Category: Cyber Security

NZ cryptocurrency exchange loses ‘significant’ funds in breach

IT Wire reports that New Zealand cryptocurrency exchange Cryptopia has suffered a breach and its operations have been locked down, with police saying that they are not yet in a position to indicate the quantum of the theft.

The company said in a notice on its site that there had been “significant losses” but went no further, only saying that “once identified, the exchange was put into maintenance while we assessed damages”.

Cryptopia was set up in July 2014 and is based in Christchurch. It has two directors, Adam Clark and Robert Dawson, according to Blockonomi, a site that covers cryptocurrencies, fintech and the blockchain economy.

The police statement said they were trying to establish what happened and how the site had been breached.

“A priority for police is to identify and, if possible, recover missing funds for Cryptopia customers; however there are likely to be many challenges to achieving this,” the statement said.

The website Crypto News cited a tweet from the chief executive of Binance, another cryptocurrency exchange, as saying some of the funds stolen from Cryptopia had been frozen.

These funds had been moved to Binance by the individuals who carried out the hack.

The police statement said: “While police are unable to go into details about specific steps being taken at this stage, we can say that our focus includes commencing both a forensic digital investigation of the company, and a physical scene examination at the building.

“We are dealing with a complex situation and we are unable to put a timeframe on how long the investigation may take.

“We are also aware of speculation in the online community about what might have occurred. It is too early for us to draw any conclusions and Police will keep an open mind on all possibilities while we gather the information we need.”

Beware scammers wanting access to your computer and bank account

The ACCC says that scammers are increasingly catching out people by impersonating well-known businesses or the police so they can get access to computers and steal money or banking information.

The ACCC’s Scamwatch website has recorded a significant spike in these types of scams, known as remote access scams, with more than 8000 reports recorded in 2018 so far and losses totalling $4.4 million.

“The spike in remote access scams is very concerning; losses so far in 2018 have already surpassed those for the whole of 2017, and sadly it is older Australians that are losing the most money,” ACCC Deputy Chair Delia Rickard said.

Scammers will impersonate a well-known company, most commonly Telstra, NBN or Microsoft, or even the police, and spin you a very credible and believable story about why they need to access your computer using software such as TeamViewer.

“The scammers are becoming more sophisticated. The old trick scammers used to use was to call people and say there was a virus on their computer that needed fixing but, in a new twist, scammers are now telling people they need their help to catch hackers,” Ms Rickard said.

The scammers claim they are tracking the ‘scammers’ or ‘hackers’, and tell the consumer that their computer has been compromised and is being used to send scam messages. This is where they say with the victim’s help, they can use the victim’s computer and online banking to trap the (fake) ‘scammer’.

The scammer will then pretend to deposit money into their victim’s account. In reality the scammer just shuffles money between the victim’s accounts (for example, from a person’s credit card account to a savings account), which gives the illusion of money being deposited. The money is then sent out of the victim’s account as part of the con to ‘catch a scammer’, straight to the scammer’s own bank accounts.

“Unfortunately there are many stories from people who give a scammer access to their computer and are then conned into giving access to online banking. Some are also tricked into providing iTunes gift card numbers over the phone to these scammers,” Ms Rickard said.

Once the scammer has a victim on the hook, if they start to doubt the situation, the scammer will become threatening, stating that the victim would jeopardise the investigation if they refuse to help and may even face legal consequences.

These types of scam can be very scary, as scammers can become threatening and aggressive if they sense they are ‘losing’ the victim, or starting to cotton on. This is particularly frightening for older people who may not be as tech savvy.

“It’s vital that people remember they should never, ever, give an unsolicited caller access to your computer, and under no circumstances offer your personal, credit card or online account details over the phone,” Ms Rickard.

“If you receive a phone call out of the blue about your computer and remote access is requested, it’s a scam 100 per cent of the time. Just hang up.”

Financial Sector Cyber Risk Is Rising – IMF

Cyber risk has emerged as a significant threat to the financial system according to the IMFBlog. An IMF staff modeling exercise estimates that average annual losses to financial institutions from cyber-attacks could reach a few hundred billion dollars a year, eroding bank profits and potentially threatening financial stability.

