STE WILLIAMS

In the Race Toward Mobile Banking, Don’t Forget Risk Management

The rise of mobile banking and payment services has sparked widespread adoption, making a focus on risk essential.

As banks race to accelerate their digital transformation efforts to accommodate emerging payment types and consumer preferences as well as to compete or partner with rising financial technology (fintech) upstarts, they must accelerate their efforts around risk management maturity.

In the last two years, mobile banking and payment apps have seen remarkable growth in popularity and usage worldwide. Banks are investing heavily in developing mobile and web-based services for personal and business accounts, including money transfers, investments and peer-to-peer transactions. The goal is to make the customer experience as seamless as possible, increase growth in the customer and deposit base, and to capture a larger portion of each account holder’s financial activities.

The stunning rise of mobile banking and payment services has sparked widespread adoption and major changes such as the growth of cross-border global e-commerce. Financial institutions can’t afford to delay efforts to ensure their operations, software systems, and apps are secure and in compliance. Fintech firms are under especially intense scrutiny as they await federal decisions about licensing and regulatory oversight.

App Annie’s State of Mobile 2019 report highlights that finance app downloads in 2018 were up 75% over 2016 worldwide. Even the US, which has had online banking longer than many of the other countries assessed, saw 50% growth in downloads over the same period. The number of times users checked their account through an app, the most common use, is up 35% from 2016. With 4 billion mobile devices in use around the world, mobile payments and banking promise to open unprecedented access to the “unbanked” — those not served by a bank or similar financial institution. These are opportunities that even the biggest global players are only beginning to leverage.

Of course, digital transformation must align with the goals of the financial institution. These new customer-facing channels can negatively affect the business in ways the IT team never managed before. Mobile app risk management is more than just managing IT risk. Financial institutions must measure how the projects deliver on expected reductions in teller and call center needs, manage monetized API integrations, ensure fintech compliance, and handle other risks not previously managed by the bank. Manual and siloed approaches can’t keep pace with rapidly evolving businesses and digital transformation. They often can’t provide the bigger risk picture and don’t give business users the full view of risk they need to identify and manage it successfully. Financial firms and the third parties that develop their mobile apps must work diligently to clearly document the goals and benefits of the applications as well as identify, understand, measure, and integrate their enterprise-wide risk management and compliance practices.

Central to their risk management efforts, banks and fintech firms must focus on the security aspects of their mobile apps’ development and improvement, whether those actions are done in-house or by a third party. The basics of this should include:

  • Creating stronger security requirements from the beginning
  • Conducting various types of vulnerability assessments, including vulnerability scanning and configuration assessments
  • Continuously auditing the assets and networks that process data, and overseeing thorough risk assessments of fintech partners and other third parties

These proficiencies are central to meeting regulatory obligations from multiple standpoints. An immediate example is the New York Department of Financial Services’ March 1 deadline for compliance with the final phase of 23 NYCRR 500. Phase 4 implementation focuses on assessments, policies, and procedures for controlling third-party risks. Obligations under GDPR, PSD2, PCI-DSS, IRS mandates, state-level legislation, and the usual OCC, FDIC, and Federal Reserve regulations must be addressed and documented as well.

More responsibilities are being brought to the forefront with fewer resources available to complete the project. This puts pressure on bankers to get new products to market and therefore application developers to publish their code faster, which can lead to misconfigurations and a poor-quality product.

Technologies exist today to collect the risk-related metrics necessary to measure and monitor different aspects of risk. Many of these technologies were developed by IT teams for IT teams but do not meet the reporting and communications needs for the growing number of teams that are now responsible for risk management. Measuring risk data, especially IT risk data, once a month cannot provide the oversight and decision-making capabilities required today. New technologies are emerging that continuously collect risk information, and other technologies are maturing to report on this risk information in real time to deliver the information in the context of business objectives. 

Financial institutions with more advanced risk management capabilities find that the massive influx of data (especially when they collect real-time data) itself becomes an issue if they are not using other technologies to manage the information to support their decision-makers with up-to-date insights and elements they need to make the right decisions. These institutions are leveraging and instantly linking data not just from IT sources but also from the business objectives they are supporting, internal controls, and compliance objectives in order to understand when any type of risk is affecting the goal of better servicing current customers and attracting new ones.

Banks and fintech firms have long led the way in cybersecurity and risk management. The recent surge in competition, payment innovations, and online services is pushing the most risk-mature of these organizations to manage risk across the organization in an integrated manner — it’s more than just managing cybersecurity and IT risk.

Note: The author’s company is among a number of companies offering a governance, risk, and compliance platform.


Sam Abadir has over 20 years of experience helping companies realize value through improving processes, identifying performance metrics, and understanding risk. Early in Sam’s career, he worked directly with financial institutions and manufacturing companies to help them …

Article source: https://www.darkreading.com/risk/in-the-race-toward-mobile-banking-dont-forget-risk-management-/a/d-id/1334254?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

VMware emits security alerts, Planet Hollywood chain hacked, SWAT death caller gets 20 years in clink, and more

Roundup: Last week we saw someone admit hoarding NSA documents, a Huawei patch bungle, and an axe looming for DXC security employees.

Now, here’s some extra bits and bytes to start this week and month.

VMware rings the klaxon over service provider vulnerability

If you’re running a server hosting VMware’s Service Provider portal, you will want to make sure all your software is up to date immediately. That’s because the virtualization giant recently put out an advisory for a remote hijacking bug.

“VMware vCloud Director for Service Providers update resolves a Remote Session Hijack vulnerability in the Tenant and Provider Portals,” VMware says. “Successful exploitation of this issue may allow a malicious actor to access the Tenant or Provider Portals by impersonating a currently logged in session.”

Discovery of the flaw was credited to Tyler Flaagan, Eric Holm, Andrew Kramer, and Logan Stratton from Dakota State University.

Meanwhile, VMware ESXi, Workstation and Fusion need to be patched to close a guest-to-host hypervisor escape.

“VMware ESXi, Workstation and Fusion contain an out-of-bounds read/write vulnerability and a Time-of-check Time-of-use (TOCTOU) vulnerability in the virtual USB 1.1 UHCI (Universal Host Controller Interface),” said VMware. “Exploitation of these issues requires an attacker to have access to a virtual machine with a virtual USB controller present. These issues may allow a guest to execute code on the host.”

The Fluoroacetate team of Amat Cama and Richard Zhu were thanked for finding the flaw, reported via this year’s Pwn2Own competition.

Celeb hacker pleads guilty

A 27-year-old man from the US state of Georgia has agreed to two felony counts over a hacking spree that targeted professional athletes and rappers.

Kwamaine Ford pleaded guilty to aggravated identity theft and computer fraud in connection with a massive hacking campaign that saw him lift the credit card numbers of “dozens” of NBA basketball players, NFL football players, and rappers (none were named).

Prosecutors said Ford had posed as Apple support and sent emails to the targets asking them to reset their accounts. When the marks went to the phishing page and entered the information, Ford was then able to access their accounts and get their credit card numbers.

Old Cisco flaw resurfaces in exploits

If you haven’t updated your Cisco WebEx software in a while, here’s a good reason to consider patching ASAP.

Switchzilla warned this week that an in-the-wild exploit has been targeting CVE-2017-3823, a vulnerability that allows remote hijacking via the WebEx browser plugin.

“An attacker that can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability.”

Given that the flaw is more than two years old, there’s a good chance you already have the fix for this one, but it’s a good idea to check your plugin and get the most recent version just in case.

Planet Hollywood owner barfs up customer payment card info

It appears we have yet another major chain falling victim to point-of-sale malware.

This time, it’s restaurant chain Earl Enterprises, which owns and operates chains like Planet Hollywood, Buca di Beppo, Earl of Sandwich, Chicken Guy!, Mixology, and Tequila Taqueria.

The eatery conglomerate was relieved of card information including numbers, expiration date, and the names of some cardholders.

“Although the dates of potentially affected transactions vary by location, guests that used their payment cards at potentially affected locations between May 23, 2018 and March 18, 2019 may have been affected by this incident,” Earl says.

Forget cashless shops, we think the next generation of secure eateries should avoid this whole mess and go cash only.

Man overturns child abuse image charge thanks to his own lousy opsec

Professor Orin Kerr shared a court ruling in the US that overturned someone’s conviction for possessing child sex abuse images because the evidence against him was collected from a laptop that wasn’t password protected and sat in a part of his home shared with housemates.

The New Hampshire circuit court of appeals ruled that the conviction of a man accused of downloading child pornography from a P2P network had to be vacated over lack of evidence, after it was found that prosecutors could not prove exactly who fetched the vile imagery.

In this case, the defendant shared his home with a number of roommates and left his computer in a common area with no password. Because anyone in the house could have in theory sat down at the PC and gone online to get the images, the court found it could not be proven beyond a reasonable doubt that the defendant was the one that had downloaded the illegal content.

In case you needed yet another reason to lock down your machine, do it lest your roommates be allegedly secretly committing crimes.

Asus MAC addresses surface

Earlier last month, the news broke that up to a million or so Asus machines had been bugged with spyware thanks to a compromised update server. At the same time, we learned from Kaspersky Lab that of those one million infected, about 600 were specifically targeted, selected by their network adapter’s MAC address from a list hardcoded in the malware.

Now, someone’s compiled those addresses into a public list for sysadmins to check against their Asus laptop inventory for possible infections.

A post on GitHub gives a list that looks to be all of the MAC addresses targeted by the malicious software update. It goes without saying that if you find your Asus computer (or a machine you administer) on the list you will want to get in touch with law enforcement as well as scrub the machine of the software nasty, check network logs for data exfiltration, and reset login credentials.

If these hackers went through the effort of infecting so many machines to get at a few hundred, they must have had very strong motivation to obtain and siphon off your data.

Zscaler warns of malware spreading through common HTTPS directory

Researchers with Zscaler say that a recent malware outbreak has been hiding in plain sight on a number of WordPress sites.

Mohd Sadique explained how vulnerable versions of the content management system were compromised and loaded with phishing pages that hid themselves within a specific directory used to handle SSL certificates. These directories are used to check and validate certs, and for the most part administrators don’t even know they exist.

“The attackers use these locations to hide malware and phishing pages from the administrators,” Sadique explained.

“The tactic is effective because this directory is already present on most HTTPS sites and is hidden, which increases the life of the malicious/phishing content on the compromised site.”

Junked Teslas betray driver info

If you total your brand new Tesla and it needs to be hauled off to the junkyard, you may want to check first that the console is wiped clean of personal data.

That’s because researchers have found that junked cars may still contain unencrypted information about you, including all of the contact information from your paired phone.

This isn’t much of a privacy issue specific to Tesla, as other researchers have pointed out that the same sort of information often gets left in rental cars and other shared vehicles. In other words, think of your modern car as a tablet on wheels, and make sure it’s wiped clean before letting go of it.

Fatal swatter gets 20 years in clink

We’ve previously covered the story of how an alleged feud between three gamers in the US got an innocent man from Kansas killed by police shortly after Christmas 2017.

There were new developments in the case last month when a Wichita judge sentenced Tyler Barriss, the man who made the “swatting” call that led to police shooting dead 28-year-old Andrew Finch, to 20 years behind bars.

Barriss had previously pleaded guilty to 51 federal charges relating to that and other fake calls he had made to police over the years. The men whose online feud led to Barriss making the swatting call, Casey Viner of Ohio and Shae Gaskill of Kansas, are awaiting trial for their roles after denying any wrongdoing. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/01/security_roundup_290319/

Brush up your cybersecurity credentials at SANS Stockholm 2019

Promo: With cyber-attacks on the rise and constantly taking new forms, organisations rely more than ever on skilled IT security staff who can detect and deal with vulnerabilities in their systems.

If you are a cybersecurity professional, you can deepen your knowledge and catch up with the latest security developments at the SANS Institute training event taking place in Stockholm, Sweden, from 13-18 May.

Five intensive courses will sharpen the skills you need to defend your organisation against data breaches and prevent them happening in the future. SANS courses are written and taught by the best in the industry, whose real-world experiences are brought into the classroom and shared with the students.

They also offer the chance to prepare for GIAC Certifications, and SANS pledges that you will be ready to apply your skills on returning to work.

The courses on offer are:

Network penetration testing and ethical hacking

Covering tools and techniques, this course gives you a grounding in conducting penetration testing projects end to end.

With more than 30 challenging hands-on labs, it reveals dozens of methods for targeting systems to gain access and measure business risk.

Start with planning, scoping and recon, then delve into scanning, target exploitation, password attacks and web app manipulation. You will study a target’s infrastructure by mining blogs, search engines and social networking sites.

Automating information security with Python

Python is a simple, user-friendly language designed to make it easy to automate security tasks. Whether you are a beginner or have been coding for years, the course will enable you to create programs that lighten your workload.

Windows forensic analysis

Whether you know it or not, Windows is recording a vast amount of data about you and your users. The course helps you make sense of that data by focusing on in-depth knowledge of Microsoft Windows.

Learn how to recover and analyse forensic data, track user activity on your network, and organise your findings for incident response, internal investigations and litigation.

Cyber threat intelligence

The course aims to enable practitioners from across the security spectrum to develop analysis skills, synthesise complex scenarios, create intelligence through threat modelling, and understand threat intelligence.

You will learn the various sources of adversary data and how to exploit it, how to validate information received externally, and how to use formats such as YARA and STIX.

ICS/SCADA security essentials

A foundational course for security professionals and control system engineers charged with defending national critical infrastructure.

Topics covered include controlling attack surfaces, network defence architectures, responding to incidents in an industrial environment, and governance models and resources.

Full details on the courses and how to register can be found on the SANS event page.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/29/cybersecurity_sans_stockholm_2019/

Brit founder of Windows leaks website BuildFeed, infosec bod spared jail over Microsoft hack

The Brit who ran the BuildFeed website of Windows leaks has been handed a suspended prison sentence – along with a former Malwarebytes bod who hacked into Microsoft’s internal OS development networks.

Thomas Hounsell, 26, of Station Road, Sleaford, Lincolnshire, and former Malwarebytes researcher Zammis Clark, 24, of Agar Crescent, Bracknell, Berkshire, were convicted of computer misuse offences yesterday.

As reported by The Verge, Clark “gained access to a Microsoft server on January 24th, 2017 using an internal username and password he had acquired. Once inside the corporate network he achieved persistence through the use of a web shell and then helped himself to what was described as ‘43,000 files’.”

Those files came from Microsoft’s Windows flighting servers. Clark “targeted unique build numbers to gain information on pre-release versions of Windows”.

Many wondered why Hounsell abruptly shut down Buildfeed in January after posting a rambling statement on the site which said, among other things: “The truth is that were it not for my failings, this day would not have come; and were it not for the persistent activities by third parties to force us offline, this day would not have come either.”

The Register can reveal that Hounsell killed off Buildfeed, which tracked Windows leaks and releases, about a week before his and Clark’s crown court hearing began this year, the two having entered pleas in September 2018. The Verge added that Hounsell used Clark’s illicit access inside Microsoft “to conduct more than 1,000 searches for products, codenames, and build numbers over a 17-day period”.

In the Buildfeed shutdown statement, Hounsell also claimed not to have been involved in the “day to day running” of Buildfeed for “over two years now”. In mid-2017, British police from the South East Regional Organised Crime Unit (SEROCU) arrested “a 22-year-old from Lincolnshire” on suspicion of “gaining unauthorised access to a computer”, in connection with what was alleged at the time to be a conspiracy to break into Microsoft’s internal networks.

While out on unconditional bail over the Microsoft hacking, Clark then went on to gain access to Nintendo’s game development servers.

Microsoft veep Tom Burt told The Register in a statement: “This action by the courts in the UK represents an important step. Stronger internet security not only requires strong technical capability but the willingness to acknowledge issues publicly and refer them to law enforcement. No company is immune from cybercrime. No customer data was accessed, and we’re confident in the integrity of our software and systems. We have comprehensive measures in place to prevent, detect, and respond to attacks.”

Malwarebytes ignored The Register’s invitation to comment on what their man Clark had been up to. While the police investigation into the Microsoft breach was active, Clark had been blogging for the company, and his last contribution was made in May 2017 – a month before SEROCU’s first arrests.

Sitting at Blackfriars Crown Court yesterday afternoon, His Honour Judge Alexander Milne QC handed Clark a 15-month prison sentence suspended for 18 months, along with a 25-day rehabilitation activity requirement order, a serious crime prevention order lasting five years and a £140 victim surcharge tax. Clark pleaded guilty to three charges under the Computer Misuse Act 1990.

Hounsell pleaded guilty to a single charge under CMA90 and was sentenced to six months’ imprisonment, suspended for 18 months, along with a 100-hour unpaid work order and a £115 victim surcharge tax. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/29/buildfeed_malwarebytes_guilty_hacking_microsoft_nintendo/

7 Malware Families Ready to Ruin Your IoT’s Day

This latest list of Internet of Things miscreants doesn’t limit itself to botnets, like Mirai.

Don’t you hate it when one loud co-worker at the office takes all the credit and keeps the rest of the team out of management’s eye? Welcome to the world of Internet of Things (IoT) malware, where several families do their malicious worst — only to hear IT professionals droning on about Mirai, Mirai, Mirai.

Don’t be misled: Mirai is still out there recruiting low-power IoT devices into botnets, but it’s certainly not the only piece of malware you should be aware of. Mirai wasn’t even the first of the big-name IoT baddies — that distinction goes to Stuxnet — but the sheer size of the attacks launched using the Mirai botnet and the malware’s dogged persistence on devices around the world have made it the anti-hero poster child of IoT security.

Mirai has continued to grow through variations that make it a malware family rather than a single stream of malware. And it’s not alone: Malware programmers are much like their legitimate software development counterparts in their programming practices and disciplines, making code reuse and modular development commonplace. Each of these can make it tricky to say whether a bit of malware is new or just a variant. Regardless, security professionals have to stop all of them.

This latest list of IoT miscreants doesn’t limit itself to botnets. You’ll also find data wipers, cryptominers, and data capture clients. And if there’s one thing cybersecurity professionals can count on, it’s that malware authors will continue to apply their creativity and programming skills to new forms of criminal code that will be unleashed on the IoT.

What kind of malware are you dreading most? And what kind do you think will all but disappear in the coming years? Share your thoughts with the Dark Reading community in the Comments section, below.

(Image: peshkov VIA Adobe Stock)

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/iot/7-malware-families-ready-to-ruin-your-iots-day/d/d-id/1334246?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

NDSU Offers Nation’s First Ph.D. in Cybersecurity Education

The new program focuses on training university-level educators in cybersecurity.

Solutions to the cybersecurity skills shortage tend to focus on those who need training, but a new program from North Dakota State University tackles the issue from a different direction: it offers a focus on cybersecurity education within its computer science Ph.D. program.

The goal of the program, according to a university statement, is to produce more university-level instructors qualified to teach courses in bachelor’s and master’s degree programs. The university states, “Students get a strong background in core computing concepts – software development, databases, algorithms and artificial intelligence – as well as completing coursework in key cybersecurity areas and educational methods and research.”

Dissertations in the program can be based on research in cybersecurity, cybersecurity education technology, and cybersecurity education research.

The first student has already been admitted to the program. In addition to the Ph.D., students are also able to complete a Graduate College Teaching Certificate at NDSU with classes that contribute toward the Ph.D.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/careers-and-people/ndsu-offers-nations-first-phd-in-cybersecurity-education/d/d-id/1334292?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Companies will stop storing data in Australia, Microsoft warns

Australia’s controversial anti-encryption laws came under independent scrutiny this week as tech leaders, including Microsoft’s Brad Smith, continued to criticize the legislation.

The country’s Parliamentary Joint Committee on Intelligence and Security (PJCIS) has referred the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA) to the Independent National Security Legislation Monitor (INSLM).

The legislation, passed by a parliamentary vote in December, enables the government to coerce technology companies into decrypting user communications. It would allow the government to gain access to encrypted communications sent via messaging apps, for example.

Under the legislation, the government can first ask the technology companies for help. If they don’t want to help, it can force them to. If they are unable to help, then the government can force them to change their systems, making it possible for them to provide the necessary support.

INSLM is an independent position established by legislation. It has access to all relevant material, regardless of national security classification, can force anyone to answer its questions, and holds both public and private hearings.

The current INSLM, Dr. James Renwick, will review whether the legislation properly safeguards individual rights and whether it remains proportional to the threat to national security, said a statement from the PJCIS. Committee chair Andrew Hastie MP and deputy chair Anthony Byrne MP added:

In our view, the INSLM provides a valuable, independent perspective on the balance between necessary security measures and the protection of civil liberties. As such, the INSLM is an important and valued component of Australia’s national security architecture.

Companies will go elsewhere, warns Microsoft

The move follows strong complaints from the technology sector about the legislation’s scope and perceived lack of clarity.

In February, the Mozilla Corporation and FastMail both wrote to the PJCIS, complaining that the wording of the legislation was too vague, and could be used to directly force individual employees to tinker with technology systems without telling anyone. Mozilla argued that it effectively forced it to treat Australian employees as insider threats.

The latest technology luminary to speak out against the laws was Microsoft president and chief legal officer Brad Smith. Speaking in Canberra, he warned that given the vagueness of the legislation, people’s privacy was at risk:

… I think people will worry and we will be among those who will worry because we do feel it is vitally important we protect our customer’s privacy.

He warned that the legislation could turn companies away from storing their data in Australia. Companies in other countries were already asking it to build more data centers outside Australia, he said, adding:

If I were an Australian who wanted to advance the Australian technology economy, I would want to address that and put the minds of other like-minded governments at ease.

Scott Farquhar, co-founder and co-chief executive of collaboration and security software company Atlassian, criticised the legislation for putting Australian jobs at risk.

Speaking at the Safe Encryption Australian forum this week, he warned that the Act created uncertainty for the company’s staff and customers.

Dr Renwick must submit his report to the PJCIS by 1 March 2020; the committee will factor the findings into its own review of the legislation, due later that year.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/png3MO5Bs7Y/

FTC slams the phone down on quartet of robocallers

Some of us may think that an appropriate penalty for robocallers is to stuff them with burner phones and roast them up for Sunday dinner, in which case some of us are going to be underwhelmed with the news that the FCC has basically slapped some hands and tsk-tsk-ed them into promising to never, ever do it again.

On Tuesday, the Federal Trade Commission (FTC) announced that it’s shut down four operations responsible for billions of unwanted calls, some of which had tossed some particularly loathsome fraud into the mix.

One of the shyster scams was Veterans of America, aka Vehicles for Veterans LLC, aka Saving Our Soldiers, aka Donate Your Car, aka Donate That Car LLC, aka Act of Valor, aka Medal of Honor.

Red, white and blue-painted bilge

That’s a lot of names for a load of flag-waving fraud. The operator of the fake charity, Travis Deloy Peterson, allegedly sent millions of robocalls to donors and collected money and property – automobiles, watercraft, real estate, and timeshares – illegally, claiming the donations were going to veterans’ charities (they weren’t) and that they were tax-deductible (nope).

The FTC stresses that lots of charities are doing good work supporting veterans. Then there are those who pretend to be charities, squeeze victims’ hearts, and line their pockets with whatever they can get. Here’s a video the FTC put together, about how to avoid getting scammed by a “donate your car! … it’s for a VETERAN!” bottomfeeder:

So how, exactly, did the FTC shut down this operator? By getting him to promise not to do it anymore. From its release:

The FTC stopped him in his tracks, and now he can’t send or help others send robocalls anymore.

Why not fine their robo-ears off?

Devin Coldewey over at TechCrunch was struck by the surprisingly paltry fines – or none at all, in three out of the four cases – handed out to this handful of robocallers. Besides Veterans of America, the FTC shut down these three other operations:

Point Break Media. These guys allegedly specialized in screwing small businesses by pretending to be associated with Google and threatening to delist their victim companies from Google search results unless they paid up.

In exchange for fees that started at $300 to $700 (purportedly for “claiming and verifying” their Google listing, lest Google mark them as “permanently closed”) and went up to one-time fees of $949.99 plus recurring monthly payments of $169.99 or $99.99, those small businesses most certainly did not get Top! Ranking! in Google search, according to the FTC’s allegations.

According to the FTC, the Point Break defendants had no relationship whatsoever with Google. Three defendants in the case against the operator agreed to a robocall ban, and a ban on helping others send robocalls.

There was no fine assessed.

Higher Goals Marketing. In this one, seven defendants agreed to swear off telemarketing for good. Some of them were recidivists: they operated a credit card debt-relief scheme, which they started just weeks after the FTC closed a similar operation in the Life Management Services case. Several of the defendants had previously worked there, the FTC said.

In the Life Management Services case, there had actually been a serious fine: the FTC’s order imposed a non-suspended judgment of $23,099,878 against Kevin W. Guice, for restitution to the consumers he bilked. He also was forced to give up his 55-foot yacht and his luxury-watch collection.

Finally, the one case announced on Tuesday that entailed a fine:

NetDotSolutions. The FTC considers this a double win. Not only did three of the defendants provide autodialers used to place billions of illegal robocalls, but they also allegedly supplied the autodialing technology used by robocallers in at least eight prior FTC cases.

They pitched everything from auto warranties to home security systems and supposed debt-relief services, the FTC alleged, placing billions of calls to pester people regardless of whether their numbers were on the National Do Not Call (DNC) Registry.

They got through by illegally spoofing caller IDs to make the calls look as if they were coming from neighbors – that is, from numbers in the same area code as the victim’s.
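The two abuses just described – dialling numbers on the DNC Registry and rotating the presented caller ID so that it matches each victim’s own prefix – leave a recognisable trace in a terminating carrier’s call records. The following is an added example, not code from the FTC, Naked Security or any carrier; the call detail record format, the trunk-group field and the DNC list are constructed for illustration. It scores each ingress trunk by how often its caller ID shares the callee’s NPA-NXX (area code plus exchange) and by how many distinct caller IDs it presents: a real neighbour calls from one number, whereas a neighbour-spoofing campaign presents a different “local” number to every callee.

```python
import re
from collections import defaultdict

# Constructed sample call detail records (CDRs); not real traffic.
# trunk  = ingress trunk group from the originating carrier (assumed CDR field)
# cli    = caller ID presented to the callee (may be spoofed)
# callee = dialled number
SAMPLE_CDRS = """\
2019-03-26T10:00:01Z trunk=TG-17 cli=2025550142 callee=2025550199
2019-03-26T10:00:02Z trunk=TG-17 cli=3035550117 callee=3035550123
2019-03-26T10:00:03Z trunk=TG-17 cli=4155550108 callee=4155550177
2019-03-26T10:00:04Z trunk=TG-17 cli=2125550131 callee=2125550150
2019-03-26T10:00:05Z trunk=TG-17 cli=7865550166 callee=7865550102
2019-03-26T10:00:06Z trunk=TG-17 cli=3055550190 callee=3055550144
2019-03-26T10:00:07Z trunk=TG-42 cli=8005550100 callee=2025550199
2019-03-26T10:00:08Z trunk=TG-42 cli=8005550100 callee=3035550123
2019-03-26T10:00:09Z trunk=TG-42 cli=8005550100 callee=9195550160
"""

# Constructed stand-in for the National Do Not Call Registry data.
DNC_LIST = {"3035550123", "7865550102"}

CDR_RE = re.compile(r"trunk=(?P<trunk>\S+) cli=(?P<cli>\d{10}) callee=(?P<callee>\d{10})")


def parse_cdr(line):
    """Return the trunk, presented caller ID and callee from one CDR line, or None."""
    m = CDR_RE.search(line)
    return m.groupdict() if m else None


def looks_like_neighbour(cli, callee):
    """True when the presented caller ID shares the callee's NPA-NXX
    (first six digits of a 10-digit North American number)."""
    return cli[:6] == callee[:6] and cli != callee


def analyse(cdr_text, dnc, min_calls=5, min_ratio=0.8):
    """Per-trunk statistics plus a neighbour-spoofing verdict.

    A trunk is flagged when it has placed at least `min_calls` calls using at
    least `min_calls` distinct caller IDs and at least `min_ratio` of those calls
    matched the callee's prefix: one caller cannot honestly be everyone's neighbour.
    """
    stats = defaultdict(lambda: {"calls": 0, "clis": set(), "neighbour": 0, "dnc_hits": 0})
    for line in cdr_text.splitlines():
        rec = parse_cdr(line)
        if rec is None:
            continue
        s = stats[rec["trunk"]]
        s["calls"] += 1
        s["clis"].add(rec["cli"])
        if looks_like_neighbour(rec["cli"], rec["callee"]):
            s["neighbour"] += 1
        if rec["callee"] in dnc:
            s["dnc_hits"] += 1

    report = {}
    for trunk, s in stats.items():
        ratio = s["neighbour"] / s["calls"]
        spoofing = (s["calls"] >= min_calls
                    and len(s["clis"]) >= min_calls
                    and ratio >= min_ratio)
        report[trunk] = {
            "calls": s["calls"],
            "distinct_clis": len(s["clis"]),
            "neighbour_ratio": round(ratio, 2),
            "dnc_hits": s["dnc_hits"],
            "neighbour_spoofing": spoofing,
        }
    return report


if __name__ == "__main__":
    for trunk, r in analyse(SAMPLE_CDRS, DNC_LIST).items():
        print(trunk, r)
```

In the constructed data, TG-17 presents six different caller IDs, each matching its callee’s prefix, and twice hits numbers on the DNC list, so it is flagged; TG-42 uses one fixed toll-free caller ID and is not. A trunk carrying ordinary residential traffic will also show some prefix matches, because local calls really are local, which is why the verdict rests on the ratio and the caller-ID churn together rather than on any single call.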

The three defendants have been banned from supplying autodialers to telemarketers. They’ll also be paying a fine of $1.35 million.

You can’t get what isn’t there

Here’s the thing, TechCrunch says: even though the fines (when there were any) look big, as in, millions of dollars, they don’t amount to bupkus. Here’s Coldewey:

Although the cases resulted in judgments totaling some 24 million dollars, the actual amount the scammers will end up paying will end up closer to $3-4 million. One scammer whose judgments totaled more than $5 million will be suspended when he pays just $18,332 – and whatever comes from the sale of his shiny new Mercedes.

Why the meager fines imposed on incorrigible robocallers – the scofflaws who blithely aggravate and scam people, unhampered by the telephone service providers that Federal Communications Commission (FCC) Chairman Ajit Pai has fumed at for their lousy efforts at blocking robocalls?

Coldewey called the FTC about it. A spokesperson told him that the judgment amounts in these cases are a ceiling defined by how much consumer harm was done. You can put as many zeros on those amounts as you want, but if the defendants don’t have it, you aren’t going to get it.

But why don’t the kingpins have money, given the lucrative scams they allegedly pull off? It has to do with an interesting twist in the money game.

Have you ever noticed that many of these robocalling kingpins are located in Florida? As the FTC tells it, the state’s Homestead rule protects their houses from being seized in these proceedings.

Court cases can drag on for years, leaving the robocallers free to keep plaguing people and innovating the technology to do so. Hence, the FTC takes the quicker path to keeping them away from harming consumers even more: namely, these agreements to drop out of the business.

Perhaps Floridians might have alternative solutions to the burgeoning robocall hell we currently live in. Perhaps, say, trained alligators?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ddZmUP4CMa4/

Grindr up for sale amid US fears for Chinese-owned data

A Chinese gaming company is looking to offload the gay dating app Grindr because of US government concerns over its ownership, Reuters reports.

Sources familiar with the matter told the news service that Beijing Kunlun Tech Co Ltd., which picked up Grindr in 2016, is looking to sell it after a US national security panel raised concerns about its Chinese ownership.

Two sources told Reuters that the Committee on Foreign Investment in the United States (CFIUS) informed Kunlun that its ownership of Grindr, which is based in California, constitutes a national security risk.

Protecting users’ data

Reuters didn’t manage to glean CFIUS’s specific concerns or whether any attempts were made to mitigate them.

What we do know is that questions about the safety of Grindr users’ data in the hands of a Chinese company bubbled up in August 2018, when Kunlun announced that it was planning an initial public offering for Grindr, the world’s largest gay social networking app.

The IPO gave rise to questions such as whether Grindr users’ data would be transferred to China, and whether Chinese authorities would get their hands on it.

Grindr’s privacy policy notes that user data may be shared with a parent company. If a new owner comes on board, that owner gets the personal data:

We may share your Personal Data with our parent company, any subsidiaries, joint ventures, or other companies under common control. If another company acquires our company, business, or our assets, that company will possess the Personal Data collected by us and will assume the rights and obligations regarding your Personal Data as described in this Privacy Policy.

And an article in The Conversation explains that personal user data may be transferred to China:

Coupled with the Chinese trend towards data localisation requirements, which dictate that data should be processed within China itself, this provision means it may be possible for Grindr users’ personal data to be transferred to China.

Even without the very real prospect of user data shifting to China and out of US legal jurisdiction, Grindr has had a troubled history of protecting user privacy.

As of September, anybody could still use third-party apps that exploited Grindr’s API to obtain exact locations of millions of cruising men, in spite of what Grindr claimed in April 2018.

This would be far from the first time that US national security officials have stepped in when they’ve perceived threats from foreign technology companies. In May 2018, for example, the Pentagon ordered military exchanges to pull Chinese smartphones due to security concerns.

The cloud never forgets

Personal data collected by Grindr includes a user’s location, messages, sexual orientation, as well as, on an opt-in basis, their HIV status or last-tested date, according to its privacy policy.

Given how sensitive the information is that gets entrusted to mobile dating apps such as Grindr, it might be a good idea to abstain from sharing too much… or maybe not sharing anything intimate at all. After all, whatever the cloud gets, the cloud keeps, as pointed out by Naked Security’s own Paul Ducklin:

This very public disagreement over cloud data is a good reminder of the maxim, ‘If in doubt, don’t give it out.’ By all means, use Grindr – or any other dating site or social network – if you like, but make sure you take the time to ask yourself first whether data about very personal matters like sexuality is something you really want to entrust to the elephantine memory of the cloud.

The fact that these dating apps can get sold suggests that we should also think ahead when voluntarily giving away data, Paul says:

How much control are you likely to have if there’s a change of ownership of the company holding your data, especially when ownership moves between two very different jurisdictions and legal systems?

The potential for dating apps to be snapped up by other countries – some of which may prosecute or harass people on the basis of HIV status or sexuality – is one thing. It’s also wise to bear in mind that dating apps have a history of spilling highly personal data. Besides Grindr’s own history, recent cases of leaky dating sites have included…

Jack’d: In February, the gay/bi-/curious dating/hook-up app Jack’d was publicly exposing, without permission, photos that users thought they were sharing privately. As in, anyone with a web browser who knew where to look could access any Jack’d user’s photos, private or public – without authentication, and without even needing to sign in to the app.

Nor were there any limits in place: anyone could have downloaded the entire image database for whatever mischief they wanted to get into, be it blackmail or outing somebody in a country where homosexuality is illegal and/or gays are harassed.
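The Jack’d failure described above is the classic shape of a storage leak: the location of each photo is derived from guessable identifiers, and the handler that serves it checks neither who is asking nor whether the photo was meant for them. The following is an added example, not Jack’d’s code or any reconstruction of it; the photo store, session table, user names and the signed-URL scheme are constructed for illustration. It puts the leaky handler beside a hardened one that authenticates the caller, checks the photo’s own sharing list, and answers “not found” for both missing and forbidden photos so IDs cannot be enumerated; because many apps serve images from a CDN or object store rather than from the app server, it also shows how to hand an authorized client a short-lived HMAC-signed URL instead of a stable path.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Photo:
    owner: str
    private: bool
    data: bytes
    shared_with: set = field(default_factory=set)


# Constructed sample store: (owner, photo_id) -> Photo. Not any real app's schema.
PHOTOS = {
    ("alice", "1"): Photo("alice", True, b"JPEGDATA-private"),
    ("alice", "2"): Photo("alice", True, b"JPEGDATA-shared", {"bob"}),
    ("alice", "3"): Photo("alice", False, b"JPEGDATA-public"),
}

# Constructed session table: bearer token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}


def vulnerable_fetch(owner, photo_id):
    """'Before': the storage key is built from guessable IDs and nothing is checked.
    Anyone who knows where to look gets the bytes, private or not."""
    photo = PHOTOS.get((owner, photo_id))
    return photo.data if photo else None


def may_view(requester, photo):
    """Authorization against the photo's own ACL, not just 'is logged in'."""
    return (not photo.private) or requester == photo.owner or requester in photo.shared_with


def hardened_fetch(session_token, owner, photo_id):
    """'After': authenticate, then authorize per object.
    Returns (status, data). Forbidden and nonexistent both answer 404 so that
    a crawler cannot tell which IDs exist."""
    requester = SESSIONS.get(session_token)
    if requester is None:
        return 401, None
    photo = PHOTOS.get((owner, photo_id))
    if photo is None or not may_view(requester, photo):
        return 404, None
    return 200, photo.data


def sign_url(path, key, ttl_seconds=300, now=None):
    """Issue a short-lived URL for a private bucket object to an already-authorized
    client. The signature covers the path and the expiry, so neither can be edited."""
    exp = int(now if now is not None else time.time()) + ttl_seconds
    signed_part = f"{path}?exp={exp}"
    sig = hmac.new(key, signed_part.encode(), hashlib.sha256).hexdigest()
    return f"{signed_part}&sig={sig}"


def verify_url(url, key, now=None):
    """What the CDN/edge checks before serving: unexpired and untampered."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        exp = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False
    if (now if now is not None else time.time()) > exp:
        return False
    expected = hmac.new(key, f"{parts.path}?exp={exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    print("vulnerable, no token:", vulnerable_fetch("alice", "1"))
    print("hardened, bob on alice's private photo:", hardened_fetch("tok-bob", "alice", "1"))
    print("hardened, bob on photo shared with him:", hardened_fetch("tok-bob", "alice", "2"))
    url = sign_url("/photos/alice/1.jpg", b"cdn-signing-key", ttl_seconds=60)
    print("signed URL valid:", verify_url(url, b"cdn-signing-key"))
```

The signed-URL step matters because a private bucket is only private if the app never leaks a permanent path to it; the TTL bounds how long a captured link stays useful, and the constant-time comparison avoids leaking the signature byte by byte. Rate limiting and per-user download quotas on the hardened endpoint would address the “download the entire image database” scenario the article describes.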

DonaldDaters: The dating app for Donald Trump supporters is another recent case in point: it was exposing users’ data from the very day it launched in October 2018.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qSpHU2T5k88/