Amid rising concerns about China’s growing international data collection apparatus, a newly divided US Congress is applying fresh scrutiny to the possibility that imported Chinese technology could be a Trojan horse.
In a letter to the US National Highway Traffic Safety Administration, shared exclusively with WIRED, Representative August Pfluger asks some tough questions as to whether Washington is really prepared for the security threat posed by the coming influx of Chinese-made smart and autonomous vehicles (AVs) to the United States.
“I remain concerned that a lack of US oversight in AV technology has opened the door for a foreign nation to spy on American soil, as Chinese companies potentially transfer critical data to the People’s Republic of China,” Pfluger writes.
While AV technology may be some years away from widespread commercial use, pilot projects are already on the roads around the world. As of earlier this year, more than 1,000 AutoX autonomous taxis were on the roads in California. AutoX, a Chinese startup backed by one of the largest state-owned car companies in the communist country, was granted approval by California in 2020.
As American regulators have green-lit those test projects, Pfluger writes, “there remains a serious lack of oversight regarding their data governance.”
Earlier this year, WIRED reported on the mounting national security issues posed by Chinese-made vehicles. The massive trove of data being collected by these cars could give adversarial states an unprecedented vantage point into the United States and other Western nations. Beijing has already pioneered the use of big-data analytics to identify dissidents at home, and concerns have mounted that those tactics could be deployed abroad.
Pfluger submitted a detailed list of questions to the National Highway Traffic Safety Administration (NHTSA), which regulates the use of AVs, and asked the regulator to explain how it has vetted the national security risk posed by these Chinese companies.
“Has NHTSA worked independently, or in collaboration with cities or other local governments to limit or prevent Chinese-owned companies from collecting sensitive information from American infrastructure, including information about sensitive government or military facilities, and subsequently sharing such information abroad?” Pfluger writes.
China has certainly had that anxiety about American-made smart and electric vehicles. Earlier this year, for example, Beijing placed firm restrictions on where Teslas could drive, particularly around military installations, amid high-level Communist Party meetings.
Pfluger highlights in his letter that China could use “autonomous and connected vehicles as a pathway to incorporate their systems and technology into our country’s infrastructure.” The United States, like most of its allies, has already banned Chinese corporate giant Huawei from building 5G infrastructure, but these next-generation vehicles would have access to an unprecedented number of emails, messages, and phone calls, and would effectively be moving cameras, capable of photographing an array of critical infrastructure.
As Homeland Security secretary Alejandro Mayorkas told a House committee last week, there are “perils of having communications infrastructure in the hands of nation-states that don’t protect freedoms and rights as we do.” FBI director Christopher Wray warned that China has stolen more data from the United States than all other nations combined, through “increasingly sophisticated, large-scale cyber espionage operations against a range of industries, organizations, and dissidents in the United States.”
“Twitter has seemingly neglected security for a very long time, and with all the changes, there is risk for sure,” says David Kennedy, CEO of the incident response firm TrustedSec, who formerly worked at the NSA and with the United States Marine Corps signal intelligence unit. “There’s a lot of work to be done to stabilize and secure the platform, and there is definitely an elevated risk from a malicious insider perspective due to all the changes occurring. As time passes, the probability of an incident lowers, but the security risks and technology debt are still there.”
A breach of Twitter could expose the company or users in myriad ways. Of particular concern would be an incident that endangers users who are activists, dissidents, or journalists under a repressive regime. With more than 230 million users, a Twitter breach would also have far-reaching potential consequences for identity theft, harassment, and other harm to users around the world. And from a government intelligence perspective, the data has already proved valuable enough over the years to motivate government spies to infiltrate the company, a threat the whistleblower Zatko said Twitter was not prepared to counter.
The company was already under scrutiny from the US Federal Trade Commission for past practices, and on Thursday, seven Democratic senators called on the FTC to investigate whether “reported changes to internal reviews and data security practices” at Twitter violated the terms of a 2011 settlement between Twitter and the FTC over past data mishandling.
Were a breach to happen, the details would, of course, dictate the consequences for users, Twitter, and Musk. But the outspoken billionaire may want to note that, at the end of October, the FTC issued an order against the online delivery service Drizly along with personal sanctions against its CEO, James Cory Rellas, after the company exposed the data of roughly 2.5 million users. The order requires the company to have stricter policies on deleting information and to minimize data collection and retention, while also requiring the same from Cory Rellas at any future companies he works for.
Speaking broadly about the current digital security threat landscape at the Aspen Cyber Summit in New York City on Wednesday, Rob Silvers, undersecretary for policy at the Department of Homeland Security, urged vigilance from companies and other organizations. “I wouldn’t get too complacent. We see enough attempted intrusions and successful intrusions every day that we are not letting our guard down even a little bit,” he said. “Defense matters, resilience matters in this space.”
