How Data Brokers Sell Your Identity

Read Time:6 Minute, 24 Second

Our personal and professional lives are becoming increasingly intertwined with the online world. Regular internet usage has made us all prone to cyber-security risks. You leave a digital footprint every time you use the internet, which is a trace of all your online activities.  

When you create new accounts or subscribe to different websites, you give them explicit (or implicit, through their family of apps or subsidiary websites) access to your personal and credit card information. In other cases, websites might track basic information without your knowledge, such as your location and search history. 

There is an industry of data brokers specifically dedicated to keeping track of user data, packaging it, and supplying it to tech companies who use it to run targeted ads and enhance on-platform user experience. Given the widespread use of the internet and exponential improvements in technology, data has become a valuable commodity — creating a need for the sale and purchase of user data.  

This article discusses how data brokers sell your personal information and how you can minimize risk. 

What are data brokers?

Data brokers are companies that aggregate user information from various sources on the internet. They collect, collate, package, and sometimes even analyze this data to create a holistic and coherent version of you online. This data is then supplied to tech companies to fuel their third-party advertising-centered business models.  

Companies interested in buying data include but are not limited to: 

 

Tech platforms 
Banks 
Insurance companies 
Political consultancies 
Marketing firms 
Retailers 
Crime-fighting bureaus 
Investigation bureaus 
Video streaming service providers 
Any other businesses involved in sales  

These companies and social media platforms use your data to better understand target demographics and the content with which they interact. While the practice isn’t unethical in and of itself (personalizing user experiences and creating more convenient UIs are usually cited as the primary reasons for it), it does make your data vulnerable to malicious attacks targeted toward big-tech servers. 

How do data brokers get your information?

Most of your online activities are related. Devices like your phone, laptop, tablets, and even fitness watches are linked to each other. Moreover, you might use one email ID for various accounts and subscriptions. This online interconnectedness makes it easier for data brokers to create a cohesive user profile.  

Mobile phone apps are the most common way for data brokerage firms to collect your data. You might have countless apps for various purposes, such as financial transactions, health and fitness, or social media 

A number of these apps usually fall under the umbrella of the same or subsidiary family of apps, all of which work toward collecting and supplying data to big tech platforms. Programs like Google’s AdSense make it easier for developers to monetize their apps in exchange for the user information they collect.  

Data brokers also collect data points like your home address, full name, Social Security number, phone number, and date of birth. They have automated scraping tools to quickly collect relevant information from public profiles.[Text Wrapping Break] 

Lastly, data brokers can gather data from other third parties that track your cookies or even place trackers or cookies on your browsers. Cookies are small data files that track your online activities when visiting different websites. They track your IP address and browsing history, which third parties can exploit. Cookies are also the reason you see personalized ads and products. 

How data brokers sell your identity 

Data brokers collate your private information into one package and sell it to “people search” websites like Spokeo or TruePeopleSearch. You or a tech business can use these websites to search for people and get extensive consumer data. People search sites also contain public records like voter registration information, marriage records, and birth certificates. This data is used for consumer research and large-scale data analysis.  

Next, marketing and sales firms are some of data brokers’ biggest clients. These companies purchase massive data sets from data brokers to research your data profile. They have advanced algorithms to segregate users into various consumer groups and target you specifically. Their predictive algorithms can suggest personalized ads and products to generate higher lead generation and conversation percentages for their clients.  

Are data brokers legal?

We tend to accept the terms and conditions that various apps ask us to accept without thinking twice or reading the fine print. You probably cannot proceed without letting the app track certain data or giving your personal information. To a certain extent, we trade some of our privacy for convenience. This becomes public information, and apps and data brokers collect, track, and use our data however they please while still complying with the law.  

There is no comprehensive privacy law in the U.S. on a federal level. This allows data brokers to collect personal information and condense it into marketing insights. While not all methods of gathering private data are legal, it is difficult to track the activities of data brokers online (especially on the dark web). As technology advances, there are also easier ways to harvest and exploit data.  

Vermont and California have already enacted laws to regulate the data brokerage industry. In 2018, Vermont passed the country’s first data broker legislation. This requires data brokers to register annually with the Secretary of State and provide information about their data collection activities, opt-out policies, purchaser credentialing practices, and data breaches 

California has passed similar laws to make data brokering a more transparent industry. For risk mitigation of data brokerage, the Federal Trade Commission (FTC) has published reports and provided recommendations to Congress to reduce the engagement of data broker firms. Giving individuals the right to opt-out of the sale of their personal data is a step toward a more rigorous law regarding data privacy 

Can you remove yourself from data broker websites?

