Wednesday, December 21, 2016

If I have learned anything in 2016...

If I have learned anything in 2016, it's that many businesses, healthcare providers, and even government agencies remain reticent when it comes to discussing what steps they take to protect our privacy and personal data.

That's unfortunate in so many different ways.

Here are three reasons why.
First, it tells us that (customer, patient or taxpayer) privacy and personal data safety are not a priority for their executive management team.

Second, putting in place practices and procedures that allow transparency and openness about consumer privacy and data protection most likely costs too much, in both money and inconvenience.

Third, they probably have something to hide. It could be that they are sharing (selling) consumer data with third parties!

Whatever the reason, there is also a good chance that those in charge falsely believe that consumer data protection along with identity fraud prevention is an irritating fad promoted by law enforcement officials, security consultants and bloggers who have too much spare time on their hands.

Further, they may believe that their internal measures for protecting consumer data are adequate, and that anyone asking how their personal data is used and, above all, protected should be treated with suspicion.

After all, data breaches and hacker attacks only happen to ADP, Adobe, Blue Cross BlueShield, Facebook, Hilton Hotels, Home Depot, JP Morgan Chase, Target, the State of South Carolina and Yahoo! No one else!

Happy Holidays.

Paul

Sunday, December 11, 2016

Happy Holidays From All The Businesses Watching You!

Nothing reveals more about you than your personal shopping habits and traits.

When and where you shop, what you shop for and how you pay for your purchases are all "data treasure" to organizations which make it their business to collect and sell information on us all.

Collecting and selling data on American consumers is nothing new. But advances in technology have made it possible to gather vast amounts of personal information on every man, woman, and child living in America today from multiple sources and hold that information in perpetuity.

No matter your socio-economic status or background, there are hundreds, possibly thousands of databases out there actively seeking to collect and analyze information on you every day.

Most likely you have never heard of these organizations, let alone come into contact with them. But they most definitely know who you are!

Who uses your collected data?

Primarily, collected data is still used for direct marketing and promotional purposes. In other words, to sell you something.

Data Brokers: Know All About You!
But banks, government agencies (including law enforcement authorities), insurance companies, health care providers and law offices also now use this aggregated data for a variety of different purposes.

This includes identity and residence verification checks along with mode of living and lifestyle analysis.

How do they obtain your data?

For many years, public record information, along with completed product warranty cards, magazine subscriptions and mail order purchases, was the predominant source of information used to develop databases on us all.

Today, it is common practice for so-called 'contributors', which include businesses prepared to betray the trust of their customers, to share personally identifiable information (name, address, telephone, etc.) with third-party organizations known as data brokers or information brokers.

Interestingly, data brokers are described in privacy notices as business partners or affiliates.

Both privacy advocates and consultants who work in the consumer data field agree that privacy notices are open to interpretation and prone to ambiguous or, worse, intentionally misleading statements.

So consider this when you are shopping for gifts and goodies this holiday season, whether you're using a credit card, a store loyalty card or both, at the pharmacy, the supermarket or any other location which has the ability to identify you, and most definitely online.

What you buy, where you purchase it from and how you pay for it will all be collected and stored for future analysis and most likely contribute to your "bucket profile."

Happy holidays from all the businesses and data brokers watching you this festive season!

Sunday, November 27, 2016

The President Elect is a Victim Too!

Bank of America N.A.
The scourge of the banking and financial services industry is employees who share customer information with unauthorized third parties or worse, who operate illegal sideline businesses selling private and confidential customer data.

Recipients of this stolen data include disreputable attorneys, journalists, private investigators and of course scam artists, including identity thieves.

This is not a new problem. In fact, over the decades, employees at some of America's biggest banks have been identified selling confidential customer information to persons who have absolutely no lawful purpose in acquiring it.

Data Breach Victim
A bank with a long history of employees abusing the privacy and personal data safety of customers is Bank of America. Even the president-elect of the United States, Donald Trump, allegedly fell victim in the early '90s to executives at Bank of America (formerly National Westminster Bank USA) sharing specific details relating to his then troubled loan accounts with unauthorized third parties.

National Westminster Bank USA
National Westminster Bank USA was acquired by Fleet Financial in 1996 and in 2004 became part of what is today Bank of America.

Fleet Branch
Some of the most egregious examples of bad behavior by employees at Bank of America over the past two decades included senior executives supporting (or at the very least turning a blind eye to) the use of identity fraud as a business tool to expedite debt collection operations.

In fact, loan officers and attorneys employed at the bank's Managed Asset Divisions (also known as Corporate Services), located in Hartford, Connecticut, and Providence, Rhode Island, were allegedly observed using the services of identity fraudsters to speed up debt collection operations using a social engineering technique known as "pretexting."

Specific information sought often included customer data from competitor banks, payroll records from employers and, even on occasion, taxpayer data from government agencies.

To be fair, the identity fraudsters did purport to be licensed investigators and debt collectors. But surprisingly, no one at Bank of America ever bothered to check the validity of their credentials.

Meanwhile, the same fraudsters were also stealing Bank of America customer data and selling it on to practically anyone willing to pay for it.

Norwalk Savings Society
They even managed to infiltrate a branch of the Norwalk Savings Society (acquired by Summit Bancorp in 1999 and later incorporated into Bank of America in 2004), located in Norwalk, Connecticut, to facilitate a sophisticated checking account scam targeting both consumers and small businesses located in the Northeast.

This necessitated bank employees retrieving the sensitive overnight data received from the Federal Reserve every morning and covertly forwarding it on to the identity fraudsters.

In return, the bank's employees allegedly received various forms of compensation which included candy and flowers when a 'scammed victim' showed up at the branch asking some awkward questions or worse causing a scene.

For those victims (which included Bank of America customers) who did manage to identify and report this widespread unlawful conduct to the authorities, the retribution was often swift, at the hands of both the corrupt bank employees and the contractors.

The punishment meted out often included harassing phone calls day and night, repeated threats of physical violence, blackmail and intimidation, along with the victim's personal credit being hijacked and systematically trashed over an extended period.

Bank of America Regulator
But perhaps most surprising of all was the fact that local and state law enforcement authorities were allegedly kept off the case by highly protective bank regulators.

Allegedly, this included the Office of the Comptroller of the Currency (OCC), who reportedly cited 'federal preemption' laws when intentionally shielding corrupt Bank of America employees and contractors from possible prosecution by local jurisdictions.

To paraphrase two OCC officials who spoke 'on the record' in 1998 and 2010, "the function of the Comptroller's Office is to ensure the safety and security of the banks it supervises and not necessarily the interests of the American public."

How deeply troubling is that?


Thursday, November 17, 2016

Cybercrime Is A Plague That Is Not Likely To Be Eradicated Anytime Soon

The head of the National Security Administration (NSA) and U.S. Cyber Command, Admiral Michael Rogers, spoke at a conference hosted by the Wall Street Journal this week, where he urged business leaders to work with the government in fighting the "scourge of cybercrime."

He further went on to say that the number of hackers out there is “so large and diverse” that it is difficult for the government to identify the perpetrators.

Adm. Rogers also said that roughly two-thirds of hackers are criminals looking to make money by stealing (consumer) information from private databases, and the remaining third are state-sponsored hackers seeking to steal business and government secrets for a variety of illicit purposes.

Clearly, the NSA now believes that open cooperation between the business community and the government is essential in order to combat cybercrime.

But while reaching out to the business community in the spirit of cooperation makes sense, the reality is that very few companies (and especially those in the consumer data and tech industry) are likely to openly partner with the NSA, for fear of raising concerns over the safety and integrity of their products and services in the minds of the general public, both at home and abroad.

In fact, based on our research, both large and small businesses that have been the subject of cyber attacks in the past are more reluctant to report identified hacks and data breaches to the government in the future, let alone work with them on countermeasures.

Clearly, cybercrime is a plague that is not likely to be eradicated anytime soon.

Stay safe!

Thursday, November 10, 2016

Using Big Data to Find Undocumented Immigrants

President-elect Trump
The deportation of millions of undocumented immigrants here in the United States appears to be a priority for President-elect Trump.

Critics, however, point out that the cost alone will be a prohibitive factor in tracking down millions of immigrants, many of whom have remained in the United States after their visas expired or who managed to cross the border undetected.

While it is true that the government will have to hire thousands of new federal immigration agents to carry out the deportations, identifying and locating undocumented persons may not be as difficult or costly as one might think.

In fact, "big data" could play a key role in both identifying and locating undocumented immigrants, through the use of highly sophisticated computer programs capable of performing multiple in-depth background checks on every man, woman, and child living in America today, with the sole purpose of determining who should, and who should not, be here.

Using a process of elimination, supercomputers would be capable of identifying and determining the status of all US residents by accessing both public record and non-public record data held on them. This includes birth and naturalization certificates, driver's license records, education, employment, credit history and property ownership, along with many other data points.

Consequently, if someone is unlawfully working in America today (even paying taxes) using a fake or stolen Social Security number, they would almost certainly be identified. Further, if someone rents a home and has opened up accounts with local utility companies under a false name or stolen identity, they too would be identified.

In fact, anyone whose data (or lack of data) falls into the category of suspicious is likely to find themselves the subject of scrutiny or even possibly a criminal investigation.

Of course, while supercomputers can search for and locate information on people, it still requires a living person to analyze the data and physically locate them. That can be expensive!


Tuesday, October 25, 2016

Privacy and the Internet of Things

Dyn Inc, map of DDoS attack on 10/21/2016
For those people who still don't think it is necessary to go to the trouble of creating a unique and, above all, secure password for every online account and electronic device, here is a little food for thought.

Last week, Dynamic Network Services Inc. (Dyn Inc), a computer services company based in New Hampshire which provides online infrastructure support to, amongst others, Amazon.com, Etsy.com and Twitter.com, was the subject of a Distributed Denial of Service (DDoS) attack. This resulted in legitimate visitors to those popular websites being effectively denied access in certain parts of the country.

The attack was launched using an open-source piece of malware called Mirai, which scans the Internet for routers, cameras, digital video recorders and other home devices which, unfortunately, are all too often protected only by the manufacturer's installed default password.

Once the malware has infected a device, it can be used to flood a targeted website with spurious traffic. Together with tens of millions of similarly infected devices, this can literally shut a web server down under the massive overload of illegitimate visitors.

To put it in simple terms, your computer, fridge or home alarm system could potentially be hijacked by criminals and used to inflict a botnet attack on a business, government agency or any other entity or group.

While it is unclear what the legal ramifications are (if any) if you allow one of your electronic devices (or appliances) to be hijacked and used in a DDoS attack, surely going to the trouble of changing the default factory password when you install or set up the device has got to be the way to go.
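Changing the default password is the prevention side; the detection side is noticing when one of your own devices has already been conscripted. As an added example (not code from the original post), here is a small Python check a home-network or SOC defender could run over outbound flow records to spot a LAN host behaving like a Mirai-style flood source: a high packet rate aimed almost entirely at a single destination. The Flow record layout, the addresses and the thresholds are assumptions, and the sample flows are constructed.

```python
"""Flag home-network devices whose outbound traffic looks like DDoS participation."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    """One aggregated outbound flow record (assumed layout, e.g. from a router export)."""
    ts: int        # seconds since the start of the capture window
    src: str       # device on the home LAN
    dst: str       # destination host on the Internet
    dport: int     # destination port
    packets: int   # packets sent in this record


# Constructed sample: a laptop browsing normally (few packets, several hosts),
# and an IP camera sending 2,500 packets a second to one host for 10 seconds.
SAMPLE_FLOWS: List[Flow] = [
    Flow(0, "192.168.1.20", "203.0.113.5", 443, 40),
    Flow(1, "192.168.1.20", "198.51.100.9", 443, 22),
    Flow(2, "192.168.1.20", "203.0.113.5", 443, 31),
] + [Flow(t, "192.168.1.77", "192.0.2.10", 53, 2500) for t in range(10)]


def flood_suspects(flows: List[Flow], window: int = 10,
                   pps_threshold: float = 1000.0,
                   min_share: float = 0.9) -> Dict[str, Tuple[float, str]]:
    """Return {src: (packets_per_second, top_destination)} for every source
    that exceeds pps_threshold over the window AND sends at least min_share
    of its packets to a single destination. Normal clients spread traffic
    over many hosts at low rates; a flood source does the opposite."""
    per_src: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_src[f.src][f.dst] += f.packets

    suspects: Dict[str, Tuple[float, str]] = {}
    for src, dsts in per_src.items():
        total = sum(dsts.values())
        top_dst, top_packets = max(dsts.items(), key=lambda kv: kv[1])
        pps = total / window
        if pps >= pps_threshold and top_packets / total >= min_share:
            suspects[src] = (pps, top_dst)
    return suspects


if __name__ == "__main__":
    for src, (pps, dst) in flood_suspects(SAMPLE_FLOWS).items():
        print(f"{src}: {pps:.0f} pps, {dst} is the dominant destination")
```

A router or firewall that can export per-flow counters is enough input; the same logic, with the thresholds tuned to the household's normal traffic, is what flags a camera or DVR that needs its factory password changed and its firmware reset.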