Tag Archives: cyber security

Breach Brief – T-Mobile

Mobile phone service provider T-Mobile has announced a data breach of its customer information.

According to a post on the carrier’s website, the hack was discovered on August 20 by its cybersecurity team. The team shut down unauthorized access to certain information and T-Mobile quickly reported the incident to authorities. T-Mobile reported that the attackers did not get access to financial information, social security numbers, or passwords. However, the company did admit that some personal information may have been compromised, including name, billing zip code, phone number, email address, account number and account type.

In a statement T-Mobile said, “Out of an abundance of caution, we wanted to let you know about an incident that we recently handled that may have impacted some of your personal information. We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access. We truly regret that this incident occurred and are so sorry for any inconvenience this has caused you.”

T-Mobile did not report any exact number of customers affected by the breach. But a spokesperson for the company told Motherboard that it impacted roughly “3 percent” of its 77 million customers, amounting to around two million people. “Fortunately not many,” the spokesperson said in a text message, adding she could not say the exact number, reported Motherboard.

T-Mobile is the third largest cell service provider in the U.S. with 77 million customers. The company has about half the customers of Verizon and AT&T, with 152 million and 147 million customers respectively.

Breach Brief – Panera Bread, Saks Fifth Avenue, Orbitz

Panera, a popular bakery-cafe, has admitted its website was leaking data. According to Brian Krebs of KrebsOnSecurity.com, Panera allegedly failed to fix issues with its website it knew about for nearly eight months. Panera Bread has over 2,100 outlets nationwide.

Cyber security researcher Dylan Houlihan notified the company of a data leak in early August 2017. Mike Gustavison, Panera director of information security, was informed of the flaw and said the company was “working on a resolution.” Despite this statement the flaw was not repaired.

Data records that leaked out contain the names, email and physical addresses, birth dates and the last four digits of the credit card numbers of Panera customers. 

Only after Krebs spoke directly with Panera chief information officer John Meister was the site shut down briefly and the data secured. The number of customers whose data may have been compromised is estimated at 37 million.

A statement from Panera Bread said: “Panera takes data security very seriously and this issue is resolved. Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”

The company urges its customers to be alert for any fraudulent activity in their bank or credit accounts.

Saks Fifth Avenue/Lord & Taylor

Saks Fifth Avenue and Lord & Taylor reported a data breach affecting millions of its customers.

According to the company “a well-known ring of cybercriminals” had stolen more than 5 million credit and debit card numbers from customers. According to the New York Times the cyber criminals were able to pull off this massive heist by implanting software into the cash register systems.

Although it is early in the investigation, the hack appears to have only affected card numbers and not social security or driver’s license numbers.

The majority of the affected credit cards appear to have been used at Saks and Lord & Taylor stores between May 2017 and March 2018 and only in the New York-New Jersey areas stores. 

Both Saks 5th Ave. and Lord & Taylor are owned by the Canadian company Hudson’s Bay. The company issued the following statement: “We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America. We have identified the issue, and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.”

Orbitz

The popular travel booking site Orbitz announced that its legacy site, Amextravel.com, was compromised due to a data breach. Data of 880,000 customers was compromised from January 1, 2016 through December 22, 2017.

According to the company credit or debit card information was stolen along with personal information that includes the customer’s full name, date of birth, phone number, email address, physical and/or billing address and gender.  

Orbitz plans to notify all customers whose information may have been compromised and is providing potential victims a free year of credit monitoring services. Customers can contact Orbitz for the free service either online or by calling 855-828-3959 toll-free.


National Cyber Security Awareness Month – Identity Theft

Identity theft is big business. And if you have been paying attention you probably know that data theft is exploding globally, especially so in the U.S. According to the Identity Theft Resource Center and CyberScout, data breaches hit 791 incidents in the first half of 2017 alone, up 29 percent from last year.

Let’s talk money. Last year over 15 million Americans were victims of identity theft. For the crooks that pulled in a staggering $16 billion. According to an Identity Fraud Study by Javelin Strategy & Research, since 2011 identity thieves have stolen $107 billion from U.S. consumers.

African-American consumers are as vulnerable as any other Americans to identity theft. But here is the problem. Many data breaches are not reported for days and even months sometimes. Is that against the law? Not exactly. Sometimes law enforcement will ask the company not to publicly disclose the breach as part of the investigation. So, as I always say, your cyber security is your responsibility.

How do you know if your identity has been stolen?

The answer to that question is, it’s hard to tell without constant vigilance. The bottom line is that you have to be on the lookout for not only the obvious signs but subtle clues as well. Again, you are responsible for your cyber security and your money. Don’t expect banks or credit card companies to do all the work. Yeah, they have algorithms that can spot unusual transactions but they are not perfect by any means. Here are some clues you need to be alert for.

  1. Monitor your mail. Are your bills and other mail failing to arrive as usual? This may be an indication that your identity has been compromised and the thief has changed your mailing address. Cyber crooks are smarter than you think. You may be getting some mail but the crook has re-directed items like your bank statement or credit card bills. If bills are late, follow up with creditors as soon as possible.
  2. You’re turned down for credit. If you apply for credit and are denied, or you try to increase your credit limit and are rejected without good reason, you need to be suspicious. Especially if you have excellent credit. Being denied credit or being offered credit with a high interest rate is a sign your identity may have been compromised. Take the time to contact the creditor to discuss what the problem is.
  3. Mysterious bills for items you didn’t purchase. This is a good sign that your identity has been compromised. Especially bills that come from collection agencies. You should contact the creditor immediately and inform them that you have been a victim of identity theft and it is not your debt. Report the situation to the police, your legitimate creditors and all three credit agencies as soon as possible. Also place a freeze on your credit to protect yourself from further damage. Some creditors will persist with collection efforts and even place negative information on your credit report. Write letters and keep good records. You need to establish communication and a paper trail to protect yourself.
  4. Monitor accounts for fraudulent transactions. Regularly check all your credit accounts for fraud. This includes brokerage accounts. Immediately challenge any charges or changes you cannot identify as yours. Look for test charges. Thieves will charge a dollar or two on a credit card or debit card to see if it will go through. Don’t ignore these if you find them. File a police report and demand that the fraudulent activity be stopped and the institution reimburse you for any losses. As a victim of identity theft you have rights. Check IdentityTheft.gov to learn more.
  5. Your taxes. You need to be especially alert in this area. Millions of African-Americans file their tax returns electronically every year. If your tax return is rejected, act immediately! Your return was probably rejected because the thief has filed a tax return in your name and stolen your refund. Also, be alert for a tax refund you were not expecting or do not qualify for. This is another red flag. Has a tax transcript arrived in the mail that you did not request? It’s possible that a cyber criminal was attempting to download your tax information and failed a security test. The IRS then mailed the transcript to you believing you requested it. Anytime your taxes are concerned you need to be alarmed.
  6. Someone files for unemployment using your name and Social Security Number. If a hacker gets hold of your Social Security number and the name of your current employer, they may attempt to collect unemployment benefits in your name. You may get a call from your company HR department that something is amiss. Social media, Facebook in particular, is a good place for a thief to look to see if you recently changed jobs or quit. Using this information they file for unemployment benefits. You are clueless until you get a nasty letter from your former employer or the unemployment agency.
  7. Your credit score goes up. Strangely, this could be a clue that something is happening with your identity. Check your credit reports frequently for new accounts you didn’t open or credit inquiries, which could reveal that cyber thieves are trying to get credit in your name.
  8. Direct mail and phone solicitations. Are you suddenly getting catalogs and offers from companies you never do business with? Or phone calls from marketers? You could have ended up on that mailing or phone list because someone is shopping with your credit card at expensive stores. You may get calls from car dealers, calls for loans and home improvement, or high end retail catalogs. You may be the victim of a high priced shopping spree on one or more of your credit accounts.

Now you know.

National Cyber Security Awareness Month – Beware of Skimmers!

Let’s face it: technology is everywhere in our daily lives. So much so that we have gotten to the point where we use it without a thought. Hackers and thieves depend on a certain level of laziness to victimize people using card skimmers.

Every day millions of African-Americans pull out their debit or credit card and swipe it. We swipe it for gas, food, clothes, medicine, every conceivable purchase. But are we aware of how vulnerable our money, and even our financial life, is when we swipe our card?

One of the most prolific, and easiest, cyber crimes is the use of skimmers. A skimmer is a small device that is almost invisible to the naked eye. It is placed inside credit card readers. When you swipe your card through the reader the device records the information on your credit/debit card and transmits it to criminals. These skimmers can be found anywhere you use a credit card: the gas station, a convenience store or even an ATM. As I said already, spotting these little devices is very difficult. Sometimes the thieves will mount a skimmer over a card scanner. Sometimes they can gain access to the machine and mount the device inside. These cyber criminals are so good that they can even build skimmers with key pads that record your PIN, and you would never know you were using it.

Newer credit and debit cards have what’s known as an EMV chip (chip-and-PIN cards). These are much more secure because they transmit transaction data encrypted. But those are not 100% secure either.

After they get your information they may decide to empty your bank account or max out your credit card on a shopping spree. It’s called “card not present fraud.”

So how do you detect a card skimmer?

If you investigate the device you can sometimes spot a skimmer. Here are a few tips.

  1. Look for tampering. Check the device for any sign that it has been tampered with. Check the top, bottom and both sides of an ATM. Check the card reader and the keyboard.
  2. Does it look right? Do you recognize it? If it is your bank’s ATM, does it look different, such as a different color or material, graphics that aren’t quite correct or anything else that doesn’t look right? Be alert and paranoid about any machine.
  3. If you’re at the bank and there is more than one ATM, compare them. Look for obvious differences between the two. They should be identical. If not, alert the bank and police immediately.
  4. Check the keyboard. Is it too thick? Is it loose or does it just not look like it fits right? There may be a PIN-snatching overlay. Don’t use it.

    Fake ATM keypad

  5. Push, pull, jiggle everything. ATMs are pretty sturdy, so it should feel solid. Card skimmers and fake key pads are installed quickly and if you pull on one it may come off in your hand.
  6. Another good practice is to hide your hand when entering your PIN. Some hackers use tiny cameras mounted above the ATM to record your PIN. Use one hand to cover the other when entering your PIN.

A card skimmer can be anywhere. You need to be alert and look for any signs that something is wrong. Be aware of gas pumps that might have been tampered with. This is a favorite hacker target. Why? Because they have a high volume of traffic and are not closely monitored. A good crook can install a card skimmer in seconds and come back for it in a few minutes having collected data from several cards. He may do this at several gas stations in a single day.

But the criminal may not come back for the skimmer at all. In the past skimmers had memory chips that required criminals to come back and retrieve the device. No more. The newest skimmers can transmit the information via Bluetooth or text message to the criminal’s computer. They can install the skimmer and record for hours. And you don’t have to build these devices. You can easily buy these devices on the web where they are sold openly.

But you can fight back. Your smartphone can detect these Bluetooth skimmers. When you arrive at a gas pump or any location using a self-serve card machine, whip out your smartphone and go to settings. Turn on Bluetooth and have it search for sources. If you see a string of suspicious numbers come up, do not swipe your card in that pump or ATM. Report it to the police and store management immediately.

There are also apps that can detect skimmers. Skimmer Scanner is currently available for Android phones and it can detect the presence of a skimmer on a card swipe machine. The Skimmer Scanner app checks for nearby Bluetooth transmissions and alerts you when one is detected.

Now you know.

World Password Day and Your Cyber Security

World Password Day was yesterday. Ok, so we are a little late. But let’s understand that a simple password that is easy to remember is also easy to break. Black people continue to be the least educated in the area of cyber security and the AACR is working to change that.

You will eventually have to kiss your money and/or identity goodbye if you are using an easy-to-guess password. Now, for the record, let me show you how easy it is to guess your password. If you use your middle name, your dog, cat or pet’s name, the model or make of your pimped out ride, your mother or father’s name, your child’s name, your husband’s name, one of their birthdays, your address, zip code or phone number, your password is probably ripe for hacking. Why? Because a good hacker can get all that information from your Facebook page, your LinkedIn account, your Instagram account and your Twitter account. It’s all there! Bottom line is if your password is stupid eventually it will cost you.

Here are a few tips for securing your passwords.

  • Complicate your passwords – Like I said, don’t use words like your pet’s name or anything that can be found on your Facebook page or Twitter account. Create random pass phrases. A pass phrase may start out like this: “jimmyloveschocolateicecream”. Then add numbers and special characters, you know, like $ @#%^&, etc., and it ends up looking like this: “j1mmYloV3schocol@TeIcecre@m.”
  • Use a password manager – We all have the aggravating problem of trying to remember multiple passwords. So to solve that problem use a password manager like LastPass or 1Password. You can find free password managers here. But to be honest password managers are not always totally secure. LastPass was acquired by LogMeIn. Unfortunately hackers stole the hints to users’ main passwords and the scrambled versions of those passwords. But a password manager is still safer than trying to remember your passwords on your own.
  • Different accounts mean different passwords – Hackers love lazy people. They know that if they can steal one of your passwords it’s probably the same for all your accounts. So don’t get robbed because your bank account password is the same as your Twitter account. Use a password manager and mix it up.
  • Change your passwords every 90 days – Ok, maybe twice a year if you are lazy, but change them. If you have had the same password for more than a year you are vulnerable.
  • Make use of two factor authentication – Two factor log in systems allow you to make double sure your password is safe. Two factor log in means that you use one password for the site and then another password is generated and sent to you, usually via a text message. Consider it a double lock for your accounts.
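As an added example (not code from the original post), here is a small Python check that applies the first tip above the way a site or a password manager could: it undoes the $ @ # substitutions and flags any password built from details a stranger could read off a social media profile, and it checks the length and character mix of a pass phrase. The profile, the names in it and the policy thresholds are all constructed for the example.

```python
"""Password check against a user's own public profile (added example).

Flags passwords derived from information that is visible on social media
(middle name, pet, car, zip code, phone number, birthday) even after the
leetspeak substitutions the post recommends, because attackers undo those
substitutions too. Profile and thresholds below are constructed, not real.
"""
import re
from datetime import date

# Common character substitutions, undone so "R3x" and "Rex" compare equal.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

MIN_LENGTH = 12   # assumed policy minimum, not a figure from the post
MIN_CLASSES = 3   # out of: lowercase, uppercase, digits, symbols

# Constructed profile of the kind a thief could assemble from Facebook.
PROFILE = {
    "middle_name": "Marcus",
    "pet": "Rex",
    "car": "Camaro",
    "zip": "30318",
    "phone": "404-555-1212",
    "birthday": date(1985, 7, 14),
}


def normalize(text: str) -> str:
    """Lowercase and undo leetspeak so substitutions cannot hide a token."""
    return text.lower().translate(LEET)


def profile_tokens(profile: dict) -> set:
    """Turn profile fields into the short strings people build passwords from."""
    tokens = set()
    for value in profile.values():
        if isinstance(value, date):
            # A birthday leaks several strings: year, mmdd, ddmm, mmddyy, mmddyyyy.
            tokens.update({f"{value.year}", f"{value:%m%d}", f"{value:%d%m}",
                           f"{value:%m%d%y}", f"{value:%m%d%Y}"})
            continue
        text = str(value)
        if re.search(r"[A-Za-z]", text) and len(text) >= 3:
            tokens.add(normalize(text))
        # Zip codes and phone numbers are often used whole or as their last 4 digits.
        digits = re.sub(r"\D", "", text)
        if len(digits) >= 4:
            tokens.add(digits)
            tokens.add(digits[-4:])
    return tokens


def char_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, pw)) for p in patterns)


def check_password(pw: str, profile: dict) -> list:
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(pw) < MIN_CLASSES:
        problems.append("needs letters, numbers and special characters mixed in")
    # Compare against both the raw lowercase password (for digit tokens such as
    # a birthday) and the de-leeted form (for names hidden by substitutions).
    views = (pw.lower(), normalize(pw))
    for token in sorted(profile_tokens(profile)):
        if any(token in view for view in views):
            problems.append(f"contains personal information {token!r}")
    return problems


if __name__ == "__main__":
    for candidate in ("Rex2015", "M@rcus0714!", "Camaro1985",
                      "jimmyloveschocolateicecream",
                      "j1mmYloV3schocol@TeIcecre@m"):
        result = check_password(candidate, PROFILE)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Note that “M@rcus0714!” uses all four character classes and still fails, because stripping the substitutions exposes the middle name and the birthday.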

Now let’s talk about a little cyber spring cleaning. Try to remember to treat your computer and Internet connection like you treat your home. Keep it clean, keep it safe and keep it secure. What does that mean?

Keep your computer clean by making sure you delete old software you no longer use, and that includes games. Old software is a security vulnerability and hackers can use it against you. Make sure the software you are using is regularly updated. Most software can do its own automatic updates or remind you when it needs updates.

Like the doors and windows of your home, keep your computer and online accounts secure. Use secure pass phrases, change those pass phrases often and lock out strangers from your social media accounts. Remember, don’t friend the friend of a friend. Hackers use that technique to get access to your Facebook page and personal information. If you don’t know them then don’t let them into your cyber world.

Keep your system safe by using a good anti-virus program. Make sure you don’t click on links or attachments that you are uncertain of. Make sure your home network and router are secure. Have you changed the password on your router? The default password that comes with the device can be found online, and hackers know this, and now so do you.


National Cyber Security Awareness Month – Ransomware

October is National Cyber Security Awareness Month. The African-American Cyber Report is dedicated to bringing the latest, most relevant cyber security news and information to black people.

Cyber security has become the single most urgent topic of our age. More people fear having their identity stolen than being robbed at gunpoint or murdered.

In order to combat that fear and protect yourself and family members you need to understand what is happening in the cyber world and how it affects you. When it comes to Internet related news the African-American Cyber Report answers the question for black people when they ask: “What does that mean to me?”

As part of National Cyber Security Awareness Month the AACR is revealing the top cyber security threats of 2015 and the coming new year and how black people should respond.

Ransomware

First, what is ransomware? Ransomware is a dangerous type of malware which completely blocks access to a computer system. In other words, if you get infected with ransomware your computer will be locked up until you pay the hacker to release your computer and all its files. They often demand payment in bitcoins, and if you don’t pay it is unlikely you will ever use that computer or see the data in it ever again. Yes, there are some ways to defeat ransomware once you get hit, but nothing is guaranteed.

Ransomware is expected to become more refined in its targets and methods. Cyber security experts predict that the variants of ransomware may target cloud based data storage such as Google Drive, Dropbox, OneDrive and many more. Once the cloud storage site is detected ransomware will exploit the stored personal credentials of the logged-in user and will even infect the website where the data is backed up. McAfee has warned that ransomware attackers will try as many ways possible to extort ransom payments from victims.

Now, how do you avoid getting hit by ransomware? First of all, never, ever click on a link or open an attachment in an email from someone you do not know. And even if you do know the sender, if you are not expecting the email, pick up the phone and call them. Ask: what have you sent me? Did you send it? Remember, many viruses have the capability to email themselves to other computers. If the sender did not send the email then delete the email immediately. Ransomware is mostly found on suspicious websites, and arrives either via a “drive-by download”, a stealth download, or through a user clicking on an infected advertisement or pop-up. Other actions you need to perform include:

  • Have security (anti-virus, anti-malware) software installed and up to date with a current subscription. Thousands of new malware variants land on the Internet every day. Outdated virus and malware definitions are almost as bad as having no protection at all.
  • Perform regular updates on all your computer software. This includes the operating system, the browser and all of the plug-ins that a modern browser typically uses. The most common openings for malware and virus infections are software vulnerabilities and zero day exploits. Keeping software up to date helps minimize the likelihood you get caught up.
  • Make sure you are leveraging the full set of protection features delivered in your security product. Symantec and Norton products include five distinct layers of protection: Network (Intrusion Prevention), File (traditional AntiVirus), Reputation (Insight), Behavioral (SONAR) and Repair (ERASER and Norton Power Eraser).

Now you know. Tomorrow, Public WiFi.


Hackers Hit OPM Again!

Uncle Sam’s Office of Personnel Management has suffered a major data breach. The personnel records of as many as 4 million current and former federal employees may have been compromised.

According to a press release from the OPM the agency identified a cyber security incident involving personally identifiable information (PII) of federal employees. OPM says it is working with the Department of Homeland Security’s Computer Emergency Readiness Team or CERT and the Federal Bureau of Investigation (FBI) to determine the full impact to Federal personnel. The OPM manages security clearances and employee records for every federal agency.

The federal government is the nation’s largest employer with over 4.3 million people on the payroll. According to the OPM, in 2012 the federal government employed a total of 332,850 African-Americans.

This is the second data breach for the OPM. The agency admitted to a previous breach in March of 2014. The OPM claims it has implemented improved security since that breach, and this new breach came before those new standards were put in place. The previous breach has been blamed on Chinese hackers and, according to the Washington Post, this attack is also believed to have originated in China.

In response China said today that allegations that it is involved in breaking into U.S. government computers are irresponsible.

During a regular news briefing Chinese Foreign Ministry spokesman Hong Lei said that Beijing hopes the U.S. would be “less suspicious and stop making any unverified allegations, but show more trust and participate more in cooperation.”

Because this is OPM’s second breach within a year many experts and elected officials have legitimate questions about security practices within the agency. U.S. Sen. Mark R. Warner (D-VA) said, “Today’s reported breach is part of a troubling pattern by this agency in failing to secure the personal data of federal employees, the second major breach in a year. Cyberattacks present a critical threat to our national security and our economy. We cannot afford to keep dragging our feet in addressing the escalating threats posed by hackers out to steal individuals’ personal information.”

This intrusion was discovered by internal network monitoring systems. It is still unclear whether the attackers exploited any residual effects from the earlier attack. There is the potential that hackers have installed a back door in OPM’s computer systems allowing them to enter at will and take what they wish. A major concern arising from this data breach is that America’s intelligence operatives may be exposed, a topic few in the government are speaking about.

OPM’s chief information officer told The Washington Post: “OPM has undertaken an aggressive effort to update our cyber security posture, adding numerous tools and capabilities to our networks. As a result of adding these tools, we were able to detect this intrusion into our networks.”

Because of the incident, OPM is sending notifications to approximately 4 million past and current federal employees whose PII may have been compromised. OPM stated that the investigation is on-going and additional PII data loss could be discovered. OPM will conduct additional notifications as necessary. OPM is offering a package of identity protection services including credit report access, credit monitoring and identity theft insurance and recovery services to potentially affected individuals through CSID, a company that specializes in these services.


ALERT! Sally Beauty Breached Again ALERT!

The African American Cyber Report reported in March of 2014 on a data breach at Sally Beauty Supply stores. So here we go again!

One year later Sally Beauty Supply is again revealing that a network intrusion exposed customer payment card data and is now investigating fresh breach reports. Sally Beauty has over 4,800 U.S. stores reporting 2014 revenue of $3.6 billion.

Sally Beauty first began to receive warnings of a possible breach during the week of April 27th. In a May 4th announcement store executives admitted to investigating “unusual” card activity linked to payment cards used at some of its U.S. stores.

“Since learning of these reports, we have been working with law enforcement and our credit card processor and have launched a comprehensive investigation with the help of a leading third-party forensics expert to aggressively gather facts, while working to ensure our customers are protected. Until this investigation is completed, it is difficult to determine with certainty the scope or nature of any potential incident; but we will continue to work vigilantly to address any potential issues that may affect our customers.”

The beauty supplier vowed to provide additional updates “in the coming days” via its website and directly to affected customers. “We will be providing notifications to any affected consumers and others, as appropriate, as the facts develop and we learn more.” The chain also requested that any customer who discovers fraudulent activity that they believe relates to Sally Beauty should contact its customer service hotline after alerting their card issuer or bank.

Cyber security experts point out the suspicious timing of the second data breach. George Rice, senior director of payments for data-encryption firm HP Security Voltage, pointed out, “Sally Beauty experienced two breaches within a short period of time. It is entirely possible that Sally Beauty never fully eradicated the malware on their POS from the first time.”

John Buzzard, head of card-alert service at analytics software company FICO, agrees stating “We are all really perplexed when we see breaches that appear to the naked eye to be a repeat situation.” Buzzard continues, “As Sally’s story line evolves, we may learn that the level of customization in the malware that allegedly affected them in 2014 was so complex that it was able to evade a stringent mitigation process. I can’t ascertain if lightning did, indeed, strike twice here; so it’s just a waiting game to see how this can be explained.”

A Sally Beauty spokesman told the Information Security Media Group that “it would be premature to speculate” about whether the 2014 and 2015 breach reports might be linked, and declined to detail which digital forensics investigation firm it brought in to investigate the latest breach reports. The 2014 breach was investigated by Verizon.

The question most customers have is: why did this happen again? In the company’s 2014 annual report, released in November, Sally executives noted the company had a number of information security defenses in place. “We have physical, technical and procedural safeguards in place that are designed to protect information and protect against security and data breaches as well as fraudulent transactions and other activities,” it said. “Despite these safeguards and our other security processes and protections, we have been a victim of cyber-attacks and data security breaches, including a breach that resulted in the unauthorized installation of malware on our information technology systems that may have illegally accessed and removed a portion of payment card data for certain transactions.”

Tripwire senior security analyst Ken Westin says there are steps all retailers need to take, not just ones that have suffered a point-of-sale malware attack. These steps will allow retailers to safeguard themselves against online attacks, as well as to rapidly detect unfolding breaches. Those include keeping a close eye on all data regulated by the Payment Card Industry Data Security Standard. “Both the intrusion and the malware components can be better detected by taking a layered security approach, monitoring endpoints and the network itself closely for anomalies and indicators of compromise specific to retail breaches,” he says. “These include configuration changes, unauthorized processes and credit card data appearing on the file systems, RAM or anywhere outside the PCI environment.”


Obama Pushes Consumer Privacy Bill

President Obama has introduced draft legislation intended to ease the burden on consumers who wish to view or delete personal information that companies collect and keep. The White House announced the release of the draft based on the principles of the Consumer Privacy Bill of Rights originally released in 2012.

Consumer privacy is another Internet related issue that Obama promised to address in his State of the Union address. The president previously released a fact sheet outlining both this and other proposed changes. President Obama has made significant efforts in addressing national cyber security and other consumer Internet related issues including connectivity and broadband, public private information sharing and data breach notification legislation.

The Consumer Privacy Bill of Rights Act of 2015 addresses the staggering volume of personal data that corporations collect from consumers regularly. This data is the raw material used internally, analyzed by advertisers, or sold to a third-party aggregator as the final product of the information industry. The bill introduced by the president would require corporations to explain how they use this data in “concise and easily understandable” language. The bill also requires options for consumers to review, correct, or delete information.

Data covered by this bill includes names, addresses, social security or passport numbers, fingerprints, or credit card numbers. Excluded information includes “de-anonymized” data that theoretically cannot be traced back to a specific person. Information used to identify a cyber security related problem is also excluded as long as companies make “reasonable efforts” to remove any personally identifiable information. The bill requires companies to be specific about what information is collected, who it will be shared with, when and if it will be destroyed, how it’s kept secure, and how customers can see or remove it.

Data collectors will also be required to take “reasonable steps” to mitigate privacy risks and make these efforts clear to users. The Federal Trade Commission (FTC) will be tasked with establishing rules for privacy reviews. Any company violating the terms of the act is subject to FTC lawsuits, as well as action by users and state attorneys general. The president’s bill allows exemptions for small businesses, including businesses that process data for 10,000 people a year or less or that have no more than five employees.

California’s “Shine the Light” law already makes it possible to find out what information companies have collected. The California law requires companies to reveal what information they’ve sold to third-party marketing companies. Facebook, one of the largest data collectors in the world, has already attempted to make its privacy policies more transparent, considering the tremendous amount of information it holds.

Center on Privacy and Technology director Alvaro Bedoya at Georgetown’s law school worries that Obama’s bill could actually preempt state laws allowing companies to collect what they want as long as they maintain some level of transparency. Bedoya cites rules in Illinois and Texas that ban companies from collecting biometric information without permission. “This bill would erase those protections without offering any clear replacement.” He added that it “seems to assume a world where all of our data is collected about us, all of the time.”

Bedoya is not alone in his thinking. Nonprofit Consumer Watchdog labeled the bill as “full of loopholes” saying it “envisions a process where industry will dominate in developing codes of conduct.”

The Center for Digital Democracy says it relies too much on companies’ judgment to decide whether information is sensitive and how it should be managed. This limits the FTC’s power.

In a written statement the Center for Digital Democracy said “Although the president’s Privacy Bill of Rights promised transparency and control, it creates a labyrinth-like process that consumers must navigate before they can actually access and correct their own data records held by companies.”

The Center for Democracy and Technology says it “falls short on the privacy protections needed in today’s digital world.”

Bedoya hopes the bill that reaches Congress provides more specific and clear lines of authority, opening the door to meaningful reform. President Obama continues to push on other fronts. This month he introduced another cybersecurity executive order, another attempt to create rules governing breaches like last year’s Sony hack.

Breaking It Down

As a black consumer you need to be aware of the level of data collection that is going on. The more corporations know about you, the more likely they are to tailor offerings, sales, and information just for black people, and that is not always a good thing. Not at all.

But before I get into the dangers of information collection, let me explain a simple, scary fact to you. Everything you buy is recorded somewhere with your name on it. You sell more information about yourself than you can imagine. What you don’t sell you give away, or the major corporation figures out a way to steal it or buy it from someone else. Is this information about you true? Is it accurate and up to date? You don’t know, and the information industry won’t let you see it. Major corporations are now collecting every bit of information they can about you, no matter where you are, who you are, or what that information is. There is nothing to stop them. President Obama is trying to change that.

Now welcome to the age of digital discrimination. Corporations use the information they collect from black consumers to guide them to choices “just for them.” Sound familiar? Your information is used to direct you away from homes you can’t buy. That’s called redlining. Your information is used to hide jobs you can’t have. Employment discrimination. Your information is used to decide what medical treatment you get and what you pay for prescriptions. Your information is used to determine what price you pay for merchandise, and it is not always cheaper. Your information is used to decide what banks you can do business with, what loans you can get and what advertisements you see. Corporations claim it’s the machines doing it. Do we believe that?

The purpose of the Consumer Privacy Bill of Rights is to allow you some control over this information. But it is not going to solve the problem of digital discrimination. I don’t know what will.

Fake Websites and Phony Trust


If you follow the African-American Cyber Report you know there are certain rules that we preach constantly. You can find these rules on the homepage. But I need to point out two of those rules that come into play here. Rule #1 “The only rules on the Internet are the ones you impose and enforce.” And rule #10, “Everything on the Internet is real; just not always true.”

I encourage black people not to trust anything you see on the Internet, simply because it’s all suspect until you verify it. That is the case with all those seals of approval you find on websites. They could be worthless, because they are so easily copied and used by scammers and malicious actors online. Those badges or seals are known as “trust seals,” but really they are just images, pixels on your screen. Anyone can copy and paste these images onto any webpage. Yeah, it might look fancy and official, but that means nothing. Check rule #10 again. Whenever you are about to buy something online or download some app or software, you need to first verify that you are indeed dealing with a reputable party. You need to do your homework.

African-Americans are warned to impose their own standards on everything they do online and to protect themselves from the bad actors they are bound to come across on the wild world web. Check rule #1.

You might be ready to buy software, a game or a movie online, or download an app, and see this: “CNET gave our software a 5-star editor’s choice rating,” or “We are a BBB accredited business with an A+ rating.” Suspicion of these statements would serve you well.

Any malware author or phisher can copy and paste a logo, seal or statement onto a malicious website in a few seconds. Someone who copies those seals or statements to mislead people is violating copyright law, but how many people are going to lose money before that person is caught and shut down?


And if you did not know, there are literally thousands of phony, duplicate or replica websites on the Internet. You can easily get caught up in a scam or get stuck with malware, ransomware or a virus if you are not careful. Do your homework and study how to spot phony websites.

When you see those seals or badges on a website you should be able to click on it and be taken directly to the website that provided the seal of approval. Once there the seal-provider’s website will verify whether the original website you were on is actually a recipient of the seal.

Ok, that’s how it is supposed to work. But does it really? In reality, even if the site is legitimate, clicking on that badge may not work. This is where you have to do your homework. Take the time to go to the seal provider’s website and investigate whether the software is really a “PCWorld editor’s choice” or accredited by the Better Business Bureau. Listen to me when I tell you that those seals, badges and quotes don’t mean a damn thing by themselves. You need to protect yourself. No one is going to do it for you. Check rule #1 yet again!

In some cases doing the research may not be an easy task. Microsoft doesn’t offer an easy-to-find “certified partners” list, but we found it here in case you need it. Some seals you can click, but again, you could be transferred to a phony replica website. Investigate the web address closely and look for misspellings that resemble the real web address but are not it. This trick is called typosquatting or URL hijacking. Here is an example: www.google.com is the real website. The fake could look like www.gooooogle.com or www.goggle.com. Look carefully at the differences.
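A small checker for the typosquatting trick described above, added here as an illustration and not part of the original post. It compares the host in a URL you are about to open against a constructed list of the sites you actually mean to visit, flagging stretched letters (gooooogle), single-character slips (goggle) and a trusted name buried inside a longer host; the domain list and the distance threshold are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of sites the user actually means to visit. In practice
# this would come from the user's own bookmarks; these are only the page's examples.
TRUSTED_DOMAINS = ["google.com", "wellsfargo.com", "paypal.com"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_name(url: str) -> str:
    """Extract the host from a URL or bare hostname and drop a leading 'www.'."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def squeeze_repeats(label: str) -> str:
    """Collapse repeated letters so 'gooooogle' and 'google' both become 'gogle'."""
    return re.sub(r"(.)\1+", r"\1", label)


def check_lookalike(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_domain): 'trusted' for a listed domain or one of
    its subdomains, 'lookalike' when the name is suspiciously close to a listed
    domain (typosquat, stretched letters, or the trusted name buried inside a
    longer host), and 'unknown' when it resembles nothing on the list."""
    host = registrable_name(url)
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted", t
    label = host.rsplit(".", 1)[0]          # everything before the TLD
    for t in trusted:
        tlabel = t.rsplit(".", 1)[0]
        if tlabel in label:                 # e.g. wellsfargo.com.evil.net
            return "lookalike", t
        distance = min(levenshtein(label, tlabel),
                       levenshtein(squeeze_repeats(label), squeeze_repeats(tlabel)))
        if distance <= max_distance:        # goggle, wellsfago, gooooogle
            return "lookalike", t
    return "unknown", None
```

An "unknown" verdict is not a clean bill of health; it only means the name does not imitate anything on your own list.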

Another problem you need to be aware of is that those seals and logos don’t always mean what you think they mean. For example, that “Norton Secured” seal only means that the website is scanned daily for malware and other vulnerabilities. That is not the ultimate level of security or privacy. The BBB Accredited badge means the website’s company is registered with the Better Business Bureau. It is not an indication of how satisfied its customers are. That 5-star rating from a software download site just means a reviewer at some point in the past gave that program a good rating, or the scammer gave themselves five stars. And that “Microsoft Certified Partner” badge has its own issues. It doesn’t seem to mean much at all, except maybe that the software works with Windows computers.

“Be paranoid when you are online. It’s a great defense mechanism.”

I understand all this can be confusing and even frustrating. You need to use that fear and frustration as fuel to protect yourself. But there are a few things you can trust when online. Look for the green bar in your URL window. That’s the window where you type the web address of the website you want to go to. When you see that green name next to your address bar, that is a definite confirmation that the website has had its identity verified. Read more about these “Extended Validation” certificates and how they’re more trustworthy than typical SSL certificates.

The above image reveals the real PayPal website and a phony site. Notice the green in the address bar.

Let’s be real about this. You will find legitimate websites displaying a fake seal. Eventually they will get caught and be forced to remove it. But how legitimate is a website that fakes its trustworthiness? What you should worry about are the pop-up sites that are here today and gone today. These are the sites that distribute malware, launch phishing scams and steal data. It’s those websites that get the most benefit from stealing these seals. They are breaking the law anyway, so faking a seal provider’s logo or seal is really no big deal for them. Be most cautious when it comes to financial websites like your bank. A fake website like www.wellsfago.com is waiting for you to log on thinking it’s www.wellsfargo.com.

It’s the Internet; trust no one.

Now you know