<h1>Identity theft – The Conversation</h1>
<h1>Is someone using your pictures to catfish? Your rights when it comes to fake profiles and social media stalking</h1>
<p>2023-10-17T16:42:49Z</p>
<figure><img src="https://images.theconversation.com/files/553065/original/file-20231010-28-n5rgo0.jpg?ixlib=rb-1.1.0&rect=140%2C20%2C6569%2C4446&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/sad-being-victim-cyber-bullying-online-2150852121">Ekateryna Zubal/Shutterstock</a></span></figcaption></figure><p>If you’ve ever used a dating app, you’ve probably experienced the disappointment of meeting someone who doesn’t look quite like their photos. You may have even been a victim of catfishing, where someone creates a fake identity to deceive or scam others online. But what if someone uses your photos to catfish someone else?</p>
<p>Setting up a social media account or dating profile is as easy as entering a name and email address. Platforms do very little to verify users’ identities, making it easy for someone to scam you, harass you – or pretend to be you.</p>
<p>There is <a href="https://policyreview.info/articles/analysis/fake-accounts-social-media-epistemic-uncertainty-and-need-independent-auditing">very little known</a> about how many online accounts are fake. What we do know is that many of these fake profiles use images from real people – often an unsuspecting third party’s public social media account. This, of course, can cause problems for the person whose photo is used. Their face is now <a href="https://www.vice.com/en/article/bvmqnm/photo-used-by-catfish-badge-of-honour">attached to online behaviour</a> that may be illegal, dishonest or just plain embarrassing.</p>
<p>Fake profiles can also include the personal contact details of an innocent third party, a form of doxing (revealing identifying or personal information about someone online) that can lead to <a href="https://www.vox.com/first-person/2017/7/13/15960394/online-sexual-harassment-doxxing-craigslist">unwanted calls, texts, emails</a>, or even <a href="https://www.theguardian.com/uk-news/2014/aug/08/woman-jailed-tricking-strangers-raping-former-colleague">in-person visits and violent attacks</a>.</p>
<h2>Can the law help?</h2>
<p>Unfortunately, if a fake account is using your image or contact details, there are not always reliable legal protections to help you stop it.</p>
<p>There are some relevant criminal offences in the UK, but they can be difficult to investigate and prosecute. For example, if the profile is being used to carry out a financial scam, it might be <a href="https://www.legislation.gov.uk/ukpga/2006/35/contents">fraud</a>. Doxing that results in the target being bombarded with unwanted messages could be <a href="https://www.legislation.gov.uk/ukpga/1997/40/section/2A">stalking</a> or <a href="https://www.legislation.gov.uk/ukpga/1997/40/section/2">harassment</a>. </p>
<p>There is also a <a href="https://www.legislation.gov.uk/ukpga/2003/21/section/127">communications offence</a> that criminalises knowingly sending false messages or persistently using the internet to cause someone annoyance, irritation or needless anxiety. New online safety laws could make it harder to establish criminality for this, by requiring proof that the perpetrator intended to cause the target physical or “non-trivial” psychological harm. </p>
<p>Other legal options include suing whoever set up the fake account. There are potential civil claims in <a href="https://www.legislation.gov.uk/ukpga/1997/40/section/3">harassment</a>, <a href="https://www.legislation.gov.uk/ukpga/2013/26/contents/enacted">defamation</a> or <a href="https://www.legislation.gov.uk/ukpga/1988/48/contents">copyright</a> law. However, this is expensive, time-consuming and reliant on being able to identify the account holder, which is not straightforward. Perpetrators may be located in a different country, so outside of court jurisdiction – if they can be tracked down at all. </p>
<p>If you think that a crime has been committed, contact the police for their advice, particularly if you think that you know who is behind the account. Evidence is vital, so make sure you take screenshots before you do anything else. </p>
<h2>What platforms can do</h2>
<p>Asking the platforms to remove fake profiles may be your best option. If the account is using photographs that you took yourself, one of your most effective legal protections will be copyright law. Platforms are not generally liable for the content posted by users, but if you use their tools to report <a href="https://www.cambridge.org/core/journals/legal-studies/article/abs/using-ip-rights-to-protect-human-rights-copyright-for-revenge-porn-removal/2C1840AC0EB870FB2134CEE9586E76D6">copyright infringement</a>, they will take it seriously.</p>
<p>You can also <a href="https://reportharmfulcontent.com/advice/impersonation/">report fake accounts</a> using websites’ own tools. This can sometimes turn into a game of fake profile “whack-a-mole”, as new accounts spring up as soon as one is shut down. Additionally, platform responses to such reports <a href="https://refuge.org.uk/wp-content/uploads/2022/11/Marked-as-Unsafe-FINAL-November-2022.pdf%22%22">have not always been adequate</a>. </p>
<figure class="align-center ">
<img alt="Photo illustration showing a woman and a man in different scenes, but facing each other and both on computers. The man is a shadowy figure in a dark room, suggesting that he is scamming the woman he is chatting to" src="https://images.theconversation.com/files/553061/original/file-20231010-29-gbe9st.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/553061/original/file-20231010-29-gbe9st.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=430&fit=crop&dpr=1 600w, https://images.theconversation.com/files/553061/original/file-20231010-29-gbe9st.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=430&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/553061/original/file-20231010-29-gbe9st.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=430&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/553061/original/file-20231010-29-gbe9st.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=541&fit=crop&dpr=1 754w, https://images.theconversation.com/files/553061/original/file-20231010-29-gbe9st.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=541&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/553061/original/file-20231010-29-gbe9st.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=541&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Is your online date who they say they are?</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/young-woman-having-online-date-fake-1194339238">Pixel-Shot/Shutterstock</a></span>
</figcaption>
</figure>
<p>A new law might help. <a href="https://www.bbc.co.uk/news/technology-66854618">Under the online safety bill</a>, which is awaiting royal assent, platforms must take steps to prevent users from encountering “priority illegal content” that amounts to certain criminal offences, including stalking and harassment. This legal obligation should make platforms more proactive about addressing these types of harms. </p>
<p>The new law will also require the largest and riskiest platforms (such as the main social media sites) to offer users a way to verify their identity. Verified users will also be able to <a href="https://carnegieuktrust.org.uk/blog-posts/strengthening-the-user-empowerment-tools-in-the-online-safety-bill/">block non-verified users</a> from seeing their content, reducing the risk of unknown users accessing their photographs and personal information. </p>
<h2>How to protect yourself</h2>
<p><strong>1. Make a report</strong></p>
<p>Use <a href="https://reportharmfulcontent.com/advice/impersonation/">platform reporting tools</a> to request that profiles are taken down. Speak to the police if you think a crime such as fraud, stalking or harassment has taken place, and take screenshots of messages or false accounts as evidence.</p>
<p><strong>2. Tell your networks</strong></p>
<p>Let your friends and family know that you have come across a fake profile using your information. If they know it is out there, they are less likely to think it’s you. Consider agreeing code words so that friends and family can check it is really you, and not a scammer, before sharing personal or financial information via messaging apps.</p>
<p><strong>3. Protect your images</strong></p>
<p>This is certainly not foolproof, but adding a watermark to photos, such as your social media handle, can reduce their appeal to fraudsters. </p>
<p><strong>4. Review your privacy settings</strong> </p>
<p>It is not always feasible or desirable to have a private account, but make sure you have made conscious choices about your online privacy, rather than relying on default settings.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Depending on what the fake account is doing, the law may not be on your side.</p>
<p>Rachel Maguire, Lecturer in Law, Royal Holloway University of London; Aislinn O'Connell, Senior Lecturer in Law, Royal Holloway University of London</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<h1>AI threatens to add to the growing wave of fraud but is also helping tackle it</h1>
<p>2023-08-10T12:25:02Z</p>
<figure><img src="https://images.theconversation.com/files/541723/original/file-20230808-19-q8t3ng.jpg?ixlib=rb-1.1.0&rect=0%2C24%2C5452%2C3812&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The government, banks and other financial organisations are now dealing with fraud by using increasingly sophisticated detection methods.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/internet-fraud-darknet-data-thiefs-cybercrime-1716862513">Maksim Shmeljov/Shutterstock</a></span></figcaption></figure><p>There were <a href="https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/articles/natureoffraudandcomputermisuseinenglandandwales/yearendingmarch2022">4.5 million</a> reported incidents of fraud in the UK in 2021/22, up 25% on the year before. It is a growing problem which costs billions of pounds every year. </p>
<p>The COVID pandemic and the cost of living crisis have created <a href="https://www.bbc.co.uk/news/business-55769991">ideal conditions</a> for fraudsters to exploit the vulnerability and desperation of many households and businesses. And with the use of AI increasing in general, we will likely see a further increase in <a href="https://www2.deloitte.com/uk/en/blog/auditandassurance/2023/generative-ai-and-fraud-what-are-the-risks-that-firms-face.html">new types of fraud</a>; AI is probably also contributing to the increased frequency of fraud we are seeing today. </p>
<p>Already, the ability of AI to absorb personal data, such as emails, photographs, videos and <a href="https://www.cbsnews.com/news/scammers-ai-mimic-voices-loved-ones-in-distress/#:%7E:text=Artificial%20intelligence%20is%20making%20phone,mounting%20losses%20due%20to%20fraud.">voice recordings</a> to imitate people is proving to be a new and unprecedented challenge. </p>
<p>But there is also an upside. The government, banks and other financial organisations are now fighting back with increasingly sophisticated fraud-detection methods. AI and machine learning models could be a <a href="https://www.weforum.org/agenda/2023/04/as-generative-ai-gains-pace-industry-leaders-explain-how-to-make-it-a-force-for-good/">part of the solution</a> to deal with the increasing complexity, sophistication and prevalence of such scams.</p>
<p>The rising gap between prices and people’s incomes appears to have made people more <a href="https://www.citizensadvice.org.uk/about-us/about-us1/media/press-releases/over-40-million-targeted-by-scammers-as-the-cost-of-living-crisis-bites/">receptive</a> to scams which offer grants, rebates and support payments. </p>
<p>Fraudsters often target individuals by posing as genuine organisations. Examples include pretending to be your bank or posing as the government telling you that you are eligible for a lucrative scheme, in order to steal your identity details and then money. </p>
<p>This follows a dramatic rise in recent years of fraudulent applications to government and regional support packages, mainly implemented in response to the pandemic. Here fraudsters often pose as fake businesses to secure multiple loans or grants. </p>
<p>One of the <a href="https://www.manchestereveningnews.co.uk/news/greater-manchester-news/man-who-pretended-greggs-bakery-27251086">most outlandish examples</a> of this was a Luton man who posed as a Greggs bakery to swindle three local authorities in England out of almost £200,000 worth of COVID small business grants.</p>
<p>The hurried roll out of such schemes for faster economic impact made it difficult for officials to effectively review applications. The UK government’s Department for Business and Trade now <a href="https://www.bbc.co.uk/news/business-59504943">estimates</a> that 11% of such loans, roughly £5 billion, were fraudulent. By March 2022 only £762 million <a href="https://www.gov.uk/government/publications/hmrc-issue-briefing-tackling-error-and-fraud-in-the-covid-19-support-schemes/tackling-error-and-fraud-in-the-covid-19-support-schemes">had been recovered</a>.</p>
<h2>Fraud detection</h2>
<p>Over the past few years, complex mathematical models combining traditional statistical techniques and machine learning analysis have shown promise in the <a href="https://onlinelibrary.wiley.com/doi/abs/10.1111/acfi.12742">early detection</a> of financial statement fraud. This is when companies typically misrepresent or deceive investors into believing they are more profitable than they really are.</p>
<p>One of the breakthroughs has been the incorporation of both financial and non-financial information into data analysis systems. For example, the risk of fraud decreases if there is <a href="https://onlinelibrary.wiley.com/doi/abs/10.1111/acfi.12742">better corporate governance</a> and a lower proportion of directors who are also executives. </p>
<p>In a small business context, we can think about this as promoting transparency and making sure that important positions do not have sole authority to make significant decisions. </p>
<p>Such data analytics models can be used to rank applications in terms of potential fraud risk, so that the riskiest applications get additional scrutiny by government officials. We are now starting to see implementations of such systems to tackle <a href="https://www.theguardian.com/society/2023/jul/11/use-of-artificial-intelligence-widened-to-assess-universal-credit-applications-and-tackle">universal credit</a> fraud, for example.</p>
<p><a href="https://www.ft.com/content/0dca8946-05c8-11e8-9e12-af73e8db3c71">Banks, financial services providers</a> and <a href="https://www.ft.com/content/d3bd46cb-75d4-40ff-a0cd-6d7f33d58d7f">insurers</a> are developing machine-learning models to detect financial fraud too. A Bank of England survey published in October 2022 <a href="https://www.bankofengland.co.uk/report/2022/machine-learning-in-uk-financial-services">revealed</a> that 72% of financial services firms are already testing and implementing them. </p>
<p>We are also seeing new collaborations in the industry, with the likes of Deutsche Bank partnering with chip maker Nvidia to <a href="https://www.db.com/news/detail/20221207-deutsche-bank-partners-with-nvidia-to-embed-ai-into-financial-services">embed AI</a> into their fraud detection systems.</p>
<h2>Risks of AI systems</h2>
<p>However, the advent of new automated AI systems brings with it worries of potential unintended biases within them. In a <a href="https://www.bbc.co.uk/news/uk-politics-66133665">recent trial</a> of a new AI fraud detection system by the Department of Work and Pensions, campaign groups were worried about potential biases. </p>
<p>A common issue that needs to be overcome with such systems is that they work for the majority of people, but are often biased against minority groups. This means if left unadjusted they are disproportionately more likely to flag applications from ethnic minorities as risky.</p>
<p>But AI systems should not be used as a fully automated process to detect fraud and make accusations, but rather <a href="https://www.ft.com/content/2df33fc5-981a-4952-8dc6-d4eee7343acc">as a tool</a> to assist assessors. They can help auditors and civil servants, for example, to identify cases where greater scrutiny is required and to reduce processing time.</p>
<p class="fine-print"><em><span>Adrian Gepp has received funding from the Accounting and Finance Association of Australia and New Zealand. He is also affiliated with the Association of Certified Fraud Examiners. </span></em></p><p class="fine-print"><em><span>Laurence Jones does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Fraud was up 25% in the UK in 2021/22.</p>
<p>Laurence Jones, Lecturer in Finance, Bangor University; Adrian Gepp, Professor of Data Analytics, Bangor University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<h1>How to protect yourself from drop account fraud – tips from our investigative unit</h1>
<p>2023-06-20T13:40:12Z</p>
<figure><img src="https://images.theconversation.com/files/532280/original/file-20230615-15-z17k8.png?ixlib=rb-1.1.0&rect=11%2C187%2C2546%2C1388&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Loot stolen from the U.S. Postal Service is displayed on the dark web.</span> <span class="attribution"><span class="source">Via Evidence-Based Cybersecurity Research Group</span></span></figcaption></figure><h2>The types of crimes that use drop accounts are multiplying rapidly, but there are ways to decrease your chances of becoming a victim.</h2>
<ul>
<li>Do not mail checks from anywhere but your local post office. Not even your own mailbox is safe. <a href="https://theconversation.com/how-cybercriminals-turn-paper-checks-stolen-from-mailboxes-into-bitcoin-173796">The best option? Pay bills and send money online</a>.</li>
</ul>
<h2>Protect your identity online by following these steps</h2>
<ul>
<li>Guard your Social Security number. Never give it on medical forms (if asked, write “available upon request”), for a job interview, when applying for a grocery store reward card or when booking travel. If you believe the number has been compromised, <a href="https://faq.ssa.gov/en-us/Topic/article/KA-02220">contact the Social Security Administration to get a new one</a>.</li>
<li>Use only one credit card for online shopping, and never use a debit card.</li>
<li><a href="https://theconversation.com/choose-better-passwords-with-the-help-of-science-82361">Strengthen your online and mobile phone passwords</a>.</li>
<li>If you don’t expect to apply for a credit card or loan soon, <a href="https://www.consumerfinance.gov/ask-cfpb/what-does-it-mean-to-put-a-security-freeze-on-my-credit-report-en-1341/">freeze your credit with all three credit rating agencies</a>.</li>
<li><a href="https://theconversation.com/your-credit-report-is-a-key-part-of-your-privacy-heres-how-to-find-and-check-it-116999">Check your credit reports</a>.</li>
<li>Do not respond to preapproved credit card or loan offers delivered by mail, and, to reduce offers, consider <a href="https://www.optoutprescreen.com/">opting out of receiving these mailings</a>.</li>
<li>Shred your financial information; don’t simply throw it out.</li>
<li>Never give out personal information to anyone contacting you through unsolicited phone calls or emails. </li>
</ul>
<h2>To prevent fraud involving a tax return refund or any other tax issue</h2>
<ul>
<li>Complete and send in your tax return as early as possible, which makes it more difficult for someone to steal your refund. </li>
<li><a href="https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin">Establish an identity protection PIN with the IRS</a>, which only you and the agency will know. </li>
<li>If the IRS rejects your attempt to file your tax return, or if you receive any unusual mail from the agency such as a tax transcript you didn’t request, or it notifies you of suspicious activity, contact the agency at the number <a href="https://www.irs.gov/individuals/understanding-your-cp01c-notice">listed here</a> to report possible identity theft. </li>
<li>Pay any <a href="https://www.irs.gov/payments">taxes owed online</a>, not by check.</li>
</ul>
<h2>To prevent losses through business email compromise scams</h2>
<ul>
<li>Learn and teach employees basic email safety techniques. </li>
<li>Confirm urgent emails from supervisors or vendors demanding immediate wire transfers. In fact, urgent requests are the most suspicious.</li>
<li>Assure employees that double-checking whether these purportedly urgent emails came from the listed sender will not result in criticism or punishment. </li>
<li>Never purchase a gift card requested by a supervisor through email or text.</li>
<li>Human resources officials should never change bank accounts for direct deposit if employees ask by email or text. Always call to double-check that the request is real.</li>
</ul>
<hr>
<div style="float:right;width:205px;">
<a href="https://theconversation.com/us/investigations/mailbox-robberies-drop-accounts-checkwashing-fraud-gangs-of-fullz"><img alt="Graphic showing a masked criminal on a stamp and saying 'Heists worth billions'" class="ls-is-cached lazyloaded" data-src="https://images.theconversation.com/files/532510/original/file-20230618-28-hh0pox.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=200&fit=clip" src="https://images.theconversation.com/files/532510/original/file-20230618-28-hh0pox.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=200&fit=clip"></a></div>
<p><em>This article accompanies <strong><a href="https://theconversation.com/us/investigations/mailbox-robberies-drop-accounts-checkwashing-fraud-gangs-of-fullz">Heists Worth Billions</a></strong>, an investigation from The Conversation that found criminal gangs using sham bank accounts and secret online marketplaces to steal from almost anyone – and uncovered just how little is being done to combat the fraud.</em></p>
<ul>
<li><p><strong><a href="https://theconversation.com/behind-the-scenes-of-the-investigation-heists-worth-billions-207158">Behind the scenes of the investigation</a></strong></p></li>
<li><p><strong><a href="https://theconversation.com/announcing-the-conversations-new-investigative-unit-were-looking-for-collaborators-in-academia-207394">Announcing The Conversation’s new investigative unit</a></strong></p></li>
</ul>
<p class="fine-print"><em><span>Kurt Eichenwald does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Cyber bank fraud is on the rise. Here are some important ways to protect yourself.</p>
<p>Kurt Eichenwald, Senior Investigative Editor, The Conversation</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<h1>Should you pay for Meta’s and Twitter’s verified identity subscriptions? A social media researcher explains how the choice you face affects everyone else</h1>
<p>2023-03-08T13:40:55Z</p>
<figure><img src="https://images.theconversation.com/files/513996/original/file-20230307-172-u720z6.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C5582%2C3710&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">If you want to use two-factor authentication via text message on Twitter, you'll have to pay for it.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/twitter-verified-seen-on-mobile-with-a-stock-graph-on-news-photo/1246403941">NurPhoto via Getty Images</a></span></figcaption></figure><p>Social media services have generally been free of charge for users, but now, with ad revenues slowing down, social media companies are <a href="https://www.wsj.com/articles/would-you-pay-for-social-media-meta-twitter-and-snap-want-to-find-out-856524f8">looking for new revenue streams</a> beyond targeted ads. Now, Twitter is charging for its blue check verification, and Meta and Twitter both charge for identity protection.</p>
<p>Users benefit from “free” services such as social media platforms. According to <a href="https://doi.org/10.1073/pnas.1815663116">one study</a>, in the U.S., Facebook users say they would have to be paid <a href="https://mitsloan.mit.edu/ideas-made-to-matter/how-much-are-search-engines-worth-to-you">in the range of $40 to $50</a> to leave the social networking service for one month. If you value Facebook highly enough that you’d need to get paid to take a break, why not pay for these new services if you can afford them? </p>
<p>Meta plans to offer <a href="https://www.theverge.com/2023/2/20/23607106/twitter-facebook-instagram-meta-security-subscription">paid customer support and account monitoring</a> on Facebook and Instagram to guard against impersonators for <a href="https://www.theverge.com/2023/2/19/23606268/meta-instagram-facebook-test-paid-verification">US$11.99 a month on the web and $14.99 a month on iOS devices</a>. Twitter’s proposed changes make two-factor authentication via text messaging <a href="https://www.theverge.com/2023/2/20/23607106/twitter-facebook-instagram-meta-security-subscription">a premium feature for paid users</a>. Twitter Blue costs $8 a month on Android devices and $11 a month on iOS devices.</p>
<p>As a researcher who <a href="https://scholar.google.com/citations?user=JpFHYKcAAAAJ">studies social media and artificial intelligence</a>, I see three problems with the rollout of these features. </p>
<h2>The collective action problem</h2>
<p>Information goods, such as those provided by social media platforms, are characterized by the problem of collective action, and information security is no exception. Collective action problems, which economists describe <a href="https://personal.utdallas.edu/%7Eliebowit/palgrave/network.html">as network externalities</a>, result when the actions of one participant in a market affect other participants’ outcomes. </p>
<p>Some people might pay Facebook for improved security, but overall, collective well-being depends on having a very large group of users investing in better security for all. Picture a medieval city under siege from an invader where <a href="https://doi.org/10.1126/science.1130992">each family would be responsible for a stretch of the wall</a>. Collectively, the community is only as strong as the weakest link. Will Twitter and Meta still deliver the promised and paid-for results if not enough users sign up for these services?</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/514057/original/file-20230307-16-6if8n3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="a screenshot with large and small text and a white checkmark inside a 12-point star" src="https://images.theconversation.com/files/514057/original/file-20230307-16-6if8n3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/514057/original/file-20230307-16-6if8n3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/514057/original/file-20230307-16-6if8n3.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/514057/original/file-20230307-16-6if8n3.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/514057/original/file-20230307-16-6if8n3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/514057/original/file-20230307-16-6if8n3.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/514057/original/file-20230307-16-6if8n3.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Meta is beginning to roll out a paid identity protection service for Facebook and Instagram users.</span>
<span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/this-photo-illustration-taken-in-melbourne-on-february-24-news-photo/1247430814">William West/AFP via Getty Images</a></span>
</figcaption>
</figure>
<p>While large platforms such as Facebook and Twitter could benefit from lock-in, meaning having users who are dependent on or at least heavily invested in them, it’s not clear how many users will pay for these features. This is an area where the platforms’ profit motive is in conflict with the overall goal of the platform, which is to have a large enough community that people will continue using the platform because all of their social or business connections are there. </p>
<h2>Economics of information security</h2>
<p>Charging for identity protection raises the question of how much each person values privacy or security online. Markets for privacy have posed a similar conundrum. For digital products in particular, consumers are not fully informed about how their data is collected, for what purposes and with what consequences. </p>
<p>Scammers can find many ways to breach security and exploit vulnerabilities in large platforms such as Facebook. But valuing security or privacy is complicated because social media users do not know exactly how much Meta or Twitter invests in keeping everyone safe. When users of digital platforms do not understand how platforms safeguard their information, the resulting lack of trust could limit the number of people willing to pay for features such as security and identity verification.</p>
<p>Social media users in particular face <a href="https://doi.org/10.1257/jel.54.2.442">imperfect or asymmetric information</a> about their data, so they do not know how to correctly value features such as security. In the standard economic logic, markets assign prices based on buyers’ willingness to pay and sellers’ lowest acceptable bids, or <a href="https://www.investopedia.com/terms/r/reserve-price.asp">reservation prices</a>. However, digital platforms such as Meta benefit from individuals’ data by virtue of their size – they have such a large amount of personal data. There is no market for individual data rights, even though there have been a few policy proposals such as California governor Gavin Newsom’s <a href="https://www.cnbc.com/2019/02/12/california-gov-newsom-calls-for-new-data-dividend-for-consumers.html">call for a data dividend</a>. </p>
<p>Some cybersecurity experts have already pointed out the <a href="https://www.washingtonpost.com/politics/2023/02/21/paid-security-features-twitter-meta-spark-cybersecurity-concerns/">downsides to monetizing security features</a>. In particular, because users were given a very rushed timeline, one month from announcement to implementation, to pay for a more secure option, there is a real risk that many will <a href="https://www.theverge.com/2023/2/20/23607106/twitter-facebook-instagram-meta-security-subscription">turn off two-factor authentication altogether</a>. Further, security, user authentication and identity verification <a href="https://time.com/6257711/facebook-instagram-twitter-paid-verification/">are issues that concern everyone</a>, not just content creators or those who can afford to pay. </p>
<p>In the first three months of 2022 alone, nearly one-fifth of teens and adults in the U.S. <a href="https://www2.deloitte.com/us/en/pages/about-deloitte/articles/press-releases/connectivity-and-mobile-trends.html">reported their social media accounts getting hacked</a>. The same survey found that 24% of consumers reported being overwhelmed by devices and subscriptions, indicating significant fatigue and cognitive overload in having to manage their virtual experiences. </p>
<p>It is also the case that social media platforms are not really free. The old adage is <a href="https://quoteinvestigator.com/2017/07/16/product/">if you are not paying, then you are the product</a>. Digital platforms such as Meta and Twitter monetize the enormous tracts of data they have about users through a <a href="https://theconversation.com/why-bad-ads-appear-on-good-websites-a-computer-scientist-explains-178268">complex online advertising-driven ecosystem</a>. The system makes use of very granular individual user data and predictive analytics <a href="https://doi.org/10.1257/jep.23.3.37">to help companies microtarget online ads</a> and <a href="https://doi.org/10.1007/s11151-013-9399-3">track and compare advertising views with outcomes</a>. There are <a href="https://theconversation.com/facebook-begins-to-shift-from-being-a-free-and-open-platform-into-a-responsible-public-utility-101577">hidden costs</a> associated with people’s loss of privacy and control over their personal information, including loss of trust and vulnerability to identity theft. </p>
<h2>Social media and online harms</h2>
<p>The other problem is how these moves to monetize security options increase online harms for vulnerable users without identity protection provisions. Not everyone can afford to pay Meta or Twitter to keep their personal information safe. Social bots have become <a href="https://doi.org/10.1007/978-3-030-91779-1_11">increasingly sophisticated</a>. <a href="https://www.cnbc.com/2023/02/23/biggest-benefits-risks-in-meta-twitter-verification-subscriptions.html">Scams increased by almost 288%</a> from 2021 to 2022, according to one report. Scammers and phishers have found it easy enough to <a href="https://www.washingtonpost.com/technology/2023/02/23/facebook-instagram-fee/">gain access to people’s personal information and impersonate others</a>. </p>
<p>For those who are scammed, the process of account recovery is frustrating and time-consuming. Such moves might hurt the most vulnerable, such as those who need Meta to find access to job information, or the elderly and infirm who use social media to learn about what is happening in their communities. Communities that have invested resources in building a shared online space using platforms such as Twitter and Facebook may be harmed by monetization efforts. </p>
<p>People are tired of having to navigate numerous subscriptions and having security and privacy concerns that persist. At the same time, it’s an open question whether enough users will pay for these services to boost collective security. Ultimately, the service a social media platform offers is the opportunity to connect with others. Will users pay for the ability to maintain social connections the way they pay for content, such as entertainment or news? Social media giants may have a difficult path ahead.</p>
<p class="fine-print"><em><span>Anjana Susarla receives funding from the National Institute of Health.</span></em></p>Twitter and Meta are looking to make money from protecting users’ identities. This raises questions about collective security, people understanding what they’re paying for and who remains vulnerable.Anjana Susarla, Professor of Information Systems, Michigan State UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1935062022-12-02T13:42:26Z2022-12-02T13:42:26ZDarknet markets generate millions in revenue selling stolen personal data, supply chain study finds<figure><img src="https://images.theconversation.com/files/498313/original/file-20221130-16-bror1p.jpg?ixlib=rb-1.1.0&rect=13%2C0%2C9142%2C3840&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Hackers are just one part of a supply chain in a multimillion-dollar black market for stolen data.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/internet-security-protection-from-hacker-attacking-royalty-free-image/1372448103">Peach_iStock via Getty Images</a></span></figcaption></figure><p>It is common to hear news reports about large data breaches, but what happens once your personal data is stolen? Our research shows that, like most legal commodities, stolen data products flow through a supply chain consisting of producers, wholesalers and consumers. But this supply chain involves the <a href="https://doi.org/10.1093/bjc/azab116">interconnection of multiple criminal organizations</a> operating in illicit underground marketplaces. </p>
<p>The stolen data supply chain begins with producers – hackers who exploit vulnerable systems and steal sensitive information such as credit card numbers, bank account information and Social Security numbers. Next, the stolen data is advertised by wholesalers and distributors who sell the data. Finally, the data is purchased by consumers who use it to commit <a href="https://theconversation.com/heres-how-much-your-personal-information-is-worth-to-cybercriminals-and-what-they-do-with-it-158934">various forms of fraud</a>, including fraudulent credit card transactions, identity theft and phishing attacks.</p>
<p>This trafficking of stolen data between producers, wholesalers and consumers is enabled by darknet markets, which are websites that resemble ordinary e-commerce websites but are accessible only using special browsers or authorization codes.</p>
<p>We found <a href="https://doi.org/10.1093/bjc/azab116">several thousand vendors selling tens of thousands of stolen data products</a> on 30 darknet markets. These vendors had more than US$140 million in revenue over an eight-month period.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/494283/original/file-20221108-26-c267j3.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="Horizontal left-to-right flowchart with four segments" src="https://images.theconversation.com/files/494283/original/file-20221108-26-c267j3.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/494283/original/file-20221108-26-c267j3.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=114&fit=crop&dpr=1 600w, https://images.theconversation.com/files/494283/original/file-20221108-26-c267j3.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=114&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/494283/original/file-20221108-26-c267j3.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=114&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/494283/original/file-20221108-26-c267j3.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=143&fit=crop&dpr=1 754w, https://images.theconversation.com/files/494283/original/file-20221108-26-c267j3.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=143&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/494283/original/file-20221108-26-c267j3.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=143&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">The stolen data supply chain, from data theft to fraud.</span>
<span class="attribution"><span class="source">Christian Jordan Howell</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<h2>Darknet markets</h2>
<p>Just like traditional e-commerce sites, darknet markets provide a platform for vendors to connect with potential buyers to facilitate transactions. Darknet markets, though, are notorious for the sale of illicit products. Another key distinction is that access to darknet markets requires the use of special software such as <a href="https://www.torproject.org/">the Onion Router</a>, or TOR, which provides security and anonymity.</p>
<p><a href="https://news.law.fordham.edu/jcfl/2018/02/21/silk-road-the-dark-side-of-cryptocurrency/">Silk Road</a>, which emerged in 2011, combined TOR and bitcoin to become the first known darknet market. The market was eventually seized in 2013, and the founder, <a href="https://www.theguardian.com/technology/2015/may/29/silk-road-ross-ulbricht-sentenced">Ross Ulbricht, was sentenced</a> to two life sentences plus 40 years without the possibility of parole. Ulbricht’s hefty prison sentence did not appear to have the intended deterrent effect. Multiple markets emerged to fill the void and, in doing so, created a thriving ecosystem profiting from stolen personal data. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/494890/original/file-20221111-17-itqfbs.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="Screenshot of a webpage showing a product for sale" src="https://images.theconversation.com/files/494890/original/file-20221111-17-itqfbs.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/494890/original/file-20221111-17-itqfbs.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=341&fit=crop&dpr=1 600w, https://images.theconversation.com/files/494890/original/file-20221111-17-itqfbs.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=341&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/494890/original/file-20221111-17-itqfbs.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=341&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/494890/original/file-20221111-17-itqfbs.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=429&fit=crop&dpr=1 754w, https://images.theconversation.com/files/494890/original/file-20221111-17-itqfbs.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=429&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/494890/original/file-20221111-17-itqfbs.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=429&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Example of a stolen data ‘product’ sold on a darknet market.</span>
<span class="attribution"><span class="source">Screenshot by Christian Jordan Howell</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<h2>Stolen data ecosystem</h2>
<p>Recognizing the role of darknet markets in trafficking stolen data, we conducted the largest systematic examination of stolen data markets that we are aware of to better understand the size and scope of this illicit online ecosystem. To do this, we first identified 30 darknet markets advertising stolen data products. </p>
<p>Next, we extracted information about stolen data products from the markets on a weekly basis for eight months, from Sept. 1, 2020, through April 30, 2021. We then used this information to determine the number of vendors selling stolen data products, the number of stolen data products advertised, the number of products sold and the amount of revenue generated. </p>
<p>In total, there were 2,158 vendors who advertised at least one of the 96,672 product listings across the 30 marketplaces. Vendors and product listings were not distributed equally across markets. On average, marketplaces had 109 unique vendor aliases and 3,222 product listings related to stolen data products. Marketplaces recorded 632,207 sales across these markets, which generated $140,337,999 in total revenue. Again, there is high variation across the markets. On average, marketplaces had 26,342 sales and generated $5,847,417 in revenue. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/494894/original/file-20221111-12-fi0o5r.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="Graphic with a silhouette representing a person and a dollar sign" src="https://images.theconversation.com/files/494894/original/file-20221111-12-fi0o5r.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/494894/original/file-20221111-12-fi0o5r.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=340&fit=crop&dpr=1 600w, https://images.theconversation.com/files/494894/original/file-20221111-12-fi0o5r.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=340&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/494894/original/file-20221111-12-fi0o5r.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=340&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/494894/original/file-20221111-12-fi0o5r.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=427&fit=crop&dpr=1 754w, https://images.theconversation.com/files/494894/original/file-20221111-12-fi0o5r.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=427&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/494894/original/file-20221111-12-fi0o5r.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=427&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">The size and scope of the stolen data ecosystem over an eight-month period.</span>
<span class="attribution"><span class="source">Christian Jordan Howell</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>After assessing the aggregate characteristics of the ecosystem, we analyzed each of the markets individually. In doing so, we found that a handful of markets were responsible for trafficking most of the stolen data products. The three largest markets – Apollon, WhiteHouse and Agartha – contained 58% of all vendors. The number of listings ranged from 38 to 16,296, and the total number of sales ranged from 0 to 237,512. The total revenue of markets also varied substantially during the 35-week period: It ranged from $0 to $91,582,216 for the most successful market, Agartha.</p>
<p>For comparison, most midsize companies operating in the U.S. earn between $10 million and $1 billion annually. Both Agartha and Cartel earned enough revenue within the 35-week period we tracked them to be characterized as midsize companies, earning $91.6 million and $32.3 million, respectively. Other markets like Aurora, DeepMart and WhiteHouse were also on track to reach the revenue of a midsize company if given a full year to earn.</p>
<p>Our research details a thriving underground economy and illicit supply chain enabled by darknet markets. As long as data is routinely stolen, there are likely to be marketplaces for the stolen information.</p>
<p>These darknet markets are difficult to disrupt directly, but efforts to thwart customers of stolen data from using it offer some hope. We believe that advances in artificial intelligence can provide law enforcement agencies, financial institutions and others with information needed to prevent stolen data from being used to commit fraud. This could stop the flow of stolen data through the supply chain and disrupt the underground economy that profits from your personal data.</p>
<p class="fine-print"><em><span>David Maimon receives funding from NSF and DHS. He is affiliated with Vidocq group. </span></em></p><p class="fine-print"><em><span>Christian Jordan Howell does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>The hacker who steals your data is just one part of an illicit supply chain featuring producers, wholesalers, distributors and consumers – a black-market industry worth millions of dollars.Christian Jordan Howell, Assistant Professor in Cybercrime, University of South FloridaDavid Maimon, Professor of Criminal Justice and Criminology, Georgia State UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1935372022-11-02T19:01:53Z2022-11-02T19:01:53ZIn the wake of recent data breaches, here’s why you need to check your credit score. It could even help track down criminals<figure><img src="https://images.theconversation.com/files/492938/original/file-20221102-32126-n31er.jpg?ixlib=rb-1.1.0&rect=13%2C2092%2C4459%2C2481&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Nathan Dumlao / Unsplash</span></span></figcaption></figure><p>Millions of Australians have had their privacy breached in <a href="https://7news.com.au/news/cyber-security/millions-of-people-have-had-their-data-exposed-in-recent-hacks-heres-why-it-keeps-happening-c-8640820">recent cyber attacks</a> against Optus, Medibank and other companies. </p>
<p>Cybercriminals stole sensitive health and financial data that can be used for ransom, blackmail or fraud. </p>
<p>Law enforcement agencies are still investigating the origin of these attacks, but as experts in cyber and national security we can say two things are already clear.</p>
<p>First, anyone affected should <a href="https://moneysmart.gov.au/managing-debt/credit-scores-and-credit-reports">check their credit record</a>. Second, Australia’s <a href="https://www.internationalcybertech.gov.au/sites/default/files/2020-11/The%20Strategy.pdf">international cyber engagement strategy</a> – which sets the terms for how we work with other countries to maintain national cybersecurity – is desperately in need of an update.</p>
<h2>How to turn data into credit</h2>
<p>Cybercrime is most often motivated by making money, as the return on investment can be enormous. One <a href="https://www.csoonline.com/article/3340049/how-much-does-it-cost-to-launch-a-cyberattack.html">recent estimate</a> suggested a low-end attack costing US$34 could bring in US$25,000, while spending a few thousand dollars on a more sophisticated attack could bring in up to US$1 million.</p>
<p>Hackers might <a href="https://www.theguardian.com/business/2022/sep/24/afp-investigates-1m-ransom-demand-posted-online-for-allegedly-hacked-optus-data">demand a ransom</a> in return for the stolen information. Failing that, they can make money from it in other ways.</p>
<p>In the September Optus attack, for example, data <a href="https://asic.gov.au/about-asic/news-centre/news-items/guidance-for-consumers-impacted-by-the-optus-data-breach/">including</a> names, birth dates, email addresses, driver’s licence numbers, and Medicare and passport details were taken.</p>
<p>One quick way to turn these data into money is to use them to apply for credit cards. Many credit card providers, eager for new customers, have very simple and streamlined processes to check identity.</p>
<p>Alongside stolen data such as a name, address and driver’s licence details, cybercriminals will need an email address, a phone number and payslips.</p>
<p>Phone numbers and email addresses used for communication and authentication are easy enough to provide, and fake payslips can be generated using <a href="https://paysliper.com/payslip-generator">free websites</a>.</p>
<p>In some cases, cyber criminals can start using the credit cards instantly if approved. The victim will have no idea about the existence of this credit card unless the credit report is checked as part of a subsequent mortgage or credit application.</p>
<h2>How to track cybercriminals</h2>
<p>Cybercriminals naturally take steps to remain anonymous. However, applying for a credit card does leave traces that can be used to track them down in the following ways:</p>
<ul>
<li>the phone number used for the credit card application can be tracked, with a court order and the help of the telecommunication service provider </li>
<li><p>activity on the credit card obtained with the stolen data can also be tracked, as can email correspondence, with the help of the credit card provider</p></li>
<li><p>any suspicious IP address associated with the credit card can lead to further intelligence on the cybercriminals, and the internet service providers (ISPs) or virtual private network (VPN) providers may assist in tracking down the criminals.</p></li>
</ul>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/492926/original/file-20221102-26-g5hh6p.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A screenshot from a website showing details of an IP address including its location on a map." src="https://images.theconversation.com/files/492926/original/file-20221102-26-g5hh6p.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/492926/original/file-20221102-26-g5hh6p.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=346&fit=crop&dpr=1 600w, https://images.theconversation.com/files/492926/original/file-20221102-26-g5hh6p.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=346&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/492926/original/file-20221102-26-g5hh6p.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=346&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/492926/original/file-20221102-26-g5hh6p.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=435&fit=crop&dpr=1 754w, https://images.theconversation.com/files/492926/original/file-20221102-26-g5hh6p.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=435&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/492926/original/file-20221102-26-g5hh6p.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=435&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">IP addresses can be traced to real-world locations.</span>
<span class="attribution"><span class="source">iplogger.org</span></span>
</figcaption>
</figure>
<h2>A national security issue</h2>
<p>The Optus and Medibank hacks have caused significant problems for individuals. They have had to apply for new identity documents, and the final costs are likely to total <a href="https://www.afr.com/chanticleer/the-optus-hack-will-cost-millions-and-not-just-in-payouts-20220923-p5bkkm">hundreds of millions of dollars</a>.</p>
<p>But preventing cyber attacks can also be a matter of national security, as a recent ransomware attack on an <a href="https://www.afr.com/politics/federal/defence-it-contractor-hit-by-ransomware-attack-20221031-p5buc1">Australian Defence Force contractor</a> has shown.</p>
<p>The data affected in such attacks may easily extend beyond identity theft to include data relevant to national defence, business and society. The risk of these attacks has been <a href="https://defence.gov.au/ADC/publications/AJDSS/volume4-number1/ransomware2-0.asp">recognised</a> in Australia’s cyber security strategy, but more must be done to prevent them.</p>
<h2>Stronger rules for data protection</h2>
<p>National cyber defence requires a “whole of government” approach, but it needs to go further. The commercial and civilian sectors must be included as well. </p>
<p>Private companies store huge amounts of private data. What they store and how they store it needs to be much better regulated.</p>
<p>The Optus hack, for example, revealed the company was keeping data not only from current customers but also past customers. Given how often customers change telecom providers, practices like this can lead to companies storing huge amounts of unnecessary personal data. </p>
<p>Current penalties for failing to protect customer data are also inadequate. At present, <a href="https://www.france24.com/en/live-news/20221026-australia-admits-cyber-defences-inadequate-as-medical-hack-hits-millions">fines of up to A$2.2 million</a> are the only enforceable safeguards available. </p>
<p>These penalties are too small to act as an effective deterrent, and they apply only after a breach has occurred. What we need are strict and enforceable rules regarding the storage of current consumer data and the deletion of past customer data. </p>
<p>Without new regulations, we will <a href="https://www.abc.net.au/news/2022-11-02/hackers-could-see-australia-as-weak-target-after-optus-medibank/101599524">continue</a> to see sophisticated cyber attacks targeting the private sector. </p>
<h2>Borderless cybercrime</h2>
<p>In many cases the cybercriminals are from other countries, which means we need international co-operation to track them down. This is when <a href="https://www.internationalcybertech.gov.au/sites/default/files/2020-11/The%20Strategy.pdf">Australia’s International Cyber Engagement Strategy</a> comes into play. </p>
<p>The strategy, published in 2017, aims to foster increased international attention to cyber threats. It calls for greater co-operation in the region and beyond to mitigate cyber risks. </p>
<p>Australia’s international cyber engagement is distinct from domestic cyber security efforts, which are undertaken under the auspices of the <a href="https://www.cyber.gov.au">Australian Cyber Security Centre</a>. </p>
<p>Cyber attacks of foreign origin are <a href="https://securitybrief.com.au/story/aussie-businesses-warned-of-impending-cyber-attack-amid-international-tensions">on the rise</a> as a result of current international tensions. The current strategy may no longer be sufficient to address the international nature of cyber threats. </p>
<p>The strategy contains high-level promises of collaboration around strategic interests, but this is only a beginning. To create a comprehensive international cyber defence approach, we will need more detailed working arrangements with <a href="https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/our-partners">overseas partners</a>.</p>
<p class="fine-print"><em><span>Sascha-Dominik (Dov) Bachmann received funding from the Australian Department of Defence for research regarding grey zone and information operations targeting Australia.</span></em></p><p class="fine-print"><em><span>Mohiuddin Ahmed does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Credit checks and international co-operation are crucial when it comes to tracking down cybercriminals.Sascha-Dominik (Dov) Bachmann, Professor in Law and Co-Convener National Security Hub (University of Canberra) and Research Fellow (adjunct) - The Security Institute for Governance and Leadership in Africa, Faculty of Military Science, Stellenbosch University- NATO Fellow Asia-Pacific, University of CanberraMohiuddin Ahmed, Senior Lecturer in Cyber Security, Edith Cowan UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1915752022-09-29T07:09:58Z2022-09-29T07:09:58ZI’ve given out my Medicare number. How worried should I be about the latest Optus data breach?<p>Medicare card numbers are the latest personal details to be exposed as part of the <a href="https://www.theguardian.com/business/2022/sep/29/optus-data-breach-everything-we-know-so-far-about-what-happened">Optus data breach</a>.</p>
<p>Optus <a href="https://www.optus.com.au/support/cyberattack/medicare-card-number-information">has confirmed</a> this affects 14,900 valid Medicare numbers that have not expired, and a further 22,000 expired card numbers.</p>
<p>But this isn’t the first time Australians’ Medicare numbers have been exposed. And some privacy and cybersecurity experts have <a href="https://theconversation.com/after-the-medicare-breach-we-should-be-cautious-about-moving-our-health-records-online-80472">long been concerned</a> about the security of our health data.</p>
<p>Here’s what you can do if you’re concerned about the latest Medicare breach, and what needs to happen next.</p>
<h2>What’s the big deal?</h2>
<p>Your Medicare number gives you access to subsidised services across Australia’s health system. Most Australians have a number, whether or not they use these services.</p>
<p>Your Medicare card (as a plastic card or digitally, on your phone) is an official identifier. So alongside a driver’s licence, tax file number, birth certificate and passport, it can also be used as “proof of identity”. You may have supplied your Medicare number when opening a bank account, or signing up for a phone plan.</p>
<p>The idea is to minimise the chance people are using fake identities to wrongfully gain benefits from governments and business, including taking part in criminal activities such as money laundering.</p>
<p>Businesses and agencies are not meant to match your Medicare number with other data (eroding your privacy) other than in <a href="https://www.health.gov.au/sites/default/files/documents/2021/08/data-matching-notice.pdf">exceptional</a> circumstances. </p>
<p>But they commonly accept sight of the physical/digital card bearing the number as proof of who you claim to be and risk data breaches by retaining copies of what they saw. Optus was such a business.</p>
<h2>What should happen to protect your Medicare number?</h2>
<p>In theory, your Medicare number is protected by a number of different types of legislation – both national and at the state/territory level.</p>
<p>There are <a href="https://www.servicesaustralia.gov.au/your-right-to-privacy?context=1">privacy laws</a>. These are meant to prevent businesses and government agencies from <a href="https://www.oaic.gov.au/privacy/other-legislation">unauthorised</a> use of Medicare and other official identifiers for profiling people. These laws are also meant to prevent undisclosed sharing with other entities, such as individuals or businesses.</p>
<p>Then there are <a href="https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/strengthening-australias-cyber-security-regulations-and-incentives">cybersecurity</a> and other <a href="http://www.austlii.edu.au/cgi-bin/viewdoc/au/legis/cth/consol_act/cca1995115/sch1.html">criminal laws</a>. These also aim to prevent unauthorised access, sale and sharing of your <a href="https://www.sciencedirect.com/science/article/pii/S1045235421001155#b0160">Medicare</a> number and other data (known as <a href="https://eprints.qut.edu.au/101958/">metadata</a>) stored by telecommunication providers.</p>
<h2>Has this happened before?</h2>
<p>Medicare numbers have been breached before, <a href="https://theconversation.com/after-the-medicare-breach-we-should-be-cautious-about-moving-our-health-records-online-80472">in 2017</a>. An official <a href="https://www.servicesaustralia.gov.au/sites/default/files/2017/10/final-report.pdf">inquiry</a> noted trade in stolen Medicare numbers on the dark web. </p>
<p>The 2017 breach was apparently much larger, but the Optus numbers may grow as the investigation continues.</p>
<p>Experts have also <a href="https://pursuit.unimelb.edu.au/articles/the-simple-process-of-re-identifying-patients-in-public-health-records">raised concern</a> about the government’s authorised release in 2016 of apparently de-identified health data. In fact, patient details could be identified, using a number of simple steps. </p>
<p>These two earlier examples should have prompted both health agencies and businesses to take extra care about their obligations to safeguard health data.</p>
<h2>What if your Medicare number has been exposed?</h2>
<p>Unauthorised use of a Medicare number doesn’t necessarily result in large-scale identity crime.</p>
<p>For instance, Minister for Government Services Bill Shorten <a href="https://twitter.com/billshortenmp/status/1574688878510100480">has said</a> a Medicare number alone cannot unlock access to someone’s myGov account (and therefore access to someone’s welfare or tax details).</p>
<p>However, the Optus data breach – and future data breaches in the public and private sector – does provide Australian and overseas criminals with a set of identifiers (including passport and driver’s licence numbers), that can be used for a range of identity crimes, such as impersonating someone else.</p>
<p>Optus is <a href="https://www.optus.com.au/support/cyberattack/medicare-card-number-information">advising affected customers</a> to replace their Medicare card, at no cost, via their Medicare online account at myGov, the Express Plus Medicare mobile app, or by calling Medicare on 132 011.</p>
<p>Further details are available via <a href="https://www.servicesaustralia.gov.au/what-to-do-if-youve-been-affected-recent-optus-data-breach">Services Australia</a>.</p>
<h2>What else needs to happen?</h2>
<p>As with many data breaches, details about what happened at Optus, how and who is affected are only slowly trickling out.</p>
<p>The <a href="https://www.oaic.gov.au">Office of the Australian Information Commissioner</a> – the national privacy regulator – needs to run a rigorous and detailed investigation and release its findings publicly.</p>
<p>This needs to be accompanied by a hard-hitting independent inquiry of what happened at Optus. This requires IT expertise, which the Office of the Australian Information Commissioner may not have. Such an inquiry would also demonstrate Optus’ commitment to learn from any failures.</p>
<p>As we have seen before, businesses and government agencies cannot assume a data breach “won’t happen to them”. We need to find out what happened at Optus to ensure the future privacy of some of our most personal data.</p>
<p class="fine-print"><em><span>Dr Arnold is currently finalising a monograph on identity crime. He is a former director of the Australian Privacy Foundation</span></em></p>
This isn’t the first time Australians’ Medicare numbers have been exposed.
Bruce Baer Arnold, Associate Professor, School of Law, University of Canberra
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/191494 2022-09-28T01:58:26Z 2022-09-28T01:58:26Z
The ‘Optus hacker’ claims they’ve deleted the data. Here’s what experts want you to know
<figure><img src="https://images.theconversation.com/files/486966/original/file-20220928-12-cw5kk.jpg?ixlib=rb-1.1.0&rect=23%2C23%2C3970%2C2041&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">T. Schneider/Shutterstock</span></span></figcaption></figure><p>Shortly after Australian telecommunications company Optus announced the identity data of millions of customers had been stolen, a person claiming to be the hacker announced they would delete the data for US$1 million.</p>
<p>When Optus didn’t pay, the purported hacker published 10,000 stolen records and threatened to release ten thousand more every day until the ransom deadline. These leaked records contained identity information such as driver’s license, passport and Medicare numbers, as well as <a href="https://www.theguardian.com/business/2022/sep/27/police-all-over-dark-web-ransom-threat-to-release-10000-customer-records-a-day-optus-ceo-says">parliamentary and defense contact information</a>.</p>
<p>A few hours after the data drop, the purported hacker <a href="https://www.abc.net.au/news/2022-09-27/optus-data-breach-cyber-attack-hacker-ransom-sorry/101476316">unexpectedly apologised</a> and claimed to have deleted the data due to “too many eyes”, suggesting fear of being caught. Optus confirms they <a href="https://www.theguardian.com/business/2022/sep/27/alleged-optus-hacker-apologises-for-data-breach-and-drops-ransom-threat">did not pay the ransom</a>.</p>
<h2>They’ve said they deleted the data – now what? Is it over?</h2>
<p>Communication from the person claiming to be the hacker and the release of 10,200 records have all occurred on a website dedicated to buying and selling stolen data.</p>
<p>The data they released are now easily available and appear to be legitimate data stolen from Optus (their legitimacy has not been verified by Optus or the Australian Federal Police; the FBI in the United States <a href="https://www.afr.com/companies/telecommunications/more-optus-data-details-dumped-online-overnight-20220927-p5bl7s">has now been called in</a> to help the investigation).</p>
<p>The question then is – why would the hacker express remorse and claim to delete the data?</p>
<p>Unfortunately, while the purported hacker did appear to possess the legitimate data, there is no way to verify the deletion. We have to ask: what would the hacker gain from claiming to delete them?</p>
<p>It is likely a copy still remains, and it’s even possible the post is a ploy to convince victims not to worry about their security – to increase the likelihood of successful attacks using the data. There is also no guarantee the data were not already sold to a third party. </p>
<h2>What next?</h2>
<p>Whatever the motivations of the person claiming to be the hacker, their actions suggest we should continue to assume all records stolen from Optus remain in malicious hands.</p>
<p>Despite the developments, <a href="https://theconversation.com/what-does-the-optus-data-breach-mean-for-you-and-how-can-you-protect-yourself-a-step-by-step-guide-191332">recommendations still stand</a> – you should still be taking proactive action to protect yourself. These actions are good cyber hygiene practices no matter the circumstances.</p>
<p>An extra measure offered recently is <a href="https://www.theguardian.com/australia-news/2022/sep/27/optus-data-breach-australians-will-be-able-to-change-their-drivers-licence-with-telco-to-pay">changing your driver’s license number</a>, <a href="https://www.passports.gov.au/optus-data-breach">ordering a new passport</a> and <a href="https://www.servicesaustralia.gov.au/what-to-do-if-youve-been-affected-recent-optus-data-breach">Medicare card</a>.</p>
<p>However, it is unclear at this early stage whether free options to change these documents will be made available to all data breach victims, or only a subset of victims.</p>
<h2>Can I find out whether my data were part of the 10,200 leaked records?</h2>
<p>Reports of <a href="https://eftm.com/2022/09/scammers-already-targeting-optus-customers-exposed-in-million-dollar-ransom-demand-227627">people being contacted by scammers</a> suggest the leaked records are already being used.</p>
<p>Troy Hunt, the Australian cyber security professional who maintains <a href="https://haveibeenpwned.com/">HaveIBeenPwned</a> – a website you can use to check whether your data are part of a known breach – has announced he will <a href="https://twitter.com/troyhunt/status/1574582128385224705">not add the leaked data to the site</a> at this stage. So this method will not be available.</p>
<p>The best course of action in this case is to assume your data may have been released until <a href="https://www.linkedin.com/posts/victordominello_digital-cybersecurity-activity-6980423491669946368-UWWj">Optus notifies people in the coming week</a>.</p>
<h2>Are the released data already being used?</h2>
<p>The least technically sophisticated method of targeting Optus customers is to use the details to make direct contact and ask for a ransom. There are reports blackmailers are <a href="https://www.theguardian.com/business/2022/sep/27/alleged-optus-hacker-apologises-for-data-breach-and-drops-ransom-threat">already targeting breach victims</a> via text message, claiming to have the data and threatening to post it on the dark web unless the victim pays.</p>
<p>The data have already leaked and claims about deleting the data are untrue. Paying anyone who makes these claims will not increase the security of your information.</p>
<p>Data recovery scams – where scammers target victims offering help to remove their data from the dark web or recover any money lost for a fee – <a href="https://7news.com.au/technology/optus/cyber-criminals-using-optus-hack-to-target-anxious-australian-customers-with-new-scams-c-8371154">have also become prominent</a>. Instead of helping, they steal money or obtain more information from the victim. Anyone who claims to be able to scrub the data from the dark web is claiming to put toothpaste back in the tube. It isn’t possible.</p>
<p>The data could also be used to identify family members to make the “<a href="https://www.accc.gov.au/media-release/accc-warning-of-suspicious-messages-as-%E2%80%9Chi-mum%E2%80%9D-scams-spike">Hi Mum</a>” or family impersonation scam more convincing. This involves scammers posing as a family member or friend from a new phone number, often using WhatsApp, in need of urgent financial help. Anyone receiving this kind of text message should make every effort to contact their family member or friend by other means.</p>
<h2>What else can my data be used for?</h2>
<p>The scams involved with these data will only grow in the coming days and weeks and may not be confined to the digital world.</p>
<p>Other possible uses involve activities like attempting to take over valuable online accounts or your SIM card, or setting up new financial services and SIM cards in your name. The advice we provided in <a href="https://theconversation.com/what-does-the-optus-data-breach-mean-for-you-and-how-can-you-protect-yourself-a-step-by-step-guide-191332">our previous article</a> applies to these.</p>
<p>Additionally, anyone with reason to be concerned about physical safety if their location is known (for example domestic abuse survivors) should consider the possibility that their names, telephone numbers and address may have leaked or may in the future.</p>
<p>If you have been the victim of fraud or identity theft as a result of this breach or any others, you can contact <a href="https://www.idcare.org">IDCare</a> for additional aid and <a href="https://www.cyber.gov.au/acsc/report">Cyber Report</a> to report the crime.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
If you’ve been affected by the Optus data breach, the danger is far from over – no matter what the purported hacker is claiming.
Jennifer J. Williams, PhD Candidate, Macquarie University
Jeffrey Foster, Associate Professor in Cyber Security Studies, Macquarie University
Tamara Watson, Associate Professor in Psychological Science, Western Sydney University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/191332 2022-09-26T05:18:56Z 2022-09-26T05:18:56Z
What does the Optus data breach mean for you and how can you protect yourself? A step-by-step guide
<p>Optus, Australia’s second largest telecommunications company, <a href="https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack">announced on September 22</a> that identifying details of up to 9.8 million customers were stolen from their customer database.</p>
<p>The details, dating back to 2017, include names, birth dates, phone numbers, email addresses, and – for some customers – addresses and driver’s licence or passport numbers.</p>
<p>According to <a href="https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/lawful-access-telecommunications/data-retention-obligations">Australian law</a>, telecommunications providers are required to hold your data while you are their customer and for an additional two years, but may keep the data for longer for their own business purposes.</p>
<p>This means that if you are a previous customer of Optus, your data may also be involved - although it remains unclear how long the details of past customers have been held. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/486443/original/file-20220926-56614-iltczp.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A snippet of an email received by a former Optus customer" src="https://images.theconversation.com/files/486443/original/file-20220926-56614-iltczp.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/486443/original/file-20220926-56614-iltczp.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=519&fit=crop&dpr=1 600w, https://images.theconversation.com/files/486443/original/file-20220926-56614-iltczp.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=519&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/486443/original/file-20220926-56614-iltczp.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=519&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/486443/original/file-20220926-56614-iltczp.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=653&fit=crop&dpr=1 754w, https://images.theconversation.com/files/486443/original/file-20220926-56614-iltczp.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=653&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/486443/original/file-20220926-56614-iltczp.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=653&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Optus has been contacting former and current customers to notify them of the data breach.</span>
<span class="attribution"><span class="source">The Conversation</span></span>
</figcaption>
</figure>
<p>The stolen data constitutes an almost complete suite of identity information about a significant number of Australians. Optus states they have notified those affected, but there are plenty of questions remaining. </p>
<p>What happens with your data next, and what can the average Australian do to protect against the threats caused by this unprecedented data breach?</p>
<h2>What will happen to the data?</h2>
<p>Late last week, an anonymous poster on a dark web forum posted a sample of data ostensibly from the breach, <a href="https://www.theguardian.com/business/2022/sep/24/afp-investigates-1m-ransom-demand-posted-online-for-allegedly-hacked-optus-data">with an offer not to sell the data if Optus pays a US$1 million ransom</a>. While its legitimacy has not yet been verified, it is unlikely the attackers will delete the data and move on.</p>
<p>More likely, the data will be distributed across the dark net (sold at first, but eventually available for free). Cyber criminals use these data to commit identity theft and make fraudulent credit applications, or use the personal information to gain your trust in phishing attacks.</p>
<p>Below, we outline several steps you can take to <em>proactively</em> defend yourself, and how to detect and respond to malicious uses of your data and identity.</p>
<h2>What should I do if I’ve been affected?</h2>
<p><strong>Step 1: Identify your most vulnerable accounts and secure them</strong></p>
<p>Make a list of your most vulnerable accounts. What bank accounts do you hold? What about superannuation or brokerage accounts? Do you have important medical information on any services that thieves may use against you? What accounts are your credit card details saved to? Amazon and eBay are common targets as people often keep credit card details saved to those accounts.</p>
<p>Next, check how a password reset is done on these accounts. Does it merely require access to your text messages or email account? If so, you need to protect those accounts as well. Consider updating your password to a new – never before used – password for each account as a precaution.</p>
<p>Many accounts allow multi-factor authentication. This adds an extra layer for criminals to break through, for example by requesting an additional code to type in. Activate multi-factor authentication on your sensitive accounts, such as banks, superannuation and brokerage accounts.</p>
<p>Ideally, use an application like <a href="https://support.google.com/accounts/answer/1066447?hl=en&co=GENIE.Platform%3DAndroid">Google Authenticator</a> or <a href="https://www.microsoft.com/en-us/security/mobile-authenticator-app">Microsoft Authenticator</a> if the service allows, or an email that is not listed with Optus. Avoid having codes sent to your Optus phone number, as it’s at higher risk of being stolen.</p>
<p><strong>Step 2: Lock your SIM card and credit card if possible</strong></p>
<p>One of the most immediate concerns is that the leaked data will be used to compromise your phone number, which is what many people use for their multi-factor authentication. <a href="https://blog.mozilla.org/en/internet-culture/mozilla-explains/mozilla-explains-sim-swapping/">SIM jacking</a> – getting a mobile phone provider to give someone access to a phone number that person doesn’t own – will be a serious threat.</p>
<p>Most carriers allow you to add a verbal PIN as the second verification step, to prevent SIM jacking. While Optus has locked SIM cards temporarily, that lock is unlikely to last. Call your provider and ask for a verbal PIN to be added to your account. If you suddenly lose all mobile service in unusual circumstances, contact your provider to make sure you haven’t been SIM jacked.</p>
<p>To prevent identity theft, you can place a short-term freeze (or credit ban) on your credit checks. These can help stop criminals taking out credit in your name, but it makes applying for credit yourself difficult during the freeze. The three major credit report companies, <a href="https://www.experian.com/freeze/center.html">Experian</a>, <a href="https://www.illion.com.au/illion-au-ban-request-application-form/">Illion</a>, and <a href="https://www.equifax.com/personal/credit-report-services/credit-freeze/">Equifax</a> offer this service.</p>
<p>If you can’t freeze your credit because you need access yourself, Equifax offers a <a href="https://www.equifax.com/personal/products/credit/monitoring-and-reports/">paid credit alert service</a> to notify you of credit checks on your identity. If you get a suspicious credit alert, you can halt the process quickly by contacting the service that requested the report.</p>
<figure class="align-center ">
<img alt="A notebook with several versions of fake passwords written down" src="https://images.theconversation.com/files/486441/original/file-20220926-30101-ahay14.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/486441/original/file-20220926-30101-ahay14.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/486441/original/file-20220926-30101-ahay14.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/486441/original/file-20220926-30101-ahay14.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/486441/original/file-20220926-30101-ahay14.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/486441/original/file-20220926-30101-ahay14.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/486441/original/file-20220926-30101-ahay14.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Safeguarding your data online involves looking after your passwords properly.</span>
<span class="attribution"><span class="source">Vitalii Vodolazskyi/Shutterstock</span></span>
</figcaption>
</figure>
<p><strong>Step 3: Improve your cyber hygiene</strong></p>
<p>These breaches don’t exist in a vacuum. The personal information stolen from Optus may be used with other information cyber criminals find about you online; social media, your employer’s website, discussion forums and previous breaches provide additional information. </p>
<p>Many people have unknowingly been victims of cyber breaches in the past. You should check what information about you is available to cyber criminals by checking <a href="https://HaveIBeenPwned.com">HaveIBeenPwned</a>. HaveIBeenPwned is operated by Australian security professional Troy Hunt, who maintains a database of known leaked data.</p>
<p>You can search your email accounts on the site to get a list of what breaches they have been involved in. Consider what passwords those accounts used. Are you using those passwords anywhere else?</p>
<p>Take extra care in verifying emails and text messages. Scammers use leaked information to make phishing attempts more credible and targeted. Never click links sent via text or email. Don’t assume someone calling from a company is legitimate; get the customer support number from their website, and call them on that number.</p>
<p>Creating unique and secure passwords for every service is the best defence you have. It is made easier using a password manager – many free apps are available – to manage your passwords. Don’t reuse passwords across multiple services, since they can be used to access other accounts.</p>
<p>If you aren’t using a password manager, you should at least keep unique passwords on your most vulnerable accounts. Avoid keeping digital records of them in email or in computer files, and keep any written passwords in a safe, secure location.</p>
<h2>I’ve been hacked, now what?</h2>
<p>Sometimes you can do everything right, and still become a victim of a breach, so how do you know if you’ve been hacked and what can you do about it?</p>
<p>If you receive phone calls, emails or letters from financial institutions regarding a loan or service you know nothing about, call the institution and clarify the situation.</p>
<p>You should also contact <a href="https://www.idcare.org">IDCare</a>, a not-for-profit organisation designed to assist victims of cyber-attacks and identity theft, for further guidance. You can also report cyber crimes – including identity theft – through <a href="https://www.cyber.gov.au/acsc/report">CyberReport</a>.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Up to 9.8 million Australians have been affected. Here’s what you can do to proactively defend yourself.
Jennifer J. Williams, PhD Candidate, Macquarie University
Jeffrey Foster, Associate Professor in Cyber Security Studies, Macquarie University
Tamara Watson, Associate Professor in Psychological Science, Western Sydney University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/186380 2022-07-06T19:55:47Z 2022-07-06T19:55:47Z
5 big trends in Australians getting scammed
<figure><img src="https://images.theconversation.com/files/472737/original/file-20220706-16-4kib7q.jpg?ixlib=rb-1.1.0&rect=600%2C413%2C3987%2C1959&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>Greed, desire, wishful thinking and naivety are lucrative markets for scam artists – and their age-old hustles are increasingly being supplemented by digital chicanery.</p>
<p>In 2021 Australians lost an estimated $2 billion to fraudsters, more than double that of 2020, according to the Australian Competition and Consumer Commission.</p>
<p>The consumer watchdog’s latest <a href="https://www.accc.gov.au/publications/targeting-scams-report-on-scam-activity/targeting-scams-report-of-the-accc-on-scams-activity-2021">scam report</a> details more than 20 different scam types, primarily based on reports made to its <a href="https://www.scamwatch.gov.au/">Scamwatch</a> agency. </p>
<p>Some scams are perennials. Topping Scamwatch’s list are investment scams, dating and romance scams, false billing, remote access scams (convincing you to allow access to your computer or phone), and threats or blackmail.</p>
<hr>
<p>This article is going to focus on the five scam types that have grown most in value from 2020. </p>
<p>These aren’t necessarily the scams anyone (including you) is most likely to fall for. But they provide a useful snapshot of how scam techniques that rely on human nature are increasingly being executed via technology.</p>
<h2>1. Ransomware and malware</h2>
<p>This type of scam has been on the wane due to the use of anti-malware protection. But in 2021 it roared back with a 1,482% rise in reported losses over 2020. </p>
<p>This was mostly due to 2020 numbers being much lower than 2019, but the reported costs per incident (about $21,704) are still worrying given how easily such scams can be spread.</p>
<p>They typically involve installing malicious software on your computer or phone to make files inaccessible or lock the device. This is done by sending a bogus email, text message or voicemail with an enticing message directing you to a link that automatically installs the malicious software when you open it. The scammer then demands a payment to “unlock” the system. </p>
<figure class="align-center ">
<img alt="Messages about deliveries are a common way to spread malware." src="https://images.theconversation.com/files/472733/original/file-20220706-21-826fz2.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/472733/original/file-20220706-21-826fz2.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=370&fit=crop&dpr=1 600w, https://images.theconversation.com/files/472733/original/file-20220706-21-826fz2.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=370&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/472733/original/file-20220706-21-826fz2.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=370&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/472733/original/file-20220706-21-826fz2.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=465&fit=crop&dpr=1 754w, https://images.theconversation.com/files/472733/original/file-20220706-21-826fz2.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=465&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/472733/original/file-20220706-21-826fz2.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=465&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Messages about deliveries are a common way to spread malware.</span>
<span class="attribution"><span class="source">Shutterstock</span></span>
</figcaption>
</figure>
<p>Contributing to ransomware’s resurgence was the Flubot scam, in which tens of thousands of Australians with Android phones received scam text messages about missed calls or deliveries. The malware could harvest banking details as well as use contact lists to spread to other devices. </p>
<h2>2. Pyramid schemes</h2>
<p>The pyramid scheme promises you riches by recruiting others to the scheme. While such recruitment is also a feature of multi-level marketing (also known as referral selling schemes), in an illegal pyramid scheme financial returns are entirely or substantially reliant on convincing other people to join.</p>
<p>In 2021 reported losses from pyramid schemes were 368% higher than in 2020. This was due, as with malware, to losses in 2020 being abnormally low. But even though the total number of reported cases was quite low (fewer than 500) the percentage of those reports involving people losing money was one of the highest (44%), with an average loss of $6,239. </p>
<p>This suggests pyramid scams remain quite alluring to some people. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/1QkZcdCDJJg?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Pyramid and ponzi schemes explained in one minute.</span></figcaption>
</figure>
<h2>3. Identity theft</h2>
<p>Identity theft – using your personal information to steal money from you or someone else – is one of the most challenging scams to deal with. It may involve stealing money from your own account or using your identity for credit purchases, which you then have to untangle. </p>
<p>This is a true growth area. In 2021 there were 22,354 identity theft reports, up from 20,939 in 2020. While only 951 of these cases (about 4%) reported losses, average losses more than doubled to about $10,683. The total losses ($10,159,930) were 230% higher than in 2020. </p>
<h2>4. Investment scams</h2>
<p>Investment scams tempt victims with promises of large profits from share deals and crypto-currency opportunities. In 2021, 4,068 Australians reported losing more than $177 million on such scams – an average loss of about $45,350.</p>
<p>While investment scams come in many varieties, the Scamwatch report itemises three main types. Cryptocurrency scams accounted for $99 million of reported losses. The selling of fake high-yield corporate or government bonds accounted for $16 million. Ponzi schemes, which create the charade of investment success by paying dividends from the money of new victims, accounted for $8 million. </p>
<p>Ponzi schemes are named after Charles Ponzi, who in the 1920s promised to double people’s money in 45 days. One such scheme doing the rounds in 2021 was the <a href="https://www.abc.net.au/news/2021-08-26/qld-hope-business-investment-app-scam-pyramid-scheme/100396922">Hope Business</a> app, which promised windfall returns simply by paying money into an account. </p>
<p>Interestingly the consumer watchdog’s report says men were almost twice as likely to be victims of investment scams and reported double the losses of female victims.</p>
<h2>5. Phishing</h2>
<p>Phishing, closely linked to identity theft, was the most reported scam in 2021 – with 71,308 cases, compared to 44,079 in 2020 and 25,168 in 2019. </p>
<p>These scams are usually seeking to obtain our credentials (passwords) to various services including email, online banking and government services such as MyGov.</p>
<p>That just 861 cases reported a direct financial loss suggests this is one of the most recognised scams. We’ve all had emails or SMS messages asking us to confirm our details or click a link to listen to a voicemail or receive a parcel.</p>
<p>Even so, a total of $4.3 million was reported lost from phishing scams in 2021 – 156% more than in 2020. The average loss was slightly more than $5,000. </p>
<h2>How to avoid being scammed</h2>
<p>If something seems too good to be true, it probably is. If you have any inkling you may be being scammed, the best advice is to stop and think. </p>
<p>If you are being asked to move money, make an unexpected payment or send personal information to someone, stop. </p>
<p>If you are being asked to provide information or take some action, contact the organisation involved using a number you already have (bank statement, credit card etc) or find the number yourself.</p>
<p class="fine-print"><em><span>Paul Haskell-Dowland does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Scam techniques that rely on human nature are increasingly being executed via technology. Here are five that recorded big increases in 2021.
Paul Haskell-Dowland, Professor of Cyber Security Practice, Edith Cowan University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/175817
2022-02-01T13:16:12Z 2022-02-01T13:16:12Z
Government agencies are tapping a facial recognition company to prove you’re you – here’s why that raises concerns about privacy, accuracy and fairness
<figure><img src="https://images.theconversation.com/files/443239/original/file-20220128-19-ghy893.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C8000%2C5317&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Beginning this summer, you might need to upload a selfie and a photo ID to a private company, ID.me, if you want to file your taxes online.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/young-woman-using-smartphone-while-working-with-royalty-free-image/1224140562">Oscar Wong/Moment via Getty Images</a></span></figcaption></figure>
<p>The U.S. Internal Revenue Service is planning to <a href="https://www.irs.gov/newsroom/irs-unveils-new-online-identity-verification-process-for-accessing-self-help-tools">require citizens to create accounts</a> with a private facial recognition company in order to file taxes online. The IRS is joining a growing number of federal and state agencies that have contracted with <a href="https://www.id.me/">ID.me</a> to authenticate the identities of people accessing services.</p>
<p>The IRS’s move is aimed at cutting down on identity theft, a crime that <a href="https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2020/csn_annual_data_book_2020.pdf">affects millions of Americans</a>. The IRS, in particular, has reported a number of tax filings from people claiming to be others, and <a href="https://www.cnbc.com/2021/12/21/criminals-have-stolen-nearly-100-billion-in-covid-relief-funds-secret-service.html">fraud in many of the programs</a> that were administered as part of the <a href="https://www.whitehouse.gov/american-rescue-plan/">American Relief Plan</a> has been a major concern to the government.</p>
<p>The IRS decision has prompted a backlash, in part over concerns about requiring citizens to use facial recognition technology and in part over difficulties some people have had in using the system, particularly with some state agencies that provide unemployment benefits. The reaction has prompted the IRS to <a href="https://www.bloomberg.com/news/articles/2022-01-28/treasury-weighing-id-me-alternatives-over-privacy-concerns?sref=Hjm5biAW">revisit its decision</a>.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/443053/original/file-20220127-9782-2f0nex.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="a webpage with the IRS logo in the top left corner and buttons for creating or logging into an account" src="https://images.theconversation.com/files/443053/original/file-20220127-9782-2f0nex.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/443053/original/file-20220127-9782-2f0nex.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=309&fit=crop&dpr=1 600w, https://images.theconversation.com/files/443053/original/file-20220127-9782-2f0nex.JPG?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=309&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/443053/original/file-20220127-9782-2f0nex.JPG?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=309&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/443053/original/file-20220127-9782-2f0nex.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=388&fit=crop&dpr=1 754w, https://images.theconversation.com/files/443053/original/file-20220127-9782-2f0nex.JPG?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=388&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/443053/original/file-20220127-9782-2f0nex.JPG?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=388&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Here’s what greets you when you click the link to sign into your IRS account. If current plans remain in place, the blue button will go away in the summer of 2022.</span>
<span class="attribution"><a class="source" href="https://sa.www4.irs.gov/secureaccess/ui/?TYPE=33554433&REALMOID=06-0006b18e-628e-1187-a229-7c2b0ad00000&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-u0ktItgVFneUJDzkQ7tjvLYXyclDooCJJ7%2bjXGjg3YC5id2x9riHE98hoVgd1BBv&TARGET=-SM-http%3a%2f%2fsa%2ewww4%2eirs%2egov%2fola%2f">Screenshot, IRS sign-in webpage</a></span>
</figcaption>
</figure>
<p>As a <a href="https://scholar.google.com/citations?user=JNPbTdIAAAAJ&hl=en">computer science researcher</a> and the chair of the <a href="https://www.acm.org/public-policy/tpc">Global Technology Policy Council of the Association for Computing Machinery</a>, I have been involved in exploring some of the issues with government use of facial recognition technology, both its use and its potential flaws. There have been a great number of concerns raised over the general <a href="https://theconversation.com/feds-are-increasing-use-of-facial-recognition-systems-despite-calls-for-a-moratorium-145913">use of this technology in policing and other government functions</a>, often focused on whether the accuracy of these algorithms can have discriminatory effects. In the case of ID.me, there are other issues involved as well.</p>
<h2>ID dot who?</h2>
<p>ID.me is a private company that <a href="https://www.bloomberg.com/news/features/2022-01-20/cybersecurity-company-id-me-is-becoming-government-s-digital-gatekeeper?sref=Hjm5biAW">formed as TroopSwap</a>, a site that offered retail discounts to members of the armed forces. As part of that effort, the company created an ID service so that military staff who qualified for discounts at various companies could prove they were, indeed, service members. In 2013, the company renamed itself ID.me and started to market its ID service more broadly. The U.S. Department of Veterans Affairs began using the technology in 2016, the company’s first government use.</p>
<p>To use ID.me, a user loads a mobile phone app and takes a selfie – a photo of their own face. ID.me then compares that image to various IDs that it obtains either through open records or through information that applicants provide through the app. If it finds a match, it creates an account and uses image recognition for ID. If it cannot perform a match, users can contact a “trusted referee” and have a video call to fix the problem.</p>
<p>A number of companies and <a href="https://www.usnews.com/news/technology/articles/2021-07-22/factbox-states-using-idme-rival-identity-check-tools-for-jobless-claims">states</a> have been using ID.me for several years. News reports have documented <a href="https://www.cpr.org/2021/05/10/unemployment-payouts-have-dropped-40-percent-is-id-me-stopping-scams-or-blocking-benefits/">problems people have had with ID.me</a> failing to authenticate them, and with the company’s customer support in resolving those problems. Also, the system’s technology requirements <a href="https://www.usnews.com/news/best-states/colorado/articles/2021-05-02/system-for-unemployment-benefits-exposes-digital-divide">could widen the digital divide</a>, making it harder for many of the people who need government services the most to access them. </p>
<p>But much of the concern about the IRS and other federal agencies using ID.me revolves around its use of facial recognition technology and collection of biometric data.</p>
<h2>Accuracy and bias</h2>
<p>To start with, there are a number of general concerns about the accuracy of facial recognition technologies and whether there are <a href="https://theconversation.com/ai-technologies-like-police-facial-recognition-discriminate-against-people-of-colour-143227">discriminatory biases</a> in their accuracy. These have led the Association for Computing Machinery, among other organizations, to <a href="https://theconversation.com/feds-are-increasing-use-of-facial-recognition-systems-despite-calls-for-a-moratorium-145913">call for a moratorium on government use</a> of facial recognition technology. </p>
<p>A study of commercial and academic facial recognition algorithms by the National Institute of Standards and Technology found that U.S. facial-matching algorithms generally have <a href="https://www.nist.gov/news-events/news/2019/12/nist-study-evaluates-effects-race-age-sex-face-recognition-software">higher false positive rates for Asian and Black faces</a> than for white faces, although recent results have improved. ID.me claims that there is <a href="https://insights.id.me/viewpoint/no-identity-left-behind-american-increased-access-online-services/">no racial bias</a> in its face-matching verification process. </p>
<p>There are many other conditions that can also cause inaccuracy – physical changes caused by illness or an accident, hair loss due to chemotherapy, color change due to aging, gender conversions and others. How any company, including ID.me, handles such situations is unclear, and this is one issue that has raised concerns. Imagine having a disfiguring accident and not being able to log into your medical insurance company’s website because of damage to your face.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/BqQT4sIOYA0?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Facial recognition technology is spreading fast. Is the technology – and society – ready?</span></figcaption>
</figure>
<h2>Data privacy</h2>
<p>There are other issues that go beyond the question of just how well the algorithm works. As part of its process, ID.me collects a very large amount of personal information. It has a very long and difficult-to-read privacy policy, but essentially while ID.me doesn’t share most of the personal information, it does share various information about internet use and website visits with other partners. The nature of these exchanges is not immediately apparent. </p>
<p>So one question that arises is what level of information the company shares with the government, and whether the information can be used in tracking U.S. citizens between regulated boundaries that apply to government agencies. Privacy advocates on both the left and right have long opposed any form of a mandatory uniform government identification card. Does handing off the identification to a private company allow the government to essentially achieve this through subterfuge? It’s not difficult to imagine that some states – and maybe eventually the federal government – could insist on an identification from ID.me or one of its competitors to access government services, get medical coverage and even to vote. </p>
<p>As Joy Buolamwini, an MIT AI researcher and founder of the <a href="https://www.ajl.org/">Algorithmic Justice League</a>, argued, beyond accuracy and bias issues is the question of <a href="https://www.theatlantic.com/ideas/archive/2022/01/irs-should-stop-using-facial-recognition/621386/">the right not to use biometric technology</a>. “Government pressure on citizens to share their biometric data with the government affects all of us — no matter your race, gender, or political affiliations,” she wrote.</p>
<h2>Too many unknowns for comfort</h2>
<p>Another issue is who audits ID.me for the security of its applications? While no one is accusing ID.me of bad practices, security researchers are worried about how the company may protect the incredible level of personal information it will end up with. Imagine a security breach that released the IRS information for millions of taxpayers. In the fast-changing world of cybersecurity, with threats ranging from individual hacking to international criminal activities, experts would like assurance that a company provided with so much personal information is using state-of-the-art security and keeping it up to date. </p>
<p>Much of the questioning of the IRS decision comes because these are early days for government use of private companies to provide biometric security, and some of the details are still not fully explained. Even if you grant that the IRS use of the technology is appropriately limited, this is potentially the start of what could quickly snowball to many government agencies using commercial facial recognition companies to get around regulations that were put in place specifically to rein in government powers. </p>
<p>The U.S. stands at the edge of a slippery slope, and while that doesn’t mean facial recognition technology shouldn’t be used at all, I believe it does mean that the government should put a lot more care and due diligence into exploring the terrain ahead before taking those critical first steps.</p>
<p class="fine-print"><em><span>James Hendler receives funding from IBM, DARPA, and the NSF. He is a Professor at Rensselaer Polytechnic Institute, affiliated with the Association for Computing Machinery (ACM) and consults or has consulted for a number of government agencies. The opinions expressed in this piece are solely those of the author and do not necessarily represent the opinions of the ACM or any of the other organizations with which he is affiliated.</span></em></p>
Federal and state governments are turning to a facial recognition company to ensure that people accessing services are who they say they are. The move promises to cut down on fraud, but at what cost?
James Hendler, Professor of Computer, Web and Cognitive Sciences, Rensselaer Polytechnic Institute
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/175136
2022-01-26T14:56:04Z 2022-01-26T14:56:04Z
We are facing a settler colonial crisis, not an Indigenous identity crisis
<figure><img src="https://images.theconversation.com/files/441346/original/file-20220118-16047-18mdd0c.png?ixlib=rb-1.1.0&rect=130%2C0%2C2372%2C1061&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Johnny Depp played Tonto in The Lone Ranger (2013). Depp has claimed some Native American heritage in the past. </span> <span class="attribution"><span class="source">(Disney)</span></span></figcaption></figure>
<p>It wasn’t until very recently that I heard the term <a href="https://www.thewhig.com/2016/08/23/students-to-explore-indigeneity">“re-indigenization” used in academic spaces</a>. </p>
<p>I’m familiar with <a href="https://doi.org/10.1017/S0008423917001032">Indigenous resurgence</a> and how it’s connected to the restoration and reparation happening within Indigenous communities — work that often focuses on healing intergenerational divides <a href="https://bc.ctvnews.ca/i-ben-miljure-am-an-indigenous-man-kamloops-tragedy-a-moment-of-truth-for-ctv-news-journalist-1.5465241">caused by Indian Residential Schools</a> <a href="https://apihtawikosisan.com/2012/04/the-stolen-generations/">and the 60s Scoop</a> — but this idea of “re-indigenization” was different. </p>
<p>It appeared to justify the idea that any person who discovers they have a “root Indigenous ancestor” from anywhere between 150 to 400 years ago must claim an Indigenous identity and proudly take up spaces deemed to require Indigenous perspectives and voices. </p>
<p>Part of this process appeared to involve attaching and embedding oneself, not within the particular Indigenous community or Nation where their long-ago “Indigenous” ancestor hailed from, but within internal institutional Indigenous communities or organizations that fronted as “Indigenous communities” for the purpose of institutional or “urban” legitimacy.</p>
<p>This is a problem.</p>
<p>As a citizen of the Anishinaabeg Nation and community member of Nezaadiikaang (Lac des Mille Lacs First Nation), I am the Queen’s National Scholar in Indigenous Studies and an associate professor at Queen’s University, Ontario. I have been in academia for a decade now, and previously worked in various capacities serving Indigenous communities. My first full-time job after undergrad was in the political office of former Grand Chief of Nishnawbe Aski Nation Stan Beardy. </p>
<p>Given that my own family members have continuously held political appointments, I have been listening to Anishinaabeg articulate concepts of self-determination, nationhood and sovereignty for many years. </p>
<h2>Indigeneity through self-indigenization</h2>
<p>I want to address the inherent problems with indigeneity through self-indigenization or re-indigenization. </p>
<p>There is a connection between self-indigenization based on ancestry, and <a href="https://doi.org/10.1080/14623528.2021.1885571">settler colonial violence</a> that is conveniently <a href="https://www.cbc.ca/news/canada/ottawa/queens-university-anonymous-report-indigenous-allegations-1.6063274">being ignored in our public institutions</a>. </p>
<p>“Mining” the archive for <a href="https://www.cbc.ca/radio/the180/least-important-election-the-case-to-stop-changing-the-clocks-and-the-problem-of-dna-as-proof-of-culture-1.3834912/sorry-that-dna-test-doesn-t-make-you-indigenous-1.3835210">biological trace(s) of “nativeness”</a> follows the same settler colonial, possessive and extractivist logic of mining Indigenous lands. </p>
<p>Both Indigenous lands and identities are positioned as resources that people are entitled to claim and own. Dakota scholar Kim TallBear has shown us how this practice is <a href="https://www.taylorfrancis.com/chapters/edit/10.4324/9780429440229-40/identity-poor-substitute-relating-kim-tallbear">linked to Eurocentric concepts of “identity”</a> that privilege individualism and inherited property. </p>
<figure class="align-center ">
<img alt="A picture of a 23andMe DNA test kit." src="https://images.theconversation.com/files/441189/original/file-20220117-20992-cwn8bg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/441189/original/file-20220117-20992-cwn8bg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/441189/original/file-20220117-20992-cwn8bg.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/441189/original/file-20220117-20992-cwn8bg.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/441189/original/file-20220117-20992-cwn8bg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/441189/original/file-20220117-20992-cwn8bg.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/441189/original/file-20220117-20992-cwn8bg.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">That DNA test doesn’t make you Indigenous.</span>
<span class="attribution"><span class="source">(Shutterstock)</span></span>
</figcaption>
</figure>
<p>Within <a href="https://www.dukeupress.edu/colonial-lives-of-property">settler colonial concepts of property rights</a>, identity becomes something that can be claimed, owned and put to use. It is interesting to see many of my colleagues publicly reject <a href="https://www.macleans.ca/society/environment/the-indigenous-grandmothers-who-stopped-a-pipeline/">extractivist pursuits like pipelines</a> while remaining silent or uncertain about similar tactics <a href="https://www.cbc.ca/news/canada/saskatchewan/carrie-bourassa-indefinite-leave-indigenous-1.6233247">employed against Indigenous personhood</a>.</p>
<h2>The rush to “indigenize”</h2>
<p>While it is widely acknowledged that <a href="https://doi.org/10.1353/aiq.2001.0030">Indigenous identity can be complicated</a> given the decades of <a href="https://theconversation.com/not-in-the-past-colonialism-is-rooted-in-the-present-157395">ongoing colonialism</a>, the move to conflate ancestry with indigeneity is an entirely different issue that is <a href="https://www.cbc.ca/news/canada/ottawa/queens-university-open-letter-faculty-indigenous-ancestry-1.6065656">on the rise in universities and other public institutions</a>.</p>
<p>The issue is that in their rush to “indigenize,” universities have created the conditions whereby someone who has mined the genealogical archives can access a position reserved for an Indigenous person, displacing those of us who are connected to and claimed by a living community/Nation of people. </p>
<p>This phenomenon undermines the inherent sovereignty of Indigenous Nations who <a href="https://theconversation.com/fraudulent-claims-of-indigeneity-indigenous-nations-are-the-identity-experts-171470">have the right to determine who does and does not belong</a> to their communities.</p>
<p>When Indigenous folks push back against self-indigenization or re-indigenization, they receive considerable backlash that in many ways distracts from the key issues at hand. </p>
<p>We are often accused of being caught up <a href="https://www.npr.org/sections/codeswitch/2018/02/09/583987261/so-what-exactly-is-blood-quantum">in divisive blood quantum requirements</a>. The irony, of course, is that I have yet to hear any Indigenous critic of the extractivist logic even mention “Indian status” or “blood quantum” in their arguments. </p>
<p>The only ones who seem obsessed with “native blood” are those whose entire claim to indigeneity is based on them locating someone in their genetic or ancestral history. </p>
<p>I recently heard arguments that self-indigenization is a moral, ethical and traditional process that brings us out of the colonial shackles of the Indian Act. But erasing or ignoring the reality of the Indian Act, and of Indigenous survival in the face of it, does not magically bring about decolonization. </p>
<p>Indigenous Peoples settled that argument when they rejected <a href="https://www.thecanadianencyclopedia.ca/en/article/the-white-paper-1969">Pierre Trudeau’s infamous White Paper</a> more than 50 years ago.</p>
<figure class="align-center ">
<img alt="Archive photo: A woman carries her baby on her back, she's in the forest with another woman and two children." src="https://images.theconversation.com/files/441192/original/file-20220117-23-jk1chm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/441192/original/file-20220117-23-jk1chm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=354&fit=crop&dpr=1 600w, https://images.theconversation.com/files/441192/original/file-20220117-23-jk1chm.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=354&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/441192/original/file-20220117-23-jk1chm.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=354&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/441192/original/file-20220117-23-jk1chm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=445&fit=crop&dpr=1 754w, https://images.theconversation.com/files/441192/original/file-20220117-23-jk1chm.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=445&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/441192/original/file-20220117-23-jk1chm.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=445&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Indigenous Nations have always maintained their citizenship orders. They have always retained the right to determine who does and does not belong.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/lac-bac/49483789437/">(R. D. Davidson. Department of Mines and Technical Surveys/Library and Archives Canada, PA-020304)</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<h2>Re-casting oneself as Indigenous</h2>
<p>The problem with re-inventing oneself as “Indigenous” is based on the same logic of possession and fantasies of entitlement that rationalized settler possession of Indigenous lands. </p>
<p>Embracing your “Indigenous roots,” re-casting oneself as Indigenous and thinking that this is the best way to account for your history or to help Indigenous Peoples is not supporting <a href="https://doi.org/10.1177/1177180121994681">Indigenous sovereignties</a> or the movement toward <a href="https://doi.org/10.7577/njcie.3518">decolonial futures</a>. </p>
<p>In her new book, <a href="https://www.ucpress.edu/book/9780520303188/red-scare"><em>Red Scare: The State’s Indigenous Terrorist</em></a>, Lenape scholar Joanne Barker uses the term “kinless Indian” to describe individuals whose initial claim to indigeneity stems from a false, tenuous or distant ancestor, and how this claiming absolves them of the notion that they have any benefit from or complicity with the dispossession of, and violence against, Indigenous Peoples.</p>
<p>Drawing on the work of <a href="https://ualberta.academia.edu/AdamGaudry">Métis scholar Adam Gaudry</a>, Barker clearly articulates how this process of individual or collective Indigenous “re-invention” undermines Indigenous self-determination and sovereignty, as it reflects this idea that Indigenous communities and their respective governance systems did not survive colonization.</p>
<p>It is very clear that we are not facing an Indigenous identity crisis in public institutions. Indigenous Nations have always maintained their citizenship orders. They have always retained the right to determine who does and does not belong. We know who we are. </p>
<p>What we are facing has been, and continues to be, a settler colonial crisis, which under its current guise, seeks to replace us.</p>
<p class="fine-print"><em><span>Celeste Pedri-Spade does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Indigenous Nations have always maintained their citizenship orders. They have always retained the right to determine who does and does not belong. We know who we are.</p>
<p>Celeste Pedri-Spade, Associate Professor & QNS in Indigenous Studies, Queen's University, Ontario</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<p>2022-01-05T13:47:38Z</p>
<p>How cybercriminals turn paper checks stolen from mailboxes into bitcoin</p>
<figure><img src="https://images.theconversation.com/files/439400/original/file-20220104-15-uf0yj.jpg?ixlib=rb-1.1.0&rect=78%2C47%2C3420%2C2281&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Mailboxes are increasingly becoming the scene of a crime. </span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/getting-the-mail-royalty-free-image/182683036">GregAIT/E+ via Getty Images</a></span></figcaption></figure>
<p>While <a href="https://www.nist.gov/blogs/taking-measure/cybercrime-its-worse-we-thought">cybercrime gets a lot of attention</a> from law enforcement and the media these days, I’ve been documenting a less high-tech threat emerging in recent months: a <a href="https://www.fox29.com/news/suspect-found-with-checks-credit-cards-to-be-believed-stolen-from-mail-police-say">surge in stolen checks</a>. </p>
<p>Criminals are increasingly targeting U.S. Postal Service and personal mailboxes to pilfer filled-out checks and sell them over the internet using social media platforms. The buyers then alter the payee and amount listed on the checks to rob victims’ bank accounts of thousands of dollars. While the banks themselves <a href="https://www.bai.org/banking-strategies/article-detail/the-banking-industrys-multi-billion-dollar-problem/">typically bear the financial burden</a> and reimburse targeted accounts, criminals can use the checks to steal victims’ identities, which <a href="https://www.pcmag.com/news/5-ways-identity-theft-can-ruin-your-life">can have severe consequences</a>. </p>
<p>I founded and now direct Georgia State University’s <a href="https://ebcs.gsu.edu/">Evidence Based Cybersecurity Research Group</a>, which is aimed at learning what works and what doesn’t in preventing cybercrime. For the past two years, we’ve been surveilling 60 black market communication channels on the internet to learn more about the online fraud ecosystem and gather data on it in a systematic way in order to spot trends. </p>
<p>One thing we didn’t expect to see was a surge in purloined checks. </p>
<h2>An old threat returns</h2>
<p>In general, bank check theft is a type of fraud that involves the stealing and <a href="https://sqnbankingsystems.com/blog/types-of-check-fraud/">unauthorized cashing of a check</a>. </p>
<p>It’s hardly a new phenomenon. Criminals were committing check fraud as soon as the <a href="https://sqnbankingsystems.com/blog/history-of-check-fraud/">first modern checks were cut in the 18th century in England</a> – and the authorities <a href="https://www.econstor.eu/bitstream/10419/57670/1/602139635.pdf">were already looking for ways to prevent it</a>. </p>
<p>While there’s little historical data on this type of fraud, we do know it became <a href="https://books.google.com/books?id=TzJZXIoo4tIC&pg=PA78&lpg=PA78&dq=check+theft+from+mailboxes+in+the+1990s&source=bl&ots=u7SzV2GzYx&sig=ACfU3U2c5MiFGEQLiFiUPhMq9dEKzK_h0A&hl=en&sa=X&ved=2ahUKEwjkqurEmuv0AhUWTDABHbqBCNkQ6AF6BAgvEAM#v=onepage&q=check%20theft%20from%20mailboxes%20in%20the%201990s&f=false">particularly problematic in the 1990s</a> as the internet made finding willing buyers of illicit items easier than ever. For example, financial institutions <a href="https://www.occ.gov/publications-and-resources/publications/banker-education/files/check-fraud-a-guide-to-avoiding-losses.html">estimated they lost</a> about US$1 billion to check fraud from April 1996 to September 1997. </p>
<p>But what may seem a little surprising is its resurgence now, at a time when the <a href="https://www.statista.com/statistics/1111233/payment-method-usage-transaction-volume-share-worldwide/">vast majority of transactions are conducted electronically</a> and <a href="https://www.atlantafed.org/-/media/documents/banking/consumer-payments/research-data-reports/2020/02/13/us-consumers-use-of-personal-checks-evidence-from-a-diary-survey/rdr2001.pdf%27">check use continues to wane</a>. </p>
<h2>What check fraud looks like</h2>
<p>Broadly speaking, the check scams we’ve been tracking look something like this: </p>
<p>Someone breaks into a mailbox that stores letters waiting to be sent and <a href="https://www.nbcwashington.com/news/local/a-man-put-a-check-in-the-mail-it-was-stolen-altered-and-cashed-for-1900/2892470">grabs some of them</a> in hopes they’ll contain a check that’s been filled in. Often, the crime scene where the theft occurs is the victim’s own mailbox, but it can also be one of those <a href="https://newyork.cbslocal.com/2021/12/09/teaneck-checks-stolen-from-mail">blue USPS boxes</a> you pass on the street. </p>
<p>Criminals can access those with a <a href="https://www.fox5dc.com/news/montgomery-county-residents-claim-checks-were-stolen-from-usps-mailboxes">stolen or copied mailbox key</a>, which we have seen on sale for as much as $1,000.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/437642/original/file-20211214-21-1arvsvf.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="Three USPS mailbox keys lie on a gray surface" src="https://images.theconversation.com/files/437642/original/file-20211214-21-1arvsvf.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/437642/original/file-20211214-21-1arvsvf.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=870&fit=crop&dpr=1 600w, https://images.theconversation.com/files/437642/original/file-20211214-21-1arvsvf.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=870&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/437642/original/file-20211214-21-1arvsvf.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=870&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/437642/original/file-20211214-21-1arvsvf.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=1093&fit=crop&dpr=1 754w, https://images.theconversation.com/files/437642/original/file-20211214-21-1arvsvf.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=1093&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/437642/original/file-20211214-21-1arvsvf.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=1093&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">An image of USPS mailbox keys on sale.</span>
<span class="attribution"><span class="source">Screenshot from Telegram</span></span>
</figcaption>
</figure>
<p>Thieves may deposit or cash the checks themselves or sell them on to others via a marketplace of illicit items, such as fake IDs and credit cards. Prices are typically $175 for personal checks and $250 for business ones – payable in bitcoin – but always negotiable and cheaper in bulk, based on our observations and direct interactions with the sellers. </p>
<p>Buyers then use nail polish remover to erase the intended payee’s name and the amount displayed on the check, replacing those details with their own preferred payee – such as a retailer – and amount, usually a lot higher than the original check. A buyer might also simply cash the check at a location like Walmart using a fake ID. </p>
<p>In some cases we believe criminals are using the checks to steal the victim’s identity by using their name and address to manufacture fake driver’s licenses, passports and other legal documents. Upon taking over someone’s identity, a criminal may use it to submit false applications for loans and credit cards, <a href="https://www.justice.gov/criminal-fraud/identity-theft/identity-theft-and-identity-fraud">access the victim’s bank accounts</a> and engage in other types of online fraud.</p>
<h2>Tracking black market chat rooms</h2>
<p>To better understand how cybercriminals operate, my team of graduate students began monitoring 60 online chat room channels where we knew people were trafficking in fraudulent documents. Examples of these types of channels are group chats on messaging apps like WhatsApp, ICQ and Telegram, in which users post pictures of items they wish to sell. Some of the channels we are monitoring are public, while others required an invitation, which we managed to procure.</p>
<figure class="align-left zoomable">
<a href="https://images.theconversation.com/files/439422/original/file-20220104-25-a77y61.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A check sits in a bowl that was used to remove pen ink, with other checks scattered on the table, with details blacked out." src="https://images.theconversation.com/files/439422/original/file-20220104-25-a77y61.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/439422/original/file-20220104-25-a77y61.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=800&fit=crop&dpr=1 600w, https://images.theconversation.com/files/439422/original/file-20220104-25-a77y61.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=800&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/439422/original/file-20220104-25-a77y61.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=800&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/439422/original/file-20220104-25-a77y61.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=1005&fit=crop&dpr=1 754w, https://images.theconversation.com/files/439422/original/file-20220104-25-a77y61.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=1005&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/439422/original/file-20220104-25-a77y61.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=1005&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">After stealing a check, criminals use nail polish remover to remove the pen ink used to fill them out. Criminals blacked out the check account and code numbers so they can’t be used without purchase. Names and addresses have been blacked out to protect victims’ identities.</span>
<span class="attribution"><span class="source">Screenshot from Telegram</span></span>
</figcaption>
</figure>
<p>After we noticed a rise in stolen checks on sale, we began systematically gathering data from those channels about six months ago in order to track the trend. We downloaded the images, coded them and then aggregated the data so we could spot trends in what was being sold. </p>
<p>In our observations, we came across an average of 1,325 stolen checks being sold every week in October 2021, up from 634 per week in September and 409 in August. Although little historical data on this practice exists, a one-week pilot study we conducted in October 2020 places these numbers in some perspective. Back then, we observed only 158 stolen checks during that period. </p>
<p>Furthermore, these figures likely only represent a small fraction of the number of checks actually being stolen and sold. We focused on only 60 markets, when in fact there are <a href="https://ieeexplore.ieee.org/abstract/document/9378229">thousands currently active</a>. </p>
<p>In dollar amounts, we found that the face value of the checks, as written, was $11.6 million in all of October and $10.2 million in September. But again, these values likely represent a small share of the actual amount of money being stolen from victims because criminals <a href="https://www.nbcwashington.com/news/local/a-man-put-a-check-in-the-mail-it-was-stolen-altered-and-cashed-for-1900/2892470">often rewrite the checks</a> for much higher amounts. </p>
<p>Using the victims’ addresses, which <a href="https://www.nerdwallet.com/article/banking/understanding-the-parts-of-a-check">appeared on the top left corner of the checks</a>, and focusing on the data we collected in the month of October 2021, we found New York, Florida, Texas and California were the top sources. </p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/439421/original/file-20220104-15-14vsyah.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A dozen filled-in checks are displayed and slightly overlapping one another, with the back of a $100 bill at the bottom. The names and addresses are blacked out to protect victims' identities." src="https://images.theconversation.com/files/439421/original/file-20220104-15-14vsyah.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/439421/original/file-20220104-15-14vsyah.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=1761&fit=crop&dpr=1 600w, https://images.theconversation.com/files/439421/original/file-20220104-15-14vsyah.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=1761&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/439421/original/file-20220104-15-14vsyah.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=1761&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/439421/original/file-20220104-15-14vsyah.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=2214&fit=crop&dpr=1 754w, https://images.theconversation.com/files/439421/original/file-20220104-15-14vsyah.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=2214&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/439421/original/file-20220104-15-14vsyah.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=2214&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Stolen personal checks typically go for $175 – but they’re cheaper purchased in bulk.</span>
<span class="attribution"><span class="source">Screenshot from ICQ</span></span>
</figcaption>
</figure>
<h2>How to protect yourself</h2>
<p>The best advice I can give consumers who want to avoid falling victim to these schemes is to avoid mailing checks, if you can. </p>
<p>Bank checking accounts usually offer customers the option to send money electronically, whether to a friend or a company, for free. And there are many apps and other services that allow you to make digital payments from bank accounts or via credit card. While there are risks with these methods as well, in general they are a lot safer than writing a check and sending it in the mail. </p>
<p>Still, some types of businesses may require a physical check for payment, such as landlords, <a href="https://www.policygenius.com/banking/what-is-a-check/">utilities and insurance companies</a>. Moreover, as a matter of personal preference, some people – myself included – prefer to pay their bills using checks rather than other methods of payment. </p>
<p>To avoid the risk, I make sure to drop off all my letters containing checks inside my local post office. That’s generally your best bet for keeping them out of the hands of criminals and ensuring they reach their intended destination. </p>
<p>The <a href="https://www.uspis.gov/">United States Postal Inspection Service</a>, the agency responsible for preventing mail theft, also <a href="https://www.uspis.gov/tips-prevention/mail-theft">offers tips</a> to stay protected. </p>
<p>As for enforcement, the inspection service works with the police and others to crack down on mail-related crime. These efforts result in the arrest of <a href="https://www.uspis.gov/tips-prevention/mail-theft">thousands of mail and package thieves every year</a>. However, for every arrest, there are many more criminals who go undetected. </p>
<p>And when we informed officials of our findings, they were also surprised by what we discovered but planned to step up monitoring of these types of black market communication channels. </p>
<p>Our research suggests much more systematic data on this type of fraud is needed in order to better understand how it works, crack down on the activity and prevent it from occurring in the first place.</p>
<p class="fine-print"><em><span>David Maimon receives funding from the National Science Foundation, Minerva, Department of Homeland Security, and the Federal Reserve Bank. </span></em></p>
<p>A cybersecurity research group has been tracking a significant rise in the number of stolen checks being sold on sites like WhatsApp and Telegram, which often results in stolen identities.</p>
<p>David Maimon, Associate Professor of Criminal Justice and Criminology, Georgia State University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<p>2021-06-24T12:11:47Z</p>
<p>Ransomware, data breach, cyberattack: What do they have to do with your personal information, and how worried should you be?</p>
<figure><img src="https://images.theconversation.com/files/408030/original/file-20210623-13-1spz03x.jpg?ixlib=rb-1.1.0&rect=0%2C15%2C3360%2C2045&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Credit bureau Equifax announced in 2017 that the personal information of 143 million Americans – about three-quarters of all adults – had been exposed in a major data breach.</span> <span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/CongressEquifaxDataBreach/5911edac571e40b48f562110ebfbc782/photo">AP Photo/Mike Stewart</a></span></figcaption></figure>
<p>The headlines are filled with news about <a href="https://www.csoonline.com/article/3236183/what-is-ransomware-how-it-works-and-how-to-remove-it.html">ransomware attacks</a> tying up organizations large and small, <a href="https://www.kaspersky.com/resource-center/definitions/data-breach">data breaches</a> at major brand-name companies and <a href="https://theconversation.com/the-sunburst-hack-was-massive-and-devastating-5-observations-from-a-cybersecurity-expert-152444">cyberattacks</a> by shadowy hackers associated with Russia, China and North Korea. Are these threats to your personal information? </p>
<p>If it’s a ransomware attack on a pipeline company, probably not. If it’s a hack by foreign agents of a government agency, <a href="https://abcnews.go.com/US/exclusive-25-million-affected-opm-hack-sources/story?id=32332731">maybe</a>, particularly if you’re a government employee. If it’s a data breach at a credit bureau, social media company or major retailer, very likely.</p>
<p>The bottom line is that your online data is not safe. Every week <a href="https://www.gearbrain.com/data-breach-cybersecurity-latest-hacks-2633724298.html">a new major data breach is reported</a>, and most Americans <a href="https://www.pewresearch.org/internet/2017/01/26/1-americans-experiences-with-data-security/">have experienced some form of data theft</a>. And it could hurt you. What should you do? </p>
<h2>Mildly annoyed or majorly aggrieved</h2>
<p>First, was the latest digital crime a <a href="https://www.techrepublic.com/article/infographic-ransomware-attacks-by-industry-continent-and-more/">ransomware attack</a> or was it a <a href="https://www.lifelock.com/learn-data-breaches-data-breaches-need-to-know.html">data breach</a>? Ransomware attacks <a href="https://www.cloudflare.com/learning/ssl/what-is-encryption/">encrypt</a>, or lock up, your programs or data files, but your data is usually not exposed, so you probably have nothing to worry about. If the target is a company whose services you use, you might be inconvenienced while the company is out of commission.</p>
<p>If it was a data breach, find out if your information has been exposed. You may have been <a href="https://privacyrights.org/consumer-guides/what-do-when-you-receive-data-breach-notice">notified</a> that your personal data was exposed. U.S. laws require companies to tell you if your data was stolen. But you can also check for yourself at <a href="https://haveibeenpwned.com/">haveibeenpwned.com</a>.</p>
<p>A data breach could include theft of your online <a href="https://www.pcmag.com/encyclopedia/term/login-credentials">credentials</a>: your user name and password. But hackers might also steal your bank account or credit card numbers or other sensitive or protected information, such as your personal health information, your email address, phone number, street address or Social Security number. </p>
<p>Having your data stolen from a company can be scary, but it is also an opportunity to take stock and apply some common-sense measures to protect your data elsewhere. Even if your data has not been exposed yet, why not take the time now to protect yourself?</p>
<h2>How bad is it?</h2>
<p>As a <a href="http://www.misprofessor.us/">cybersecurity scholar</a>, I suggest that you make a <a href="https://www.researchgate.net/publication/352520422_Information_System_Security_and_Privacy">risk assessment</a>. Ask yourself some simple questions, then take some precautions.</p>
<p>If you know your data was stolen, the most important question is what kind of data was stolen. Data thieves, just like car thieves, want to steal something valuable. Consider how attractive the data might be to someone else. Was it highly sensitive data that could harm you if it were in the wrong hands, like financial account records? Or was it data that couldn’t really cause you any problems if someone got hold of it? What information is your worst-case vulnerability if it were stolen? What could happen if data thieves take it?</p>
<p>Many e-commerce sites retain your purchase history, but not your credit card number, so ask yourself, did I authorize them to keep it on file? If you make recurring purchases from the site, such as at hotel chains, airlines and grocery stores, the answer is probably yes. Thieves don’t care about your seat preferences. They want to steal your credit card info or your loyalty rewards to <a href="https://theconversation.com/heres-how-much-your-personal-information-is-worth-to-cybercriminals-and-what-they-do-with-it-158934">sell on the black market</a>.</p>
<h2>What to do</h2>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/407989/original/file-20210623-4659-2txc7b.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A hand holds a smartphone showing a text message on the screen" src="https://images.theconversation.com/files/407989/original/file-20210623-4659-2txc7b.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/407989/original/file-20210623-4659-2txc7b.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=558&fit=crop&dpr=1 600w, https://images.theconversation.com/files/407989/original/file-20210623-4659-2txc7b.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=558&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/407989/original/file-20210623-4659-2txc7b.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=558&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/407989/original/file-20210623-4659-2txc7b.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=702&fit=crop&dpr=1 754w, https://images.theconversation.com/files/407989/original/file-20210623-4659-2txc7b.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=702&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/407989/original/file-20210623-4659-2txc7b.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=702&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Two-factor authentication, which typically involves receiving a code in a text message, provides an extra layer of security in case your password is stolen.</span>
<span class="attribution"><a class="source" href="https://flickr.com/photos/192004829@N02/51019543372/">The Focal Project/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc/4.0/">CC BY-NC</a></span>
</figcaption>
</figure>
<p>If you haven’t already, set up two-factor authentication with all websites that store your valuable data. If data thieves stole your password, but you use <a href="https://authy.com/what-is-2fa/">two-factor authentication</a>, then they can’t use your password to access your account. </p>
<p>It takes a little effort to enter that single-use code sent to your phone each time, but it does protect you from harm when the inevitable breach occurs. Even better, use an <a href="https://www.pcmag.com/picks/the-best-authenticator-apps">authentication app</a> rather than texting for two-factor authentication. This is especially critical for your bank and brokerage accounts. If you think your health-related information is valuable or sensitive, you should also take extra precautions with your health care provider’s website, your insurance company and your pharmacy.</p>
<p>If you used a <a href="https://www.webroot.com/us/en/resources/tips-articles/how-do-i-create-a-strong-password">unique password</a> instead of reusing a <a href="https://theconversation.com/a-secure-relationship-with-passwords-means-not-being-attached-to-how-you-pick-them-110557">favorite password</a> you’ve used elsewhere, hackers can’t successfully use your <a href="https://www.pcmag.com/encyclopedia/term/login-credentials">credentials</a> to access your other accounts. One-third of users are vulnerable because they <a href="https://www.digicert.com/blog/3-reasons-for-strong-password-policy">use the same password for every account</a>. </p>
<p>Take this opportunity to change your passwords, especially at banks, brokerages and any site that retains your credit card number. You can record your unique passwords on a piece of paper hidden at home or in an encrypted file you keep in the cloud. Or you can download and install a good <a href="https://www.wsj.com/articles/what-keeps-people-from-using-password-managers-11623086700">password manager</a>. Password managers encrypt passwords on your devices before they’re sent into the cloud, so your passwords are protected even if the password manager company is hacked.</p>
<p>If your credit card number was exposed, you should notify your bank. Now is a good time to set up <a href="https://www.thebalance.com/mobile-banking-alerts-everyone-should-activate-4178499">mobile banking alerts</a> to receive notifications of unusual activity, big purchases and so on. Your bank may want to issue new cards with new numbers to you. That’s considerably less of a hassle than <a href="https://www.identitytheft.gov/steps">experiencing identity theft</a>. </p>
<p>You should also consider closing old unused accounts so that the information associated with them is no longer available. Do you have a loyalty account with a hotel chain, restaurant or airline that you haven’t used in years and won’t use again? Close it. If you have a credit card with that company, make sure they report the account closure to the credit reporting agencies.</p>
<p>Now is a great time to check your credit reports from all three credit bureaus. Do you rarely apply for new credit and want to protect your identity? If so, <a href="https://www.consumer.ftc.gov/articles/what-know-about-credit-freezes-and-fraud-alerts">freeze your credit</a>. Make sure to generate unique passwords and record them at home in case you need to unfreeze your credit later to apply for a loan. This will help protect you from some of the worst consequences of identity theft.</p>
<p class="fine-print"><em><span>Merrill Warkentin does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>If an organization that has your data gets hacked, your vulnerability depends on the kind of attack and the kind of data. Here’s how you can assess your risk and what to do to protect yourself.</p>
<p>Merrill Warkentin, James J. Rouse Endowed Professor of Information Systems, Mississippi State University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<p>2020-08-18T20:09:41Z</p>
<p>Fake COVID-19 testing kits and lockdown puppy scams: how to protect yourself from fraud in a pandemic</p>
<figure><img src="https://images.theconversation.com/files/353301/original/file-20200818-16-10a618i.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>Fraudsters are ruthless and will use any means necessary to gain financial advantage. </p>
<p>Earlier this year, as Australians were battling the devastating <a href="https://theconversation.com/beware-of-bushfire-scams-how-fraudsters-take-advantage-of-those-in-need-129549">bushfires</a>, fraudsters were tailoring their approaches to <a href="https://www.scamwatch.gov.au/news-alerts/bushfires-and-scams-0">exploit</a> the good intentions of citizens wanting to help victims. </p>
<p>And come March and the declaration of COVID-19 as a <a href="https://www.who.int/dg/speeches/detail/who-director-general-s-opening-remarks-at-the-media-briefing-on-covid-19---11-march-2020">global pandemic</a>, offenders have seamlessly shifted their approaches to take advantage of yet another crisis.</p>
<h2>Online fraud on the rise during COVID-19</h2>
<p>Given the known links between <a href="https://www.fcc.gov/consumers/guides/after-storms-watch-out-scams">natural disasters</a> and <a href="https://www.researchgate.net/publication/228634781_Finding_a_Pot_of_Gold_at_the_End_of_an_Internet_Rainbow_Further_Examination_of_Fraudulent_Email_Solicitation">fraud</a>, it is unsurprising offenders are using COVID-19 to target potential victims. While there are limited statistics on crime rates during this period, evidence suggests fraud and other online scams have spiked.</p>
<p>The Australian Competition and Consumer Commission (ACCC) <a href="https://7news.com.au/travel/coronavirus/huge-spike-in-id-scams-during-covid-19-c-1243904">issued</a> an alert this week warning of a dramatic spike in identity theft, with some 24,000 reports of stolen personal information this year, a 55% increase over the same time last year.</p>
<p>Further, Scamwatch has received more than <a href="https://www.scamwatch.gov.au/types-of-scams/current-covid-19-coronavirus-scams">3,600 reports</a> specifically mentioning COVID-19, with victims so far claiming losses of about $2.3 million. </p>
<p>Fraud costs millions of dollars annually, as shown in the ACCC’s latest <a href="https://www.accc.gov.au/system/files/1657RPT_Targeting%20scams%202019_FA.pdf">Targeting Scams</a> report. It found that in 2019, Australians reported losing more than $634 million to fraud, a dramatic increase from <a href="https://www.accc.gov.au/system/files/Targeting%20scams%E2%80%94Report%20of%20the%20ACCC%20on%20scams%20activity%202018.pdf">$489 million</a> in 2018. </p>
<p>Fraud is an <a href="https://eprints.qut.edu.au/122426/">underreported</a> crime, so these figures are likely to be a fraction of the actual losses incurred by victims. In addition, there are many <a href="https://www.aic.gov.au/publications/tandi/tandi518">barriers</a> to victims reporting scams. They might not realise they are a victim, for example, or might not know where to report such crimes. Some people also feel a strong sense of shame and embarrassment at having been deceived. </p>
<p>The government is putting more attention on the threat of fraud and other cybercrime with its newly released <a href="https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy">cybersecurity strategy</a>, which will see a record $1.67 billion invested in cybersecurity and cybercrime prevention over the next decade.</p>
<h2>What types of fraud are occurring now</h2>
<p>There is nothing new in the ways offenders are targeting potential victims at the moment. Rather, we are seeing well-established schemes reappearing under the guise of COVID-19. </p>
<p><strong>Online shopping fraud</strong></p>
<p>With more people at home during the pandemic, there has been a substantial <a href="https://www.abc.net.au/news/2020-05-20/coronavirus-sends-shoppers-online-retailers-reconsider-stores/12259808">increase in online shopping</a>. Consequently, there has also been an increase in online shopping fraud. </p>
<p>Some of these schemes involve <a href="https://www.abc.net.au/news/2020-05-12/warning-coronavirus-scams-increase-as-online-shopping-targeted/12239102">fake websites and social media pages</a> being set up to sell goods to people that never arrive, including <a href="https://www.canberratimes.com.au/story/6756483/scammers-target-people-trying-to-protect-themselves-from-covid-19/">personal protective equipment</a> and even <a href="https://www.scamwatch.gov.au/news-alerts/dont-get-scammed-looking-for-a-lockdown-puppy">puppies</a>. </p>
<p>There has also been a rise in online sales of <a href="https://www.theguardian.com/australia-news/2020/apr/30/darknet-investigation-finds-hundreds-of-coronavirus-cures-vaccines-and-expensive-ppe">products</a> that simply do not exist or work as promised, such as <a href="https://www.fda.gov/consumers/consumer-updates/beware-fraudulent-coronavirus-tests-vaccines-and-treatments">coronavirus testing kits</a> or <a href="https://www.abc.net.au/news/2020-07-22/how-to-avoid-covid-19-scams/12476456">supposed cures for the virus</a>. </p>
<p><strong>Phishing</strong></p>
<p>Fraudsters use phishing emails and text messages as a means of getting personal information from victims, like bank account details and passwords. Phishing attempts usually come from what appear to be legitimate sources, persuading recipients to click on a link or reply with required personal information. </p>
<p>In the context of COVID-19, phishing attempts are being launched under the guise of <a href="https://www.scamwatch.gov.au/types-of-scams/current-covid-19-coronavirus-scams#phishing-government-impersonation-scams">government departments</a>. Some messages claiming to be from health authorities say the recipient has had contact with a known case of the virus, for instance, while others advertise the need for testing. </p>
<p>Others have pretended to be the <a href="https://www.ato.gov.au/general/online-services/identity-security/scam-alerts/">Australian Taxation Office</a> with offers of tax refunds or the availability of government benefits or support payments.</p>
<p>In addition, offenders have also used the pretext of <a href="https://www.canberratimes.com.au/story/6708076/250-supermarket-voucher-too-good-to-be-true-scamwatch-warns/">legitimate businesses</a> like Coles and Woolworths, appearing to offer services or discounts to those who are struggling. Other approaches are using the Australia Post logo to ask people to pay additional <a href="https://auspost.com.au/about-us/about-our-site/online-security-scams-fraud/scam-alerts">fees for delivery</a> of purchased items. </p>
<h2>Increased vulnerability to fraud</h2>
<p>These examples highlight how offenders exploit anxiety to take advantage of people in uncertain times. They play on people’s fears and anxieties.</p>
<p>Everyone is <a href="https://www.youtube.com/watch?v=TRDgOGf5VAM">vulnerable</a> to fraud. Research suggests there is “<a href="http://fraudresearchcenter.org/wp-content/uploads/2012/11/Scams-Schemes-%20Swindles-FINAL_11.20.121.pdf">no typical fraud victim</a>”. However, COVID-19 has arguably made more people vulnerable to fraud across large sections of society. </p>
<p>Isolation and loneliness can increase vulnerability. Without the presence and accessibility of support networks (such as family and friends), individuals may be more responsive to fraudulent approaches. </p>
<p>Economic hardship could also make people more susceptible to fraud. Offenders do not need to offer outrageous returns for their approaches to be attractive to potential victims. People are more motivated than ever to improve their financial situations, which plays into the hands of fraudsters.</p>
<h2>How you can protect yourself</h2>
<p>It is important people understand how fraudsters work and are using the crisis to their advantage, so they can take the necessary steps to protect themselves. Here are a few tips to avoid becoming a victim.</p>
<ul>
<li><p>Stay connected to family, friends and colleagues, even in a virtual environment. Offenders relish the isolation of victims to increase the success of their attempts. </p></li>
<li><p>Talk about what is happening. Ask someone directly if they have received any strange emails or phone calls. Offenders rely on <a href="https://eprints.qut.edu.au/118434/">secrecy and shame</a> to keep people silent about their victimisation.</p></li>
<li><p>Be vigilant with emails, phone calls, texts and even those who knock on your door. Do not feel you have to respond to anything immediately; take the time to think about it and seek advice. Offenders rely on immediate responses from people that overcome any rational thought. </p></li>
<li><p>Report any fraud attempts or losses you may have incurred to <a href="https://www.scamwatch.gov.au/report-a-scam">Scamwatch</a> or <a href="https://www.cyber.gov.au/acsc/report">ReportCyber</a>. Also, contact your bank if you have lost money, or a service like <a href="https://www.idcare.org/">IDcare</a> if you have had your identity compromised. It is important for these organisations to be able to gain accurate figures on the prevalence of fraud during these times. </p></li>
</ul>
<p>COVID-19 has thrown the world into uncertainty. But one thing that’s clear is fraudsters will remain active and continue to target victims. We need to recognise this changing environment, support each other and collectively do as much as possible to guard against fraud victimisation.</p>
<p class="fine-print"><em><span>Cassandra Cross is affiliated with the Cybersecurity Cooperative Research Centre (CRC). She has also received funding from the Australian Institute of Criminology.</span></em></p>
<p>There has been a dramatic spike in identity theft and online shopping scams this year as fraudsters try to take advantage of people’s vulnerability during uncertain times.</p>
<p>Cassandra Cross, Senior Research Fellow, Faculty of Law, Cybersecurity Cooperative Research Centre, Queensland University of Technology</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<h1>Is your super money safe? Here’s how you can dodge cyber fraud</h1>
<p>2020-06-02T07:43:54Z</p>
<figure><img src="https://images.theconversation.com/files/339100/original/file-20200602-133851-85mtzt.jpg?ixlib=rb-1.1.0&rect=53%2C60%2C4414%2C3014&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>Alongside growing concerns over a possible <a href="https://www.abc.net.au/radio/programs/coronacast/hello-winter!-is-coronavirus-about-to-get-worse/12305314">resurgence</a> of the coronavirus during winter, the pandemic is now creating even more victims as cybercriminals aim to capitalise on the economic upheaval.</p>
<p>According to <a href="https://www.abc.net.au/news/2020-06-01/scammers-stealing-thousands-through-coronavirus-super-scheme/12301010">news reports</a>, people have had money stolen from their super funds by fraudsters exploiting the COVID-19 early access scheme.</p>
<p>The attackers reportedly used victims’ stolen identity credentials to create <a href="https://au.finance.yahoo.com/news/afp-investigates-early-superannuation-coronavirus-hack-233908986.html">fake myGov accounts and lodge applications</a> for the early release of up to A$10,000 from superannuation accounts. </p>
<p>If you’re worried about accessing the scheme, there are a few ways you can strengthen your protection against fraudsters looking for quick financial gain at your expense.</p>
<h2>Always looking for weak points</h2>
<p>COVID-19 has threatened the national economy and left more than 700,000 people <a href="https://www.abc.net.au/news/2020-04-21/covid-19-costs-6-per-cent-of-jobs-in-3-weeks/12168670">without work</a>. In April, the federal government responded by allowing access to A$10,000 worth of super funds for eligible applicants in this financial year, and a further A$10,000 after June 30, to help sustain people during this difficult time.</p>
<p>Unsurprisingly, cybercriminals have sought to take advantage of flaws in the scheme. </p>
<p>In May, the Australian Taxation Office reportedly found <a href="https://www.skynews.com.au/details/_6154750974001">at least 100 cases</a> of applications lodged using stolen personal information.</p>
<p>It’s not known how attackers managed to access the personal information required for such fraud. It may have been stolen earlier this month from the hacked customer files of a tax agent, as <a href="https://7news.com.au/business/finance/australia-super-scheme-tax-office-freezing-early-access-to-superannuation-due-to-identity-fraud-c-1024707">confirmed by federal home affairs minister Peter Dutton</a>. </p>
<p>Or this may have been a less sophisticated scheme. All it takes to steal identity details is a fake email or web page that looks trustworthy enough to dupe you into sharing your information. </p>
<p>Cybercriminals often try a broad approach, sending the same malicious email to hundreds of thousands of people in the hope someone will fall into the trap. And someone usually does.</p>
<h2>What can you do to stay safe?</h2>
<p>Now is a good time to check your super fund statement to make sure there hasn’t been any unauthorised withdrawal. Even better, you should regularly check all financial statements, including bills. If you see a transaction you don’t remember making, block your bank cards and inform your bank immediately. </p>
<p>Although there are <a href="https://link.springer.com/chapter/10.1007/978-3-642-39736-3_17">algorithms that help detect credit card fraud</a>, you are the only person who can recall whether you made a specific purchase. With <a href="https://abc7news.com/coronavirus-fraud-credit-card-scam-7-on-your-side/6111485/">online shopping booming</a> during lockdown, the <a href="https://www.wired.com/story/magecart-credit-card-skimmers-coronavirus-pandemic/">pool of potential victims</a> has increased.</p>
<p>It’s also common for fraudsters to “test” whether a credit card works by deducting a very small amount (as little as 10 cents) with a generic description such as “service fee” or “<a href="https://www.zdnet.com/article/the-surprising-lesson-i-learned-as-a-victim-of-credit-card-fraud/">top-up charge</a>”. </p>
<p>This may seem insignificant, but for cybercriminals it’s the “perfect crime” as its simplicity and perceived lack of damage means it often escapes detection. Also, the operational costs of committing such a crime are very low, which means more people can be targeted. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/339104/original/file-20200602-133875-1di1q00.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/339104/original/file-20200602-133875-1di1q00.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/339104/original/file-20200602-133875-1di1q00.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/339104/original/file-20200602-133875-1di1q00.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/339104/original/file-20200602-133875-1di1q00.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/339104/original/file-20200602-133875-1di1q00.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/339104/original/file-20200602-133875-1di1q00.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/339104/original/file-20200602-133875-1di1q00.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">In some ways, making very minor deductions from victims’ accounts is a ‘perfect crime’ for cybercriminals. These charges tend to go unnoticed, but add up in the end.</span>
<span class="attribution"><span class="source">Shutterstock</span></span>
</figcaption>
</figure>
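<p>The statement check described above can be partly automated. The sketch below is an added example, not part of the original article: it scans an exported statement for very small debits with generic descriptions and notes whether the merchant is new to the account and whether a larger charge followed. The CSV column names, keyword list and thresholds are assumptions, and the sample rows are constructed.</p>

```python
"""Flag possible card-testing charges in an exported statement (added example)."""
import csv
import io
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Assumed thresholds and keywords; tune them to your own account. The article
# mentions charges "as little as 10 cents" labelled "service fee" or
# "top-up charge".
SMALL_AMOUNT = Decimal("2.00")      # debits at or below this are "small"
NEW_MERCHANT_DAYS = 14              # merchant first seen this recently is "new"
GENERIC_TERMS = ("service fee", "top-up", "top up", "verification", "test charge")

# Constructed sample statement; real bank exports use different column names.
SAMPLE_CSV = """date,merchant,description,amount
2020-05-02,Coles 0412,Groceries,-84.30
2020-05-09,Coles 0412,Groceries,-61.15
2020-05-11,City Parking,Parking fee,-1.50
2020-05-20,City Parking,Parking fee,-1.50
2020-05-27,QX Online Svc,Service fee,-0.10
2020-05-28,QX Online Svc,Top-up charge,-0.45
2020-05-29,QX Online Svc,Purchase,-399.00
2020-05-30,Employer Pty Ltd,Salary,2500.00
"""


@dataclass(frozen=True)
class Txn:
    day: date
    merchant: str
    description: str
    amount: Decimal  # negative means money leaving the account


def parse_statement(text):
    """Parse CSV text into transactions sorted by date (oldest first)."""
    rows = csv.DictReader(io.StringIO(text))
    txns = [
        Txn(date.fromisoformat(r["date"]), r["merchant"].strip(),
            r["description"].strip(), Decimal(r["amount"]))
        for r in rows
    ]
    return sorted(txns, key=lambda t: t.day)


def find_suspect_charges(txns, small=SMALL_AMOUNT, new_days=NEW_MERCHANT_DAYS):
    """Return small, generically described debits that deserve a manual look."""
    txns = sorted(txns, key=lambda t: t.day)
    first_seen = {}
    for t in txns:
        first_seen.setdefault(t.merchant.lower(), t.day)

    findings = []
    for t in txns:
        # Only debits at or below the "small" threshold are candidates.
        if t.amount >= 0 or -t.amount > small:
            continue
        desc = t.description.lower()
        if not any(term in desc for term in GENERIC_TERMS):
            continue
        key = t.merchant.lower()
        # A larger debit from the same merchant afterwards suggests the small
        # charge was a probe (an assumption of this sketch, not a bank rule).
        followed_by = [
            str(-u.amount) for u in txns
            if u.merchant.lower() == key and u.day > t.day
            and u.amount < 0 and -u.amount > small
        ]
        findings.append({
            "date": t.day.isoformat(),
            "merchant": t.merchant,
            "description": t.description,
            "amount": str(-t.amount),
            "new_merchant": (t.day - first_seen[key]).days <= new_days,
            "followed_by": followed_by,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspect_charges(parse_statement(SAMPLE_CSV)):
        print(f)
```

<p>A flagged row is a prompt to check your own memory of the purchase, not proof of fraud; the regular small parking charges in the sample are deliberately left unflagged because their description is specific.</p>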
<h2>Verify information and report</h2>
<p>One foolproof way to keep your personal information safe from hackers is to double-check the websites you use – whether it’s for online shopping, checking emails or chatting with friends online. Make sure there are no obvious spelling mistakes, in the URL or elsewhere. </p>
<p>If in doubt, try to verify the site’s legitimacy through a quick Google search. Often some online cross-checking, or a phone call to an organisation’s official phone number, is enough to reveal a scammer. And if you can’t confirm authenticity, ask yourself: is sharing my details worth the risk? </p>
<p>If anything doesn’t seem right, always report it to the relevant authorities so others don’t fall victim. In Australia and New Zealand, you can report identity theft on <a href="https://www.idcare.org/">IDCARE</a> and any type of cybercrime on the government’s <a href="https://www.cyber.gov.au/report">ReportCyber</a> website.</p>
<p>And if you do become a victim of fraud, alert your superannuation provider and bank as soon as possible. Cybercrime victims should always be empowered to report fraud, as this is the first step to potentially getting your money back.</p>
<h2>Are more checks needed?</h2>
<p>Ways to potentially make the early release of super funds more secure include allowing only one verified account per person, which should be confirmed, potentially via a physical interview, before any account activity is carried out. Requiring two-factor authentication throughout the process of submitting an application would also be helpful.</p>
<p>The successful exploitation of the scheme indicates the government may have rushed trying to process and complete applications. One member of the public said it <a href="https://www.abc.net.au/news/2020-06-01/scammers-stealing-thousands-through-coronavirus-super-scheme/12301010">took 12 hours</a> to have their application approved.</p>
<p>This sudden administrative efficiency raises reasonable doubt about the level of security checks in place. And if fraudsters have managed to bypass security protocols, it’s very likely more checks will be needed.</p>
<p class="fine-print"><em><span>Roberto Musotto is affiliated with the Cyber Security Research Cooperative Centre (CSCRC), whose activities are partially funded by the Australian Government’s Cooperative Research Centres Programme.</span></em></p>
<p>Fraudsters have managed to exploit security gaps in the federal government’s early release of super scheme. Here’s what to look out for.</p>
<p>Roberto Musotto, Cyber Security Cooperative Research Centre Postdoctoral Fellow, Edith Cowan University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<h1>Why the government’s proposed facial recognition database is causing such alarm</h1>
<p>2019-10-24T22:24:47Z</p>
<figure><img src="https://images.theconversation.com/files/298497/original/file-20191024-170499-65x8j3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Andrew Hastie said the broad objectives of the identity-matching system were sound, but key changes were needed to ensure privacy and transparency.
</span> <span class="attribution"><span class="source">Lukas Coch/AAP</span></span></figcaption></figure><p>Since before the 2019 election, the Morrison government has been keen to introduce a new scheme that would allow government agencies, telcos and banks to use facial recognition technology to collect and share images of people across the country. </p>
<p>While there are some benefits to such a system – making it easier to identify the victims of natural disasters, for example – it has been heavily criticised by <a href="https://which-50.com/human-rights-groups-sound-alarm-on-governments-facial-recognition-laws/">human rights groups</a> as an attempt to introduce mass surveillance to Australia and an egregious breach of individual privacy. </p>
<p>The plan hit a roadblock when the government-controlled Parliamentary Joint Committee on Intelligence and Security (PJCIS) <a href="https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/Identity-Matching2019/Report">handed down an extensive report</a> calling for significant changes to the legislation to ensure stronger privacy protections and other safeguards against misuse.</p>
<h2>What are the identity-matching laws?</h2>
<p>The <a href="https://www.aph.gov.au/Parliamentary_Business/Bills_LEGislation/Bills_Search_Results/Result?bId=r6387">identity-matching bills</a> aim to set up a national database of images captured through facial recognition technology and other pieces of information used to identify people, such as driver’s licenses, passports and visa photos. This information could then be shared between government agencies and, in some cases, private organisations like telcos and banks, provided certain legal criteria are met. </p>
<p>The proposed database follows <a href="https://www.coag.gov.au/sites/default/files/agreements/iga-identity-matching-services.pdf">an agreement</a> reached by the Commonwealth and the states and territories in 2017 to facilitate the “secure, automated and accountable” exchange of identity information to help combat identity crime and promote community safety. </p>
<p>Critical to this agreement was that the system include “robust privacy safeguards” to guard against misuse.</p>
<p>The agreement gave the federal government the green light to introduce laws to set up the identity-matching system.</p>
<p>Access to the service could potentially encompass a wide range of purposes. For example, a government agency could use the system to identify people thought to be involved in identity fraud or considered threats to national security. </p>
<p>But the bill also includes more pedestrian uses, such as in cases of “community safety” or “road safety”. </p>
<p>The proposed laws contain some safeguards against misuse, including criminal sanctions when an “entrusted person” discloses information for an unauthorised purpose. In addition, access by banks or other companies and local councils can only occur with the consent of the person seeking to have their identity verified. </p>
<p>However, much of the detail about precisely who can access the system and what limits apply is not set out in the bills. This will be determined through government regulation or subsequent intergovernmental agreements.</p>
<h2>Concerns about scope and safeguards</h2>
<p>The Coalition government’s bills were first introduced in 2018, but didn’t come up for a vote. After the government reintroduced the bills in July, the PJCIS launched an inquiry and invited <a href="https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/Identity-Matching2019/Submissions">public submissions</a>.</p>
<p><a href="https://www.lawcouncil.asn.au/resources/submissions/review-of-the-identity-matching-services-bill-2019-and-the-australian-passports-amendment-identity-matching-services-bill-2019">Legal bodies</a> have argued that amendments are needed to tighten the boundaries of who can access the identity-matching services and for what purposes. They note that as currently drafted, the proposed laws give too much discretionary power to government officials and actually create opportunities for identity theft. </p>
<p>This is particularly problematic when coupled with the potential for the rapid spread of facial recognition technology in Australian streets, parks and transport hubs. </p>
<p>The <a href="https://which-50.com/human-rights-groups-sound-alarm-on-governments-facial-recognition-laws/">Human Rights Law Centre</a> said the proposed system is “<a href="https://www.theguardian.com/uk-news/2019/aug/12/regulator-looking-at-use-of-facial-recognition-at-kings-cross-site">more draconian</a>” than the one launched in the UK. Another concern is that it could be used by a wide range of agencies to confirm the identity of any Australian with government-approved documentation (such as a passport or driver’s license), regardless of whether they are suspected of a crime. </p>
<p>The <a href="https://www.humanrights.gov.au/about/news/identity-matching-bills-threaten-our-rights">Australian Human Rights Commission</a> also pointed to <a href="http://gendershades.org/overview.html">research</a> suggesting the software used to capture or match facial imagery could result in higher error rates for women and people from certain ethnic groups.</p>
<h2>What’s next for the bills?</h2>
<p>When handing down the committee’s unanimous report, <a href="https://www.aph.gov.au/Senators_and_Members/Parliamentarian?MPID=260805">Andrew Hastie</a> said the broad objectives of the identity-matching system were sound, but key changes were needed to <a href="https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/Identity-Matching2019/Report/section?id=committees%2freportjnt%2f024343%2f27805#s27805rec1">ensure</a> privacy protections and transparency. </p>
<p>While the PJCIS cannot actually stop the bills from being passed, it has a strong track record of turning its <a href="https://find.library.unisa.edu.au/primo-explore/fulldisplay?id=9916263102501831&vid=ROR&sortby=rank&lang=en_US">recommendations into legislative amendments</a>. </p>
<p>The states and territories also have an interest in ensuring a national identity-matching scheme gets the balance right between addressing identity crime, assisting law enforcement and protecting individual privacy. </p>
<p>The question is whether these calls for improvements will be loud enough to put these bills back on the drawing board. </p>
<p>The future of the legislation will tell us something important about the <a href="http://www.unswlawjournal.unsw.edu.au/wp-content/uploads/2018/03/41-1-2.pdf">strength of human rights protections in Australia</a>, which rely heavily on parliamentary bodies like the PJCIS to help raise the alarm when it comes to rights-infringing laws.</p>
<p class="fine-print"><em><span>Sarah Moulds does not currently receive any external funding. Sarah Moulds previously (2015–2018) received an Australian Postgraduate Award to complete her PhD at the University of Adelaide.
In 2014-2015 Sarah Moulds was Legal Affairs Policy Advisor to Australian Greens Senator Penny Wright.</span></em></p>
<p>Human rights groups say the bill is an attempt to introduce mass surveillance to Australia and an egregious breach of individual privacy.</p>
<p>Sarah Moulds, Lecturer of Law, University of South Australia</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<h1>19 years of personal data was stolen from ANU. It could show up on the dark web</h1>
<p>2019-06-04T06:35:49Z</p>
<figure><img src="https://images.theconversation.com/files/277835/original/file-20190604-69051-fwysn3.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C5991%2C3170&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">It's been reported that names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, passport details and student academic records were accessed.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/canberra-australia-12-dec-2016-view-750983656?src=cLDuFZ3RkwjE1ODvbATK3w-1-4">www.shutterstock.com</a></span></figcaption></figure><p>Today it was revealed the Australian National University (<a href="https://www.anu.edu.au/">ANU</a>) fell <a href="https://www.abc.net.au/news/2019-06-04/anu-data-hack-bank-records-personal-information/11176788">victim to a cyber security attack</a> in late 2018 that was only detected two weeks ago*. Stolen was a substantial amount of data dating back 19 years relating to staff, students and visitors. </p>
<p>We don’t know for sure how long the cyber attackers were inside the ANU systems in this case. However, the university revealed details of other attempted attacks <a href="https://www.theguardian.com/australia-news/2018/jul/07/australian-national-university-hit-by-chinese-hackers">last year</a>.</p>
<p><a href="https://www.abc.net.au/news/2019-06-04/anu-data-hack-bank-records-personal-information/11176788">The ABC reported</a> that the types of data stolen were “names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, and passport details. Student academic records were also accessed.” </p>
<p>These are very critical data. Privacy and security are at risk when this sort of information, especially people’s personal and financial details, is hacked. </p>
<p>The question now is what will happen with the stolen data. </p>
<p>There are three likely outcomes: </p>
<h2>1. Invitation to pay a ransom</h2>
<p>The hackers who stole the data might ask ANU to pay a ransom in return for “erasing” the data they stole (or at least saying they will). If the ransom is not paid, they will probably release the data to the public. </p>
<p>We have seen cases like this before around the world. A recent example involved <a href="https://www.theverge.com/2019/5/6/18531222/hacker-data-theft-ransom-stolen-git-code-bitcoin">stolen coding tools</a>.</p>
<p>Another example is <a href="https://www.zdnet.com/article/hackers-publish-516gb-of-data-belonging-to-some-of-the-largest-companies-worldwide/">an attack</a> on a German IT company, Citycomp, where hackers broke into its systems and stole a lot of critical data. Citycomp was asked to pay a ransom of $5,000 – but did not. The hackers published the data.</p>
<h2>2. Free public release of data</h2>
<p>The hackers may release the stolen data to the public without asking for any payment. This might happen as a show of strength, to provide evidence of their capabilities, or to cause chaos.</p>
<p>The consequences are still very serious in this case. It could lead to serious breaches of personal privacy, fake identities being created and important intellectual property becoming available to competitors or other hackers. </p>
<p>More broadly, the university <a href="https://www.oaic.gov.au/media-and-speeches/media-releases/mandatory-data-breach-notification-comes-into-force-this-thursday">may attract fines from the government</a> if it was later found that correct data protection practices were not followed. That said, there is no evidence this is the case here. </p>
<h2>3. Sell for profit on the dark web</h2>
<p>The hackers may sell the data on the dark web to make a profit. Others could buy the data to create fake identities and as a result fake credit cards.</p>
<p>In one example, hackers stole data involving up to 150 million users of Under Armour’s <a href="http://fortune.com/2019/02/14/hacked-myfitnesspal-data-sale-dark-web-one-year-breach/">MyFitnessPal</a> app and sold it on the dark web. </p>
<p>The entire stolen data set is <a href="https://www.theregister.co.uk/2019/02/11/620_million_hacked_accounts_dark_web/">reportedly available</a> for an asking price of less than $20,000 in bitcoin – around one year after the breach occurred. </p>
<h2>Hackers are hard to stop</h2>
<p>What makes this ANU case very interesting is that in 2018 <a href="https://www.theguardian.com/australia-news/2018/jul/07/australian-national-university-hit-by-chinese-hackers">The Guardian</a> reported that ANU had spent many months fighting off a threat to its systems. There were unverified reports this might have come from hackers based in China. </p>
<p>This means the ANU has known it was being targeted for a while now, and was still not able to fend off the data breach revealed today. </p>
<p>You might ask why the university hadn’t bolstered its cyber defences in response. The answer is the ANU probably did, to the best of its abilities. </p>
<p>However, when you are dealing with elite hackers and those using “<a href="https://theconversation.com/from-botnet-to-malware-a-guide-to-decoding-cybersecurity-buzzwords-77958">zero day exploits</a>”, it means your chances of preventing a hack are quite limited. Zero day-based exploits focus on vulnerabilities that are not yet known to anti-malware companies or for which no targeted solutions are available, such as patches or updates. </p>
<h2>This is still a dangerous situation</h2>
<p>There are still aspects of this situation that will present concerns to the ANU and its stakeholders. </p>
<p>For example, it’s possible the hackers could still be in the systems, but hidden. They may have user names and passwords for student accounts or hidden backdoors the university has not yet discovered.</p>
<h2>It could be worse than we know</h2>
<p>Another issue is whether the hackers have stolen even more data than is being reported. </p>
<p>It <a href="https://www.abc.net.au/news/2019-06-04/anu-data-hack-bank-records-personal-information/11176788">currently appears</a> data not stolen includes “credit card details, travel information, medical records, police checks, workers’ compensation information, vehicle registration numbers, and some performance records”.</p>
<p>ANU vice-chancellor Brian Schmidt has <a href="https://www.canberratimes.com.au/story/6198631/personal-details-of-anu-staff-students-exposed-in-mass-data-breach/">said</a>: “We have no evidence that research work has been affected. But the university may not yet know for sure. A very concerning aspect for the university will be the potential for intellectual property and unpublished academic works to be accessed. This could be very valuable to sell off online or even to other universities.” </p>
<p><a href="https://www.zdnet.com/article/iran-hackers-target-70-universities-in-14-countries/">This has happened before</a>: Iranian hackers targeted 76 universities across 14 countries to steal intellectual property from research projects in 2018.</p>
<p>Only time will reveal what happens next. The bad news is that hackers have stolen critical data and it’s in the wind. The outcomes could be minimal or they could be disastrous, depending on the hackers’ intentions. </p>
<p>A big concern will be if the hackers still have access to the university systems, via an established backdoor, and are siphoning off critical data as it emerges.</p>
<p><em>*This article originally said the cyber attack took place two weeks ago. It has now been corrected: the attack took place in late 2018, and was only detected two weeks ago.</em></p>
<p class="fine-print"><em><span>Nicholas Patterson does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
The worst-case scenario is that hackers still have access to the university systems via a backdoor and are siphoning off critical data as it emerges.
Nicholas Patterson, Senior lecturer, Deakin University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/116999
2019-05-16T20:05:05Z
2019-05-16T20:05:05Z
Your credit report is a key part of your privacy – here’s how to find and check it
<figure><img src="https://images.theconversation.com/files/274769/original/file-20190515-69192-5qp08u.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The Privacy Act gives you the right to find out what’s in your credit report and change any incorrect information in your report.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/business-woman-hands-working-financial-plan-646040347?src=X3er8kj77M7s2B5Em_fOXA-1-76">from www.shutterstock.com</a></span></figcaption></figure><p>The Australian government encourages citizens to protect their privacy and personal information. </p>
<p>Most of the <a href="https://www.oaic.gov.au/individuals/privacy-fact-sheets/general/privacy-fact-sheet-8-ten-tips-to-protect-your-privacy">tips provided</a> by the Office of the Information Commissioner are pretty intuitive – know your rights, read privacy policies, use security software and more. </p>
<p>But you might be surprised to know “check your credit report” is also on the list of recommended actions. </p>
<p>Checking your credit report, preferably annually, is a good way to ensure incorrect information is not listed against you. Having the right information in place can protect you against <a href="https://www.moneysmart.gov.au/scams/identity-fraud">identity theft</a>, so is an important component of privacy in this sense. </p>
<p>The <a href="https://www.oaic.gov.au/privacy-law/privacy-act/">Privacy Act 1988</a> is an Australian law which regulates the handling of personal information about individuals. The Privacy Act has very strict rules, reflected in 13 <a href="https://www.oaic.gov.au/privacy-law/privacy-act/australian-privacy-principles">Australian Privacy Principles</a>, that control the way information about you is accessed, used and corrected. </p>
<p>The Privacy Act gives you the right to find out what’s in your credit report and change any incorrect information in your report.</p>
<p>As well as stopping others from stealing your identity, having an accurate credit report is also crucial if you want to borrow money. For example, when applying for credit such as a home loan, the lender will obtain your credit report to assess your credit worthiness and also your ability to repay the loan. You really don’t want your application for a home loan to be knocked back because of errors in your credit report, do you? </p>
<h2>How to check your credit report</h2>
<p>The first step is getting a copy of your credit report. This can be obtained free from credit reporting agencies such as <a href="https://www.equifax.com.au/">Equifax</a>, <a href="https://www.illion.com.au/">illion</a> and <a href="http://www.experian.com.au/">Experian</a>. Tasmanians can also refer to the <a href="https://www.tascol.com.au/">Tasmanian Collection Service</a>. </p>
<p>Make sure you spend a bit of time looking carefully for this free option – it is there, but can sometimes be a little buried. </p>
<p>The report will be sent to you in about ten days. If you are in a hurry and need it faster, you can pay between A$30 and A$50 and the credit report will arrive in a day or two. </p>
<h2>Look at the details</h2>
<p>Once you have your credit report, there are <a href="https://www.moneysmart.gov.au/media/400943/your-credit-report.pdf">certain things that you must check</a>. </p>
<p>First, as a minimum, check that your personal details such as name, date of birth, employment and driver’s license or other identifying documents are correct. </p>
<p>Second, have a look at your credit history in the report. This will include details of all credit or loans that you applied for, any payments more than 60 days overdue for which default actions have been initiated, and any other credit infringements. Such credit infringements can be listed on your credit report for between five and seven years, depending on their severity. </p>
<p>Third, examine your repayment history to determine whether you missed any payments on due dates. </p>
<p>Last, check whether any recorded serious adverse credit activities such as bankruptcies, court judgements and debt agreements are correct and accurately reflect your circumstances.</p>
<h2>What happens if it’s wrong?</h2>
<p>You are entitled to request changes to any incorrect listing, and this should be done free of charge. </p>
<p>In the first instance, you can contact the credit reporting agency directly and they will be able to fix small errors immediately. For other errors originating from a credit provider such as a bank, they will sometimes even contact the bank on your behalf. </p>
<p>However, if you have to contact the credit provider yourself, do so and explain why the listing is incorrect. Most often, they will fix the mistake. If they refuse, you can then go to an independent dispute resolution scheme, such as the <a href="https://www.afca.org.au/">Australian Financial Complaints Authority</a>. </p>
<p>If all else fails, you can also contact the <a href="https://www.oaic.gov.au/">Office of the Australian Information Commissioner</a> who will deal with your complaint if it is not older than a year.</p>
<p>So, what are you waiting for? It really is in your best interest to check your credit report, and no one else can do it for you.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Checking your credit report is a good way to ensure that incorrect information is not listed against you, and can protect you against identity theft.
Harjinder Singh, Senior lecturer, Curtin University
Nigar Sultana, Senior Lecturer, Faculty of Business and Law, Curtin University
Yeut Hong Tham, Lecturer, Curtin University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/104371
2018-10-26T10:54:09Z
2018-10-26T10:54:09Z
As digital threats grow, will cyber insurance take off?
<figure><img src="https://images.theconversation.com/files/241733/original/file-20181022-105748-a7kqra.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Do people need insurance against hacking?</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/business-man-defending-light-beams-umbrella-350979452">ra2studio/Shutterstock.com</a></span></figcaption></figure><p>Cyberattacks cost the world <a href="https://www.france24.com/en/20180909-cyber-insurance-market-double-2020-says-munich">more than natural disasters</a> – <a href="https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/">US$3 trillion in 2015</a>, a price that may climb to $6 trillion annually by 2021 if present trends continue. But most people – and even most businesses – don’t have insurance to protect themselves against this rising threat. </p>
<p>Insurance against all kinds of risks – disease, disaster, legal liability and more – is extremely common. In the U.S., companies, families and even government agencies paid a combined <a href="https://data.oecd.org/insurance/gross-insurance-premiums.htm">$2.7 trillion in insurance premiums</a> in 2016 – and received <a href="https://stats.oecd.org/viewhtml.aspx?datasetcode=PT7&lang=en">payouts totaling $1.5 trillion</a>. But <a href="https://www.jltspecialty.com/our-insights/publications/cyber-decoder/cyber-insurance-market-grows-as-competition-intensifies">just $2.5 billion</a> – 0.09 percent of the total spending – went to buy insurance against cyberattacks and hacking. Elsewhere in the world, there’s even less coverage. For instance, in 2017 the cyber insurance market in India was <a href="https://economictimes.indiatimes.com/industry/banking/finance/insure/demand-for-cyber-cover-jumps-50/articleshow/62360112.cms">$27.9 million</a>, <a href="https://data.oecd.org/insurance/gross-insurance-premiums.htm">0.04 percent of the total insurance premiums</a> paid in the country that year. </p>
<p>From <a href="https://scholar.google.com/citations?user=Qx3YMi4AAAAJ&hl=en">my research</a> on <a href="https://doi.org/10.1016/j.intman.2005.09.009">cybercrime</a> and <a href="https://theconversation.com/using-blockchain-to-secure-the-internet-of-things-90002">cybersecurity</a> over the past two decades, it is clear to me that cyberattacks have become <a href="https://theconversation.com/are-cryptocurrencies-a-dream-come-true-for-cyber-extortionists-80115">increasingly sophisticated</a>. The cyber insurance market’s extremely small size suggests that organizations and individuals might have underrated its importance. However, more and more internet users are finding reason to protect themselves. In 10 years’ time, <a href="https://www.ft.com/content/72e11ca6-98ad-11e7-8c5c-c8d8fa6961bb">insurance coverage for cyberattacks could be standard for every homeowner</a>. </p>
<h2>Who is buying cyber insurance?</h2>
<p>Certain types of companies tend to have – or not have – cyber insurance. The <a href="https://www.oecd-forum.org/users/85359-william-below-and-leigh-wolfrom/posts/30529-the-cyber-insurance-market-responding-to-a-risk-with-few-boundaries">larger the firm</a> and the more closely it <a href="https://economictimes.indiatimes.com/industry/banking/finance/insure/demand-for-cyber-cover-jumps-50/articleshow/62360112.cms">depends on computerized data</a>, the more likely it is to have coverage against digital threats. </p>
<p>For a company, that can make sense, because a digital intrusion can cost <a href="https://www.csoonline.com/article/3227065/security/cyber-attacks-cost-us-enterprises-13-million-on-average-in-2017.html">hundreds of thousands</a> or even millions of dollars to fix and recover from. For individuals, the costs of a breach are lower, but still significant – even <a href="https://www.bjs.gov/content/pub/pdf/vit14.pdf#page=7">as high as $5,000</a>.</p>
<p>Regular people are far less likely to have digital protection than companies are. In India, personal cyber insurance is <a href="https://www.bloombergquint.com/law-and-policy/will-personal-cyber-insurance-cover-phishing-hacking-and-stalking">less than 1 percent</a> of the total cyber insurance market. <a href="https://www.insurancejournal.com/news/national/2018/06/07/491496.htm">In the U.S.</a> and elsewhere, most products are <a href="https://www.ft.com/content/72e11ca6-98ad-11e7-8c5c-c8d8fa6961bb">targeted at rich people</a>. Insurers such as <a href="https://www.computerworld.com/article/3190209/cybercrime-hacking/how-one-personal-cyber-insurance-policy-stacks-up.html">AIG</a>, <a href="http://news.chubb.com/2018-05-30-Chubb-Launches-New-Personal-Cyber-Protection-Coverage">Chubb</a>, <a href="https://www.usatoday.com/story/money/personalfinance/2017/10/08/personal-cyber-insurance-deploy-case-attack/720073001/">Hartford Steam Boiler and NAS Insurance</a> sell personal cyber insurance policies as add-ons to homeowners’ and renters’ insurance.</p>
<p>The insurance industry is doing more, too. A wide range of insurers such as <a href="https://www.munichre.com/HSB/personal-cyber-insurance/index.html">Munich Re</a>, AIG’s CyberEdge, <a href="https://newsroom.saga.co.uk/news/saga-is-first-to-launch-personal-cybercrime-insurance-within-their-legal-expenses-cover">Saga Home Insurance</a>, <a href="https://www.burnsandwilcox.com/getting-personal-cyber-insurance-individuals/">Burns & Wilcox</a> and Chubb all offer cyber insurance for individuals. These plans <a href="https://www.insurancejournal.com/news/national/2018/06/07/491496.htm">cover as much as $250,0000</a> to repair or replace damaged devices and to pay for expert advice and assistance if a cyberattack affects a policyholder. They may also include data recovery, credit monitoring services and efforts to <a href="https://www.munichre.com/HSB/personal-cyber-insurance/index.html">undo identity theft</a>. </p>
<p>Even health services may be included: AIG’s new Family CyberEdge policy includes coverage for one year of <a href="https://www.computerworld.com/article/3190209/cybercrime-hacking/how-one-personal-cyber-insurance-policy-stacks-up.html">psychiatric services if a family member is victimized by cyberbullying</a>. Also covered is lost salary if the victim loses a job within 60 days of discovering the cyberbullying. Some insurers offer policies that provide help to <a href="https://www.americanbar.org/content/dam/aba/administrative/litigation/materials/2018-insurance/written-materials/cyber-policies.authcheckdam.pdf">assess policyholders’ data security practices and scan for cyberthreats</a>. </p>
<h2>Emerging dangers</h2>
<p>Another cybercrime that’s becoming increasingly common is called <a href="https://theconversation.com/the-petya-ransomware-attack-shows-how-many-people-still-dont-install-software-updates-77667">ransomware</a> – in which <a href="https://theconversation.com/its-easier-to-defend-against-ransomware-than-you-might-think-57258">malicious software takes over a person’s computer</a> and encrypts his or her data. Then the program <a href="https://theconversation.com/are-cryptocurrencies-a-dream-come-true-for-cyber-extortionists-80115">demands the victim pay a ransom</a> – often in bitcoin or other cryptocurrencies – to get the data decrypted. </p>
<p>Some ransomware attackers <a href="https://krebsonsecurity.com/2016/12/before-you-pay-that-ransomware-demand/">don’t actually decrypt the data</a>, even if they get paid – but that hasn’t stopped victims from paying big bucks – at least <a href="https://news.vice.com/en_us/article/4345ep/ransomware-how-hackers-make-you-pay">$1 billion in 2016 alone</a>. Even so, there are insurers who sell coverage against ransomware, providing backup and decryption services – or even <a href="https://www.munichre.com/HSB/personal-cyber-insurance/index.html">paying the ransom</a>. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/241741/original/file-20181022-105773-1jt0bde.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/241741/original/file-20181022-105773-1jt0bde.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/241741/original/file-20181022-105773-1jt0bde.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/241741/original/file-20181022-105773-1jt0bde.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/241741/original/file-20181022-105773-1jt0bde.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/241741/original/file-20181022-105773-1jt0bde.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/241741/original/file-20181022-105773-1jt0bde.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/241741/original/file-20181022-105773-1jt0bde.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Smart home technologies may be vulnerable to hackers.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/hand-using-smart-phone-home-control-593310101">mangpor2004/Shutterstock.com</a></span>
</figcaption>
</figure>
<p>As <a href="https://www.smartcitiesworld.net/special-reports/special-reports/why-the-smart-city-could-increasingly-start-at-home">smart home systems</a> become more popular – as well as various <a href="https://ssrn.com/abstract=2636412">technologies to monitor and help coordinate</a> local government services – they’ll provide <a href="http://www.zdnet.com/article/internet-of-things-a-security-threat-to-business-by-the-backdoor/">more potential entry points for hackers</a>. An average home insured by AIG <a href="https://www.ft.com/content/72e11ca6-98ad-11e7-8c5c-c8d8fa6961bb">has 20 Wi-Fi-enabled devices</a>. Replacing a hijacked home’s entire smart lighting system, smart entertainment center, thermostat and digital security devices will be expensive – and the bill will only be higher for communities using <a href="https://www.richardvanhooijdonk.com/en/blog/6-smartest-smart-cities-world/">internet-connected streetlights, water meters, electric cars and traffic controls</a>. Those are opportunities for insurance companies to step in.</p>
<h2>Some current challenges</h2>
<p>Before cyber insurance becomes more common, however, the insurance industry will likely have to come to some consensus about <a href="https://www.marsh.com/my/insights/research/cyber-risk-in-asia-pacific-the-case-for-greater-transparency.html">what will and won’t be covered</a>. At the moment <a href="http://www.theactuary.com/news/2018/08/uk-firms-ahead-of-the-curve-for-cyber-insurance-uptake/">each plan differs substantially</a> – so customers must conduct a detailed assessment of their own risks to figure out what to buy. Few people <a href="https://www.marsh.com/my/insights/research/cyber-risk-in-asia-pacific-the-case-for-greater-transparency.html">know enough</a> to be truly informed customers. Even <a href="https://www.insurancejournal.com/news/international/2018/05/15/489196.htm">insurance brokers don’t know enough</a> about cyber risks to usefully help their clients.</p>
<p>In addition, because cybercrime is relatively new, insurers do not have much data on how much various types of cybersecurity problems can cost to fix or recover from. They therefore tend to be <a href="https://blog.abacus.com/basics-of-cybersecurity-insurance/">conservative and overcharge</a>.</p>
<p>As people become better-informed about the digital dangers in their lives, and as insurance companies are able to more clearly explain – and more accurately price – their coverage options, the cyber insurance market will grow and may expand rapidly. In the meantime, most policies have some degree of custom design, so consumers should be careful to look for policies that actually cover their needs, and not just evaluate plans based on cost.</p>
<p class="fine-print"><em><span>Nir Kshetri does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
As cyberattacks and hacking become more common, businesses and private individuals are realizing that cleaning up from digital destruction can be expensive.
Nir Kshetri, Professor of Management, University of North Carolina – Greensboro
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/99150
2018-07-03T20:12:25Z
2018-07-03T20:12:25Z
Another day, another data breach – what to do when it happens to you
<figure><img src="https://images.theconversation.com/files/225874/original/file-20180703-116139-dq06b5.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">With so many reports of data breaches, it is easy to tune out to what is happening.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/blurred-large-crowd-people-719944354?src=H-X5LEKcXXIL-BL2gsY7pA-1-35">Shutterstock</a></span></figcaption></figure><p>Reports of data breaches are an increasingly common occurrence. In recent weeks, <a href="http://www.abc.net.au/news/2018-06-28/ticketmaster-contacts-customers-personal-details-data-breach/9919124">Ticketmaster</a>, <a href="https://www.computerworld.com.au/article/643222/healthengine-notifies-users-data-breach/">HealthEngine</a>, <a href="http://www.abc.net.au/news/2018-06-06/australian-data-may-be-compromised-in-pageup-security-breach/9840048">PageUp</a> and the <a href="http://www.abc.net.au/news/2018-07-01/data-breach-for-tasmsanian-voters/9928848">Tasmanian Electoral Commission</a> have all reported breaches.</p>
<p>It is easy to tune out to what is happening, particularly if it’s not your fault it happened in the first place. </p>
<p>But there are simple steps you can take to minimise the risk of the problem progressing from “identity compromise” to “identity crime”.</p>
<p>In 2012 former FBI Director <a href="https://archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies">Robert Mueller</a> famously said:</p>
<blockquote>
<p>I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.</p>
</blockquote>
<p>The types of personal information compromised might include names, addresses, dates of birth, credit card numbers, email addresses, usernames and passwords.</p>
<p>In some cases, very sensitive details relating to <a href="https://www.oaic.gov.au/media-and-speeches/statements/australian-red-cross-blood-service-data-breach">health</a> and <a href="https://eprints.qut.edu.au/119373/">sexuality</a> can be stolen.</p>
<h2>What’s the worst that can happen?</h2>
<p>In most cases, offenders are looking to gain money. But it’s important to differentiate between identity compromise and identity misuse.</p>
<p>Identity compromise is when your personal details are stolen, but no further action is taken. Identity misuse is more serious. That’s when your personal details are not only breached but are then used to perpetrate fraud, theft or other crimes.</p>
<p>Offenders might withdraw money from your accounts, open up new lines of credit or purchase new services in your name, or port your telecommunication services to another carrier. In worst case scenarios, victims of identity crime might be accused of a crime perpetrated by someone else.</p>
<p>The Australian government estimates that <a href="https://www.homeaffairs.gov.au/crime/Documents/infographic-identity-crime-australia.pdf">5% of Australians</a> (approximately 970,000 people) will lose money each year through identity crime, costing at least <a href="https://www.homeaffairs.gov.au/about/crime/identity-security/id-crime-australia">$2.2 billion annually</a>. And it’s not always reported, so that’s likely a conservative estimate.</p>
<p>While millions of people are exposed to identity compromise, far fewer will actually experience identity misuse. </p>
<p>But identity crime can be a <a href="https://www.smh.com.au/business/banking-and-finance/hounded-by-bill-collectors-credit-denied-my-three-years-in-identity-theft-hell-20170914-gyh2ob.html">devastating and traumatic</a> event. Victims spend an average of <a href="https://www.homeaffairs.gov.au/crime/Documents/infographic-identity-crime-australia.pdf">18 hours</a> repairing the damage and seeking to <a href="http://www.abc.net.au/news/2017-07-04/id-theft-like-a-bad-movie/8672400">restore their identity</a>. </p>
<p>It can be very difficult and cumbersome for a person to prove that any actions taken were not of their own doing.</p>
<h2>How will I know I’ve been hacked?</h2>
<p>Many victims of identity misuse do not realise until they start to receive bills for credit cards or services they don’t recognise, or are denied credit for a loan.</p>
<p>The organisations who hold your data often don’t realise they have been compromised for days, weeks or <a href="https://www.infocyte.com/blog/2016/7/26/how-many-days-does-it-take-to-discover-a-breach-the-answer-may-shock-you">even months</a>.</p>
<p>And when hacks do happen, organisations don’t always tell you upfront. The introduction of <a href="https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme">mandatory data breach notification laws</a> in Australia is a positive step toward making potential victims aware of a data compromise, giving them the power to take action to protect themselves.</p>
<h2>What can I do to keep safe?</h2>
<p>Most data breaches will not reveal your entire identity but rather expose partial details. However, motivated offenders can use these details to obtain further information.</p>
<p>These offenders view your personal information as a commodity that can be bought, sold and traded in for financial reward, so it makes sense to <a href="https://eprints.qut.edu.au/89299/">protect it</a> in the same way you would your money.</p>
<p>Here are some precautionary measures you can take to reduce the risks:</p>
<ul>
<li><p>Always use strong and unique passwords. Many of us reuse passwords across multiple platforms, which means that when one is breached, offenders can access multiple accounts. Consider using a <a href="https://1password.com/">password manager</a>.</p></li>
<li><p>Set up two-factor authentication where possible on all of your accounts.</p></li>
<li><p>Think about the information that you share and how it could be pieced together to form a holistic picture of you. For example, don’t use your mother’s maiden name as your personal security question if your entire family tree is available on a genealogy website. </p></li>
</ul>
<p>And here’s what to do if you think you have been caught up in a data breach:</p>
<ul>
<li><p>Change passwords on any account that’s been hacked, and on any other account using the same password.</p></li>
<li><p>Tell the relevant organisation what has happened. For example, if your credit card details have been compromised, you should contact your bank to cancel the card.</p></li>
<li><p>Report any financial losses to the <a href="https://www.acorn.gov.au/">Australian Cybercrime Online Reporting Network</a>. </p></li>
<li><p>Check all your financial accounts and consider getting a copy of your credit report via <a href="https://www.equifax.com.au/personal">Equifax</a>, <a href="http://dnb.com.au/">D&B</a> or <a href="http://www.experian.com.au/">Experian</a>. You can also put an alert on your name to prevent any future losses. </p></li>
<li><p>Be alert to any phishing emails. Offenders use creative methods to trick you into handing over personal information that helps them build a fuller profile of you. </p></li>
<li><p>If your email or social media accounts have been compromised, let your contacts know. They might also be targeted by an offender pretending to be you. </p></li>
<li><p>You can access personalised support at <a href="https://www.idcare.org/">iDcare</a>, the national support centre for identity crime in Australia and New Zealand. </p></li>
</ul>
<p>The vast number of data breaches happening in the world makes it easy to tune them out. But it is important to acknowledge the reality of identity compromise. That’s not to say you need to swear off social media and never fill out an online form. Being aware of the risks and how best to reduce them is an important step toward protecting yourself.</p>
<p>For further information about identity crime you can consult <a href="https://www.acorn.gov.au/">ACORN</a>, <a href="https://www.scamwatch.gov.au/types-of-scams/attempts-to-gain-your-personal-information">Scamwatch</a>, or the <a href="https://www.oaic.gov.au/">Office of the Australian Information Commissioner</a>. </p>
<p>If you are experiencing any distress as a result of identity crime, please contact <a href="https://www.lifeline.org.au/">Lifeline</a>.</p>
<p class="fine-print"><em><span>Cassandra Cross has received funding from the Criminology Research Grants Scheme. </span></em></p>
<p>Data breaches are a fact of modern life. It’s likely each of us will have our personal information compromised at some point. Here’s how to reduce the risk and limit the damage if and when it occurs.</p>
<p>Cassandra Cross, Senior Lecturer in Criminology, Queensland University of Technology</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<h1>How identity data is turning toxic for big companies</h1>
<p>2017-12-04T09:05:38Z</p>
<figure><img src="https://images.theconversation.com/files/197295/original/file-20171201-10155-re4sju.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">We want your data.</span> <span class="attribution"><span class="source">gualtiero boffi / Shutterstock.com</span></span></figcaption></figure>
<p>Google might be <a href="http://www.bbc.co.uk/news/technology-42166089">in trouble</a> for collecting the personal data of its users, but many companies have a growing incentive to rid their hands of the data that users entrust them with. This is because of growing costs of holding onto it. </p>
<p>A major cause is the rising number of cyber attacks where hackers steal the identity information held by companies, often to sell it on to various black markets. Take the <a href="http://www.bbc.co.uk/news/business-41474329">recent example of US giant Equifax</a>, one of the top three companies in the consumer credit reporting industry. It chalked up another 2.5m identity-theft casualties to its existing toll of 143m in October 2017. The firm has suffered a steady stream of identity information loss following a cyber-attack that took place in May this year, where hackers capitalised on weaknesses in its software. </p>
<p>The security breach – as a primary cause – resulted in around US$4.8 billion being wiped off Equifax’s market value from May to September 2017. It also tarnished its image and cost the firm’s longstanding CEO his job.</p>
<p>The Equifax data breach is just the tip of the iceberg. The latest Breach Level Index (BLI) <a href="http://breachlevelindex.com">published</a> by digital security company Gemalto shows a mounting figure of around 9.2 billion data-record losses since 2013. The BLI also reports that only a meagre 368m out of the 9.2 billion stolen records were concealed from potential hackers through the use of data-encoding technology. </p>
<p>The rate at which valuable identity information is flying out of the control of firms is alarming – more than 3,500 records per minute. Around 23% of the top data-breaches over the past five years contained consumers’ identity information – like names, dates-of-birth, addresses and account passwords. Corporate victims include big names such as Yahoo, eBay and JP Morgan Chase. </p>
<p>The volume and sophistication of these cyber-assaults will make top-level executives of firms that hold sensitive identity data anxious about its safe-keeping. </p>
<h2>Growing cost of regulation</h2>
<p>As well as cyber attacks, companies are having to contend with growing levels of regulation. As well as the regulations of the jurisdiction they are based in, when firms are spread across nations, they must also abide by international standards. </p>
<p>The cost of this compliance in the banking sector is increasing at an alarming rate. <a href="https://www.thetradenews.com/Sell-side/Banks-spent-close-to-$100-billion-on-compliance-last-year/">One report</a> has found that banks spent nearly US$100 billion on compliance in 2016 and the global spending on meeting the regulatory requirements increased from 15% to 25% over the previous four years. This skyrocketing spend on compliance leaves <a href="http://www.computerweekly.com/feature/Compliance-projects-take-40-of-Barclays-Banks-IT-budget-says-technology-chief">little room for product development</a>.</p>
<p>It has now become imperative for companies holding information on EU citizens to implement control mechanisms to protect personal data in accordance with the EU’s strict General Data Protection Regulation (GDPR) <a href="https://www.eugdpr.org/">guidelines</a>. GDPR, in essence, is about enhancing existing privacy protection. It will be enforced from May 25, 2018. </p>
<p>Non-compliance with GDPR may lead to fines to the tune of €20m or 4% of a firm’s global annual sales figure – whichever is greater. Already, implementing the necessary steps to adhere to the new regulation is proving to be expensive for organisations – especially firms with diverse and intertwined business portfolios. </p>
<p>Some estimates predict that purchasing the technology to adhere to the GDPR standards and avoid paying the exorbitant fines <a href="https://iapp.org/news/a/survey-breaks-down-gdpr-compliance-spending/">will cost</a> Fortune 500 companies on average US$1m each. Add to this the costs of permanent staffing and legal advice for this compliance, and you get the picture of overall spending required for one set of regulatory standards. Clearly, the price of such compliance will compel large organisations to explore the burgeoning market of cost-effective and innovative regulatory technology. </p>
<h2>A logical solution?</h2>
<p>At the point where the cost of protecting identity assets outweighs the benefit of storing them, the data becomes toxic for the organisation. As with any risk, companies must act to mitigate or remove it – in this case, breach of identity data. When similar risks emerged around securing payment card processing, solutions focused on tokenisation of card information within an organisation to minimise handling of clear text credit card numbers. It is hard to see how a similar approach could be applied to a multifaceted entity such as identity. </p>
<p>However, there is potential in the application of decentralised technologies that have emerged from the development of cryptocurrencies such as Bitcoin. In these models people could choose whether a centralised entity – such as a bank, for example – would manage their identity or whether they could manage it themselves. Models for a decentralised identity are emerging with parallel developments in the creation of a decentralised web. </p>
<p>There are a number of challenges for both private individuals and the traditional identity provider to overcome for this move to become a reality – including wider adoption of peer-to-peer trust models. But it seems increasingly possible that the cost of cyber attacks, together with regulatory compliance, could be the nudge that drives organisations to surrender their control over vast pools of identity information.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Bhargav Mitra, Senior Engineer, Queen's University Belfast</p>
<p>Robert McCausland, R&D Programme Manager, Queen's University Belfast</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<h1>Facebook is fighting social media identity theft in India, but it’s a global problem</h1>
<p>2017-07-31T19:53:53Z</p>
<p>Every Facebook account comes with a profile picture, but how can we prevent these often personal photos from being stolen? </p>
<p>Facebook has some ideas. In India, it recently <a href="https://newsroom.fb.com/news/2017/06/giving-people-more-control-over-their-facebook-profile-picture/">introduced new measures</a> – including a download guard and watermark – to fight the phenomenon. They’re useful tools, but user education must continue so that everyone understands and uses the platform’s privacy controls.</p>
<p>Stealing identifying information from social media sites is a <a href="https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf">favoured form</a> of identity theft. Typically it involves taking a user’s <a href="http://epublications.bond.edu.au/cgi/viewcontent.cgi?article=1729&context=law_pubs">publicly available data</a> such as addresses, phone numbers, gender, date of birth and photos, and using them to create fake online personas for the purposes of harassment or fraud.</p>
<p>This is a particular problem in India. It’s hard to get definitive data on the problem, but some reports suggest that identity theft <a href="http://www.experian.in/assets/Experian-launches-India-Fraud-Report-2016.pdf">accounted for 77%</a> of financial fraud cases in India in 2015. Social media scams are also a growing concern.</p>
<p>Facebook’s new picture protections are a good first step, but they are not enough.</p>
<h2>Will it be effective?</h2>
<p>In India, Facebook <a href="https://newsroom.fb.com/news/2017/06/giving-people-more-control-over-their-facebook-profile-picture/">has rolled out</a> a profile picture guard, which aims to prevent others from downloading or sharing the image on Facebook. </p>
<p>When uploading a profile picture, a border and shield symbol will now appear around it. The design feature adds an overlay akin to a watermark as a deterrent.</p>
<p>Facebook claims the design overlay may reduce the chances of profile picture copying by <a href="https://newsroom.fb.com/news/2017/06/giving-people-more-control-over-their-facebook-profile-picture/">at least 75%</a>. However, the pictures could still be captured via screenshot.</p>
<p>The ability to prevent a screenshot being taken of the profile picture is only available when using Facebook on <a href="https://newsroom.fb.com/news/2017/06/giving-people-more-control-over-their-facebook-profile-picture/">Android devices</a> and not on iOS, so far. There is also no restriction for users who take a screenshot from their desktop or laptop browsers.</p>
<p>The design overlay, however, may offer an effective deterrent to image theft. </p>
<p>It’s a step that other social media companies should follow, but companies like Snapchat already have some of their own inbuilt protections.</p>
<p>Photos shared on Snapchat self-destruct. The app also alerts users when someone takes a screenshot, potentially reducing some of the anxiety of photo-sharing. Facebook could learn from Snapchat by introducing a feature that sends an alert whenever another person takes a screenshot of your profile picture. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/180157/original/file-20170728-23805-16m6i2m.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/180157/original/file-20170728-23805-16m6i2m.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=460&fit=crop&dpr=1 600w, https://images.theconversation.com/files/180157/original/file-20170728-23805-16m6i2m.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=460&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/180157/original/file-20170728-23805-16m6i2m.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=460&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/180157/original/file-20170728-23805-16m6i2m.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=578&fit=crop&dpr=1 754w, https://images.theconversation.com/files/180157/original/file-20170728-23805-16m6i2m.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=578&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/180157/original/file-20170728-23805-16m6i2m.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=578&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Facebook explains how to turn on privacy guard.</span>
<span class="attribution"><span class="source">Facebook</span>, <span class="license">Author provided</span></span>
</figcaption>
</figure>
<h2>Who owns your picture, anyway?</h2>
<p>Depending on the jurisdiction, unlawfully accessing a user’s social media account, taking personal information and creating a fake online profile may be illegal. </p>
<p>In the <a href="http://www.cps.gov.uk/consultations/social_media_consultation_2016.html">United Kingdom</a>, for example, the creation of a false or offensive social media profile could lead to a criminal conviction. In <a href="http://www.legalaid.nsw.gov.au/publications/factsheets-and-resources/online-social-networking-identity-theft">Australia</a> the situation is similar. Creating a fake profile “with the intention of committing a crime” is illegal.</p>
<p>Facebook also bans fake profiles. The copyright holder (the person who originally uploaded their profile picture) typically retains <a href="https://www.facebook.com/help/1020633957973118?helpref=hc_global_nav">legal rights</a> to their image. But by uploading photos on Facebook, users give <a href="https://www.facebook.com/terms.php">Facebook</a> a non-exclusive, transferable, sub-licensable, royalty-free, worldwide licence to use them.</p>
<p>If identity theft does occur, identifying and proving rights and ownership of copyrighted content can also be <a href="https://books.google.com.au/books?id=3RUdCgAAQBAJ&pg=PA178&lpg=PA178&dq=Federal+Trade+Commission+%2B+identity+theft+victim+%2B+200+hours&source=bl&ots=6UT1sSbEq_&sig=YBzI9lq_3x17_o1t0N6dMOoIBz0&hl=en&sa=X&ved=0ahUKEwji5IfsmKvVAhWCE7wKHfyYAFwQ6AEIVjAI#v=onepage&q&f=false">a drawn out and frustrating process</a>.</p>
<p>No matter the legal situation, every time an image is shared on social media, the quandary of sharing versus protecting must be considered.</p>
<h2>It’s not just India</h2>
<p>Social media identity theft is a global issue. </p>
<p>In Australia, the government estimates the annual cost of identity crime to be <a href="https://www.ag.gov.au/RightsAndProtections/IdentitySecurity/Pages/Trends-in-Identity-Crime.aspx">A$2.2 billion</a>. In <a href="https://www.ag.gov.au/RightsAndProtections/IdentitySecurity/Documents/Identity-crime-and-misuse-in-Australia-2016.pdf">9% of cases</a> the personal information of victims was stolen from social media. <a href="https://www.scamwatch.gov.au/news/spot-social-media-scams-national-consumer-fraud-week-2017">One third</a> of reported dating and romance scams are perpetrated through social media. </p>
<p>Identity fraud represents <a href="https://www.cifas.org.uk/secure/contentPORT/uploads/documents/160706_cifas_fraudscape_ONLINE.pdf">53% of all fraud</a> in the United Kingdom, with <a href="https://www.cifas.org.uk/secure/contentPORT/uploads/documents/160706_cifas_fraudscape_ONLINE.pdf">86% of identity fraud cases</a> enabled via the internet.</p>
<p>While Facebook’s picture guard and picture watermark are not foolproof, they could well reduce identity theft and give Indian social media users some additional peace of mind. India is a test case but the countermeasures rolled out by Facebook should be available to everyone. </p>
<p>Social media companies could do more to build protections against photo stealing into their platforms, and make users aware of the available tools. Users should also use their discretion and not let their guard down in the social media hunting ground.</p>
<p class="fine-print"><em><span>Ritesh Chugh does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Every Facebook profile comes with a profile picture, but how can we prevent these often personal photos from being stolen?</p>
<p>Ritesh Chugh, Senior Lecturer (Information Systems Management), CQUniversity Australia</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<h1>Online security won’t improve until companies stop passing the buck to the customer</h1>
<p>2017-05-03T14:07:24Z</p>
<figure><img src="https://images.theconversation.com/files/165124/original/image-20170412-25862-13lfj3o.jpg?ixlib=rb-1.1.0&rect=0%2C231%2C3518%2C2570&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">'No, I absolutely do not wish to change my password, thanks.'</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/cyber-security-firewall-privacy-concept-429812950?src=gECwMTjbbIUW6Ep2hKl0SQ-1-1">Shutterstock/Rawpixel.com</a></span></figcaption></figure>
<p>It’s normally in the final seconds of a TV or radio interview that security experts get asked for advice for the general public – something simple, unambiguous, and universally applicable. It’s a fair question, and what the public want. But simple answers are usually wrong, and can do more harm than good.</p>
<p>For example, take the UK government’s <a href="https://www.cyberaware.gov.uk/">Cyber Aware scheme</a> to educate the public in cybersecurity. It recommends individuals choose long and complex passwords made out of three words. The problem with this advice is that the resulting passwords are hard to remember, especially as people have many passwords and use some infrequently. Consequently, they will be tempted to use the same password on multiple websites.</p>
<p>Password re-use is far more of a security problem than insufficiently complex passwords, so advice that doesn’t help people manage multiple passwords does more harm than good. Instead, I would recommend remembering your most important passwords (like banking and email), and storing the rest in a password manager. This approach <a href="https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers">isn’t perfect or suitable for everyone</a>, but for most people, it will improve their security.</p>
<h2>Advice unfit for the real world</h2>
<p>Cyber Aware also tells people not to write down their passwords, or let anyone else know them – banks require the same thing. But we know that people <a href="https://www.benthamsgaze.org/2016/02/17/are-payment-card-contracts-unfair/">commonly share their banking credentials</a> with family, for legitimate reasons. People also realise that writing down passwords is a pretty good approach if you’re only worried about internet hackers, rather than people who can get close to you to see the written notes. Security advice that doesn’t stand up to scrutiny or doesn’t fit with people’s lives will be ignored – and will discredit the organisation offering it.</p>
<p>Because everyone’s situation is different, good security advice should include helping people to understand what risks they should be worried about, and to take steps that mitigate these risks. This advice doesn’t have to be complicated. Teen Vogue published a tutorial on <a href="http://www.teenvogue.com/story/how-to-keep-messages-secure">how to select and configure a secure messaging tool</a>, which very sensibly explains that if you are more worried about invasions of privacy from people who can get their hands on your phone, you should make different choices than if you are just concerned about, for example, companies spying on you. </p>
<p>The <a href="http://www.teenvogue.com/story/how-to-keep-messages-secure">Teen Vogue article</a> was widely praised by security experts, in stark contrast to <a href="https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages">an article in The Guardian</a> that made the eye-catching claim that encrypted messaging service WhatsApp is insecure, without making clear that this only applies in an obscure and extremely unlikely set of circumstances.</p>
<p>Zeynep Tufekci, a researcher studying the effects of technology on society, reported that the article was exploited to <a href="http://technosociology.org/?page_id=1687">legitimise misleading advice</a> given by the Turkish government that <a href="http://www.cumhuriyet.com.tr/haber/dunya/659903/WhatsApp_ta_korkutan_guvenlik_acigi_iddiasi__Devlet__sifreli_mesaji_okuyabilir.html">WhatsApp is unsafe</a>, resulting in human rights activists using SMS instead – which is far easier for the government to censor and monitor.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/165128/original/image-20170412-25898-gk72ce.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/165128/original/image-20170412-25898-gk72ce.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/165128/original/image-20170412-25898-gk72ce.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/165128/original/image-20170412-25898-gk72ce.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/165128/original/image-20170412-25898-gk72ce.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/165128/original/image-20170412-25898-gk72ce.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/165128/original/image-20170412-25898-gk72ce.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">WhatsApp introduced encrypted chats in April 2016.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/riga-latvia-september-8-2016-whatsapp-500187130?src=qPXnEvv-saFm3fbhCl0clg-1-6">Shutterstock/Kaspars Grinvalds</a></span>
</figcaption>
</figure>
<p>The Turkish government’s “security advice” to move from WhatsApp to less secure SMS was clearly aimed more at assisting its surveillance efforts than helping the activists to whom the advice was directed. Another case where the advice is more for the benefit of the organisation giving it is that of banks, where the terms and conditions small print gives <a href="https://www.benthamsgaze.org/2016/06/02/international-comparison-of-bank-fraud-reimbursement-customer-perceptions-and-contractual-terms/">incomprehensible security advice</a> that isn’t true security advice, but merely a legal technique to allow the banks wiggle room to refuse to refund victims of fraud. </p>
<p>It’s for this reason that prominent bank marketing is aimed at making customers feel safe, while security advice is buried in places banks know customers don’t read. Despite complaints from consumer groups like Which? to the Payment Systems Regulator, so far <a href="http://www.which.co.uk/news/2016/12/super-complaint-response-lets-banks-off-the-hook-458882/">banks have got away with this</a>.</p>
<h2>Out of your hands</h2>
<p>Giving good security advice is hard because very often individuals have little or no effective control over their security. For example, the extent to which a customer is at risk of being defrauded largely depends on how good their bank’s security is, something customers cannot know. </p>
<p>Similarly, identity fraud is the result of companies doing a poor job at verifying identity. If a criminal can fraudulently take out a loan using another’s name, address, and date of birth from the public record, that’s the fault of the lender – not, as Cifas, a trade organisation for lenders, <a href="https://www.cifas.org.uk/press_centre/identity-fraud-reaches-record-levels">claims</a>, because customers “don’t take the same care to protect our most important asset – our identities”. </p>
<p>Keeping your computer or smartphone software up-to-date is good advice, but is only any use if the device’s manufacturer provides security updates and ensures that they’re tested and don’t cause <a href="https://vaniea.com/papers/chi2016.pdf">more problems than they solve</a>.</p>
<p>It is precisely because security is so often out of the hands of individuals that the new UK National Cyber Security Centre (NCSC) has focused its advice on helping companies improve security, without placing an undue burden on the customer (or even requiring them to read the advice). Its <a href="https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach">passwords guidance</a> shows how companies can remain secure even when most of their customers choose fairly simple passwords. This advice was developed in collaboration with the <a href="https://www.riscs.org.uk/">Research Institute in Science of Cyber Security (RISCS)</a> which promotes evidence-based research. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/u6x9C7t_41s?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
</figure>
<p>NCSC chief executive Ciaran Martin promoted this guidance at an event in February, and at the CyberUK event in Liverpool last month. And in March, NCSC launched a video explaining that “<a href="https://www.ncsc.gov.uk/information/people-strongest-link">If security does not work for people, it doesn’t work</a>”. This workable security advice, based on RISCS research, is having an effect: the government no longer recommends regularly changing passwords, because doing so has been shown to have a harmful effect on security. However, Cyber Aware, another government website, still offers advice to consumers that is out-of-date and counterproductive. </p>
<p>Customers do want to protect themselves, and there is a clear demand for good security advice. But this advice needs to be realistic, needs to consider that different individuals have different circumstances that require different approaches, and put the interests of the customer first. Companies that develop security systems are in the best position to improve security, and they must take responsibility for doing so by learning from the research that reveals how individuals really use, understand, and misunderstand security technology.</p>
<p class="fine-print"><em><span>Steven J. Murdoch receives funding from the Royal Society, the European Union, and VASCO. </span></em></p>
<p>If security advice from government agencies doesn’t ring true, customers won’t take it – which puts us all at risk.</p>
<p>Steven J. Murdoch, Royal Society University Research Fellow, UCL</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<h1>How to avoid getting hooked by a festive season phishing scam</h1>
<p>2015-12-14T04:19:24Z</p>
<figure><img src="https://images.theconversation.com/files/105385/original/image-20151211-22337-1m8069m.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">If an online offer seems too good to be true, it probably is and you're being phished.</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>Email phishing attacks are <a href="https://docs.apwg.org/reports/apwg_trends_report_q4_2014.pdf">especially popular</a> over the festive season, partly because there’s an increase in email marketing and special offers linked to the holidays.</p>
<p>During the fourth quarter of 2014, for instance, the number of unique phishing attacks globally went up by 18% compared with the third quarter that year, <a href="https://docs.apwg.org/reports/apwg_trends_report_q4_2014.pdf">according to</a> the Anti-Phishing Working Group.</p>
<p>A total of 437 brands were targeted and 46,824 unique phishing websites were <a href="https://docs.apwg.org/reports/apwg_trends_report_q4_2014.pdf">reported</a>, the majority of them hosted in the US. The most-targeted industries for phishing attacks are retail/service, financial services and payment services. </p>
<p>It seems that during the Christmas period people are probably more likely to respond to these offers. They also appear willing to spend more money than usual. This creates a perfect opportunity for cyber criminals to bait their hooks.</p>
<p>But what is phishing and why does it happen? And how can people guard against it?</p>
<h2>Identity theft</h2>
<p>To begin with, it’s important to understand the practice that lies at the heart of phishing: identity theft. This is a form of fraud in which one person pretends to be someone else to illegitimately benefit at the victim’s expense.</p>
<p>Cyber criminals usually acquire the information that they need by stealing a wallet, going through mail, or <a href="http://www.nytimes.com/2003/12/21/magazine/21IDENTITY.html?pagewanted=all">dumpster diving</a>. They also target organisations that are in possession of sensitive private information by stealing IDs, back-ups or documentation.</p>
<p>In the US in 2014 there was one new victim of identity theft <a href="http://www.bjs.gov/content/pub/pdf/vit14.pdf">every two seconds</a>.</p>
<p>In South Africa, identity theft losses amount to more than R1 billion annually according to the <a href="https://www.safps.org.za">Southern African Fraud Prevention Services</a>. In 2014, 3600 cases were reported, and the organisation believes that more than 4000 cases will be reported by the end of 2015.</p>
<p>In the anonymous world of the internet, individuals are uniquely identified by account numbers and passwords which form the basis of online authentication.</p>
<p>Online identity theft happens when a victim’s online identity is stolen by cyber criminals and used for unauthorised purposes that cause financial losses to the victim. Email phishing attacks are an increasingly popular and sophisticated method that cyber criminals employ to get the information they require to commit online identity theft.</p>
<h2>Phishing</h2>
<p>Phishing is an online identity theft method in which spoofed emails are sent out to lure recipients through embedded hyperlinks to fraudulent websites. Here, cyber criminals attempt to trick online users into divulging personal financial data like passwords and account numbers.</p>
<p>Initially, phishing emails and the associated bogus websites were mostly masked as coming from financial services institutions. These were easily identifiable because of poor language and grammar or non-authentic-looking copies of websites.</p>
<p>But this is no longer the case. As users grew more sophisticated, so too did cyber criminals. In recent years they have begun targeting a wider set of industries, using more authentic-looking emails and websites.</p>
<h2>A possible solution?</h2>
<p>Well-planned phishing websites fool more than 90% of respondents, while 23% do not notice browser-based security warnings and indicators and 15% ignore these warnings, according to a Harvard University <a href="http://www.eecs.berkeley.edu/%7Etygar/papers/Phishing/why_phishing_works.pdf">study</a>. Researchers found no correlation between victims’ vulnerability and their gender, age, education levels or computer experience.</p>
<p>Keeping yourself abreast of phishing trends is useful. Research recommends these <a href="http://www.emeraldinsight.com/doi/abs/10.1108/02640470710829514">anti-phishing measures</a> as first steps to protect your online privacy:</p>
<ul>
<li><p>be cautious with emails and confidential information;</p></li>
<li><p>look for indications that browsers and websites are secure and legitimate; </p></li>
<li><p>employ available security measures; and</p></li>
<li><p>keep in mind that when an offer appears too good to be true, it probably is.</p></li>
</ul>
<p>We are doing new research to find out how people view the threat of phishing and what steps they take to avoid phishing. The information will help us find ways to improve online security. </p>
<p>Whether you think you’re vulnerable to phishing, believe you’re well protected or genuinely have no idea, you can contribute to this research by clicking <a href="https://www.surveymonkey.com/r/OnlineSafetyConversation">here</a> to complete the survey.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Phishing attempts tend to rise during the festive season when people are more likely to respond to online marketing and to spend more money. How can you protect yourself?
Rika Butler, Associate Professor in Auditing at the School of Accountancy, Stellenbosch University
Martin Butler, Senior Lecturer in Business Management and Administration, Stellenbosch University
Licensed as Creative Commons – attribution, no derivatives.