Recent cases show that the threat is real. Successful attacks have already resulted in data breaches in which thieves gained access to confidential information, and fraud, such as the theft of $500 million from the Coincheck cryptocurrency exchange. And there is the threat that a targeted institution could be left unable to operate.

Not surprisingly, surveys consistently show that risk managers and other executives at financial institutions worry most about cyber-attacks, as in the graphic below.

Financial sector’s vulnerability

The financial sector is particularly vulnerable to cyber-attacks. These institutions are attractive targets because of their crucial role in intermediating funds. A successful cyber-attack on one institution could spread rapidly through the highly interconnected financial system. Many institutions still use older systems that might not be resilient to cyber-attacks. And a successful cyber-attack can have direct material consequences through financial losses as well as indirect costs such as diminished reputation.

Recent high-profile cases have increasingly put cyber risk on the agenda of the official sector—including international organizations. However, quantitative analysis of cyber risk is still at an early stage, especially due to the lack of data on the cost of cyber-attacks, and difficulties in modeling cyber risk.

Cyber risk has emerged as a significant threat to the financial system.
A recent IMF study provides a framework for thinking about potential losses due to cyber-attacks with a focus on the financial sector.

Estimating potential losses

The modeling framework uses techniques from actuarial science and operational risk measurement to estimate aggregate losses from cyber-attacks. This requires an assessment of the frequency of cyber-attacks on financial institutions and an idea of the distribution of losses from such events. Numerical simulations can then be used to estimate the distribution of aggregate cyber-attack losses.

We illustrate our framework using a data set covering recent losses due to cyber-attacks in 50 countries. This provides an example of how potential losses for financial institutions could be estimated. The exercise is difficult and is made even more challenging by major data gaps on cyber risk. Moreover, thankfully, there has yet been no successful, large-scale cyber-attack on the financial system.

Our results should thus be considered as illustrative. Taken at face value, they suggest that average annual potential losses from cyber-attacks may be large, close to 9 percent of banks’ net income globally, or around $100 billion. In a severe scenario—in which the frequency of cyber-attacks would be twice as high as in the past with greater contagion— losses could be 2½–3½ times as high as this, or $270 billion to $350 billion.

The framework could be used to examine extreme risk scenarios involving massive attacks. The distribution of the data we have collected suggests that in such scenarios, representing the worst 5 percent of cases, average potential losses could reach as high as half of banks’ net income, putting the financial sector at risk.

Such estimated losses are several orders of magnitude greater than the present size of the cyber insurance market. Despite recent growth, the insurance market for cyber risk remains small with around $3 billion in premiums globally in 2017. Most financial institutions do not even carry cyber insurance. Coverage is limited, and insurers face challenges in evaluating risk because of uncertainty about cyber exposures, lack of data, and possible contagion effects.

The way forward

There is much scope to improve risk assessments. Government collection of more granular, consistent, and complete data on the frequency and impact of cyber-attacks would help assess risk for the financial sector.

Requirements to report breaches—such as considered under the EU’s General Data Protection Regulation—should improve knowledge of cyber-attacks. Scenario analysis could be used to develop a comprehensive assessment of how cyber-attacks could spread and design adequate responses by private institutions and governments.

Further work is needed also to understand how to strengthen the resilience of financial institutions and infrastructures, both to reduce the odds of a successful cyber-attack but also to facilitate smooth and rapid recovery. There is also a need to build capacity in the official sector in many parts of the world to monitor and regulate such risks.

In sum, strengthening the regulatory and supervisory frameworks for cyber risk is needed, and efforts should focus on effective supervisory practices, realistic vulnerability and recovery testing, and contingency planning. The IMF is providing technical assistance to help member countries improve their regulatory and supervisory frameworks.

Australians Warned to Beware of Phone Scams

Australians are urged to be on guard against unscrupulous, unsolicited callers, claiming to represent the Australian Banking Association and asking for bank details to issue a ‘refund’, survey customer satisfaction or record banking history.

According to the ACCC every year 33,000 Australians are targeted by scammers in this particular way, with callers pretending to represent banks and other financial institutions, with recent estimates placing the cost to victims at over $4.7 million. This scam targeting the ABA is ongoing and was first reported in 2016. Banks often encounter this type of scam, with callers claiming to contact customers on their behalf.

