
Privacy

Recent Articles

Los Angeles sues Weather Channel app over privacy issues

The suit claims consumers’ location data is being sold to advertisers without consent

Millions of consumers use the Weather Channel’s app to keep up with their local weather conditions, but a suit filed by the City of Los Angeles claims the app is keeping up with you.

In a suit filed late last week, the City of Los Angeles claims the company that owns the Weather Channel is manipulating users into activating location tracking by suggesting the information would only be used to provide specific weather forecasts. The suit charges that information is also used to help advertisers better target consumers.

As it turns out, knowing where individuals are at any given moment is very valuable. For example, advertisers use that information to target a consumer when he or she is near their place of business.

The City of Los Angeles lawsuit claims the Weather Channel has sold data collected from its app to companies that mine this sort of data. Citing an article in the New York Times, the city said at least 75 companies collected precise location data using information obtained through the app.

The suit charges that consumers weren’t adequately informed of this arrangement. It said the notices supplied by the app failed to provide complete details about how their data would be shared and used. The suit claims incomplete disclosures like that are “fraudulent and deceptive” and violate California’s Unfair Competition Law.

Tech industry crisis

The suit strikes at the heart of a crisis the technology industry is now facing. Since Facebook revealed in March that user data had been unlawfully used by a political marketing firm, big tech firms have been in a defensive posture and under increasing regulatory pressure.

As the annual Consumer Electronics Show (CES) gets underway this week in Las Vegas, Apple addressed the issue head-on in a billboard, declaring “What happens on your iPhone stays on your iPhone.”

“If the price of getting a weather report is going to be the sacrifice of your most personal information about where you spend your time day and night, you sure as heck ought to be told clearly in advance,” Michael Feuer, the Los Angeles city attorney, told the Times.

A spokesman for IBM, which owns the Weather Channel app, said the company has always been transparent in its use of personal data and will vigorously defend the lawsuit.


Britain raises new privacy concerns about Facebook

Social media company pushes back against 'selective leaks'

Facebook finds itself once again in the crosshairs as a British parliamentary group released company documents showing the social media giant used member data to help friends and punish rivals.

A British parliamentary committee released emails covering the period of Facebook's most rapid growth, roughly 2012 to 2015. The documents show that Facebook executives treated member data as their most prized commodity and looked for ways to profit from it.

The documents also show that CEO Mark Zuckerberg and COO Sheryl Sandberg were intensely involved in decisions that had the objective of keeping members as engaged on the site as possible.

In one series of emails, Zuckerberg raised the prospect of charging developers for access to user data, or of granting that access in exchange for developers sharing their own users' data back to Facebook.

“It’s not good for us unless people also share back to Facebook and that content increases the value of our network,” he wrote. “So ultimately, I think the purpose of (the) platform — even the read side — is to increase sharing back into Facebook.”

User data issues

Facebook has been wrestling with user data issues since March when it revealed that user data was unlawfully transferred to a political marketing firm, which used it in the 2016 U.S. presidential election. Facebook has said it was slow to respond to that issue but has since increased user data safeguards.

Facebook had taken steps to keep the documents private. Those materials have been under a court-ordered seal as part of a lawsuit in California involving Facebook and an app developer.

In a statement Wednesday, Facebook said the documents were selectively leaked to "suggest things that are false." The company says the documents don't tell the full story.

Congressional response

Sen. Edward Markey (D-Mass.), a frequent Facebook critic, said it should not be up to Zuckerberg and other Facebook executives to decide who has access to user information.

"When he testified before Congress, Mark Zuckerberg repeatedly insisted that Facebook does not sell its users’ data," Markey said. "We now know, however, that Facebook executives discussed requiring companies to buy digital advertisements in order to access users’ personal information."

Markey says if there is any evidence of a pay-for-data model it would "fly in the face" of the statements Facebook has made to Congress and the public.


Facebook bug allowed websites to see users’ likes and interests

The company has patched the bug and says it hasn’t seen the bug exploited

Facebook says it has fixed a privacy bug that allowed websites to read likes and interests on users’ profiles without them knowing about it.

The bug was first discovered in May by Ron Masas, a security researcher at Imperva. Masas found that Facebook search result pages were not adequately protected against cross-site request forgery, so a malicious website could load them in an iframe while the victim was logged in to Facebook in the same browser and extract information from the response.

“This allowed information to cross over domains — essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends,” Masas told SiliconANGLE.

Masas said the bug let a website learn a user’s interests, and their friends' interests, even when those users' privacy settings restricted that information to friends.
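The flaw class described above (a third-party page frames an endpoint that answers with a logged-in user's data, and learns something from the response) is what Fetch Metadata request checks, anti-framing headers and SameSite cookies exist to stop. The following is an added example, not code from the article, from Imperva or from Facebook, and it does not attempt to reproduce the exact Facebook bug, whose mechanics beyond the description above are not given here. The session store, the origins and the request objects are constructed for illustration; the Sec-Fetch-* headers are the ones modern browsers send on every request.

```javascript
// Added example (not code from the article, Imperva or Facebook).
// The session store and the request objects below are constructed.
// Generic fix for "a third-party page frames a logged-in endpoint and
// learns something from the response": refuse cross-site embedded requests
// before touching session state, forbid framing in the response headers,
// and issue the session cookie with SameSite so the browser would not
// attach it to a cross-site iframe load in the first place.

// Constructed session store: cookie value -> user and friends-only data.
const SESSIONS = {
  s3cr3t: { user: "alice", interests: ["hiking", "lockpicking", "security"] },
};

function lowerHeaders(req) {
  return Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v])
  );
}

function sessionFromCookie(req) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(lowerHeaders(req).cookie || "");
  return m ? SESSIONS[m[1]] : undefined;
}

// Fetch Metadata resource-isolation policy: reject cross-site embedded
// loads (iframe/object/embed, fetch, XHR) while keeping links into the app
// working. Browsers without Sec-Fetch-* headers fall through; for them the
// SameSite cookie and anti-framing headers below still apply.
function resourceIsolationPolicy(req) {
  const h = lowerHeaders(req);
  const site = h["sec-fetch-site"];
  const mode = h["sec-fetch-mode"];
  const dest = h["sec-fetch-dest"];
  if (site === undefined) {
    return { allow: true, reason: "no Fetch Metadata headers (legacy browser)" };
  }
  if (site === "same-origin" || site === "same-site" || site === "none") {
    return { allow: true, reason: "sec-fetch-site=" + site };
  }
  if (mode === "navigate" && req.method === "GET" &&
      !["iframe", "object", "embed"].includes(dest)) {
    return { allow: true, reason: "cross-site top-level navigation" };
  }
  return { allow: false, reason: "cross-site " + mode + " request, dest=" + dest };
}

// Response headers that stop the page being rendered inside another site's frame.
function hardenedHeaders() {
  return {
    "Content-Security-Policy": "frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "Cache-Control": "no-store",
    "Vary": "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest",
  };
}

// Set-Cookie value for the session: Lax keeps the cookie off cross-site
// subresource and iframe requests, while top-level links still carry it.
function sessionCookie(token) {
  return "session=" + token + "; Path=/; Secure; HttpOnly; SameSite=Lax";
}

function matches(session, q) {
  return session.interests.filter((i) => i.includes(q));
}

// Before: answers anyone whose browser attaches the cookie, including a
// third-party page that frames /search?q=...
function searchVulnerable(req) {
  const s = sessionFromCookie(req);
  if (!s) return { status: 401, body: null };
  return { status: 200, body: matches(s, req.query.q) };
}

// After: same lookup, gated by the isolation policy and anti-framing headers.
function searchHardened(req) {
  const headers = hardenedHeaders();
  const decision = resourceIsolationPolicy(req);
  if (!decision.allow) return { status: 403, headers, body: null, reason: decision.reason };
  const s = sessionFromCookie(req);
  if (!s) return { status: 401, headers, body: null };
  return { status: 200, headers, body: matches(s, req.query.q) };
}

// Constructed requests. In the attack, a page on another site embeds
// <iframe src="https://app.example/search?q=lock"> while the victim is logged
// in; with a pre-SameSite cookie the browser still attaches the session.
const framedByAttacker = {
  method: "GET",
  query: { q: "lock" },
  headers: {
    Cookie: "session=s3cr3t",
    "Sec-Fetch-Site": "cross-site",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Dest": "iframe",
  },
};
const firstPartyRequest = {
  method: "GET",
  query: { q: "lock" },
  headers: {
    Cookie: "session=s3cr3t",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Dest": "document",
  },
};

console.log(searchVulnerable(framedByAttacker)); // 200 with ["lockpicking"]: leaks
console.log(searchHardened(framedByAttacker));   // 403
console.log(searchHardened(firstPartyRequest));  // 200 with ["lockpicking"]
```

The three layers are deliberately redundant: the policy check is the only one that works for browsers that ignore SameSite, the cookie attribute is the only one that works for endpoints you forgot to wrap, and the frame-ancestors/X-Frame-Options headers cover the case where a response is served but must still not be rendered in someone else's frame.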

One of many security issues

Facebook said it fixed the bug within days of being alerted to it and has seen no evidence that the vulnerability was exploited for malicious purposes.

“We appreciate this researcher’s report to our bug bounty program,” said Facebook spokesperson Margarita Zolotova in a statement. “As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”

The vulnerability is one of several security and privacy problems to hit Facebook recently. It follows the Cambridge Analytica scandal, in which a political data firm improperly harvested information on 87 million users for election profiling.

More recently, Facebook admitted that millions of user account tokens had been stolen by hackers who breached its system.


Tim Cook calls for stricter digital privacy regulations

Apple’s CEO says the crisis of data collection is real and ‘should unsettle us’

During a speech given at a privacy conference in Brussels on Wednesday, Apple’s chief executive Tim Cook called for stricter digital privacy laws, saying consumers’ personal information is being "weaponized against us with military efficiency."

Cook, who did not call out any tech company by name, said technology and the business of selling advertising targeted at users have created a "data industrial complex” that affects individuals and entire societies.

"We shouldn't sugarcoat the consequences. This is surveillance,” Cook said in an impassioned keynote address at the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC). “And these stockpiles of personal data serve only to enrich the companies that collect them. This should make us very uncomfortable. It should unsettle us."

Companies hoarding personal data

Although Cook didn’t mention Facebook or Google by name, his comments come on the heels of several large-scale data misuse incidents, such as the Cambridge Analytica scandal, in which the information of 87 million users was “improperly shared” to profile voters.

"Every day, billions of dollars change hands, and countless decisions are made, on the basis of our likes and dislikes, our friends and families, our relationships and conversations. Our wishes and fears, our hopes and dreams," Cook said. "These scraps of data, each one harmless enough on its own, are carefully assembled, synthesized, traded, and sold."

"Your profile is then run through algorithms that can serve up increasingly extreme content, pounding our harmless preferences into hardened convictions," Cook said.

Called for new privacy laws

Apple’s CEO praised the "successful implementation" of the EU’s new data privacy law, GDPR, and said the United States should consider adopting similarly stringent privacy regulation.

“This crisis is real. It is not imagined, or exaggerated, or crazy,” he said during the keynote. “And those of us who believe in technology's potential for good must not shrink from this moment.”

He said Apple would fully support the introduction of a “comprehensive federal privacy law in the United States.”

“There, and everywhere, it should be rooted in four essential rights," Cook added. Consumers should have the right to have personal data minimized, the right to knowledge, the right to access, and the right to security, he said.


Facebook may acquire a ‘major’ cybersecurity firm

Sources familiar with the company’s plan say the acquisition could happen by the end of the year

In the wake of a series of highly publicized data breaches, Facebook is reportedly looking to beef up its security defenses by acquiring a major cybersecurity firm.

Sources with knowledge of the matter told The Information that the company has already offered deals to “several” security firms, but the sources stopped short of naming which companies Facebook has expressed an interest in acquiring.

Facebook wants to close the deal by the end of this year, according to the report.

Preventing another hack

The purchase would give Facebook software that could be integrated with its existing services, such as tools for automatically detecting hacking attempts or securing users’ accounts.

A large acquisition like this would also help increase the company’s trustworthiness in the eyes of consumers, investors, and government regulators by showing that it’s taking the issue of data security seriously.

Word of Facebook’s goal of acquiring a cybersecurity firm comes nearly a month after the company announced that hackers had stolen access tokens for 30 million accounts.

Earlier this year, CEO Mark Zuckerberg was called upon to testify before Congress following the Cambridge Analytica scandal in which the information of 87 million users was “improperly shared” to profile voters. At the hearing, Zuckerberg answered questions related to the privacy policies of the social networking platform.

“We were too slow to spot and respond to Russian interference, and we’re working hard to get better,” Zuckerberg said in a statement at the time.

“Our sophistication in handling these threats is growing and improving quickly. We will continue working with the government to understand the full extent of Russian interference, and we will do our part not only to ensure the integrity of free and fair elections around the world, but also to give everyone a voice and to be a force for good in democracy everywhere.”


Facebook provides new details about latest security breach

Social media giant says fewer users were impacted than first reported

Facebook now says 30 million users -- not the 50 million, as originally reported -- had their access tokens stolen in a breach discovered last month.

The tokens for the 50 million accounts originally identified, plus an additional 40 million, had already been reset as a precaution.

In a security update, Facebook said its investigation found that unknown attackers exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018. The flaw involved Facebook's "View As" feature, which lets users see what their profile looks like to other members.

The interaction of three distinct software bugs allowed the attackers to steal access tokens and thereby take over the corresponding accounts. The tokens work like digital keys that keep users logged in to Facebook so they don't have to repeatedly enter their username and password. Because a token is accepted as proof of a completed login, a stolen one works without the password, which is why the remedy is to invalidate the tokens and force a fresh login.

Spike in activity

In the security update, Facebook reported that the attack was revealed when engineers saw an unusual spike in activity that started on September 14.

"On September 25, we determined this was actually an attack and identified the vulnerability," the company said. "Within two days, we closed the vulnerability, stopped the attack, and secured people’s accounts by resetting the access tokens for people who were potentially exposed."

As a precaution, Facebook turned off “View As” and said it is working with the FBI to determine the parties that might be responsible for the attack.

While fewer Facebook users were affected than first reported, Facebook has revealed the extent of compromised information was greater for some than for others.

Exposed data

For about 15 million users, the attackers accessed name and contact details (email address, phone number, or both).

For another 14 million users, the attackers also accessed additional profile information: username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, and the last 10 places they checked into or were tagged in.

For the remaining 1 million users, Facebook determined that the attackers did not access any information. Users concerned about the breach can check whether they were affected by visiting the Facebook help center.

Facebook's update follows criticism from Ireland's Data Protection Commission (DPC), Facebook's lead privacy regulator in the European Union (EU). At the time, the agency complained that Facebook's initial disclosure of the breach was light on details.


Facebook's latest data breach could be costly

European fines could exceed $1 billion

Facebook's data breach, disclosed last week, will likely be costly for the social media giant as European privacy regulators demand answers.

On Friday, Facebook announced that a security breach had compromised access tokens for about 50 million accounts but said the issue had been resolved. Europe has the world's toughest privacy rules, however, and the European Union could impose fines that – by some estimates – could be in excess of $1 billion.

Ireland's Data Protection Commission (DPC) complained that Facebook's initial disclosure of the breach was light on details. The DPC said Facebook appears unable to tell users the extent of the risk they face.

The DPC said it wants answers from Facebook and those replies will determine whether there will be fines and how much they are. Later, the commission tweeted that Facebook had begun to fill in some blanks.

“Facebook issued a blog on Friday last indicating that 50 million accounts were potentially affected by a security issue,” the agency wrote. “We understand that the number of EU accounts potentially affected is less than 10 percent of that. Facebook has assured us that they will be in a position to provide a further breakdown in relation to more detailed numbers soon.”

General Data Protection Regulation

The EU's General Data Protection Regulation took effect in May and imposes heavy penalties on companies found to be in violation of it. Offenders can be fined up to 20 million euros (about $23 million) or 4 percent of the previous year's worldwide annual turnover, whichever is higher. Under that formula, Facebook could face a fine in excess of $1 billion.

This isn't the first time Facebook has had to deal with a privacy issue. It faced a harsh backlash in March, when it revealed that personal information on millions of users had fallen into the hands of a political marketing firm.

In that case, there was no breach of its system. A third-party app developer had been granted access to the data but was not allowed to give it to anyone else. Facebook said the developer then sold the data to Cambridge Analytica, a political marketing firm.

At its developer conference in May, Facebook reaffirmed its commitment to protecting user data. CEO Mark Zuckerberg said the company would take a “broader view” of its responsibility to protect users' privacy.


Hackers get access to 50 million Facebook accounts

The company says it has reset the affected access tokens

Facebook reports hackers breached its system and stole access tokens for some 50 million accounts, in effect giving them access to those accounts.

Facebook said it discovered the breach three days earlier, when it found that attackers had exploited a vulnerability in the platform's "View As" code, a feature that allows users to see what their profile looks like when another person is viewing it.

"This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts," Facebook said in a security update. "Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app."

The social media giant says its engineers have reset the affected access tokens. Affected users do not have to take any action, other than re-entering their username and password the next time they log in to their account.

Another 40 million accounts reset as a precaution

In addition to the 50 million users whose tokens were compromised, another 40 million had their tokens reset as a precaution. Facebook said those accounts had been subject to a “View As” look-up in the past year.

"As a result, around 90 million people will now have to log back into Facebook, or any of their apps that use Facebook Login," the company said. "After they have logged back in, people will get a notification at the top of their News Feed explaining what happened."

Meanwhile, Facebook said it is temporarily turning off the "View As" feature while it conducts a security review.

Facebook said it has not yet determined whether any of the compromised accounts were misused or whether the attackers accessed any information.

The company has been under pressure for much of the year on privacy issues. In March it revealed that a third-party firm had sold personal information on millions of users to a political marketing firm, in violation of its terms of service.

Google is fighting back against efforts to expand 'right to be forgotten' rules

The search engine is arguing that applying the rule globally could infringe on people’s right to expression

In May 2014, the European Court of Justice established the “right to be forgotten” for internet users, allowing individuals to ask search engines to de-list certain results about themselves, such as information that is inaccurate, irrelevant, or excessive.

Four years later, the ruling has resurfaced as Google finds itself in a battle with France’s data protection agency -- the Commission nationale de l'informatique et des libertés (CNIL). CNIL argues that the right to be forgotten should extend beyond the European Union; it says the rule should give users the option to have results de-listed from search engines globally.

CNIL acknowledges that Google does remove some search results for Europeans when requested, but its complaint is that the results are not removed everywhere: some non-EU versions of Google still displayed the de-listed information.

A censorship issue

At a hearing before 15 European Union judges, Google argued firmly that expanding the right to be forgotten would infringe on some users’ freedom of expression.

Media outlets -- including Reuters, The New York Times, and BuzzFeed -- and several nonprofit organizations agree with Google that expanding the current rule would amount to censorship.

“This case could see the right to be forgotten threatening global free speech,” said Thomas Hughes, the executive director of the freedom-of-expression group Article 19. “European data regulators should not be allowed to decide what internet users around the world find when they use a search engine.”

“The [Court of Justice of the European Union] must limit the scope of the right to be forgotten in order to protect the right of internet users around the world to access information online,” Hughes said.

What’s been removed

Earlier this year, Google provided an update on its efforts in the four years since the right to be forgotten rule took effect.

Google reported that it had received requests to de-list 2.4 million URLs.

In its February report, Google noted that deciding what to de-list can be difficult, and that the URLs removed so far account for only 43.3 percent of those requested.

“Search engines like Google must consider if the information in question is ‘inaccurate, inadequate, irrelevant or excessive’—and whether there is a public interest in the information remaining available in search results,” said Michee Smith, Google’s product lead on the project.

In the four years since the right to be forgotten took effect, the largest share of requests has targeted social media and directory services holding personal information; the second largest has targeted news outlets and government websites.


Alleged Russian hacker extradited to the U.S.

Officials accuse him of pulling off biggest ever breach of a financial firm

The operators who defraud American consumers and businesses hardly ever face justice, mainly because they operate offshore.

But U.S. officials say they have a Russian national in custody who they accuse of carrying out one of the biggest hacks in history.

Federal officials report that Andrei Tyurin, a Russian accused of being a key player in the hack of JPMorgan Chase and other large companies, is now in U.S. custody after being extradited from the Republic of Georgia.

U.S. officials charge that Tyurin has been the mastermind behind a number of high-profile cyber attacks against U.S. financial firms while also engaging in credit card fraud and money laundering.

Single biggest hack

“Tyurin’s alleged hacking activities were so prolific they lay claim to the largest theft of U.S. customer data from a single financial institution in history, accounting for a staggering 80 million-plus victims," said Manhattan U.S. Attorney Geoffrey Berman. "As Americans increasingly turn to online banking, theft of online personal information can cause devastating effects on their financial well being, sometimes taking years to recover."

Berman and other law enforcement officials, who have had Tyurin in their sights for years, call his extradition a significant milestone. In most cases they have been powerless to apprehend people outside the U.S. who are scamming consumers.

Tyurin appeared in court in Manhattan with his attorney and pleaded not guilty to charges of conspiracy, computer hacking, identity theft, and wire fraud.

Could cut a deal

Legal experts say Tyurin may be in a good position to cut a deal with prosecutors since he most likely has a lot of information about others who are involved in international hacking and scams. It's not unreasonable to think his knowledge could be useful to prosecutors who are conducting investigations into a number of different areas, including interference in the 2016 presidential election.

The case centers on the 2014 JPMorgan Chase hack, which investigators said appeared to be part of an effort to manipulate stock prices. JPMorgan security personnel brought their concerns to public attention at the time, fearing the intrusion might be the work of Russian intelligence agents.

U.S. officials accuse Tyurin of working with other hackers in a coordinated attack on financial services firms' networks. Officials say they believe the hackers were able to gather sensitive information on more than 100 million people who were the firms' clients.

Prosecutors allege that stolen information was used in wide-ranging schemes, from stock manipulation to bitcoin money laundering.


Yahoo Mail reportedly scans commercial emails to help advertisers

Almost 200 million Yahoo inboxes are scanned for data to help advertisers learn users’ buying habits

Yahoo Mail is still scanning the inboxes of its users for commercial emails in order to help advertisers target ads based on users’ interests, the Wall Street Journal reported on Tuesday.

The emails that are scanned typically include order confirmations and other messages from online retailers. Oath, Yahoo’s owner, uses the information to put users into interest groups. Advertisers then show ads based on those interests.

Oath uses algorithms to identify commercial emails, then scans those emails for keywords that could provide insights into a user’s purchasing habits.

“Yahoo mined users’ emails in part to discover products they bought through receipts from e-commerce companies such as Amazon.com,” said the Journal. “In 2015, Amazon stopped including full itemized receipts in the emails it sends customers, partly because the company didn’t want Yahoo and others gathering that data for their own use.”

The company allows users to opt out of targeted ads based on email scanning, but the page for doing so is hard to find: users have to navigate to the Ad Interest Manager and select “opt out” under both the 'Your Advertising Choices' and 'On Yahoo' tabs.

Yahoo’s rivals don’t scan emails

Users first noticed that Oath had given itself permission to read their emails when it updated its privacy policy back in April. The fact that the company is still pitching this capability to advertisers sets it apart from most of its competitors.

Last year, Google confirmed that it would stop scanning users’ consumer email accounts in order to serve up targeted ads. Microsoft says it has never engaged in the practice, nor has Apple.

Oath says that scanning retail emails is part of the trade-off consumers make in exchange for free online services.

"Email is an expensive system. I think it's reasonable and ethical to expect the value exchange, if you've got this mail service and there is advertising going on," Doug Sharp, Oath's Vice President of Data, Measurements & Insights, told the Journal.


T-Mobile experienced a data breach on August 20

The carrier said an ‘unauthorized capture of data’ occurred this week

On Thursday, T-Mobile announced that it was hit with a data breach on August 20 that may have allowed hackers to gain access to the personal information of around 2 million of its customers.

“Out of an abundance of caution, we wanted to let you know about an incident that we recently handled that may have impacted some of your personal information,” T-Mobile said in a statement disclosing the breach.

T-Mobile said its cyber-security team “discovered and shut down an unauthorized access to certain information, including yours, and we promptly reported it to authorities.”

Information compromised included customers' name, billing zip code, phone number, email address, account number, and account type (prepaid or postpaid).

Financial data not compromised

“None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised,” T-Mobile said.

The company said anyone whose data was compromised has been, or will shortly be, notified by text message.

T-Mobile didn’t say exactly how many customers were affected by the breach. However, a T-Mobile spokesperson told Motherboard that the breach affected “about” or “slightly less than” 3 percent of the carrier’s 77 million customers, which works out to roughly 2 million users.

T-Mobile says consumers with questions or concerns about the incident can contact Customer Care.

“If you are a T-Mobile customer, you can dial 611, use two-way messaging on MyT-Mobile.com, the T-Mobile App, or iMessage through Apple Business Chat,” the carrier said. “You can also request a call back or schedule a time for your Team of Experts to call you through both the T-Mobile App and MyT-Mobile.com. If you are a T-Mobile For Business or Metro PCS customer, just dial 611 from your mobile phone.”


Facebook deletes another 652 pages and accounts

The company said it removed accounts that were engaging in "coordinated inauthentic behavior"

Facebook says it has removed 652 pages and accounts from its platform after determining their owners were not who they claimed to be, but groups based in Russia and Iran.

The purpose of the posts on those pages, Facebook said, was to spread misinformation and sow discord ahead of the U.S. midterm elections. The company said the owners of the accounts were engaging in "coordinated inauthentic behavior."

The company said the account owners were carrying out distinct campaigns, and so far it has not established any direct link between the groups. But it was clear they were using the same or similar tactics and were trying to mislead others about who they were and what they were doing.

Determined and well-funded

"We ban this kind of behavior because we want people to be able to trust the connections they make on Facebook," the company said in a blog post. "And while we’re making progress rooting out this abuse, as we’ve said before, it’s an ongoing challenge because the people responsible are determined and well funded."

Facebook said it is investing in people and technology and working more closely with law enforcement. It announced those steps earlier this year when it revealed that Cambridge Analytica, a political marketing firm, made unauthorized use of Facebook data to target ads during the 2016 presidential election.

Facebook said it received a tip last month from FireEye, a cybersecurity firm, warning that it identified a group called Liberty Front Press as a potential bad actor. Facebook says a subsequent investigation was able to link the account to Iranian state media through publicly available website registration information, as well as the use of related IP addresses and Facebook Pages sharing the same administrators.

One part of the network, a Facebook group called Quest 4 Truth, identified itself as an independent Iranian media organization. But Facebook said its investigation showed it was connected to Press TV, an English-language news network affiliated with Iranian state media.

Not who they say they are

The overarching theme, says Facebook, is that the account owners portray themselves as independent media organizations when they are not.

Earlier this week Microsoft reported that it had taken control of six domains owned by the Russian hacker group APT28, which was using the domains to spoof government and conservative websites.

Facebook CEO Mark Zuckerberg says his company has moved from a reactive stance to a proactive one. In a conference call with reporters, Zuckerberg said it's the only way to stay one step ahead of groups trying to use social media platforms to spread discord among Americans.

Researchers find security flaws in most tracker apps

The devices’ unencrypted data is apparently easily accessible

That tracker app you installed on your family members' smartphones may be providing more information than you think, and not just to you.

German researchers at the Fraunhofer Institute analyzed 19 legal tracker apps available in the Google Play Store. The researchers closely examined how the apps collect information and how they protect highly sensitive user data.

Across the 19 apps, they identified 37 major vulnerabilities, and none of the apps had basic security features in place by default.

The research team stresses that tracker apps have legitimate uses. Parents often use them to monitor their children's location and to see messages and pictures they post online. They're perfectly legal so long as the person being monitored is aware of it and agrees to it.

Data stored in plain text

The researchers take issue with these apps' security features, or rather the lack of them. They found that most apps store highly sensitive data on a server in plain text, without any type of encryption.

"We only had to open up a certain website and guess or enter a user name into the URL to retrieve an individual's movement profile," said Siegfried Rasthofer, who headed the project.

The researchers said they were able to read out complete movement profiles for all app users, not just the ones being monitored. They suggest this security flaw could allow thousands of people to be tracked in real time.

"It enables total surveillance," said Stephan Huber, a member of the research team.

Lack of proper encryption

The researchers said they were also able to read the app users' login information because the developers either used improper encryption or no encryption at all. In one app, the team was able to easily access 1.7 million login credentials.

The Fraunhofer researchers said they informed the app developers and the Google Play Store team of their findings. They say Google has removed 12 of the 19 apps from its store.

Researchers say security vulnerabilities lurk in most fax machines

It may be old technology but these devices can infect your network with the latest malware

If you're still using a fax machine, you're not only old fashioned, you're probably vulnerable to cyber attacks.

Researchers at Check Point, a cyber security firm, have uncovered vulnerabilities in the communication protocols used in tens of millions of fax devices. If the attacker has the fax number, that’s all they need to exploit the flaws and potentially seize control of a computer network.

Specifically, the Check Point researchers focused on vulnerabilities in the popular HP Officejet Pro All-in-One fax printers. The same protocols are also used by other manufacturers' fax machines and multi-function printers.

Check Point says the protocols are also employed in online fax services such as fax2email, and researchers say it is likely that these are also vulnerable to attack by the same method.

HP has already issued a patch

Once informed of the findings, Check Point says HP quickly developed a software patch for its printers, which HP has made available to customers.

There are a reported 45 million fax machines still in use, both in homes and offices. The '80s technology is especially prevalent in healthcare, law offices, banking, and real estate, and these networks often contain vast amounts of sensitive data.

“Many companies may not even be aware they have a fax machine connected to their network, but fax capability is built into many multi-function office and home printers,” said Yaniv Balmas, Group Manager, Security Research at Check Point. “This groundbreaking research shows how these overlooked devices can be targeted by criminals and used to take over networks to breach data or disrupt operations."

Here's how it works

It's a fairly simple hack. Once the attacker obtains a fax number, they send an image file to the machine. Embedded within the image is a code that the machine recognizes, decodes, and uploads into its memory.

Check Point says this process gives the attacker the ability to break into any device that is connected to the fax's computer network.

Dom Chorafakis, founder of the cyber security consultancy Akouto, says the simplicity of the attack is what makes it so dangerous.

"The malware is embedded within a specially crafted [message] and delivered over the phone line via standard fax, so there are no defensive measures like firewalls or antivirus that can be put into place to prevent this attack," Chorafakis told ConsumerAffairs. "End users have to rely on equipment vendors to check their firmware and provide updates."

While these attacks can be hard to stop, there are a couple of ways to protect yourself before being targeted. First, check your machine's manufacturer for available firmware updates and apply them.

For businesses and organizations, the fax machine should be on a secure network segment separated from applications and servers that carry sensitive information. That will limit the ability of malware to spread across networks.

The Weekly Hack: Golf nonprofit can’t access its own logos until it pays hackers in Bitcoin

The non-profit that runs the PGA Championship is at the mercy of a cryptocurrency hacker

Staffers at the nonprofit PGA of America are locked out of their own computer servers and unable to access critical files that they were planning to use for the upcoming Ryder Cup in France, GolfWeek is reporting.

On Tuesday morning, staffers received a message on their computers and were unable to access their own files. “Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm,” the message read.

The files, which include promotional banners, logos, and signage, will be destroyed if employees attempt to go around the hackers to get them back, the message warned.

Instead, the hackers have invited employees to use a decryption software that they claim has been made “exclusively” for PGA. That, of course, will cost money.

The message also includes a Bitcoin wallet number but no specific amount requested. Officials told GolfWeek that they have no intention of paying the ransom. The magazine reports that many of the files were created over a year ago and “cannot be easily replicated.”

Hacks tied to demands for a ransom paid in cryptocurrency have become increasingly common. Victims have ranged from random individuals whose data had been stolen in previous hacks to the city of Atlanta, to name a few instances.

PGA of America is a nonprofit that is a separate entity from the PGA Tour. In addition to the Ryder Cup, it also operates events that include the PGA Championship.

Healthcare

As medical records move online, it’s becoming clear that healthcare workers are in over their heads when it comes to data security. According to industry publications, hospitals and clinics have been suffering a record number of data breaches this year.

From April to June, the industry reported 142 data breach incidents affecting 3.14 million patient records. The figures are “nearly three times the number reported in the first part of the year,” Health IT News is reporting.

In July, another 860,000 patient records were compromised, according to an analysis of government data conducted by Healthcare Analytics News.

The attacks come following a report last year which found that 70 percent of healthcare workers lack cybersecurity awareness.

WhatsApp

The messaging app that has taken off with world travelers, people who work in tourism, or others who want a data-free method to contact overseas numbers could get users in major trouble.

Security researchers say that they have warned WhatsApp about a flaw they discovered in the service that allows attackers to impersonate users and alter their text messages. The attackers can do so by taking advantage of the “quote” feature used in group chats.

“We believe these vulnerabilities to be of the utmost importance and require attention,” Check Point Research said. WhatsApp has not made clear whether it is working to fix the flaw.

“We encourage you to think before sharing messages that were forwarded,” the company said in a blogpost. “As a reminder, you can report spam or block a contact in one tap and can always reach out to WhatsApp directly for help.”

Airplanes

A security researcher says that he was able to use weaknesses in satellite equipment to hack commercial aircraft. Ruben Santamarta recently told Forbes that he was able to view the workings of hundreds of passenger and commercial aircraft and says he is the first person to make the discovery.

Vulnerable airlines included Southwest, which says it already fixed the issue in December after being notified by a government agency. Other airlines named by Santamarta either didn’t respond or said that they too had already fixed the issue, Forbes reports.

Facebook is allegedly asking banks for customers’ financial data

However, the tech giant is denying the report

Facebook is asking large banks to share their customers’ credit card transaction data, shopping habits, and checking account balances to help it launch a new financial services initiative, according to a report from The Wall Street Journal.

Now, Facebook is speaking up in an effort to make clear that it’s not asking banks for its users’ financial transaction data or shopping habits.

In a statement to TechCrunch, Facebook spokesperson Elisabeth Diana said the social networking platform is working with banks to increase its chatbot capabilities. However, the company denies that it’s seeking access to its users’ financial data in order to serve up targeted ads or use that information for other purposes.

Facebook says it won’t collect information

“A recent Wall Street Journal story implies incorrectly that we are actively asking financial services companies for financial transaction data – this is not true,” Diana said.

The company says it’s looking to partner with banks and credit card companies to offer customer service through a chatbot in Messenger or help users manage their accounts within the app.

“Like many online companies with commerce businesses, we partner with banks and credit card companies to offer services like customer chat or account management,” Diana continued. “Account linking enables people to receive real-time updates in Facebook Messenger where people can keep track of their transaction data like account balances, receipts, and shipping updates.”

Bank integration with Facebook

Facebook said it is considering a new initiative that would let users see their checking account balances from within Messenger.

“The idea is that messaging with a bank can be better than waiting on hold over the phone – and it’s completely opt-in,” Diana said.

“We’re not using this information beyond enabling these types of experiences – not for advertising or anything else. A critical part of these partnerships is keeping people’s information safe and secure.”

Anonymous sources told the Journal that Facebook has talked to large banks including JPMorgan Chase, Citigroup, Wells Fargo, and US Bancorp about what types of banking services Facebook Messenger could provide for customers.

The Weekly Hack: Feds nab Ukrainian hackers allegedly behind attacks on Chipotle and Arby’s customers

The international hacking ring stole nearly 15 million customer credit card records, authorities say

The FBI has three Ukrainian nationals in custody who are leaders of an “international crime supergroup” called FIN7, the Department of Justice said Wednesday.

The group allegedly hacked the servers of Chipotle, Arby’s, Chili’s, and nearly 100 other United States companies in order to access consumer data and sell it on the dark web.

“In the United States alone, FIN7 successfully breached the computer networks of companies in 47 states and the District of Columbia,” federal authorities said. The group allegedly stole more than 15 million customer credit card records in the breaches.

Chipotle and Arby’s both admitted last year that customer credit card data was targeted via a malware attack, while Chili’s said last May that customer credit card data may have been “compromised.”

According to the Department of Justice, the attacks were part of a prolific hacking campaign “that targeted American companies and citizens by stealing valuable consumer data, including personal credit card information.”

Authorities say that the hackers posed as a security firm called Combi Security to recruit members in Israel and Eastern Europe. They launched their attacks by sending emails to employees of the companies that they were targeting. The emails were apparently so legitimate-looking that the recipients subsequently downloaded attachments containing malware -- yet another reminder to never download attachments from an unfamiliar source.

The defendants -- Dmytro Fedorov, 44; Fedir Hladyr, 33; and Andrii Kolpakov, 30 -- were arrested by foreign authorities. They now face 26 felony counts in a U.S. District Court in Seattle.

The Ivy Leagues

Yale University is offering one free year of identity theft monitoring, corporate America’s favorite way to apologize for a data breach, after university officials discovered that hackers stole 119,000 records affecting alumni, faculty, and staff nearly a decade ago.

“I am writing, with regret, to inform you that, between April 2008 and January 2009, intruders gained electronic access to a Yale database and extracted names and Social Security numbers, including yours,” says a letter that the University recently sent out to affected people.

As Yale News reports, the prestigious university has repeatedly fallen victim to hackers. Even its computer science department is not immune. A 2012 data breach in the department was blamed on a former employee with a weak password.

Reddit

Reddit said Wednesday that a hacker stole some users’ email addresses, as well as a 2007 database containing encrypted passwords.

The “security incident,” as Reddit describes it, occurred between June 14 and 18.

“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs,” the company said.

Hewlett-Packard offers hackers a bounty to break into their printers

The company is the latest to take a proactive approach in finding bugs

Hewlett-Packard (HP) is offering hackers a bounty of up to $10,000 if they can find vulnerabilities in the company’s printers.

CNET is reporting that HP quietly started a hacking bounty program in May. A total of 34 researchers have joined, including one who already earned $10,000 for detecting a flaw.

Printers are one of many consumer products that are vulnerable to hacking. Like other unexpected hacking targets, they can fall to the wayside when it comes to the attention of security researchers, who may be more interested in protecting webcams and other obvious targets.

"As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up," said Shivaun Albright, HP's chief technologist of print security, in a statement.

Taking a proactive approach

With nearly every industry proven to be vulnerable to hackers, researchers have said that businesses need to be more proactive in patching security holes.

As a result, hacking corporate clients in exchange for a “bounty” or fee has grown into a full-time career for some researchers. Recently, the automaker BMW honored the Keen Research group for its findings that hackers could remotely access its cars and wreak terror on drivers.

The Weekly Hack: Idaho inmates exploit prison tablets to hack money

The company says it will shut down almost all services until it gets its money back

The tablets being provided to inmates in prisons all over the country come with special strings attached. Emails, for instance, can take up to 48 hours to reach their intended destination due to security screenings. The email costs a minimum of 35 cents to send and attaching pictures or exceeding word limits costs extra. Apps and other features designed to appeal to bored inmates all come with their own charges.

The telecommunications giant JPay in recent years has distributed free tablets to tens of thousands of inmates with the anticipation that they will spend enormous amounts of money to access the features that make the tablets worthwhile. In New York alone, JPay has predicted that it will earn $8.8 million within two years by giving free tablets to 52,000 inmates in the state.

One enterprising group of inmates in Idaho is now facing punishment for hacking a piece of that pie for themselves. JPay and the Idaho Department of Corrections announced Friday that prison inmates found a vulnerability in their tablets and used it to add $225,000 worth of credits to their own JPay accounts. Most inmates loaded $1,000 or less into their accounts, though one took nearly $10,000. In all, a total of 364 inmates allegedly benefited from the scheme, but only briefly.

After the alleged hack was discovered, JPay announced that it has since recovered $65,000 worth of the credits. Apparently, however, the company needs the inmates’ help to get the rest of its own money back. The firm announced that it is suspending almost all service on the tablets -- everything but email -- until the rest of its money is refunded from the inmates involved in the scheme.

“This conduct was intentional, not accidental. It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account,” an Idaho Department of Corrections spokesman told the Associated Press.

Using a fee-based model to bring the comforts of home to prisoners, the jail communications firm JPay is part of an industry that profits enormously off of inmates, or more likely, their families. The firm also handles prison phone calls that used to cost as much as $14 per minute (until the FCC capped prison phone fees under the Obama administration) and commissary accounts in which family members have been charged fees as high as 45 percent of whatever amount they were sending to the inmate.

JPay also handles many of the debit cards that inmates are given upon release from prison to help pay for getting home. But the money in those cards often becomes inaccessible without explanation or is whittled away by various fees, one lawsuit contends.

JPay was purchased by Securus several years ago, another jail telecommunications giant that profits from high fees. Securus in recent years has successfully lobbied some counties to replace in-person jail visits with costly video visitation systems. Securus, which reportedly lets cops track phone calls in real time, has also proven to be vulnerable to hackers.

Even if the money is not returned, JPay will probably come through this theft just fine. Numerous advocacy groups have described the jail communications industry as one that benefits from having a monopoly in whatever facility in which they are operating.

Jail communications “often do not result in stronger lines of communication at all,” the Electronic Frontier Foundation has said. “Many communications services are offered under unfair terms and with artificially inflated fees that are only possible because the services operate monopolies at each prison or jail.”

Voting machine vendor admits vulnerability

In other hacking news, the nation’s largest provider of electronic voting machines recently admitted in a letter to a Senator that it installed remote-access software on some of its machines. Experts agree that such software is known to be widely vulnerable to hacking.

Voting machines in particular were expected to be completely disconnected from the internet or any remote internet activity.

What’s more, the firm, called Election Systems and Software, previously denied using such technology. The company reportedly now claims that it stopped using the remote software in 2007.

An Uber driver in St. Louis secretly livestreamed passengers on nearly 700 of his rides

Uber and Lyft cut ties with a driver who secretly filmed and broadcast his interactions with passengers to thousands of viewers

The women who stepped into Jason Gargac's Chevy had no idea that strangers were publicly rating their appearance from behind the comfort of a computer screen.

Gargac, an aspiring police officer in St. Louis, said he initially took a job driving for Uber to make ends meet. But not long after, he became a television host of sorts.

On Twitch, a live streaming platform, Gargac played to the camera between rides, thanking people for tuning in and sharing his own critiques of his passengers’ looks. The passengers, on the other hand, appeared to have no idea that they were being recorded as they stepped into his car and began talking.

In the approximately 700 rides that Gargac filmed, his passengers often embarrassed themselves -- or worse. The passengers would reveal their last names, addresses, crushes, family problems, and gripes with bosses, all while strangers mocked them online.

Uber and Lyft eventually cut ties with driver

Uber and Lyft initially downplayed the news that one of their drivers was making entertainment out of people's lower moments, a discovery that was revealed by the St. Louis Post-Dispatch newspaper.

Gargac admitted to the newspaper that he purposely worked weekend nights because passengers were more likely to be intoxicated then.

Passengers who discovered that they had been filmed and complained to Uber about it said they were only offered a $5 credit and a promise to not be paired with Gargac again.

Both companies initially told the Post-Dispatch that Gargac was not breaking any laws because Missouri is a one-party consent state when it comes to recordings.

But after the local newspaper published an investigative report about Gargac’s livestream channel this past weekend, both companies changed course and said that they had cut ties with him completely.

Gargac, who the Post-Dispatch reported did not want his own last name printed in the newspaper, was also kicked off Twitch. Until his channel went offline, it had amassed over four thousand followers, a figure that made Gargac feel “forever grateful,” according to a tweet he sent out to his fans in June.

Meanwhile, passengers interviewed by the paper said they felt deeply violated.

Recordings all too common

Ethics aside, secret recordings in Uber and Lyft cars are legally murky territory because it’s unclear whether they count as a private space, experts say.

But common sense dictates that passengers and drivers alike should expect to be filmed, as many Uber and Lyft users film rides for their own protection.

Still, drivers typically don’t air the footage unless the passengers become violent, as the infamous Miami doctor Anjali Ramkissoon did two years ago. Nearly three million people reveled in footage showing Ramkissoon attempting to hit her Uber driver and throw his possessions out of the window.

The footage elevated Ramkissoon, a neurologist, to the status of internet celebrity that the public loved to hate. Ramkissoon was fired shortly after the incident and said that she had to change her cell phone number because strangers would not stop calling to yell at her.

Drivers and passengers have also been captured engaging in sex acts in the car, using racist language, or simply behaving rudely. Uber’s own former CEO Travis Kalanick even proved that he wasn’t immune to the trap.

Last year, an Uber driver who realized he was transporting the company’s then-CEO confronted Kalanick about low wages and other problems that Uber drivers face. Kalanick dismissed the concerns as people not taking responsibility “for their own shit.”

Like other passengers caught in embarrassing moments, Kalanick later said he was ashamed of his behavior.

Facebook suspends another data analytics firm over fears of data misuse

The social media platform appears to be cracking down on user privacy

Facebook has suspended the Boston-based analytics firm Crimson Hexagon after reports indicated that the company’s contracts with other countries -- including the United States and Russia -- violated Facebook’s surveillance rules.

“We don’t allow developers to build surveillance tools using information from Twitter or Facebook or Instagram,” a Facebook spokesperson said. “We take these allegations seriously, and we have suspended these apps while we investigate.”

Though no evidence has been found thus far indicating that any user data has been obtained, Facebook plans to investigate “whether the analytic firm’s contracts with the U.S. government and a Russian nonprofit tied to the Kremlin violate the platform’s policies.” Crimson Hexagon has also completed work for the Turkish government.

Though it isn’t against Facebook policy to use data from users for general insights, according to the BBC, “where Crimson would fall foul of Facebook’s rules is if the data was used to create tools for surveillance, though Facebook has never clarified how its policy works in practice.”

According to Crimson Hexagon’s Chief Technology Officer Chris Bingham, the company “only collects publicly available social media data that anyone can access” and “does not collect private social media data.”

Trying to right the ship

Facebook received a ton of backlash following news of the Cambridge Analytica scandal in March. The company is now being investigated by the Securities and Exchange Commission (SEC), the Justice Department, and the FBI for its treatment of the scandal.

Questioning in the investigation is focused primarily on how much Facebook knew in 2015 -- when it initially learned that Cambridge Analytica had improperly accessed the data of tens of millions of users. At the time, Facebook did not alert any shareholders or any of its users.

In an effort to prove to users that their privacy and security are of the utmost importance, Facebook then launched a series of privacy updates. The company has not only audited thousands of apps that had access to users’ data, but it also suspended 200 apps in the process. Facebook also drastically upgraded users’ privacy settings, putting control back in the hands of social media users.

SEC to investigate if Facebook properly warned investors of data issue

How much did Facebook know about Cambridge Analytica’s misuse of data?

Facebook is currently under investigation from the Securities and Exchange Commission (SEC), the Justice Department, and the FBI, as authorities from these agencies are working to uncover how much the social media giant knew about the misuse and improper gathering of users’ data during last March’s Cambridge Analytica scandal. Specifically, the investigation is focusing on whether Facebook gave investors enough advance notice of what was going on.

Questioning is primarily focused on what Facebook knew in 2015 -- when it initially learned that Cambridge Analytica had improperly accessed the data of tens of millions of Facebook users -- and why the company didn’t share that information with its users or investors at the time. The news didn’t become public until March 2018. Investigators will also look into the words and actions from Facebook executives -- including CEO Mark Zuckerberg.

Facebook confirmed having received questions from federal agencies and reported that the company and its representatives will be cooperating with the investigation.

“We are cooperating with officials in the U.S., U.K., and beyond,” said Facebook spokesperson Matt Steinfeld. “We’ve provided public testimony, answered questions, and pledged to continue our assistance as their work continues.”

Facebook’s recent scandal

The Cambridge Analytica data breach first became public last March, when it was revealed that a professor used Facebook login credentials to ask users to sign up for what was said to be a personality analytics tool that would be used for academic research.

According to Facebook, the professor then violated the terms of service by selling the data of millions of Facebook users to the political marketing company Cambridge Analytica -- a company using the data to target potential voters.

In the U.K., the company allegedly targeted Facebook users inclined to vote for Britain leaving the European Union, whereas in the U.S., it was targeting users to support the Trump campaign.

Facebook reportedly removed the app -- called “This is Your Digital Life” -- as soon as the company became aware of the data breach, though it learned that not all of the data was deleted, as was required. Facebook then moved to suspend Cambridge Analytica’s account.

“We are constantly working to improve the safety and experience of everyone on Facebook,” Facebook said in a statement. “In the past five years, we have made significant improvements in our ability to detect and prevent violations by app developers.”

Changes in privacy

Since the scandal, Facebook has taken measures to protect users’ privacy moving forward.

The platform has audited thousands of apps that had access to users’ data, and it has suspended 200 apps in the process. The company has also restricted access to data for all developers using Facebook and Instagram.

The social media platform also drastically changed its privacy settings, condensing much of the settings into one easy to navigate screen.

“People have also told us that information about privacy, security, and ads should be much easier to find,” said Erin Egan, Facebook’s chief privacy officer. “Instead of having settings spread across nearly 20 different screens, they’re now accessible from a single place.”

Facebook also modified the way users see and access advertisements, as they gave users more control over the ads they view.

The Weekly Hack: Former Microsoft employee lets consumers track their own hacks

An unofficial database promises to alert consumers if any of their data was stolen

Businesses and government agencies across the world now suffer data breaches on a weekly basis, but they often leave out specific details about the scope of the hack, or, in some cases, fail to alert consumers about the hack at all.

In comes HaveIBeenPwned, a website developed by former Microsoft employee Troy Hunt. The service, which has actually been around since 2013 but has proven more useful as hacks have grown more common in recent years, invites consumers to submit their email addresses into an online database, which then promises to uncover any data breaches linked to the account in question.

Travel booking sites, flush with credit card information and other consumer data, have proven to be popular targets to hackers, and HaveIBeenPwned is now reporting that one such site appears to have been a major target.

Over five million accounts on Yatra, a travel-booking site based in India and available across the globe, had user data compromised, according to the service.

HaveIBeenPwned tweeted on Wednesday that the breach dates back to 2013 and includes phone numbers, passwords and PIN numbers. But Yatra never disclosed the apparent breach to consumers, according to the Huffington Post.

In a recent interview, Hunt explained that consumers are growing used to data breaches as a normal part of online life and that they are more concerned with how companies handle such breaches rather than whether or not they simply occurred. It would seem, then, that Yatra joins the ranks of Equifax and others accused of failing this important litmus test.

A single computer in Alaska

A state agency in rural Alaska says that 500 people may have had their data exposed in a hack that was possibly linked to Russian cyber criminals.

The Alaska Department of Health and Social Services announced that a computer in northern Alaska was found to be infected with a virus. That same computer also had unauthorized software installed onto it, and according to the state’s investigation, had accessed websites in Russia.

It’s unknown how or why that computer was targeted, but according to the agency, it contained documents “including information on pregnancy status, death status, incarceration status, Medicaid/Medicare billing codes, criminal justice, health billing, social security numbers, driver’s license numbers, first and last names, birthdates, phone numbers, and other confidential data.”

Alaskans are invited to call the agency to see if they were affected.

Study finds one app secretly recorded screen activities

Researchers say the app sent screenshots of user activity to a third party

Many smartphone users are paranoid that their phone is secretly listening to their conversations in order to serve up targeted ads. To find out whether that popular theory is true, researchers at Northeastern University recently conducted a study of more than 17,000 apps to find out if any of them actively overhear or record user activity.

The researchers found no instance of any app unexpectedly activating the microphone or dispatching audio files without a user’s permission. Of the 17,260 Android apps included in the year-long study, over 9,000 had permission to access the camera and microphone. The researchers used an automated program to interact with each app and then analyzed the traffic generated.

Although the researchers did not find any evidence of apps secretly recording their user to serve up targeted ads, the team found at least one instance in which an app sent screen recordings and screenshots to a third-party mobile analytics company.

Recorded what users were doing within the app

The researchers found that a popular food delivery app called GoPuff recorded and sent screen recordings to a mobile analytics company called AppSee. The app recorded footage of a screen where users had to enter their zip code.

After being contacted by the researchers, GoPuff added a disclosure of this practice to its privacy policy and removed the AppSee SDK. AppSee also claims it deleted the recordings it had obtained.

“In this case it appears that Appsee’s technology was misused by the customer and that our Terms of Service were violated,” AppSee's CEO told Gizmodo. “Once this issue was brought to our attention we’ve immediately disabled tracking capabilities for the mentioned app and purged all recordings data from our servers.”

The researchers didn’t definitively conclude that smartphones never record users without permission. They only said that they did not find any evidence of the practice in their study. The study had its limitations, including the fact that the automated systems might have missed some audio files processed locally on the device.

California passes strict new online privacy law

The new law will give consumers in the Golden State sweeping control over their personal data

On Thursday, California legislators passed the California Consumer Privacy Act of 2018. Under the new law, the data-harvesting practices of Amazon, Facebook, Google, and Uber will be restricted and consumers will have control over their personal data.

The new law gives consumers the right to know what information these big tech companies are collecting, as well as why they’re collecting it and where it’s being shared. Under the new law, consumers can also choose to bar tech companies from selling their data to third parties, including advertisers.

The new privacy rules are set to take effect in 2020, but only in the state of California.

"The state that pioneered the tech revolution is now, rightly, a pioneer in consumer privacy safeguards, and we expect many additional states to follow suit," James P. Steyer, CEO and founder of Common Sense Media, said in a statement.

"Today was a huge win and gives consumer privacy advocates a blueprint for success. We look forward to working together with lawmakers across the nation to ensure robust data privacy protections for all Americans,” Steyer added.

Online privacy protection

News of the new legislation comes about a month after the European Union implemented strict new privacy rules known as General Data Protection Regulation, or GDPR.

However, the Norwegian Consumer Council recently stepped forward with claims that tech firms such as Google, Facebook, and Microsoft instituted changes to their user controls that only give consumers “the illusion” of privacy.

The California Consumer Privacy Act has gotten the support of most privacy advocates, but some have pointed out that there are a few loopholes in the law that could cause problems. For example, the law would allow tech companies or ISPs to charge higher prices to consumers who opt out of having their data sold to third parties.

"For the first time California is explicitly allowing 'pay for privacy' deals that are in direct contradiction to our privacy rights," Emily Rusch, executive director of the nonprofit California Public Interest Research Group, said in a statement.

State Senator Hannah-Beth Jackson (D), who supported the law, said paying for online privacy is a “dangerous and slippery slope.”

California’s new law provides some of the toughest online protections in the country.

“I think it’s going to set the standard across the country that legislatures across the country will look to adopt in their own states,” said state Sen. Bob Hertzberg (D).

Adidas warns millions of U.S. customers of potential data breach

The U.S. website is the likely culprit of the company’s data concerns

On Thursday, Adidas reached out to millions of customers in the United States to warn them about a potential data breach that occurred within the company’s U.S. website. According to a company statement, Adidas is referring to the situation as a “potential data security incident.”

“On June 26, Adidas became aware that an unauthorized party claims to have acquired limited data associated with certain Adidas customers,” the company said.

Based on a preliminary investigation conducted by outside data security firms, the leaked data was limited in nature.

“The limited data includes contact information, usernames, and encrypted passwords,” the statement said. “Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.”

Cause for concern

Adidas found out about the possible data breach on June 26, and though it informed customers right away, the company is still uncertain when the breach took place.

“We are alerting certain customers who purchased on adidas.com/US about a potential data security incident,” a company spokeswoman told Bloomberg. “At this time, this is a few million consumers.”

A data breach -- though not uncommon for major brands as of late -- does have the ability to tarnish the reputation of a company. Based on a recent study by KPMG, 55 percent of global consumers have decided against purchasing something from companies that have had issues with online privacy.

Moreover, since 2017, several major brands have had issues with matters of data privacy, including Sears, Best Buy, Saks Fifth Avenue, Lord & Taylor, and Under Armour -- among countless others. Most recently, Delta Airlines reported a cyber attack that released the payment information for thousands of customers.

Despite this most recent incident, Adidas is looking to rectify the issue for consumers and is continuing to work to prevent future attacks on data privacy.

“Adidas is committed to the privacy and security of its consumers’ personal data,” the statement said. “Adidas immediately began taking steps to determine the scope of the issue and to alert relevant customers.”

Data breach may have exposed the personal information of 340 million people and businesses

Financial information was not leaked, but a range of personal characteristics were compromised

A database controlled by a Florida-based marketing and data aggregation company may have been compromised, exposing individual records on nearly 340 million people and businesses.

Security researcher Vinny Troia found that nearly 2 terabytes of data were exposed, which includes records of 230 million consumers and 110 million businesses.

"It seems like this is a database with pretty much every US citizen in it," Troia, founder of the New York-based security firm Night Lion Security, told Wired. “I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.”

If these estimates are accurate, the leak would be even larger than the Equifax data breach of 2017, which exposed the personal data of around 145 million people.

Highly personal information

Although credit card information and Social Security numbers don’t appear to have been leaked, the alleged breach reportedly exposed highly personal information, including phone numbers, home addresses, and email addresses.

It also exposed more than 400 personal characteristics, including interests, habits, whether the person owns a dog or cat, and the age and gender of the person’s children. Wired noted that in some cases, the information may have been inaccurate or outdated.

Despite the fact that no financial information was included, experts say that the wide range of personal data revealed could still make it possible for bad actors to create a more complete profile of individuals or help scammers steal identities.

Troia said he informed Exactis and the FBI that he was able to access the database on the internet earlier this month. The data is no longer publicly accessible. Exactis has not yet confirmed the leak.

The Weekly Hack: In Australia, a paperless real estate transaction may have cost a woman her house

On futuristic payment platforms, homeowners and cryptocurrency traders watch their money disappear

Australia is currently in the process of rolling out a new law that requires all real estate transactions -- from mortgage payments to home sales -- to go paperless.

The online-only property exchange and payment system is run by a company called Property Exchange Australia (PEXA), which is either a government-sponsored monopoly or an important disrupter and leader of the digital revolution, depending on who you talk to.

But like other digital “disruptors,” the PEXA platform may not be as secure as the company would like the public to believe. Dani Venn, an Australian woman and a former contestant on the reality show MasterChef, recently lost $250,000 after hackers stole the funds she had earned from selling her home.

Venn had planned to use the proceeds to purchase a new house. Instead, hackers somehow intercepted the payment, leaving the family homeless for the time being.

PEXA is reportedly trying to help the family, but the company is also denying that it bears any responsibility or liability in relation to the theft. In an interview with a local newspaper, the company claimed that the hacker had gained access to the victim’s money because of a hack on her email account rather than attacking the PEXA system itself.

But Venn does not buy that story. “I feel I want to pull out all my money from the bank. I don’t trust these big corporations. They don’t care about ordinary Australians,” she told the Sydney-Morning Herald.

The theft comes just several weeks after another homeowner reported losing more than $1 million from the PEXA system. Independent property brokers in Australia told the paper that the PEXA system does not require users to verify their identity thoroughly enough.

South Korean cryptocurrency market

Repeated hacks are taking their toll on the cryptocurrency market. Less than two weeks after a multimillion dollar cryptocurrency theft in South Korea sent the value of Bitcoin tumbling worldwide, a different trading platform in South Korea reported falling victim to a similar attack.

The South Korean cryptocurrency exchange Bithumb on Wednesday announced that about $31.5 million worth of its virtual coins had been stolen. Bithumb, which is the world’s sixth largest cryptocurrency trading platform, promised to compensate all affected customers.

Still, a refund for victims doesn’t address the underlying security problem facing crypto-traders. “No security measures or regulations can 100% guarantee safety of virtual coins,” a security expert told the Guardian. “It is held anonymously and in lightly secured systems, which makes them an irresistible target.”

Bitcoin’s value has so far remained steady following the more recent hack, hovering above $6,000.

Military contractors

A group of hackers based in China are going after military contractors in the United States and Southeast Asia, according to the security firm Symantec. The hackers appeared to be interested in learning how affected companies operate.

Symantec's report follows a Washington Post story last week detailing how a group of hackers backed by the Chinese government accessed 600 gigabytes worth of data that belonged to a United States Navy contractor. The hackers collected declassified but sensitive data, including information on a supersonic missile project, according to the FBI, which is now investigating the breach.

Though troubling, this has hardly been the worst hack on a government contractor. The news once again highlights security holes that even companies that do military business are apparently not patching.

Supreme Court rules police need warrant to track your phone location

Proponents say the decision is a major win for consumer privacy

The Supreme Court ruled on Friday that law enforcement must obtain a search warrant to get access to cell phone location information.

The 5-4 decision was written by Chief Justice John Roberts, who sided with the court’s four other liberal judges.

The decision is seen as a victory by advocates of increased privacy rights, who argued that protections were needed when the government gets involved with a third party -- like a phone provider -- to obtain information.

This is seen as a loss by the Justice Department, which argued that an individual’s privacy rights are diminished when it comes to information that has been voluntarily shared with others.

The background

The ruling follows a contentious ruling regarding a series of armed robberies that occurred in 2010 and 2011.

The police got a court order to get access to 127 days of cell phone tracking for a suspect named Timothy Carpenter. The location information found on Carpenter’s phone matched the robbery locations, and that information was used to convict him.

However, Carpenter appealed his conviction to the Supreme Court on the grounds that the police need to first obtain a warrant before getting his location from a cell-phone provider, as is stated in the Constitution.

Rather than obtain a warrant, which would have required the police to prove to a judge there was probable cause to believe the phone records contained evidence, the police opted to obtain a court order under the Stored Communications Act.

“The government’s position fails to contend with the seismic shifts in digital technology that made possible the tracking of not only Carpenter’s location, but also everyone else’s, not for a short period of time, but for years and years,” Chief Justice Roberts wrote.

Present day

Because of limited technologies seven years ago, the information used at Carpenter’s trial wasn’t as precise as location information taken off phones today. It didn’t log where he was when his phone wasn’t in use or where he was when he sent texts. Police personnel were able to see his location where he made phone calls within a mile to two miles, which worked in their favor in terms of the robberies.

Last November when this case made its way to the Supreme Court, justices were conflicted on whether they wanted to break with the third-party doctrine, which states that there is no reasonable expectation of privacy when an individual shares information with a third party (phone provider). Under this doctrine, police wouldn’t need a search warrant to obtain the pertinent information.

However, many justices have noted the stark differences in technology from when these laws were written to the present day. Chief Justice Roberts noted that allowing government access to historical GPS data represented an infringement of Carpenter’s Fourth Amendment rights.

“This is a groundbreaking victory for Americans’ privacy rights in the digital age,” said ACLU attorney Nathan Freed Wessler. “The Supreme Court has given privacy law an update that it has badly needed for many years, finally bringing it in line with the realities of modern life. The government can no longer claim that the mere act of using technology eliminates the Fourth Amendment’s protections.”

The Weekly Hack: Genealogy website downplays hack of 92 million users

MyHeritage says that it found ‘no evidence’ that the stolen data was used

Services that claim to help consumers discover their ancestry have taken off in recent years, but is it wise to trust an online service with your DNA? The genealogy website MyHeritage admitted on Monday that data from more than 92 million user accounts was accessed.

MyHeritage is characterizing what happened as a “cyber security incident,” the term that has become the corporate world’s phrasing-of-choice to describe an apparent hack.

The stolen information included email addresses and encrypted passwords, though MyHeritage is downplaying the impact that the hack could have on consumer privacy. “There has been no evidence that the data in the file was ever used by the perpetrators,” the company said in a statement late Monday.

“We believe the intrusion is limited to the user email addresses...Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security,” the company added.

The breach took place in October 2017 but was not caught until January 4, according to the company.

MyHeritage, much like competitors 23andme and Ancestry.com, offers a service in which users can submit a saliva sample for DNA analysis. 

Whether such services can be trusted with saliva samples and DNA information became a concern after police in California captured the so-called Golden State Killer earlier this year. Suspect Joseph James DeAngelo Jr. was arrested in April thanks in part to the genealogy site GEDMatch, authorities said. Police submitted a DNA sample from a crime scene to the site and said that it had matched the suspect’s DNA that they had already taken.

Ticketfly

The online ticketing site Ticketfly announced on Thursday that hackers stole the names, addresses, email addresses, and phone numbers of 27 million customers, though Ticketfly said that users’ credit card information was safe.

Ticketfly’s site went briefly offline after it detected the hack. But with the site up and running again, the company is requiring all users to change their passwords as a precaution.

“Upon first learning about this incident we took swift action to secure the data of our clients and fans,” a company spokesperson told Variety.

Canadian Banks

Several weeks ago, Mexico’s biggest banks lost millions of dollars to cyber criminals, and now America’s neighbor north of the border is dealing with its own bank hacking woes.

Canada’s fourth and fifth largest banks have released statements admitting that so-called “fraudsters” stole personal and financial information belonging to bank customers.

A spokesman for the Bank of Montreal told Reuters that less than 50,000 customers had their data accessed. Simplii Financial, the other bank that was hacked, said that 40,000 clients had “certain personal and account information” accessed. The banks’ handling of the breach is now being scrutinized by lawmakers.

“When will the Liberals take action to protect Canadian consumers with a digital bill of rights and stop letting these companies off the hook?,” Canadian Member of Parliament Brian Masse said, pointing to similar measures that currently protect consumers in the European Union.

The EU’s data protection laws are generally stricter and more consumer-friendly than those implemented in the rest of the world.

Booking.com

Travel site Booking.com wasn’t actually hacked, but hackers are telling the site’s partner properties that attempts were being made to steal hotel cash and data on guests.

Scammers reportedly sent out emails and texts warning that Booking.com had been hacked. The emails directed recipients to change their password by clicking on a link, which actually exposed all information that customers with hotel reservations had submitted through the site.

“...in this case, there has been no compromise on Booking.com systems,” a Booking.com spokesman told the Daily Mail. “This property has been targeted by phishing emails sent by cyber criminals and by clicking on those emails, the property compromised its account.”

Nevertheless, Booking.com promised to compensate affected customers and hotels.

Cryptocurrency

The cybersecurity firm Carbon Black has a new report detailing the full scope of cryptocurrency hacks that have become regular news stories.

According to the company’s new research, cybercriminals stole a total of $1.1 billion in cryptocurrency over the past six months. Their method of choice is the “dark web,” or sections of the internet that are untraceable and only accessible via special software and above-average tech skills.

In an interview with CNBC, a Carbon Black strategist warns that it is “surprisingly easy” for hackers to steal cryptocurrency.

Cambridge Analytica CEO accused of embezzling $8 million

The former CEO reportedly withdrew the money from the firm shortly after reports of the Facebook data breach began circulating

Alexander Nix, the former CEO of Cambridge Analytica, allegedly embezzled $8 million from the company before it shut down and filed for bankruptcy last month.

Nix is accused of stealing the money after British journalists began reporting on the company’s involvement in the Facebook data sharing scandal, but before the company collapsed, according to the Financial Times.

Investors who want to rebrand and relaunch the political ad consulting firm are currently trying to get the money back, and Nix has said he intends to repay part of the money.

Sources say the money was supposedly intended to help get a potential successor data firm, Emerdata, off the ground, with one person adding that Nix said the withdrawal was made in exchange for “unbooked services.”

Nix appeared before British lawmakers for a second time on Wednesday to testify about his role in the data sharing scandal that exposed the information of millions of Facebook users without their consent. At the session, Nix denied that he had withdrawn the money.

"The allegation made in that article is false, the facts in that article are not correct," he said.

The amazing, ever-changing story of the Equifax hack

From back-pedaling to clarifying to updating, the official story of the Equifax hack has a way of never staying the same

There's no delicate way to announce that cybercriminals have stolen sensitive information about half of the United States population, but Equifax at least deserves points for trying.

Equifax, one of the “big three” agencies that control the shadowy credit reporting industry, first announced its discovery of an unfortunate “cyber security incident” in early September.

The incident potentially impacted 143 million consumers, then-chairman and CEO Richard Smith said, adding that the firm “acted immediately to stop the intrusion.” An Equifax-led investigation into the matter would be complete in several weeks, the company said.

That turned out to be an extremely optimistic assessment. Another eight months passed until, finally, in a May 8 filing to the SEC, Equifax quietly said its investigation into the breach was complete, at least where the hack of government-issued identification is concerned.

“Through the company’s analysis, Equifax believes it has satisfied applicable requirements to notify consumers and regulators,” the credit reporting behemoth wrote in the filings. “It does not anticipate identifying further impacted consumers.”

The filing, Equifax seems to hope, will finally bring this dark chapter in its history to a close. Over those previous eight months, the Equifax breach evolved from a “clearly disappointing event” that Equifax said would soon be resolved to an ongoing international scandal and criminal case.

From a small sale to insider trading

Though Equifax said it “acted immediately” upon discovering that consumer information was accessed on July 29 of last year, some people questioned why the official announcement about the incident did not arrive until September 7.

It didn’t take much digging for financial journalists to find a potential answer. Later that day, Bloomberg News was reporting on its discovery that three Equifax executives sold $1.8 million worth of their shares in the company on August 1, one day after Equifax had said the breach was discovered.

John Gamble, the company’s Chief Financial Officer, sold a reported $946,374 worth of stock. Joseph Loughran, the president of U.S. information solutions, and Rodolfo Ploder, president of workforce solutions, sold roughly half a million and a quarter million dollars’ worth of options, respectively.

In a statement to Bloomberg, an Equifax spokesperson initially described the $1.8 million sale as “a small percentage of their Equifax shares” and added that the executives “had no knowledge that an intrusion had occurred at the time.”

By November, Equifax had backtracked slightly, saying that it had agreed to launch an investigation into the sale. Luckily for the executives, the Equifax-led investigation found that the suspicious-looking stock dumping was perfectly legal.

But by March, a former Equifax executive was facing federal insider trading charges -- only this executive was a different one from the three that were cleared in the company investigation.

Jun Ying, a former information officer, "used confidential information to conclude that his company had suffered a massive data breach” and “dumped his stock before the news went public,” federal prosecutors said.

It remains unclear why Ying knew about the breach while other executives did not. Equifax says it is cooperating with authorities, explaining to the press in March that "we take corporate governance and compliance very seriously, and will not tolerate violations of our policies.”

John Gamble, the Chief Financial Officer who sold nearly $1 million worth of his stock on August 1, remains at the company and is “responsible for all financial functions” at Equifax, according to his Equifax bio.

Monitoring credit and giving away rights

One potential way to keep people from panicking or getting angry about their data being stolen is to frame the unpleasant announcement as a chance to get something for free.

“Company to Offer Free Identity Theft Protection and Credit File Monitoring to All U.S. Consumers,” the first Equifax press release revealing the breach said in big, bold letters.

Shortly after, Equifax had its new credit monitoring website live and ready to go.

At the unfortunately titled page equifaxsecurity2017.com, users were instructed to enter the last four digits of their social security numbers and their last names. From there, they could find out if they were impacted by the breach and enroll in credit monitoring.

But some consumers reported being told that their data was impacted, regardless of whether they put in a correct name and matching social security number. And after reading through the terms and conditions, advocacy groups warned that consumers may be walking into a trap. By agreeing to the terms on the website, consumers were agreeing to waive their rights to sue the company, according to a vague arbitration clause included in the fine print.

The National Consumer Law Center was among the advocacy groups warning consumers that the open-ended language in the clause would prevent consumers from taking Equifax to court.

“Consumers and media have raised legitimate concerns about the services we offered and the operations of our call center and website,” CEO Rick Smith responded in an editorial in USA Today. “We accept the criticism and are working to address a range of issues.”

Former New York Attorney General Eric Schneiderman, Sen. Elizabeth Warren, and other prominent Democratic lawmakers pressed Equifax about the arbitration clause. Equifax subsequently agreed to reword the agreement, explaining in the new fine print that the arbitration measure only applied to the credit monitoring service itself, not “the cyber security incident” in question.

Meanwhile, as that controversy played out, the official Equifax Twitter account continued to urge consumers to visit their security page and sign up for free credit monitoring. It took several weeks for people to notice that Equifax had been sending people to the wrong page.

Instead of sending consumers to equifaxsecurity2017.com, the Equifax Twitter account instead directed consumers to securityequifax2017.com, a fake phishing site that someone had created for the express purpose of ridiculing Equifax for creating “an easily impersonated domain.”

Equifax eventually apologized for the confusion, admitted that it had shared the wrong link, and removed the offending posts.

Credit locking, and more of the same

Several months later, in February 2018, Equifax rolled out Lock & Alert, a service offering a credit “lock,” marketed as a step below a credit freeze. While locks are not as secure as credit freezes, they are also cheaper and easier to implement.

In fact, Equifax said that its lock service was completely free. And, responding to the previous criticism about arbitration agreements, Equifax explicitly said that consumers who signed up for Lock & Alert were not agreeing to any arbitration provision.

“The consumer-empowerment approach that is offered through Lock & Alert is what people have come to expect,” Equifax said in promotional materials.

Not long after, consumers discovered that the experience of locking one’s credit might not be as empowering as they were led to believe.

It turned out that consumers who signed up for the service were unknowingly agreeing to let Equifax use their information for marketing purposes, according to advocacy group US PIRG, which reviewed the site’s fine print. And a reporter at NBC News found that the service didn’t work; an error message repeatedly appeared on the screen saying that “we are experiencing technical issues.”

“I think it's fair to say as with any service we did have some initial operational issues shortly after the launch,” Equifax spokeswoman Nancy Bistritz-Balkan told NBC News. “But our team has been working around the clock to document the issues and address it appropriately.”

Equifax goes abroad

Equifax focused its breach investigation on United States consumers, giving only a brief mention to impacted people in Canada and the UK. “Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents,” is all the firm had to say about the matter in September.

When people questioned what “limited personal information” for “certain UK and Canadian residents” actually meant, Equifax clarified that 400,000 people in the UK and 100,000 Canadians were affected.

That might sound like a figure a little too significant to describe as “limited,” but Equifax said that the breach was related to something else, an apparent “process failure,” as the company called it, that occurred a year earlier.

“This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016,” Equifax told the British press.

Several weeks later, Equifax revised the number yet again. The company announced that 700,000 UK residents would receive notices about their data being hacked.

An additional 14 million records in the UK were also stolen, Equifax clarified, but the cases were not considered serious enough to warrant direct notifications to those consumers.

An Equifax spokesman later offered the BBC this explanation of the many discrepancies in the figures for British Equifax victims: "This information does not change the number of consumers affected or any of the UK figures/statements already provided.”

More people exposed

In March, Equifax said that an additional 2.4 million consumers in the United States had their information hacked, bringing Equifax’s original tally of 143 million Americans closer to 145.5 million. Though the announcement seemed like new information, Equifax insisted that it was not.

“This is not about newly discovered stolen data,” interim CEO Paulino do Rego Barros Jr. said. In what has become a familiar talking point, he said a new analysis of the stolen data had simply provided Equifax more clarity.

“It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals,” Barros explained.

Exposed phone numbers and passports

In February, Equifax submitted a document to the Senate Banking Committee saying that hackers also accessed phone numbers, email addresses, and the expiration dates for credit cards. That appeared to be worse than the “birth dates, addresses, and, in some instances, driver’s license numbers” and “credit card numbers” that Equifax had told the public were stolen.

An Equifax spokesperson explained to the Wall Street Journal that "in no way did we intend to mislead consumers." Rather, she said that the list given to Congress only reflected a “minimal portion” of consumers affected.

Based on the statements from Equifax, the public seemed to have the impression that their passport data at least was safe.

“And some data — like passport numbers — were not stolen,” the Associated Press confidently reported in February.

However, Sen. Elizabeth Warren published an independent report not long after claiming that passport information was, in fact, stolen. Equifax said that the senator’s characterization of what was stolen was not accurate.

“The easiest way to understand this is that there was a field labeled passports [that was hacked] with no actual data in it,” an Equifax spokeswoman told the New York Post in February.

But in an SEC filing in early May, Equifax indicated that scanned images of passports were stolen from thousands of consumers who had used the agency’s dispute portal.

In a statement, Equifax said it hadn’t been trying to hide that information. The passport information that it said wasn’t hacked came from a different data set than the stolen passport data it had discovered more recently.

“Our response earlier this year regarding passports was related to the data elements contained in the database tables accessed by the attackers,” an Equifax spokeswoman told ConsumerAffairs in a statement.

“In response to a request from Congress to provide quantities of each data element impacted, in the interest of completeness, we manually reviewed the images stolen from the dispute portal in order to include the numbers of government-issued identifications contained within those images,” she added.

No unauthorized activity on core services

Throughout its repeated “updates” and disclosures about what was hacked, Equifax has maintained that it found “no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”

What that statement actually means is up for debate. Senators and consumer groups have complained that the definition of “core consumer or commercial credit reporting databases” is overly broad.

From a consumer standpoint, identity theft crimes possibly related to the hack already seem to be taking place, affecting “core” business at least where victims are concerned.

Earlier this year, an accountant and several consumers went public with stories about identity thieves collecting government benefits on their behalf. Experts said the crimes could have been made possible thanks to the Equifax hack, as well as vulnerabilities on the Social Security website itself.

“While I’m not entirely sure how the thief obtained my personal information, it’s likely that the Equifax data breach...contributed to the identity theft,” accountant Jim Shambo, one such identity theft victim, wrote in a blog post.

Luckily for Equifax, such scenarios could turn out to be beneficial for the credit reporting agency. Or, as Equifax CEO Rick Smith told a conference in August: “Fraud is a huge opportunity for us. It is a massive growing business for us.”

Equifax has not yet returned an inquiry from ConsumerAffairs asking, among other questions, whether there is any truth to the allegations leveled by Warren and others that it has profited off its own breach.

But, in the grand tradition of Equifax disclosures, Smith also appears to have changed his story and updated his perspective on the matter. A month after saying fraud was a “huge opportunity” for Equifax, the CEO published an editorial in USA Today clarifying that the Equifax hack had been “humbling” and bad for the company.

“We are devoting extraordinary resources to make sure this kind of incident doesn’t happen again,” Smith wrote. “We will make changes and continue to strengthen our defenses against cyber crimes.”

Two weeks after making that promise, Smith suddenly decided to retire. He left with a compensation package worth $90 million.


The Weekly Hack: Nihilist Arby’s account falls victim to teenage hacker demanding $130

In a week of poetic hacks, Nihilist Arby’s portfolio went dark and a phone-tracking service for cops had its servers broken into

Nothing matters and Arby’s wants your money, according to the regular, depressing message delivered by the parody Twitter account Nihilist Arby’s. Or, in the Nihilist account’s own words: “Do drugs. Punch a stranger. Make love to your cousin. Enjoy Arby's. Arby's doesn't judge. Arby's doesn't care.”

Punk bassist and humor writer Brendan Kelly amassed 345,000 followers with his weekly Tweets parodying Arby’s and life itself. But for a page that regularly reminds fans that they will one day die and nothing is permanent, it’s somewhat poetic that every single Tweet on the Nihilist Arby’s account was recently deleted by a teenager trying to extort Kelly for a grand total of $130.

Kelly told PR Week on Thursday that he could no longer access his account after hackers logged on and changed his password. He later learned that his account information had been sold on a message board.

With his entire portfolio offline, Kelly got some unexpected help from the real Arby’s.

The fast-food chain, which has 827,000 followers on Twitter, offered to contact a Twitter representative to help Kelly get his account back, explaining in an interview with PR Week that people had mistakenly assumed Arby’s was behind the attack.

"We never want to be a brand that comes in and sends a cease and desist and tears it down because it has such a big fan base,” an Arby’s spokesman said. Twitter reportedly went to work on the case, and the Nihilist Arby’s page now appears to be restored, with the satirical Tweets back online.

“Did I die? Whatever. it was pretty much the same, honestly,” Nihilist Arby's told fans yesterday.

It’s not the first time that Nihilist Arby’s has received help from the non-Nihilist one. The chain several years ago surprised Kelly with a delivery of free sandwiches and a therapy puppy.

Grades and lunch money

Speaking of teenage hackers, high school students in Michigan were caught hacking the school district's computer system in an attempt to change their grades and give themselves more lunch money.

In a message to parents, the school district said that its investigation into the matter was still ongoing and that it would be working with forensic data experts to understand the full extent of the hack.

“Though we encourage our students to take responsible action, sometimes they make choices that do not reflect our guiding principles,” a message reads on the school’s website.

Law enforcement’s phone-tracking company of choice

Those who have served time, or have a loved one currently serving time, have probably heard of Securus Technologies, one of the few companies that controls phone communications and sometimes even in-person visitations between inmates and the outside world.

What Securus does with all that phone data has remained somewhat unclear until recently. It turns out that the company also offers law enforcement a service that allows them to surreptitiously track the location of nearly every cell phone in the country, according to data recently uncovered by the New York Times.

As Securus now faces a potential Senate investigation for helping police spy on phone locations without a court order, an independent hacker took it upon himself to show just how unstable Securus’ own cybersecurity is.

The site Motherboard is reporting that a hacker showed them stolen data -- such as usernames, passwords, and internal company files -- that they obtained by breaking into the Securus servers.

BMWs

Security researchers recently found flaws in the software of BMWs that could allow hackers to remotely gain access to the automaker’s luxury vehicles.

The findings by the Keen Research Group come at a time when consumer groups and safety researchers have expressed concerns about the security of the software that powers cars, both self-driving vehicles and normal ones. Experts and the industry itself have repeatedly described modern cars as “computers on wheels,” with Blackberry estimating that more than 100 million lines of code power the average sedan.

Researchers at the Keen Research Group studied BMWs, they wrote in their report, because its vehicles are now often “equipped with the new generation of ‘Internet-Connected’ Infotainment systems.”

“While these components have significantly improved the convenience and performance of customers’ experience, they have also introduced the opportunity for new attacks,” the researchers explain.

After the researchers published their technical report describing over a dozen vulnerabilities related to the technology, BMW announced it would fix the problem with a software “patch” that was also developed by the Keen Research Group. Consumers are invited to visit the dealership so they can receive the software upgrade.

Rather than try to hide the findings, BMW announced that it is honoring the Keen Research Group for their work and plans more partnerships in the future.

"In response to what has become a race between technological progress and new, presently unknown attack scenarios, the BMW Group has launched a comprehensive cybersecurity action plan, which includes tests conducted both internally by the BMW Group and with the help of independent institutions," the company said.


The Weekly Hack: Attackers steal $15 million from Mexico’s central bank

Chili’s customers who dined at the restaurant are advised to check their credit card statements

An unknown group of hackers stole the equivalent of $15.3 million from Mexico’s central bank, the Bank of Mexico, the institution admitted on Wednesday.

The bank assured reporters that no individual accounts were harmed, but the hack raises further questions about the online security of financial institutions worldwide. The hackers had targeted interbank payment systems, or online transfer systems that allow banks to transfer money to each other in real time.

Meanwhile, people who use Citibanamex, the country’s second largest bank, were unable to withdraw cash from ATMs or conduct transfers this week, but the bank denied that its systems were compromised.

The Bank of Mexico, meanwhile, said that it switched to a slower, more secure online system after the hack to avoid any more breaches.

Chili’s

Brinker International, the restaurant conglomerate that owns Chili's Grill & Bar, says that any customers who dined at the restaurant in March or April may have had their credit card data accessed in a hack.

Brinker says that credit card or debit card numbers, as well as cardholder names, were stolen in an attack currently under investigation. The restaurant cautions against canceling cards unless users notice suspicious activity, but in the meantime, it is offering free credit monitoring to all affected consumers.

Signal

Tech experts have recommended that people who are concerned about their cybersecurity or who need to conduct sensitive conversations over the phone should use the messaging app Signal.

The messaging app boasts fully encrypted messaging, which keeps message contents from being read even by seasoned hackers or government officials. But even Signal isn’t perfect.

Security researchers this week identified a potential vulnerability in the app, in which they said that a malicious attacker could send an unprompted message to a stranger.

Researchers reported the vulnerability to Signal’s developers, who promptly created a patch to fix the problem.


Facebook suspends 200 apps from its platform

The company says its privacy investigation of thousands of apps is ongoing

Facebook has suspended 200 apps from its platform amid an investigation into companies that had access to large amounts of data on Facebook users.

Company CEO Mark Zuckerberg announced in late March that Facebook would restrict the amount of data apps have access to while investigating how these apps used the data before the restrictions were enacted.

Zuckerberg acted in response to the revelation that an app had sold vast amounts of user data to Cambridge Analytica, a political marketing firm. The data was used to target ads in support of Donald Trump's presidential campaign and the campaign in support of Britain leaving the European Union.

Ime Archibong, vice president of Product Partnerships at Facebook, says “thousands” of apps have been investigated so far, with 200 suspended from the Facebook platform. In a blog posting, Archibong says the suspensions do not mean the apps misused data, only that there are grounds for a further audit.

“Where we find evidence that these or other apps did misuse data, we will ban them and notify people via this website,” Archibong writes. “It will show people if they or their friends installed an app that misused data before 2015 — just as we did for Cambridge Analytica.”

Rocked to its core

The Cambridge Analytica scandal rocked Facebook to its core, resulting in Zuckerberg making numerous apologies and testifying before House and Senate committees. It also focused attention on major technology companies and what they do with users' data.

Facebook stressed that the app developer who sold data to Cambridge Analytica did not have the right to do so, adding that the move was in violation of Facebook's terms of service agreement. But the social network giant came under criticism for a nearly two-year delay in disclosing to users what had happened.

Facebook users who took part in the app developer's quiz, entitled “This is Your Digital Life,” gave the app developer access to their Facebook data, and the data belonging to their Facebook friends, most of whom were unaware of that fact.

Earlier this month Zuckerberg appeared at a developers conference and reaffirmed his company's commitment to privacy. Among the changes Zuckerberg announced was a new tool that allows users to delete any personal information about them that Facebook has collected.


Chili's data breach exposes customer credit card information

The Tex-Mex chain is still unsure how many customers have been affected by the breach

On Saturday, Chili’s parent company Brinker International announced that its payment systems had been infected with malware, potentially exposing customers’ credit and debit card information.

The company confirmed that personal data such as social security numbers, birthdates, or federal or state identification numbers are still secure, as Chili’s doesn’t request that information from their customers. However, credit or debit card numbers and cardholder names are at risk, though the incident was limited to only some restaurants.

In a company news release, Brinker said it believes the timeline of the breach was limited to March-April 2018, but the company is continuing to investigate the scope of the issue.

“We are working diligently to address this issue and our priority will continue to be doing what is right for our Guests,” Brinker said in the release. “We are committed to sharing additional information on this ongoing investigation with our Guests to learn more.”

What this means for Chili’s

News of the data breach adds Chili’s to a long list of retailers that have been impacted by similar issues just this year, including Sears, Whole Foods, Under Armour, and Kmart. The news is particularly bad for Chili’s because the chain has been suffering from a rather significant sales decrease for nearly a decade.

Additionally, data breaches like this one often result in customers losing trust in brands. A recent KPMG study found that 19 percent of consumers would no longer shop at a retailer that has experienced a breach, while 33 percent would take a long break.

One positive in these circumstances is Brinker’s near immediate response to the situation. The company’s response came just one day after the breach was discovered, which differs greatly from how Facebook’s recent data breach wasn’t made public until it was discovered by reporters.

What this means for consumers

Following the breach, Brinker said it will be working with third-party forensic experts to determine its severity and potential impact. The company stated that it would provide fraud resolution and credit monitoring services for guests, and it will continue to update its website as more information is made available.

Company officials reiterated that the breach only impacted customers at certain Chili’s locations between March and April and that it was safe for consumers to use debit and credit cards at store locations going forward.

Consumers who used their cards at Chili’s locations during that time period are urged to closely monitor their accounts for any suspicious activity. In its statement, Brinker recommended that customers contact a credit reporting agency and their bank or credit provider to enable additional protections.

“We sincerely apologize to those who may have been affected and assure you we are working diligently to resolve this issue,” the company said in a news release.


The Weekly Hack: 4Chan trolls spewing racism try to steal votes in high school science competition

Three black teenagers reached the finals of a NASA competition. Internet hackers decided to go after them

For this year’s annual high school science competition sponsored by NASA, many people paid attention to one invention in particular: a water filter designed to bring cleaner drinking water to public schools.

Public health researchers have for years warned that the water from fountains in public schools is contaminated with lead, bromide, and other chemicals corroding from old pipes.

Mikayla Sharrieff, India Skinner, and Bria Snell, all in the 11th grade at Benjamin Banneker Academic High School in Washington, D.C., had engineered a filter designed to detect contaminants in public school water fountains.

The girls had reached the finals of the NASA competition last month. They were the only black, female group of high school scientists to make the final rounds this year. Winners were to be decided by online voting.

This apparently caught the attention of 4chan, an online message board that experts warn has attracted increasingly hateful and racist users in recent years. A recent attack in Toronto was linked to a 4chan message board.

NASA said in a statement that it was ending voting early to prevent people from hacking the vote, showing how even NASA is apparently not immune to online trolls.

“Some members of the public used social media,” NASA said in a statement, “to attack a particular student team based on their race and encouraged others to disrupt the contest and manipulate the vote.”

NASA claimed that it closed the competition before the votes were compromised. The winners will be announced later this month.

But reporters found some evidence suggesting that a voting hack could have already taken place. An analysis by CNN found several threads on 4chan boards in which users directed each other to an anonymous privacy software to help “hack the voting system” and send votes to a group of boy high school scientists in the competition.

“...users posted racist insults and urged members to spread the campaign to other 4chan boards,” CNN reported.

Credit card chips

Those frustratingly slow readers for credit cards equipped with chips were supposed to be a small price to pay in exchange for safer credit cards. That is, until hackers figured out how to hack the chip readers.

The Better Business Bureau says that scammers are inserting thin microchips into the chip reader slot, allowing them to steal credit card information.

Other than catching someone in the act of putting a microchip into the credit card machine, a job that would likely fall on the cashier, there is no easy way to detect that the machines have been hacked.

“If you insert the card and it’s very tight, that could be a sign,” a Better Business Bureau spokesman told a Fox affiliate, “so make sure that you report it to the merchant.”

Small businesses

Major corporations that do not encrypt their data have proven to be vulnerable to hackers again and again. But it turns out that smaller businesses, with fewer resources to protect themselves from a hack, may also be a popular and easier target. Small local businesses in New Jersey make just as ripe targets as big business, the New Jersey Business Journal recently reported.

Sure enough, hacks targeting local businesses have been reported across the world this week. A salon in the United Kingdom said Friday that it was targeted with ransomware, or a type of malware that shuts down a computer system until owners hand over money.

In this case, information about all of the salon’s appointments had been deleted. In their place was a message demanding 30,000 pounds and a warning that more records would be deleted if the salon did not comply. The salon was warned by an IT support worker not to hand over the money.

The city of Atlanta was targeted with a similar type of ransomware attack earlier this year, and lawmakers in the state of Georgia are now mulling over a bill to make “unauthorized computer access” a crime in the state.

But a group of so-called ethical hackers, who say they hack for moral and ethical reasons, say that the law would only serve to criminalize their work. To protest the bill, the hackers targeted local restaurants and a church, changing their websites to add clips of pop songs.

The hackers have threatened to retaliate further if the law passes, a local newspaper reported.


Equifax filings now admit passport information was stolen

Hackers made off with information on thousands of passports as part of the massive 2017 breach

Earlier this year, Senator Elizabeth Warren published a report charging that the Equifax hack was worse than the company initially disclosed, in part because hackers had accessed consumer passport information.

“Equifax failed to disclose the fact that the hackers gained access to consumers’ passport numbers,” says the report published by Warren’s office in February.

A passport breach poses obvious identity theft concerns, but it is also a national security risk. Security experts have previously identified passport theft as a terrorism threat.

At the time, Equifax denied that any passport data was stolen. Instead, the company claimed that hackers were unsuccessful in their attempt to hack passport data.

“The easiest way to understand this is that there was a field labeled passports [that was hacked] with no actual data in it,” Meredith Griffanti, an Equifax spokeswoman, told the New York Post in February.

But Equifax is now saying that passport data was stolen from several thousand consumers. The company made the admission in filings it submitted to the Securities and Exchange Commission (SEC) in response to an ongoing congressional investigation.

Hackers steal information on thousands of passports

The passport breach affected consumers who were trying to challenge information on their credit reports, according to the SEC filings. Equifax directed such consumers to submit complaints to an online dispute portal. The customers were then required by Equifax to submit scans of their ID cards to verify their identity in some cases -- information that was subsequently accessed in the 2017 hack.

Equifax says in the recent SEC filings that hackers accessed information uploaded to that dispute resolution center and made off with scans of 3,200 passports or passport cards. “As part of the dispute process, some consumers may have uploaded government-issued identifications through the portal,” Equifax explains in the SEC filing.

Though this particular aspect of the 2017 hack had not previously been disclosed to the public, Equifax says that it has already notified each affected customer individually. The company claims it had no legal duty to disclose the passport information being stolen to the rest of the general public.

“Because the company directly notified each impacted consumer, the company had not previously analyzed the government-issued identifications contained in the images uploaded in the dispute portal,” the filing says, adding that the “government-issued identifications that were uploaded by consumers to Equifax’s online dispute portal” were “stolen by the attackers.”

Stolen information and harder repercussions

Hackers also managed to steal scans of 38,000 driver’s licenses, 12,000 social security cards, and 3,000 forms of other ID from the same online portal.

Asked about why Equifax appeared to be giving inconsistent answers about whether passport data had been stolen, the company responded that it had been discussing a different aspect of the hack in the earlier answers it gave this year.

“Our response earlier this year regarding passports was related to the data elements contained in the database tables accessed by the attackers,” spokeswoman Meredith Griffanti tells ConsumerAffairs via email. “The analysis conducted on the data elements stolen from those tables found that there were no passport numbers within the passport field accessed by the attacker.”

Warren’s office is continuing to push for harsher repercussions for Equifax. Last month, she and two other lawmakers found that consumers had filed more than 20,000 complaints to Consumer Financial Protection Bureau (CFPB) following the cyber attack.


Twitter users urged to change their passwords

The company says a glitch caused user passwords to be stored in unmasked form

Twitter is urging its 330 million users to change their passwords right away after it accidentally “unmasked” user passwords by storing them in an unencrypted format in an internal log file.

The company says it has since resolved the mistake and that an internal investigation revealed no indication that passwords were stolen or misused. However, users are still being urged to change their password as a precaution.

"We recently found a bug that stored passwords unmasked in an internal log," stated a tweet from the official Twitter Support account. "We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password."

Issue in the hashing process

The platform explained in a blog post that Twitter “hashes” passwords using the Bcrypt hashing algorithm, but the glitch caused passwords to be written on an internal computer log before the scrambling process was completed.

"We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” Twitter said.

Users are advised to change their passwords on Twitter and anywhere else they use their Twitter passwords, including third-party apps like TweetDeck or Tweeterrific. The replacement password should be strong and unique. The company also recommends enabling two factor authentication and using a password manager.

Twitter didn’t say how many user passwords may have been exposed or how long the bug lasted. However, a person familiar with the company’s response told Reuters the number was “substantial” and that passwords were exposed for “several months."
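As an added illustration of the bug described above (constructed example, not Twitter's code), here is a password-change handler that writes the raw request to an internal log before hashing, beside a fixed version that hashes first and logs only a redacted view, plus a logging filter that scrubs credential fields from any message regardless of which code path produced it. The page says Twitter uses bcrypt; since bcrypt is a third-party package, the hashing stand-in here is the standard library's PBKDF2-HMAC-SHA256 (an assumption, not a claim about Twitter's implementation).

```python
"""Constructed example of a log-before-hash credential leak and two defences."""
import hashlib
import hmac
import io
import logging
import os
import re
from typing import Optional, Tuple

# Form fields that must never reach a log in clear text (constructed list).
SENSITIVE_KEYS = {"password", "passwd", "new_password", "password_confirm"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def redact(form: dict) -> dict:
    """Copy of the request with credential fields masked; safe to log."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v) for k, v in form.items()}


class CredentialRedactingFilter(logging.Filter):
    """Last line of defence on the handler itself: scrub anything that still looks
    like password=<value> (dict repr, JSON, or query-string style) in the formatted
    message, so a future code path that forgets redact() cannot leak either."""
    PATTERN = re.compile(
        r"(?i)\b(new_password|password_confirm|password|passwd)"
        r"(['\"]?\s*[:=]\s*)"
        r"(?:'[^']*'|\"[^\"]*\"|[^,\s}&]+)"
    )

    def filter(self, record: logging.LogRecord) -> bool:
        scrubbed = self.PATTERN.sub(r"\1\2[REDACTED]", record.getMessage())
        record.msg, record.args = scrubbed, ()
        return True


def make_logger(name: str, with_filter: bool) -> Tuple[logging.Logger, io.StringIO]:
    """Logger writing to an in-memory buffer so the 'internal log' can be inspected."""
    buf = io.StringIO()
    log = logging.getLogger(name)
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    if with_filter:
        handler.addFilter(CredentialRedactingFilter())
    log.addHandler(handler)
    return log, buf


def vulnerable_set_password(form: dict, log: logging.Logger) -> str:
    # The bug: the raw request is logged before hashing, so the clear-text
    # password lands in the internal log.
    log.debug("password change request: %s", form)
    return hash_password(form["password"])


def fixed_set_password(form: dict, log: logging.Logger) -> str:
    # Hash first, and log only a redacted view of the request.
    hashed = hash_password(form["password"])
    log.debug("password change request: %s", redact(form))
    return hashed


def run(handler, with_filter: bool) -> Tuple[str, str]:
    """Run a handler on a constructed request; return (stored hash, log contents)."""
    form = {"user": "alice", "password": "correct horse battery staple"}  # constructed
    log, buf = make_logger(f"demo.{handler.__name__}.{with_filter}", with_filter)
    stored = handler(form, log)
    return stored, buf.getvalue()


if __name__ == "__main__":
    for h in (vulnerable_set_password, fixed_set_password):
        for f in (False, True):
            _, text = run(h, f)
            print(f"{h.__name__:24} filter={f!s:5} log={text.strip()}")
```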


Cambridge Analytica files for bankruptcy

The company said it lost virtually all of its customers and suppliers as a result of the Facebook data-mining controversy

Cambridge Analytica, the political consulting firm embroiled in the Facebook privacy scandal, announced on Wednesday that it is ceasing operations and filing for bankruptcy.

The decision comes two months after the London-based company -- which was originally hired by President Trump’s election campaign -- was accused of improperly harvesting data from up to 87 million Facebook users through a personality quiz. It was later revealed that the data was used for targeted political advertising.

In a statement posted to its website, Cambridge Analytica blamed negative media coverage for the data scandal. It said it lost virtually all of its customers and suppliers as a result of the controversy and was forced to file for bankruptcy in both the U.S. and in the U.K.

Severely damaged reputation

A former Cambridge Analytica employee revealed that Julian Wheatland, the company’s chief executive, said the damage to the company’s reputation was too severe to continue operating and it was “futile” to try to rebrand the company’s offerings.

“Despite Cambridge Analytica’s unwavering confidence that its employees have acted ethically and lawfully, which view is now fully supported by [a third-party audit], the siege of media coverage has driven away virtually all of the Company’s customers and suppliers,” the company said in a press release.

“As a result, it has been determined that it is no longer viable to continue operating the business, which left Cambridge Analytica with no realistic alternative to placing the Company into administration.”

The firm maintains that its business practices are common to other online advertisers and that Cambridge Analytica has been “vilified for activities that are not only legal, but also widely accepted as a standard component of online advertising in both the political and commercial arenas.”


Facebook reaffirms its commitment to privacy

The company also announced a slew of new features and add-ons at its annual developer conference

At its annual developer conference -- dubbed F8 -- Facebook chief Mark Zuckerberg heralded changes to the social media platform.

The most important change involved giving its users the power to delete any personal information Facebook has collected. Also announced were a new dating tool, a virtual reality (VR) headset, and video chats for its Instagram app.

In his best business-like tone, Zuckerberg reaffirmed Facebook’s commitment to rebuilding the trust of its 2+ billion users. At the top of that list are personal privacy and building community.

"We are all here because we are optimistic about the future," said Zuckerberg. "We have real challenges to address but we have to keep that sense of optimism too. What I learned this year is we have to take a broader view of our responsibility."

Clear History

Facebook’s Chief Privacy Officer Erin Egan doubled down on Zuckerberg’s pledge in announcing the company’s plans for a feature called Clear History.

“This feature will enable you to see the websites and apps that send us information when you use them, delete this information from your account, and turn off our ability to store it associated with your account going forward,” Egan said.

When a user clears out their history via the new setting, Facebook will delete any and all information that identifies who the user is. However, the company isn’t giving up its dependency on user data or taking away its ability to collect and repurpose demographic information for advertisers. It’s simply taking out all the dots that might connect the identity of the user.

Showing its good side

Facebook is holding true to the promise for privacy Zuckerberg made to Congress, but it also added a couple of other features to Facebook’s new collection of manners.

One of those is Crisis Response, a centralized section of Facebook where people can get real-time updates about recent crises as well as connect with people on ways to help or donate.

Another show of compassion is a blood donation feature for people in India, Bangladesh, and Pakistan where they can register as blood donors. The goal for Blood Donations on Facebook is to make it easier for people who want to donate to find opportunities nearby. People in those countries will be able to view nearby blood donation camps, requests for blood donations, and blood banks from a single place on Facebook.

What else is in store?

Goodness and mercy weren’t the only things in play at the conference. There were also some tidbits for the Facebook faithful and lures for the geeks.

New bells and whistles include:

  • A Groups tab designed to help users more easily connect to their existing groups and interact with content from all their groups.

  • A Video Chat add-on in Instagram. This new Skype-like wrinkle gives people a way to video chat in real-time, even when they all can’t be in the same place.

  • Oculus Go -- a virtual reality headset that gives gamers and curious techies the full-on spatial VR experience. The price point for Oculus Go starts at $199 for the 32 GB version.

  • Facebook Dating. While bringing a private information-oriented add-on might seem a little risky given the company’s recent scolding, Facebook says it’s actually been working on the idea for a dating feature for years.

“People already use Facebook to meet new people, and we want to make that experience better,” said Zuckerberg. “People will be able to create a dating profile that is separate from their Facebook profile — and potential matches will be recommended based on dating preferences, things in common, and mutual friends. They’ll have the option to discover others with similar interests through their Groups or Events.”

Facebook’s safety net for the dating feature is that whatever people do within that section is sacred territory and will not be shown to their friends.


The Weekly Hack: Thieves steal Ether coins and phone numbers

If it connects to the internet, it’s vulnerable to hacks. Cryptocurrency traders are learning this again and again.

Tens of thousands of dollars worth of cryptocurrency have been stolen by hackers, once again raising concerns about the security of blockchain technology.

MyEtherWallet.com is a free site that allows consumers to trade Ethereum, or Ether, a cryptocurrency currently valued in the ballpark of $650. The site warns all visitors that it doesn't consider itself responsible should hackers access users’ Ether accounts.

“We cannot recover your funds or freeze your account if you visit a phishing site or lose your private key,” a notice on the site says. “You and only you are responsible for your security.”

That’s bad news for MyEtherWallet users who recently fell victim to a DNS hijacking scam. Hackers apparently redirected people who visited MyEtherWallet.com to a fake look-alike site. When users logged into the spoof site, the hackers were able to access their passwords and subsequently empty their accounts.

In all, the hackers reportedly made off with 215 Ether -- or the equivalent of $160,000.

According to a statement that MyEtherWallet published on Reddit, the hack was no fault of their own. Instead, the site blames vulnerabilities in Google’s DNS servers for the theft.

“This redirecting of DNS servers is a decade-old hacking technique that aims to undermine the Internet’s routing system,” MyEtherWallet said. “It can happen to any organization, including large banks. This is not due to a lack of security on the @myetherwallet platform. It is due to hackers finding vulnerabilities in public facing DNS servers.”

It’s unclear if affected traders will get their funds back. MyEtherWallet adds in its statement that “we are currently in the process of verifying which servers were targeted to help resolve this issue as soon possible.”

Uber’s Dubai competitor

Careem, a Dubai-based ride-hailing app that is Uber’s largest competitor in the Middle East, admitted that it discovered a security breach that exposed consumer data back in January.

The company did not disclose the breach until Monday because “Cybercrime investigations are immensely complicated and take time.”

“We wanted to make sure we had the most accurate information before notifying people,” a statement published by Careem added. Now that the breach has been disclosed, Careem is advising users to change their passwords and to monitor their bank accounts for any suspicious activity.

Phone numbers

Law enforcement in Colorado are asking for the public's help in finding suspects accused of taking part in a popular and relatively easy phone hijacking scam.

Using online services that identify the carrier of any phone number, identity thieves took that information to a mobile phone store, where they impersonated the carrier’s customer to get a new phone without paying for it. Instead, the cost of the phone showed up as an unpleasant surprise on the consumer’s monthly bill.

According to the Federal Trade Commission, reports of this crime have doubled since 2013, with 2,658 complaints submitted in 2016.

Yahoo rises from the grave

The company Yahoo may be no more after getting sold to Verizon in 2016, but it still owes the government some money -- $35 million to be exact. The SEC is fining Yahoo for failing to alert investors and consumers about a massive security breach that happened back in 2014.

The SEC alleges that Yahoo’s information security team learned that “Russian hackers had stolen what the security team referred to internally as the company’s ‘crown jewels’” several days after the attack took place in 2014.

To be more specific, the security team found that the stolen information included “usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts.”

Yahoo eventually did disclose the breach two years later, shortly before it closed the deal with Verizon. Altaba, the company behind the Yahoo brand, has now agreed to pay a $35 million penalty for the cover-up.

Shipping companies

Forget pirates. A group of hackers based in Nigeria have figured out how to steal money from shipping companies via the internet, according to a report by a cybersecurity firm.

The hacking group, which goes by the name Gold Galleon, attempted to steal at least $3.9 million from maritime shipping businesses and their customers, the researchers said.


Altaba agrees to $35 million data breach settlement

The company formerly known as Yahoo waited two years to reveal that hackers compromised a billion accounts

Altaba, formerly known as Yahoo, has agreed to pay a $35 million fine to settle charges that it failed to promptly disclose a massive data breach relating to hundreds of millions of user accounts.

The Securities and Exchange Commission (SEC) ruled that the company essentially misled investors because the stock price plunged after the breach was finally revealed.

The SEC found that within days of the breach, Yahoo knew that Russian hackers had broken into the network and made off with usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts.

The regulator says the information was reported to Yahoo's senior management, but the company failed to properly investigate the circumstances and adequately consider whether the public should be notified.

Delayed for two years

The SEC says Yahoo waited two years, until it was in the process of selling its operating business to Verizon in 2016, before revealing the data breach.

“We do not second-guess good faith exercises of judgment about cyber-incident disclosure,” said Steven Peikin, Co-Director of the SEC Enforcement Division. “But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”

Last year, Yahoo executives were pressed by members of a Senate committee to answer questions about the breach. Then-CEO Marissa Mayer was asked to describe Yahoo's efforts to notify affected users and what steps the company had taken to mitigate consumer harm.

Last month a federal judge ruled that affected Yahoo users can move forward with a lawsuit against the company. The judge turned aside Verizon's objections, saying affected users might have behaved differently had they known their data had been compromised.

Harm to investors

The SEC settlement specifically addresses investors – people who had purchased Yahoo stock without knowing the company faced a potentially expensive liability. The order found that when Yahoo filed several quarterly and annual reports during the two-year period following the breach, the company failed to disclose the breach or its potential business impact and legal implications.

The SEC also said Yahoo failed to reveal information about the breach to its auditors or outside counsel to learn what it was obligated to disclose.


Facebook releases its complete guidelines for policing content

The company wants to provide clarity on how it decides which posts to take down

Facebook published 27 pages of previously secret rules today on how the site’s moderators decide which photos, videos, and posts should be removed and which can stay online.

The company said it spots potentially problematic content by using either artificial intelligence or reports from other users. That information is then passed on to its 7,500+ human content reviewers who work around the clock in over 40 languages.

Detailed policies

Facebook said it does not allow hate speech about “protected characteristics,” including race, ethnicity, national origin, religious affiliation, sexual orientation, sex, gender, gender identity, serious disability, or disease.

It said there are “some protections” around immigration status and three “tiers of severity” by which posts are judged. Here are a few of the site’s rules:

  • The sale of marijuana is not allowed (even in states where it’s legal)

  • Sexual activity in general is banned unless “posted in a satirical or humorous context”

  • Photos of breasts are allowed if they depict an act of protest

  • Guns can only be shown to adults aged 21 or older, and sales between individual people are not allowed

  • Bullying rules don’t apply to comments made about public figures

Providing clarity

A shorter version of the guidelines had leaked before, but the full guidelines had not been released to the public until today.

In releasing the detailed guidelines (which include specific examples), Facebook hopes to provide transparency about its content-policing process, which has in the past been criticized for appearing to be inconsistent at times.

“We decided to publish these internal guidelines for two reasons,” said Monika Bickert, Vice President of Global Policy Management at Facebook, in a statement.

“First, the guidelines will help people understand where we draw the line on nuanced issues. Second, providing these details makes it easier for everyone, including experts in different fields, to give us feedback so that we can improve the guidelines – and the decisions we make – over time.”

"We want people to know about these standards, we want to give them clarity," Bickert said.

Getting user feedback

The company admits that its enforcement “isn't perfect.”

“We make mistakes because our processes involve people, and people are not infallible," Bickert said. For this reason, Facebook is also adding a way for users to appeal when one of their posts gets taken down because of sexual content, hate speech, or violence.

Users will get a message explaining why the post was taken down and can follow a link to request a review, which will be handled by a team member “typically within 24 hours.”

“We are working to extend this process further, by supporting more violation types, giving people the opportunity to provide more context that could help us make the right decision, and making appeals available not just for content that was taken down, but also for content that was reported and left up,” Bickert said.


Hackers targeted some Gmail accounts to send spam

Consumers are being urged to not respond to any suspicious emails

A number of Gmail users have reported finding messages in their “Sent” folders that appeared to have been sent from themselves. Users said they discovered messages for things like “growth supplements” delivered to email addresses they didn’t recognize.

“My email account has sent out 3 spam emails in the past hour to a list of about 10 addresses that I don’t recognize,” a user posted on Gmail’s Help Forum.

“I changed my password immediately after the first one, but then it happened again 2 more times. The subject of the emails is weight loss and growth supplements for men advertisements,” the user continued.

Forged email headers

The messages contained forged email headers to make them appear to have been sent “via telus.com,” a Canadian telecommunications company.

The forged email headers allowed the messages to slip past spam filters. The fact that they appeared to have been sent by the affected user is what caused them to end up in the Sent folder.

Many users were concerned that the messages were an indication that their account had been hacked. However, Google assured users that their accounts were secure and that the issue had been fixed.

“We are aware of a spam campaign impacting a small subset of Gmail users and have actively taken measures to protect against it,” Google confirmed to Mashable. “This attempt involved forged email headers that made it appear as if users were receiving emails from themselves, which also led to those messages erroneously appearing in the Sent folder.”

“We have identified and are reclassifying all offending emails as spam, and have no reason to believe any accounts were compromised as part of this incident,” the company said.

Report as spam

Google encouraged Gmail users to report any suspicious email as spam, noting that more information on how to report spam can be found by visiting the site’s Help Center.

TELUS, meanwhile, confirmed that its servers aren’t generating the emails.

“We have identified spam emails being circulated that are disguised to appear as if they are coming from http://telus.com. We are aware of the issue and can confirm the messages are not being generated by TELUS, nor are they being sent from our server,” a spokesman for the carrier said in a statement.

“We are working with our 3rd party vendors to resolve the issue, and are advising our customers not to respond to any suspicious emails.”


New report calls the FTC’s consumer privacy efforts into question

Raising the bar on expectations and self-reporting could benefit everyone

A new white paper -- "Understanding and Improving Privacy ‘Audits’ under FTC Orders" -- calls the Federal Trade Commission (FTC) on the carpet for its lenient approach to privacy audits required of tech companies like Facebook and Google.

"These audits, as a practical matter, are often the only ‘tooth’ in FTC orders to protect consumer privacy," wrote Megan Gray, an FTC attorney and non-residential fellow at Stanford Law School. "They are critically important to accomplishing the agency’s privacy mission. As such, a failure to attend to their robust enforcement can have unintended consequences, and arguably, provide consumers with a false sense of security."

While the FTC’s privacy audits are regarded as an efficient way of keeping tech companies in line with privacy commitments made to consumers, Gray urges the agency to improve its privacy standards if it intends on being serious about protecting consumers.

The paper illuminates how privacy audits are not actually audits as most understand them to be. Rather, because the FTC’s language only requires third-party "assessments," tech companies get away with submitting reports that are essentially a confirmation that they did all that was required.

Take Facebook for instance

A contemporary example would be Facebook’s run-in with its users’ privacy. Under the social media company’s agreement with the FTC, all it’s required to do is undergo twice-yearly privacy audits to show it isn’t misinforming its users about their privacy.

However, none of Facebook’s audits brought Cambridge Analytica’s data mining into question. Despite Facebook knowing about the misuse as far back as 2015, Congressional leaders implied that Facebook wasn’t following the FTC’s instructions as rigorously as it should have been.

In the FTC’s complaint against Facebook, the agency harped on the word "deceptive" in questioning Facebook on how it handled users’ private information in areas like profile and app settings.

As an example, the FTC brought up the fact that in November 2009, approximately 586,241 users had used their Friends’ App Settings to "block" Platform Applications that their Friends used from accessing any of their profile information, including their Name, Profile Picture, Gender, Friend List, Pages, and Networks.

Yet, in Facebook’s December 2009 Privacy Changes, its users could no longer restrict access to their "publicly available information," and all prior user choices to do that were overridden. Although Facebook reinstated those settings soon thereafter, the FTC found that the settings weren’t stored to a user’s Profile Privacy restrictions and instead were essentially hidden.

Better protection of consumers’ privacy is needed

Gray offers several ways the FTC could improve its privacy audits. At the top of her list would be requiring the FTC to end its reliance on a company’s simple confirmation that its privacy protection is up to snuff.

Gray suggests that the current method could be greatly improved if the FTC detailed its expectations in what it wants privacy auditors to examine and have assessors report directly to the FTC instead of the company being audited.

"Simply ‘staying the course’ puts consumers...in an untenable situation, with real-world consequences," concludes Gray. "It’s time to dive deeply into understanding these third-party privacy assessments and consider meaningful proposals for their improvement. The FTC is an extraordinary agency, and it is more than capable of rising to this challenge."

In an email to ConsumerAffairs, the FTC stated that Gray currently has no involvement with current privacy or data security investigations and that the comments made in her paper do not reflect the agency's views.


Facebook says it will adopt Europe’s stringent privacy rules worldwide

The company will gradually launch new privacy protections to users in the coming months

Facebook has announced that it plans to roll out Europe’s strict new privacy rules to users worldwide.

The social media giant says it’s taking steps to comply with the EU’s General Data Protection Regulation (GDPR), which is slated to go into effect on May 25 and aims to give consumers control of their personal data. Companies that don’t comply with the law will have to pay a fine.

“We not only want to comply with the law, but also go beyond our obligations to build new and improved privacy experiences for everyone on Facebook,” the company said in a blog post.

"As soon as GDPR was finalized, we realized it was an opportunity to invest even more heavily in privacy," Facebook said in a statement. "We've also sought input from people outside Facebook with different perspectives on privacy, including people who use our services, regulators and government officials, privacy experts, and designers."

Consumers must give consent

Per the new legislation, companies must ask consumers for their consent on sharing their data using clear, easy-to-understand statements.

Companies won’t be able to lump different things together in order to get consumers to agree to data sharing. Children under 16 must have a parent opt in to data collection on their behalf. Users must also be able to rescind their consent.

The new law gives consumers the ability to access the personal data being stored by companies. Consumers can see where their information is stored and find out what purpose it is being used for.

Applied to Facebook users, the new privacy law gives users the option to choose whether they want to allow the platform to use partner data to display relevant ads. Users will also be asked whether they want to continue sharing political, religious, and relationship information on their profile, and the company’s facial recognition feature will be disabled by default.

The rollout of the new rules is the latest action taken by the company to assure users that their information is safe in the wake of the Cambridge Analytica data sharing scandal, in which it was revealed that the personal data of up to 87 million users had been accessed without their knowledge.

Last month, Facebook announced it would be giving users more control over their privacy settings by consolidating 20 privacy screens into just one and giving users more control over the ads they view.

The Weekly Hack: ‘Despacito’ fans receive message to ‘Free Palestine’

Vevo and YouTube respond by taking down the popular music video

People watching the music video “Despacito” this week may have been slightly confused by the cover photograph and description displayed on their screens. Before the music video started, a photograph of masked men pointing their guns at the camera — a clip from a Spanish Netflix show — appeared in the video display.

Underneath, the title of the video was changed to say, “x – hacked by prosox & kuroi’sh @OpIsrael ???? FreePalestine ft. Maluma.”

Videos uploaded by Taylor Swift, Selena Gomez, Drake, and Shakira were also altered by the same group.

In several posts on Twitter, the hacker who identifies themself as Prosox told YouTube and Vevo that it was a harmless prank and that they did not remove the actual music videos.

But the breach was apparently not amusing to YouTube and Vevo, as both sites temporarily took down “Despacito” and the other affected videos in response.

“I did not delete despacito must believe me,” Prosox added, in a post ridiculing Vevo’s security.

Virgin Island nation

Hackers have targeted the government of Sint Maarten, a small Caribbean nation located within the island nation of Saint Martin.

It’s unclear what the hackers did exactly. On its website, the Sint Maarten government only admits that some sort of cyber-attack took place and that they are now recovering from it.

“The Ministry of General Affairs hereby informs the public that the recovery process of the Government of Sint Maarten ICT Network is progressing steadily,” a local newspaper reported on April 6.

Hacking gaps found in power cords

Researchers in Israel identified a new method that hackers would be able to use to launch a hypothetical cyber-attack: hacking computer power cords.

“In this attack, the attacker taps the power lines at the phase level, in the main electrical service panel,” write researchers at the Ben-Gurion University of the Negev. Preventing such an attack would require installing special filters in power outlets, they say.

Researchers this week have also identified a method in which hackers would be able to use data from shared Word documents in “Rich Text Format” (as opposed to Doc format) to steal data from consumers’ Microsoft Outlook accounts. The research is yet another reminder to never open attachments sent from strangers.

Facebook’s Zuckerberg apologizes before Congress and promises change

The Senate responds with a rigid new bill to ensure consumer privacy

Mark Zuckerberg’s “I’m Sorry 2018” tour played to an SRO crowd on Capitol Hill on Tuesday with the Facebook honcho taking all the punches he could withstand and promising all the privacy changes he could muster up.

Zuckerberg’s nearly four-hour Q&A match with 42 Senators focused on his company’s repeated privacy missteps and its breakdown in detecting the Russia-led crusade to influence U.S. voters.

“We were too slow to spot and respond to Russian interference, and we’re working hard to get better,” said Zuckerberg in a prepared statement.

“Our sophistication in handling these threats is growing and improving quickly. We will continue working with the government to understand the full extent of Russian interference, and we will do our part not only to ensure the integrity of free and fair elections around the world, but also to give everyone a voice and to be a force for good in democracy everywhere.”

Not so fast, Facebook

However, despite Zuckerberg vowing transparency and verification rules to protect its business and its flock, there were two Senators already loaded for bear, introducing a privacy bill of rights to protect the personal information of all American consumers, not just Facebook’s.

Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) put into play a bill -- tagged CONSENT (Customer Online Notification for Stopping Edge-provider Network Transgressions) -- that would make “opt-in” the default option for whether users want their information collected or repurposed in any shape, form, or fashion.

While Facebook has offered its users the option to “opt-out” on the data it collects since 2010, it’s likely that most consumers never really paid attention to what information they were giving away until now.

“The startling consumer abuses by Facebook and other tech giants necessitate swift legislative action rather than overdue apologies and hand-wringing,” said Senator Blumenthal. “Our privacy bill of rights is built on a simple philosophy that will return autonomy to consumers: affirmative informed consent. Consumers deserve the opportunity to opt in to services that might mine and sell their data – not to find out their personal information has been exploited years later.”

Making privacy the king

In hopes of curbing the power a platform such as Facebook holds over a user’s personal info, the CONSENT Act:

  • Requires edge providers to obtain opt-in consent from users to use, share, or sell users’ personal information

  • Requires edge providers to develop reasonable data security practices

  • Requires edge providers to notify users about all collection, use, and sharing of users’ personal information

  • Requires edge providers to notify users in the event of a breach

  • Ensures that requirements are enforced by the FTC

This bill covers every conceivable corner of a user’s potentially sensitive information, too. Included are restrictions on:

  • financial information

  • health information

  • information pertaining to children

  • Social Security numbers

  • precise geolocation information

  • content of communications

  • call detail information

  • web browsing history

  • application usage history

To prove their seriousness, Blumenthal and Markey built some legal weight into their proposal by treating any violations of the measure as an infraction of the Federal Trade Commission Act. That act was created with the sole objective of "protect[ing] the process of competition for the benefit of consumers, making sure there are strong incentives for businesses to operate efficiently, keep prices down, and keep quality up.”

The Federal Trade Commission Act also has the power to protect privacy, giving the FTC the permission to penalize companies that violate their own policies through false advertising and other actions that can harm consumers.

Child advocates call for FTC probe of YouTube

The group says the site is illegally collecting children’s data

In a complaint filed Monday, a group of child, consumer, and privacy advocates claim YouTube illegally collects data about underage viewers and uses that data to advertise to its youngest users.

The group of advocates, led by the Campaign for a Commercial-Free Childhood, said it wants the Federal Trade Commission to investigate Google -- which owns YouTube -- for violating the Children’s Online Privacy Protection Act (COPPA), which sets strict rules for how companies can collect data about children under the age of 13.

Per COPPA regulations, companies that run websites targeted at children must notify parents and obtain their consent before collecting any personal data.

“Acted duplicitously”

The group says YouTube avoided COPPA requirements by saying in its terms of service that YouTube is only intended to be used by those over 13, even though Google knows YouTube is widely used among kids in the 6-12 age range.

The site even caters to young viewers, the group said, citing content that is specifically aimed at children under 13.

“Google has acted duplicitously by falsely claiming in its terms of service that YouTube is only for those who are age 13 or older, while it deliberately lured young people into an ad-filled digital playground,” said Jeff Chester of the Center for Digital Democracy. “Just like Facebook, Google has focused its huge resources on generating profits instead of protecting privacy.”

Calls for a fine

The group wants YouTube to change how it deals with content for children, pay a fine for allegedly profiting off young viewers, and “assess civil penalties that demonstrate that the FTC will not permit violations of COPPA.”

"Google has made substantial profits from the collection and use of personal data from children on YouTube. Its illegal collection has been going on for many years and involves tens of millions of US children," the complaint reads.

YouTube issued a statement saying that it “will read the complaint thoroughly and evaluate if there are things we can do to improve. Because YouTube is not for children, we’ve invested significantly in the creation of the YouTube Kids app to offer an alternative specifically designed for children.”

This isn’t the first time a complaint has been filed against YouTube for the way it handles children’s privacy. In 2015, advocacy groups said the site was violating FCC laws about advertising to children.

Facebook implements new transparency and approval process for political ads

The social media company leaves no stone unturned in trying to reclaim its users’ trust

In the face of everything else it’s trying to remedy, Facebook is doubling down on how it deals with what it calls political “issue ads.”

It’s a new layer of approval for anyone who wants to pay to have their political voice heard on Facebook. On top of the existing authorization process, advertisers will have to confirm their identity and location before they’re cleared to advertise.

As Facebook continues to fend off the voodoo stemming from its Cambridge Analytica misstep, with CEO Mark Zuckerberg coming to Capitol Hill today to answer to lawmakers, the company wants the world to know that it’s serious about changing how it deals with political ads and pages.

“We know we were slow to pick up foreign interference in the 2016 US elections,” wrote Facebook’s Rob Goldman, VP of Ads and Alex Himel, VP of Local & Pages. “Today’s updates are designed to prevent future abuse in elections — and to help ensure you have the information that you need to assess political and issue ads, as well as content on Pages.”

And, hoping to make this move perfectly clear, Facebook CEO Mark Zuckerberg stressed that these steps “won't stop all people trying to game the system. But they will make it a lot harder for anyone to do what the Russians did during the 2016 election and use fake accounts and pages to run ads.”

How will these changes appear?

Going forward, political ads on Facebook will be clearly marked as “Political Ad” and will feature information about who the ad is “paid for by.” The full rollout of the new identifiers is expected later this spring.

At the center of Facebook’s political ad target are “issue ads,” the type that advocate for controversial matters. The social media platform says it’s working with third parties to craft a list of political hot potatoes which will vary depending on voter climate.

Facebook is also upping its ante on artificial intelligence and bringing in more people to help pinpoint political advertisers that should have gone through the authorization process but somehow got past its filters.

“We realize we won’t catch every ad that should be labeled, and we encourage anyone who sees an unlabeled political ad to report it. People can do this by tapping the three dots at the top right corner of the ad and selecting ‘Report Ad,’” Goldman and Himel went on to say.

As if to cover all the transparency bases, Facebook is also implementing a tool that will give its users the option to see all of the ads a page is running. That add-on is currently being tested in Canada with the intention of taking it worldwide if all goes according to plan.

The Weekly Hack: Attackers posing as honor students tried to change grades

A hack of several major pipelines has also raised concerns about the potential for environmental disaster

Police in Virginia are now investigating a hacking attempt to change grades at a local high school. Back in November, police say, an email purporting to be from the Oaktown High School’s Honor Council, the school panel dedicated to “honor and integrity,” directed recipients to a link that they said had news about the school.

But users who opened the link were then targeted by malware that recorded their keystrokes and other data, allowing hackers to access log-in information to the school’s computer system. Shortly after the emails circulated, the school found multiple cases of grade changes being requested.

It’s unclear who was behind the hacking attempt, but it wouldn’t be the first time that students have hacked into a public school system to change grades, as the Washington Post reports.

While it may seem like a harmless crime to students, prosecutors have gone after such cases aggressively. One University of Iowa wrestler who attempted such a stunt now faces charges from the FBI.

Every Facebook user

Facebook admitted Wednesday that nearly every one of its users has had their data collected by “malicious actors.”

In response to the ongoing Cambridge Analytica scandal, Facebook published a blog post Wednesday updating people on changes they are making to privacy settings.

Buried in that blog post, Facebook announced that they are disabling a popular search feature that had let users search for each other by phone number and email. According to Facebook’s Chief Technology Officer Mike Schroepfer, the feature posed a security risk for nearly every one of Facebook’s users.

“Until today, people could enter another person’s phone number or email address into Facebook search to help find them,” Schroepfer wrote. Hackers figured out how to “abuse” this feature, as well as the account recovery feature, to scrape data from “most” Facebook users.

Pipelines

Environmentalists have long warned that the aging, cheap pipes that deliver oil and natural gas are ill-equipped to prevent natural gas explosions or leaks. As oil and gas companies have become more dependent on digital technology, it turns out that even these supposedly modern safety improvements also put people at risk.

Hackers reportedly launched a cyber attack on Latitude Technologies, a Texas-based firm that handles computer communications for the oil, gas, and utility industries. The hack forced four major natural gas pipeline companies, including Energy Transfer Partners, to temporarily shut down their computer systems.

It’s unclear what the motives of the hackers would have been, but a security expert told the New York Times that the energy industry’s increasing dependence on technology poses an environmental and safety hazard. The systems may allow attackers to remotely cause “explosions, spills, or fires, which easily will threaten human life, property and the environment,” the expert said.

Facebook ups its possible data misuse total to 87 million users

Cambridge Analytica says it’s no more than 30 million

In updated estimates, Facebook says it’s possible that up to 87 million people had their data repurposed by Cambridge Analytica.

However, that metric comes with a precautionary warning.

“We wanted to take a broad view that is a conservative estimate,” said Facebook CEO Mark Zuckerberg in an interview. “I am quite confident that given our analysis that it is not more than 87 million. It very well could be less, but we wanted to put out the maximum we felt that it could be as that analysis says.”

In response, Cambridge Analytica argued that figure loudly and defiantly.

“Cambridge Analytica licensed data for no more than 30 million people from GSR (Global Science Research), as is clearly stated in our contract with the research company,” the company wrote in a press release. “We did not receive more data than this.”

Cambridge wants its name cleared, too

Cambridge Analytica wants its name expunged from the list of entities behind any manipulation of data regarding Trump’s bid for the White House.

“We did not use any GSR data in the work we did in the 2016 US presidential election,” claims Cambridge Analytica in an attempt to define its position.

“When Facebook contacted us to let us know the data had been improperly obtained, we immediately deleted the raw data from our file server. We carried out an internal audit to make sure that all the data, all derivatives, and all backups had been deleted, and gave Facebook a certificate to this effect.”

Where do we begin?

The “millions” figures quoted by Facebook and Cambridge Analytica started out as 270,000 -- the number of respondents that used GSR’s “thisisyourdigitallife” app.

However, in addition to harvesting metrics on Facebook users who used the app, it has also been revealed that information was collected on those users’ “friends” on Facebook. That, in turn, raised the number of affected individuals exponentially.

Cambridge Analytica used the statistics it collected to build user profiles. The company credited the use of those profiles in helping the Trump ‘16 campaign take advantage of key biases and demographic changes.

All finger pointing aside, how does this get fixed?

Whether this is a matter of misdirection or re-direction, the PR battle between Facebook and Cambridge Analytica probably isn’t going away soon. But for Facebook users, it appears that CEO Mark Zuckerberg is being proactive, and things are getting better.

“So, now we have to go through every part of our relationship with people and make sure that we’re taking a broad enough view of our responsibility,” assured Zuckerberg. “And it’s not enough to give people tools to sign into apps, we have to ensure that all of those developers protect people’s information too. It’s not enough to have rules requiring they protect information, it’s not enough to believe them when they tell us they’re protecting information — we actually have to ensure that everyone in our ecosystem protects people’s information.”

At the top of Facebook’s list of new promises is a rather adamant pledge: “We’re not asking for new rights to collect, use or share your data on Facebook. We’re also not changing any of the privacy choices you’ve made in the past.”

Lining up right behind that pledge are more plums for any concerned Facebook user:

  • Personalized experience: Everyone’s experience on Facebook is unique, and we’re providing more information on how this works. We explain how we use data and why it’s needed to customize the posts and ads you see, as well as the Groups, friends and Pages we suggest.

  • What we share: We will never sell your information to anyone. We have a responsibility to keep people’s information safe and secure, and we impose strict restrictions on how our partners can use and disclose data. We explain all of the circumstances where we share information and make our commitments to people more clear.

  • Advertising: You have control over the ads you see, and we don’t share your information with advertisers. Our data policy explains more about how we decide which ads to show you.

  • One company: Facebook is part of the same company as WhatsApp and Oculus, and we explain how we share services, infrastructure and information. We also make clear that Facebook is the corporate entity that provides the Messenger and Instagram services, which now all use the same data policy. Your experience isn’t changing with any of these products.

  • Device information: People have asked to see all the information we collect from the devices they use and whether we respect the settings on your mobile device (the short answer: we do). We’ve also added more specific information about the information we collect when you sync your contacts from some of our products, including call and SMS history, which people have recently asked about.

  • Addressing harmful behavior: We better explain how we combat abuse and investigate suspicious activity, including by analyzing the content people share.

When will Facebook users see these changes?

Facebook can quickly make shifts in controls users can click on or off and start its path towards cleaning up its act, but that’s only a start.

“I wish I could snap my fingers and in three to six months solve all these issues,” Zuckerberg said. “I think the reality is complex. I think this is a multiyear effort.”

Facebook CEO to testify before Congress next week

House Energy & Commerce Committee will question Mark Zuckerberg about privacy

Facebook CEO Mark Zuckerberg will testify before the House Energy and Commerce Committee next week, the committee has announced.

Zuckerberg has been in the eye of the Facebook storm over privacy issues since it was revealed that user data had been illegally obtained and used by a political marketing firm.

In a joint statement, committee chairman Greg Walden (R-OR) and ranking member Frank Pallone, Jr. (D-NJ) said the hearing will be an opportunity to shed light on critical consumer data privacy issues.

They said that as a result, all Americans may better understand what happens to their personal information online. The hearing is scheduled for 10 a.m. ET on April 11.

Zuckerberg declined an invitation to appear before a British Parliamentary committee investigating the same issue. Officials in both nations say they want to learn more about what data Facebook collects from users and who has access to it.

The scandal

In March, the New York Times reported that Cambridge Analytica, a political marketing firm, used Facebook user data to target ads on behalf of the British campaign to leave the European Union and the U.S. presidential campaign of Donald Trump.

Facebook said Cambridge Analytica was never authorized to receive the data, and obtained it from an app developer who had conducted a survey on Facebook. People who took the survey were informed that the developer would have access to their Facebook profiles -- as well as the profiles of all their Facebook friends. However, the friends were never informed their data was being accessed by a third party.

Since the revelation, Facebook has made a number of changes in the way it handles and safeguards user data, including severing ties with a major data broker and giving users more control over privacy settings.

Facebook is currently under investigation by the Federal Trade Commission (FTC) and several state attorneys general.

Facebook ramps up its purge of pro-Russian propaganda

Nearly 200 additional accounts and pages are chopped from its rolls

Facebook is not done with Russia… yet.

The social media leader is still uncovering accounts linked to the Internet Research Agency (IRA), the Russian company bent on turning Facebook into a propaganda fest.

And as soon as Facebook finds them, they’re axed from the platform. On Tuesday, the company announced that it had removed 70 Facebook and 65 Instagram accounts, plus another 138 Facebook Pages that were controlled by the IRA. Many of the offending Pages were also sneaking in Russia-favored advertisements and those, too, have been removed.

Facebook has a serious dog in this fight and is not afraid to give up the large number of users who visit these sites. An estimated 1.08 million unique users follow those suspect Facebook Pages and 493,000 unique users follow a minimum of one of the Instagram accounts.

Those users are mostly eastern European (Russia, Ukraine, Georgia, Kyrgyzstan, et al), but also include 42,000 Brazilian users.

‘We’ll keep fighting’

Losing money doesn’t seem to be an issue for Facebook, either — especially when it comes to losing face. On the income side of the Russian-influence equation, a related $167,000 was spent on Facebook and Instagram ads since 2015.

“The IRA has consistently used inauthentic accounts to deceive and manipulate people,” wrote Alex Stamos, Facebook’s Chief Security Officer. “It’s why we remove every account we find that is linked to the organization — whether linked to activity in the US, Russia or elsewhere.”

“We know that the IRA — and other bad actors seeking to abuse Facebook — are always changing their tactics to hide from our security team. We expect we will find more, and if we do we will take them down too. But we’ll keep fighting and we’re investing heavily in more people and better technology to constantly improve safety on Facebook.”

While the IRA’s most heralded invasion is the one surrounding the 2016 Presidential election, the new dearly departed are accounts that were “targeting people living in Russia,” Facebook CEO Mark Zuckerberg said in a post.

Increased investment in security

Zuckerberg seems determined to wipe every bit of mud thrown on his company’s face -- mud that was first slung when it was discovered that Cambridge Analytica plucked profile data from Facebook users to slant advertising to benefit Donald Trump’s presidential campaign and other right-wing candidates.

And the Facebook CEO is putting his money where his mouth is. “We have also significantly increased our investment in security. We now have about 15,000 people working on security and content review. We'll have more than 20,000 by the end of this year,” Zuckerberg said in a post.

He goes on to remind the world that Facebook found and took down 30,000 fake accounts leading up to France’s 2017 presidential election; worked in tandem with Germany’s Federal Office for Information to examine the threats it was seeing relating to its 2017 elections; and deployed Artificial Intelligence tools that “proactively detected and removed fake accounts from Macedonia trying to spread misinformation.”

Zuckerberg closed his post with this promise: “Security isn't a problem you ever fully solve. Organizations like the IRA are sophisticated adversaries who are constantly evolving, but we'll keep improving our techniques to stay ahead -- especially when it comes to protecting the integrity of elections.”

Panera Bread’s website involved in a data leak

The company says the issue has now been resolved

Consumers who ordered food online from the bakery-cafe chain Panera Bread via the company’s website could potentially have had their payment information exposed.

Panerabread.com leaked eight months’ worth of customer records from its website, according to a report by KrebsOnSecurity.

The data leak included customer names, email and home addresses, birthdays, and the last four digits of credit card numbers. The breach affected "millions" of customers who ordered food on the company's website, panerabread.com, the blog post said.

Issue has been resolved

Panera claims that fewer than 10,000 consumers had potentially been affected by the breach and stated that the issue has since been resolved.

Although their investigation is ongoing, Panera maintains that there is no evidence of payment records or other large amounts of personal information being accessed or retrieved.

“Panera takes data security very seriously and this issue is resolved,” the company said in a statement. “Following reports today of a potential problem on our website, we suspended the functionality to repair the issue.”

“Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved. Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue and we are working diligently to finalize our investigation and take the appropriate next steps.”

Saks, Lord & Taylor become latest retailers to be hit by data breach

A cybersecurity firm says five million payment records were compromised

Hudson’s Bay Co. says customer payment card information may have been stolen from shoppers at certain Saks Fifth Avenue, Saks Off Fifth, and Lord & Taylor stores in North America.

The retailer said in a statement that it has identified the issue and taken steps to contain it, but it has stopped short of disclosing how many payment card numbers were taken.

“Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring,” the statement said.

Five million records taken

However, one cybersecurity firm analyzed the available data and found that five million credit card and debit card numbers had been compromised in the breach.

Gemini Advisory LLC said in a report that the information was stolen from 83 Saks Fifth Avenue or Saks Off Fifth stores, and from all Lord & Taylor locations. Approximately 125,000 of the five million records compromised have been released for sale on the “dark web,” the firm said.

“Although at this moment it is close to impossible to ascertain the exact window of compromise, the preliminary analysis suggests that criminals were siphoning the information between May 2017 to present,” Gemini Advisory said.

Hudson Bay says it is “working rapidly with leading data security investigators to get customers the information they need, and the investigation is ongoing.” The company is coordinating with law enforcement authorities and the payment card companies for the investigation.

Consumers affected by the breach will not be liable for fraudulent charges, the company said.

The Weekly Hack: Atlanta held for ransom and must pay in Bitcoin

Atlanta officials say the city is being held hostage

Welcome to the future. Hackers are currently holding a major American city for ransom and are demanding that they be paid in Bitcoin.

Atlanta officials confirmed on Monday that a ransomware attack had kicked much of its computer system offline. Without the system functioning, Atlanta is unable to collect online bills from residents, which perhaps isn’t such a bad thing for people who are behind on their water bills or traffic ticket payments.

But the attack has frightening implications for government agencies. "This is much bigger than a ransomware attack, this really is an attack on our government," Mayor Keisha Lance Bottoms told a news conference. "We are dealing with a hostage situation."

The attackers have indicated that they will not restore Atlanta’s websites or computer system until they are paid $51,000 in Bitcoin.

Ransomware, as its name suggests, freezes or infects computers and then displays a message demanding a ransom if users want their systems unlocked. Like much other malware, it commonly spreads through emails that lure unsuspecting users into opening a “phishing” link.

Atlanta officials have not yet indicated whether they will pay the ransom.

As of Friday afternoon, Atlanta’s page for allowing residents to pay their water and sewer bill was still not loading. The municipal court online payment webpage says: “City of Atlanta is currently experiencing technical issues which is impacting the ability to take payments at this time.”

Under Armour

Under Armour warned a whopping 150 million people on Thursday to change their password. The company owns a popular application called MyFitnessPal that tracks nutritional intake and workout routines. Hackers gained access to all 150 million users’ passwords, names, and email addresses.

The company denies that credit card information was accessed but says they are getting law enforcement involved.

“We do not know the identity of the unauthorized party. Our investigation into this matter is ongoing,” the company announced.

Italian soccer (football) team

It happens to the best of us. The Italian newspaper Il Tempo is reporting that SS Lazio, a football team in Italy, was tricked into paying the final portion of a player’s contract to hackers.

A Dutch soccer club had traded their star defender, 26-year-old De Vrij, to SS Lazio in 2014. A hacker impersonating the Dutch team recently sent SS Lazio an email asking for the final installment of his contract, or two million Euros.

The Dutch team says they never sent that email and never received the final payment. Authorities are reportedly investigating the issue.

Under Armour says 150 million MyFitnessPal accounts were affected by data breach

Users are being urged to change their account password right away

Under Armour has disclosed that 150 million MyFitnessPal diet and fitness app accounts were affected by a security breach. The number of records compromised makes this the largest data breach this year and one of the top five in history.

The company said it became aware of the hack on March 25, but it believes that an unauthorized party had access to the accounts since late February. The exposed data includes users’ email addresses, usernames, and hashed passwords. A hash protects a password only as well as the hashing scheme allows: once attackers hold the hashes offline, they can test common passwords against them at their leisure, which is why any password reused on another site should be treated as compromised.

“The affected data did not include government-issued identifiers (such as Social Security numbers and driver's license numbers), which the company does not collect from users,” Under Armour said in a statement.

“Payment card data was also not affected because it is collected and processed separately. The company's investigation is ongoing, but indicates that approximately 150 million user accounts were affected by this issue.”

Users urged to change passwords

Four days after discovering the breach, Under Armour notified MyFitnessPal users via app and email notifications. The company said users could safeguard their account and information by taking the following measures:

  • Change your password for any other account on which you used the same or similar information used for your MyFitnessPal account.

  • Review your accounts for suspicious activity.

  • Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data.

  • Avoid clicking on links or downloading attachments from suspicious emails.
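Why “hashed” does not mean safe, as an added illustration that is not part of the Under Armour notice: the script below stores one constructed password both as an unsalted SHA-1 hash and as a salted PBKDF2-HMAC-SHA256 hash, then runs the same small dictionary attack against each. The notice quoted here does not say which hash function MyFitnessPal used; unsalted SHA-1 is assumed only to show the fast-hash case, and the wordlist, salt and password are constructed.

```python
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional, Tuple

# Constructed wordlist; a real cracking run uses hundreds of millions of candidates.
WORDLIST = ["letmein", "password", "qwerty", "fitness2018", "runner123"]
# Constructed "leaked" password; nothing from the real breach appears here.
USER_PASSWORD = "fitness2018"
PBKDF2_ROUNDS = 600_000  # OWASP's current PBKDF2-HMAC-SHA256 recommendation


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 (assumed worst case): one cheap call per guess, and equal
    passwords give equal hashes, so one crack unlocks every user with that password."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted, iterated KDF: each guess costs 600k HMAC evaluations and the salt
    forces the attacker to start over for every user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def crack_sha1(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash each candidate and compare; returns the match or None."""
    for pw in candidates:
        if hmac.compare_digest(sha1_hex(pw), target_hex):
            return pw
    return None


def crack_pbkdf2(target: bytes, salt: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Same attack against the slow hash; the salt must be known (it is stored with the hash)."""
    for pw in candidates:
        if hmac.compare_digest(pbkdf2(pw, salt), target):
            return pw
    return None


def compare() -> Tuple[Optional[str], float, Optional[str], float]:
    """Crack the same password stored both ways; return (found, seconds) for each scheme."""
    leaked_sha1 = sha1_hex(USER_PASSWORD)
    salt = os.urandom(16)
    leaked_pbkdf2 = pbkdf2(USER_PASSWORD, salt)

    t0 = time.perf_counter()
    found_fast = crack_sha1(leaked_sha1, WORDLIST)
    t_fast = time.perf_counter() - t0

    t0 = time.perf_counter()
    found_slow = crack_pbkdf2(leaked_pbkdf2, salt, WORDLIST)
    t_slow = time.perf_counter() - t0
    return found_fast, t_fast, found_slow, t_slow


if __name__ == "__main__":
    fast, t_fast, slow, t_slow = compare()
    print(f"SHA-1:  cracked {fast!r} in {t_fast * 1000:.3f} ms")
    print(f"PBKDF2: cracked {slow!r} in {t_slow:.2f} s for {len(WORDLIST)} guesses")
```

Both schemes fall to a password that is in the wordlist; the slow, salted one only buys time and stops one crack from covering every user. That is the whole argument for the advice above: the site’s hashing choice is outside the user’s control, so a leaked hash of a reused password means changing it everywhere.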

Under Armour said it doesn’t know the identity of the unauthorized party and is currently working with data security firms to assist in its investigation. It did not provide details on how the hackers got into its network in the first place.

“We continue to monitor for suspicious activity and to coordinate with law enforcement authorities,” Under Armour informed its customers. “We continue to make enhancements to our systems to detect and prevent unauthorized access to user information."


State Department proposes that all visa applicants disclose social media identities

The move expands the Trump administration's cross-check of U.S. visitors and immigrants

The U.S. State Department wants to widen its scrutiny of U.S. visa applicants by asking them to disclose their social media handles.

According to a Bloomberg report, the new visa applications will ask applicants to “provide any identifiers used by applicants for those platforms during the five years preceding the date of application.”

This move broadens the Department’s vetting of visa applicants. The new information could uncover ties to groups, or posts and messages, that the Department considers cause for concern.

What information will be asked for

If this request is approved, additional questions will ask for five years of previously used telephone numbers, email addresses, and international travel information; whether the applicant has been deported or removed from any country; and whether specified family members have been involved in terrorist activities.

Prior to this, email addresses, phone numbers, and social media identities were requested only from applicants whom the Department thought should be examined more closely. Last year, about 65,000 people fit that profile.

Visa processing is a heavy burden for the State Department. There are an estimated 14 million visa applications a year that take 21 million annual hours to process.

A diligent and thorough process

In the aftermath of the 2015 terrorist attack in San Bernardino, California, Congress raised concerns about the use of social media by terrorist groups and requested that the Department of Homeland Security (DHS) broaden its social media background checks.

In turn, DHS established a task force for using social media to screen immigration applicants. Additionally, the U.S. Citizenship and Immigration Services (USCIS) and the Immigration and Customs Enforcement (ICE) tested programs that expanded social media screening of those applicants.

Last December, DHS got the approval to put those supplemental background checks in place.

The State Department provides a full list of FAQs for anyone considering applying for a visa. Also available are updated answers to questions regarding the Trump administration’s immigration restrictions.


Facebook memo puts besieged company on the defensive again

The company says the 2016 memo was purposefully provocative to stir debate

On a day when Facebook took additional steps to tamp down the furor over its handling of user data, company CEO Mark Zuckerberg was forced to explain an internal Facebook memo that surfaced in the media.

BuzzFeed published a 2016 Facebook memo to employees in which company vice president Andrew "Boz" Bosworth argued that Facebook should be prepared to do whatever is necessary to increase user growth.

“We connect people. Period," Bosworth told Facebook employees. "That’s why all the work we do in growth is justified. All the questionable contact importing practices. All the subtle language that helps people stay searchable by friends. All of the work we do to bring more communication in. The work we will likely have to do in China some day. All of it.”

Fuel for critics

Facebook critics were quick to pounce on the memo, calling it further evidence that the company plays fast and loose with user privacy. Facebook has been pilloried since it revealed that an app developer obtained Facebook user data, then sold it to a political marketing group.

Zuckerberg released a statement strongly disavowing the contents of the Bosworth memo. However, he pointed out that Bosworth was often purposely provocative in an effort to bring critical issues into the open for debate.

"Boz is a talented leader who says many provocative things. This was one that most people at Facebook including myself disagreed with strongly," Zuckerberg said. "We've never believed the ends justify the means."

Bad timing

The memo's release comes at a bad time for Facebook, which has spent much of this week taking steps to reassure lawmakers, regulators, and users. On Thursday, Facebook's vice president for product management, Guy Rosen, participated in a conference call with reporters to discuss steps Facebook is taking to protect election security for the upcoming midterms.

Rosen identified four main election security areas that Facebook is working on:

  • Combating foreign interference

  • Removing fake accounts

  • Increasing ads transparency

  • Reducing the spread of false news

"This is a comprehensive approach we deploy in elections around the world, and we’re here today to share our thinking about what we are doing so that you can better understand our approach," Rosen said.

Also this week, Facebook announced tweaks to the site that will cause all Facebook users to see more local news in their news feeds. Previously, the change was made only for U.S. users.

Facebook also moved this week to exclude third-party data providers from its advertising platform, limiting what marketers know about users' shopping habits. According to industry insiders who spoke with CNBC about the move, it makes data brokers less effective while giving Facebook more control over the data used to target ads.


Boeing is the latest to be hit by WannaCry ransomware

The attack is a reminder that Microsoft Windows users should double-check their system

Boeing Company’s computer systems were struck by the WannaCry ransomware on Wednesday. The company’s worst fear was that crucial aircraft production equipment might be crippled, but Boeing’s IT team came to the rescue and averted the crisis.

“All hands on deck” was the message the aircraft maker fired off to its leadership team. In an internal memo, Mike VanderWel, Boeing’s chief engineer of commercial airplane production, said the attack was “metastasizing” and he worried it could spread to Boeing’s production systems and airplane software.

A virus that lives up to its billing

Boeing became the latest to find out just how serious the WannaCry virus can be and how important up-to-date security settings are.

Simply put, WannaCry makes you, well, wanna cry. It is what’s called a “ransomware cryptoworm”: it encrypts the files on computers running Microsoft Windows, spreads by itself to other vulnerable machines on the same network, and demands a ransom payment in Bitcoin to unlock the files. Bitcoin is pseudonymous rather than untraceable; every payment is recorded on a public ledger, which is why the WannaCry ransom wallets could be watched by anyone.

WannaCry spreads through a flaw in the SMBv1 file-sharing service in Windows that Microsoft had patched in March 2017 (security bulletin MS17-010), two months before the outbreak; after the outbreak Microsoft also issued emergency fixes for versions it no longer supports, such as Windows XP. A computer is still at risk only where those patches were never applied.

When WannaCry first hit the scene in May 2017, it brought more than 230,000 computers to their knees worldwide. No one was spared, either. The ransomware attack hit universities, governments, hospitals, utilities, and others including Nissan, FedEx, Honda, and even the Russian railway system.

WannaCry’s victims were held up for between $300-$600 in ransom money before the virus’ masterminds would unlock the files the malware was holding hostage.

In December 2017, the United States, United Kingdom, and Australia formally alleged that North Korea had masterminded the attack. That assertion was backed by both Microsoft and the UK's National Cyber Security Centre. North Korea denied any involvement.

How to protect yourself from WannaCry

If you haven’t installed Windows updates since last May, you might still be vulnerable to WannaCry: antivirus signatures help, but it is the Windows patch that closes the hole the worm uses to spread. When the virus first hit the scene, ConsumerAffairs produced an in-depth guide on the essential steps consumers should take to secure their Windows-driven computers -- where to find the patches and what to do if you’re unable to download Microsoft’s updates. Two further steps are worth taking on any network: disable SMBv1 where nothing still needs it, and block inbound TCP port 445 from the internet.

WannaCry isn’t the only bad actor out there in the malware world. Microsoft has identified 16 ransomware families that go after everything from documents to media files. In a list of FAQs, the Windows support team gives consumers a complete rundown of how to protect themselves from a costly attack.


The government is investigating Facebook’s privacy issues

The FTC confirmed that it has opened a 'non-public' probe

The Federal Trade Commission has confirmed it has opened an investigation into Facebook's privacy practices.

The announcement from Acting Director Tom Pahl said the agency responds when any company does not live up to its promises to protect privacy.

"Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements," Pahl said in a statement.

"Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices.”

Facebook once again in FTC crosshairs

Facebook has dealt with the FTC on privacy issues in the past. It signed a consent decree with the FTC in 2011 after a privacy issue arose. The agreement required Facebook to notify users and get permission before sharing personal data beyond the user's privacy settings.

Rob Sherman, deputy chief privacy officer for Facebook, released a statement saying the company appreciates the opportunity to answer any questions the FTC might have.

Facebook found itself at the center of a media firestorm over a week ago when it was revealed that an app developer who legally accessed Facebook user data, with users’ permission, then sold the data to a political consulting firm, in violation of Facebook’s terms of service.


Facebook accused of collecting call and text messages on Android phones

The company claims it’s something users opt-in to, but can easily change

New reports suggest that Facebook has been logging Android users’ call and SMS (text) history without their permission. The company says that’s not exactly the case, but text history logging is something the user can choose as an opt-in feature.

According to an Ars Technica report, a New Zealander was poring over an archive of his personal data that he had downloaded from Facebook. What he found was not only the typical photos, posts, and contacts, but nearly two years’ worth of data including names, phone numbers, and the length of each call he made from his Android phone.

After last week’s PR bloodbath, Facebook was quick to step up and clear its name the best it could.

“People have to expressly agree to use this feature,” the company said in their response to the story. “If, at any time, they no longer wish to use this feature they can turn it off in settings, or here for Facebook Lite users, and all previously shared call and text history shared via that app is deleted. While we receive certain permissions from Android, uploading this information has always been opt-in only.”

Contact importing is commonplace in social apps. FourSquare, Cloze, Brewster, and others all use some form of contact collection. Not wanting to be left out on a good idea, Facebook also introduced a version in their Messenger app in 2015, then followed up with a “lightweight version” of it in its Facebook for Android app.

How it works

Many people gloss over things like fine print, opt-ins, and opt-outs, and this latest development seems to fall under that category. The way Facebook has this option set up is that when a user signs up for or logs into Messenger or Facebook Lite on an Android device, they’re given the option to have a running upload of contacts as well as call and text history.

In the Messenger app, users can either turn it on or off, or click on the “learn more” or “not now” options. On the Facebook Lite app, the choices are to turn it on or select “skip.” For users who decide to turn the feature on, Facebook logs that info as it happens.

Curious Facebook users who do their social networking on an Android device can see what information has been gathered by using Facebook’s “Download Your Information” tool.

How you can change the info Facebook collects

If a user no longer wants their calls and texts tracked, all they have to do is turn the feature off in their settings. Users can also review which contacts they have uploaded from Messenger and delete any uploaded contact information they no longer want Facebook to hold.

Given all that’s erupted out of Facebook’s data collection dust-up, it’s smart for users to double-check what information they’ve given Facebook and others access to. The company offers a laundry list of ways to update a user’s settings and enhance the security of their data. In a few simple steps, users can decide which apps and games they want to grant permission to collect personal data.


The Weekly Hack: Facebook users targeted and the biggest illegal hack of all time

Universities were targeted in a state-sponsored campaign, prosecutors say

News that the firm Cambridge Analytica harvested profile data from Facebook users to advertise for Donald Trump’s presidential campaign and other right-wing candidates sparked a major backlash against the social media giant this weekend.

Facebook denies that it was a hack, however, explaining to the New York Times that “no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”

In fact, Facebook may have a point. As many have noted, Facebook's own policies didn’t block third parties from accessing user data until 2015, after Cambridge Analytica had already obtained information on an estimated 50 million users.

Facebook’s COO Sheryl Sandberg and CEO Mark Zuckerberg responded to the revelations publicly Wednesday with promises to review their policies. The site has approximately two billion users, or a quarter of the planet.

Universities, companies, and governments

In what the US Attorney’s office says is “one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice,” the DOJ said today that cyber-criminals in Iran stole $3.4 billion worth of data from 144 American universities. They also allegedly targeted 176 foreign universities, 30 private companies and five government agencies over a four-year period.

The DOJ formally indicted the alleged hackers today, though they were not arrested because they are still in Iran. Prosecutors say they could face detention if they ever try to leave the country.

More than 8,000 American professors were targeted in the attack as part of an effort to steal their research, the government says. The hackers allegedly have links to the Mabna Institute, a tech firm that the DOJ says works on behalf of the Iranian government and Iranian universities.

Orbitz customers

Orbitz, the third-party travel booking site owned by Expedia, announced this week that hackers accessed information on approximately 880,000 credit cards used by customers.

Over a period of several months last year, hackers managed to mine credit card information as well as names, birth dates, and addresses of customers who used the site anywhere from January 2016 to December 2017.

"We are offering affected individuals one year of complimentary credit monitoring and identity protection service in countries where available,” Orbitz said in a statement.

Canadian credit card users

Thieves made off with the rewards points earned by Canadian consumers participating in a grocery store loyalty program.

PC Optimum is a new but popular program in Canada that allows consumers to earn reward points when they shop at certain grocery stores and other retailers.

They may just be points, but they have real value; one victim said she lost more than one million points, allowing hackers to purchase over $1,000 worth of goods with her account. A total of more than 100,000 people had their points stolen.

Physical therapy patients and employees

ATI Physical Therapy, a chain of physical rehabilitation centers across the country, alerted over 35,000 customers yesterday that their data may have been accessed by hackers who were targeting direct deposit data of company employees.

As is becoming the standard when these breaches occur, the company is offering consumers free credit monitoring.


Facebook CEO goes public on data sale scandal

The social media company is trying to get in front of backlash

Facebook CEO Mark Zuckerberg has made a public statement in response to the controversy over one of its partners’ unauthorized sale of Facebook data to a third party.

The data, which includes profiles for an estimated 50 million Facebook users, was allegedly used to target political ads in support of Republican presidential nominee Donald Trump during the 2016 election.

"We have a responsibility to protect your data, and if we can't then we don't deserve to serve you," Zukerberg wrote in a nearly 1,000 word post on Facebook. "I've been working to understand exactly what happened and how to make sure this doesn't happen again."

Facebook actually did nothing illegal. It had a partnership with a third-party app -- This Is Your Digital Life -- that allowed the app developer to access data about people who downloaded the app, and their friends. People who downloaded the app were informed of the terms.

Violations of terms of service

What happened next is where it gets sticky. Facebook alleges that the owners of the app sold the data to a political marketing firm, Cambridge Analytica, in violation of Facebook's terms of service. Cambridge Analytica then allegedly used the data to target voters on behalf of the Trump campaign.

In his statement, Zuckerberg said Facebook made a number of policy changes in 2014 that would have prevented the unauthorized distribution of Facebook data had they been adopted earlier.

Among the changes:

  • Limits were placed on the data that apps could access

  • Apps could not access users' friends' data without permission from the friends

  • Developers must receive Facebook permission before they can ask for users' data

Learned of the data sale in 2015

Zuckerberg says it was not until 2015 that Facebook learned from journalists that the app developer had sold the data to Cambridge Analytica. It then demanded the data be deleted, and Zuckerberg says Facebook received certifications that the data had, in fact, been destroyed.

"Last week, we learned from The Guardian, The New York Times and Channel 4 that Cambridge Analytica may not have deleted the data as they had certified," Zuckerberg wrote in his post. "We immediately banned them from using any of our services. Cambridge Analytica claims they have already deleted the data and has agreed to a forensic audit by a firm we hired to confirm this. We're also working with regulators as they investigate what happened."

So far, Zuckerberg's public statement has done little to quell the controversy. An appearance on CNN Wednesday night didn't seem to help either.

Critics say Facebook should have informed its users in 2015 that their data may have been sold to a political marketing firm. A Twitter campaign called #deletefacebook is urging angry Facebook users to abandon the social media platform.

But writing on Engadget, technology journalist Nicole Lee says deleting Facebook is easier said than done. She notes that the site has become too important to too many people who depend on it to stay connected to family and friends.


Washington demands answers from Facebook about data collection

The company's policies will likely be under close scrutiny

Members of Congress are calling for more oversight of Facebook after information about an estimated 50 million users was allegedly used to influence elections.

Sen. Edward J. Markey (D-Mass.), a member of the Commerce, Science, and Transportation Committee, wrote a letter to the committee leadership asking it to hold hearings and solicit testimony from top Facebook executives.

Markey and others are asking for an explanation of how Cambridge Analytica, a political marketing firm, acquired private data on Facebook users that was allegedly then used in the successful Brexit and Trump campaigns.

In his letter, Markey cited published reports suggesting only a small number of Facebook users had agreed to their information being shared with a third party.

“In light of these allegations, and the ongoing Federal Trade Commission (FTC) consent decree that requires Facebook to obtain explicit permission before sharing data about its users, the Committee should move quickly to hold a hearing on this incident, which has allegedly violated the privacy of tens of millions of Americans,” Markey wrote.

Request for details

Sen. Ron Wyden, (D-Ore.), is asking the social media company to detail the extent that private information was misused. He also suggested a review of how Facebook collects, stores, and shares information.

In a letter to Facebook CEO Mark Zuckerberg, Wyden said the ease with which the site's default privacy settings were exploited for profit and political gain raises questions about the company's business model.

"It also raises serious concerns about the role Facebook played in facilitating and permitting the covert collection and misuse of consumer information,” Wyden wrote. “With little oversight—and no meaningful intervention from Facebook—Cambridge Analytica was able to use Facebook-developed and marketed tools to weaponize detailed psychological profiles against tens of millions of Americans.”

Highly-targeted ads

Facebook has been successful because of the power of its targeted advertising. Commercial enterprises can buy ads that appear in the timelines of consumers of a specific age and gender who have certain interests.

The fact that politicians would also take advantage of this power should not come as a surprise. In the wake of the 2016 U.S. election that sent Donald Trump to the White House, Facebook got a lot of unwelcome attention for the information that appeared in users' timelines -- information that looked like news stories but may or may not have been true.

Facebook spent much of 2017 making adjustments -- such as downgrading links from certain sites and adding "related stories" to broaden the scope of coverage.

However, part of the problem stems from the fact that for a significant number of consumers, Facebook is their primary source of news. The Pew Research Center reports that during the height of the 2016 presidential campaign, 62 percent of adults said they got news from social media sites.


Former Equifax CIO faces insider trading charges

The former executive allegedly sold $1 million in shares just before the Equifax data breach was announced

A former Equifax executive has been charged by the Securities and Exchange Commission (SEC) with selling nearly $1 million worth of shares before the company announced last year’s massive data breach.

Jun Ying, the former chief information officer of Equifax's U.S. Information Solutions, was allegedly entrusted with non-public information about the company’s breach before the news was disclosed to the public, the SEC said in a statement.

“As alleged in our complaint, Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public,” said Richard R. Best, Director of the SEC’s Atlanta regional office.

“Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit,” Best said.

Ying avoided more than $117,000 in losses by selling his shares before the stock price plunged after news of the breach was publicly announced. The US Attorney’s Office for the Northern District of Georgia is also filing criminal charges against Ying, the SEC said.

Largest breach in history

Nearly 150 million Americans were impacted by Equifax's data breach, making it one of the largest breaches of sensitive personal data in history.

News of the breach was made public Sept. 7, but authorities say Equifax discovered suspicious activity on its network on July 29.

On Aug. 28, Ying allegedly used his confidential information to sell his shares before the news broke. He exercised all his available stock options and received 6,815 shares of Equifax stock, which he sold for more than $950,000 -- a total gain of more than $480,000, prosecutors said.


The Weekly Hack: Applebee’s data breach and continued cryptocurrency concerns

Hackers targeted Applebee’s franchises and Japan is cracking down on cryptocurrency exchanges

People who dined at certain Applebee’s franchises sometime between November 2017 and January 2018 should pay extra attention to any suspicious activity on their credit cards.

RMH Franchise Holdings announced today that the computer system used by its Applebee’s stores was infected with malware, allowing hackers to access the names and credit card information of customers.

“We are providing this notice to our guests as a precaution to inform them of the incident and to call their attention to some steps they can take to help protect themselves,” RMH alerted customers in a press release.

RMH said it initially discovered the security breach on February 13. The company owns 167 Applebee’s restaurants across the country.

Cryptocurrency

Hacks involving Bitcoin or one of its many imitators are becoming a regular part of the news cycle. Financial regulators in Japan are now responding by cracking down on seven platforms where people trade cryptocurrency, including the popular application Coincheck, which is based in Japan but used by cryptocurrency traders worldwide.

Coincheck consumers lost an estimated $530 million to hackers in late January in what experts said was the largest cryptocurrency theft to date. The company’s CEO Yusuke Otsuka has promised that affected victims will be compensated.

In the United States, the SEC also released a warning on Wednesday about the security risks that online trading platforms pose.

Meanwhile, users of another cryptocurrency exchange called Binance recently became suspicious that they were being targeted by hackers. Affected individuals reported seeing bizarre discrepancies on their accounts via Reddit, which prompted a response from CEO Changpeng Zhao. On Wednesday, he took to Twitter to say that “All funds are safe” and promised an investigation.

The announcement didn’t come soon enough for Bitcoin traders. The value of Bitcoin dipped below $10,000 this week, which Mashable reports is likely due to the Binance hack rumors and the SEC warning.

Tennessee senate candidate

A hacker may have impersonated Tennessee Senate candidate Phil Bredesen and emailed his contacts, Bredesen’s campaign warned in a letter to the FBI. Bredesen, the former governor of Tennessee, is running as a Democrat in a race that The Hill newspaper reports is a toss-up, raising concerns among Democrats that hackers could be trying to interfere with the midterm elections.

Academics

A hacking group known for going after government agencies in Asia has been sending emails to Japanese professors in an attempt to steal their research. The group reportedly pretended to be from the Japanese government and sent professors downloads that contained malware. The campaign serves as another obvious reminder to never download unknown files.


Uber sued by Pennsylvania AG for not disclosing hack fast enough

The company admitted over a year after a data breach that it had paid hackers $100,000 to keep quiet

Uber admitted last year that its former security officer and deputies had paid hackers $100,000 to destroy consumer data they had accessed and to keep the breach under wraps.

Over a year after the hack occurred, the company fired the employees who made the payment, publicly apologized, and promised to investigate, but for the Pennsylvania Attorney General, the company-led investigation was too little, too late.

Pennsylvania AG Josh Shapiro is now suing Uber under a state law that requires companies to warn consumers about data hacks within a reasonable time, though the law does not specify exactly how long that time frame is.

Data breach not disclosed for over a year

The names, email addresses and phone numbers of 50 million riders and seven million drivers were compromised in October 2016. However, Uber did not warn its customers or launch a public investigation until Bloomberg reported on the breach over a year later, in November 2017.

Among the seven million drivers, 600,000 also had their driver’s license numbers accessed, Uber told the news agency.

“None of this should have happened, and I will not make excuses for it,” CEO Dara Khosrowshahi told Bloomberg at the time. “We are changing the way we do business.”

The Pennsylvania AG’s office determined that approximately 13,500 drivers in the state had their driver’s license information accessed in the hack. Shapiro is seeking to penalize the company $1,000 for every person affected by the breach, bringing the potential fine to $13.5 million.

“Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet,” Shapiro said in an announcement.

Uber’s new Chief Legal Officer Tony West told Recode that he was surprised by the lawsuit.

“While we do not in any way minimize what occurred, it’s crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver’s license numbers,” West told the site.

Drivers can find out if their license information was stolen by searching on the Uber website.

Your entire identity sells for less than $1,200 on the dark web

A security firm breaks down what your personal information is worth

What happens to your personal identity information once it has been compromised, such as in the Equifax data breach?

It often ends up for sale on the dark web, where one security firm says a consumer's entire identity, from Social Security number to Gmail login, can be purchased for less than $1,200.

Simon Migliano, editor-in-chief at Top10VPN.com, which reviews virtual private networks (VPN), writes that every aspect of your online identity is a commodity that can be sold to scammers. The company has broken down what each part of that identity is worth, creating what it calls the Dark Web Market Price Index (DWMPI).

Let's start with your proof of identity, such as a Social Security number or other data to prove who you are. According to the DWMPI, that can sell for around $92.

With it, a scammer can take out a loan or apply for a credit card, netting thousands of dollars. That's a pretty good return on investment, but it doesn't command the highest price on the dark web.

A premium for PayPal

Scammers will pay the most for a consumer's PayPal account log-in. That goes for an average of $247, allowing a thief to quickly clean out the account. After all, it's safer for the thief than trying to use a fake identity to take out a loan.

Your online shopping account login information is also a valuable commodity in the underworld. Thieves pay nearly $165 for account logins for Amazon, Walmart, eBay, Costco, and Macy's, although some individual accounts can go for as little as $10.

Again, it's neat and clean. Thieves can order merchandise that will go on your credit card. They can either use what they purchase or sell it for cash.

Bargain-priced data

Other parts of your identity go for a lot less. While it may be no surprise to learn credit card details are among the most traded on the dark web, fraudsters buy and sell access to Uber, Airbnb, and Netflix accounts for less than $10 each.

"Would-be scammers can easily spend more on their lunchtime sandwich than buying up stolen customer logins for online stores," Migliano writes.

Why so cheap? The sad fact is there is so much competing stolen data to choose from that it tends to drag down the price.

Last year's Equifax hack alone, which compromised more than 148 million consumers, has saturated the dark web with stolen personal data. It means someone could purchase your stolen Spotify account log-in for as little as 21 cents.

Migliano says clever dark web marketers are packaging some of the stolen data into bundles. He says the company found listings offering individuals’ name, billing address, mother’s maiden name, social security number, date of birth, and other personal data.

The Weekly Hack: Beware of Equifax and aliens

Identity thieves can use the Equifax breach to steal social security benefits and leave victims with the bill, but does it even matter if the entire planet is under attack?

Sure, you never technically asked Equifax to monitor your personal data, but credit checks are a necessary step to securing a home, a loan, or a job. But now that half the country’s data has been stolen, you may be tempted to purchase credit protection elsewhere as a precaution.

There’s just one problem. That other, competing credit protection service may “very well be using Equifax to do the back office part,” Sen. Elizabeth Warren told Marketplace in a recent interview. In other words, Equifax could be profiting off the scare it created from its own breach.

The senator’s allegations, made public in an interview this week with Marketplace, came one day before Equifax announced that it will notify an additional 2.4 million consumers that their data was breached.

The customers were among the 145.5 million people whose identities were already confirmed stolen. But Equifax said it could not confirm the specific identities of those 2.4 million people until Thursday because only partial driver’s license information was taken.

Now that Equifax has identified who the additional victims are, the corporation promises to offer them free identity protection and credit monitoring services.

Social Security benefits

People filing for their taxes are reportedly getting billed by the IRS for Social Security benefits that they never collected. Even people in the business of filing taxes are affected.

Retired accountant Jim Shambo writes on the American Institute of CPAs website that he received an SSA-1099 for $19,236 in Social Security. But Shambo hadn’t even applied to collect the benefits, he writes, let alone receive the money.

And before he had a chance to alert the Social Security office to the fraud, he says he received a letter “congratulating me on initiating my Social Security benefits.”

Experts say the problem isn’t unique. In fact, hackers made off with $6 million in Social Security benefits stolen directly from recipients’ bank accounts, a report last year found.

Shambo says that people between the ages of 62 and 70 are vulnerable to the Social Security hack. Victims have little recourse: one man who was billed for benefits in a similar theft told the Detroit Free Press that it took repeated calls and visits to local Social Security offices to get revised tax forms.

Shambo points to two likely culprits for the breach: the Social Security office website itself and Equifax.

Hacking aliens 

Astrophysicists Michael Hippke and John Learned recently published a paper arguing that any attempt to contact “extraterrestrial intelligence” could place our species at the risk of a widespread hack.

They say that sophisticated telescopes could, in theory, pick up a malicious virus that would affect the world’s computers. In another hypothetical scenario, extraterrestrials could use human communication to mess with the world’s collective minds, perhaps by telling everyone that “we will make your sun go supernova tomorrow.”

“True or not, it could cause widespread panic,” Hippke and Learned write.

In the long run, they argue that attempting to contact extraterrestrial intelligence comes with more benefits than drawbacks, but they say being aware of the negative possibilities is important.

If aliens do exist, “there will be a plurality of good and bad civilizations,” the physicists write, and the bad ones may be all too eager to take advantage of the fragility of humans. Even a threatening text could have what the physicists describe as a “demoralizing cultural influence.”

The paper comes after the New York Times released a bombshell report last year about mysterious sightings reported by army pilots and a resulting, unsuccessful UFO research program funded by the Pentagon to look for answers.

But even if aliens do exist, other experts say they may have bigger fish to fry than our computers or our heads. Retired Army Col. John Alexander, a founder of the Advanced Theoretical Physics Group and the author of a book about UFO sightings and theories, told the New York Daily News that the likelihood of an alien-led computer hack “is so remote as to not be worth any concern, let alone time and effort in countering it."

German Government

The German press is quoting anonymous security officials who claim that Russian hackers placed malware in government networks. The hackers infiltrated the network used specifically by the German parliament and other federal offices, the officials said. The Russian group Fancy Bear was reportedly behind the attack.

Germany's government responded that they are investigating the attack but adds that it “was isolated and brought under control within the federal administration.”

Texas was not hacked

Texas officials are pushing back on an NBC report claiming that state computers were compromised by Russian hackers during the 2016 presidential election. The report did not allege that results were changed, only that the state’s voter registration system was “compromised.”

"We have absolutely no evidence that there was any penetration or any compromise of any of Texas' voting or voting registration systems,” the Texas Secretary of State responded to the station.

Belgian judges demand Facebook destroy data it collected on non-users

Facebook, which faces 100 million euros in fines, defended the practice

In Europe, where consumers are protected by tougher privacy and data regulations than they are in the United States, judges have once again ruled that Facebook is breaking the law.

A court in Belgium on Friday ordered Facebook to stop tracking and recording the browsing habits of non-users, “as it does not bring its practices in line with Belgian privacy legislation.”

The Belgian verdict follows a ruling against Facebook in Germany last Monday. In the latter case, a Berlin judge ruled that eight clauses in Facebook’s terms of service are illegal and that Facebook’s default privacy settings do not give users adequate consent or allow them to easily opt out.

“Facebook hides default settings that are not privacy-friendly in its privacy center and does not provide sufficient information about it when users register,” an attorney with The Federation of German Consumer Organisations, the organization that brought the lawsuit against Facebook, said in a statement.

Facebook says they plan to appeal the Berlin court’s decision.

Facebook ordered to publicize judgment

In the Belgian verdict, judges ordered Facebook to destroy data that they determined was “illegally obtained” and publicize the court’s unflattering findings about itself.

The judges not only demanded that Facebook publish “the entire 84-page judgment on its website,” but also stipulated that Facebook publish a portion of the judgement in Dutch-language and French-language Belgian newspapers.

Facebook, which has so far given no indication that it plans to follow the order, faces fines of 250,000 euros a day or a max-out of 100 million euros for not complying.

“The cookies and pixels we use are industry standard technologies and enable hundreds of thousands of businesses to grow their businesses and reach customers across the EU,” Facebook’s public policy spokesman Richard Allan told TechCrunch in a statement.

“We require any business that uses our technologies to provide clear notice to end-users, and we give people the right to opt-out of having data collected on sites and apps off Facebook being used for ads.”

Tracks non-users

Facebook’s use of tracking codes through social plug-ins, commonly known as “cookies,” allows the social media giant to sell targeted advertising. The cookies work by collecting the browsing habits of consumers, even those who do not use the social media site or who have cancelled their accounts.

“This does not only concern Facebook users, but almost all internet users in Belgium and Europe,” Belgium's Privacy Commission, the agency that filed suit against Facebook, explains on its website.

Belgian watchdogs have been fighting the practice since 2015 with a civil suit and subsequent judgement which orders Facebook to stop invisibly tracking consumers or face hefty fines. But Facebook fought the ruling with the argument that the Belgian courts did not have jurisdiction over its business because Facebook’s Europe office is headquartered in Ireland.

Facebook’s appeals have been repeatedly shot down by the Belgian courts trying to crack down on the company. Much like the recent ruling in Germany, a report commissioned by the Belgian Privacy Commission in 2015 determined that Facebook’s privacy settings do not give users informed consent and that its terms of service violate European consumer privacy laws.

Higher European standards irk companies

While Facebook does allow users to opt out of the tracking cookies, this option is only available to people with a Facebook account, not to non-users. “The current practice does not meet the requirements for legally valid consent,” the Belgian Privacy Commission report said.

The European Union considers data protection to be a fundamental right and places broad regulations on the tech, financial, and advertising industries over how they handle data.

But tech giants have bristled at European attempts to regulate data collection and other aspects of their businesses. Last summer, European regulators fined Google a record 2.4 billion euros after finding it was manipulating search results in a manner that promotes its own shopping services over competitors. It was the largest antitrust fine implemented to date by the European Union.

Google responded by offering concessions, such as opening its “shopping” search results to competitors, but it also appealed the ruling in September.

Forever 21 confirms 2017 data breach

Payment cards may have been compromised at some stores

Retailer Forever 21 has confirmed a payment card data breach it first raised as a possibility in mid-November.

The company said it received a report from a third party in mid-October suggesting there could have been unauthorized access to payment card data at certain stores. The investigation revealed that encryption technology, installed on point-of-sale (POS) devices in 2015, was not always activated at some stores.

Investigators then discovered signs of unauthorized network access and installation of malware on some POS devices. The malware searched for payment card data as it moved through the POS device.

No consistent pattern

Complicating the investigation is the fact that the encryption was not turned off in all stores; it was off for only a few days to several weeks in some stores; and it was off most of the time in other stores.

"Each Forever 21 store has multiple POS devices, and in most instances only one or a few of the POS devices were involved," the company said in a statement. In nearly all cases, potentially compromised transactions occurred between March and October 2017.

Mark Cline, a vice president at Netsurion, a provider of managed security services for multi-location businesses, says there are important lessons to learn here for both consumers and retailers.

“With its endless POS endpoints, the retail industry has always been a desirable target for cybercriminals," he told ConsumerAffairs. "They know that if they can introduce malware into POS networks, they can make a decent amount of cash by selling credit card numbers on the dark web. With their millions of customers, large retailers, like Forever 21, have typically been the hardest hit."

The costs for companies can be enormous. Cline says a retailer pays on average $172 per stolen record in "clean-up costs."

The challenge for retailers is to stay ahead of the hackers. Cline suggests companies first run a vulnerability scan on their internal networks and then apply all operating system and software upgrades and patches immediately.

Consumers inconvenienced

The cost for consumers is mostly in convenience. If promptly reported, consumer liability for fraudulent use of a credit card is limited to $50, and in many cases there is no loss.

If debit card information is stolen, risks may be greater. Policies protecting consumers in these cases tend to vary bank to bank. Needless to say, a thief with a consumer's complete debit card information could clean out the account very quickly.

Consumers using a payment card at a POS terminal are safer paying with a credit card than a debit card. Paying with cash is safer still.

Forever 21 operates more than 815 stores in 57 countries, in the United States and overseas. The company did not provide the number of its stores that may have been affected by the data breach.

Yahoo says 2013 data breach affected all three billion of its user accounts

The revision adds to what is already the largest data breach in history

Yahoo’s massive 2013 data breach, affecting more than one billion of its user accounts, reappeared this week with significantly worse numbers.

The company announced Tuesday that all 3 billion of its accounts were, in fact, affected at that time, leaving additional billions of user accounts vulnerable in the interim.

The revelation follows Yahoo’s acquisition by Verizon, which paid $4.8 billion for the struggling company in hopes of combining it with AOL to create a new entity named Oath. New intelligence prompted a forensic analysis which subsequently led to Tuesday's revision.

“While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement,” the company said in a statement.

“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” added Verizon Chief Information Security Officer Chandra McMahon. “Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”

Protecting stolen information

In an FAQ section of its security update web page, Yahoo says that stolen information involved in the 2013 breach may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5), and (in some cases) encrypted or unencrypted security questions and answers.

To counter the breach, Yahoo required potentially affected users to change their passwords and invalidated unencrypted security questions and answers last December.

However, in light of the recent revision, the company says that all users should change their passwords and security questions, review their accounts for any suspicious activity, and use an abundance of caution when clicking or downloading unsolicited messages, links, or attachments. The company also advises using its Yahoo Account Key authentication tool.

Users are also free to switch to a different email service, but continuing to monitor accounts and personal information will still be just as necessary either way.

Largest breach to date

The latest announcement multiplies what was already the largest data breach in history, and will almost certainly mean more litigation for both Yahoo and Verizon.

In late August, U.S. Judge Lucy Koh ruled that class actions over the breach would be allowed to move forward. While she dismissed some parts of one particular case, she said that Yahoo’s actions “alleged risk of future identity theft” and “loss of value of [users’] personal identification information.”

Koh also said that plaintiffs would be well within their rights to pursue breach of contract and unfair competition charges against Yahoo because they would have been able to close their accounts if they had known about the data breach earlier.

Equifax provides few details on its credit-freezing tool

Consumers will be able to freeze and unfreeze credit without paying fees

Equifax says consumers concerned about the company's massive data breach will be able to freeze and unfreeze their credit at will and not pay a fee.

In his testimony before a House subcommittee Tuesday, former Equifax CEO Richard Smith listed the new tool among other free remediation tools the company is providing to consumers to help them protect their identity, but he did not elaborate on it.

A credit freeze prevents anyone from accessing a consumer's credit report, so an identity thief who has stolen the victim's Social Security number and other identifying information would be unable to open a fraudulent credit account because the lender would be unable to pull the credit file.

The credit file could only be unfrozen with the consumer's permission, making the credit freeze among the strongest identity theft prevention measures that can be taken. Normally, the consumer pays a fee to freeze the credit file and another fee when it is unfrozen.

Equifax has disclosed few details of the tool, other than to say it hopes to have it available by the end of January. In an email to ConsumerAffairs, a company spokesperson said additional details would be provided closer to the launch date.

Different opinions

Security and identity theft experts have different opinions about whether a simple, easy-to-use tool to freeze and unfreeze credit is a good idea. Some have backed the idea, saying that hackers will have a harder time stealing identities if more consumers are freezing their credit files.

But Eva Velasquez, CEO of the Identity Theft Resource Center (ITRC), thinks the process should not be so simple and quick that it becomes vulnerable to hacks.

"I hope that the solution that industry proposes is not more automated technology," Velasquez told ConsumerAffairs in an interview last month. "Because the process of establishing who you are goes through several steps, and we should appreciate that it's going to take a little longer."

Whatever form the freeze tool takes, it won't be a complete solution. That's because it will only freeze one credit file -- the one managed by Equifax. Consumers also have credit files with the two other credit bureaus, Experian and TransUnion.

There will still be fees to freeze and unfreeze those files. Velasquez says ITRC has launched an online petition urging Experian and TransUnion to also waive fees when consumers freeze and unfreeze their credit reports.

FTC settles with lead generation company over misleading and illegal practices

Blue Global, LLC was fined $104 million for selling private information to third parties

The Federal Trade Commission (FTC) announced a $104 million settlement with a lead generation business on Wednesday over charges that it misled consumers and unlawfully shared and sold consumers’ private information.

The original complaint alleged that Blue Global, LLC had consumers fill out loan applications that it then sold to other entities as “leads.” FTC officials said that CEO Christopher Kay ran dozens of websites that operated in this manner and gave no consideration to where the information ultimately ended up.

“Defendants shared loan applications with and sold them to other entities without regard to loan terms, whether the other entity was a lender, or whether the other entity secured the application data in any fashion,” the complaint said.

Selling private information

The FTC further alleged that Blue Global made several false promises to consumers who filled out loan applications. According to the complaint, consumers were told that the information in their loan application would help the company find a loan with the lowest interest rate and other favorable terms, as well as help match applicants to a lender selected from a network of 100 or more loan providers.

Additionally, Blue Global allegedly told applicants that they were “very likely” to receive a loan by completing the online application and that the information they provided would “always be safe and secure” because it was only shared with “trusted lending partners.”

However, the FTC alleged that the company provided the sensitive information to any potential buyer without the knowledge or consent of the applicant. The complaint also says that Kay and his company did nothing to investigate or take preventative actions when confronted by affected consumers.

Settlement terms

Under the terms of the settlement, the defendants are barred from misrepresenting that they can assist consumers with getting favorable loan rates or terms. They must also ensure that personal information collected from consumers is protected and secured in the future.

The defendants must also investigate and verify the identity of businesses that they give consumer information to and obtain consent from consumers before doing so. The $104 million judgment against Blue Global will be suspended based on its inability to pay.

Republican data leak exposes records of nearly 200 million Americans

The data was left unprotected on a public server for 12 days

A massive data leak has exposed extensive information on nearly 200 million Americans, everything from birthdates and phone numbers to analyses of feelings about such hot-button issues as gun control and abortion.

The data was stored on a publicly accessed Amazon Web Services server by Deep Root Analytics, a contractor to the Republican National Committee. The firm gathers information that is used for political advertising and targeted appeals to potential voters.

Security experts quoted by Gizmodo say that more than a terabyte of data was stored on the cloud server. It was not protected by a password and could have been accessed by anyone who stumbled across the URL.

The files were gathered from numerous outside data firms and super PACs. All told, the data contained highly personal information on 198 million Americans, about 61 percent of the total population.

Besides individuals, the files contained information on rival political organizations, including the Democratic Senatorial Campaign Committee, Planned Parenthood, and the American Civil Liberties Union, Gizmodo said.

“We take full responsibility for this situation,” said Deep Root founder Alex Lundry. “Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access.”

He said the data was only unprotected for 12 days and, as far as is known, no one happened onto it.

VIZIO settles with regulators over deceptive data collection charges

Officials alleged that the company collected data from consumers and sold it to third parties

The Federal Trade Commission (FTC) and the New Jersey Attorney General’s office have reached a $2.2 million settlement with smart TV manufacturer VIZIO, resolving a complaint that the company collected viewing data on 11 million consumers without their consent.

The complaint states that, as early as February 2014, VIZIO and one of its affiliates manufactured smart TVs that captured screen information and demographic data about consumers, including information on age, sex, income, and a variety of other metrics. Officials allege that VIZIO then took that information and sold it to third parties who used it to create targeted ads that reached consumers across their devices.

“[VIZIO] provided this viewing data to third parties, which used it to track and target advertising to individual consumers across devices. [It] engaged in these practices through a medium that consumers would not expect to be used for tracking, without consumers’ consent,” the complaint stated.

"Egregious invasion of privacy"

The complaint goes on to explain that the data tracking practices were unfair, deceptive, and in violation of the FTC Act and New Jersey protection laws, something that New Jersey Attorney General Christopher Porrino expounded on.

“New Jersey residents enjoying television in the privacy of their own homes had no idea that every show they watched, every movie they rented, every commercial they muted was being secretly tracked by the defendants who then exploited that personal information for corporate profit,” he said. “This kind of allegedly deceptive behavior is not only against the law; it is an egregious invasion of privacy that won’t be tolerated.”

The settlement requires VIZIO to pay $1.5 million to the FTC and $1 million to the New Jersey Division of Consumer Affairs, $300,000 of which has been suspended. The stipulated federal court order requires VIZIO to prominently disclose and obtain consent for its data collection and sharing practices, and stipulates that the company must delete all data collected before March 1, 2016.

The order expressly forbids the company from making future misrepresentations about the privacy, security, or confidentiality of any consumer information it collects. VIZIO has also agreed to implement a data privacy program, which will be evaluated biennially.

“This settlement not only holds the defendants accountable for their alleged deceptive practices, it requires them to destroy the data they gathered without consumers’ consent, and to revise their business practices to protect consumers from future privacy breaches,” said Porrino.

For more information, consumers can visit the FTC’s site.

Consumers see cash as defense against holiday hackers

But survey shows plastic remains the payment of choice

If more consumers doing last minute Christmas shopping are paying with cash, it could mean they are trying to stick to their budget in the final shopping frenzy.

Or, it could be a defensive move, an effort to prevent getting caught up in a retailer's data breach.

Thales, an IT and cybersecurity firm, reports most consumers would change their shopping behavior in some ways if they knew a particular retailer had suffered a system hack. While 20% of consumers in a Thales survey said they would avoid shopping at the store, the majority – 55% – said they would continue shopping at the retailer but would pay using cash.

The return to old fashioned currency bucks the recent trend of electronic payments that has caused some to speculate on the eventual demise of cash. But the Thales survey makes clear that consumers view cash as a firewall against their data being compromised.

Still using plastic

That's not to say that consumers have abandoned electronic payments. Far from it. The survey found that more than 90% of holiday shoppers will use a credit card, debit card, or mobile wallet to pay for at least some of their purchases.

And while mobile wallet use is on the rise, it has a long way to go to catch up with plastic, and even cash. Only 16% of shoppers said they planned to pay with their smartphones this holiday season.

In a promising sign for consumers' financial health, the survey found more shoppers plan to use debit cards and cash over credit cards. Since debit card purchases come directly out of a consumer's bank account, it suggests there could be less of a shopping hangover when credit card bills arrive in January.

Cash is still an important tool

Cash might not be king, but Jose Diaz, director of payment strategy at Thales e-Security, says it remains an important tool for consumers, not only for budgeting but in protecting against theft.

"These survey results offer a stark reminder that a serious data breach could stop many consumers from shopping at a merchant's store or at the very least move them back to cash payments," Diaz said.

As for the future, Diaz predicts greater use of mobile for both browsing and buying during the holidays. In the next five years, he also sees a sharp rise in the use of mobile wallets.


Symantec acquiring LifeLock for $2.3 billion

Deal helps Symantec expand beyond computer software products

A major software security firm is buying a leading identity theft prevention service. Symantec, which produces Norton anti-virus software, is acquiring LifeLock in a deal valued at $2.3 billion.

The boards of directors of both companies have already signed off but LifeLock shareholders will have the final say. Assuming they approve and other customary closing conditions are met, the deal should close in the first quarter of next year.

The acquisition marks the continued expansion of Symantec beyond the traditional anti-virus software products that fueled its initial growth. In an interview with Reuters, Symantec CEO Greg Clark said sales of Norton products have faced headwinds in recent years because of a decline in the number of personal computers in homes and offices.

Symantec said its acquisition of LifeLock will combine a leader in consumer security with a leading provider of identity protection and remediation services. It says the result will be the world’s largest consumer security business, providing a wide range of services and earning over $2.3 billion a year in estimated revenue.

New dimension to protection

“People’s identity and data are prime targets of cybercrime. The security industry must step up and defend through innovation and vigilance,” said Dan Schulman, Symantec Chairman. “With the acquisition of LifeLock, Symantec adds a new dimension to its protection capabilities to address the expanding needs of the consumer marketplace.”

There's little question that protecting against cyber crime is a growth industry. An estimated one-third of U.S. consumers have been victims of some sort of hack. As consumer concern about the threat grows, the industry has expanded its services.

LifeLock offers identity theft services, monitoring clients' credit files for new account openings and credit applications. It also offers services to help consumers recover from an identity theft.

In the previous decade some of its marketing practices ran afoul of federal regulators. As recently as last year the Federal Trade Commission charged that LifeLock violated a 2010 settlement in which it agreed to stop making deceptive claims about its identity theft protection service.

For its part, LifeLock sees a merger with one of the largest computer security firms as a win-win for both companies. LifeLock CEO Hilary Schneider says the combined companies can deploy enhanced technology and analytics to improve services to consumers.


How to protect your devices from hackers

In the age of the 'Internet of Things,' security is a top priority

Late last month, a massive distributed denial-of-service (DDoS) attack made many popular sites, including Netflix, Amazon, and Twitter, unreachable for hours. The attackers did it by hijacking a very large number of internet-connected devices and directing them all to flood the target with requests at the same time, overwhelming it.

Experts have warned that similar attacks could easily be repeated, and that shoring up security on products in the vast “Internet of Things” (IoT) should be a primary objective. While doing so will be a massive, ongoing undertaking, there are some things consumers can do to make their own devices harder for attackers to hijack.

The Washington Post has reported that knowing which devices are vulnerable and how you can protect them can keep your private information safe and prevent future large-scale attacks.

How to spot an IoT device

The first step to protecting yourself from hacking attempts is knowing which of your devices are susceptible to them. Unfortunately, from a security standpoint, the number of IoT devices is increasing at a dramatic pace; some experts estimate that there will be as many as 30 billion connected devices by the year 2020.

The simple way to identify an IoT device is to check whether it connects to the internet or shares information over a wireless network. Consumers will readily recognize computers and smartphones, but less obvious devices such as security cameras, DVRs, and smart home technologies like thermostats also qualify.

Protecting your devices

Unless these devices are protected by a strong, unique password, a savvy attacker can take control of them and use them for nefarious purposes. So, to prevent that, always change the default password on any device that connects to the internet; the user manual explains how for most devices.

If the manual doesn't cover it, try a web search for “default [product name] login and password.” Once you have the credentials, you can log in and change the password. Note that changing the password in a device's web interface does not always cover other services the device exposes (some devices keep a separate, fixed login for remote administration), so also install firmware updates when the manufacturer offers them and turn off remote-access features you don't use.

Another path that consumers might take is choosing not to buy certain products with online connectivity. While it may be useful for certain electronic gadgets, is it really all that important to have a refrigerator that can go online? If that answer for you is no, and you can’t password protect it, then maybe consider buying a different product.

If you are worried about the connectivity of any of your devices, you can always contact the manufacturer for more information. The Department of Homeland Security also publishes public alerts on security issues, vulnerabilities, and exploits on its website.


Adult Friend Finder data breach may be largest on record

More than 400 million adult website accounts may have been compromised

People who have had accounts on a number of adult websites over the last 20 years could be in for a bit of an embarrassment.

LeakedSource.com reports the Friend Finder Network, which operates AdultFriendFinder.com, a self-described “sex and swinger” match service, has suffered a massive data breach.

It reports AdultFriendFinder.com, by itself, suffered a hack of 339 million accounts, including 15 million that had been deleted. Accounts were also compromised on Cams.com, Stripshow.com, iCams.com, and Penthouse.com.

'Biggest we've ever seen'

LeakedSource reports the hack occurred last month and is “by far the largest data breach we have ever seen.” It also says 99% of account passwords were recoverable: some were stored in plain text, and the rest as an unsalted SHA-1 hash of the lowercased password, which was easy to crack.
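To show why that storage choice matters, here is an added example (not code from LeakedSource or Friend Finder Network) that puts three approaches side by side on a constructed set of users and a constructed five-word list: plain text, an unsalted SHA-1 digest of the lowercased password, and a salted, iterated PBKDF2 derivation. The `crack_unsalted` routine is what an attacker does with the second scheme: hash the wordlist once and look every user up in that single table. The user names, passwords, wordlist and iteration count are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example (not from the breach).
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou"]
USERS = {"alice": "Password", "bob": "letmein", "carol": "Tr0ub4dor&3"}


def store_plaintext(password: str) -> str:
    """Scheme 1: the password itself is the record. A database dump is the breach."""
    return password


def store_sha1_lowercased(password: str) -> str:
    """Scheme 2: unsalted, fast digest over a lowercased password.
    Lowercasing shrinks the search space, and the missing salt means one
    precomputed table serves every user in the dump."""
    return hashlib.sha1(password.lower().encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, iterations: int = 200_000) -> str:
    """Scheme 3: per-user random salt plus a deliberately slow derivation.
    The stored string carries everything needed to verify later.
    (200,000 iterations is an assumed cost for this example.)"""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, dk_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_unsalted(stored_hashes: dict, wordlist: list) -> dict:
    """What an attacker does with scheme 2: hash the wordlist once, then look up
    every user's hash in that table. Cost is O(wordlist), not O(users * wordlist)."""
    table = {hashlib.sha1(w.lower().encode("utf-8")).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


def demo() -> dict:
    """Run all three schemes over the constructed users and report what leaks."""
    sha1_db = {u: store_sha1_lowercased(p) for u, p in USERS.items()}
    pbkdf2_db = {u: store_pbkdf2(p) for u, p in USERS.items()}
    return {
        "plaintext_leaks": {u: store_plaintext(p) for u, p in USERS.items()},
        "sha1_cracked": crack_unsalted(sha1_db, WORDLIST),
        "pbkdf2_verify_alice": verify_pbkdf2("Password", pbkdf2_db["alice"]),
        "pbkdf2_reject_lowercase": verify_pbkdf2("password", pbkdf2_db["alice"]),
        # Same password, two records, two different salts: no shared table possible.
        "pbkdf2_salts_differ": store_pbkdf2("letmein") != store_pbkdf2("letmein"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run with python3: the output shows the two weak-password users recovered from the SHA-1 column in a single pass (note that alice's "Password" comes back as "password", since lowercasing before hashing threw her capitalization away), while the PBKDF2 records accept the correct password, reject its lowercased variant, and differ for two users who chose the same password. Tune the iteration count so that one verification costs roughly 100 ms on your own hardware.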

The potential for social disruption is high, since this is exactly what happened when the cheating website Ashley Madison was hacked last year. Perhaps with that experience in mind, the staff at LeakedSource said it has decided not to make the leaked data from the latest batch of adult sites searchable.

In the case of the Ashley Madison hack, the attackers purposefully singled out the site because it promoted extra-marital affairs. The hackers also said they wanted to expose what they said was a lie, claiming the site did not delete accounts, even though consumers paid extra to have their information removed.

Deleted accounts weren't deleted

LeakedSource said it found something similar among the hacked Friend Finder data. It said there were more than 15 million accounts with an email in the format of email@address.com@deleted1.com.

“We've seen this situation many times before and it likely means these were users who tried to delete their account but the data is obviously still kept around because you know, we're looking at it,” LeakedSource writes.

LeakedSource raises the possibility that the emails were modified by Friend Finder personnel to prevent their removal. The company said the breach of over 400 million accounts makes it the largest on record, even beating the MySpace breach, which compromised 360 million accounts. It also says it's the second Friend Finder breach in two years, with the first occurring in May 2015.


Adobe settles 2013 data breach with 15 states

Nearly three million consumers were affected

Hackers were able to break into servers operated by Adobe Systems and get access to the personal information of nearly three million consumers in 2013.

Now, the software company has reached a settlement with 15 states that brought actions on behalf of residents. The states claimed that Adobe did not take “reasonable security measures” to protect the data, similar to the charges leveled against other large companies that have suffered data breaches.

The settlement requires Adobe to pay $1 million, to be divided among the 15 states. It also requires the company to adopt stronger security protocols, if it has not already done so.

"Consumers should have a reasonable expectation that their personal and financial information is properly safeguarded from unauthorized access," said Connecticut Attorney General George Jepsen.

Jepsen praised Adobe for working in good faith with the states bringing the action and said it deserves credit for that.

“Companies have a responsibility to consumers to protect their personal information, and this settlement will ensure Adobe establishes stronger safeguards in the future,” said Illinois Attorney General Lisa Madigan.

How the breach occurred

In September 2013, Adobe learned the hard drive for one of its application servers was closing in on its capacity. After getting an alert, Adobe learned that an unauthorized attempt was being made to crack encrypted customer payment card numbers residing on the server.

Adobe was able to stop the decryption process and disconnected the server from the network. However, it found the attacker had compromised a public-facing Web server and used it to access other servers on Adobe’s network. In the end, the hacker was able to make off with encrypted payment card numbers and expiration dates, names, addresses, telephone numbers, e-mail addresses, and usernames, as well as other data.

“This case is yet another example of the importance of protecting your personal and financial information,” said Indiana Attorney General Greg Zoeller. “I continue to be an advocate for Indiana’s credit freeze protections and encourage all Hoosiers to place credit freezes with the major credit bureaus.”

States participating in the settlement include Arkansas, Connecticut, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North Carolina, Ohio, Oregon, Pennsylvania, and Vermont.


Privacy groups generally pleased with new broadband rules

Now they'd like to see the rules expanded to other areas of the internet

The Federal Communications Commission (FCC) has gotten mostly praise from privacy and consumer groups for its new rules giving internet users more control over how their internet service provider (ISP) uses their personal information.

On one hand, they say the rules are a huge improvement over the status quo. On the other hand, they say the protections could have been more extensive.

There are three main provisions that give consumers the power to determine whether, and to what extent, their ISP may profit from the information it collects about them.

What the rules do

First, consumers must specifically agree, by “opting in,” to allow their sensitive information to be shared with anyone else. The rule specifies which categories of information are considered sensitive. These include your location, financial data, health information, children’s information, Social Security numbers, web browsing history, app usage history, and the content of communications.

ISPs may use customers' non-sensitive data unless the customer specifically opts out. Non-sensitive information might include email addresses or service-tier information.

ISPs do not need permission to use customer data to bill and collect for services. For sensitive information, consumers need do nothing: an ISP may not use or share it for other purposes until the customer opts in. For non-sensitive information the default runs the other way, and consumers must take the step of “opting out” if they want to block the ISP from using it.

Reaction

Privacy advocates generally hailed the move. Gaurav Laroia, policy counsel for Free Press, said the new rules aren't perfect but make big strides forward.

“That’s because under any sensible interpretation of the communications laws that govern the FCC, the companies that carry all of our speech online have no business profiting from all the information they gather without our consent,” he said in an email to ConsumerAffairs. “Today’s rules simply give people more choice when it comes to safeguarding their most private conversations and decisions online.”

Consumer Watchdog also welcomed the new policy, but said it would like to see these rules extended to cover the rest of the internet.

"Today's FCC action gives broadband users significant control over their information. It's a major step forward in protecting consumers' privacy," said John M. Simpson, Consumer Watchdog privacy project director. "But the FCC action only covers ISPs.”

Simpson said the rules should also cover the so-called internet edge providers like Google, Facebook, Twitter, and Amazon. He held out the possibility that extension could take place through legislative action.

Even parts of the industry found things to like in the rules. The Wireless Internet Service Providers Association (WISPA) said the final rules are much better than the FCC's original draft, and praised the agency's “sensitivity” to the concerns of small, mostly rural wireless ISPs.

But the group said it remains concerned that certain uses of non-sensitive customer information will be subject to opt-in consent.


Verizon executive says the company needs more information on the Yahoo data breach

What they find out could affect how much they pay for their acquisition

It’s been a little over a month since Yahoo confirmed details of its massive data breach, which compromised information on roughly 500 million user accounts. When the news broke, many people speculated whether it would affect Verizon’s acquisition of the company – a deal that had been struck in July for around $4.8 billion.

Those rumors began heating up at the beginning of the month when reports suggested that Verizon was pushing for a $1 billion discount because Yahoo had not disclosed information about the breach. And now, only a couple of weeks later, talk is swirling about what Verizon actually intends to pay.

According to a report from Reuters, a Verizon executive stated at a tech conference that buying up Yahoo still made good business sense. However, she said that Verizon still needed more information about the breach, which will ultimately affect how much the company plans to pay.

“I’ve got an obligation to make sure that we protect our shareholders and our investors, so we’re not going to jump off a cliff blindly,” said Marni Walden, president of Product Innovation and New Businesses at Verizon.

Uncertain future

As we reported previously, the Yahoo acquisition gives Verizon a lot of advantages. The company acquired AOL back in 2015, and combining it with Yahoo would give the company a strong competitive rival to the likes of Google and Facebook in the digital advertising market.

At the conference, Walden showed her enthusiasm for the prospective combination, pointing out that the deal could allow Verizon to cater more to brands, since Google and Facebook focus more on social media and search, respectively. “We can help other brands build inside of a very open, friendly marketplace,” she said.

However, not having all the information on Yahoo’s data breach could be a sticking point. When asked if Verizon could potentially back out of its acquisition deal, Walden was non-committal, simply asking for the next question. Leaving the door open in this way certainly won’t make the folks over at Yahoo sleep any easier.


Experian reports many organizations still open to cyber attack

Many have developed plans but fewer have updated them

As a consumer, you trust your personal information to countless businesses and organizations.

You trust your doctor to keep your health records private, your mortgage company to protect your financial information, and your bank to secure your money from cyber attack.

However, a new report from Experian Data Breach Resolution presents a mixed picture on whether that trust is misplaced.

On one hand, the report found the number of organizations that have prepared a plan to deal with and prevent data breaches rose from 61% in 2013 to 86% this year. But it also found only 38% have fixed procedures and timelines for reviews and updates.

In fact, 29% of organizations haven't conducted a review or update since the plan was put in place.

No substitute for being prepared

"When it comes to managing a data breach, having a response plan is simply not the same as being prepared," said Michael Bruemmer, vice president at Experian Data Breach Resolution.

Bruemmer said it seems some organizations are simply “checking the box” when it comes to cyber security. He says developing a plan is only the first step in an ongoing process that unfortunately, must evolve to keep current with threats.

Of all the threats out there, ransomware appears to be growing fastest and poses the greatest risk to organizations. Attackers who find the weakest link in a corporate network can encrypt files on every system they can reach, making them inaccessible until a ransom is paid.

725 breaches so far this year

The Identity Theft Resource Center (ITRC) keeps a running count of reported data breaches in the U.S. As of early October, it had counted 725 successful breaches, with nearly half involving health care records.

These records, which usually include extensive personal history, including Social Security numbers, make it easy for hackers to steal identities.

The Experian report is not all bad news. For example, it shows 58% of organizations have increased their level of preparedness. But Bruemmer says that number needs to be higher to ensure the safety of U.S. consumers.

"Investing in breach preparedness is like planning for a natural disaster,” he said. “You hope it will never happen, but just in case, you invest time and resources in a response plan so your company can survive the storm."  


Debt collection companies sued for $10 million over robocalls

Prosecutors say that consumers were harassed even if they didn't owe any money

Debt collection company iQor, along with its subsidiary Allied Interstate LLC, have been sued for $10 million by four district attorneys in California. The state officials said that the companies violated a number of consumer protection acts when they used automatic dialing systems to harass consumers with robocalls.

The complaint states that consumers were hounded by these calls for months, even when they owed no money. Prosecutors say that one consumer from San Jose received 126 calls in less than a month, while another man from Sunnyvale received 88 calls over a three-month period until he finally blocked the number.

iQor has defended its actions, and the actions of its subsidiaries, saying that the district attorneys were too quick to “suspend productive dialogue” centered around Allied’s “long-retired debt collection practices in favor of protracted litigation.”

“Allied enjoys an A-plus rating from the Better Business Bureau, is currently under no material regulatory restrictions at the federal or state level and is committed to consumer protection both within the state of California as well as the rest of the country,” said iQor officials in a statement. “Allied looks forward to defending this matter and continuing to improve its collection practices as industry expectations evolve.”

Violations

The charges do not look favorable for either of the companies, though. Prosecutors say that both firms violated a number of provisions from California’s Rosenthal Act, the state’s constitutional right to privacy, and the federal Telephone Consumer Protection Act – which forbids companies from using automatic dialing systems to call consumer cell phone numbers without consent.

The district attorneys also charged that the companies violated established consumer protections by calling before 8 a.m. and after 9 p.m. The companies also allegedly tried to collect debts that had previously been discharged during bankruptcy.

It isn’t the first time that Allied has faced regulatory scrutiny. From 2004 to 2011, the company was embroiled in several legal battles with state agencies across the country, including cases in Minnesota, Arizona, West Virginia, Maryland, Oregon, California, Florida, and Ohio. The company also paid $1.75 million to the FTC in 2010 for harassing consumers and trying to collect debts from the wrong people.


Banks increasingly coming under cyberattack

Four in 10 consumers say their accounts have been compromised

Banks and other financial institutions spend billions of dollars on information and data security, mainly because they are such lucrative targets for cybercriminals.

Yet despite this spending and proactive defense, more than one-third of consumers say their personal bank accounts have been compromised. Almost 80% of financial institutions admit hackers have penetrated their defenses within the last two years.

These facts turned up in a new study by KPMG, which says banks can turn this negative into a positive.

"Financial institutions have a real opportunity to solidify trust with their customers by demonstrating that security is a strategic imperative, and that they are taking every possible precaution to protect consumers," said KPMG's Jitendra Sharma. "Consumers have a lot of options in this environment, so companies must get it right as the battle for customers is fierce."

Holding banks to a high standard

Indeed, consumers hold banks to a high standard. The survey showed that 37% said they would switch banks if their current financial institution did not cover their losses from a cyberattack. Nearly as many would leave if the bank didn't get out in front of the incident and acknowledge it in a timely manner.

In spite of the high-frequency attacks, the survey found the financial sector is the most proactive when it comes to defending against cyberattacks. About two-thirds of the financial sector executives polled for the study said their companies had invested in data security in the past year.

Not even the Federal Reserve has been exempt from cyberattack. A CNN report in June said the Fed has been under “constant” cyber-attack since at least 2011. The network listed at least 50 reported incidents it labeled as “unauthorized access” or “information disclosure.”

How consumers can help

The American Bankers Association (ABA), meanwhile, says there are steps consumers can take to make their banking transactions more secure. Its most basic tip is to use long, random passwords that are unique to each account, avoiding pet names and other predictable combinations.

It says consumers should also monitor their accounts on a regular basis. Don't just do it when the monthly statement arrives.

Also, make sure computers and mobile devices are protected from viruses and malware. Don't give out your personal financial information in response to an unsolicited email, no matter how official it may seem. The ABA says your bank will never contact you by email asking for your password, PIN, or account information.  


Eddie Bauer reports data breach

It's the second retail intrusion report this week

If you recently used a debit or credit card at Eddie Bauer, your card information could be compromised.

The company reports its point of sale systems at its stores were infected with malware, giving hackers access to payment card data. If you used a card to make an online purchase at eddiebauer.com, no worries – the online portal was not affected.

According to the investigation, in-store payments between January 2 and July 17 may have been compromised. “May have been,” because the company says not all cardholder transactions during this time were affected. The problem is, there is no way to know which ones were and which ones weren't.

“The security of our customers’ information is a top priority for Eddie Bauer,” said Mike Egeck, Chief Executive Officer of Eddie Bauer.

Egeck says Eddie Bauer has already beefed up its cyber-security and no customers will be responsible for any fraudulent charges to their accounts.

Getting to be a common occurrence

This is just the latest in a string of data breaches in which hackers have targeted large retail operations. Security experts say these targets are more attractive than individual consumers because the payoff is potentially much greater.

In recent years, major retailers like Michaels, Target, and T.J. Maxx have been victims of point-of-sale data intrusions. Earlier this week, a major hotel operator announced it had become a victim.

On Monday, HEI Hotels & Resorts, which operates Hyatt, Sheraton, Marriott, and Westin hotels, revealed that hackers had penetrated the company's point-of-sale systems. Card data from consumers who used a card at the bar or to pay for a room may have been compromised, the company said.

HEI reported malware in its system at 20 hotels across the country and says that data collection may have started as early as March, 2015.

What do you do now?

Eddie Bauer says not all transactions at its stores were affected, but it is still offering identity protection services to everyone who used a card to make a purchase during the period of the breach. The company said it has contracted with Kroll to provide free service for 12 months.

Additionally, consumers who used a debit or credit card at Eddie Bauer during the affected period should notify their card issuer and ask for a new card.

It is also a good idea to go back and review account statements beginning in January to look for unauthorized charges that might have been overlooked.


Google loses a round in Gmail wiretap case

A class action suit charges that Google wrongfully intercepts emails to inject ads

It has come to seem ordinary that California-based Google scans your Gmail before delivering it, then inserts advertisements that correspond to the subject being discussed.

But a class action lawsuit argues that the practice is anything but ordinary in the legal sense: it says the scanning is an interception that violates the California Wiretap Act, which prohibits interceptions except when they are part of the "ordinary course of business."

U.S. District Court Judge Lucy Koh handed a round to the plaintiffs last Friday, rejecting Google's claim that the practice is an ordinary part of how emails are delivered, Courthouse News Service reports.

In a 38-page ruling, Koh said intercepting emails to inject ads into them is not necessary or intrinsic to the email process and is done only so that Google can use the data it intercepts to display ads.

Too early

Google had moved for dismissal of plaintiff Daniel Matera's suit, arguing that it could not provide free email service without the targeted ads. But Judge Koh said it was too early to introduce the argument that intercepting email is part of the ordinary course of business, as Google had contended.

Matera's suit argues that Google is intercepting consumers' mail for commercial purpose, in violation of the state's Wiretap Act.

Matera has claimed that he is not a Google customer and thus does not benefit from Google's free email service. Nevertheless, he said, his emails to and from Google customers have been intercepted. He also argues that Google sells some of the data it intercepts.

Similar cases are pending, including one filed by a group of universities who say that Google wrongfully mines students' data.


Fertility apps present privacy issues women may not have considered

The apps may be helpful but they could also reveal more than users expect

There are apps that will track just about everything, including women's menstrual cycles. The goal is to get more precise fertility information, but an unwanted side effect could be leakage of very personal information.

Consumer Reports recently took a careful look at Glow, one of the more popular fertility apps, and found that its access controls were weak. In fact, the magazine said, anyone who knew a user's email address could potentially access that person's data, including the last time they had sex, what kind of sex it was, how many drinks they'd had, and other information most people wouldn't knowingly disclose to the world, let alone to stalkers and abusive spouses and exes.

Glow was quick to fix the problem after Consumer Reports pointed it out, but the episode illustrated the risks users of similar apps face, The Washington Post reported.
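As an added illustration of the class of flaw Consumer Reports described (this is not Glow's code, and this article does not say how Glow's backend was actually built), the Go program below contrasts a record lookup that trusts a client-supplied email address with one that identifies the caller from a session token and returns only that account's own entries. The users, notes and session tokens are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// Entry is one diary record of the kind the article describes.
type Entry struct {
	Owner string // email of the account that created the entry
	Note  string
}

// Constructed sample data: records keyed by the owner's email.
var entries = map[string]Entry{
	"alice@example.com": {Owner: "alice@example.com", Note: "cycle day 14; 2 drinks"},
	"bob@example.com":   {Owner: "bob@example.com", Note: "cycle day 3"},
}

// Constructed session table: bearer token -> authenticated account.
var sessions = map[string]string{
	"tok-alice": "alice@example.com",
	"tok-bob":   "bob@example.com",
}

var (
	ErrUnauthenticated = errors.New("unauthenticated")
	ErrForbidden       = errors.New("forbidden")
	ErrNotFound        = errors.New("not found")
)

// LookupVulnerable keys the record solely on what the client sends.
// Knowing a victim's email address is enough to read their entries.
func LookupVulnerable(email string) (Entry, bool) {
	e, ok := entries[email]
	return e, ok
}

// LookupHardened resolves the caller from the session token and refuses
// any request for an account other than the caller's own. The comparison
// happens before the store is consulted, so a rejected request also does
// not reveal whether the other email address has an account.
func LookupHardened(token, email string) (Entry, error) {
	owner, ok := sessions[token]
	if !ok {
		return Entry{}, ErrUnauthenticated
	}
	if email != owner {
		return Entry{}, ErrForbidden
	}
	e, ok := entries[owner]
	if !ok {
		return Entry{}, ErrNotFound
	}
	return e, nil
}

func main() {
	// Attacker knows only the victim's email address.
	if e, ok := LookupVulnerable("alice@example.com"); ok {
		fmt.Println("vulnerable: attacker reads", e.Note)
	}
	// Same request against the hardened lookup, using the attacker's own session.
	if _, err := LookupHardened("tok-bob", "alice@example.com"); err != nil {
		fmt.Println("hardened: attacker gets", err)
	}
	if e, err := LookupHardened("tok-alice", "alice@example.com"); err == nil {
		fmt.Println("hardened: owner reads", e.Note)
	}
}
```

The fix is not a stronger lookup key but a different one: the identity comes from the authenticated session, and the client-supplied identifier is only ever checked against it.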

Glow has said that it has helped more than 150,000 couples conceive and claims that women who carefully track their ovulation cycles in the app were 40 percent more likely to become pregnant than more casual users.

Gray zone

The magazine, published by non-profit Consumers Union, noted that Glow and similar apps fall into a regulatory gray zone -- many of them are not covered by HIPAA, the federal health privacy law that protects information shared with healthcare providers.

While the Glow vulnerabilities have been addressed, health and privacy advocates are concerned about the thousands of other apps and forums that women are using to reveal highly personal information without fully considering the possible consequences. 

Besides the risk of any individual's data being revealed, there is also the question of how data gathered by the apps are treated in the aggregate. Is the data used for medical research, marketing research, or for behaviorally targeted advertising? Is it sold to third-party "big data" bundlers? Some apps' privacy policies may have answered these questions, but others may consist of indecipherable legalese.

While medicines and medical devices undergo stringent testing before being approved for use on patients, there are no such restrictions on apps and online tools. 

Women who ask their doctors for advice are likely to find that the doctor knows no more than the patient about the vulnerabilities of any specific app, which means that it is once again buyer -- or perhaps user -- beware. 


Why using your bank's ATM could be dangerous

Kaspersky Lab says cybercriminals can plant malware in ATMs

Consumers have been warned that using debit cards is inherently more dangerous than credit cards. If thieves manage to steal your debit card information, they can clean out your bank account.

There have been numerous accounts of identity thieves planting “skimmer” devices on ATMs and gasoline pumps. A skimmer typically reads the card's magnetic stripe through an overlay on the card slot, while a fake keypad fitted over the real one, or a pinhole camera, records the PIN as it is entered.

But these skimmers are now old-fashioned, and consumers have been cautioned to inspect card slots and keypads before they punch in their PINs. So some thieves have become more clever and diabolical. They hijack the ATM itself, turning it into one big skimmer.

Security company Kaspersky Lab says one of its teams recently made the discovery while investigating an incident report at an unnamed bank. The team found traces of Skimer malware on one of the bank's ATMs. The cybercriminals had planted it sometime earlier, but had not activated it.

Backdoor.Win32.Skimer

The Kaspersky team believes the thieves gained access to the bank's ATM system, either physically or by hacking into the bank's network. After that, they installed Backdoor.Win32.Skimer, malware that infects the core of the ATM, which controls the ATM's interaction with the banking infrastructure, including cash processing and credit cards.

Even though the cybercriminals have full control over the compromised ATMs, Kaspersky says they move slowly and deliberately, not wanting to raise suspicions. They no longer need the fake card readers that are getting easier to spot. Instead, when they throw the switch, they turn the entire ATM into a skimmer.

The malware allows the thieves to withdraw all the money in the ATM, or to intercept data from all debit cards used at the machine, which will continue to work perfectly.

Obvious problem

The problem is fairly obvious. There is no way for a consumer to tell whether the machine they're using to withdraw money is stealing their card's data.

The security firm says most cybercriminals successfully breaching an ATM won't steal money directly. Rather, they'll use the software to steal debit card data, because they can do it for months before their scheme is uncovered.

They make duplicate cards using the stolen data and use those cards in uninfected ATMs to withdraw large amounts of cash.

Countering the threat isn't easy, but Kaspersky recommends banks undertake regular AV scans and upgrade security systems and policies. The company said its investigation is ongoing, and that it is sharing intelligence with the banking industry.

Financial losses due to skimming continue to mount. A year ago FICO Card Alert Service reported a 173% year-over-year increase in card and PIN skimming points at bank-owned ATMs. At the same time, it said compromised merchant debit card transaction points had declined sharply.


Supreme Court casts doubt on privacy class-action cases

The issue boils down to the "concreteness" of the damage allegedly suffered by consumers

The U.S. Supreme Court today dealt a blow to privacy class-action cases that do not clearly establish that plaintiffs have been harmed, but it side-stepped setting any major precedents. The case involved information published by Spokeo, a "white pages" website that claims to provide accurate information about individuals.

Plaintiff Thomas Robins charged in the suit that Spokeo's site contained information about him that was incorrect and said that this had resulted in damage to his reputation and job prospects. He alleged that this constituted a violation of the federal Fair Credit Reporting Act (FCRA) of 1970.

But in a 6-2 decision written by Justice Samuel Alito, the high court vacated a February 2014 ruling by the Ninth Circuit Court of Appeals, which had held in Robins' favor.

The trial court had originally dismissed Robins' case, saying he had not shown an injury, but the Ninth Circuit disagreed and reinstated the case. Spokeo then appealed, leading to today's Supreme Court ruling, which turned on the precise nature of Robins' injury. The Court held that while the Ninth Circuit had found the alleged injury "particularized," it had not considered whether the injury was also "concrete," as standing requires.

Legal experts said the issue remains far from settled. 

Craig A. Newman, a partner with Patterson Belknap Webb & Tyler LLP and chair of its privacy group, called it "a bit of a lateral pass back to the appellate court."

"Not surprisingly, the Court was focused on whether there was a concrete enough injury to allow standing. It concluded that this issue wasn’t given proper attention by the appellate court, and sent it back on those grounds,” Newman said.

FCRA requirements

The suit alleged that by setting itself up as a "people search engine," Spokeo had fallen under the requirements of FCRA, which apply primarily to consumer credit reporting agencies.

FCRA requires consumer reporting agencies to follow certain procedures to ensure the accuracy of their reports, limits the use of reports for employment purposes, and requires posting a toll-free number for consumers to request reports.

Robins, 29, alleged that his Spokeo profile "states that he is married, has children, is in his 50’s, has a job, is relatively affluent, and holds a graduate degree" yet, according to Robins’ complaint, all of this information is incorrect. 

The high court did not definitively rule on whether Robins' injuries were sufficient to warrant legal action, merely returning the case to lower courts for adjudication.

It also dodged ruling on whether a mere statutory violation is sufficient grounds for consumers to bring suit. 

Newman noted, however, that both Justices Ruth Bader Ginsburg and Sonia Sotomayor dissented from the ruling, saying they "concluded that misinformation about a consumer, such as educational information, family circumstances and economic status, was enough to satisfy the concreteness threshold that this sort of information – at the beginning of a lawsuit – could cause the plaintiff actual harm."

"So there are two votes in favor of allowing the case to move forward,” Newman said.


Protecting yourself from credit card fraud

Fraud becoming more common, but not more costly for consumers

Having someone steal your credit card information and use it to run up unauthorized purchases can be an unnerving experience. But in reality, it's not a costly one. At least not for the victims.

A new report by MagnifyMoney shows most consumers who experience credit card fraud do not suffer a financial loss. The survey finds credit card companies are living up to promises of $0 liability in case of fraud.

Of course, it's a little easier for credit card issuers to do that now: since the EMV liability shift last October, liability for counterfeit-card fraud at the point of sale can fall on merchants that have not adopted chip readers. But even before that transition took place, MagnifyMoney found that 96% of credit card fraud victims never had to pay a dime.

While 22.1% of consumers have reported credit card fraud, 93% of those incidents involved a criminal compromising a card, not the cardholder's identity. There is a very clear distinction.

Difference between account and identity fraud

When someone gains access to your credit card information, he or she can use it to buy things, at least until the issuer finds out and blocks further transactions. But if a criminal opens a new credit card account in your name, because he or she has stolen your identity, that's a much more dangerous event, since it could be months before the fraud is discovered.

Nick Clements, the co-founder of MagnifyMoney, says consumers need to realize that some type of fraud will probably affect them at some point, and preventing it is probably going to be a difficult task. That said, he notes consumers can play a big role in reducing its effects.

“Our effort should be focused on early detection and rapid reporting of any credit card fraud,” Clements said.

That can be aided, he says, by using available tools to detect fraud early and avoid financial loss.

Doubts about chip cards

The new chip-and-signature cards are supposed to bring credit card fraud to a halt, but Clements expresses some doubts. He says chip cards may help reduce counterfeit-card fraud at physical locations, but they provide no additional security for online and mobile transactions, where the chip is never read.

Additionally, many retailers – and even law enforcement – have said someone with a stolen credit card can easily forge a signature. Without requiring a PIN to complete the transaction, they say the new cards are less secure.

Many retail locations that have installed the new chip card readers still are not using them. Clements says there have been many complaints about transaction times. The survey showed that 20% of respondents complained that the chip cards are “painfully slow.”

What to do

The Federal Trade Commission (FTC) has some advice to protect yourself against credit card fraud. It starts with keeping your card in a secure place at all times. It also suggests making a list – on paper, not electronically – of all your credit card numbers and the issuers' contact information, so you can quickly report any suspicious activity.

Other tips include:

  • Don't give your credit card information to anyone over the phone unless you initiated the call
  • During a transaction, try not to let your card get out of your sight
  • Check your bills for unauthorized activity as soon as they are available

ATM scams surged in 2015

Number of compromised cash machines rose over 500%

Automated Teller Machines (ATM) have become so common that there is an entire generation that can't remember going inside the bank to cash a check. Most of us trust these machines without giving them a second thought.

New research from FICO, an analytic software firm, suggests that this trust could be misplaced. It reports the number of ATMs compromised by criminals rose 546% in 2015. The total number of compromised ATMs was the highest ever recorded.

ATMs can become compromised when a criminal installs a “skimmer” on the machine. The skimmer, usually an overlay on the card slot, copies the card's magnetic stripe data as the card is inserted, while a fake keypad fitted over the real one captures the PIN as the consumer keys it in. Together they give the criminal access to the consumer's bank account.

Instead of a fake keypad, the scammer might install a tiny camera aimed at the real one to record the PIN.

Quick hits

While the number of compromises rose sharply last year, the research found that the compromises didn't last as long, either because they were discovered, or more likely, because criminals reduced the time spent harvesting card data in an effort to reduce risk. T.J. Horan, vice president of fraud solutions at FICO, said it appears criminals are taking a “quick-hit” approach to ATM theft.

“They are moving faster to make it harder for banks to react and shut down the compromises,” Horan said in a statement. “They are targeting non-bank ATMs, which are more vulnerable — in 2015, non-bank ATMs accounted for 60% of all compromises, up from 39% in 2014."

A non-bank ATM is one you might find at a convenience store or public place, like a sports stadium.

In the past, FICO says ATM compromises tended to be concentrated in urban areas. That changed last year, with the scam showing up in small towns and rural areas, spread across the U.S. Horan says ATM operators need to be more aware of tampering but so do consumers.

What to do

"To protect themselves from this kind of fraud, cardholders should be more vigilant," he said.

Consumers should inspect an ATM before using it. If it looks strange, or has a very different interface than experienced in the past, it is prudent to go to another location. If you complete a transaction and suspect it has been compromised, be sure to contact your card issuer.

Check bank transactions regularly to look for unauthorized withdrawals. If your bank offers text or email alerts for suspicious activity, make sure you sign up for it.

ATMs for the most part are reliable and secure ways to get cash, but that safety and security shouldn't be taken for granted.


Choosing a home security camera -- local or cloud-based storage?

Each method has its benefits and drawbacks

Ensuring that privacy and security can be maintained in their homes is important to many consumers. But no matter where you live, there is always the chance that a break-in or other wrongdoing may occur.

To combat this problem, many people look to home security solutions like alarms – but perhaps one of the best things that a homeowner can install is a set of security cameras. But if you, like many others, don’t know the first thing about security cameras, then where do you start? To narrow down the choices, you may want to think about how you want your video stored.

According to a recent CNET article, you have two primary choices when it comes to storing video – either by local storage or cloud storage. While each offers a different set of benefits, choosing which one works best for you will depend on your security priorities.

Local storage

Local storage saves your security video clips just like it sounds – locally. Cameras that support local storage usually come with a slot where you can insert a microSD card, usually ranging from 16GB worth of storage to 128GB. Depending on the brand of camera you buy, you may have to go out and pick up a microSD card separately.

As is the case with many security systems, there are some options you can choose from in terms of what your camera will record. For those who want to make sure every second is recorded, the cameras can be set in continuous recording mode. If you’re less exacting, you can also set your camera to event-based recording mode. In this setting, the camera will only record when it detects motion, allowing you to get a little more out of your microSD card before you run out of space.

No matter what your preference is, when your card is finally full you can elect to overwrite the oldest footage and keep recording, or take the card out and review the footage. If you want to keep video that is already on the card but continue using the card in the camera, you will need a card reader (and often a microSD-to-SD adapter) to copy the footage to a computer first.

Cloud storage

For those who don’t want to buy any extra equipment, like the microSD cards, card reader, or adapter, cloud storage can provide an alternative that is a little more hands-off. Instead of physically having to manage a microSD card, cameras that operate using cloud storage save footage in – you guessed it – the cloud.

Depending on the service you use, your footage is sent to a remote server that is managed by a company. You will have to pay a fee to use the company’s service, which can vary in price. Currently, the cloud-based storage offered by Alphabet/Google for its Nest cameras costs $10 per month for 10 days of continuously recorded video history.

Which should you choose?

Local storage and cloud-based storage come with their own set of benefits, but choosing between them really comes down to your priorities. Local storage is preferred by many consumers because it gives you the most direct access to your video and keeps it off a third party's servers, but if you want to preserve video you will have to buy extra equipment, and managing the microSD cards manually could become tiresome after a while. It also has a weakness specific to its purpose: an intruder who takes or destroys the camera takes the only copy of the footage with it.

Cloud-based storage is much more hands-off in this regard, the footage survives if the camera is stolen, and you don’t have to worry as much about overwriting data. However, you will have to pay a monthly fee to access your video footage, and technical problems at the company hosting the servers could leave you unable to reach it at times. Also, since the video is held on a server, a breach at the provider or a compromise of your account could expose it, making privacy a concern. For either option, the account that controls the camera is usually the weakest point, so use a password unique to that service and enable two-factor authentication where it is offered.

Of course, video storage is not the only consideration when it comes to buying security cameras – it’s just a good starting point for narrowing down choices. Be sure to do your research before committing to any one course of action so that you can get the best home security that works for you.


New privacy rules proposed for Internet service providers

Consumers would get more control over how their data is used

The Federal Communications Commission (FCC) will consider new rules for Internet service providers (ISPs) that would limit their ability to use consumers' browsing habits to narrowly target ads.

Currently, when consumers browse online, looking at cars, furniture or books, ads for those kinds of products follow them around the Internet, popping up on other websites they visit. That's because consumers' browsing habits are a product, sold to marketers who want to make their ads more effective.

FCC Chairman Tom Wheeler has released a Notice of Proposed Rulemaking (NPRM) to give consumers tools to determine how that information about them is used and shared by their ISPs.

New privacy requirement

Under the proposal, the privacy requirements of the Communications Act would apply to broadband ISPs. The proposal will be voted on by the full Commission at the March 31 Open Meeting. Assuming it is adopted, it will be subject to a public comment period.

The proposed rule would allow ISPs to continue to use customer data for marketing and other communications-related services by their affiliates unless the customer opted out. If the ISP wanted to continue selling customer data to third-party marketers, it would have to get the customer's permission through an opt-in process first.

Wheeler also says the rule would place stronger security requirements on ISPs, noting that security protections are crucial to protecting consumers’ data from breaches.

Privacy group input

A number of privacy advocates have urged the FCC to implement stronger Internet privacy safeguards. In a recent letter to the agency, the Electronic Privacy Information Center (EPIC) lobbied for opt-in consent for the use of all customer data for marketing purposes. It said an opt-in framework would better protect individuals’ rights, and is consistent with most United States privacy laws.

The letter noted that the Family Educational Rights and Privacy Act, Cable Communications Policy Act, Electronic Communications Privacy Act, Video Privacy Protection Act, Driver’s Privacy Protection Act, and Children’s Online Privacy Protection Act all require individual consent before gathered information can be used for any secondary purpose.

Verizon Wireless settlement

Earlier this week the FCC reached a settlement with Verizon Wireless over its use of customer data and so-called “super cookies.” The settlement contained some of the same features contained in the proposed new rule.

Verizon Wireless agreed to allow customers to opt-out of its internal use of gathered customer data. It also agreed to an opt-in feature, saying it would not sell that information to third parties without a customer's consent.


Online payment portal Dwolla dinged for its security practices

Feds say consumers were deceived about the data security risks of using the online system

Regulators have served notice on a fast-growing online money-transfer business that it must safeguard consumers' private data and live up to the promises it makes about its security procedures.

The Consumer Financial Protection Bureau has ordered Dwolla to pay a $100,000 penalty for misleading consumers about its data security practices and instructed the company to fix its security practices.

Dwolla, based in Des Moines, Iowa, said the procedures questioned by the CFPB had taken place in earlier years and said it has improved its practices since then.

Dwolla, like others in the online payments business, takes much of the grunt work out of moving money online by simplifying the automated clearing house (ACH) process.

"Our ACH transfer platform securely verifies and connects your customers to their bank or credit union accounts for safe and quick transactions," the company says on its website, saying it offers "a fast, lightweight onboarding experience."

“Consumers entrust digital payment companies with significant amounts of sensitive personal information,” said CFPB Director Richard Cordray. “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”

Dwolla said it has more than 650,000 users and moves as much as $5 million per day. It noted it has not been hacked or experienced any known loss of consumer data. 

"Dwolla is glad to have come to a resolution with the CFPB regarding its investigation," Dwolla said in a blog posting. "The investigation covers a snapshot in time that ended almost two years ago, and the claim focuses on practices that trace to 2011 and 2012. Dwolla understands the Bureau’s concerns regarding the protection of consumer data and representations about data security standards, and Dwolla’s current data security practices meet industry standards.
"The CFPB has not found that Dwolla caused any consumer harm or created the likelihood of any consumer harm through its data security practices."

Safe and secure?

From December 2010 until 2014, Dwolla claimed to protect consumer data from unauthorized access with “safe” and “secure” transactions. But the CFPB said that, rather than setting “a new precedent for the payments industry,” Dwolla’s data security practices fell far short of its claims.


Mail carrier a key player in identity theft ring

Alabama postal worker stole customers' identities for use in phony tax returns

Identity theft seems like a high-tech crime, carried out by hacking into databases, harvesting purloined emails, and using phishing expeditions to trick consumers into revealing their private data.

But sometimes it's as simple as reading the name on your mail. That's what prosecutors say postal carrier Elizabeth Grant did. The Seale, Alabama, woman worked for years delivering mail. On the side, she stole the names and addresses of the people on her mail route and provided them to her co-conspirators.

Her accomplices prepared phony tax returns and when the government mailed out refund checks, Grant stole them and turned the checks over to her partners in crime, trial testimony indicated.

The scheme resulted in more than 700 false returns being filed and more than $1.5 million in tax refunds being stolen.

Grant pleaded guilty and was sentenced to more than five years in prison yesterday by a federal judge in Alabama. Several of her collaborators were sentenced earlier.


Cybercrime is big business and getting bigger

Researchers calculate the massive returns hackers get on stolen credit cards

In the last decade, hackers have shifted their primary targets from consumers' PCs to corporations' networks.

The payoff from breaking into your computer might not be so much. Getting into Target, on the other hand, could be huge.

Just how huge hasn't been widely appreciated, but researchers at Michigan State University recently calculated that even small-scale hacking operations are making millions of dollars in profits by targeting corporate databases and stealing credit and debit card data.

"In the past two years there have been hundreds of data breaches involving customer information, some very serious like the Target breach in 2013," Thomas J. Holt, Michigan State University criminologist and lead investigator of the study, said in a release. "It's happening so often that average consumers are just getting into this mindset of, 'Well, my bank will just re-issue the card, it's not a problem.' But this is more than a hassle or inconvenience. It's a real economic phenomenon that has real economic impact and consequences."

Black market in plain sight

Holt and his fellow researchers found online forums in English and Russian where criminals who stole personal information auctioned it off in batches of 50 or 100. Someone who buys the data can then try to access the victims' bank accounts or buy goods or services with the stolen cards.

Holt says, on average, a batch of 50 stolen credit or debit cards can bring between $250,000 and $1 million on the black market. Buyers consider it a reasonable price, since they can, on average, use those 50 or so cards to pull in between $2 million and $8 million.

Coordinated approach

Holt says there needs to be a more intensive, coordinated approach by law enforcement agencies around the world to crack down on cybercrime. He says consumers also need to understand the stakes.

"My goal is make people cognizant of just how much their personal information means, how much value there is," Holt said. "If we don't understand the scope of this problem, if we just treat it as a nuisance, then we're going to enable and embolden this as a form of crime that won't stop."

Security company McAfee estimates the annual cost of cybercrime to the global economy at more than $400 billion.


Fitness trackers aren't all that private, study finds

Canadian study finds all but the Apple Watch leak data

If you wear a popular fitness tracker to keep up with steps taken, miles walked, and calories burned, chances are you find it highly motivating. Some users have called it a personal trainer on their wrist.

But researchers at the University of Toronto say there is something consumers should know. Like any device that communicates wirelessly, most of these fitness trackers can expose data to anyone within radio range, and what they collect might not always be private.

In a study, researchers say they found there are major security and privacy issues in trackers made by Basis, Fitbit, Garmin, Jawbone, Mio, Withings, and Xiaomi. The researchers reached their conclusion after analyzing data transmissions between the Internet and apps for the fitness trackers.

The seven trackers communicate with smartphone apps over Bluetooth. The researchers say the Bluetooth signals leak a persistent identifier, so anyone with a receiver near the device could track the wearer's location over time.

They also report certain devices by Garmin and Withings transmit information without encryption. Someone would have to know how to intercept the data, they say, but if they had the knowledge, it could be done.

Apple Watch the exception

The only device that did not leak data in the study was the Apple Watch.

Andrew Hilts, one of the report’s authors, says the issue exists because each device broadcasts a fixed, unique identifier over Bluetooth at all times, including when the user assumes the device is not transmitting.

Hilts says the issue is easily resolved if device manufacturers implement an existing Bluetooth privacy standard. Until they do, he says, users will be vulnerable to location-based surveillance.
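The "existing Bluetooth privacy standard" Hilts refers to is taken here to be Bluetooth LE Privacy, in which a device advertises a resolvable private address derived from a secret Identity Resolving Key (IRK) and rotates it periodically, so that only a paired phone holding the IRK can link one address to the next, while a bystander sees an unrelated address each period. The Go program below is an added example, not code from the researchers or from any tracker vendor. It implements the Core Specification's ah() hash on top of the standard library's AES, generates and resolves addresses, and checks the hash against the specification's published sample data; byte order follows the spec's most-significant-first arithmetic presentation (on-air packets carry the same fields little-endian).

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// ah is the Bluetooth random address hash (Core Spec Vol 3, Part H, 2.2.2):
// ah(k, r) = e(k, r') mod 2^24, where r' is the 24-bit prand zero-padded
// to a 128-bit block and e is a single AES-128 encryption under the IRK.
func ah(irk [16]byte, prand [3]byte) [3]byte {
	c, err := aes.NewCipher(irk[:])
	if err != nil {
		panic(err) // a 16-byte key cannot fail here
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // prand in the least significant 24 bits
	c.Encrypt(out[:], in[:])
	var h [3]byte
	copy(h[:], out[13:]) // keep the least significant 24 bits
	return h
}

// addressFromPrand assembles a resolvable private address: prand followed by
// hash = ah(IRK, prand), 48 bits in all.
func addressFromPrand(irk [16]byte, prand [3]byte) [6]byte {
	h := ah(irk, prand)
	var addr [6]byte
	copy(addr[:3], prand[:])
	copy(addr[3:], h[:])
	return addr
}

// NewResolvableAddress draws a fresh random prand whose two most significant
// bits are fixed to 01 (marking the address as resolvable) and derives the
// address. A device regenerates one of these on a timer, so a passive
// observer cannot tell successive addresses belong to the same tracker.
func NewResolvableAddress(irk [16]byte) [6]byte {
	var prand [3]byte
	if _, err := rand.Read(prand[:]); err != nil {
		panic(err)
	}
	prand[0] = (prand[0] & 0x3f) | 0x40
	return addressFromPrand(irk, prand)
}

// Resolve reports whether addr was produced under irk. Only a party that
// holds the IRK (the paired phone) can recompute the hash; without it the
// address is indistinguishable from random.
func Resolve(irk [16]byte, addr [6]byte) bool {
	if addr[0]>>6 != 0x01 {
		return false // not a resolvable private address
	}
	var prand, h [3]byte
	copy(prand[:], addr[:3])
	copy(h[:], addr[3:])
	return ah(irk, prand) == h
}

// SpecVectorOK checks ah against the sample data in Core Spec Vol 3, Part H,
// Appendix D.7: IRK ec0234a357c8ad05341010a60a397d9b, prand 708194, ah 0dfbaa.
func SpecVectorOK() bool {
	b, err := hex.DecodeString("ec0234a357c8ad05341010a60a397d9b")
	if err != nil || len(b) != 16 {
		return false
	}
	var irk [16]byte
	copy(irk[:], b)
	return ah(irk, [3]byte{0x70, 0x81, 0x94}) == [3]byte{0x0d, 0xfb, 0xaa}
}

func main() {
	var irk, stranger [16]byte
	rand.Read(irk[:])      // constructed: the tracker/phone pair's shared IRK
	rand.Read(stranger[:]) // constructed: an IRK a bystander might guess
	a1, a2 := NewResolvableAddress(irk), NewResolvableAddress(irk)
	fmt.Printf("advertised this period: %x\nadvertised next period: %x\n", a1, a2)
	fmt.Println("paired phone links both:", Resolve(irk, a1) && Resolve(irk, a2))
	fmt.Println("bystander links either:", Resolve(stranger, a1) || Resolve(stranger, a2))
	fmt.Println("spec sample data reproduced:", SpecVectorOK())
}
```

The trackers in the study did the opposite of this: they advertised one fixed address, which is exactly the persistent identifier the researchers were able to follow.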

“We hope our findings will help consumers make more informed decisions about how they use fitness trackers, help companies improve the privacy and security of their offerings, and help regulators understand the current landscape of wearable products,” Hilts said in a release.


2016 likely to hold more dangerous data breaches

Consumers could be collateral damage in cyber war

This year has been marked by a series of serious data breaches, exposing the personal information of millions of U.S. consumers.

One of the most serious was reported in October, when hackers broke into an Experian system and gained access to confidential information about 15 million consumers who had applied for credit at T-Mobile.

Experian Data Breach Resolution has surveyed the landscape and offered predictions for what 2016 holds in terms of keeping consumer data secure. While some current issues remain relevant, there are a few emerging areas that organizations should watch out for to be better prepared.

Making major mistakes

“We saw different types of breaches this year, and one of the major mistakes companies often make is taking a one-size-fits-all approach,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “Unfortunately, the reality is that no data breach is the same, and a wide variety of unique circumstances need to be considered in a data breach response plan.”

One of the trends Experian foresees is the escalation of cyber-attacks among nations. When that happens, consumers and businesses tend to become collateral damage.

As nation-states continue to move their conflicts and espionage efforts to the digital world, the company predicts there will be more incidents aimed at stealing corporate and government secrets or disrupting military operations.

When that happens, one of the risks is exposure of information about millions of individuals. On the other hand, business data might be compromised more in 2016, or we could see an increase in large public-sector data breaches that expose millions of personal records.

New-age warfare

"This is new-age warfare and, as individuals, we need to pick up the pieces if we have been affected and our personal information has been exposed," said Bruemmer. "The public should not be complacent about identity protection. It's important to practice good security habits on an ongoing basis and monitor accounts frequently to catch fraud early."

Experian Data Breach Resolution also predicts hackers with a political or ideological agenda will become more active, trying to damage the reputation of a company or cause. There have already been a few such incidents over the last couple of years.

These hackers aren't in it for the money, meaning companies must revise their response plans and consider all possible scenarios.

“This was the new twist to the data breach landscape in 2015, with thieves leveraging stolen data to embarrass or harm companies,” said Bruemmer. “Unfortunately, consumers are the pawns in the game, and they are victimized in the process.”

Personal harm or embarrassment

Being associated with the organization under attack, consumers may also suffer personal harm or embarrassment if their information is exposed. If an organization has a polarizing or controversial mission, it should consider this scenario and how it will take care of its constituency should a breach occur, Bruemmer said.

And that leads us to the 2016 presidential race. Bruemmer says political campaigns are likely to be tempting hacking targets.

"For a fame-hungry criminal or motivated detractor, this is an attractive platform,” Bruemmer said.

Bruemmer says all candidates, parties, and organizations had better be prepared by securing their systems and having incident response plans in place.


Cyber Monday safety tips

This is good advice to heed throughout the rest of the holiday shopping season

Shoppers who braved the malls on Black Friday might have risked some pushing and shoving but not a lot more.

Those taking part in Cyber Monday run the risk of having their identity stolen. The risk is greater because they are making their purchases online, where a data breach or one-on-one hacking can expose shoppers' financial information.

Nearly 13 million U.S. consumers were victims of some type of identity theft last year, so it's a good bet that identity thieves will be out in full force this year, not just on Cyber Monday but for the rest of the shopping season.

Safety tips

Most consumers have heard the advice more than once, but it probably bears repeating. Here are some tips for keeping your identity safe:

  • Be savvy about Wi-Fi hotspots – Make sure you don't share personal or financial information over an unsecured Wi-Fi network. You'll know it's not secure if you can access it without a user name and password.
  • Make sure the site is legitimate – Before entering any credit card or personal information, look for a closed padlock on your web browser or a URL address that begins with http or https.
  • Protect your personal information – Make sure the information requested is only that needed to complete the transaction. Check the website's privacy policy to understand how the information will be used.
  • Keep a clean machine – Smartphones or other devices used for shopping should have up-to-date software.
  • Keep a paper trail – Save records of online transactions and check credit card statements as soon as they arrive. Immediately report any discrepancies.

Homeowner's policy may help

"An identity theft or fraud can have a major impact on a consumer, often leaving them to deal with the mess created by cyber criminals," said Richard W. Lavey, president, personal lines and chief marketing officer at The Hanover. "Many consumers may not realize their homeowners insurance policies may help provide protection against the burdens of dealing with identity fraud."

Lavey suggests reviewing your insurance coverage. He says the better insurance policies now offer expense reimbursement, proactive and restoration services, document replacement assistance, and credit card fraud coverage.

Already been victimized? The sooner you act, the better. The Federal Trade Commission explains what you should do.


FTC loses cybersecurity case against medical lab

Judge finds no evidence anyone was harmed, questions credibility of witness

The Federal Trade Commission routinely holds companies responsible for data breaches that expose consumers' private data to intruders. But the commission's recent loss in the case of LabMD raises questions about its ability to prevail in other consumer cybersecurity cases.

The agency had sought to hold the medical testing lab responsible for a data breach that exposed the records of 9,000 patients. But LabMD fought back, refusing to sign a consent order and arguing that there was no proof any consumer had suffered any actual harm as a result of the breach.

Late last week, FTC Chief Administrative Law Judge Michael Chappell agreed and dismissed the commission’s complaint.

"FTC spent millions of taxpayer dollars to pursue its baseless case against LabMD, an innovative and successful provider of cancer diagnostics," said Daniel Epstein of Cause of Action Institute, which defended LabMD. "Although FTC’s ostensible justification for this boondoggle was 'data security,' it produced no evidence that even a single patient was harmed by LabMD’s alleged inadequacies."

Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said the agency is considering an appeal. “Commission staff is disappointed in the ruling issued by the administrative law judge in this case,” she said.

The judge's ruling was a pyrrhic victory for LabMD, which went out of business in 2014, at least partly because of the long struggle with the FTC, according to former CEO Michael Daugherty.

“Yeah we won, but what did we win? We’re dead,” he said, according to a Wall Street Journal report. The experience turned Daugherty into a crusader against what he considers government abuse. He wrote a book, "The Devil Inside the Beltway," later made into a TV series.

Supposed whistleblower

The FTC's case was based on information it received from Tiversa, a for-profit company that provides data security services to clients. Tiversa had found a 1,718-page document on the LabMD servers containing patient data and had then tried to sell its security services to LabMD.

When LabMD declined to pay up, Tiversa reported it to the FTC, claiming LabMD had mishandled sensitive patient data. But Judge Chappell, in a lengthy decision, said the FTC had not proven that allegation and that there was inadequate evidence that any patients had been harmed by the potential data exposure.

In fact, the judge said, there was no evidence that anyone other than Tiversa had accessed the data. He said the FTC had not "identified even one consumer that suffered any harm" as a result of inadequate LabMD security.

The judge said it was problematic for the FTC to rely on a for-profit company that acted as a whistleblower only after its sales overtures were rejected and said that Tiversa CEO Robert Boback was "not a credible witness."

“At best, Complaint Counsel has proven the 'possibility' of harm, but not any 'probability' or likelihood of harm,” Judge Chappell wrote.

"Facts never mattered"

Cause of Action's Epstein said the "facts never mattered to the FTC" and said the "purpose of this case was to intimidate other businesses that might consider standing up for their rights, and to make LabMD pay for speaking out against the government."

For its part, Tiversa said in a statement that it had acted "appropriately and legally."


"Spear phishing" attacks exploit consumers' email habits

Phishing victims exceeded the U.S. population last year

Here's a number that might take a second or two to digest: in 2014 there were about 400 million successful cyber-attacks in the U.S.

That's more than the U.S. population, estimated to be nearly 319 million last year.

“That means everyone in the country may have been breached,” said Arun Vishwanath, an associate professor in the Department of Communication at the University at Buffalo and an expert in cyber deception. “Everyone. Including me and you.”

What is particularly dangerous is something he calls “spear phishing.” That's a tightly targeted, malware-carrying attack that sends links or attachments in what often appear to be genuine-looking email messages.

Spear phishing

These messages bear the imprint of a known or trusted organization. Maybe your bank, the electric company, or government agency.

When a recipient clicks on a link or attachment, he or she launches the malware – intrusive software that runs programs in the background that can cause all sorts of mischief.

A great deal of time and effort has gone into educating consumers about phishing threats, and why they shouldn't click on links in suspicious emails. Yet, consumers continue to do it.

Vishwanath says this training ignores users’ habits and instead focuses exclusively on how users process information. He's compiled a research report that examines these email habits and phishing outcomes.

“The findings point to a joint operation of habits and information processing, something that most social scientists have ignored,” Vishwanath said. “We can’t just focus on one aspect of that use, yet that’s what we’re doing and it explains why phishing is successful.”

Taking advantage of habits

Hackers have figured it out, Vishwanath says. Their phishing schemes work because the perpetrators take advantage of people who are habitual in the way they respond.

He says email systems, especially when accessed on mobile devices, are built around user habits.

"They encourage users to repeatedly check for messages, establishing routines that turn their devices into a casino game, with users opening emails like reckless gamblers habitually pulling the arms of slot machines without thinking of the long-term consequences," Vishwanath said.

In the meantime, spear phishing is successful 17% to 35% of the time, which is highly damaging when you consider how many phishing emails go out each day.

Example

Being able to recognize a phishing email is a first step to avoiding this scam. Microsoft has some advice and has dissected an example. But in the end, this might be enough.

Vishwanath says his research suggests that the training, which teaches people to recognize suspicious emails, is based on the presumption that the phishing problem can be accounted for by information processing.

It can't, he says.


Why all consumers should place a freeze on their credit

Consumer group says purchasing credit monitoring provides little protection

Nearly every time there is a high-profile data breach, the compromised organization responds by providing victims with credit monitoring for a one or two-year period.

It's a nice gesture, but a report by the U.S. PIRG Education Fund questions the value of that remedy, saying it does nothing to prevent identity theft, the major threat when a person's personal data is compromised.

The report says most credit monitoring services only detect certain types of fraud, after it has occurred.

A better step, the organization says, is for affected consumers to immediately place a freeze on their credit.

“Only the security freeze can prevent someone from opening a new credit account in your name,” said Mike Litt of U.S. PIRG. “Credit monitoring services may tell you but only after you’ve already been victimized.”

Worse, he says, credit monitoring is usually offered after simple retail breaches of credit card numbers, even though it offers no help against unauthorized use of your existing accounts. He says that is the fraud most likely to follow that type of breach.

How a freeze is different

Here's how a security freeze is different. It prevents a fraudster from opening an account in your name. Even if the identity thief has your Social Security number and other personal data, he will be blocked because the freeze prevents any bank or business from accessing your credit report.

Unable to check your credit report, no bank or business will extend credit in your name without first verifying that the applicant is really you. When you want to apply for credit, you can temporarily “unfreeze” your credit file.

“Whether your personal information has been stolen or not, your best protection against someone opening new credit accounts in your name is the security freeze, not the often-offered credit monitoring services, which only alert you after a new account has been applied for or opened,” said Litt. “For this kind of ID theft, only a security freeze offers peace of mind.”

What to do

To place a freeze on your credit, you'll need to contact each of the three credit reporting agencies. Click the links below for instructions:

According to the Federal Trade Commission (FTC), an extended fraud alert is free but primarily intended for victims of identity theft and those who believe they are at risk. Today, however, that covers just about everyone.

If you have reason to believe that any of your personal data has been compromised – if your credit card was one of the 40 million exposed in the Target breach, for example – you may be justified in asking for an extended fraud alert on your account. Anyone is eligible for a 90-day fraud alert, which can be renewed.


Tax preparers increasingly become identity theft targets

Scammers use those identities to file multiple bogus returns

With the end of the year fast approaching, consumers are starting to gather their 2015 tax information.

Tax preparers are getting ready for the start of the busy tax-filing season in January.

The Internal Revenue Service (IRS) warns they had better get ready for something else – identity thieves looking for information to use on fraudulent tax returns.

Preparers more lucrative targets

If a scammer impersonates a single taxpayer, he only gets a single fraudulent refund. But if he steals the identity of a tax preparer, he can file for hundreds of bogus refunds, each possibly worth several thousand dollars.

As a defense, the IRS recommends tax preparers have a security plan in place. It should include:

  • High-quality security software that includes a firewall, anti-malware, and anti-virus programs
  • An education program for all employees to ensure they understand the dangers of phishing emails and other threats to taxpayer data.
  • Strong passwords that are changed periodically; consider having different levels of password protection.
  • A secure wireless connection. If Wi-Fi is used, protect taxpayer data by making sure the network is password protected. Be sure to use encrypted email programs to exchange PII with taxpayers.

Secure data

While it is recommended that tax preparers back up taxpayer data on a regular basis, the IRS says media containing this data should be put in a secure location with limited access.

Tax preparers should also access IRS e-services weekly during the filing season and several times during the year to check the number of returns filed using the preparer’s EFIN against the actual number. If there is a discrepancy, preparers are urged to contact the IRS e-Help Desk for e-Services immediately.
