Thursday, September 23, 2010

The economics of Identity Theft. When prices fall you have to make it up in volume.

I’ll Take 2 MasterCards and a Visa, Please

September 22, 2010 by admin

Brian Krebs writes:

When you’re shopping for stolen credit and debit cards online, there are so many choices these days. A glut of stolen data — combined with cutthroat competition and innovation among vendors — is conspiring to keep prices for stolen account numbers exceedingly low. Even so, many readers probably have no idea that their credit card information is worth only about $1.50 on the black market.


Will we see mandatory encryption standards?

FTC Testifies on Data Security Legislation

September 22, 2010 by Dissent

The Federal Trade Commission today told a Senate Subcommittee that it supports proposed legislation that would require many companies to use reasonable data security policies and procedures and require those companies to notify consumers when there is a security breach.

In testimony before the Committee on Science, Commerce, and Transportation Subcommittee on Consumer Protection, Product Safety and Insurance, Maneesha Mithal, Associate Director for Privacy and Identity Protection at the FTC, told the Subcommittee that problems with data security and breaches affect a wide array of both businesses and nonprofit organizations. “Requiring reasonable security policies and procedures of this broad array of entities is a goal that the Commission strongly supports.”

“The Commission believes that notification in appropriate circumstances can be beneficial,” the testimony notes. Many states have passed notification laws that have increased public awareness of the harm breaches can cause. “Breach notification at the federal level would extend notification nationwide and accomplish similar goals.”

The testimony states that the agency suggests three additional measures that could be included in the proposed legislation to protect consumers. First, the provision that requires that companies notify consumers in the event of an information security breach should not be limited to entities that possess data in electronic form; second, the proposed requirements should be extended so that they apply to telephone companies; and third, the Commission suggests that the bill grant the agency rulemaking authority to determine circumstances under which providing free credit reports or credit monitoring may not be warranted.

Source: FTC (full press release here)

Related: Text of the Commission Testimony

(Related) Update. Either argument is scary...

T-Mobile Claims Right to Censor Text Messages

T-Mobile told a federal judge Wednesday it may pick and choose which text messages to deliver on its network in a case weighing whether wireless carriers have the same “must carry” obligations as wire-line telephone providers.

The Bellevue, Washington-based wireless service is being sued by a texting service claiming T-Mobile stopped servicing its “short code” clients after it signed up a California medical marijuana dispensary. In a court filing, T-Mobile said it had the right to pre-approve EZ Texting’s clientele, which it said the New York-based texting service failed to submit for approval.

Security failures have long-term implications.

Victims of ChoicePoint Data Breach to Receive Redress Checks

September 22, 2010 by admin

An administrator working for the Federal Trade Commission is mailing checks to 14,023 consumers who were victims of ChoicePoint’s alleged failure to implement a comprehensive information security program to protect consumers’ personal information, as required by a previous court order. As a result, in the spring of 2008, an unauthorized person accessed its database and conducted unauthorized searches.

In January 2006, ChoicePoint settled FTC charges that its security and record-handling procedures violated consumers’ privacy rights and federal law, an action relating to a 2005 data breach. As part of that settlement, ChoicePoint agreed to maintain procedures to ensure that sensitive consumer reports were provided only to legitimate businesses for lawful purposes, to maintain a comprehensive data security program, and to obtain independent assessments of its data security program every other year until 2026.

In October 2009, the company settled charges that it violated the 2006 settlement order and agreed to a modified court order that expanded its data security assessment and reporting duties and required the company to compensate affected consumers for the time they may have spent monitoring their credit or taking other steps in response.

Checks for $18.17 are being sent to consumers.

These consumer redress checks can be cashed directly by the recipients of the checks. The FTC never requires the payment of money up-front, or the provision of additional information, before consumers cash redress checks issued to them.

Source: FTC

Would it be closer to the mark to say you don't want entities who have your personal data to do things (including sharing that data) that you didn't agree to in the first place?

Privacy is about control, not anonymity

September 22, 2010 by Dissent

Dave Fleet writes:

Seth Godin says you don’t really care about privacy:

“If you cared about privacy you wouldn’t have a credit card, because, after all, they know everything you spend money on. And you wouldn’t use the phone, because somewhere, there’s a computer scanning what you say.

What most of us care about is being surprised. You don’t want the credit card company to track where you’re staying and whether you’re buying flowers for someone you’re not even married to–and then send you a free coupon for STD testing…”

I think Seth missed the mark with this one.


Solove's Post Regarding the Role of Harm in Privacy Litigation

Posted on September 22, 2010 by Andy Serwin

Dan Solove has written extensively on privacy theory as well as harm in the data breach context and recently posted on harm in the data breach context. Solove’s post discusses the issues plaintiffs face in privacy litigation and offers alternative theories on harm. Solove raises some interesting points, including regarding the efficacy of litigation in protecting consumers’ rights, and one of his points raises interesting issues about the role of insurance. Solove notes the following regarding harm:

This is a problem. Danielle Citron’s thoughtful paper, Reservoirs of Danger, argued that those keeping data should be treated similarly to those engaging in hazardous activities. I agree. If you’re going to profit by using people’s data, you should at least be held responsible for compensating people when you fail to keep it secure.

No s@#t! They like do that c#@p 'cause it like makes them like seem like they are like f*&^%$#@#@ smart!

Today's Children Are Officially Potty Mouths

Posted by samzenpus on Wednesday September 22, @10:32AM

"When the Sociolinguistics Symposium met earlier this month, swearing scholar Timothy Jay revealed that an increase in child swearing is directly related to an increase in adult swearing. It seems that vulgarity is increasing as pop culture continues to popularize vulgarities. The blame lies with media, public figures, politicians, but mostly ourselves. From the article: 'Children as young as two are now dropping f-bombs, with researchers reporting that more kids are using profanity — and at earlier ages — than has been recorded in at least three decades.'"

With schools securing their networks beyond reason, a portable device allows me to demonstrate tools and techniques I can't install on the classroom computers. NOTE: This is not simple or quick.

How To Create Groups Of Portable Applications Using Cameyo [Windows]

It would be nice if we could pack everything up in one portable app, so those apps will always be available whenever we need them – in any possible scenario. Mac users don’t have any problem with this particular issue because basically all Mac apps are portable. But things work differently in the Windows world. Luckily, there’s a portable applications creator called Cameyo.