Some of the techniques used by these scammers include:

  • Asking who you bank with, how long you have banked with them and your level of satisfaction
  • Asking for personal and banking details, including your name and driver’s licence number, bank account or credit card number, PINs or internet banking login
  • Telling people they are owed a ‘refund’ for overcharged bank fees but they have to pay a fee for it. They ask people to send money via post or Western Union.

Executive Director of Consumer Policy Christine Cupitt said that it was important customers remain vigilant against scammers even if they claim to be from reputable organisations such as banks or associations.

“We’ve seen a concerning rise in the number of people falsely claiming to be from the ABA, preying on unsuspecting victims and asking for them personal financial details,” Ms Cupitt said.

“The ABA, or any member bank, will never call members of the public seeking information about their personal bank accounts or security information.

“If you think you’ve given your personal information to a scammer we urge you to urgently contact your financial institution.

“It’s vitally important that Australians keep their financial identity safe by following important measures such as not giving out your PIN, deleting spam e-mails, keeping antivirus software up to date and not responding to requests from unknown phone numbers.

“This week is ‘National Scams Awareness Week’, a timely reminder that if you think you’ve been the target of scammers, or indeed the victim of one, you should report it immediately to ACCC’s www.scamwatch.gov.au,” she said.

Tips to protect your financial identity

  • Don’t provide your financial details, including PIN or internet banking login or password to anyone.
  • Guard the following identity information carefully and only provide to trusted people and entities: date of birth, current address, driver’s licence number and passport details.
  • Delete spam and scam e-mail – if the offer sounds too good to be true, it probably is.
  • Keep your anti-virus and firewall software up-to-date.
  • Do not respond to requests that ask you to call unknown or unverified phone numbers.

Be very careful about clicking on links in emails. Do not use links to access trusted websites. Enter the correct address for websites into the address bar of your browser.

Australians lost $340 million to scammers in 2017

The ACCC says that Australians lost more money to scammers in 2017 than in any other year since the ACCC began reporting on scam activity. According to the ACCC’s ninth annual Targeting scams report  more than 200,000 scam reports were submitted to the ACCC, Australian Cybercrime Online Reporting Network (ACORN) and other federal and state-based government agencies in 2017. Total losses reported were $340 million – a $40 million increase compared to 2016.

The top three most reported scam categories of 2017 were phishing, identity theft and false billing scams. Losses to investment scams reported to Scamwatch increased by 33 per cent which translates to an increase in losses of $7.6 million. Combined losses with ACORN reports brings investment scam losses to $64.6 million in 2017, an increase over the $59 million in combined losses reported in 2016. False billing scams reported to Scamwatch increased by 324 per cent, from $659 835 in 2016 to

$2.7 million in 2017.  Remote access scams reported to Scamwatch increased by 72 per cent representing an increase in losses of $1 million.

Targeting scams report 2017 infographic

This is the first time reported losses to scams have totalled more than $300 million and demonstrates the increasing impact of scams on Australians. Investment scams topped the losses at $64 million, an increase of more than 8 per cent. Dating and romance scams caused the second greatest losses at $42 million.

“It’s very worrying that Australians are losing such extraordinary amounts to scammers. Based on just the reports provided to the ACCC, victims are losing an average of $6500. In some cases people have lost more than $1 million,” ACCC Deputy Chair Delia Rickard said.

“Some scams are becoming very sophisticated and hard to spot. Scammers use modern technology like social media to contact and deceive their victims. In the past few years, reports indicate scammers are using aggressive techniques both over the phone and online.”

Today marks the beginning of Scams Awareness Week 2018 and this year Scamwatch is asking people to “Stop and check: is this for real?” when they’re contacted by scammers who are pretending to be from well-known government organisations or businesses.

Scamwatch received almost 33,000 reports of these threat-based impersonation scams in 2017. Over $4.7 million was reported lost and more than 2800 people gave their personal information to these scammers.

“These scams can be very frightening. For example, scammers will impersonate the Australian Taxation Office and threaten people with immediate arrest unless they pay an outstanding tax bill. They may pretend to be from Telstra to try to hack into your computer or from Centrelink promising extra payments in return for a ‘fee’,” Ms Rickard said.

“Scammers scare us or butter us up with promises of cash because they know it clouds our judgement. People get so worried about being arrested they don’t question if the person threatening them is genuine.”

