CIPP Information Privacy & Security News

This summer, spammers suddenly happened onto URL shortening services as a prime weapon of choice. The popularity of URL shortening services has increased in recent years - particularly with the rapid adoption of sites like Twitter, where users have a character limit placed on their messages. There are many different URL shortening sites in operation around the globe. Most allow users to post a long URL into a field and get back a short URL within their domain name. Little in the way of security - such as Captcha puzzles - is built into such sites. This makes them a valuable tool for spammers, as they can introduce e-mail recipients or individuals on peer networking sites to predatory URLs that don't appear malicious. "The attraction from the spammers is not only is it easy to set up in advance using a number of different services for perhaps the same long URL, that will give a number of different domains that they can then use in their spam messages, and they don't have to break any Captcha in order to do that," said Paul Wood, senior analyst at MessageLabs Intelligence. MessageLabs started seeing slight spam use of URL shortening services in April. By late June and early July, the company saw three significant spikes in such usage. On July 9, 6.2 percent of all spam was observed using URL shortening services - 9 billion messages in one day alone.

LifeLock Inc., the identity-theft protection company that boasts 1.5 million customers, is embroiled in legal battles with critics who say its key service breaks the law and its advertising defrauds consumers. A federal judge has ruled that the Tempe-based company's practice of setting fraud alerts for consumers with the three main credit bureaus - a major part of its $10-a-month service - is illegal. LifeLock filed a motion challenging the decision. If the court sides with LifeLock's opponents, the decision could stunt the growth of one of the shining stars of Arizona's startup community, forcing the company to permanently alter its practices.

Everywhere you look (even here at Ars), there are articles about people making poor decisions about what kinds of info and how much to share on sites like Facebook. The Internet is no longer a place where you can hide out easily-friends, family, and employers are all lurking, reading your embarrassing status updates and checking up on those drunken pictures from last week. And that's just the beginning-the world of social networking is a feeding ground for identity thieves and stalkers, too. But it doesn't have to be that way. Many users are aware that Facebook has numerous privacy controls, for example, but even the most experienced Facebook users often don't know just how much they can control who sees what. For instance, did you know that you can specify...

Photos, addresses, family ties, court documents, details from MySpace profiles -- the moment information is published online, it can be copied and re-posted, and often is.

It's become the familiar refrain this year. Each time we see a major data breach related to payment card data, the breached entity says 'Gee, well we were told we were PCI compliant - how could this happen?' The PCI marketing machinery then gets into motion, reminding us all that PCI compliance is but a snapshot in time - not a warrantee against future breaches. Meanwhile, tens of thousands of consumers have their personal information exposed to potential compromise. They probably don't know or care what PCI is. They just want to know 'Why wasn't I protected?' Fair question, and it deserves an answer.

Six federal agencies issued a set of frequently asked questions (FAQs) today to help financial institutions, creditors, users of consumer reports, and issuers of credit cards and debit cards comply with federal regulations on identity theft and discrepancies in changes of address. The "Red Flags and Address Discrepancy Rules," which implement sections of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), were issued jointly on November 9, 2007, by the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Federal Trade Commission (FTC). The rules require financial institutions and creditors to develop and implement written Identity Theft Prevention Programs and require issuers of credit cards and debit cards to assess the validity of notifications of changes of address. The rules also provide guidance for users of consumer reports regarding reasonable policies and procedures to employ when consumer reporting agencies send them notices of address discrepancy. The agencies' staff have jointly developed answers to these FAQs to provide guidance on numerous aspects of the rules, including which types of entities and accounts are covered; establishment and administration of an Identity Theft Prevention Program; address validation requirements applicable to card issuers; and the obligations of users of consumer reports upon receiving a notice of address discrepancy.

There are four "high risk" areas that aren't getting the attention they deserve as financial institutions work toward complying with the ID Theft Red Flags Rule, says a leading industry compliance expert. Many institutions have already complied with the regulation and have done their risk assessment to identify covered accounts and determined what red flags they need to be monitoring. But there are areas that should be considered "high risk" and aren't getting the attention they deserve from institutions, says Sai Huda, CEO of Compliance Coach. The Red Flags Rule is a risk-based regulation. As such, Huda says, compliance should be approached from a risk management and not a purely technical perspective, and institutions should ask these questions: * Which accounts are more at risk to identity theft? * Which red flags represent higher risk? * Which detection and response procedures are commensurate with the risks? * Which service providers pose greater risk? * What controls exist to mitigate the risks? The big question that most institutions have at top of mind is "What about enforcement?" Huda says the federal banking regulators are taking a risk-based, top-down approach when assessing institutions. "They are first assessing whether the [institution] has implemented a risk-based program and how it is overseeing compliance," he says. "If the program is risk-based and sound, they will limit their scope. If not, then they will dig deeper."

