Capital One

4 ways to fix digital privacy in Canada

We see a lot of headlines every day about the growing impact of cybercrime.  

Our CEO, David, is often in the media providing explanation and context. While the news isn’t good, there is hope and a way for a more secure digital future for Canadians and people around the world.  

With stories of recent major data breaches like Desjardins and Capital One hurting Canadians’ trust, their wallets, and even their identities, it's time for the country to crack down on cybercrime.  

Sounds like an insurmountable task, but there are tangible steps we can take in the short- and long-term future that could majorly cut down criminal activity online.  

1) Require multi-factor authentication

Any organization that handles sensitive financial info should be required by law to use multi-factor authentication — meaning an additional layer of security beyond the username and password.  

There’s a simple reason Canadian companies including banks, telecommunications providers and more haven’t done this: they’re afraid of introducing it and making it a requirement, assuming it will cost them customers who would move to a competitor that doesn’t ask for this advanced security. 

But if every firm with sensitive personal or financial information were doing it, MFA would quickly become the norm and raise our overall standard for digital safety.  

The Canadian government could get the ball rolling by applying this to federally regulated industries which include telecommunications, banking, transportation — some of the most important parts of a modern society.  

2) Pass new privacy laws with real teeth

This is a medium-term goal. Europe is doing privacy right; with the General Data Protection Regulation implemented in 2018, the E.U. is putting power over personal data in the hands of individuals, and fining companies that fail to protect it. We could essentially copy and paste the GDPR legislation into a Canadian framework to start taking privacy seriously.  

If our laws had real teeth, Capital One could be fined $1.2 billion for the breach that impacted six million Canadians. Right now, though, we’re toothless. 

3) Replace the SIN

We’re talking long-term ambitions, here, but the social insurance number has run its course as the primary digital identifier of Canadians. This dated approach to our digital economy is inadequate in today’s world. Reinventing it is not unrealistic — if tiny countries like Estonia can figure it out, so can we.  

The Canadian Banking Association has been urging the government to do this for a while now, in order to finally stop ID fraud. 

A proper, secure Digital ID is the foundation on which we can build an identity-fraud safer world. 

4) Radically rethink the internet

A longshot ambition, perhaps, but thinking big is how societies advance. 

Picture your digital identity as your driver’s licence. Currently, companies copy and store your licence and in doing so, risk losing that info to others who can then impersonate you online.   

new model, proposed by Tim Berners-Lee, the creator of the World Wide Web, would be more like showing your licence when you need to, but otherwise keeping it in your possession. Instead of having our personal info collected and stored by thousands of companies at their discretion, each person would control one “master copy” of their personal data and have the tools to secure it themselves. No more corporations copying and keeping sensitive info without consent, in other words.  

Part of the problem is the view that digital privacy issues have spiralled beyond our control, but if we tackle it piecemeal, we can make cybercrime a thing of the past.  

To learn more about protecting your identity at home or at work, contact the Beauceron Security Team @ info@beauceronsecurity.com or 1-877-516-9245 and check out our blog on 7 Reasons to Start Using a Password Manager Today! 

5 questions journalists should be asking about the Capital One breach

Countless Capital One customers were left reeling this week upon learning that a huge data breach exposed their private information including credit scores, balances, and social insurance numbers. Just days ago the institution revealed that the personal data for more than 100 million credit applications and cards — including six million from Canada — were laid bare.   

Paige Thompson — who goes by the name “erratic” online — is alleged to have exploited a vulnerability in Capital One’s online credit card application, for apparently no reason other than to show that she could. Based on the evidence presented by the FBI in court documents, Thompson does not appear to be an experienced hacker, and even seemed to want to get caught, leaving her digital footprint and evidence everywhere. 

Reporters have come at this story from many angles, but here are a few questions the media haven’t yet addressed: 

1) How long has this vulnerability existed?

The focus of this breach has been on the hacker herself — who she is and how she operated — but we don’t know how long this security hole was open, and who else may have taken advantage of it, with what malicious intent. If a more sophisticated hacker had wanted to get their mitts on this data, they could easily have done so. Thompson is less the problem, and more a symptom.

2) Why are banks holding onto this decade-old data in the first place?

“Zombie data” — old data that’s considered dead to the company but that still lurks somewhere, waiting to be revived — is dangerous, and the data involved in this hack has been hanging around since possibly about 2005. There’s no good reason for a financial institution to hang onto years-old credit card applications after they’ve been approved or denied. Why was this info even there to be exploited?

3) Who knew what, and when?

The FBI documents say Capital One was notified July 17 of the breach, but the bank claims it only became aware of the breach on July 19. Why the discrepancy? Is it plausible that no one checked their email for a full two days? Beyond that, Capital One didn’t disclose the breach to customers until July 29 — well after their July 18 second-quarter meeting. What happened during that week and a half? Based on the FBI documents, this doesn’t seem like it took terribly long to figure out what went wrong and who did it.

4) What kind of fine are they facing in Canada?

When the notorious Equifax breach came to light, Canada gave them little more than a slap on the wrist, instead of imposing tough penalties that would force other institutions to take notice and action. According to our country’s new Digital Privacy Act, fines for this type of privacy breach can be up to $100,000. We still don’t know whether the fine will be applied or the government will dole out another freebie.

5) Why aren’t banks required to provide better security tools to their customers?

Multi-factor authentication, for example. The government should regulate banks’ safety tools to remove the option of choosing convenience for the customer over security. If every bank has the same privacy measures in place, our national cybersecurity will see real improvements, so why are governments not acting on this? Requiring banks to offer more advanced security — in a similar, standardized way with a defined date — will end the standoff that exists where the banks are too afraid of losing customers to another institution due to the perceived inconvenience of things such as MFA.

While these breaches are scary — and becoming more common all the time — if we push for legal change and aim to protect our personal data, we can stop hackers in their tracks.  

To learn more about protecting your identity at home or at work, contact the Beauceron Security Team @ info@beauceronsecurity.com or 1-877-516-9245.