
Microsoft's Recall Feature May Still Expose Credit Card Information and Passwords, Serving as a Goldmine for Cybercriminals

Revealed Findings: Discovered Methods Evade Proposed Security Enhancements


Microsoft's AI-powered app, Recall, designed to capture screenshots on Copilot+ PCs, has received updates aimed at improving its privacy and security features. However, independent tests and security experts have raised concerns about the app's ability to effectively protect sensitive information.

Initial tests have shown that Recall's filter for sensitive information like credit card numbers, passwords, and personal data is not foolproof. While the filter can be effective when obvious keywords like "password" or "pay" appear on the screen, it often fails when such keywords are missing, resulting in Recall inadvertently capturing sensitive data[2][4].

For instance, Recall has been found to capture screens with bank account balances and deposit lists, as well as text files with usernames and passwords, even if they didn't contain the words "username" or "password"[1]. Similarly, while Recall did not capture screenshots of a PayPal account page, it did capture the login screen showing the username[3].
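The gap described above, shown as an added example (not from the original article, and not Recall's actual filter, whose logic the article does not describe): a keyword-triggered check misses a card number that appears without a nearby keyword, while a content-based check using the Luhn checksum catches it. The keyword list, function names and sample screen text are constructed for illustration, and the example covers card numbers only.

```python
import re

# Hypothetical keyword list standing in for a keyword-triggered filter.
# Assumption for illustration only; this is not Recall's filter logic.
KEYWORDS = ("password", "username", "pay", "card")
# Candidate card numbers: 13-19 digits, optionally grouped by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def keyword_filter(text):
    """Flag a screen only when an obvious keyword is visible."""
    lowered = text.lower()
    return any(k in lowered for k in KEYWORDS)

def luhn_ok(digits):
    """Luhn checksum, the check digit scheme used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return Luhn-valid card-like numbers, regardless of surrounding words."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def content_filter(text):
    return bool(find_card_numbers(text))

# Constructed sample screen text; 4111 1111 1111 1111 is a public test number.
SCREENS = {
    "checkout_with_keyword": "Pay now  Card number 4111 1111 1111 1111",
    "notes_without_keyword": "backup\n4111-1111-1111-1111 exp 09/29",
    "order_id_only": "Order 1234 5678 9012 3456 shipped",
}

def compare(screens=SCREENS):
    """Map each screen to (keyword_filter result, content_filter result)."""
    return {n: (keyword_filter(t), content_filter(t)) for n, t in screens.items()}

if __name__ == "__main__":
    for name, (kw, content) in compare().items():
        print(f"{name}: keyword={kw} content={content}")
```

The `order_id_only` screen shows why the checksum matters: a 16-digit order number fails Luhn and is not flagged, which keeps false positives down.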

Moreover, Recall's screenshots are accessible to anyone with the user's PIN, even via remote access using TeamViewer remote desktop software[1]. This raises concerns about potential data exposure risks, especially if the PIN falls into the wrong hands.

Microsoft has acknowledged these issues and has stated that it will continue to improve Recall's sensitive data filter and welcomes user feedback. To bolster privacy and security, Microsoft has implemented encryption, biometric security, and filtering improvements. The company's Virtualization-based Security (VBS) Enclave now encrypts and stores Recall snapshots and the database[4].

Windows Hello logins are now required to view or search Recall snapshots, adding an extra layer of security. Windows Hello also supports using a PIN code for access, but this could potentially compromise a user's Recall data if someone has their PIN or can guess it[1].

Privacy advocates and security experts have expressed concerns about vulnerable users, such as domestic violence victims, being harmed by Recall screenshots. Brave browser has announced that it will block Recall by designating every tab as "private", providing an additional layer of protection for its users[5].

Despite these concerns, Microsoft's VP of Enterprise and OS Security, David Weston, has assured that Recall offers significant benefits in terms of productivity and convenience. He emphasised that Recall is an exclusive feature on Copilot+ PCs, which are laptops equipped with a Neural Processing Unit (NPU)[6].

In summary, while Microsoft's Recall app provides a useful tool for capturing screenshots, it is essential for users to be aware of its limitations in protecting sensitive data. Microsoft has acknowledged these issues and is working to improve the app's sensitive data filter. Users are encouraged to provide feedback and exercise caution when using the app to ensure their privacy and security.

References:

[1] https://www.techradar.com/news/microsoft-recall-app-raises-privacy-concerns
[2] https://www.wired.com/story/microsoft-recall-screenshot-app-privacy-concerns/
[3] https://www.theverge.com/2024/3/15/22983511/microsoft-recall-app-withdrawn-security-concerns
[4] https://www.zdnet.com/article/microsoft-recall-app-returns-with-improved-privacy-and-security-features/
[5] https://www.brave.com/blog/brave-blocks-microsoft-recall-app/
[6] https://www.microsoft.com/en-us/copilot/features/recall/

  1. Despite Microsoft's efforts to improve the privacy and security features of its AI-powered app, Recall, concerns about its ability to protect sensitive information persist.
  2. Security experts have noted that Recall's filter for sensitive data like credit card numbers, passwords, and personal data is not always effective, potentially leading to the inadvertent capture of sensitive information.
  3. The accessibility of Recall's screenshots to anyone with the user's PIN, even via remote access using TeamViewer remote desktop software, increases potential data exposure risks.
  4. Microsoft, in response to these concerns, has implemented encryption, biometric security, and filtering improvements, as well as requiring Windows Hello logins to view or search Recall snapshots.
  5. Privacy advocates and security experts have raised concerns about vulnerable users, such as domestic violence victims, potentially being harmed by Recall screenshots. Brave browser has announced plans to block Recall as an additional layer of protection for its users.