A security researcher has found that hackers are using Twitter as a means to distribute instructions to a network of compromised computers, known as a botnet. The traditional way of managing botnets is using IRC, but botnet owners are continuously working on finding new ways of keeping their networks up and running, and Twitter seems to be the latest trick.

With mounting concerns over online privacy and information gathering by search engines, Google has come up with a solution, Opt-out village, a 22-acre remote mountain enclave for those obsessed with privacy. According to trusted news network, ONN, access to the new privacy feature is simple. Just click the opt-out button on the Google home page. Within minutes, a van will arrive to sweep you away to Opt-Out Village nestled in the Pacific NorthWest. A team of privacy experts will eliminate your personal identifiers and guarantee that your name and address will not appear on Google local searches.

The federal GLBA, HIPAA, FACTA and its Red Flags and Disposal Rules, state data Breach Notification Laws and many other federal and state laws and industry regulations like PCI-DSS are intended to protect the privacy and security of consumer's personally identifiable and financial information entrusted to businesses and other organizations. Many suchidentity theft, id theft, government security, government privacy regulations aim to prevent identity theft and privacy violations. While some businesses have been negligent in securing information, other businesses have been victimized by black hat hackers or "crackers" who operate ahead of the cybersecurity technology curve. Cybersecurity is an ongoing challenge for businesses and for government as discussed in the President's Cyberspace Policy Review. In the four-year period ending in 2008, 23% of all data breaches reported were attributed to hackers. For those data breaches involving more than one million profiles, hacking was identified as the cause in 66% of the breaches according to a recent research report on data breach risk factors.

Consumers, who become victims of identity theft through access to public records, do not have a clue as to how they became a victim. They cannot know unless the fraudster who "legally accessed" the public information is caught and confesses that they used or sold the information for identity theft. Most often end users of stolen identities are caught, not the kingpins. Illegal immigrants who purchase identities on the street sometimes for hundreds of dollars do not know the source. * What can an identity thief do with a name and SSN? Here is a short list. * Make a fake Social Security Card (see image below) * Make a fake Medicare Card and get medical treatment and Medicare benefits * Use the fake Social Security Card to get a driver's license or passport * Get a job and government benefits. * Get credit and open new financial accounts * Get housing, utilities and phone service * Get insurance * Thieves use fake ID to elude law enforcement by pretending they are you.

Some American Express card members' accounts may have been compromised by an employee's recent theft of data, the company said Thursday. American Express Co. spokeswoman Susan Korchak said a "relatively small portion" of card members was involved, but declined to be more specific. The former employee has been arrested and the company is investigating how the data was obtained, she said. The company is in the process of notifying affected card members by letter. In one such letter sent last week, American Express Privacy Officer Alfred Silipigni said he was informing the member of "an unfortunate issue" concerning his card. "We recently learned that certain account data was acquired without authorization by an employee who is no longer with the company," he wrote. "The former employee has been arrested, and we are cooperating with law enforcement authorities with their ongoing investigation." American Express declined to disclose any more details about the incident beyond what was in the letter. The company has put additional fraud monitoring and protection controls on the accounts at issue, Korchak said. American Express has about 39 million corporate, small business and consumer cards in force in the United States.

Difficult economic times can be the breeding ground for increased fraudulent activities. In July 2009, the Financial Crimes Enforcement Network (www.fincen.gov) published its 12th edition of The SAR Activity Review - By the Numbers. SARs (Suspicious Activity Reports) are one key aspect of FinCEN's efforts related to its responsibility for regulatory administration of the Bank Secrecy Act of 1970. Many different financial industries such as banks, credit unions, insurance companies, check-cashing services, broker/dealers, and casinos are required to complete and file SARs. According to FinCEN's press release on the SAR Activity Review, "The report reveals that of the 20 different violation types tracked, seven of the categories relate specifically to fraud and all seven showed an increase in SAR filings during the year. While these categories represent one-third of the possible violation types, they accounted for nearly half of the increase in total SAR filings from 2007 to 2008, with all of the fraud categories seeing double-digit increases in percentage of filings in 2008. These categories are: check fraud, mortgage loan fraud, consumer loan fraud, wire transfer fraud, commercial loan fraud, credit card fraud, and debit card fraud." Could any of this apply to you? Are your control and monitoring processes able to identify these examples of common patterns of suspicious activity that FinCEN has identified?