“If you’re being threatened, take a deep breath, and ask yourself if the call makes sense. The ATO will never threaten you with immediate arrest; Telstra will never need to access your computer to ‘fix’ a problem; and Centrelink will never require a fee to pay money it owes you. Finally, none of these organisations will ask you to pay using iTunes gift cards,” Ms Rickard said.

“If something doesn’t feel right, hang up the phone or hit delete. If the person said they were, for example, from Telstra or the ATO, find the phone number for that organisation online or in the phone book, call them and let them know about the call you received. They’ll let you know if it’s genuine or a scam.”

The ACCC encourages people to visit www.scamwatch.gov.au (link is external) to report scams so we can warn others about them and learn more about what to do if they’re targeted by scams.

APRA Introduces First Anti-Cyber Attacks Prudential Standard

The Australian Prudential Regulation Authority (APRA) has responded to the growing threat of cyber attacks by proposing its first prudential standard on information security.

APRA today released a package of measures, titled Information Security Management: A new cross-industry prudential standard, for industry consultation. The package is aimed at shoring up the ability of APRA-regulated entities to repel cyber adversaries, or respond swiftly and effectively in the event of a breach.

The proposed new standard, CPS 234, would require regulated entities to:

  • clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals;
  • maintain information security capability commensurate with the size and extent of threats to information assets, and which enables the continued sound operation of the entity;
  • implement information security controls to protect its information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls;
  • have robust mechanisms in place to detect and respond to information security incidents in a timely manner; and
  • notify APRA of material information security incidents.

Executive Board Member Geoff Summerhayes said the draft standard built on prudential guidance first released by APRA in 2010 and backed it with the force of law.

“Australian financial institutions are among the top targets of cyber criminals seeking money or customer data, and the threat is accelerating,” Mr Summerhayes said.

“No APRA-regulated entity has experienced a material loss due to a cyber incident, but a significant breach is probably inevitable. In a worst-case scenario, a cyber attack could even force a company out of business.”

Key areas where APRA is hoping to lift standards include assurance over the cyber capabilities of third parties such as service providers, and enhancing entities’ ability to respond to and recover from cyber incidents.

“Cyber security is generally well-handled across the financial sector, but with criminals constantly refining and expanding their tools and capabilities, complacency is not an option,” Mr Summerhayes said.

“Implementing legally binding minimum standards on information security is aimed at increasing the safety of the data Australians entrust to their financial institutions and enhance overall system stability.”

Submissions on the package are open until 7 June. APRA intends to finalise the proposed standard towards the end of the year, with a view to implementing CPS 234 from 1 July next year.

Copies of the consultation package are available on APRA’s website at: http://www.apra.gov.au/CrossIndustry/Consultations/Pages/Information-security-requirements-Mar18.aspx

The findings of APRA’s latest cybersecurity survey can be found in the December 2017 issue of Insight.

Customer Credit Data At Risk

The US arm of the credit score company Equifax –  the company who organises, assimilates and analyses data on more than 820 million consumers and more than 91 million businesses worldwide, and its database includes employee data contributed from more than 6,600 employers – has disclosed that one of it’s databases was breached through an unspecified vulnerability on its website, exposing the personal information of an estimated 143 million people, including some in the UK and Canada.

This highlights again the hidden risks in the online world, as such data is very valuable and could be used to create false identities or lead to phantom transactions.

Equifax Australia (ex. Veda), which itself holds the credit history information on Australian customers is a wholly owned subsidiary. The local company tweeted “please be assured that we have found no evidence that personal information of consumers in Australia or New Zealand has been impacted by the US cybersecurity incident”.

Equifax says the US penetration occurred sometime between mid-May and the end of July, but has only recently announced that the breach happened. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

Equifax discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company’s investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer, Richard F. Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”

Equifax has established a dedicated website, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. In addition to the website, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted. Equifax also is in the process of contacting U.S. state and federal regulators and has sent written notifications to all U.S. state attorneys general, which includes Equifax contact information for regulator inquiries.

Equifax has engaged a leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again.

CEO Smith said, “I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”

There is a fine print “arbitration clause” which seeks to protect the company from class actions, but in a response to consumer inquiries, the company says the arbitration clause and class action waiver included in its terms of use does not apply to this cybersecurity incident.

