Intego Mac Security Podcast

Apple has officially announced support for encrypted RCS messaging, as the new RCS standard is finalized. Microsoft announces plans to phase out Windows 10, the operating system a majority of its users are currently running. The FBI issues a warning about using online file converters. And Amazon will soon be listening to your Alexa conversations, whether you like it or not.

• Apple’s Passwords app was vulnerable to phishing attacks for nearly three months after launch
• Apple will soon support encrypted RCS messaging with Android users
• US Mac growth suggests Microsoft may have done Apple a huge favor
• Desktop Windows Version Market Share Worldwide
• FBI Denver Warns of Online File Converter Scam
• Are “corrupt my file” sites safe? Here’s why to avoid corrupt-a-file services
• Amazon is taking away the option of not sending voice recordings to the cloud
• Password reuse is rampant: nearly half of observed user logins are compromised

If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.

Intego Mac Premium Bundle X9 is the ultimate protection and utility suite for your Mac. Download a free trial now at intego.com, and use this link for a special discount when you’re ready to buy.

Get Apple security news delivered straight to your inbox, for free. Intego’s twice-monthly newsletter will keep you informed about Apple-related privacy and security, along with tips and tricks for getting the most out of your Mac or iPhone. Subscribe for free—no strings attached.

Transcript of Intego Mac Podcast 388

Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, March 20, 2025. This week’s Intego Mac Podcast security headlines include: Apple has officially announced support for RCS encryption as the new RCS standard is finalized. Microsoft announces plans to phase out Windows 10, the operating system a majority of its users are currently running. The FBI puts out a warning about using online file converters. And Amazon will soon be listening to your Alexa conversations, whether you like it or not. Now here are the hosts of the Intego Mac Podcast: veteran Mac journalist Kirk McElhearn and Intego’s Chief Security Analyst, Josh Long.

Kirk McElhearn 0:51
Good morning. Josh, how are you today?

Josh Long 0:53
I’m doing well. How are you, Kirk?

Un-patched Passwords app vulnerability allowed phishing attacks

Kirk McElhearn 0:55
I’m doing fine. We have an interesting news story about I’m trying to figure out the best way to say this, that Apple’s Passwords app—we’re linking to 9to5Mac—was vulnerable to phishing attacks for nearly three months after launch. This sounds like really, really serious to me, and yet this has been, I don’t know. This came out yesterday, and there have been a few articles about it, but no one seems to be saying that this is a big problem.

Josh Long 1:20
Well, I think there’s a couple of reasons for that. One, this was already patched. This is not like a brand new fix that Apple just came out with. This was patched in iOS 18.2 and we’re now up to what is it, 18.3.2, so this patch has been out for a little while, but the researchers who discovered this vulnerability published some research about it, and so that’s why just now we’re starting to hear more about this.

Kirk McElhearn 1:48
Can you tell me how this worked?

Josh Long 1:51
Okay, this is kind of braindead simple. This is like textbook 101 security stuff. What Apple was doing wrong is that they did not require you to use HTTPS to fill in your passwords. And so what would could potentially happen is that somebody on your Wi-Fi network—so imagine a scenario where you are using someone else’s Wi-Fi, and they have an elaborate system set up, because they specifically want to phish your, let’s say, PayPal credentials, and so they have a server set up at their house or on their business network or whatever, that is set up to look exactly like the PayPal website. And because you’re connected to their Wi-Fi, usually, by default, you’re using their DNS—which means that when your device goes to look up the actual numerical address for paypal.com then their Wi-Fi would report back to you, “here’s the address for paypal.com.” So your browser would actually be going to that IP address, which might be a server that they’ve maliciously designed to look like PayPal, and would actually be able to steal your credentials. So the whole fix for this is basically that Mysk, the organization that reported this to Apple, said, “Um, duh. You need to use HTTPS. You need to require HTTPS before you decide to fill in passwords.” And so that was the whole fix. Was Apple just had to say, “Oh yes, okay, we will check for HTTPS before we fill in passwords.”

