
Insider threat: When a company data breach comes from within

There’s one kind of cybersecurity breach that's almost impossible to defend against, and that’s when the weak link is operating within the organization.  

Most breaches we hear about in the news pertain to external threats. International criminals hack into servers, hold data hostage, or release sensitive information to the public. These outside forces use tactics such as phishing to penetrate the organization with intent to do harm. 

But just as damaging: someone who — for whatever reason — decides to bring down a company from the inside. 

Data danger at Desjardins

On Thursday Desjardins Group in Quebec announced that a former employee had shared the personal information of 2.9 million members with people outside the organization, including names, phone numbers, dates of birth, email addresses, social insurance numbers and banking habits: everything a criminal would need to commit identity theft, and more. 

This breach is huge, affecting about 40 per cent of Desjardins’ members. Desjardins is offering to pay for credit monitoring and a year of identity theft insurance for those affected, but it’s hard to know whether that will be enough to stop fraudsters from taking advantage of the situation. 

Manipulation based on trust

This kind of action is a bit like going undercover, except that instead of investigating illegal activity as the police do, the goal is to commit crimes by building relationships and earning the trust of peers. The accused ex-employee, whose name has not been released, was a valued Desjardins employee with access to the kinds of information needed to do major damage. According to Desjardins, he also persuaded other employees to pull records he had no right to access, a technique known as social engineering. 

To “social engineer” someone is to manipulate them psychologically into performing actions or divulging private information. The former employee used social engineering for malevolent ends, ultimately betraying his employer in the worst way possible. This is so hard to prevent because it’s human nature to suspect strangers of wrongdoing rather than friends or colleagues.  

To avoid falling victim, companies should reinforce the importance of data privacy and ramp up cybersecurity training, including covering all the ways people use social engineering: by phone, by email, by text or, as in this case, in person. Staff who know what manipulation looks like are less likely to be manipulated in the first place. 

How can individuals protect their privacy?

If you’re a Desjardins member whose data was compromised, and even if you’re not, here's how to protect yourself against identity fraud: 

  • Take advantage of the credit monitoring offered by Desjardins, or of another credit monitoring service. It alerts you to changes in your credit report that can signal identity fraud, such as a new account being opened in your name. 

  • Lock down your digital identity and your accounts: stop reusing passwords (create a new, long one for every site and store them in a password manager); enable two-factor authentication wherever possible; and be vigilant about the emails you receive, particularly any about the Desjardins breach itself, because phishers will be looking to exploit the fear around this juicy news item. 

  • Pay close attention to transactions not only on your Desjardins accounts but on all your financial accounts, because SINs, birth dates and banking habits were potentially exposed, and those are the keys to the kingdom when it comes to identity theft. 

To learn more about protecting your identity at home or at work, contact the Beauceron Security Team at info@beauceronsecurity.com or 1-877-516-9245. 

3 quick and easy ways to declutter your digital life

Unless you're living under a rock, you’re probably aware of dozens of recent data breaches involving huge — and therefore implicitly trusted — companies (*cough* Facebook) where your sensitive information was mishandled and put at risk. 

Privacy is a major issue these days, and the best way to limit how much of your data can be exposed in a breach is to start small, at home. 

1) Let’s get physical

Clear the digital clutter from your devices. We hope you don’t leave sensitive paperwork lying around your home or workplace, but the same goes for data on your computer or phone that could be exposed if the device is lost or stolen: old PDFs of medical records saved to your desktop, photos of your driver’s licence or passport on your phone. You’d be better off deleting them or moving them to a more secure cloud service.   
 
Put yourself in a criminal’s mindset: if you were looking to commit fraud and had just stolen someone’s laptop or smartphone, what would you look for first? That’s the kind of information you should be deleting or securing.  
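One way to do that triage in practice, as an added example (this is not Beauceron’s code or advice, and the file-name keywords it matches are assumptions): the Python script below walks a folder, flags files whose names suggest scanned ID or medical or tax paperwork, and searches text files for numbers shaped like a Canadian SIN that also pass the Luhn check that real SINs satisfy, which filters out most random nine-digit strings. The sample folder it builds is constructed for the demonstration, not real data.

```python
"""Triage a folder for the files a thief would look for first: scanned ID and identity numbers."""
import os
import re
import tempfile

# Name fragments that suggest scanned ID or medical/tax paperwork. Assumed list; extend it.
NAME_HINTS = re.compile(
    r"passport|licen[cs]e|driver|\bsin\b|medical|prescription|\btax\b|\bt4\b|assessment",
    re.IGNORECASE,
)
# Nine digits in 3-3-3 groups, as a Canadian SIN is usually written.
SIN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")
TEXT_EXTENSIONS = {".txt", ".md", ".csv", ".json", ".html", ".xml", ".log"}


def luhn_ok(digits):
    """Luhn checksum, which valid SINs (like credit card numbers) satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sins(text):
    """SIN-shaped numbers in text that also pass the Luhn check."""
    hits = []
    for m in SIN_RE.finditer(text):
        digits = "".join(m.groups())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_folder(root, max_bytes=1_000_000):
    """Return {relative_path: [reasons]} for files worth deleting or moving somewhere safer.

    Text files are searched for SINs; every file is checked by name. PDFs and images
    are flagged by name only, since reading them would need a PDF parser or OCR.
    """
    flagged = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if NAME_HINTS.search(name):
                reasons.append("name suggests ID/medical/tax document")
            ext = os.path.splitext(name)[1].lower()
            if ext in TEXT_EXTENSIONS and os.path.getsize(path) <= max_bytes:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    sins = find_sins(fh.read())
                if sins:
                    reasons.append(f"contains {len(sins)} SIN-like number(s)")
            if reasons:
                flagged[os.path.relpath(path, root)] = reasons
    return flagged


def build_sample_folder():
    """Constructed stand-in for a cluttered desktop (not real data); returns its path."""
    root = tempfile.mkdtemp(prefix="declutter-")
    files = {
        "notes.txt": "Reminder for the accountant: my SIN is 046 454 286.\n",  # Luhn-valid example SIN
        "order.txt": "Order 123-456-789 shipped Tuesday.\n",                  # nine digits, fails Luhn
        "Passport_scan.jpg": b"\xff\xd8\xff\xe0 not a real image",
        "recipe.md": "# Banana bread\n3 bananas, 1 cup sugar...\n",
    }
    for name, content in files.items():
        mode = "wb" if isinstance(content, bytes) else "w"
        with open(os.path.join(root, name), mode) as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, reasons in sorted(scan_folder(build_sample_folder()).items()):
        print(f"{path}: {'; '.join(reasons)}")
```

Run it against your own home folder instead of the sample and treat every hit as a candidate for deletion or for moving into encrypted storage; the Luhn filter is what keeps order numbers and phone numbers from drowning out the real finds.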

2) Delete old, out-of-use email accounts

Why are you hanging onto that embarrassing email address from high school? Unless you believe cutieblond91@hotmail.com could serve you in adult life, give it the boot, because email accounts, even dated ones, are a hacker’s goldmine. Through an old email account someone can reach almost every other piece of information about you: password resets for other accounts, financial statements, the details of all your contacts, and the answers to security questions like your mother’s maiden name or the make of your first car.  
 
Before deleting an email account, go through it and download any data you want to keep, and double-check that no service you still use is tied to the old address, such as Spotify, PC points, your credit card or Netflix. Search for subject lines associated with account creation, then go into the account’s security settings and check for any third-party apps that still have access. 
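The subject-line search can be done offline against an exported mailbox. The Python script below is an added example, not Beauceron’s code; the sign-up phrases it looks for and the sample messages it parses are assumptions constructed for the demonstration. Point scan_mbox at a real mbox export and it lists, per sender domain, how many account-related messages came from there and the earliest one, which is a quick inventory of the services still tied to the address.

```python
"""Find services still tied to an old mailbox before you delete it."""
import re
import mailbox
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr, parsedate_to_datetime

# Subject-line phrasing that usually means an account was created or is in use here.
# These patterns are assumptions, not a standard; extend them for your own inbox.
SIGNUP_PATTERNS = [
    r"\bwelcome\b",
    r"\bverify your (e-?mail|account)\b",
    r"\bconfirm your\b",
    r"\baccount (created|is ready|activated)\b",
    r"\bactivate your\b",
    r"\breset your password\b",
    r"\bthanks for (signing up|registering)\b",
]
SIGNUP_RE = re.compile("|".join(SIGNUP_PATTERNS), re.IGNORECASE)


def decoded_subject(msg):
    """Return the Subject header as plain text, decoding RFC 2047 encoded words."""
    raw = msg.get("Subject", "")
    try:
        return str(make_header(decode_header(raw)))
    except Exception:  # malformed encoded word: fall back to the raw header
        return raw


def sender_domain(msg):
    """Registrable-looking domain of the From address (naive: last two labels,
    so 'accounts.spotify.com' -> 'spotify.com'; it mishandles 'example.co.uk')."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    labels = addr.rsplit("@", 1)[1].lower().split(".")
    return ".".join(labels[-2:])


def find_linked_services(messages):
    """Group account-related messages by sender domain.

    Returns a list of (domain, count, first_seen_iso, subject_of_earliest) sorted by domain.
    """
    found = {}
    for msg in messages:
        subject = decoded_subject(msg)
        domain = sender_domain(msg)
        if not domain or not SIGNUP_RE.search(subject):
            continue
        try:
            when = parsedate_to_datetime(msg.get("Date", ""))
        except (TypeError, ValueError):
            when = None
        entry = found.setdefault(domain, {"count": 0, "first": None, "subject": subject})
        entry["count"] += 1
        if when and (entry["first"] is None or when < entry["first"]):
            entry["first"], entry["subject"] = when, subject
    return [
        (d, e["count"], e["first"].isoformat() if e["first"] else "", e["subject"])
        for d, e in sorted(found.items())
    ]


def scan_mbox(path):
    """Run the search over a real mbox export (the format most providers hand back)."""
    return find_linked_services(mailbox.mbox(path))


def sample_messages():
    """Constructed messages standing in for an old inbox; not real mail."""
    raw = [
        "From: Spotify <no-reply@accounts.spotify.com>\nDate: Mon, 12 Mar 2012 10:04:00 +0000\n"
        "Subject: Welcome to Spotify!\n\nYour account is ready.\n",
        "From: Netflix <info@mailer.netflix.com>\nDate: Tue, 03 Jul 2012 08:00:00 +0000\n"
        "Subject: Please confirm your email address\n\nClick to confirm.\n",
        "From: Netflix <info@mailer.netflix.com>\nDate: Sat, 14 Sep 2013 19:30:00 +0000\n"
        "Subject: Reset your password\n\nSomeone requested a reset.\n",
        "From: PC Optimum <noreply@pcoptimum.ca>\nDate: Wed, 01 Feb 2017 12:00:00 -0500\n"
        "Subject: =?utf-8?q?Your_account_is_ready?=\n\nStart collecting points.\n",
        "From: Alex <alex@example.org>\nDate: Fri, 09 Jun 2017 15:00:00 -0400\n"
        "Subject: Re: weekend plans\n\nSee you Saturday.\n",
        "From: Bank Alerts <alerts@bank.example>\nDate: Mon, 02 Oct 2017 09:00:00 -0400\n"
        "Subject: Your monthly statement is ready\n\n...\n",
    ]
    return [message_from_string(r) for r in raw]


if __name__ == "__main__":
    for domain, count, first_seen, subject in find_linked_services(sample_messages()):
        print(f"{domain:20} {count:2} msgs  first seen {first_seen[:10]}  e.g. {subject!r}")
```

The output is a checklist of domains to visit and either change the contact address or close the account; a password-reset mail counts as evidence of a live account, which is why the patterns include it.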
 
If you don’t want to get rid of the email account altogether, at the very least change its password to something long and strong, and turn on two-factor authentication.  

3) Get rid of app accounts you don’t need anymore

Remember when you downloaded Runkeeper last January and used it to track your one New Year’s resolution workout? It doesn’t need to be on your phone if you aren’t using it. Apps like this track far more than calories burned; given the permission, they also track your location (among many other prized informational nuggets), even when you aren’t actively using them.  
 
Companies keep the data they were given long after you delete their apps, so going forward, don’t download apps or create accounts online for no reason. The more of your data that’s out there, the harder it is to manage. 

Decluttering digitally is about being proactive with your privacy — it's about paring down the amount of your personal data available to only what you need and use, so it doesn’t fall into the wrong hands. 

To get the right information at the right time, contact the Beauceron Security Team at info@beauceronsecurity.com or 1-877-516-9245. 

 

On Tinder? Russia may swipe right on your personal data

Russian intelligence agencies are asking Tinder, one of the most popular dating and hookup apps worldwide, to hand over user data so they can monitor citizens, purportedly in the interest of national security.  

This is unquestionably scary for Russian citizens. Russia has a long history of persecuting gay people, for one thing, so for individuals to have their sexual orientation and habits exposed to the state is disturbing to say the least.  

If the aim of Russian spy agencies is to find ways to compromise individuals for state interests, then dating data could be some of the most damning info about people out there. 

What data does a dating app collect on you?

Tons! You may not “super like” it, but Tinder acquires info including (but not limited to): your Facebook likes; links to your Instagram photos; your education; your age; the age range of people you’re interested in; how many Facebook friends you have; your locations; when and where every conversation happened with every single user you’ve ever messaged on the app — and those conversations in their entirety. It’s tough to access your own data, and even tougher to delete it.  

Not limited to Russia

The reverberations of this can be felt internationally: it’s not just Russian citizens’ data the app could be compelled to surrender.  

Tinder is one of 145 apps and sites from which Russia’s internet and censorship authorities can demand data. Under Russian law, Tinder could be pressured to hand over the private information of any of its 50 million users across the planet. 

Swiping left on privacy

It remains to be seen whether Tinder will comply, but if Russia is a big enough part of Tinder’s business, there’s no reason to assume the app will uphold user privacy agreements.  

This is a concern for anyone who’s ever used Tinder: not just Russian citizens or people who may want to visit the country, but anyone involved in politics or business; if the Russian government can find something on you, it could conceivably use it against you.  

Our own government has similar power

Western democracies aren’t innocent of this kind of behaviour — and Canadian or U.S. authorities could use existing laws to the same ends. Our governments at home could request private info from social media sites and there would be very little that an individual could do about it.  

In theory, though, accountability and due process are embedded into our laws, whereas in Russia, human rights are beside the point.  

As if you needed another reason to ditch the dating apps…

As always, be careful about what you do and say online, because there’s no way to guarantee that private message to your match is truly private. 

Here are a few steps to make dating online safer: 

  • Only share what you need to, even in supposedly private messages 

  • Move the conversation off the platform as soon as you’re comfortable, to a more secure channel such as an end-to-end encrypted messaging app 

  • Check the terms of service of apps you’re using, and choose apps that limit data retention. If you can delete your own data, do that too! 

  • If you stop using an app, contact the company to have your profile removed 

  • Lobby for better privacy protections from your government — if you don’t make it an issue, they won’t either! 


Protecting your digital identity in the era of mass surveillance – before it’s too late

San Francisco has just become the first U.S. city to ban the use of facial recognition technology by its police and other municipal agencies, to prevent the discrimination and curtailing of civil liberties that tends to accompany this kind of artificial intelligence. Other cities are following suit, but despite this progress, the technology’s use is growing.   

If you frequent airports, sports stadiums, malls or grocery stores, facial recognition technology may soon be a big part of your life — whether you like it or not.   

Rather than check individual boarding passes, some airports now use A.I. to scan faces as people pass through the gate; if you’re paid up and your identity checks out, you’re allowed to board your flight. Convenient, right?  

However, when the private sector uses our biometric data to target its marketing, we enter dangerous territory when it comes to protecting your digital identity.  

Malls have been caught using facial recognition cameras to guess your age, gender and even mood to advertise accordingly, luring you to certain stores or kiosks where you’re likely to spend money.   

Even grocery stores can identify you in the aisles by your age and gender, displaying products on screens based on your marketing demographic. 

What is biometric data?

Biometric data (fingerprints, retinal scans, gait recognition, voice recognition, DNA, facial scans) are traits unique, or nearly so, to a person, and biometric systems use them to confirm your identity quickly.   

For individuals, the main benefits of using biometric data such as facial recognition are speed and convenience. You can avoid rummaging in your pockets for your concert or game tickets at a stadium. You can skip the lines, and just walk past scanning tech that can do the work instantly.   

For corporations, the benefits have more to do with the ability to sway purchasing behaviour. Governments, for their part, get to monitor and control populations by combining biometric and other surveillance data with artificial intelligence. 

Privacy concerns amid surveillance

The convenience of these technologies comes at a steep cost, especially to privacy. The most extreme example is China, where the government is known for abusing biometric data collection: it publicly shames jaywalkers caught on camera; it uses facial scans and gait recognition to stop citizens with a low social credit score from flying or buying property; and it can track almost anyone’s location at any time, a capability turned disproportionately on ethnic and religious minorities.   

Closer to home, Toronto has been piloting the Sidewalk Labs project, a data-driven smart city initiative meant to improve things like snow removal and traffic planning, and to deter crime with sophisticated security cameras. But because Sidewalk Labs would not commit to de-identifying all collected data at the source, privacy expert Dr. Ann Cavoukian and others have denounced it as little more than a data mine that could cause harm if that data is leaked or abused.  

Glaring flaws in biometrics

Beyond surveillance, biometric identification has a major flaw: you can replace a compromised credit card, but if there’s a breach of your biometric data, you can’t change your face. Not easily, anyway!   

There’s a big risk of false positives, too. In London last year, the Metropolitan Police misidentified and fingerprinted a 14-year-old black boy, and figures show this kind of mistake is no anomaly: of the matches the force’s facial recognition software flagged, 96 per cent turned out to be wrong.  

In its current iteration, facial scanning can also be racist and sexist; these technologies are prone to error when it comes to recognizing women and people of colour.  

Yet another issue: it can be used to advertise to you without your permission in malls, grocery stores, even taxis. And with facial recognition in the public sphere, you can never be sure when or how your sensitive data is being used, or whether and where it’s being stored.

The cost of convenience

While there are obvious pros to facial recognition — such as increasing border security and facilitating police efforts to track down dangerous criminals — as a society we need to ask how much of our personal data we’re willing to sacrifice in the name of safety and convenience. If it’s becoming too much, we need to call on legislators to stand up for citizens’ privacy before we become even more accepting of surveillance tech and all the risks that go along with it.   

Awareness training is the first step towards protecting your digital identity. Reach out to the Beauceron team at info@beauceronsecurity.com to learn how our learning content can support your organization.

Are you being stalked through your phone?

Tech and science publication Motherboard has been trying for weeks to warn a certain stalkerware company that it has been hacked. The company’s servers are not properly secured, so hackers are sitting on a gold mine of exposed pictures, videos, messages and more.  

Motherboard has called out spyware providers for their deplorable security practices many times before, but these companies are in the business of invading privacy, so naturally they don’t care about the privacy of the people their customers spy on.  

Stalking apps are especially vulnerable because their goal is to operate cheaply, not securely; there are hundreds vying for a slice of this business. And their customers are in no position to complain when data leaks: more often than not, they’re using the software to commit crimes.  

What is stalkerware?

Stalkerware is what it sounds like: apps and services designed to let you track, without the device owner’s knowledge, things on their laptop or smartphone such as photos, messages, emails, browsing history and GPS co-ordinates.  

Stalking apps are scarily easy to buy. According to a study from Cornell University, there are roughly 300 such apps on the market for Android and iPhone.  

They’re also becoming popular with parents who want to know what their kids are up to online, but stalkerware is still mainly used by people who want to track their significant others – to find out whether a partner is cheating. And they’re commonly used by abusive ex-partners who can stalk their victims with relative anonymity. It’s invasive and creepy, and the data tracked is easy to exploit. 

Part of a bigger stalking issue

These apps and services are part of a major problem in this country, which is stalking in general. 

In just the last five years, data from StatsCan show about two million people have reported being the victims of stalking. Of those victims, only two in five report it to the police, and only a quarter of those reports ever result in charges being laid. Part of the reason for under-reporting is that more stalking is happening online, so it’s harder for police to investigate. 

Parental controls and spyware are not the same thing

Stalkerware and parental controls may both be pitched as ways to keep your kids safe online, but they are very different means to that end. Parental controls restrict devices to safe uses and block age-inappropriate websites. Stalkerware, by contrast, violates your kids’ trust by outright spying on them. 

The simplest solution is often the best

Never install stalkerware on your kids’ phones. If you’re tempted to do so, think about what that might be teaching them about what’s acceptable from authorities – it’s a slippery slope leading to an indifference about surveillance. 

And never, ever stalk your boyfriend or girlfriend! If you care about your partner, don’t put their sensitive data in jeopardy by using these insecure apps. 

Combating the stalkerware industry

On a less personal level, payment processors such as PayPal and the credit card companies should stop providing services to stalkerware firms. If processors faced fines for taking money from these apps, especially the ones sold to track partners, the offences would be much harder to commit. When the cash is cut off, so is the crime.  

Services such as Find My Friends on Apple iOS devices should be updated to remind users on a daily, weekly or monthly basis that the feature is enabled on their device, and to notify them whenever it is being used. GPS trackers built into modern cars should likewise give audible and visual cues when the vehicle’s location is being tracked.

In wake of scandal and tragedy, Facebook privacy crackdown needed

It’s been a year – long enough to have forgotten the details of that Cambridge Analytica story that was all over the news last March.  

A refresher: in early 2018, Canadian-born Christopher Wylie went public with allegations that the British consulting firm Cambridge Analytica had harvested private information from more than 50 million Facebook users and turned it into social media strategies to support Trump’s 2016 presidential campaign. The scandal was among the most prominent privacy failures involving Facebook, but it certainly hasn’t been the last. 

A+ for promises, D- for action

Though we have seen some efforts from Facebook to promote transparency, such as a new tool to be rolled out in June that will show who paid for political ads and whom they’re targeting, Facebook is well known for making big promises about user privacy and keeping few of them. Remember when it promised a “Clear History” button in May 2018, after the backlash from Cambridge Analytica? It’s still nowhere to be seen. That lack of follow-through is oh-so typical of Facebook. 

A wasted year

In the last year, legislators in the States have at least started serious conversations about what a national privacy law might look like, with a focus on reining in the power of big tech. Fast-forward 12 months, and Canadian politicians have failed to create anything resembling a national data strategy, probably because they’re more focused on winning the upcoming election than on protecting citizens’ privacy.  

What politicians should do is take Europe’s General Data Protection Regulation and Canadianize it, effectively cracking down on rule-breakers like Facebook with major fines that would have a real impact on their practices.  

Tragedy broadcast on social media

A horrific tragedy unfolded in New Zealand last week, where a terrorist attacked two mosques in Christchurch. Because Facebook is still basically a free-for-all for information dissemination, the attacker was able to live-stream the shooting, and copies of the video were re-uploaded and shared millions of times, almost instantly, across social media.  

Once digital data is created and replicated, it’s nearly impossible to control; people have created more data in the last couple of years than in all human history, and criminals are swimming in a sea of personal information that can be easily exploited.  

Who’s accountable?

New Zealand internet service providers went so far as to block sites that continued to host this reprehensible material. It was one of the most aggressive actions ISPs anywhere have taken, and it raises some thought-provoking questions about who should be accountable for data shared online: the platform, the internet service providers, or only the individuals sharing it? Is there such a thing as regulated free speech? 

And while we’re on the topic: Is it really necessary for every human being to have the capability to instantly broadcast anything with zero vetting? Facebook should restrict this live-streaming capability to verified news media and individuals, so this kind of thing can’t happen in the future. 

An encouraging reaction

It was heartening to see the numbers of people across the world who refused to watch or share these violent images, in a sort of moral protest. If we really want change, though, we should be pushing our legislators to create laws that crack down on big firms that handle and distribute data.