Also, according to documents filed with securities regulators, three Equifax executives sold shares worth a combined $1.8 million just a few days after the company discovered the breach. However, Equifax has said the three executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”

 

 

Open Banking May Catalyse Digital Disruption

Last week Treasurer Scott Morrison’s media release on the proposal to introduce an open banking regime in Australia was framed around the requirement for banks to be able and willing (with customer agreement) to share product and customer data with third parties.

The timing is interesting given the disruptive rise of FinTechs and the fact there are new entities emerging across the banking value chain. Until recently banks tended to regard their data as a strategic asset (for example not sharing default data) but with positive credit now in force, this is already changing. So this is a logical next step, and should be welcomed.

From our work whit a number of FinTechs we know that access to data is one of the barriers to success, alongside concerns about data security, and identity fraud. Opening the door to data sharing may be laudable, but there are significant technical issues to work through.

If open banking arrives, it would have the potential to increase competition, and perhaps put pressure on bank product pricing, as well as differentiated servicing; but we will see. It may open the door to more automated product switching, as well as better portfolio management and cross-selling. It certainly is another dimension in the wave of digital disruption already in play, which is ultimately being facilitated by the adoption of mobile technologies and devices.

The Turnbull Government has commissioned an independent review to recommend the best approach to implement an Open Banking regime in Australia, with the report due by the end of 2017.

Greater consumer access to their own banking data and data on banking products will allow consumers to seek out products that better suit their circumstances, saving them money and allowing them to better achieve their financial goals. It will also create further opportunities for innovative business models to drive greater competition in banking and contribute to productivity growth.

The review will be ably led by Mr Scott Farrell. Mr Farrell is a Partner at King & Wood Mallesons and has more than 20 years’ experience in financial markets and financial systems law. Mr Farrell has given many years of service to the public and private sector in advising on, and guiding, regulatory and legal change in the financial sector. He has intimate knowledge of the financial technology (FinTech) sector and is a member of the Government’s FinTech Advisory Group.

Mr Farrell will be supported by a secretariat located within Treasury and will draw upon technical expertise from the private sector as required. The review will consult broadly with the banking, consumer advocacy and FinTech sectors and other interested parties in developing the report and recommendations.

The Review terms of reference have been released and an Issues Paper will shortly be made available for interested parties to provide input to the review.

Purpose of the review

The Government will introduce an open banking regime in Australia under which customers will have greater access to and control over their banking data. Open banking will require banks to share product and customer data with customers and third parties with the consent of the customer.

Data sharing will increase price transparency and enable comparison services to accurately assess how much a product would cost a consumer based on their behaviour and recommend the most appropriate products for them.

Open banking will drive competition in financial services by changing the way Australians use, and benefit from, their data. This will deliver increased consumer choice and empower bank customers to seek out banking products that better suit their circumstances.

Terms of reference

  1. The review will make recommendations to the Treasurer on:1.1. The most appropriate model for the operation of open banking in the Australian context clearly setting out the advantages and disadvantages of different data-sharing models.1.2. A regulatory framework under which an open banking regime would operate and the necessary instruments (such as legislation) required to support and enforce a regime.1.3. An implementation framework (including roadmap and timeframe) and the ongoing role for the Government in implementing an open banking regime.
  2. The recommendations will include examination of:2.1. The scope of the banking data sets to be shared (and any existing or potential sector standards), the parties which will be required to share the data sets, and the parties to whom the data sets will be provided.2.2. Existing and potential technical data transfer mechanisms for sharing relevant data (and existing or potential sector standards) including customer consent mechanisms.2.3. The key issues and risks such as customer usability and trust, security of data, liability, privacy safeguard requirements arising from the adoption of potential data transfer mechanisms and the enforcement of customer rights in relation to data sharing.

    2.4. The costs of implementation of an open banking regime and the means by which costs may be imposed on industry including consideration of industry-funded models.

  3. The review will have regard to:3.1. The Productivity Commission’s final report on Data Availability and Use and any government response to that report.3.2. Best practice developments internationally and in other industry sectors.3.3. Competition, fairness, innovation, efficiency, regulatory compliance costs and consumer protection in the financial system.

Process

The review will consult broadly with representatives from the banking, consumer advocacy and financial technology (FinTech) sectors and other interested parties in developing the report and recommendations.

