
Strangers "pulling groups" to send red envelopes? You have to be careful! Be wary of this new social software scam

In the smartphone era, online social networking is always within reach. "Pulling into a group" has gradually become a common way for many people to communicate online. Usually this happens between people who know each other, but recently in Hunan, Shandong, Beijing and other places, strangers have been "pulling groups" and handing out welfare. Some users really did grab welfare in groups that strangers had pulled them into, but behind this free "welfare" lies a hidden trap.

Strangers "pull groups" to send red envelopes: behind the "welfare" is a trap

In November, the Toyota police station in Xinning County, Hunan Province, received a report. The reporting party, Xiao He, said that while using an app called DingTalk he was pulled into a "welfare group" by a stranger and then defrauded.


Victim Xiao He: I was inexplicably in a DingTalk group. I did not receive any verification message about him adding me as a friend or inviting me to join the group. Then there was a person in that group sending red packets, and I clicked on the red packet to see whether it was really a red packet.

Although Xiao He had ended up in a group of people he did not know, the red envelope he grabbed was real. Xiao He asked in the group what kind of group it was, and someone soon replied.


Victim Xiao He: Another person in the group said that you can do order-brushing tasks. He gives us a URL and has you go to the URL to download an app called "Letter" and do tasks there, and you can earn from 100 to 300 a day.


Xiao He downloaded the app recommended in the DingTalk group. After registration, someone quickly got in touch online and told Xiao He that recharging would raise the account level, and that the higher the level, the higher the commission on each brushed order. Xiao He then "recharged" 43776 yuan over four payments, only to find after the fourth recharge that the order-brushing app recommended in the DingTalk group no longer worked normally.

Victim Xiao He: I sent a message to the so-called "teacher", and then he kicked me out of the group, and I could not even log in to the (order-brushing app) account, and then I called the police.


Ms. Li of Zibo, Shandong Province, also suffered the same style of scam in November as Xiao He in Hunan. A stranger pulled Ms. Li into a DingTalk group and then sent out a red envelope; Ms. Li clicked and grabbed 3.99 yuan. The person who sent the red envelope then said there would be many more benefits to come and that everyone should not leave the group. Later, Ms. Li was also guided to download a so-called order-brushing app and was then encouraged to recharge.

On one side Ms. Li kept recharging; on the other, the money she had transferred out could not be withdrawn. After recharging 38,000 yuan, Ms. Li suddenly realized what was happening and called the police. The case is currently under further investigation.

Being "pulled" into social app groups without permission poses a security risk

Exploiting the "earn money lying down" mentality around online order brushing to commit online fraud is not a new routine, but the recent cases show criminals using social apps to actively "pull groups", with victims forced into groups and then deceived. Scammers come to the door on their own initiative and can pull victims into a group without their consent. What kind of setting problem does such a social app have that lets criminals exploit the loophole? Let's take a look.

On DingTalk's official website, the reporter saw the software described as an intelligent mobile office platform used by "500 million users and 19 million organizations". The reporter downloaded the DingTalk app and registered with a mobile phone number. In the app interface, the reporter saw an "initiate group chat" function: the platform gives ordinary users channels to build groups through "mobile phone number addition", "face-to-face group", "sweep" and "mobile phone contact". In addition, the platform also gives users a "new organization" way to pull a group.


In the "Contacts" menu at the bottom of the DingTalk app's main interface, the reporter found the option "create enterprise / organization / team". The reporter entered random information and created an "enterprise organization", after which the page showed an "add members" option. Following the steps recommended by the platform, the reporter entered two mobile phone numbers at random and named the members VV and CC, and the page reported that the group had been created successfully. On entering the group, the reporter found that the two members just added were already in it; their consent had not been required.

Without user confirmation, the DingTalk app lets strangers build groups and pull people into them. What is the purpose of such a setting, and is it a security vulnerability? The reporter tried to contact DingTalk officially, but on calling the manual customer service number given in the 2019 version of its privacy notice, heard a prompt that the number was suspended.


Following the 2021 version of its privacy notice, the reporter contacted the DingTalk app's online customer service. The customer service replied in writing that the DingTalk app can add employees by searching for mobile phone numbers, with the purpose of making it easier for enterprises to add employees. Users who do not accept this can turn on the "Require verification when teams add me" feature in the user settings.


Under further questioning, the reporter learned that although the DingTalk app gives users the option to turn on "Require verification when teams add me", the function is turned off by default. The reporter told DingTalk customer service that this setting poses a security risk, but the other party gave no direct reply.

Cybersecurity protection cannot be sacrificed for the sake of so-called "convenience"

The reporter downloaded the DingTalk app separately on Apple and Android systems and found that the "Require verification when teams add me" setting is off by default on both operating systems. That is, a user who does not know to turn this function on before using the DingTalk app may be pulled into groups by strangers.

Some legal scholars said that online social platforms should regard user information security as the bottom line, and cannot sacrifice network security protection for the so-called "convenience".

The reporter found through an online search that some DingTalk users have recently left messages on the Internet saying they had been pulled into groups by strangers. Xiao Chen in Chengdu, Sichuan, was recently pulled into a DingTalk group by strangers. When she saw someone post an order-brushing advertisement, she became wary and reminded everyone in the group not to be deceived, but she was kicked out of the group as soon as the message was sent. She then reported this to the DingTalk app through online customer service. When she asked why she had been pulled into a group by strangers, customer service sent a screenshot saying that Xiao Chen could turn on "Require verification when teams add me" in the settings to refuse being pulled in by others. When Xiao Chen asked why the app did not prompt about this function at installation and why it was turned off by default, DingTalk app customer service replied: "If everyone turned on this group-pull verification function, it would seriously increase the cost of communication, so it is better not to turn it on directly by default."


In DingTalk's privacy policy, the reporter also found the following description: "For enterprise organization users to use DingTalk as an online mobile office, communication and collaboration tool, they have the right to act as a personal information processor on behalf of the enterprise organization to process your personal information as an end user, including entrusting DingTalk to the administrator to open, manage and use DingTalk services to achieve online mobile office."

In order to reduce communication costs, a group manager can by default "pull the group" without the other party's consent. Is there a problem with such a setting? Some legal scholars said the setting runs contrary to the requirements of laws and regulations such as the Cybersecurity Law.


Chen Yinjiang, deputy secretary-general of the Consumer Rights and Interests Protection Law Research Association of the China Law Society: As an operator of online social software, you should inform consumers in advance, before providing services, of your trading rules, especially those involving important user interests, such as information related to users' security. You should let consumers make an autonomous choice with full knowledge, rather than automatically opening some of my permissions, especially permissions that may cause security risks to me, and leaving my security completely in a laissez-faire state, which will lead to my personal security being violated.

The Civil Code implemented this year also clearly stipulates that no organization or individual may infringe on the privacy rights of others by means of spying, intrusion, leakage, disclosure and the like. Regarding the function the reporter personally tested, in which any stranger's mobile phone number can be looked up in the "DingTalk" app and that stranger pulled into a group without consent, some legal scholars pointed out that the app's function setting is suspected of violating the law and needs to be dealt with promptly to avoid further damage to users' interests.


Zhu Wei, deputy director of the Communication Law Research Center of China University of Political Science and Law: There is a problem with this setting itself. If the party does not agree, how can they pull him into a group? This infringes on his life safety and his right not to be disturbed. Network security is the basis of the efficiency of all Internet development. If the problems of trust and security are not solved as a basis, it is impossible to expand this interconnectivity, nor can this social attribute be placed above network security.
