Chuck's Cyber Wall
As most of us know, when you order something off the internet, you get Site Notifications – these are the alerts that tell us the delivery driver is close or the package has arrived. With a growing trend towards online shopping over the past decade, whether we’re actually making purchases online or looking for the best prices, we’re increasingly going to the internet to buy stuff.
While we’re more aware of security threats than ever before, cybercrime damage costs are expected to land well above the $8 trillion annual estimate. We’ve also seen an explosion of security integration. Businesses across the world are addressing security concerns and implementing protections for themselves and their customers.
But that doesn’t mean they always have your best interests at heart.
If you’ve gone to a retail website recently, whether on a mobile device or from your computer, you’ve seen that a great deal of them are asking you to approve notifications. Some of these are fairly benign and often helpful. For example, location notifications help with GPS, display local store inventories, and provide information relevant to businesses close to you. As helpful as this might be, it’s still important to be judicious when allowing these notifications.
Before we move forward, you should know that almost all apps on mobile devices collect and transmit information about your location. Also, turning off these features can make it much more difficult for you to be located when calling emergency services such as 9-1-1 and will affect the usefulness of GPS and mapping programs. Yes, having your location exposed carries an inherent risk that has been addressed by both the FBI and NSA, as well as numerous cybersecurity firms. That being said, the majority of us are still going to keep these services active on our devices, just for the sake of convenience.
Okay, having established that site location is useful enough to most of us that we’re likely to continue using it, that doesn’t mean you have to allow everyone to track you. When you allow access to your location, information about your IP address and nearby access points is gathered and sent to a geolocation service provider who provides the actual location estimation to the website requesting it.
Web browsers typically encrypt this information and use random client identifiers that expire after two weeks, but this is not true for all websites or mobile phone applications.
There’s been a great deal of chatter about push notifications in cybersecurity circles for the past few years. Most of us will agree that this is a feature that has long been asking to be abused, and now we’re there. As is the case with most software used for scamming, how things are said matters. While efforts are made to ensure location tracking protects privacy (as much as possible), those that push information to you are far less trustworthy.
So, what is a Push Notification?
These are pop-up windows sent by a webpage or app asking you to click “allow” for various reasons. Apps often include this as part of the install process, where permissions accessed could include access to your contacts, camera, location, microphone, etc. On the computer or in web browsers, you may be prompted to “allow” to watch a video, receive notifications, or read an article. You should probably be asking yourself, why does a game on my phone or a funny cat video need this information?
Much of the push notification software is written by companies that pay website owners and app developers to use their software. The push notification software will usually provide clients with some analytics information. Yet everything it gathers is transmitted back to the company that wrote the software and is often sold online to marketing firms and, of course, scammers and hackers. Most website owners and app developers don’t really know how much data is being gathered about their customers. Likewise, most users don’t fully grasp what they’re consenting to when they allow these notifications.
A recent study of push notification software has shown that approving notifications allows the company’s advertising partners to display whatever message they want in your browser, whenever they want, and in real time. These messages often include misleading notifications about security risks, ads for dating sites, online medications, and fake investment opportunities, to name but a few. In addition, some of these notifications can be used for credential phishing, malware installation, and other security threats.
Even if you turn off all the options on your mobile devices, you will still see push notifications on some websites and when installing apps. There are options to turn off notifications in most web browsers under the Privacy and Security headers, but when it comes to apps, the only thing we can do is pay attention to what information they ask for and only allow those necessary for the app to function.
Since we already established that removing all tracking abilities from our devices is probably something we’re not going to do, how can you stay safe?
Be security conscious and aware. Only allow notifications from sites that you trust or with whom you often do business. I spend a lot of time at Home Depot and find it very convenient that my searches pull up the location nearest to me, so allowing them to access my location works for me. That being said, anytime I receive a request to Show Notifications, my first instinct is to click “Block” on that notification.
That should be your first instinct as well.
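One way to review which sites you have already allowed, as an added example that is not part of the original article: the script below lists every site holding an "allow" grant for notifications or location that is not on your own trusted list. It assumes the JSON layout of a Chromium-based browser's profile `Preferences` file (setting values 1 = allow, 2 = block, 3 = ask); the sample data and host names are constructed.

```python
import json
from urllib.parse import urlsplit

ALLOW, BLOCK = 1, 2  # assumed Chromium content-setting values (3 = ask)

# Constructed sample mirroring the assumed layout of a profile "Preferences" file.
SAMPLE_PREFS = json.dumps({"profile": {
    "default_content_setting_values": {"notifications": 3},
    "content_settings": {"exceptions": {
        "notifications": {
            "https://shop.example:443,*": {"setting": 1},
            "https://free-video.example:443,*": {"setting": 1},
            "https://news.example:443,*": {"setting": 2},
        },
        "geolocation": {"https://shop.example:443,*": {"setting": 1}},
    }},
}})

def host_of(pattern):
    """Extract the host from an 'origin,embedder' permission key."""
    origin = pattern.split(",", 1)[0]
    try:
        return (urlsplit(origin).hostname or origin).lower()
    except ValueError:  # wildcard patterns that are not valid URLs
        return origin.lower()

def audit_permissions(prefs_text, trusted_hosts,
                      kinds=("notifications", "geolocation")):
    """Return sorted (kind, host) pairs that are allowed but not trusted."""
    profile = json.loads(prefs_text).get("profile", {})
    exceptions = profile.get("content_settings", {}).get("exceptions", {})
    findings = []
    for kind in kinds:
        for pattern, entry in exceptions.get(kind, {}).items():
            if isinstance(entry, dict) and entry.get("setting") == ALLOW:
                host = host_of(pattern)
                if host not in trusted_hosts:
                    findings.append((kind, host))
    return sorted(findings)

def prompts_blocked_by_default(prefs_text, kind="notifications"):
    """True when the profile blocks new permission prompts of this kind."""
    profile = json.loads(prefs_text).get("profile", {})
    return profile.get("default_content_setting_values", {}).get(kind) == BLOCK

if __name__ == "__main__":
    for kind, host in audit_permissions(SAMPLE_PREFS, {"shop.example"}):
        print(f"review: {host} is allowed {kind}")
    print("notification prompts blocked by default:",
          prompts_blocked_by_default(SAMPLE_PREFS))
```

To run it against a real profile, pass the text of a copy of the `Preferences` file in place of `SAMPLE_PREFS`, along with the set of hosts you actually do business with.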
Director of Cybersecurity and Marketing
I’ve always had a love of working with technology, being fortunate enough to have grown up with a grandfather who taught me how to fix things for myself and not be afraid to jump in and get my hands dirty. Over the last three decades, I’ve worked as a technician, trainer, technical writer, and manager in small businesses, enterprise organizations, and government. In addition, I’m an author, having published multiple works available online and in print. You can find my creative work at https://WritingDistracted.com