The review will report to the Treasurer by the end of 2017.

7 in 10 smartphone apps share your data with third-party services

From The Conversation.

Our mobile phones can reveal a lot about ourselves: where we live and work; who our family, friends and acquaintances are; how (and even what) we communicate with them; and our personal habits. With all the information stored on them, it isn’t surprising that mobile device users take steps to protect their privacy, like using PINs or passcodes to unlock their phones.

The research that we and our colleagues are doing identifies and explores a significant threat that most people miss: More than 70 percent of smartphone apps are reporting personal data to third-party tracking companies like Google Analytics, the Facebook Graph API or Crashlytics.

When people install a new Android or iOS app, it asks the user’s permission before accessing personal information. Generally speaking, this is positive. And some of the information these apps are collecting are necessary for them to work properly: A map app wouldn’t be nearly as useful if it couldn’t use GPS data to get a location.

But once an app has permission to collect that information, it can share your data with anyone the app’s developer wants to – letting third-party companies track where you are, how fast you’re moving and what you’re doing.

The help, and hazard, of code libraries

An app doesn’t just collect data to use on the phone itself. Mapping apps, for example, send your location to a server run by the app’s developer to calculate directions from where you are to a desired destination.

The app can send data elsewhere, too. As with websites, many mobile apps are written by combining various functions, precoded by other developers and companies, in what are called third-party libraries. These libraries help developers track user engagement, connect with social media and earn money by displaying ads and other features, without having to write them from scratch.

However, in addition to their valuable help, most libraries also collect sensitive data and send it to their online servers – or to another company altogether. Successful library authors may be able to develop detailed digital profiles of users. For example, a person might give one app permission to know their location, and another app access to their contacts. These are initially separate permissions, one to each app. But if both apps used the same third-party library and shared different pieces of information, the library’s developer could link the pieces together.

Users would never know, because apps aren’t required to tell users what software libraries they use. And only very few apps make public their policies on user privacy; if they do, it’s usually in long legal documents a regular person won’t read, much less understand.

Developing Lumen

Our research seeks to reveal how much data are potentially being collected without users’ knowledge, and to give users more control over their data. To get a picture of what data are being collected and transmitted from people’s smartphones, we developed a free Android app of our own, called the Lumen Privacy Monitor. It analyzes the traffic apps send out, to report which applications and online services actively harvest personal data.

Because Lumen is about transparency, a phone user can see the information installed apps collect in real time and with whom they share these data. We try to show the details of apps’ hidden behavior in an easy-to-understand way. It’s about research, too, so we ask users if they’ll allow us to collect some data about what Lumen observes their apps are doing – but that doesn’t include any personal or privacy-sensitive data. This unique access to data allows us to study how mobile apps collect users’ personal data and with whom they share data at an unprecedented scale.

In particular, Lumen keeps track of which apps are running on users’ devices, whether they are sending privacy-sensitive data out of the phone, what internet sites they send data to, the network protocol they use and what types of personal information each app sends to each site. Lumen analyzes apps traffic locally on the device, and anonymizes these data before sending them to us for study: If Google Maps registers a user’s GPS location and sends that specific address to maps.google.com, Lumen tells us, “Google Maps got a GPS location and sent it to maps.google.com” – not where that person actually is.

Trackers are everywhere

Lumen’s user interface, showing the data leakages and their privacy risks, found for a mobile Android game called ‘Odd Socks.’ ICSI, CC BY-ND

More than 1,600 people who have used Lumen since October 2015 allowed us to analyze more than 5,000 apps. We discovered 598 internet sites likely to be tracking users for advertising purposes, including social media services like Facebook, large internet companies like Google and Yahoo, and online marketing companies under the umbrella of internet service providers like Verizon Wireless.

Lumen’s explanation of a leak of a device’s Android ID. ICSI, CC BY-ND

We found that more than 70 percent of the apps we studied connected to at least one tracker, and 15 percent of them connected to five or more trackers. One in every four trackers harvested at least one unique device identifier, such as the phone number or its device-specific unique 15-digit IMEI number. Unique identifiers are crucial for online tracking services because they can connect different types of personal data provided by different apps to a single person or device. Most users, even privacy-savvy ones, are unaware of those hidden practices.

