Heed the 'Storm' Warnings
As we enter the stormy season here in Midwest U.S.A., I'm thinking about the terrific progress that's been made to our severe weather warning systems.
Whereas citizens were once beholden to the way the sky looked off in the distance, we now have everything from radio broadcasts to smartphone alarms to give us the heads up we need. Often the warnings we get are extremely detailed, letting us know down to the minute when and where storms will be the worst.
While the red flags that signify data security and privacy 'storms' are not quite as accurate, they are still much more sophisticated than in the past. The trouble is, people have to heed the warnings for them to be effective.
How much attention are you paying to data security and privacy warnings? Reading this month's Tips message is a good indicator you are doing pretty well. Keep up the good work; heads-up awareness is one of the best things you can do to prevent a data security and privacy storm from destroying your life.
Data Security & Privacy Beacons
People and places making a difference**
MIT researcher Joy Buolamwini voiced her concerns about the limitations of facial recognition software used by law enforcement to identify suspects. After studying the platform, she learned it badly misidentified darker-hued women. In speaking out, Ms. Buolamwini went up against a very big company you may have heard of -- Amazon. Why isn't speaking up the norm? It certainly should be, but people who do are often faced with "hostile reactions."
Thank you for speaking up, Joy Buolamwini!
Princeton University created a very cool tool that identifies Internet of Things (IoT) devices in a particular area. Called the Princeton IoT Inspector, the tool allows users to see a list of all IoT devices on a home network, as well as when they exchange data with an external server. Importantly, it tells users when that communication is and is not encrypted. This is a fantastic example of an organization arming consumers with the tools they need to interact smartly with the connected devices around them.
Sidewalk Labs, a Google sister company, has created street and other public space signs to notify people they are being watched and tracked. The signs are a representation of the privacy policies currently being drafted around the data collection technology. We'll certainly keep an eye out for those policies, but this is a nice first step. (Thank you for the pointer to this beacon, Dr. Katina Michael!)
Illinois lawmakers have passed a bill that seeks to ban internet device manufacturers from collecting audio from internet-connected devices without consumers' consent. It's good to see lawmakers taking action to require strong security and privacy controls. The requirement for device makers to notify consumers when their devices are recording audio in the vicinity is long overdue.
New York lawmakers are asking citizens to share their privacy concerns via a data privacy survey. It's refreshing to see a government agency take explicit steps to gather consumer opinions about activities that are privacy invasive. We'll see what ends up actually being done with the insights they uncover through the survey.
**Privacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). It simply highlights a noteworthy example that is, in most cases, worth emulating.
Real-Life ATM Skimmer Story
Hackers invest very little to reap big rewards
The actual device Jim N. removed from the ATM.
When my Facebook friend Jim N. posted photos of the ATM skimmer he ran across, I was reminded how prevalent these devices are becoming.
The reason they are so popular among the criminal element is because they are cheap and effective.
Jim found and removed the device by pulling on an unusual black tab he saw shoved into the ATM's card slot.
"My card was way too tight as I pushed it in the ATM," he posted on Facebook. "I pulled on the black tab and the skimmer came right out."
Notice you can see the data-transmitting device (it's the tiny black square in the pictures). Don't worry; Jim's card was not compromised.
How to Spot a Skimmer
If you detect any of the below red flags while using an ATM or gas pump, do not use the machine and call the bank or station that operates it to report what you experienced.
- The part where you insert or slide your card can be wiggled easily.
- There are unusual gaps or spaces around the terminal's front-facing components.
- A small hole for a tiny camera appears near the receipt slot.
- Something looks suspiciously different from the last time you used the terminal.
- Inserting or removing the card is difficult.
Impersonator uses urgency as ploy
A common tactic in the phishing scammer's playbook is to create a sense of urgency. Among other things, it can force the recipient to stop thinking clearly. Because the sender (who is often posing as a boss or supervisor) appears to be in a rush, the recipient can feel pressured to do as the scammer asks.
Fortunately, in the real-life case I was alerted to below, the recipients were security aware and did not fall into the popular trap.
RED FLAG WARNING:
As you can see in the screenshot below, the person posing as me was not using my real email address. That is a huge red flag.
Keep in mind that anyone can associate any name to any email they send. The person who is being spoofed has virtually no control over this. I've had many people with good intentions contact me over the years to say, "You've been hacked! You need to change your password!" However, a spoofed message has nothing to do with a compromised password. It's nothing I, nor anyone else who has gotten impersonated, could have prevented.
Never rely on the name; always verify the email address. If you're unsure, contact the sender to check as my friend did here. Better safe than sorry!
Actual employees may hear your medical conversations.
In addition to checking a bank balance, ordering a pizza or creating a shopping list, Alexa will now allow users to perform a variety of healthcare tasks. So long as their provider has enabled the Alexa skill (Amazon's term for "app"), patients can make an appointment and even manage prescriptions.
