Why Are You Getting This?


You signed up to receive the Tips or initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB) and consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.

Don’t Break Your Own Heart with Poor Privacy Awareness and Practices

This month runs rife with privacy scams targeting the lovelorn, and anyone with a romantic and/or loving heart. It is also a month in which many associations and international government agencies emphasize the need to be safe on the internet, where romance scammers take advantage of unwitting users who are looking for love in all the wrong places and falling victim to their scams. Continue reading for a wide variety of tips, and virtual loving hugs to entities and individuals who are providing some specific examples of heart-worthy privacy practices.


Do you have stories, examples, or concerns about the topics covered in this issue that you would like us to provide feedback on? Send them over! We may discuss them in an upcoming Tips.


We hope you are finding all this information valuable. Let us know! We always welcome your feedback and questions.  

Thank you for reading!

Rebecca


We would love to hear from you!

February Tips of the Month



  • Monthly Awareness Activity
  • Privacy & Security Questions and Tips 
  • Data Security & Privacy Beacons*
  • Privacy and Security News
  • Where to Find the Privacy Professor

Monthly Awareness Activity

Safer Internet Day is Tuesday, February 6. Safer Internet Day started in Europe in 2003. Now it is celebrated in more than 100 countries. Globally, it’s coordinated by the Brussels-based Insafe/INHOPE Network with the support of the European Commission. Since 2013 in the U.S., ConnectSafely has been the official U.S. host/coordinator. Here is the goal of Safer Internet Day, as explained by ConnectSafely:


“Safer Internet Day aims to create both a safer and a better internet, where everyone is empowered to use technology responsibly, respectfully, critically and creatively. The campaign aims to reach out to children and young people, parents and carers, teachers, educators and social workers, as well as industry, decision-makers and politicians, to encourage everyone to play their part in creating a better internet. By celebrating the positive power of the internet, the 2024 Safer Internet Day slogan of “Together for a better internet” encourages everyone to join the movement, to participate, and to make the most of the internet’s potential to bring people together. With a global, community-led approach, Safer Internet Day encourages everyone to come together and play their part.”

 

A plethora of activity ideas has been published for this year’s Safer Internet Day. We’ll save you some time looking for them! Here is where you can see many suggestions and use them to brainstorm your own unique ideas. Don’t have time to plan these for this year? No worries! You can put them on your planning list for next year or, better yet, plan to do one or more of them anytime between now and then. Awareness activities should be provided on an ongoing basis anyway, not only to keep security and privacy top of mind for everyone, but also to meet a growing number of legal requirements for ongoing security and privacy education.



 

Please let us know what you did for Safer Internet Day, or want to do next year, or in the coming months.

Privacy & Security Questions and Tips

Rebecca answers hot-topic questions from Tips readers

February 2024

We continue to receive a wide variety of questions about security and privacy. We also are still receiving many questions about HIPAA and personal health data. Thank you for sending them in! We’ve included seven of the many questions we’ve received here and will answer the others elsewhere, or in upcoming Tips. Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!

Q: I am surprised ANYONE still pays bills through the mail! It baffles me why someone would even want to do that. What provides more security: paying bills electronically (via ACH, credit cards and debit cards), or using physical checks sent through the postal service ("snail mail")?


A: Fabulous question! There are benefits and risks to both methods. In 2022 the U.S. Federal Reserve published a study showing the popularity of different payment methods from 2000 through 2021. It is quite interesting! While the use of ACH transfers has skyrocketed to being the most popular way to make bank-to-bank payments for both debit and credit transfers, the use of checks is still very popular. Checks are also significantly more common, based on total dollar values, than using debit and credit cards.

Here is a simplistic table showing a list of high-level risks and benefits for each category of payment. The largest difference is that the risks to physical check payments come almost entirely from physical access to the envelopes containing the checks, and far fewer people have such physical access than are typically authorized to access digital payment systems. Vulnerabilities in online payment methods also expose electronic payment data to a much larger pool of remote attackers.

The occurrence of phishing messages masquerading as ACH payment approvals is skyrocketing. I received five of them just on one day, February 1! Here is a screenshot of one of them. Each of them impersonated a different bank as the sender.


Figure 1- One of 5 ACH phishing messages received on Feb 1 2024

Q: With the proliferation of mobile health apps, what HIPAA compliance considerations should developers and healthcare entities prioritize during the development and vetting process?

 

A: Apps of any kind inherently bring significant risks to the devices, digital products and network environments within which they are used. In healthcare, nearly all mobile computing devices, online patient portals, and internet of things (IoT) products use apps in some way, exposing HIPAA covered entities (CEs) and business associates (BAs) to many risks that are often overlooked. These risks are routinely identified as findings in risk assessments, and by the HHS Office for Civil Rights (OCR) when it performs audits and post-incident investigations.


The following four capabilities are often missing from apps but need to be engineered into health apps. CEs and BAs using such apps need to ensure each of them (listed in no particular order) is specifically provided:

  • Strong authentication. Most apps use weak single-factor authentication, and many still use no authentication at all. Use multi-factor authentication where it is available, and do not use apps that insist on using your social media login credentials; this is one of the riskiest authentication practices. Also, ensure accounts lock after a set number of unsuccessful login attempts.
  • Strong encryption. This is another capability that many apps, including a majority of health apps, have not implemented. Make sure the encryption uses a vetted, standard algorithm, and is not simply scrambling the data or using a proprietary method created by the app developer; such schemes are notoriously easy to break and usually are not true encryption at all.
  • Limiting access to the minimum necessary. Most apps do not have the ability to limit access to specific types of protected health information (PHI). In fact, there are often many, in some cases hundreds, of third parties that are given wholesale access to data collected, derived, processed, and found anywhere throughout the app components.
  • Activity logging. CEs need to know when entities not involved in treatment, payment and operations (TPO) activities are accessing PHI, in order to meet HIPAA accounting of disclosures requirements. Some state laws can be interpreted to require this for CEs and their BAs as well. Such logs are also very valuable when investigating security incidents and PHI breaches. Most apps have no, or insufficient, logging for such activities.
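A worked illustration of three of these capabilities (lockout after repeated failed logins, minimum-necessary release of PHI fields by role, and a disclosure log that flags access for purposes outside TPO), added here as an example; it is not code from the newsletter or from any app it describes. The roles, the field policy, the lockout threshold and the sample record are assumptions made up for the illustration, and it uses only the Python standard library.

```python
"""Added example: lockout, minimum-necessary field release and an
accounting-of-disclosures log for a hypothetical health app backend."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold
TPO_PURPOSES = {"treatment", "payment", "operations"}

# Minimum-necessary policy: which PHI fields each (assumed) role may see.
FIELD_POLICY = {
    "clinician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "dob", "insurance_id"},
    "analytics_vendor": set(),  # third parties get nothing by default
}


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    # scrypt is a vetted, memory-hard KDF; no home-grown scrambling.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024)


def create_account(username: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, _hash_password(password, salt))


def authenticate(acct: Account, password: str) -> bool:
    """Return True on success; lock the account after MAX_FAILED_ATTEMPTS.
    A locked account rejects even the correct password."""
    if acct.locked:
        return False
    ok = hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash)
    if ok:
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
    return False


@dataclass
class DisclosureLog:
    entries: list = field(default_factory=list)

    def record(self, requester: str, role: str, purpose: str, fields_released):
        self.entries.append({
            "requester": requester,
            "role": role,
            "purpose": purpose,
            "fields": sorted(fields_released),
            # Disclosures outside TPO must be reportable in an accounting
            # of disclosures, so flag them at the moment they happen.
            "accountable": purpose not in TPO_PURPOSES,
        })


def fetch_phi(record: dict, requester: str, role: str, purpose: str,
              log: DisclosureLog) -> dict:
    """Release only the fields the role is allowed, and log every release."""
    allowed = FIELD_POLICY.get(role, set())
    released = {k: v for k, v in record.items() if k in allowed}
    log.record(requester, role, purpose, released.keys())
    return released


if __name__ == "__main__":
    # Constructed sample record; not real patient data.
    rec = {"name": "A. Patient", "dob": "1980-01-01", "diagnosis": "J45",
           "medications": ["albuterol"], "insurance_id": "INS-0001"}
    log = DisclosureLog()
    print(fetch_phi(rec, "nurse1", "clinician", "treatment", log))
    print(fetch_phi(rec, "vendor", "analytics_vendor", "marketing", log))
    print(log.entries)
```

Note that the vendor request is not silently dropped: it is logged as an accountable disclosure with an empty field list, which is exactly the trail an investigator or an OCR auditor would ask for.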

 

In addition to these must-haves, there is a category of technology that should not be used in any situation: online tracking tools (e.g., Meta Pixels, tracking cookies, Conversion APIs, etc.) that, simply put, follow PHI. Do not use or create health apps that use online tracking technologies. Their use is becoming more common, as are the associated fines and other penalties from HHS, and a quickly increasing number of lawsuits against organizations using them. For example, it seems that every week new lawsuits are filed over the use of Meta Pixels and similar tracking pixels within online patient portals and within medical devices that apps connect to, control, or otherwise access.
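The following scanner is an added example (not code from the newsletter or from any vendor) of the kind of pre-release check a CE or BA can run for the tracking technologies described above: it parses a page’s HTML and flags script sources, inline calls and image beacons that match well-known Meta Pixel and Google tag markers. The sample portal pages are constructed for the illustration, and the marker lists are a starting point for a reviewer to extend, not an exhaustive catalogue.

```python
"""Added example: flag common tracking-tag markers in patient-facing HTML."""
from html.parser import HTMLParser

# Well-known hosts and call names used by the Meta Pixel and Google tags.
# These are a starting list; extend it as your own reviews find more.
TRACKER_HOSTS = (
    "connect.facebook.net",      # Meta Pixel loader (fbevents.js)
    "www.facebook.com/tr",       # Meta Pixel <img> beacon
    "www.googletagmanager.com",  # Google Tag Manager / gtag.js
    "www.google-analytics.com",
)
TRACKER_CALLS = ("fbq(", "gtag(", "dataLayer.push(")


class TrackerScanner(HTMLParser):
    """Collect findings for external tracker loads, inline tracker calls and
    pixel image beacons. Inline script text is buffered until </script>."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None  # list of text chunks while inside <script>

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "script":
            self._script = []
            self._check_url("script src", src)
        elif tag in ("img", "iframe"):
            self._check_url(f"{tag} beacon", src)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            for host in TRACKER_HOSTS:
                if host in body:
                    self.findings.append(f"inline script references {host}")
            for call in TRACKER_CALLS:
                if call in body:
                    self.findings.append(f"inline script calls {call}...)")

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def _check_url(self, what, url):
        for host in TRACKER_HOSTS:
            if host in url:
                self.findings.append(f"{what} loads tracker: {url}")
                break


def scan_html(html: str) -> list:
    """Return human-readable findings; an empty list means no markers found."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages (not real sites); the pixel id is a placeholder.
PORTAL_WITH_PIXEL = """<html><head>
<script>
!function(f,b,e,v,n,t,s){f.fbq=function(){};t=b.createElement(e);t.src=v;
s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,document,
'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body><h1>Schedule an appointment</h1></body></html>"""

PORTAL_CLEAN = """<html><head><script src="/static/portal.js"></script></head>
<body><h1>Schedule an appointment</h1><img src="/static/logo.png"/></body></html>"""


if __name__ == "__main__":
    for name, page in (("pixel", PORTAL_WITH_PIXEL), ("clean", PORTAL_CLEAN)):
        print(name, scan_html(page) or "no tracking markers found")
```

Run it against the rendered HTML of every patient-facing page before release and after each change to the tag configuration; a string match like this catches the common copy-and-paste installs, but a tag loaded through a tag manager or a first-party proxy will only show up in a review of the actual network requests the page makes.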

 

These are the bare minimum considerations for all CEs and BAs. There are many more capabilities that need to be considered and implemented, and actions that need to be taken, based upon the goals and use of each app, and the context within which the app will be used.

Q: So…did you succeed in having the Iowa Governor to officially proclaim January 28 as Iowa Data Privacy Day…for the 15th year in a row?


A: I was worried for several days that I would not, since I had not heard anything as of January 25, so I called at 2:30pm. No answer. So, I left a voicemail asking for a return call. Called again on January 26; again, no answer, so I left a voicemail. No return call, so on January 29, I called and someone answered! They took a message and said someone would call. On January 30 I was getting ready to call again, when my phone rang. It was the governor’s office! They explained that they had mailed the official Proclamation to my home as they had done in the 14 previous years. Or so they thought. They had transposed part of my address and it went to someone else’s location and they returned it. But, it was damaged. So, they printed a new copy and mailed it to me. I just received it on February 1. So…yes! For the 15th year in a row it has been officially proclaimed that January 28 was Iowa Data Privacy Day. Here is an image. It is written on parchment paper, with the gold seal of Iowa (the same as the previous 14 years; I have them all). It will be interesting to see what new privacy risks, concerns and/or issues we will be motivated to incorporate next year.

Q: My checking account was hacked and the thieves managed to wire transfer almost $2K from my account. I switched my auto-payments to my credit card but I don't want to rack up fees in 2024 (although I love the airline miles)! Can I still take payments from my checking account or use my debit card in stores and restaurants? Is there any way to do it safely?

 

A: I’m so sorry to hear cybercrooks got into your account!


Here are the steps to take to avoid further losses. You may have already done some of these, but for the benefit of all Tips readers, here is a full list of steps to take when your checking account has been hacked:


1.    Reset your login password, PIN, and security question/answer. Remember, your security answer needs to be something you will remember, not something factual. For example, when I am asked to provide my mother’s maiden name as a security answer, I never provide the real one; I provide an answer that I will remember if I’m ever asked for identity verification. Because this type of information has been exposed in thousands of breaches, many other people already know the real answer. Instead, establish an answer that you will remember, but that is not the actual answer.

2.    Verify your contact details for your account. Your address, phone number, etc. Make sure they have not been changed by the hacker. If they have, then correct them immediately, and contact your bank.

3.    Contact your bank to report the hack. If possible, speak with the department with responsibility for data breaches.

a.    Describe the situation and describe the actions you’ve taken.

b.    Review all transactions with them that occurred before you identified the wire transfer (or, for other situations, whatever the cybercrime was). Identify any transactions you did not make yourself.

c.     Freeze/block your bank credit/debit card.

d.    With many banks, if you act within 24 hours of a fraudulent transaction, you will often be able to recover that money.

4.    Think back to actions that occurred a short time prior to the hack and wire transfer. If your bank account was hacked soon after you did an online transaction involving the account, there are two common ways in which that data could have been compromised:

a.    You may have some malware or spyware on your computer.

b.    The business where you used the account information may have been breached.

5.    Scan and clean your PC with an up-to-date anti-malware scanner. This is to remove any rootkit or keylogger that may have been installed on the PC and that would have captured your login details and sent them to the hacker.

6.    Report the fraud to your local police.


Now, regarding your specific questions…


After you take the actions described, yes, you can typically make ACH, debit card and other types of direct payments from your account safely. It would be good to first confirm with your bank that they have everything they need with regard to activity logs and any other digital evidence. You will need to unfreeze/unblock your account prior to such activities, and you can refreeze it afterwards. Double-check with the bank to see whether they have other procedures in place.


The security of your data at your bank depends upon the following key factors:

  1. The actions you take to secure your account and protect your data and privacy.
  2. The bank’s actions to secure all its accounts and protect the privacy of all its customers.
  3. The actions of the contracted third parties that the bank entrusts with any kind of access to its customers’ data.

Q: I’ve been seeing a lot of messages on social media sites claiming that if you are being robbed at an ATM machine, that you should enter your PIN backwards, and that it will automatically signal the police that you are the victim of a robbery. Is this true?

 

A: This claim has been circulating online since at least 2018. No, it is not true. No known ATM in the United States has this feature. If people believe it and actually try it at an ATM during a robbery, it could result in the robber hurting or killing them, because the police will not show up, and the robber may very well harm the victim if the money is not handed over.

 

Here is the widely republished claim (remember, it is NOT true):

 

“If a thief forces you to take money out of an ATM, do not argue or resist. What you do is punch in your pin # backwards. EX: If its 1234, you’ll type 4321. When you do that, the money will come out but will be stuck in the slot. The machine will immediately alert the local police without the robbers knowledge & begin taking photos of the suspect. Every ATM has this feature. Stay safe.”

 

But this is completely false. It is a purely fantastical claim. In many situations, from a systems and mechanical engineering point of view, this would be impractical to build.

 

For example, what if the PIN is 4224? What is this number backwards? Yep. It is the PIN. How will the ATM system know you’re typing it backwards? And, what realistic mechanisms would be necessary to build into ATMs to make the money become “stuck in the slot” when a PIN was entered backwards?

 

This claim is fiction being perpetuated by folks who may sincerely think they are helping people to be more safe, but they are actually creating more dangerous situations for those who actually believe it.

 

Always remember there are MANY false claims online; especially on social media from folks who think they know more than they actually do, “influencers” who have no expertise, training or education in the topics that they are giving advice for, and from those who are hoping to cause problems or havoc in some way. Check out such claims with authoritative sources before trying them out yourself and sharing them with others.

Q: There have been several compromises of access control data in healthcare, financial and retail sales industries in the past year, based on what members of my local ISACA chapter have been discussing. I’m curious to know, what safeguards do you recommend to prevent unauthorized access to, and exfiltration of, access control data?

 

A: I’ve also seen this as a hot topic over the past year, throughout the world. In those industries, and others as well. In fact, Larry Anderson, at Security Informed, contacted me late last year and asked me to provide a few thoughts and recommendations about this for an article he was putting together as a compilation of short suggestions from several security and privacy experts. The article, What Safeguards Can Avoid Unauthorized Retrieval Of Access Control Data? by Larry Anderson was published on January 22, 2024. Check it out for a few of my suggestions, and suggestions from others.

Q: Can you suggest a bachelor thesis topic for a Cybersecurity Engineering course?

 

A: How exciting to be planning for your bachelor’s degree thesis! Here are a few for you to consider, and to get your brainstorming started.

  • How to engineer cybersecurity controls and privacy protections into internet of things (IoT) products.
  • How to protect drivers, passengers, and pedestrians on smart roads by engineering security and privacy protections within them.
  • Where is encryption necessary within industrial internet of things (IIoT) products? And what are the best encryption algorithms to use for such an ecosystem, and why?
  • How can human interactions with networks improve cybersecurity and privacy, and reduce associated risks? How can engineers support improving these human interactions?
  • What are the cybersecurity and privacy risks of using AI within corporate networks? Where and how can those risks be mitigated within the network components?
  • How could the 2015 Russian attack on the Ukrainian electric grid (or any other real-life security and/or privacy incident) have been prevented through cybersecurity engineering?

 

To make your thesis interesting, you should pick a topic that you are interested in! Your writing will then be that much more interesting and detail-rich. What topic within cybersecurity do you find exceptionally interesting, that you would like to work within if you had a chance? If none of the topics above truly excite and interest you, use those suggestions to brainstorm in your areas of interest.

Data Security & Privacy Beacons*

People and Places Making a Difference

We get many suggestions for beacons from our readers and Rebecca’s podcast/radio show listeners; thank you! We include many of them when the suggestions are for businesses other than the suggester’s, typically ones the suggester feels deserve recognition for noteworthy data security and privacy actions. However, we do not include businesses, organizations, or people trying to promote themselves to get free marketing, and we do not take payments to put organizations or people on this list. We do try to contact as many as possible after publishing our Tips to let them know we put them on our beacons list. If you have someone or an organization to suggest, let us know! We may include them in an upcoming Tips issue.

 

  • Cybersecurity and Infrastructure Security Agency (CISA). Did you know they publish weekly cybersecurity vulnerability summaries? Well, they do! They are very informative. Sign up to receive them in your email inbox here.

 

 

  • World Economic Forum Global Risk Report 2024. It is striking to see cybersecurity and privacy at the top of the concerns alongside severe weather. AI-generated misinformation and disinformation impacts privacy and harms people in many different ways. Cybersecurity and privacy are also factors in the 3rd, 4th and 5th risks shown in the summary image, which also have real-life impacts. Among other insights in the report, the rankings highlight how cybersecurity and privacy risks are not risks that impact only data and technology; they impact and harm real-life physical situations.


  • the_josemonkey. He is on TikTok, YouTube, and other online social media sites. People send him videos and images and ask him to use what he can see within the images to determine their location. He provides some great explanations of the indicators shown. His location-finding-descriptions provide some great awareness-raising lessons about how risky it is to post images of yourself, children, and others online; it could lead to targeting them if they are regularly within those locations, or if they are posting the images for where they are currently located. He also has posted videos with some privacy tips for posting online. Have you asked josemonkey to find a location for you? Let us know! We’d love to know if he found the location of the image you provided.

 


Figure 2- Source: FBI IC3

 

  • Law enforcement, for using social media to alert the public about current scams. In this case, a post on NextDoor here in my area warned about crooks impersonating personnel from the sheriff’s office. Using Social Media for Raising Awareness of Scams.


Figure 3- NextDoor Post from a Des Moines, IA Neighborhood, Jan 30 2024.

 

*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

Check It Out!



We have published the first three episodes of our new “2-Minute Warning” security and privacy videos.


PSB 2-Minute Warning Episode 1: HIPAA Penalties & a Penalty First


PSB 2-Minute Warning Episode 2: Protect Against Identity Theft with Security & Privacy Tools


PSB 2-Minute Warning Episode 3: Data Privacy Day...Week...Month!

 

What topics would you like to see us cover? Let us know!


We would be remiss in February to not also encourage you to watch out for the growing number of romance scams! Listen to the following episodes of Data Security and Privacy with the Privacy Professor to hear about two very damaging, and very different, types of real-life romance scams:




Have questions about our education offerings? Contact us!

The Privacy Professor | Website

Privacy & Security Brainiacs| Website

Facebook  Twitter  Linkedin  

Permission to Share



If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:


Source: Rebecca Herold. February 2024 Privacy Professor Tips

www.privacysecuritybrainiacs.com.


NOTE: Permission for excerpts does not extend to images.


Privacy Notice & Communication Information


You are receiving this Privacy Professor Tips message as a result of:

 

1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or

2) making a request directly to Rebecca Herold or 

3) connecting with Rebecca Herold on LinkedIn


When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com

 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.