Kirk McElhearn 3:35
Let me see if I understand this. I’m in Safari, and I go to a website to log in, and I load the page, and if it’s not an HTTPS, the Passwords app was still filling in the password, even though it should know that this is dangerous, that the password is not sent encrypted. Is that the problem here?

Josh Long 3:51
That’s pretty much it. So that’s that’s the whole vulnerability. And there’s very limited circumstances when somebody might have actually pulled off one of these types of attacks. This was more of a hypothetical. And hey, you should be following best practices here and making sure that you’re requiring HTTPS. Thankfully, Apple did fix this within a few months of the rollout of this new Passwords app.

Apple announces support for RCS encryption

Kirk McElhearn 4:18
Okay. Speaking of encryption, Apple has officially announced that they will soon support encrypted RCS messaging with Android users. I think it was more than a year ago that Apple said that they would support RCS messaging, which is the basic protocol that Google designed to lock phone carriers into buying software from Google so that they could use RCS. But RCS does provide more features between different messaging apps. And one of the problems if we go back two years when Google had this ad campaign about how, what was it, Android users had the green bubbles instead of the blue ones, like, that’s a big deal. Anyway, Apple initially said they’d support RCS, which they did, I believe, with iOS 18.1. And now the standards organization is working on, or has finalized, a standard for encrypted RCS messaging, so Apple will support this when it is available.

Josh Long 5:10
This has been, it feels like, kind of a long time coming. This was one of the things that Apple promised right off the bat, when the very first time that they ever said, we’re getting RCS, they said and we’re going to push for encryption be part of the standard. I think this was a good move, much better than Apple trying to adopt Google’s proprietary encryption layer that they add on to RCS with Google Messages. So this is definitely the much better way, to have it be part of the standard. It should have been that way in the first place. I’m kind of shocked, actually, that RCS didn’t have encryption built into the standard to begin with.

Kirk McElhearn 5:45
But that means that other messaging apps can also support this and become interoperable. So you won’t necessarily need Apple’s iMessage or Google’s Messages app.

Josh Long 5:54
This is a good thing for everybody. Other players can put out their own apps that will be perfectly interoperable with this new encrypted RCS standard. So this is a very good thing for everybody.

Microsoft to phase out Windows 10

Kirk McElhearn 6:05
We have a story from 9to5Mac which is kind of interesting if you’ve been paying any attention to Apple’s earnings, which we don’t really discuss too much. Mac shipments grew up last year, in the fourth quarter of last year, about 26% from the previous year, and a lot of this is due to the new lower price laptops that Apple’s released. And Apple has been iterating these devices a lot, and they just released a new inform MacBook Air at $100 lower. And it looks like that. This growth in Mac sales could suggest that, according to 9to5Mac Microsoft may have done Apple a huge favor.

Josh Long 6:42
Yeah, this is a really interesting way to frame this, but I can kind of see where they’re coming from. Now, I was a little bit skeptical at first, because I’m like, really like, I don’t, I don’t think that just people being upset over the discontinuation of Windows 10, which is what they’re getting into here. They’re saying October 14 2025 is going to be the cut off date, unless Microsoft decides to move it again, which they’ve done things like this in the past, where they’ve given a hard cut off and then there’s been enough pressure that they’ve kicked the can down the road a little bit further. But as of right now, Microsoft is saying that october 14 of this year is going to be the last day that they will ever offer any Windows 10 updates for free to anybody. So if you want continued security updates after that, then you’re going to have to pay for it.

Kirk McElhearn 7:35
It’s interesting that you say for free, because as Mac users and Apple device users, we always get updates for free and operating systems for free, and Microsoft doesn’t do that.

Josh Long 7:44
I’ve always been a little bit uncomfortable with the way that Microsoft chooses to do this, but once you get to this cut off date, Microsoft says, Well, you can pay us for extra years of support if you want to continue to get security patches for that thing that we say that we’re not providing security patches for you can actually just pay us a bunch of extra money every year, and we’ll continue to offer security updates for a year or two or three or however many they decide to go. So what’s I think it’s really important to take a step back here and look at what the actual Windows market share is right now.

Kirk McElhearn 8:25
Yeah, you gave me this number before, and I was really surprised.

