Microsoft’s AI Recall Tool Is Still Sucking Up Credit Card and Social Security Numbers

Published: Dec 14, 2024

What a week! On Monday, police arrested 26-year-old Luigi Mangione and charged him in the murder of UnitedHealthcare CEO Brian Thompson. Mangione’s five-day escape from the police ended when he was seen eating at a McDonald’s in Altoona, Pennsylvania. This place is around 300 miles from Manhattan. Thompson was shot there on the morning of December 4. Police found Mangione with fake IDs and a 3D-printed “ghost gun.” This type of gun is called the FMDA, or “Free Men Don’t Ask.”

A wave of strange drone sightings in New Jersey and nearby states caused a lot of trouble. This quickly caught the attention of federal authorities. Many people asked why the US military couldn’t shoot down the drones. The FBI, Department of Homeland Security, and experts say the drone mystery might not be a mystery at all. The drones are likely just airplanes.

As for more land-based threats, we explored the far-right world of “Active Clubs,” small groups of young men. These men focus on fitness and hold extremist beliefs. They are connected to several violent attacks. Robert Rundo, who helped create the Active Club network, was sentenced in federal court this week. Despite this, Active Clubs are growing around the world.

Finally, we looked into cheating schemes that use tiny cameras to gain an unfair advantage in poker. We also examined how humans will use generative AI to make the world more dangerous.

But that’s not all. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

In May, Microsoft jubilantly announced Recall. This is an AI feature for some Windows PCs. It takes screenshots every five seconds. You can easily search through the digital footprint it creates. Forgotten where you saw a recipe online? Tapping a couple of keywords into Recall could, in theory, find the dish again. It didn’t take long for the privacy and security community to find gaping holes in the feature.

In response, Microsoft delayed the launch of Recall. They also made some significant changes. Recall is now opt-in instead of on by default. They improved the encryption of information captured by Recall. Additionally, they added authentication to access the stored data. Recall finally launched for some users this month.

However, this week, testing of Recall by Tom’s Hardware demonstrated that a key safeguard put in place by Microsoft can still fail. Tom’s Hardware tested the “filter sensitive information” setting. They found that it still captured some sensitive data in screenshots. This included credit card numbers and Social Security numbers. The publication typed a credit card number, username, and password into Notepad. These details were captured in the screenshots. “I filled out a loan application PDF in Microsoft Edge. I entered my social security number, name, and date of birth. Recall captured that,” Avram Piltch writes. The tool, however, didn’t record details when they were entered on a couple of online stores.

2024-12-14 11:30:00
