If you were a 23andMe customer in 2023, you might remember that the company was hit by a massive data breach that year, affecting nearly 7 million users. Last week, 23andMe reached a settlement in a class action lawsuit over the breach, which means anyone whose data was stolen in this breach may be able to submit a claim and receive compensation. For more details, head over to the settlement website.

The Bottom Line: To submit a claim, you will likely need a claim number. If you were affected by this breach, you likely have already received an email or letter with that claim number. Once you have that, go to the settlement website linked above and submit your claim by February 17.

iOS Spyware Disables Camera & Microphone Indicators

Have you ever seen a green dot or orange dot in the status bar of your iPhone? These dots indicate when an app has recently used (or is currently using) your camera or microphone. Apple added this feature so that no app could ever secretly spy on users without them knowing. However, a spyware called Predator now has the capability to disable these dots, making it possible for threat actors to spy using an iPhone’s camera and microphone without the user ever knowing. To make matters worse, Predator is a zero-click spyware, meaning it can infect iPhones with no interaction from the user. You can read more at The Record, or check out Jamf’s deep dive into Predator.

The Bottom Line: Predator is primarily used for government spying and corporate espionage. It is highly unlikely to be used against ordinary citizens and is only a threat if you are a high-profile individual, such as a journalist, activist, politician, etc. Like most spyware, Predator cannot persist through a reboot, so restarting your iPhone is a good way to disrupt it. You can also enable Lockdown Mode to help prevent infection by most spyware, though this is only necessary if you are under constant threat of cyberattack.
Homeland Security Investigating Social Media Accounts

The US Department of Homeland Security has been working to uncover the identities of social media account owners across Instagram, Google, and even Reddit. The DHS has been relying on administrative warrants to obtain personally identifiable information from tech companies, such as email addresses, when and where a user logs in, or what device they are using. Notably, the agency appears to only be targeting individuals who post immigration resources, are critical of the government, or organize protests. According to TechCrunch, Meta would not confirm or deny whether or not it had given the DHS access to the data the department requested.

The Bottom Line: Posting legal resources or criticizing the government should not warrant a response from law enforcement agencies. However, this story highlights once again that you should be careful about what you share publicly on social media.

TikTok Can Track Your Activity Even If You Don’t Use It

Did you know companies like Google and Meta can track you even if you don’t have an account with them or use their apps? They do this using tracking pixels, tiny, invisible trackers embedded in web pages, which track your activity on that page. The BBC asked a cybersecurity analyst to look into TikTok’s tracking pixel and found that it is as invasive as Google’s and Meta’s, if not more so. The analyst found that TikTok collected not just his activity on webpages totally unrelated to the social media platform, but his email address, too. Read more about TikTok’s tracking practices at the BBC.

The Bottom Line: The best way to combat tracking pixels is by using privacy-focused web browsers like DuckDuckGo, Firefox, or Safari. You can also prevent tracking pixels from collecting your information by using ad-blocking browser extensions like uBlock Origin, though we generally recommend against installing extensions if they can be avoided.
🙈 Security Fail of the Week 👎

AI Coding Tool Vulnerable to Cyberattack

Vibe coding is a trend that has become increasingly popular as artificial intelligence becomes more advanced. Vibe coding allows inexperienced programmers and developers to provide AI with a concept for a website or app, and the AI will do all of the coding by itself. One of the most popular vibe coding tools is OpenClaw. A threat intelligence team at SecurityScorecard has found that over 135,000 instances of OpenClaw are “internet-exposed,” meaning hackers and other malicious actors could use vulnerabilities in OpenClaw to access other files on the user’s computer. You can read more about OpenClaw’s vulnerabilities and how to fix them at The Register.

The Bottom Line: Replacing programmers and developers with artificial intelligence is a good way to leave oneself vulnerable to cybersecurity threats. Sacrificing cybersecurity for the convenience that AI offers is never worth it.
🍎📱 Security Updates from Apple 🍎

Everything you need to know about Apple’s latest software updates.

- The most recent iOS and iPadOS is 26.3
- The most recent macOS is 26.3
- The most recent tvOS is 26.3
- The most recent watchOS is 26.3
- The most recent visionOS is 26.3

Read about the latest updates from Apple.
Security Skills Answer

The correct answer is C. Stop all contact with them. It also wouldn’t necessarily hurt to direct them to medical bill assistance resources. If they truly are in need of assistance, it could help. However, in all likelihood, in the scenario as described, you are dealing with a romance scammer who is perfectly healthy and simply after your money. The best solution is to block them and avoid any future contact.

Mission Statement

There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.