Some data brokers let you remove your information from their websites. There are also extensive guides available online that list the method by which you can opt-out of some of the biggest data brokering firms. For example, a guide by Griffin Boyce, the systems administrator at Harvard University’s Berkman Klein Center for Internet and Society, provides detailed information on how to opt-out of a long list of data broker companies. 

Acxiom, LLC is one of the largest data brokering firms and has collected data for approximately 68% of people who have an online presence. You can opt-out of their data collection either through their website or by calling them directly. 

Epsilon Data Management is another big player in the data broker industry that operates as a marketing service and marketing analytics company. You can opt-out of their website through various methods such as by email, phone, and mail. Credit rating agencies like Experian and Equifax are also notorious for collecting your data. Similarly, you can opt-out through their websites or by calling them. 

Keep your personal information secure online with McAfee Total Protection

McAfee is a pioneer in providing online and offline data protection to its customers. We offer numerous cybersecurity services for keeping your information private and secure.  

With regard to data brokers, we enable users to do a personal data clean-up. Cleaning up your personal data online may be a difficult task, as it requires you to reach out to multiple data brokers and opt out. Instead, sign up for McAfee’s Personal Data Cleanup feature to do a convenient and thorough personal data clean-up. We will search for traces of your personal data and assist in getting it removed.  

The post How Data Brokers Sell Your Identity appeared first on McAfee Blog.

Read More

Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution

Read Time:25 Second

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights.

Read More

Getting Your Kids Ready for School—And Their Smartphones Too

Read Time:7 Minute, 46 Second

If you’re the parent of a tween or teen, chances are they’re not the only ones going back to school. Their smartphones are going back too.

Our recent global research showed just how many tweens and teens use a smartphone. Plenty. Depending on the age band, that figure ranges anywhere from 76% to 93%, with some noteworthy variations between countries.

One of the top reasons parents give their child a phone is to stay in touch, so it likely follows that those phones will likely make their way into the classroom. Whether or not that’s the case for your child, back-to-school time is still a great time to help your child stay safer on their phone—and keep their phones safer too in the event of loss or theft.

Seven steps for keeping your child’s phone safer

Install protection on their phone

Comprehensive online protection software can protect your phone in the same way that it protects your laptops and computers. Unfortunately, while many people use it on their laptops and computers, far fewer people use it on their phones—only about 42% of tweens and teens worldwide use it on their smartphones according to our most recent research.

Installing it can protect their privacy, keep them safe from attacks on public Wi-Fi, and automatically block unsafe websites and links, just to name a few things it can do. You can find our smartphone apps in both Google Play and the Apple App Store.

Set their apps to automatically update

Updates do all kinds of great things for gaming, streaming, and chatting apps, such as adding more features and functionality over time. Updates do something else—they make those apps more secure. Hackers will hammer away at apps to find or create vulnerabilities, which can steal personal info or compromise the device itself. Updates will often include security improvements, in addition to performance improvements.

iPhones update apps automatically by default, yet you can learn how to turn them back on here if they’ve been set to manual updates. For Android phones, this article can help you set apps to auto-update if they aren’t set that way already.

Much the same goes for the operating system on smartphones too. Updates can bring more features and more security. iOS users can learn how to update their phones automatically in this article. Likewise, Android users can refer to this article about automatic updates for their phones.

Use a lock screen with a passcode, PIN, facial recognition, or pattern key

Another finding from our latest global research is just how few people use a lock screen on their phones. Only 56% of parents said that they protect their smartphone with a password or passcode, and only 42% said they do the same for their child’s smartphone—a further 14% drop between parents and kids.

The issue here is clear. If an unlocked phone gets lost or stolen, all the information on it is an open book to a potential hacker, scammer, or thief. Enabling a lock screen if you haven’t already. It’s a simple feature found in both iOS and Android devices.

Learn how to remotely lock or wipe a smartphone

Preventing the actual theft of your phone is important too, as some hacks happen simply because a phone falls into the wrong hands. This is a good case for password or PIN protecting your phone, as well as turning on device tracking so that you can locate your phone or even wipe it remotely if you need to. Apple provides iOS users with a step-by-step guide for remotely wiping devices, and Google offers up a guide for Android users as well.

Use a password manager

Strong, unique passwords offer another primary line of defense. Yet with all the accounts we have floating around, juggling dozens of strong and unique passwords can feel like a task—thus the temptation to use (and re-use) simpler passwords. Hackers love this because one password can be the key to several accounts. Instead, try a password manager that can create those passwords for you and safely store them as well. Comprehensive security software will include one, and McAfee also offers a free service with True Key.

Have your kids steer clear of third-party app stores

Google Play and Apple’s App Store have measures in place to review and vet apps to help ensure that they are safe and secure. Third-party sites may not have that process in place. In fact, some third-party sites may intentionally host malicious apps as part of a broader scam. Granted, cybercriminals have found ways to work around Google and Apple’s review process, yet the chances of downloading a safe app from them are far greater than anywhere else. Furthermore, both Google and Apple are quick to remove malicious apps once discovered, making their stores that much safer.