Josh Long 8:28
Almost 59% of Windows PCs are running Windows 10, this operating system that’s getting cut off, and the number two is Windows 11, way down at about 38%.

Kirk McElhearn 8:40
That’s an interesting number, 59% because you could say that it’s more than half or almost two thirds, but it’s a huge number. And 59 compared to 38 is, what, 50% more, are still using Windows 10. Now there are a lot of reasons for this, because the majority of Windows PCs are used by businesses that don’t want to upgrade. They don’t want to upgrade their software, they may not be able to upgrade because of the hardware. So they’re using 10-year-old computers that can run Windows 10 fine, but they can’t run Windows 11.

Josh Long 9:10
This is a really good point, because one of the things that Windows 11 did, very controversially, was they started requiring newer hardware than they’ve ever really required in the past. Previous versions of Windows typically will run on very old machines. And in fact, I mean, technically, there are some ways that you can kind of hack Windows 11 to get it to run on older hardware than it officially supports. But Microsoft has decided that, well, we’re going to now require you to have this particular version of the Trusted Platform Module. And so that means that your hardware needs to be basically this year or newer. And so they don’t really go back all that many years—a bit ironically for Microsoft, which always had been supportive of very old hardware in the past. Now they’re shifting toward a more Apple-like approach, where they’re essentially telling you your machine needs to be roughly, well, let’s call it five years old or newer to continue using the latest operating system. It’s kind of funny to see Microsoft making that shift.

Kirk McElhearn 10:20
I think another way to look at it is, you know, there’s a lot of inertia in the business PC market. And since the arrival of Apple’s M series processors in late 2020 the battery life in laptops has been really good. These are computers that are very fast, that are not that expensive, and maybe that the businesses have finally caught up. You know, you’ve got 10,000 laptops for employees, and maybe you didn’t want to upgrade them in the end of 2020, but in 2023, 2024, you started thinking, “These are old Windows 10 laptops.” Again, a new Apple laptop for whatever cost is for businesses when they’re buying in bulk, the latest MacBook Air starts at $999 which is, well, the first M1 MacBook Air was $999 then the price went up, and now it’s going back down. And this could be Apple targeting this sort of market for the laptop.

Josh Long 11:11
I think one of the key points here is that the techies who are helping to influence these decisions are able to look at things from a little bit different perspective now. Because once upon a time, you could just continue to use that old hardware, and as long as it was kind of still working for you, you could get by with using, you know, a potentially 6, 7, 8-year-old computer pretty easily and and beyond, with the latest operating system, or at least one that was still getting patches. And, well, that may not necessarily be the case anymore going forward with Windows. But on the Apple side, it’s kind of always more or less been that way. And so, you know, if you really like Apple hardware, and you know, maybe you like Apple’s operating systems, for certain business scenarios, that that might make more sense for you to just switch to Apple.

Kirk McElhearn 12:00
One other thing that I’m thinking of is laptops in particular. So for mobile employees, they probably don’t have any vertical apps, in other words, made for the industry or for this specific business. The people using these devices are probably using the web browser for everything. So they don’t necessarily need a Windows PC. They can’t really go to a Chromebook because it doesn’t have enough power and battery life. But if everything’s in the web browser, if all these services and access to email and to company data is in a web browser, you don’t need any fancy computer.

Josh Long 12:34
Well, it’s funny you mentioned Chromebooks, because I was actually going to say, well, the real secret is, if you’re going to do everything in a browser anyway, you could probably just get a Chromebook, which is way cheaper than a MacBook, but okay.

Kirk McElhearn 12:44
But they don’t have the battery life and there are other limitations.

Josh Long 12:49
Sure, it really does depend on what exactly you’re gonna be using your computers for. If literally all you’re doing is stuff in a web browser, like checking email or, you know, you’re using Google Docs, or maybe even Office 365, you can do that in a browser too. So for a lot of different work tasks, for kind of an average employee, you’re probably spending at least 90% of the time in the browser anyway. And so maybe for some people, you don’t even really need a Mac anymore. However, I will say that obviously there are a lot of advantages to using an Apple computer, not the least of which is all kinds of Apple-specific technologies like AirDrop and things that make it really convenient to be able to take work that you are working on on your phone and bring it over to your Mac or vice versa. It’s really, really nice to have some of those interoperabilities that Apple offers.