Dan Tentler, a founder of the attack simulation and remediation firm Phobos Group who worked in Twitter security from 2011 to 2012, points out that while current chaos and understaffing within the company does create pressing potential risks, it also could pose challenges to attackers who might have difficulty in this moment mapping the organization to target employees who likely have strategic access or control within the company. He adds, though, that the stakes are high because of Twitter’s scale and reach around the world.
“If there are insiders left within Twitter or someone breaches Twitter, there’s probably not a lot standing in their way from doing whatever they want—you have an environment where there may not be a lot of defenders left,” he says.
Following two weeks of extreme chaos at Twitter, users are joining and fleeing the site in droves. More quietly, many are likely scrutinizing their accounts, checking their security settings, and downloading their data. But some users are reporting problems when they attempt to generate two-factor authentication codes over SMS: Either the texts don’t come or they’re delayed by hours.
The glitchy SMS two-factor codes mean that users could get locked out of their accounts and lose control of them. They could also find themselves unable to make changes to their security settings or download their data using Twitter’s access feature. The situation also provides an early hint that troubles within Twitter’s infrastructure are bubbling to the surface.
Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism. But users have been self-reporting issues on Twitter since the weekend, and WIRED confirmed that on at least some accounts, authentication texts are hours delayed or not coming at all. The meltdown comes less than two weeks after Twitter laid off about half of its workers, roughly 3,700 people. Since then, engineers, operations specialists, IT staff, and security teams have been stretched thin attempting to adapt Twitter’s offerings and build new features per new owner Elon Musk’s agenda.
Reports indicate that the company may have laid off too many employees too quickly and that it has been attempting to hire back some workers. Meanwhile, Musk has said publicly that he is directing staff to disable some portions of the platform. “Part of today will be turning off the ‘microservices’ bloatware,” he tweeted this morning. “Less than 20 percent are actually needed for Twitter to work!”
Twitter’s communications department, which reportedly no longer exists, did not return WIRED’s request for comment about problems with SMS two-factor authentication codes. Musk did not reply to a tweet requesting comment.
“Temporary outage of multifactor authentication could have the effect of locking people out of their accounts. But the even more concerning worry is that it will encourage users to just disable multifactor authentication altogether, which makes them less safe,” says Kenneth White, codirector of the Open Crypto Audit Project and a longtime security engineer. “It’s hard to say exactly what caused the issue that so many people are reporting, but it certainly could result from large-scale changes to the web services that have been announced.”
SMS texts are not the most secure way to receive authentication codes, but many people rely on the mechanism, and security researchers agree that it’s better than nothing. As a result, even intermittent or sporadic outages are problematic for users and could put them at risk.
Twitter’s SMS authentication code delivery system has repeatedly had stability issues over the years. In August 2020, for example, Twitter Support tweeted, “We’re looking into account verification codes not being delivered via SMS text or phone call. Sorry for the inconvenience, and we’ll keep you updated as we continue our work to fix this.” Three days later, the company added, “We have more work to do with fixing verification code delivery, but we’re making progress. We’re sorry for the frustration this has caused and appreciate your patience while we keep working on this. We hope to have it sorted soon for those of you who aren’t receiving a code.”
That means it will be very difficult for the thieves to abscond with their profits in a spendable form without being identified, says Michelle Lai, a cryptocurrency privacy advocate, investor, and consultant who says she’s been tracking the movements of the stolen FTX funds with “morbid fascination.” But the real question, Lai says, is whether identifying the thieves will offer any recourse: After all, many of the most prolific cryptocurrency thieves are Russians or North Koreans operating in non-extradition countries, beyond the reach of Western law enforcement. “It’s not a question of whether they’ll know who did it. It’s whether it will be actionable,” says Lai. “Whether they’re onshore.”
In the meantime, Lai and many other crypto-watchers have been closely eyeing one Ethereum address that is currently holding around $192 million worth of the funds. The account has been sending small sums of Ethereum-based tokens—some of which appear to have little to no value—to a variety of exchange accounts, as well as Ethereum inventor Vitalik Buterin and Ukrainian cryptocurrency fundraiser accounts. But Lai guesses that these transactions are likely meant to simply complicate the picture for law enforcement or other observers before any real attempt to launder or cash out the money.
The pilfering of FTX—whether the theft totals $338 million or $477 million—hardly represents an unprecedented haul in the world of cryptocurrency crime. In the late-March hack of the Ronin bridge, a gaming cryptocurrency exchange, North Korean thieves took $540 million. And earlier this year, cryptocurrency tracing led to the bust of a New York couple accused of laundering $4.5 billion in crypto.