Teach your kids about the hazards of public Wi-Fi and how to use a VPN

One way that crooks can hack their way into your phone is via public Wi-Fi, such as at coffee shops, libraries, and other places on the go. These networks are public, meaning that your activities are exposed to others on the network—your banking, your password usage, all of it. One way to make a public network private is with a VPN, which can keep you and all you do protect from others on that Wi-Fi hotspot. Note that our VPN can turn on automatically for public Wi-Fi, protecting account credentials, search habits, and other activities online. ​

A quick word about desktops and laptops too

The same advice applies for these devices as well—strong online protection software, password management, VPN usage, and so on. What’s good for a smartphone is good for laptops and desktops too.

For laptops in particular, you can track these devices as well, just like a smartphone. The process differs from smartphones, yet it’s still quite straightforward. Windows and Mac users can enable the following settings—and you can click the links below for complete instructions from the source:

Windows: Enable in Settings > Update & Security > Find my device
macOS: Enable via Settings > Your Name > iCloud > Find My Mac

Putting these same protections in place on your laptops and desktops will help make your child, and your whole family, safer than before.

Note that on school-issued devices, your school district will likely have technology teams who manage them. As part of that, they typically have policies and restrictions in place to help keep them running safe and sound. If you have any questions about what kind of protections are in place on these school-issued devices, contact your school district.

Protecting your child

While we’ve largely focused on protecting the phone itself, there’s also the importance of protecting the person who’s using it. In this case, your child—what they see, do, and experience on the internet. Device security is only part of the equation there.

Parents of tweens and teens know the concerns that come along with smartphone usage, ranging anywhere from cyberbullying, too much screen time, and simply wanting to know what their child is up to on their phone.

As you can imagine, each of these topics deserves its own treatment. The “Family Safety” section of our blog offers parents and their kids alike plenty of resources, and the list below can get you started on a few of the most pressing issues:

Cyberbullying on social media
Know the signs of cyberbullying
Sketchy apps and how to avoid them
Parental controls for keeping tabs on your child’s time online
A parent’s guide to TikTok

Smartphone ownership—a device full of teaching moments

Without a doubt, while a child may get their first smartphone to “keep in touch,” that ownership blossoms into something far greater. And quite quickly. As they dive into the world of apps, social media, messaging, and gaming, take an interest, take it as an opportunity to spend time talking about their day and what it was like online.

By asking if they grabbed any cool pictures, what their favorite games are, and how their friends are when your child is texting them, questions like these can open a look into a world that would otherwise remain closed. This way, talking about the phone and what they’re doing on it becomes part of normal, everyday conversation. This can reap benefits down the road when your child encounters the inevitable bumps along the way, whether they’re dealing with a technical issue or something as difficult as cyberbullying or harassment. Talking about their life online on a regular basis may make them more apt to come forward when there’s a problem than they otherwise might.

In all, think of the smartphone as a fast pass into adulthood, thanks to how it puts the entirety of the internet right in your child’s hand. Protecting the device and the kid who’s using it will help ensure they get the absolute best out of all that potential.

The post Getting Your Kids Ready for School—And Their Smartphones Too appeared first on McAfee Blog.

Read More

Surveillance of Your Car

Read Time:24 Second

TheMarkup has an extensive analysis of connected vehicle data and the companies that are collecting it.

The Markup has identified 37 companies that are part of the rapidly growing connected vehicle data industry that seeks to monetize such data in an environment with few regulations governing its sale or use.

While many of these companies stress they are using aggregated or anonymized data, the unique nature of location and movement data increases the potential for violations of user privacy.

Read More

The dos and don’ts of startup security: How to develop a security plan

Read Time:4 Minute, 41 Second

This is the third part of a three-blog series on startup security. Please have a look at part one and part two.

New companies often struggle with the question of when to start investing in information security. A commonly heard security mantra is that security should be involved since the very beginning and at every step along the way. While this is obviously true, it is quite detached from reality and provides little practical guidance.

Frameworks such as NIST CSF and CMMI ratings help an organization evaluate the current state of their security program, but they are heavy on policy and not worthwhile for a startup where a security program does not yet exist. So when should a company run its first vulnerability scan, perform its first risk assessment, have its first penetration test done, integrate static analysis tools into its CI/CD pipeline, deploy its first IDS, write its first security policy, hire its first CISO, stand up a security operations center, etc.?

A common flawed approach is to put off answering these questions until a future date when the company hopefully has the time and money to start thinking about security. This approach is never properly executed because new priorities and expenses will inevitably continue to displace security.

