Sunday, September 28, 2014

Policies: Security and Privacy

This week, we have been studying policies. One of our assignments was to create a home computer use policy governing the use of our networks at home. This led me to think about how security and privacy are handled in policies. So, how do security and privacy factor into policies?

I found Google's policy information concerning its Business Apps offering. It actually breaks the frequently asked questions (FAQ) into two parts: privacy and security. First, let's look at privacy. Many people are concerned about posting or sharing information on the Internet because they feel that the provider would then own the data. Google makes it clear this is not the case with them. They also make it clear that they respect the organization's privacy by not accessing its data unless granted access by the domain administrator. Additionally, in light of recent developments with security and law enforcement, it appears as though Google will typically entertain requests to remove content. However, I do not see anything mentioning whether Google provides government access to your data. So, you can rest assured that Google may have your back if the NSA comes knocking!

Security also plays a role at Google. They have received satisfactory SSAE 16 and ISAE 3402 Type II audits. What does this mean for you? Essentially, Google has passed audits of how it secures your data with respect to data security, privacy, and the security of its data centers. This should give users of its Business Apps peace of mind that any data they entrust to Google will not make it into the wrong hands. Google also reassures its users that they are protected against hackers and miscellaneous threats by a security team that tests its controls and enhances the security of data. Lastly, Google uses encryption through HTTPS to ensure data transmitted to and from its servers is secure and free from prying eyes. To me, it sounds like Google is a safe, secure, and private place to conduct business.

It's nice to know that privacy and security policies are in place, but what can you do if you feel yours have been violated? That is a fair question and one I wanted to look up. In the event you feel that a business has violated the security and/or privacy policies put in place to protect you, you should contact the Federal Trade Commission (FTC). According to its website, the FTC has brought 32 legal actions against companies for violating their own policies regarding security and privacy. In such cases, companies are in violation of Section 5 of the FTC Act. What does that mean? Essentially, it protects you against deceptive practices: a company can publish a policy, gain your trust, and then violate it by not abiding by its own terms. Therefore, the company can be punished and you have protection. That is good information to know, should you ever encounter this type of practice. Thankfully, I have never had that issue with any companies.

As you can see, companies have policies in place to protect both themselves and you, their clients. Without these policies in place, there could be tremendous harm to either you or the company. Private information made available to others could hurt you or your company, leading to lawsuits against your provider. You certainly do not want your information freely available and the companies who host your data, like Google, do not want to lose valuable monetary resources because of negligence. Most of us, myself included, tend to just breeze through the policies. Next time, take a few minutes to read through those privacy and security policies to see how you are protected. You might find a plethora of useful information at your fingertips!

Referenced Sites

Enforcing Privacy Promises. (n.d.). Retrieved September 28, 2014, from http://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises

Your security and privacy. (n.d.). Retrieved September 27, 2014, from https://support.google.com/a/answer/60762?hl=en

Sunday, September 21, 2014

Liability and Security

I have been researching and talking about private data, security, and the compromise of our private data. With that, I began to wonder about liability. Who is liable in the event that my data is compromised? The answer, in reality, is that it depends on what data was compromised and how it was compromised. So, let's look at a couple of different aspects: self-disclosure and data breaches.

Self-disclosure is just as it sounds. You have willingly provided your data to someone, whether or not it is the person you thought you were providing it to. It is simply the act of providing information, such as a password, on your own behalf. You might think that you are fully liable in this case, but you do have some recourse. As the msnbc.com article indicates, if you act within two days, federal law states you are only liable for $50. After that, you become liable for $500 out to 60 days. If, after 60 days, you have not reported the potential fraud to the bank, the liability is unlimited. It's good to know you have some rights if you are duped out of information in a phishing scam. So, what happens in the event of a data breach, such as with Target and Home Depot?

Both Target and Home Depot finally revealed their data breaches. In the case of Target, they set up a site online to provide valuable information to consumers. Home Depot did not set up a specific site, but they did publish a frequently asked questions (FAQ) document to answer questions consumers may have. In any case, both retailers provided consumer protection because consumer payment cards were compromised. Both retailers offered consumers one free year of fraud protection, which seems to ease the tension, but does it really?

In my opinion, providing free fraud protection is a good move to try easing my mind; however, does it really help? If I used my debit card at Target or Home Depot, what is to prevent anyone from using my information to drain my account of funds? This is where I feel that liability switches over from the retailer to the consumer. The retailers are providing you protection in good faith because of their mistake. In return, it is important for us consumers to take action and contact our banks as soon as we are notified of the breach. This does not mean that your account will definitely be affected; but keeping a proactive mindset will keep you ahead of the game. In the end, you can be mad at the retailers for losing your information all you want. However, the best thing to do is accept their offer and take the proper actions to protect yourself. At some point, the liability falls on you.

Referenced Sites

Data breach FAQ. (n.d.). Retrieved September 22, 2014, from https://corporate.target.com/about/shopping-experience/payment-card-issue-FAQ

FAQs. (2014, January 1). Retrieved September 22, 2014, from https://corporate.homedepot.com/MediaCenter/Documents/FAQs.pdf

Sullivan, B. (2005, August 12). Know Your Rights on Bank Account Fraud. Retrieved September 21, 2014, from http://www.nbcnews.com/id/8915217/ns/technology_and_science-security/t/know-your-rights-bank-account-fraud

Sunday, September 14, 2014

Security and Your Bank Account

Last week, I touched on account security and phishing. The need to protect our information is critical to keep those with malicious intent from accessing our data. We need to play a vital role in protecting our information; however, we do entrust other critical data to others in the form of payment information. Data we once felt was safe is alarmingly becoming more and more susceptible.

How many of you shop with a credit or debit card? I am guilty of it. I seldom carry cash because, if I do, it gets spent. I am less likely to spend if I have to use my debit card. Additionally, when I go to the grocery store, out to dine, or shop at local retailers, I use plastic. It is fast, safe, and convenient, right? In light of the recent revelation that Home Depot had its payment information hacked, and the same type of criminal activity affecting Target last year, it makes you wonder.

The Target ordeal involved around 40 million customers who had shopped at the retailer from November 27, 2013 to December 15, 2013. The hackers, more or less thieves at this point, were able to obtain the names, card numbers, expiration dates, and card verification value (CVV) from transactions that occurred during that period. This is alarming because, if you think about it, that really is a majority of the information you need to make a transaction online. The only piece of information missing is your billing address. If you are thinking, "Well, good! They don't have everything!", it would only take a quick stop at whitepages.com to remedy that.

The Target breach was huge, with members of our government calling for intensive investigations and placing blame on the retailer for not having proper security measures in place; but they did! Target had installed malware prevention on its systems to prevent such an incident. The hackers had made preparations to route data throughout the U.S. to hide their trail and, when the Target team was alerted to suspicious activity, they failed to react. A review of the security logs even showed notifications in November and early December of malicious activity. So, there certainly is blame on the retailer for not protecting the data we had entrusted to them. As Target has begun to cool down a bit in the news, another retailer, Home Depot, is at ground zero.

The Home Depot attack, which came to light in the last couple of weeks, actually occurred back in April. From the reports I have seen, it is a different style of attack than the one which hit Target. Rather than the thieves routing data as a "middle man," the Home Depot attack used software that captured the transactions right at the register. The malware was designed to disguise itself as anti-virus software, thus being overlooked as a threat. The fact I find intriguing is that Home Depot's IT team could have potentially discarded the software, which identifies itself as McAfee, even if they did not use McAfee products. So, while the software may have looked legitimate, where were the warning flags that software was installed that they did not use? It leaves one to wonder why it was not dealt with immediately. Those consumers who dealt with the Target ordeal may take heed of the Home Depot attack, as it is a bit more in-depth.

While the thieves in the Target attack were only able to gather names, card numbers, expiration dates, and CVV data from those transactions, the Home Depot thieves were able to garner more information. In fact, they were able to obtain the cardholder's full name and the city, state, and zip code of the store where the card was used. Why is that important? They now have nearly enough information to reset the personal identification number (PIN) on your debit card. All that is needed, with the way most banks work now, is your social security number (SSN); and they only really need the last four digits. Why, you might ask? Banks allow users to reset their PINs through automated systems which typically require only the last four digits of your SSN to verify your identity. As you can see, this is a very serious threat to those who shopped at Home Depot, including myself!

As of right now, there is no information regarding the number of those affected by the Home Depot attack. I can honestly say that I have not panicked yet; but I am on the verge of requesting new debit cards from my bank as a precautionary measure. It will be interesting to follow this story over the next few months to see how many people were affected and how Home Depot deals with the breach. One thing I do know: my data is not as secure as I once thought it was. It also raises the questions: how safe is my data? Can I really trust the retailers I shop at? As our reliance on information and data continues to grow, securing that data is going to remain at the forefront, both professionally and personally.

References

D'Innocenzio, A. (2014, September 11). 4 Reasons Shoppers Will Shrug off Home Depot Hack. Retrieved September 13, 2014, from http://abcnews.go.com/Business/wireStory/reasons-home-depots-breach-matter-25432058

Krebs, B. (2014, September 8). In Wake of Confirmed Breach at Home Depot, Banks See Spike in PIN Debit Card Fraud. Retrieved September 14, 2014, from http://krebsonsecurity.com/2014/09/in-wake-of-confirmed-breach-at-home-depot-banks-see-spike-in-pin-debit-card-fraud/

Lawrence, D., & Riley, M. (2014, September 11). Home Depot Malware Hints at Different Hackers Than Target's. Retrieved September 13, 2014, from http://www.businessweek.com/articles/2014-09-11/home-depot-hack-malware-points-to-different-hackers-than-targets

Pagliery, J. (2014, September 8). Home Depot confirms hack, maybe since April. Retrieved September 13, 2014, from http://money.cnn.com/2014/09/08/technology/security/home-depot-breach/

Ravenscraft, E. (2014, September 8). Home Depot Hacked By Same Group That Hacked Target [Updated]. Retrieved September 14, 2014, from http://lifehacker.com/home-depot-reportedly-hacked-by-same-group-that-hacked-1631973172

Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014, March 13). Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It. Retrieved September 14, 2014, from http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

Wallace, G., Pepitone, J., O'Toole, J., Isadore, C., Pagliery, J., & Johns, J. (2013, December 19). Target: 40 million credit cards compromised. Retrieved September 13, 2014, from http://money.cnn.com/2013/12/18/news/companies/target-credit-card/

Wallace, G. (2013, December 23). Target credit card hack: What you need to know. Retrieved September 14, 2014, from http://money.cnn.com/2013/12/22/news/companies/target-credit-card-hack/

Sunday, September 7, 2014

How Secure Do You Really Feel?

We spend a lot of time online, whether it is taking classes, reading the news, watching television, visiting social websites, or posting pictures. There are a lot of ways to pass the time in the inter-webs. We also store lots of information. I, myself, have four terabytes of storage on my server computer. I am not using it all, but I have plenty for when I need it. I store financial documents, homework, pictures, and music, just to hit the basics. However, a lot of people have moved to cloud-based storage. One such service, iCloud, was recently hacked.

With the iCloud hack, some very personal photos of celebrities were leaked onto the internet. Information that was supposed to be safe and secure was compromised. How, you might ask? It appears, while reading Smith's article, as though security vulnerabilities outside of Apple's control were to blame; at least, that is what Apple wants you to believe. In fact, reading through the articles by Reed and Leyden, I am led to believe it was a phishing scam that led to the vulnerabilities. This brought the question to my mind: how safe and secure do you really feel?

Phishing scams abound. Phishing is the process by which a third party tries to gain access to your account by posing as the company you actually have an account with. As Leyden puts it, the iCloud case involves an SMS scam where users are sent a text message indicating there was an unauthorized attempt to gain access to their accounts. They must provide their ID and password or risk being locked completely out. Once you do that, it is too late; and, before you know it, your iCloud account is in the hands of mischievous bandits. You have just opened the door for the enemy.

Many would like to blame the companies for our blunder. After all, the email was from "them," wasn't it? However, most companies I have ever dealt with specifically state in their terms and/or frequently asked questions that they will never ask you for your user ID or password. If you ever receive a message stating you should provide it, look very, very carefully to ensure it is legitimate. It is not the company's fault that you let your guard down, momentarily, and allowed the enemy through the gates. So, how can you combat these false requests for information?

There are several things you can do to help protect yourself and your information online. For sites that require a password, as Schneier states, you can use a password manager. I use Google Chrome as my browser of choice and I love the fact that it has a built-in password manager. It even auto-fills the usernames and passwords for me when I return to sites. While Schneier discusses his password manager and how auto-fill prevents inadvertently entering credentials on a phony site, I would argue that Google Chrome's manager will only auto-fill the information if the domain is the same. Visiting PayPal.com will load my username and password; however, if I were to visit MyPayPal.com, it would not. You should look at the address in your browser's address bar whenever you visit a site. If the URL does not look like the one tied to the company, LEAVE! Many phishing links arrive via email. An easy way to determine if a link is legitimate is to hover over it. The text of the link may say PayPal, but the link may take you to mypaypal.com, not the legitimate site.
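To make the two checks above concrete, here is an added example (not code from the original post, Chrome, or Schneier's password manager) that models a domain-bound autofill decision and the "hover over the link" check. The vault entries and URLs are constructed for illustration, and the registrable-domain helper is a simplification that assumes a single-label public suffix such as .com.

```javascript
// Constructed sample vault: what a password manager might have stored.
const VAULT = [
  { site: "paypal.com", username: "alice" },
  { site: "bankofexample.com", username: "alice@example.org" }, // hypothetical bank
];

// Registrable domain = the last two labels of the hostname.
// Assumption: single-label suffixes only; real managers consult the
// Public Suffix List so that e.g. "co.uk" is handled correctly.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Autofill only when the page's registrable domain equals a stored site
// exactly. Lookalikes such as mypaypal.com or paypal.com.example.net
// share no registrable domain with paypal.com, so nothing is filled.
function autofillFor(pageUrl) {
  let host;
  try {
    host = new URL(pageUrl).hostname;
  } catch {
    return null; // not a parseable URL: never fill anything
  }
  const domain = registrableDomain(host);
  return VAULT.find((c) => c.site === domain) || null;
}

// The "hover check": does the link's real destination (href) land on the
// site the reader believes it points to? expectedSite is what the visible
// link text claims, e.g. "paypal.com".
function linkGoesTo(expectedSite, href) {
  let host;
  try {
    host = new URL(href).hostname;
  } catch {
    return false; // malformed href: treat as not going where it claims
  }
  return registrableDomain(host) === registrableDomain(expectedSite);
}
```

Running `linkGoesTo("paypal.com", "http://mypaypal.com/account")` returns false, which is exactly the mismatch a hover over the link would reveal.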

In the end, companies can only do so much to protect you and your information. You should feel secure in the online environment and trust that companies will hold up their end of the bargain. However, they are relying on you just as much to keep your information safe and secure. The next time you get a strange email or text message, do a little investigation of your own. It might just be the next attempt at phishing information from consumers.

References

Leyden, John. "Something Smells PHISHY: It's the Celeb Nudie ICloud PERV Trap..." The Register. The Register, 04 Sept. 2014. Web. 07 Sept. 2014. <http://www.theregister.co.uk/2014/09/04/icloud_privacy_flap_phishing_warning/>.

Reed, Brad. "Apple Provides Key New Details on the Massive ICloud Hack of Nude Celebrity Pics." BGR. BGR Media, 02 Sept. 2014. Web. 07 Sept. 2014. <https://bgr.com/2014/09/02/apple-icloud-nude-celebrity-pictures-hack/>.

Schneier, Bruce. "Schneier on Security." Schneier on Security. Bruce Schneier, 05 Sept. 2014. Web. 07 Sept. 2014. <https://www.schneier.com/blog/archives/2014/09/security_of_pas.html>.

Smith, Chris. "Tim Cook Vows to Improve ICloud Security, Prevent Future ‘nudegates’." Yahoo! News. Yahoo!, 05 Sept. 2014. Web. 07 Sept. 2014. <http://news.yahoo.com/tim-cook-vows-improve-icloud-security-prevent-future-153310951.html>.