While this kind of access and connectivity has great potential to improve healthcare services and engagement, there are a few data security and privacy caveats we must all consider.
My advice to those considering using Alexa for healthcare (or any) purpose is two-fold:
- Make sure all the Alexa-enabled device's security and privacy controls are set to the highest level (Never rely on default settings to protect you.).
- Fully turn off the device when you don't want the possibility of anything you say or anything that's going on in the environment to be heard (Mute is not good enough.).
THIS JUST IN:
A recent report by CBS News found computers, algorithms and artificial intelligence robots aren't the only ones that hear what's going on around Alexa devices. In fact, there is an entire group of Amazon employees who listen to Alexa recordings, as many as 1,000 per day, transcribing and annotating them to then feed into Amazon's machine learning and voice recognition platforms.
On the Facebook Front
Privacy news from the world's most powerful social media company
Facebook never ceases to raise data security and privacy concerns. They give us something new to talk about seemingly every day. Here's a few eyebrow-raising moments from recent months.
Instagram passwords not protected: Facebook, which owns Instagram, admitted millions of Instagram passwords were stored in plain text on its servers, making them accessible to employees. There are several things you can do to protect yourself. Check out my advice in a recent Bustle article.
No more Moments: Any Facebook users who may have been relying on the Moments feature to archive their histories will soon be out of luck. This is an excellent reminder to never rely on any one feature, technology, device or provider to maintain your memories. If you print photos, print doubles and store them in a second location. If you only have digital copies, have back ups, also stored in separate locations.
Why am I seeing this post? A new feature from Facebook will allow users to view a list of variables that explain how their past interactions on the site lead to News Feed's prioritizing some posts over others. This is a decent first step towards more transparency from Facebook as to how it uses behavioral data. That said, it will be interesting to see how much they actually disclose when this is put into practice.
READER QUESTION
Should I really download this app?
I finally got around to opening a holiday gift that arrived late from China. It was an angel nightlight that could also play music from a nearby Bluetooth device.
In the package was a USB cord and instructions (written in Chinese only) to plug the nightlight into a laptop computer. However, to turn the light on, you needed to have an app, which the instructions directed me to download using a QR code.
Against my better judgement (curiosity got the better of me), I scanned the QR code, got the URL and then typed the URL into my phone's browser. It took me to a Chinese-language website that Google wouldn't translate.
I got a bad feeling and stopped. Did I do the right thing, or do you think chances are good it would have been safe for me to download the app and plug in the nightlight?
First, great job NOT connecting a device you didn't trust into your computer. More people need to listen to that gut instinct.
Second, your concerns around the technology's country of origin are understandable, given all the media attention around the topic. And, it's great to know you are aware of the risks in general.
The details you shared are definite red flags, and you did the right thing. One other step you may consider next time is checking the URL's safety by entering it into a URL security checker before visiting the actual site. A couple of good ones are safeweb.norton.com and zulu.zscaler.com, both of which will tell you if the URL is safe, based on their analytics, before you visit.
Overall, great job heeding the warning signs and erring on the safe side. A nightlight is certainly not worth the potential risks to your personal data and privacy.
I'd like to ask a question of my own relevant to the above...
To my readers in China, what do you think about the concerns around technology originating from your country? Are the growing global perceptions around Chinese technology accurate? Please share your perspective by emailing me at [email protected].
Where to Find the Privacy Professor
If you're looking for an experienced speaker who knows how to bring data security and privacy risks to life... on stage, on the airwaves or over the internet, please get in touch.
On the air...
HAVE YOU LISTENED YET?
I'm so excited to be hosting the radio show Data Security & Privacy with The Privacy Professor on the VoiceAmerica Business network. All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, Player.fm and similar apps and sites.
Hear the perspectives of incredible guests as they talk through a wide range of hot topics.
Some of the many topics we've addressed...
SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.
In the news...
Bustle
Careers Info Security
Healthcare Info Security
Kellogg Midwest Federal Credit Union
Recent awards / honors
Calligo
3 Ways to Show Some Love
The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world since 2007 (Time really flies!). If you love receiving your copy each month, consider taking a few moments to...
1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.
3) Share the content. All of the info in this email is sharable (I'd just ask that you follow
Funnel cloud forming right over our home last spring
When witnessed from a safe distance, storms can actually be quite magnificent, sometimes even beautiful to watch. If we are far from the impact, we can have a hard time sensing the real danger.
Threats to our data and privacy can be experienced in much the same way. There's a tendency to let apathy or a false sense of security take over. This month, find ways to engage in the threat mitigation. Read more articles, ask more questions, and when possible, take action.
If you ever have questions about what you can do in your neck of the woods to make a difference, certainly get in touch. I'm always happy to brainstorm ideas with this wonderful community.
Have a beautiful and safe May,
Rebecca