DESPITE SIGNIFICANT IMPROVEMENTS since the U.S. Sarbanes-Oxley Act of 2002 became effective, the continuing cost of compliance with the act's Section 404 requirements remains a concern for board members and management. A periodic operational audit of the Section 404 program can provide valuable information to executive management and the audit committee, and potentially identify areas where significant costsavings can be realized. Whether the Section 404 program is managed by the finance department, internal auditing, or another organization, it's an excellent candidate for this type of review, particularly if the focus remains on program efficiency. Several questions, based on The IIA's publication Sarbanes-Oxley Section 404: A Guide for Management by Internal Control Practitioners, can be used as the basis for the audit. The questions cover issues ranging from ensuring that operating management takes ownership of its processes, to achieving fewer and more effective key controls, to determining whether the external auditor's reliance on management testing has been optimized.

Has your management team asked the following four questions about your organization's internal controls? 1) Have we identified the meaningful risks to our objectives? 2) Which controls are "key controls" that will best support a conclusion regarding the effectiveness of internal control in a particular process? 3) What information will be persuasive in assessing whether the controls are continuing to operate effectively? 4) Are we presently performing effective monitoring that is not unnecessary and costly testing? These questions appear in a white paper, "Effective Internal Control Systems for Rapidly Changing Markets: A New Opportunity," packed with answers for GRC professionals wondering if there is a better way to operate. The paper, authored by the GRC experts at advisory firm SMART Group, clearly lays out how controls monitoring processes can and should align with the "Guidance on Monitoring" COSO published earlier this year to help organizations strengthen the effectiveness and efficiency of their internal controls frameworks. Among other useful how-to information, the 12-page paper includes a five-step "Implementation Guide" for creating a better controls-monitoring program.

As I mentioned two weeks ago, a recent survey indicates that more than half of large companies have limited knowledge of which systems or applications their employees have access to. This marks a system access problem, and a growing risk during a period of frequent and large layoffs. If a company needs to turn off access manually (which is often the case), it may miss several user accounts that they don't realize exist. This leaves the door open for past employees, and others, to access important data, including financial information and customer information. To learn more about these open-door system risks, I asked Courion vice president Kurt Johnson about his firm's research.

Wharton School professor Andrea Matwyshyn has attended Defcon for the past five years. This year, her radar is pointing to corporate disclosure of computer security threats. Most consumers, she says, find out about them primarily through news reports and after-the-fact data breach notifications. Big business, Matwyshyn says, needs to do a much better job of keeping customers abreast of how they're dealing with big security threats. "Companies need to be aware that their customers are going to start asking questions about their security and what they're doing," she told Forbes.

On a side table in his Washington offices, Federal Trade Commission Chairman Jon Leibowitz keeps a framed image of Arnold Schwarzenegger from the 1984 film The Terminator. It was given to Leibowitz a couple of years ago by one of the FTC's regional offices, an homage to his crackdown on spyware that surreptitiously gathers information on Web users' surfing habits. Now, Leibowitz wants to terminate-or at least rein in-a different practice he finds no less harmful to consumers: delivering ads to individuals based on the Web pages they visit and searches they carry out. Appointed by President Barack Obama in February to run the country's top consumer watchdog, Leibowitz has made so-called behavioral targeting a top priority. How far he goes in regulating the practice could have big implications for a host of companies that depend on Web advertising and engage in some form of targeting. These include Google (GOOG), Facebook, and Microsoft (MSFT), which on July 29 announced a plan to partner with Yahoo! (YHOO) in the area of Internet search. It would also affect the way legions of companies and advertisers craft marketing campaigns. Behavioral targeting has become more prevalent as it gets easier and cheaper to use software to track online behavior and then use the data to pitch Web users related goods and services. These ads are more likely to induce a customer to make a purchase or otherwise respond to a pitch, researchers say.

For all the concern and uproar over online privacy, marketers and data companies have always known much more about consumers' offline lives, like income, credit score, home ownership, even what car they drive and whether they have a hunting license. Recently, some of these companies have started connecting this mountain of information to consumers' browsers.

A popular laptop theft-recovery service that ships on notebooks made by HP, Dell, Lenovo, Toshiba, Gateway, Asus and Panasonic is actually a dangerous BIOS rootkit that can be hijacked and controlled by malicious hackers.