Besides, some founders need a fully functioning product with a growing userbase to raise any funding in the first place – At this point it is already too late to start addressing security. Another common practice is to reactively implement security whenever its necessity becomes apparent due to business requirements, regulatory requirements, or in the worst case, a breach.

COVID-19 caused a sudden surge in the use of remote collaboration tools, some of which gained millions of users practically overnight. Some of these products were unprepared for the influx of users and, consequently, attackers, and were caught off guard by a barrage of security issues ranging from privacy concerns to ineffective access controls.

The best way to ensure a better approach to security is to always have an evolving security plan with set milestones. The plan need not be complicated or fully developed but should contain commitments to be kept. On day one of a new company, the plan might be to reach out to a friend who works in infosec to have a conversation about developing further plans within the first month. At first, the security plan will consist largely of steps required to develop the plan itself. It will take time before the plan resembles a working roadmap or documented policy.

The following is a basic example of how a security plan might develop over time for a new software company: 

Day One:

Before the end of the month, reach out to a friend who works in infosec to discuss security planning.
Locate some resources to better educate the team about application security before completion of POC.
Identify any compliance regulations applicable to the business.

One Month in (Design and Initial Proof of Concept):

Research and implement IDE linters for security.
Research and implement static analysis tools for CI/CD pipeline.
Determine security requirements related to user data collected and handled in the application.
Determine industry standard practices for mature companies in the sector.
Create a list of security tasks that must be completed before initial release.
Create a regulatory checklist for compliance.

Leading up to Initial Release:

Establish a process for periodic code reviews.
Remediate all important findings from static code analysis.
Determine and create necessary security documentation for external consumption.
Draft a security roadmap which addresses policy creation and third-party security services/products.
Complete all required items on the regulatory checklist.

This is simply an example that might apply to a software company, but it is important for a company to understand its own risks and priorities. Other companies may be more heavily focused on device and infrastructure security, while others may be more compliance-driven at first. There are many security checklists or templates online that offer several worthwhile security controls for startups, but it is important to understand how they apply to your organization to ensure that the right controls are effectively implemented.

The tasks in these example plans can be carried out by most development teams in a day or two and can be tracked on a Kanban board along with other priorities. They also contain tasks to continuously evaluate and evolve the plan as the company moves forward. In performing these tasks, the team will undoubtedly become better educated in the security concerns that affect their startup.

As the company progresses, however, it will hit a point where the security tasks and associated risks become too much for the existing team. At this point, the company must hire security-focused leadership and staff, and the knowledge gained from the initial phase of addressing security internally will surely help in ensuring that the right team is brought onboard.

Perhaps the most important factor determining the effectiveness of a company’s security controls is its culture surrounding information security. This crucial part of company culture begins at the earliest stages with the founding team and can be very difficult to change once set. By incorporating security responsibilities into its processes early on, founders can take an active role in promoting security consciousness throughout their team and better position the company to avoid costly security issues going forward.

This article is part 3 of a 3-part series on startup security. Parts 1 and 2 focused on how startup culture affects software security and the anatomy of a software vulnerability. Part one and part two have been published.

Read More

How OpenSSF Scorecards can help to evaluate open-source software risks

Read Time:35 Second

Everyone knows the phrase “software is eating the world” by Marc Andreessen from over a decade ago. Software powers and touches nearly every aspect of modern society, both personally and professionally, and is critical to the modern economy and national security.

It can also be said that open-source software (OSS) has eaten the software industry. The Linux Foundation and other groups have estimated that free and open-source software (FOSS) constitutes 70% to 90% of any modern software product. Not only is modern software largely composed of OSS components, but IT leaders are more likely to work with vendors who also contribute to the OSS community.

To read this article in full, please click here

Read More

Why UnionDigital Bank invests in an AI-driven approach to cybersecurity

Read Time:52 Second

The data-reliance of digital banking means an AI-driven approach to cybersecurity and risk management is integral to success, UnionDigital Bank CISO Dominic Grunden tells CSO. For him and his team, this took on greater significance given the speed at which UnionDigital Bank was created to empower the Philippines’ digital economy. The bank enables the Filipino people, communities, businesses, problem solvers, and regulators to leverage digital banking, fintech, blockchain, and open-finance technologies. It was established in just five months, a timescale unheard of in the banking industry, Grunden says.

From the get-go, Grunden recognized the need to adopt an AI-first security policy to keep pace with both the unprecedented growth of the company and the complexities of the digital banking sphere. Key to achieving this has been a seamless relationship with the firm’s Chief Data Officer (CDO), Dr. David R. Hardoon. Working together, the two used autonomous technology to instill a “truly holistic” AI-enhanced security and risk management strategy.

To read this article in full, please click here

Read More