This is the Shared Security Weekly Blaze for March 5, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.
This is your Shared Security Weekly Blaze for March 5th 2018…with your host…Tom Eston
In this week’s episode: Facebook Face Recognition, Private Web Browsing and Credit Card Fraud
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
I have a few shout outs this week to several of our listeners for commenting, liking and sharing our posts on social media @securid, @WiFI_NY and @drheleno_ca on Twitter as well as Itincloud and thelaurajeans on Instagram and Tom, Lauretta, Jason, Shawn and William on Facebook. A special shout out this week also goes out to sweepa36 who left us a five star review on iTunes. Thanks to all of you for supporting the show!
If you’ve been on Facebook recently you may have seen a message in your news feed about a new feature called “Face Recognition”. This feature will analyze faces to automatically tag you in photos and videos that are posted to Facebook. Facebook says that this “feature” will find photos that you’re in but haven’t been tagged, help protect you from others using your photo and to help people with visual impairments who may be in your photo or video. You can opt out of this feature by turning it off in your Facebook privacy settings. Note, some people have reported that this feature was already set to “on” so it’s a good idea to check out your privacy settings to see if this feature is enabled or not. Check out our show notes for information on where to find this setting.
Not to be overly suspicious but you know as well as I do that this feature will eventually be used to target more ads to you or to allow Facebook more ways to gather data about your activities and monetize your personal information. What I also find ironic is that just this past week a federal judge in Illinois made a ruling about an ongoing class-action case that Facebook “must face claims that it violated the privacy of millions of users by gathering and storing biometric data without their consent”. This decision means that Facebook could be liable for fines under Illinois law from $1,000 to $5,000 dollars each time a person’s image is used without permission. Of course Facebook is fighting this ruling but I’m sure this is not the end of more legal troubles for Facebook since the social network continues to push technology like Facial Recognition to its user base.
Did you know that when you use “private browsing” or “incognito mode” in your web browser, your browsing activities may not be so private after all? Hopefully, you’re aware that the sites you visit can be monitored and logged through your ISP, VPN provider or employer. It’s also important to know that data from a private browsing session can also be retrieved through common computer forensic techniques once someone has physical access to your computer.
Recently a group of MIT and Harvard researchers developed a solution called Veil which allows web developers to implement technology to protect data while it’s stored and processed within a private browsing session. To do this Veil uses “blinding servers” which are located in the cloud to encrypt and protect data on a website. That data then gets retrieved by your private browsing session. Essentially, this would make any data stored within your browsing session (or within computer memory) useless from a forensic perspective.
What I like about this technology is that it can add an additional layer of privacy for people, like journalists or human rights defenders, that might have their browsing history or computers targeted by say a state-sponsored government or dedicated adversary. Veil might also be the kick start of other technologies that further support protecting our private information while we browse the web. We’ll be closely following this project for sure to see how it evolves in the future.
Visa released new statistics that show there has been a 70% drop in counterfeit credit card fraud during the period from December 2015 to September 2017. Other data of note is that over 2.7 million merchant locations are now accepting chip cards which equates to 96% of all credit card transactions in the US. You may remember that chip cards started being implemented back in 2015 to replace the ancient “magnetic stripe” technology that has been used for credit cards since the 1970’s. The move to chip cards was magnified because of the massive Target data breach which happened in 2013.
While a 70% drop in counterfeit credit card fraud is impressive. There is still a huge problem with what is called “card-not-present” fraud. Card not present fraud happens when your credit card information is compromised typically through phishing, corrupt employees that work at an establishment where your card was used, online data breaches or through a phone call or other manual transaction that involved speaking or writing down your credit card number. Anytime you enter in your credit card without using a physical chip reader is called a “card not present” transaction.
One topic about credit cards that is always confusing is the difference between “chip and PIN” and “chip and signature” credit card transactions. Let’s break this down so you understand what this means to you. First, you need to understand the difference between a “credit” card transaction and a “debit” card transaction. A credit card transaction is charged against your credit card account (aka a line of credit) while a debit card transaction draws money from your banking account. Using a chip and PIN card you have to enter a PIN code to authorize a purchase. With a chip and signature card you simply sign for the purchase. This is the most common type of transaction that we see in the United States.
Now here is where the confusion lies. In the US most credit cards are “chip and signature” and most debit cards are “chip and PIN”. Debit cards can also be used “as a credit card” skipping the PIN entry altogether. What type of debit transaction is used at the merchants you shop at depend on the merchant because of the fees associated with using a credit or debit card. This is why one store you may shop at requires a signature for using your debit card and others require a PIN.
To make matters more confusing Apple, Samsung, and Google have added contactless payment options through your mobile phone in recent years. These type of transactions are much more secure as they use something called tokenization to protect your entire transaction which significantly reduces credit card fraud.
So as a good consumer, what can you do to prevent your credit card from being compromised? First, use a credit card where ever possible because you have no liability for fraudulent transactions on your card. If you use a debit card and its compromised you lose that money from your bank account and it could take weeks to get that money back. Secondly, check your credit and debit card statements on a regular basis, and set up text alerts whenever a transaction happens on your card. While banks and credit card companies say they have great fraud detection, unfortunately, it doesn’t always work. Finally, use more secure methods of payment like Apple or Samsung Pay on your mobile device, especially for online transactions if the merchant supports it. Otherwise, your best secure payment option is using the old standby…cash.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe to the podcast on iTunes, Google Play, Stitcher, TuneIn, Spotify or now on iHeartRadio. If you like our podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and attract more great listeners like you. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.