Section 215 Of The Patriot Act Has Expired

As expected, Congress was not able to come to a consensus regarding renewing three provisions of the Patriot Act, which expired about 30 minutes ago.

The three provisions – bulk collection of metadata on all phone calls in the U.S., roving wiretap warrants (warrants on a person rather than on a particular phone number) and the authority to use certain tools against lone wolf terrorists who cannot be tied to a particular terrorist group – all expired at midnight Eastern time on May 31st.

Congress will now go through the process of potentially passing a new law to address these issues.  The USA Freedom Act, which makes changes to Section 215 but does not eliminate it, was passed by the House last week, but the Senate was not willing to go along with the House version.

CNN has reported on the story here; both sides have their version, which I will not subject you to in detail.

The President and the Department of Justice say they want the tool and it is valuable, but opponents say that it is an overreach and violates the 4th Amendment to the Constitution.  Some courts have agreed with those opponents.

Plan on hearing a lot of noise from both sides; I assume that Congress will eventually come up with some plan. What that plan is, however, is unclear.

Some people say that the country is less safe now, but that is not completely clear. Several review boards have said that Section 215 was not essential to thwarting a single terror plot and the roving wiretap is only used about a hundred times a year.

We shall see what comes of this.


Uber Releases New Privacy Statement

Uber has released a new privacy statement which goes into effect July 15th.  If you use Uber after that date, you are consenting to their new policy.  While not outrageous, it is interesting.  And it does point out one difference between Uber and a taxi.  The taxi is much more anonymous.  At worst, the taxi knows where you were picked up and dropped off and your credit card information *IF* you choose to pay that way.

Here are some of the highlights of the Uber privacy policy. There are separate policies for riders and drivers, and for the U.S. and outside the U.S. I am focusing on the U.S. rider policy, which can be found here.

  • Using the driver’s app, not yours, they collect location information during the trip. If your app is running in the foreground OR BACKGROUND, they also collect location information from your phone, as well as location information derived from your IP address. The policy says they collect location information from your app if you allow it. iPhone users can specifically deny that permission; Android users won’t get per-permission control until Android M, the next version of the Android OS, previewed this week.
  • If you allow it, they will access your address book “to facilitate social interactions”. The same iPhone/Android permissions point holds as above, but assuming you do not take away the permission the app asks for, they have the right, it would appear, to rummage through your address book to spam your friends and business associates. And since no one ever stores anything sensitive in their address book – like maybe passwords – it is not clear whether they will have access to that data as well.
  • Transaction information – date, time, type of service, promo codes, etc.  This seems normal.
  • Device information – model, operating system, version, software and file names and versions, unique identifier, advertising identifier, serial number, motion information and network information.  That’s pretty creepy.  This allows them to both understand their user community and track you as they aggregate data from other sources.
  • Call and SMS data – this appears to cover only interactions between you and them, not call and SMS data in general.
  • If you log in with your social media account (Facebook), they will aggregate your social media information into your profile.  While this is easier for you to do (one less password), I do not recommend doing this for privacy reasons.

The policy also says what they will use the data for.

A couple of thoughts about their privacy policy –

The policy is actually pretty easy to read, aside from a few typos that their proofing didn’t catch.  I give them brownie points for that.

They definitely collect way more data than is required for them to provide the service to you.  They want to be able to profile you and spam your friends.  If you do not disallow the permissions they ask for, they have access to way more data than I would care to give them.

If you use your social media account to log in, they have even more information about you;  I would suggest not doing that.

So, if you are concerned about your privacy, a taxi may be a better way to go.

The Cost Of Not Baking In Security In At The Beginning

Wired is reporting a giant dark web scheme to sell counterfeit coupons that is costing the consumer packaged goods industry tens of millions of dollars. The scam works because no one thought anyone would try it, so no one built any security into the coupon chain. Later, a blacklist was bolted on, but that is easily bypassed.

When I started to read about it, I thought “what’s the big deal – so someone is duplicating the coupons that manufacturers put in the paper”. That is not quite it. These guys make their own coupons where no coupons exist, and since there is no security in the system, the retailer scans in the bogus coupon and the manufacturer eats the loss, because they don’t want retailers to stop accepting their coupons.

On Thursday the feds indicted Beauregard Wattigney of Louisiana on wire fraud and trademark counterfeiting. It seems that even the law hadn’t thought about this: counterfeiting coupons is not its own crime.

He is charged with making bogus coupons and selling them for everything you can imagine – alcohol, cigarettes, cleaning supplies, video games. The FBI accused him of doing $1 million of damage, but Jane Beauchamp, president of a firm that tracks brand fraud, estimates the damage at “tens of millions”. In addition to selling packages of coupons, he is also accused of selling classes teaching people how to do this themselves (and likely start their own at-home business). He is even accused of launching a service where people could generate their own coupons on demand.

Here is the core problem:

GS1, the global standards organization that companies as diverse as Coke and Mattel support, defined a bar code standard without considering security. The standard was likely developed years ago, when no one considered the possibility of bar code fraud and certainly before the Internet. In any case, according to Wired, the first 6 characters of the bar code are a company code, which you can copy from any coupon the company ever created; the next 6 digits are an offer code, which for the purposes of a fake coupon can be a random number; and the remaining digits are the discount in cents and the number of items you have to buy to get the discount. Every field is either public or chosen by the forger; nothing in the code lets a retailer tell a manufacturer-issued coupon from a made-up one.

Wattigney is accused of selling these on Silk Road and Silk Road 2 and the feds caught on to him when they took down Silk Road.

Apparently, the retailers have no way to check with the manufacturer at the time the coupon is accepted. I am sure that decades ago, when a coupon got you 10 cents off a box of cereal, the cost of building such an exchange was mind-boggling. Now it would not be a big deal. But that 10-cents-off idea has morphed: Beauchamp said that these coupons were giving people $7 off one product and $9 off another, costing the manufacturers $2 million each on just those two coupons.

Wattigney is not the first guy to try this, and now that Wired has spilled the beans it could become more common, forcing stores to do something about it. Two years ago, Lucas Henderson, a college student in Lubbock, Texas, was sentenced to three years’ supervised release and ordered to pay $900,000 in restitution.

According to expert Beauchamp, stores like Target and Walmart rely on an industry group, the Coupon Information Center, which maintains a blacklist of known bogus coupons. A blacklist only catches what has already been reported: if a fraudster creates a new coupon, it won’t be on the blacklist, and as long as it looks OK to the cashier the user gets the discount. If it is caught by the system, the customer just makes up some excuse (“a friend gave it to me”) and walks off.

Coupon Information Center president Bud Miller says they have other security measures but wouldn’t say what they are.  Given that Wattigney cost the brands millions, I would say that whatever those measures are, they are not working.
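As an added example (not Wired’s, GS1’s or the Coupon Information Center’s code) tying the bar code layout above to the blacklist problem: the forgery is a few lines, the blacklist passes it, and an issuer-side keyed tag verified online at the point of sale, the kind of exchange the page says would not be a big deal today, rejects it. The field order is the page’s; the field widths (6/6/4/2, plus a 6-digit tag in the hardened form), the HMAC-based tag, the Issuer class and its verify call are assumptions, and the real GS1 coupon encoding carries more fields than this sketch.

```python
"""Constructed illustration (not Wired's, GS1's or the CIC's code) of why the coupon
format described above is forgeable, and of one hypothetical fix: an issuer-side keyed
tag checked online at the point of sale. Field widths are assumptions."""
import hashlib
import hmac
import secrets

TAG_DIGITS = 6          # assumed width of the keyed tag in the hardened layout
LEGACY_LEN = 18         # company(6) + offer(6) + discount_cents(4) + count(2)


def parse_coupon(code: str) -> dict:
    """Split a numeric coupon code into the fields the page lists."""
    if not code.isdigit() or len(code) < LEGACY_LEN:
        raise ValueError("malformed coupon code")
    return {
        "company": code[0:6],
        "offer": code[6:12],
        "discount_cents": int(code[12:16]),
        "count": int(code[16:18]),
        "tag": code[18:],   # empty on legacy codes
    }


def legacy_accept(code: str, blacklist: set) -> bool:
    """Retailer logic as the page describes it: parse, then consult a blacklist of
    known-bad company+offer pairs. A never-seen forgery passes by construction."""
    c = parse_coupon(code)
    return (c["company"] + c["offer"]) not in blacklist


def forge_coupon(company: str, discount_cents: int, count: int = 1, offer: str = None) -> str:
    """Attacker side: copy a real company prefix, invent an offer code, choose the discount."""
    if offer is None:
        offer = f"{secrets.randbelow(10**6):06d}"
    return f"{company}{offer}{discount_cents:04d}{count:02d}"


class Issuer:
    """Hypothetical manufacturer (or clearinghouse) service. It keeps the HMAC key and the
    list of offers it actually issued, and answers point-of-sale verification queries, so a
    retailer never needs the key and a forger has nothing to copy from a printed coupon."""

    def __init__(self, company: str, key: bytes):
        self.company = company
        self.key = key
        self.issued = {}    # offer -> (discount_cents, count)

    def _tag(self, offer: str, discount_cents: int, count: int) -> str:
        msg = f"{self.company}{offer}{discount_cents:04d}{count:02d}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        # Truncate to decimal digits so the tag still fits in a numeric bar code.
        return f"{int.from_bytes(digest[:8], 'big') % 10**TAG_DIGITS:0{TAG_DIGITS}d}"

    def issue(self, offer: str, discount_cents: int, count: int) -> str:
        self.issued[offer] = (discount_cents, count)
        body = f"{self.company}{offer}{discount_cents:04d}{count:02d}"
        return body + self._tag(offer, discount_cents, count)

    def verify(self, code: str) -> bool:
        """Online check a retailer would call before granting the discount."""
        c = parse_coupon(code)
        if c["company"] != self.company or c["offer"] not in self.issued:
            return False                       # invented offer code
        if self.issued[c["offer"]] != (c["discount_cents"], c["count"]):
            return False                       # real offer, altered discount or count
        expected = self._tag(c["offer"], c["discount_cents"], c["count"])
        return hmac.compare_digest(expected, c["tag"])


def demo() -> dict:
    """Run one forgery against both acceptance paths; all four results come back True."""
    blacklist = {"049000111111"}                              # constructed known-bad pair
    forged = forge_coupon("049000", 900, 1, offer="987654")   # "$9 off one item"
    issuer = Issuer("049000", secrets.token_bytes(32))
    real = issuer.issue("224466", 100, 2)                     # $1.00 off when you buy two
    tampered = real[:12] + "0900" + real[16:]                 # bump a real coupon to $9.00
    return {
        "legacy_accepts_forgery": legacy_accept(forged, blacklist),
        "issuer_rejects_forgery": not issuer.verify(forged),
        "issuer_accepts_real": issuer.verify(real),
        "issuer_rejects_tampered": not issuer.verify(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting: the key stays with the issuer and the retailer only gets a yes/no answer, so compromising a store’s scanner software yields nothing a forger can use, and a 6-digit tag is enough because every guess costs an online query the issuer can rate-limit. Giving retailers the key instead would let any retailer mint coupons.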

One interesting part of this is that the two prosecutions described above are of Americans in America. What if bogus coupons become the next Chinese import? Miller says that prosecution is one of the measures, but prosecuting fraudsters in less than friendly countries is not likely.

And all because security was not baked in.




Another Health Care Provider Hacked

DC-based Blue Cross affiliate CareFirst announced last week that, like other Blues, they had been breached. Information on 1.1 million customers was compromised. The good news is that this breach did not include health information or credit card numbers. CareFirst is the third Blue Cross affiliate to announce recently that it has been hacked (the others are Anthem and Premera). (See articles here and here.)

Like many other firms, they hired the forensics firm FireEye to assess the damage.

However, CareFirst may be a little different than the other Blues.  In June 2014, almost a year ago, they discovered a breach.

Unfortunately, like forest fires in Colorado, you may think that you have put them out when there are still embers left.  CareFirst thought that they had eliminated the malware.

CareFirst did not do a complete assessment of their entire environment after the first breach.  In fact, it was not until after the Anthem breach that they undertook that investigation and that is when they found that they had not really eradicated the bad guys from their systems.  This decision will likely come back to haunt them as the witch hunts begin.

The healthcare industry badly miscalculated in assuming that hackers are after credit card numbers and not personal health information. Unfortunately, for over a hundred million Americans, that assumption has proved to be wrong.

In fact, health care information is selling on the black market for several times what credit card information sells for ($20-$60 vs. $5, i.e. 4 to 12 times). There are probably several reasons for this, but two main ones are that stolen credit cards can be killed very quickly to stem the bleeding, which decreases their value, while healthcare information can be used for many purposes over many years.

The BIG healthcare organizations are beginning to understand this and make investments, but they are years behind. The small healthcare providers have a much bigger challenge: there are a hundred or a thousand times more of them than the biggies, and they cannot afford the biggies’ resources.

This cat and mouse game will not end any time soon.


The IRS Breach – Where Convenience Trumps Security

The NY Times is reporting that the IRS finally admitted that their tax transcript service is great for identity thieves and shut it down.  In 2013, thieves used it and other techniques to get over $5 billion in bogus tax refunds – costing the U.S. government (AKA you and me) a lot of money and costing taxpayers time and delayed refunds (see article).

The AP is calling this a breach and, going by the dictionary definition (an act of breaking or failing to observe a law), it technically is one, but it is not what we usually consider a breach.

Hackers did not break into the IRS’ computers and steal your data.  The IRS left it out on the front doorstep, so to speak, for hackers to come pick up at their convenience.

So what is the story? Citizens occasionally need to get a copy of an old tax return. The IRS, in attempting to be customer focused, created a service that allowed you to request that copy online. The problem comes from two things: how you identify someone on the Internet, and customer convenience.

It used to be that if you wanted a tax transcript, you had to fill out an IRS form (Form 4506), mail it to the IRS, wait a few weeks, and they would mail the transcript back to you. Not terribly secure, but more secure than today. And if a hundred requests for different taxpayers all asked to be mailed to the same address, someone could get suspicious.

Until last week, when they shut the service down, you went to the IRS web site and entered anyone’s social security number, date of birth, tax filing status and street address. You were then asked a few questions drawn from one of the credit bureaus’ public-records services, like “what was your high school mascot?”.

The problem is that in the age of the Internet that information is readily available, and in trying to be customer focused, the IRS made the identity verification pretty weak. Could someone find out where I went to high school and then Google my high school mascot? Probably. In maybe 15 seconds. That is not secure. But it is convenient.

And, if people are honest, then this is probably secure enough.

But, we are talking about money – billions of dollars in 2013.  The IRS CLAIMS that they have mostly shut down the business of bogus tax returns, but I am less than convinced.  Here’s how this works.

The hacker obtains copies of your old tax returns, courtesy of the IRS’ convenient tax transcript service, and uses that data to create bogus W-2s for the current year. They then file a current-year tax return saying that they are owed a refund, and have it mailed to the hacker’s address or, better yet, loaded onto a hard-to-trace debit card. The IRS, being customer focused, pays the refund, even though these bogus W-2s don’t match a real W-2 sent in by an employer (remember, the IRS is trying to be taxpayer friendly). To add insult to injury, when you file your real tax return to get your real refund (or pay your taxes), the IRS says sorry, we already have a tax return from you, go away.

Then you have to go through a process of trying to convince the IRS that THEY were scammed (you can probably imagine that this is not a quick or simple thing to do) in order for you to get your refund or pay your taxes.  Expect this process to take 9-12 months, on average.

And, in reality, there is not a lot you can do (see one of Brian Krebs’ stories on the subject here). Supposedly you can sign up for an account at IRS.Gov, but I don’t think that is really terribly effective (call me a skeptic).

The IRS tax transcript service and filing of false tax refund requests have been used by the fraud community for many, many years.  It is just that now with the Internet, it is much easier to scale up.

The problem comes from two facts that I started with before, plus one more.

1. How do I REALLY know who you are on the Internet – and don’t tell me by your userid and password?

2. Convenience trumps security – almost everywhere. Not so much in the Department of Defense or the Intelligence Community, but even in one of the supposedly most secure places in the world, the NSA, Edward Snowden walked off with millions of highly classified documents.

3. All these data breaches that some people laugh off as irrelevant give the hackers more data about you than you have yourself, so answering the verification questions becomes a lookup in the hacker’s own database – they don’t even have to reach out to Google.
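The mail-in process had one accidental control that the online service threw away: a hundred requests for different taxpayers going to one address is visible. The same check works against the scaled-up online version, keyed on source IP as well as on delivery address. The following is an added example in Python, not the IRS’s or anyone’s production code; the CSV layout, the field names, the 1-hour window and the threshold of 5 distinct taxpayers are assumptions, and the log lines are constructed.

```python
"""Constructed example (not the IRS's code) of a velocity check: alert when one source
IP requests transcripts for many different taxpayers, or when many different taxpayers'
transcripts are routed to one delivery address, inside a short window."""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a scripted burst from one IP to one address, two ordinary users,
# and a slower campaign spread across several IPs that only the delivery-address key catches.
SAMPLE_LOG = """ts,client_ip,taxpayer_id,delivery_target
2015-05-20T09:00:01,203.0.113.5,tp-0001,123 Elm St
2015-05-20T09:00:14,203.0.113.5,tp-0002,123 Elm St
2015-05-20T09:00:29,203.0.113.5,tp-0003,123 Elm St
2015-05-20T09:00:41,203.0.113.5,tp-0004,123 Elm St
2015-05-20T09:00:55,203.0.113.5,tp-0005,123 Elm St
2015-05-20T09:01:07,203.0.113.5,tp-0006,123 Elm St
2015-05-20T09:05:00,198.51.100.7,tp-0100,9 Oak Ave
2015-05-20T09:06:30,198.51.100.7,tp-0100,9 Oak Ave
2015-05-20T09:10:00,198.51.100.8,tp-0101,44 Pine Rd
2015-05-20T10:00:00,192.0.2.10,tp-0201,PO Box 99
2015-05-20T10:04:00,192.0.2.11,tp-0202,PO Box 99
2015-05-20T10:09:00,192.0.2.12,tp-0203,PO Box 99
2015-05-20T10:15:00,192.0.2.13,tp-0204,PO Box 99
2015-05-20T10:20:00,192.0.2.14,tp-0205,PO Box 99
"""


def parse_requests(text: str) -> list:
    """Parse the (assumed) CSV request log and return records sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])


def velocity_alerts(requests, key, window=timedelta(hours=1), threshold=5) -> dict:
    """Per distinct value of `key` (e.g. client_ip or delivery_target), keep a sliding
    window of (time, taxpayer) pairs and alert the first time `threshold` different
    taxpayers appear inside `window`. Repeated requests by one taxpayer do not count.
    Returns {key_value: (alert_time, distinct_taxpayers_at_alert)}."""
    recent = defaultdict(deque)
    alerts = {}
    for r in requests:
        q = recent[r[key]]
        q.append((r["ts"], r["taxpayer_id"]))
        while r["ts"] - q[0][0] > window:        # drop entries older than the window
            q.popleft()
        distinct = len({tp for _, tp in q})
        if distinct >= threshold and r[key] not in alerts:
            alerts[r[key]] = (r["ts"], distinct)
    return alerts


def run_detections(text: str = SAMPLE_LOG) -> dict:
    """Run the check on both keys; each key catches a pattern the other misses."""
    reqs = parse_requests(text)
    return {
        "by_source_ip": velocity_alerts(reqs, "client_ip"),
        "by_delivery_target": velocity_alerts(reqs, "delivery_target"),
    }


if __name__ == "__main__":
    for key, hits in run_detections().items():
        for value, (when, n) in hits.items():
            print(f"{key}: {value} reached {n} distinct taxpayers at {when.isoformat()}")
```

On the sample data the source-IP key fires only for the burst from 203.0.113.5, while the delivery-address key fires for both 123 Elm St and PO Box 99; the second campaign rotates IPs and would be invisible to a per-IP rate limit alone, which is why the check runs on every attribute the fraudster has to reuse to get paid. The legitimate user who requests their own transcript twice never counts past one distinct taxpayer.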

Oh, yeah, now that the IRS has gotten SOME control over this, the hackers have moved on to the 50 states plus the U.S. possessions. The only ones that don’t have to worry about that are the states that don’t have an income tax. The hacker community shares among themselves which states are easy to con and which ones are not. SIGH!

Unfortunately, this is not likely to change any time soon, so you just need to be as vigilant as you can and hang on for the ride.

Also remember, the IRS just happens to be this week’s poster child – they are not alone – just one of many.

Sorry to be a Debbie Downer.



Banks Vote Down Target-Mastercard Settlement

Mastercard and Target negotiated an agreement under which Target would pay $19 million to settle all of the banks’ claims against Target arising from the 2013-14 breach. This would be separate from any agreement with Visa. Mastercard was not able to get enough banks to agree to it, so the lawsuits against Target will continue; Target no doubt was hoping to put at least one lawsuit behind it.

As I wrote about before (see post), the deal was that in exchange for $19 million, the banks would drop their lawsuits against Target and Mastercard would dole out the money based on how many cards each bank had to reissue.  The banks had complained that this was not enough to cover their costs and had petitioned the judge to kill the deal (see post).  The judge said that he agreed, but was powerless to do anything about it.

The way the deal was constructed, if banks representing 90 percent of the cards that had to be reissued agreed to the deal, the deal was done. If that had happened, the banks that objected could have pulled out of the deal, forgone their share of the $19 million and sued Target on their own.

Visa, which is separately trying to work a deal with Target, read the handwriting on the wall and agreed to up the per card payment to banks, with small banks now getting almost three times as much as they were getting (see post).

Well, today Reuters is reporting that the deal fell apart because the 90% requirement was not met (see article). What this means is that the banks which are party to this suit, who claim that they lost $160 million, split evenly between card reissue costs and fraud, will continue their lawsuit. For Target, this means that either the case will go to trial or they will need to come up with more money to sweeten the pot.

Stay tuned.