Kirk McElhearn 13:44
All right, we’re gonna take a break. When we come back, we’ll talk about some new scams and more.

Voice Over 13:50
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware, and much more to help protect, secure, and organize your Mac. Download a free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego: world-class protection and utility software for Mac users, made by the Mac security experts.

FBI warns against using online file conversion apps

Kirk McElhearn 15:02
It’s not often that the FBI warns people about online scams, even less often than I think the FBI in Denver warns people, but the Denver FBI came out with a warning about using online file converters. Now there are lots of file converters online. You could convert a certain type of image file to another type of image file. You could make it bigger or smaller. You can upload a bunch of files and have them converted into a PDF. You can upload a PDF to have the pages split. You can do all sorts of things like that. The Denver FBI field office is warning that agents are increasingly seeing a scam involving free online document converter tools. Basically, people are uploading documents with personal information, their social security number, their banking information, cryptocurrency wallets, email addresses and passwords, and they don’t realize that. Well, the FBI says they don’t realize they’ve been affected by malware. But that’s not it. It’s that these websites are actually collecting this data. You should not send personal data to anyone like that that you don’t know, particularly some random website, which is probably in China anyway.

Josh Long 16:05
I think the real important takeaway here is that you don’t know what whatever random website is going to be doing with your data. Very often, these websites either don’t have a privacy policy, or if they do, the privacy policy might even tell you what they’re allowing themselves to do with anything that you submit to them. I wrote an article a while back called, “Are corrupt-my-file sites safe?” And if you can believe this—I don’t know if you remember this; this was a few years ago. Originally we talked about this, there’s apparently a whole category of sites that will intentionally corrupt files for you, and they give scenarios like: “Didn’t finish that assignment? Need more time to finish the report? Life happens. Upload your file. We’ll corrupt it for you, and then you can send it to your professor or your boss and say, ‘Oh, I submitted it. What, didn’t you get it?’ And they’ll go, ‘oh yeah, but it didn’t work.’ ‘Oh well, oh, it’s just, it must have gotten corrupted somehow. That’s okay.’ And so you give yourself a little extra time to do the report.” And Well, the reality is, this has some potential problems, because you don’t know what that site—which is already encouraging unethical behavior—you don’t know whether they’re going to be doing something unethical with whatever you’re actually submitting to them. I found that a lot of these sites don’t have a privacy policy. They don’t give you any kind of deletion policy for uploaded files. So for all you know they might keep them permanently. They don’t say whether they’re deleting them securely after they corrupt them for you, or in the case of this new version of of this, the file conversion sites, they’re probably not going to tell you whether they’re going to delete those files, whether they’re going to delete them in a secure manner, how long they’re going to keep them. It’s kind of the same thing as the file corruption sites all over again. It’s just a variation on this existing, really serious privacy problem and something that people need to be aware of.

Kirk McElhearn 18:13
I must admit, I don’t remember this article if we talked about it on the podcast, this one slipped my mind. It’s kind of a digital “my dog ate my homework,” isn’t it? You send someone a file like, as you say, your professor or your boss or something, and it can’t be read, which is actually kind of dumb. But I’ve seen a lot of these websites, and there are some, for instance, that reduce the size of PDFs. There are some that can convert music files from one format to another, or convert video files, is a very popular one. And I was actually looking for a website like this a couple of weeks ago, and there were so many that came up in my search where you could upload a file and get the thing done. No, I wasn’t sending any, you know, sensitive information, but there’s apparently enough of a demand for these sites and they’re free. And remember, if they’re free, you’re the product. So they’re banking on collecting data from people, either maliciously or not, but they’re offering a service. There’s a reason why. Now, a lot of them might be ad-supported, and I didn’t see ads because I have an ad blocker, but there’s no such thing as a free lunch. I mean, people have known this for a long time, haven’t they?