But in the case of the high-profile FTX theft and the exchange’s overall collapse, tracing the errant funds might help put to rest—or confirm—swirling suspicions that someone within FTX was responsible for the theft. The company’s Bahamas-based CEO, Sam Bankman-Fried, who resigned Friday, lost virtually his entire $16 billion fortune in the collapse. According to an unconfirmed report from CoinTelegraph, he and two other FTX executives are “under supervision” in the Bahamas, preventing them from leaving the country. Reuters also reported late last week that Bankman-Fried possessed a “back door” that was built into FTX’s compliance system, allowing him to withdraw funds without alerting others at the company.
Despite those suspicions, TRM Labs’ Janczewski points out that the chaos of FTX’s meltdown might have provided an opportunity for hackers to exploit panicked employees and trick them into, say, clicking on a phishing email. Or, as Michelle Lai notes, bankrupted insider employees might have collaborated with hackers as a means to recover some of their own lost assets.
As the questions mount over whether—or to what degree—FTX’s own management might be responsible for the theft, the case has begun to resemble, more than any recent crypto heist, a very old one: the theft of a half billion dollars worth of bitcoins, discovered in 2014, from Mt. Gox, the first cryptocurrency exchange. In that case, blockchain analysis carried out by cryptocurrency tracing firm Chainalysis, along with law enforcement, helped to pin the theft on external hackers rather than Mt. Gox’s own staff. Eventually, Alexander Vinnik, a Russian man, was arrested in Greece in 2017 and later convicted of laundering the stolen Mt. Gox funds, exonerating Mt. Gox’s embattled executives.
Whether history will repeat itself, and cryptocurrency tracing will prove the innocence of FTX’s staff, remains far from clear. But as more eyes than ever scour the cryptocurrency economy’s blockchains, it’s a surer bet that the whodunit behind the FTX theft will, sooner or later, produce an answer.
The proliferation of contactless payment options shifts how businesses interact with customers at the moment of purchase, from international retailers to local pop-up shops. But there’s no need to fret just yet if you enjoy buying stuff with cold, hard cash. Plastic cards are first on the chopping block.
“I’d suggest that the time is ripe to plan for plastic (and metal) cards to be sent to Shady Pines Retirement Home for the Tragically Overstayed Welcome,” wrote Nick Holland, global head of insights and networks at Money 20/20. During the group’s 2022 conference in October in Las Vegas, financial technology companies touting efficiency and seamless experiences were front and center, as plastic cards faded into the background.
Anyone who is on the fence about using their smartphone for contactless payments should check out Whitson Gordon’s case for adopting the technology. Convinced and need guidance setting up Apple Pay or Google Wallet? Apple and Google offer step-by-step instructions to guide you through that initial setup. After you link your cards to the mobile device and practice the necessary steps to complete purchases, here are a few tips to help you get the most out of smartphone wallets.
Don’t Forget About Phone-to-Phone Payments
You may be comfortable tapping your phone against a checkout terminal, but it might feel like a surprise the first time a business asks you to tap your phone to their phone. Smaller merchants, delivery companies, and take-out restaurants may continue to forgo traditional card terminals altogether as companies like Mastercard and Visa introduce features that use near-field communication chip technology to enable phone-to-phone payments. Similar to the Lightning port on the iPhone, the era of credit card readers plugged into smartphones is likely to come to an end.
Make Use of Virtual Card Numbers
Always look to see what your options are when it comes to virtual card numbers. For example, if you choose to get an Apple Card on your iPhone and the number leaks, it can be changed with just a couple of taps. Open your Wallet and tap on the Apple Card. In the top-right corner, select the card icon and choose the button that reads Request New Card Number. Virtual card numbers are not only useful for smartphone payments. Google added the option to use the security feature easily in your web browser.
Add More Than Just Payment Methods
Your debit card and credit card are likely the very first items you connect to your digital wallet. It doesn’t need to stop there! From boarding passes to proof-of-vaccine cards, digital wallets can hold so much more than just payments. It’s even possible to connect your health insurance card for easy access. (The main aspect of a physical wallet that a digital one can never replicate is providing me with a secret receptacle to hoard ancient receipts and scraps of paper.)
Keep a Little Cash on Hand
Even if you choose to use your mobile device instead of a plastic card for most in-person transactions, it still makes sense to keep a few dollar bills in your wallet. Just in case. Your smartphone might get wet and stop functioning. Also, not every store is set up to accept Apple Pay or Google Wallet. Some retailers even offer a small discount to customers who pay with cash.