Remember when global surveillance used to be a meme among conspiracy theorists?
Pepperidge Farm remembers
What can we say about a corporation doing a trust score for half of the connected population in the world? I wonder about their ego, or what went wrong in their management.
Would this be a breach of GDPR for us EU residents?
I'm getting seriously disillusioned with all this surveillance stuff. At first I thought, you know, these were isolated incidents falling through the cracks, but in truth it's become pervasive and global. The scariest aspect is how individual actors have the ability these days to gather, interpret and isolate individuals from massive datasets; anonymising the data seems pie in the sky.
I don't see much stopping it either; in society it seems to be the extremes: some wrongly think GDPR applies to everything and others are so sophisticated they can bypass it completely. Have we gotten too advanced, whereby only experts understand the impacts of our actions? Sorry, I'm getting all philosophical.
It is, and this article announced Noyb filed a complaint against BICS, TeleSign and Proximus with the Belgian DPA to request actions be taken (investigation, fines, removal of data, …).
One of the most sobering experiences I’ve had was reading a writeup on how someone was doxxed using ad telemetry. If that can be done by a lone individual, imagine what can be done en masse.
Unfortunately it appears the site this had been on is not available anymore. However I found an equally interesting article talking about similar things. Rather than buying aggregate data and attempting to de-aggregate it, this is about targeting an individual using previously obtained information (say email, cellphone, or physical address) and “ad sniping” them.
It definitely would, but GDPR is not being enforced anywhere near enough to matter. Facebook and Google are still alive and you bet their tracking and profiles are much more accurate than these clowns.
Well, literally billions of people accept their privacy agreements and actively provide them with data from their phones by using their software. That's quite different from an unknown party telling other companies whether you're reliable without your knowledge based on data neither you nor your provider ever agreed to give them.
Nobody reads their privacy agreements. They accept them as a formality because these services became effectively mandatory to participate in modern society, but they do freak out when they see the consequences of all this non-consensual data collection: https://www.newstatesman.com/science-tech/2016/09/people-you...
> I wonder about their ego, or what went wrong in their management.
The article didn't insinuate that data is being used to objectively harm users. It's being used to generate "trust scores" for anti-fraud systems. The specific example given in their piece is allowing a user to attach a certain number for SMS verification.
Rather, the point here is that such data could be used to objectively harm users, so those users should have to provide consent. Second to that is that BICS doesn't appear to inform users requesting GDPR data that their data was shared.
I'm not sure I'd label that failures in ego, it smells like failures in process and compliance, which also need to be dealt with in lawsuits.
It likely does cause users to be treated differently, and that may not always be lawful or in users' best interest. I was forced to go to a bank branch, likely because my provider doesn't share the data. Better yet, when I realized my mistake of dealing with said bank, going to the branch was the only way to stop the application.
I work in fraud prevention with vendors such as this. Let me be the devil's advocate here: trust and risk scores such as these are often very useful for identifying account takeovers and stolen identities in the financial and telecom worlds. We often see folks on HN complaining about how banks don't protect them from fraud losses - companies like this are how there is any hope left for some modicum of consumer protection.
You may ask: Then why do banks not protect me from losses better?
I say: They're already doing something (invisible as it may be). They can definitely do a better job. But without companies such as Telesign, fraud losses would be far, far worse.
You may ask: What if my data gathered is used for nefarious purposes?
I say: In my experience, data such as this is not allowed to be used for marketing purposes but strictly for consumer protection. I'm not specifically speaking about TeleSign but similar vendors. The worst that should happen is that you get a transaction declined, or get denied for a credit card etc. But no marketing or any other manipulative practice is allowed, in theory.
> They're already doing something (invisible as it may be). They can definitely do a better job. But without companies such as Telesign, fraud losses would be far, far worse.
Until banks accept that they got defrauded, not you, whatever they do will be too little.
> Until banks accept that they got defrauded, not you, whatever they do will be too little.
True. Regardless of accepting responsibility, I think they're spending a good bit of money on preventing fraud from happening [1]. Maybe some regulation around banks taking fraud losses would do the trick, but the flipside would be that simple financial flows of legitimate customers would become full of friction as banks race to lock down fraud losses. Fraud detection is a really hard problem for even a human, let alone models.
No-one is actually breaking into a bank and stealing $$ from your account.
Virtually all of the fraud is happening due to the customer's own fault, not strictly the bank's fault:
1. installed malware and got all saved CC data stolen
2. the website you ordered your widgets from got hacked and your CC stolen
3. clicked a phishing link and lost your online bank credentials
4. got scammed and sent Zelle to a scammer
5. used a shady website to order deeply discounted electronics / signed up for an adult membership website, and gave your CC data right into the hands of fraudsters
6. used a shady third-party ATM in a tourist place like Cancun and got your card skimmed, etc.
7. used the same user/pass credentials for online banking as for your email account, and your online bank got taken over
So point by point:
1. Stealing a credit card number, CVV, expiry, and name shouldn't be game over. It is because businesses want to reduce friction for customer purchases. If card-not-present transactions required a second step of verification, for example multi-factor authentication, it would drastically reduce this type of fraud. Unfortunately it would also increase friction for online purchases, which is why everyone in the card processing chain is looking to shift liability away from themselves.
2. That is not the customer's fault. Full stop. Yes, some sites are more shady than others, but there is nothing a consumer can do to determine if a service provider will get hacked.
3. Yes. Unfortunately, phishing is really easy. Despite the prevalence of this attack, training users to effectively detect and avoid being a victim is almost impossible.
4. See #3.
5. See #2.
6. How is a customer supposed to validate the security of an ATM against modern skimming technology, much of which is virtually indistinguishable from normal bank machines?
7. Yep, not great. Why don't banks require 2FA? Because it creates friction and increases costs. Better to just externalize the risk.
Your entire blame the user argument is bunk that has been packaged up and recirculated by the finance community for almost 20 years (and I have been using these arguments against them for nearly that long, granted it's close to ~12 years since I worked in infosec at a bank).
The answer is simple: if you can't use technology safely, don't use it! The problem is nobody is teaching effective fraud defense for consumers at scale.
Disable online banking, use checkbook and write checks everywhere or carry cash. I still see older people use checkbooks from time to time, even shopping groceries.
Problem solved.
We require a driver's license to operate a vehicle; it is time we required infosec101 training before handing over credit cards and/or online banking accounts.
So that you cannot blame the bank for your own fault.
Or migrate to something like Apple Pay, but that also does not guarantee 100% fraud prevention.
Oh if the world could just be so simple. Can't protect yourself from getting mugged, stop going outside. Problem solved.
The reality of any non-trivial issue is that we have to consider potential improvements from all angles. I want to improve tech for grandma and for the bank, doesn't that seem like a goal worth working towards? And let's please not pretend that banks are infallible in all of this, they also have opportunities to improve.
The actual protection from getting mugged is moving to a safe neighbourhood.
People must adapt, because it is unreasonable to expect the world to adapt to the most naive user. You either will get mugged every day, or you learn your lesson and move out to a safe neighborhood, or you buy a gun and solve the mugging problem for everybody else one shot at a time.
Same with fraud: the user will continue getting defrauded and scammed until the user learns the lesson and either abandons tech he/she is unable to use securely, or adapts and learns how to use it.
> The actual protection from getting mugged is moving to a safe neighbourhood. People must adapt, because it is unreasonable to expect the world to adapt to the most naive user. You either will get mugged every day, or you learn your lesson and move out to a safe neighborhood, or you buy a gun and solve the mugging problem for everybody else one shot at a time.
It's almost cute how you think people living in places with high crime rates wouldn't jump at the chance to move to a nicer neighborhood with lower crime rates, and that the reason they don't is because they haven't "learned their lesson".
Everyone buying guns and then going around shooting criminals is not a solution to crime, but if you're convinced it's a good idea, why not try it for yourself and "learn your lesson"?
So you are advocating for the vast majority of the internet population to stop using online banking.
Let's flip the omelette: no one forces banks to do business online; if a bank can't build secure online banking, they can default to checkbooks and cash. They have the means and motive to build solutions that are actually secure and usable, so they should bear the burden of dealing with fraud when their solutions fail to be secure.
Most of the online banks are pretty secure for a non-oblivious person.
I always used online banking and never got scammed. It is pretty secure for me.
A combination of user & password with enough entropy, and basic brute-force defense that blocks after 3-4 attempts, is the industry minimum standard.
The user is the weakest link, always; you cannot fix the "stupid" user that downloads malware, warez, adult content and gets infected and loses everything.
These people need a life lesson to learn how to operate technology safely.
Although I agree that online banking could be made more secure, the threat model will immediately evolve and adapt because scammers/fraudsters are still there and they want to eat.
> Most of the online banks are pretty secure for a non-oblivious person.
Ok, granted, I spent the last 23 years of my life working in IT security across consulting, government, finance, and tech companies, but this is just garbage. Banks only invest in security to the degree that:
- they are legally required to
- they have contractual obligations to
- that the risk of loss for a specific class of incident exceeds their self-insurance threshold
That's not a hypothetical comment, that is something that was explained to me as an AppSec lead when running into walls trying to get some issues fixed at one of the largest banks in the world. For the record, the issues that I was trying to have remediated would have had to exceed an annualized loss expectancy for the region I was operating in of 10 million dollars per year to be considered risky.
Your definition of a bank being pretty secure and mine are probably radically different.
> A combination of user & password with enough entropy, and basic brute-force defense that blocks after 3-4 attempts, is the industry minimum standard.
Sure, users should choose strong passwords. Banks should also require multi-factor authentication (real 2fa, not the SMS based weaksauce that a bunch use). But, that increases support and transaction costs. So, instead, blame the user! Beyond password selection, there is also the issue of how passwords are hashed, salted, stored, and brokered into a more reliable back-end credential that can be used, absolutely none of which the user has input into or control over, but sure, blame the user.
> The user is the weakest link, always; you cannot fix the "stupid" user that downloads malware, warez, adult content and gets infected and loses everything.
*sigh* You really like banging that drum.
> These people need a life lesson to learn how to operate technology safely.
> Although I agree that online banking could be made more secure, the threat model will immediately evolve and adapt because scammers/fraudsters are still there and they want to eat.
There is absolutely no way to train average users to operate modern internet technologies safely, because the average user has no effective control over the software and hardware they use (yes, Linux is a thing, and so is open source hardware, but users of those OSes and hardware are not average users).
The primary reason the incidence of fraud is so high in the finance sector is because business has chosen to optimize for high transaction volume, and has accepted the risks of doing so. Stop trying to blame end users.
> We require a driver's license to operate a vehicle; it is time we required infosec101 training before handing over credit cards and/or online banking accounts.
Sure. Why not start with an outline for what infosec101 should look like. Include estimates for how long the training should take, what the cadence for testing should be, and which agency should be responsible for validating that training. Do be sure to accurately communicate the degree to which an end user with a chip enabled bank or credit card has the ability to distinguish and disambiguate what constitutes a 'safe' or 'legitimate' online business. Also, include some details about how individuals who have been certified as completing this class and/or licensing scheme should procure insurance to protect themselves in case of an accidental data breach (for example, they leak their card info), and outline the process by which that same licensee can file an insurance claim against the insured party downstream of the physical point of payment or online payment portal that allowed a breach to happen. After all - if we are going to require online safety training, and licensing, then we should create another insurance scheme to facilitate resolution of those claims and resolve the costs.
It is really easy to point the fingers at a customer and say "problem exists between chair and keyboard", but the reality is that in the modern economy, the end user has almost no control over the security of their transactions, and little ability to influence how their purchase is handled beyond the question of "cash or card".
The only incentive that retailers, online stores, payment processors, and financial institutions have to resolve this is the simple fact that they own the liability for this, and it's only through the myth of the idiot user that they have been able to shift that liability, to varying degrees, back to the consumer.
8. Using Android phones that haven't received any security updates in the last few years because the vendor stopped releasing updates a couple of years after the release.
So true, and something I see every day on my job! It's no wonder then that financial companies have to resort to using data from companies like Telesign to view these red flags and attempt to detect fraud.
The question here isn't (primarily at least) whether this is a good or bad thing, the important question is if this arrangement is legal under EU law. It can be the most beneficial thing in the world and still be illegal.
That's very true. I think my comment was more in response to other comments talking about "surveillance" and "trust", but you're right that if the data collection itself is illegal, there are no two sides about it :)
Since the NSA has shown they can't do it, I'd venture to guess the likelihood of Telesign or any other company being breached is approaching a 100% chance.
Ahh that's a great question - it's a very real risk. In my mind, most of the data these companies have is sourced from other companies so all that these vendors do is increase the surface area for the attack vectors. And the (probably naive) hope is that the attackers can't do much with data such as trust scores and the underlying factors.
How come all online VISA transactions don't have to be completed through a redirect to visa.com or master.com (or maybe the bank's website), but instead we're typing card numbers into sketchy websites? (I guess EU 2FA requirements are pushing the boundary, but very slowly and often in ways that still appear remarkably sketchy.)
Trust scores of IPs and phone numbers are a tool, but when physically hardened security tokens aren't widely supported, I'd argue the essential tools simply aren't available to users.
I support your argument about Yubikeys - I myself use them for any financial site that allows it. A lot of companies do use them to check for fraudulent logins. But the friction of it is high enough that companies would much rather take the loss than force their customers to authenticate every time a transaction has to be made. Also, I think until it is normalized in the industry, there is a consumer perception of physical keys being too technically difficult to obtain, set up and manage. Not to mention, all the Yubikeys in the world still don't help if one goes and gets phished/socially engineered :)
It would be trivial for sketchy websites to have fake (but real looking) "official" Visa/MC forms, or even for multiple fake "official" sites to be set up. So redirecting everyone to the One True Payment System is no solution to fraudulent websites.
It is when a bank phone app is being used as a second factor (or, when on your phone, it redirects to it). This has been used in the Netherlands for almost 2 decades[1] for online payments (iDeal) and card fraud is basically a non-issue.
[1] Before smartphones a hardware token that requires your physical card was used.
What I want to know is how "the regularity of completed calls, call duration, long-term inactivity, range activity, or successful incoming traffic" translates to a trust score. Do less trustworthy people tend to make longer or shorter phone calls than more trustworthy people? And what even is range activity, not to mention how does it relate to trustworthiness?
I haven't worked with Telesign data but I can attempt a guess. Think of how a fraudster uses a phone versus how a legitimate customer uses a phone:
1. The former is likely using a throwaway phone number, the latter is using an established phone number. You can tell the difference with the number of completed calls over time, call duration etc. Burner phones will have bursts of high intensity activity to several different phone numbers whereas legitimate phones will have lots of successfully completed phone calls over a long period of time to repeating phone numbers.
2. The former will likely place calls all over the country or world as they attempt to raid several bank accounts digitally. The latter will probably have more local calls since they're calling their doctors, schools, etc. This is probably where range activity plays a role.
I'm not defending Telesign or how they collect data - I'm merely saying this data has value in account protection.
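As an added illustration (not the commenter's code and not TeleSign's or BICS's actual method), the toy Python below turns the guessed signals above into features and a score for two constructed call histories: completed-call rate, repeat contacts, length of history, share of "local" calls and burstiness. Every weight, threshold, region label and sample record is an assumption made here.

```python
"""Toy feature extractor for the call-pattern signals guessed at above.

Constructed example: the sample records, the region labels, the weights and
the thresholds are all assumptions, not any vendor's real scoring model.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Call:
    when: datetime
    callee: str          # number of the other party (constructed)
    region: str          # coarse geographic area of the callee (assumed label)
    completed: bool      # call was answered
    duration_s: int


def features(calls, home_region):
    """Summarise one subscriber's call history into the features discussed above."""
    if not calls:
        return {"completion_rate": 0.0, "repeat_ratio": 0.0,
                "span_days": 0.0, "local_ratio": 0.0, "burstiness": 0.0}
    completed = [c for c in calls if c.completed]
    callees = [c.callee for c in calls]
    # Repeat contacts: share of calls that go to a number already called before.
    repeat_ratio = 1 - len(set(callees)) / len(callees)
    times = sorted(c.when for c in calls)
    span_days = (times[-1] - times[0]).total_seconds() / 86400
    # Burstiness: fraction of all calls that land in the single busiest hour.
    hour_counts = {}
    for t in times:
        key = t.replace(minute=0, second=0, microsecond=0)
        hour_counts[key] = hour_counts.get(key, 0) + 1
    burstiness = max(hour_counts.values()) / len(calls)
    local_ratio = sum(c.region == home_region for c in calls) / len(calls)
    return {
        "completion_rate": len(completed) / len(calls),
        "repeat_ratio": repeat_ratio,
        "span_days": span_days,
        "local_ratio": local_ratio,
        "burstiness": burstiness,
    }


def trust_score(f):
    """Map features to 0..100 with assumed weights; higher looks more 'established'."""
    span_component = min(f["span_days"] / 180, 1.0)   # saturate at ~6 months of history
    score = (0.3 * f["completion_rate"]
             + 0.25 * f["repeat_ratio"]
             + 0.25 * span_component
             + 0.1 * f["local_ratio"]
             + 0.1 * (1 - f["burstiness"]))
    return round(100 * score)


def constructed_history(kind):
    """Constructed sample data for the two usage patterns the comment describes."""
    start = datetime(2022, 1, 10, 9, 0)
    if kind == "established":
        # A year of calls to four repeat contacts, mostly answered, all in the home region.
        contacts = ["+3225550101", "+3225550102", "+3225550103", "+3225550104"]
        return [Call(start + timedelta(days=3 * i), contacts[i % 4], "BE",
                     completed=(i % 5 != 0), duration_s=120) for i in range(120)]
    # A throwaway number: one morning, sixty distinct numbers across regions, rarely answered.
    regions = ["US", "NG", "GB", "IN", "DE"]
    return [Call(start + timedelta(minutes=2 * i), f"+1555{i:07d}", regions[i % 5],
                 completed=(i % 10 == 0), duration_s=20) for i in range(60)]


def compare(home_region="BE"):
    """Return (established_score, burner_score) for the constructed histories."""
    est = trust_score(features(constructed_history("established"), home_region))
    burner = trust_score(features(constructed_history("burner"), home_region))
    return est, burner


if __name__ == "__main__":
    print("established, burner:", compare())
```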
Please someone blow the lid off the telco fraud world already. The reason companies such as telesign exist is because telcos are allowing fraudsters and scammers to run amok using their infrastructure and in lots of cases directly benefiting from their activities or even participating themselves. The whole telephone system is broken and the ones running the show are not showing any intent to fix it.
However, I do think there is room for protocols that verify phone numbers in a way. The spam and fraudulent calls that people receive and are hard to distinguish from “good” calls is a problem that deserves more attention.
This would be a nice use case but the reality is everyone still gets a boatload of scam calls, so these companies are farming the data and using it against us instead of for us
I get a bunch of scam sms messages and calls from scam financial firms here in Spain. That’s ignoring all the local spam calls from every phone provider and insurance company here.
Phone numbers have some value as a verification endpoint, but because it's so easy to steal people's mobile phone numbers via SIM jacking (calling the phone company and saying "Hi, I'm xyz and I have a new SIM card, please transfer my number to me"; it happens all the time), mobile phone numbers are not safe for this purpose.
Is there any legal way to obtain your own data from these companies? Does the US have any law that compels them to provide my own data they have on me and any derivative scores they calculate from it?
"Is there any legal way to obtain your own data from these companies?"
Of course there is: sign up and use their API.
For many years I had the "Ekata Reverse Phone" API enabled in my Twilio account which allowed me, for 8 cents or something, to query a phone number and see subscriber history, "related subscribers", address history, etc.
Kind of a neat party trick.
It also allowed me to verify and re-verify that the fictional nyms my SIM cards and phone numbers belong to have almost zero history or identification ...
Thanks for posting this here. Does sound like a neat party trick.
I got randomly assigned a "troubled" phone number once. It was a PITA. It should probably be illegal for phone companies to recycle numbers from old users with certain types of legal or financial problems, to innocent random new users who are literally paying for the privilege of inheriting a hot mess.
Assuming they do business in CA, so CA law applies, yes. That doesn't mean they comply with the law, and as far as I know, enforcement is mostly still on a "ya, sure, we will get around to it someday" footing.
So, just because you can in theory, doesn't mean you can in practice. Let us know how it works out for you!
SWIFT was founded 50 years ago, around the time of the Bretton Woods system collapse. BICS's parent company seems to be much older, from the telegraph era.
These are mostly behemoths created as a consequence of the West rising at the time.
By asking to have your data through a GDPR request you are effectively giving to the receiver of the request:
1) your full name
2) your phone number
3) your e-mail
i.e. basically a confirmation that both the phone number and e-mail are good/active/attended and that they are yours (and that you "exist"), while the data they may already have likely is only the telephone number and the patterns of its usage.
I have no idea how it could be possible to make a valid request without providing this kind of info (i.e. providing only the phone number, which they already have).
Maybe a sort of (public/certified) authorization service?
I agree that this might be a gap in the law, in theory. However, I've seen how many businesses work and they often don't have a process for randomly enriching production data from e-mails to the privacy department.
There's also the fact that the law does say that this personal data can only be used for the purpose of providing user data and must then be deleted. But we also know that there's little chance companies like this will do that.
It's a double edged sword, but I'm going to err on the side of danger and send in a data request anyway. My curiosity is much bigger than my fear of providing them my e-mail address.
These are the (not so) digital equivalent of what appeared in the phone book anyway.
Then, your phone number and emails are on your resumes, business cards, subscription forms, contact details for any web service... They're not exactly private information anyway.
And I'm sure anyone can call your phone number and listen to the voicemail message, in which most people say their name out loud anyway.
Lastly, isn't your email address firstname.lastname@gmail.com, as for most folks?
> isn't your email address firstname.lastname@gmail.com, as for most folks
I'm going to guess that for 'most folks' there's probably someone else with the same name and therefore this way of guessing someone's email address is far from reliable.
It's actually so unreliable that one email address I have receives mail for others who for some reason think it's their email. This includes plane tickets, accounts for phone contracts and order confirmations.
> It's actually so unreliable that one email address I have receives mail for others who for some reason think it's their email.
Ask me about the Brazilian teenager with my name who keeps using my email to open facebook accounts that I keep recovering the password for and closing.
I use different names/email on every site, but phone numbers are always these 2~3 numbers. If I'm going to send a deletion request under GDPR alike laws, it would be under different names.
Pretty much. Only your person has rights, not the fake identities you created. They can actually request a copy of an ID or something comparable to confirm your identity. You might have a hard time removing your data, in some cases, when using fake names since then your identity can't be confirmed.
> Only your person has rights, not the fake identities you created.
But if they only know u/lucb1e to own +31612345678, then it's all good and well that you're requesting data as Luc Lastname but that's not going to match their records anyway; that doesn't prove you're the legitimate person to send this data to.
> They can actually request a copy of an ID or something comparable to confirm your identity.
When I called the Dutch DPA about this, specifically about MAC address tracking (I got an email "welcome to ikea!", sent to anothercompany@lucb1e.com, when I connected to ikea's free wifi), they said that supplying the MAC address is the identifier to use because that's the only thing they can match anyway. This was in 2018-ish so I may misremember details, to be fair.
As far as I know, this is similar to copyright under a pseudonym. If you can't prove it's yours, sucks, but if you can, then your rights are yours to exercise.
Yes, and unlike a sign-up for a random site, you are actually stating the info and signing the form; it is as "official" a document as a non-notarized/non-certified one can be. There could be (improbable anyway in practice) legal consequences if you sign something with fake or non-existing data: it is a false declaration.
And when you (if asked/needed by the procedure) provide a copy of your ID, you are actually giving them other data points, like your birth date, often nationality, and in some cases even the address of residence.
I know there are several services that help you with removing your data from data brokers continuously, but only for residents of countries which have GDPR-like laws.
I feel defenseless against this sophisticated international corporate mass surveillance. Sending GDPR requests to each of them when you have learned of their existence is like whac-a-mole.
The only way to stop them I can foresee is them losing expensive lawsuits where the outcome is they have to ask your permission first, along with a clearing house to find out where all of them are so you can check and tell them no. Of course they'll try to set it up legally so that if you use your credit card it will indicate default approval or something.