Josh Long 19:17
You do need to be very, very careful about any of these sorts of things. So yes, it’s it’s a good reminder that you you can’t just blindly trust everybody on the internet.

Amazon to remove option preventing upload of Alexa conversations

Kirk McElhearn 19:29
Hey, Alexa, you also can’t blindly trust Amazon, because they are taking away the option where you do not send your voice recordings up to Amazon’s cloud. So up until now, or very soon, they’re going to make this change. If you use Alexa, you have an option in, I guess, the Alexa app or settings or whatever, don’t send my recordings to the cloud. And Amazon is changing this. And you know, there’s a couple of reasons why. I don’t think Amazon’s changing this in order to collect data. I think they’re doing this in order to get a concordance of spoken word content. Train their AI models.

Josh Long 20:02
The cutoff date is March 28, so if you already have this setting enabled to prevent your voice recordings from being uploaded to Amazon, they’ll just start ignoring that setting and it will disappear, presumably, from your settings, because they’re not going to be honoring that setting anymore. So this sounds a little creepy, and I kind of understand why they’re probably doing this. But at the same time this, this is not the direction that companies should be heading, right? More transparency, more granularity over your privacy—like, those are things that people actually want and care about. And for them to take away a privacy option on a big service like this, I mean, they’ve, you could almost say that Amazon has kind of taken the Echo devices and the Alexa ecosystem and now made it a Trojan horse, because they had some level of privacy that they were promising for all these years. And so now you’ve bought Echo devices, and you have them all over your home to use as a home intercom system, and now they’re going to be taking away this privacy feature and just ignoring it. That’s kind of crazy.

Kirk McElhearn 21:19
Do you know how many times they’re going to get recordings of, “Hey, come on down for dinner,” or “set a timer for five minutes,” which is going to be most of their recordings, right? But there are a lot of people who use this for more personal things. And you were pointing out that in your home, you use it as an intercom to talk to your family. And imagine that people were doing this, and you know, having intimate conversations over the intercom with Alexa, that’s kind of scary.

Josh Long 21:44
Yeah, well, and now—I mean, again, part of the reason behind this might be because of more generative AI-powered things that Amazon is planning to offer in Alexa Plus, which is supposed to be coming out this month—maybe on March 28, which happens to be the date that they’re gonna start ignoring the setting. Not really sure why anybody would care enough to like pay for Alexa Plus. I don’t really find Alexa all that useful, personally. But that’s Amazon’s plan. So if you don’t like that, I guess just either stop using Alexa, or be really careful about the things that you choose to say, and leave your Echo devices muted as often as you can, if you’re not actively using them. There’s a mute button on each of these devices so that you can leave the microphone turned off when you’re not actively talking to it.

Kirk McElhearn 22:37
Okay. If you’re using an iPhone or an iPad or a Mac, you have an option in Settings, Privacy and Security, Analytics and Improvements, and you can opt out to the setting Improve Siri and Dictation. I believe, by default, this is turned on, or at least you’re prompted to leave this on when you set up a device or upgrade to a major operating system. You can turn it off to prevent Apple from uploading your Siri conversations.

Josh Long 23:02
So that’s a good point. So Apple does still allow you to opt out of this—or to not choose to upload your recordings, or transcripts, is the other thing—of your conversations with Siri to Apple. So Amazon is taking a completely different approach, and they’re just saying, “Yeah, you know that thing? Yeah, we’re not going to let you do that anymore.”

Data continues to suggests people tend to re-use passwords.

Kirk McElhearn 23:24
Okay, we have an article from Cloudflare on their blog. So Cloudflare is a service that acts as they kind of protect websites from malicious traffic, and they say password reuse is rampant. Nearly half of observed user logins are compromised. Now, you know, I’m a writer, and I deal with like writing articles that are truthful, and the number in the article, in the second paragraph, says that 41% of successful logins protected by Cloudflare involve compromised passwords. 41% is not half. It’s, you know, you could say between a third and a half, so Okay, 40% is still a lot, and what they’re saying is they’re looking at a database of leaked credentials. So we’ve talked about the haveibeenpwned website where you can enter your email and you can find if your credentials have been leaked. And there’s been billions of these credentials leaked, and Cloudflare has looked at the logins, and they’ve found that 41% of these have been leaked. This is disturbing because we’ve constantly told people about these credential stuffing attacks, where someone gets the data from these leaks and attempts a whole bunch of different combinations of usernames and passwords, and most people don’t know about this. This is the biggest problem is that it’s hard to communicate this to people, to get them aware. Mod fair points out, the majority of these attacks are against WordPress, and what’s really interesting is, of the successful logins, 52% were legitimate users, and 48% were bots. The ones that were blocked or denied were 90% bots, and 10. Legitimate users. These are really weird numbers that are way too high for reality, and people need to be educated about this. Don’t reuse your password. Don’t reuse your password. Don’t reuse your password, right? Josh, what do we tell people?

Josh Long 25:13
Don’t reuse your password? Well, not only that, but the second part of that is make sure you’re using two factor authentication too, because even if your password somehow leaks, like even if you’re using good password hygiene and using unique passwords on every website, there’s still some possibility that your password may leak right you may accidentally put it into a phishing website at some point, but you can put an extra layer of security in place with almost all websites now, almost all services will allow you to do some kind of two factor authentication, and sometimes they call it two step verification, at least if they offer no other options, getting a text message to as your second factor is Better than nothing at all. We’d prefer you do something more like pass keys, or using your your face ID or your touch ID on your on your MacBook to log into a website, right. Pass keys are much better, much more secure. And also, if the other option would be authenticator apps, where you get a one time use code. But even if you don’t have those options, getting a text message is a second factor. Even though text messages are not encrypted and not very secure, it’s still more secure than just using a password by itself. So you have to turn on some kind of second factor to make sure that people can’t just get your password and log in.

Kirk McElhearn 26:39
You know I was thinking last week when I read an article about Passkeys, about how few websites actually offer pass keys. There are maybe a dozen that I use that offer pass keys like I have a pass key with Amazon, but it asks for it very rarely. I think eBay is the same I’ve set up pass keys, and sometimes they ask and sometimes they don’t, so as much as and we spent a lot of time talking about PASS keys when Apple started supporting them in the password Well, the pre passwords app in the iCloud key chain, but they don’t seem to have rolled out a lot. What I am seeing more often now is websites where you either enter your email and they send you what’s called a magic link to your email address. So this is a link to allow you to log in without a password, which I don’t think is entirely safe, because that email could be intercepted, or you go to log in and you enter username and the password, and you get a second factor code via email. And the problem with that is it’s much slower than text messages, and it may get in your spam folder, and you may eventually not be able to log in.

Josh Long 27:39
I really don’t like the idea of getting your one time code via email, I don’t, I mean, I guess it’s not any worse than sending it over a text message, right? Because with a text message, there’s no encryption. It’s presumably, presumably, they’re sending it over SMS, right? Almost all text messages now, for these kind of two factor systems are sending them over SMS, which is totally unencrypted. We know that foreign adversaries have, like, you know, broken into all of our communications networks in the US, and so anybody who wants to can intercept that text message, theoretically. So that’s not super great, but then also sending you a one time code to your email address is not really a whole lot better, because, again, a lot of people are reusing passwords, and they’ve probably reused their password for their email account that they use for other things, and so the bad guys can just log into their email probably, and get their second, quote, unquote, second factor code that was sent to their email address. So yeah, the magic links. I agree with you. That’s even worse, because, again, sending an email, generally speaking, is kind of like a postcard. There may be points where it’s encrypted along the way, but also once it’s just sitting there on the email providers devices, it may or may not be encrypted for whole periods of time and could be intercepted by some rogue employee or who knows who. So the key takeaway from all this is make sure you’re using unique passwords and turn on two factor authentication if you can for every website.

Kirk McElhearn 29:15
Okay, that’s enough for this week until next week. Josh, stay secure. All right. Stay secure.

Voice Over 29:21
Thanks for listening to the Intego Mac Podcast—the voice of Mac security—with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us in Apple Podcasts or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.

About Kirk McElhearn