More than just a mobile problem

Tracking users on their mobile devices is just part of a larger problem. More than half of the app-trackers we identified also track users through websites. Thanks to this technique, called “cross-device” tracking, these services can build a much more complete profile of your online persona.

And individual tracking sites are not necessarily independent of others. Some of them are owned by the same corporate entity – and others could be swallowed up in future mergers. For example, Alphabet, Google’s parent company, owns several of the tracking domains that we studied, including Google Analytics, DoubleClick or AdMob, and through them collects data from more than 48 percent of the apps we studied.

Data transfers observed between locations of Lumen users (left) and third-party server locations (right). Traffic frequently crosses international boundaries. ICSI, CC BY-ND

Users’ online identities are not protected by their home country’s laws. We found data being shipped across national borders, often ending up in countries with questionable privacy laws. More than 60 percent of connections to tracking sites are made to servers in the U.S., U.K., France, Singapore, China and South Korea – six countries that have deployed mass surveillance technologies. Government agencies in those places could potentially have access to these data, even if the users are in countries with stronger privacy laws such as Germany, Switzerland or Spain.

Connecting a device’s MAC address to a physical address (belonging to ICSI) using Wigle. ICSI, CC BY-ND

Even more disturbingly, we have observed trackers in apps targeted to children. By testing 111 kids’ apps in our lab, we observed that 11 of them leaked a unique identifier, the MAC address, of the Wi-Fi router it was connected to. This is a problem, because it is easy to search online for physical locations associated with particular MAC addresses. Collecting private information about children, including their location, accounts and other unique identifiers, potentially violates the Federal Trade Commission’s rules protecting children’s privacy.

Just a small look

Although our data include many of the most popular Android apps, it is a small sample of users and apps, and therefore likely a small set of all possible trackers. Our findings may be merely scratching the surface of what is likely to be a much larger problem that spans across regulatory jurisdictions, devices and platforms.

It’s hard to know what users might do about this. Blocking sensitive information from leaving the phone may impair app performance or user experience: An app may refuse to function if it cannot load ads. Actually, blocking ads hurts app developers by denying them a source of revenue to support their work on apps, which are usually free to users.

If people were more willing to pay developers for apps, that may help, though it’s not a complete solution. We found that while paid apps tend to contact fewer tracking sites, they still do track users and connect with third-party tracking services.

Transparency, education and strong regulatory frameworks are the key. Users need to know what information about them is being collected, by whom, and what it’s being used for. Only then can we as a society decide what privacy protections are appropriate, and put them in place. Our findings, and those of many other researchers, can help turn the tables and track the trackers themselves.

More lessons on fintech to come for Scott Morrison

From The Conversation.

This week, Treasurer Scott Morrison will be in Germany, as part of the run up to this year’s G-20 Summit, talking to other finance ministers about “Digitising finance, financial inclusion and financial literacy”. The Treasurer is due to give a keynote speech on “Developments and challenges of fintech with a focus on Australia”.

Just before Christmas, ASIC released a document with the new rules on how new fintech businesses can test certain services without holding an Australian financial services or credit licence. The waivers provide a “sandbox” for new fintech start-ups to play in without incurring the wrath of the regulator.

However, the restrictions for playing in the sandbox are actually quite onerous. First, and probably the biggest hurdle, is that would-be Warren Buffets must be a member of “one or more ASIC – approved external dispute resolution (EDR) schemes”, such asthe Financial Ombudsman Service (FOS). The budding billionaires must also organise some professional indemnity insurance cover, of at least A$1 million. Not too many small firms will have the sort of money lying around to do both of those.

The things that the startups are allowed to do are fairly restrictive, with limits on the products that they may offer and the money they can manage with a “total customer exposure of no more than A$5 million”.

When in Europe the Treasurer will also visit London, where among other visits, he is due to meet with Internet royalty – none other than Sir Tim Berners Lee. He’s the inventor of the World Wide Web (www) and head of a new UK government initiative, called the Open Data Institute(ODI).

Among many areas that Berners-Lee and the ODI are looking at is Finance and particularly something called the Open Banking Standard. This standard has the lofty goal of:

Unlocking the potential of open banking to improve competition, efficiency and stimulate innovation.

ODI describes the rationale for the standard:

The European Union is rapidly advancing legislation that will, upon implementation in the next two years, require UK banks (subject to consent from individuals and businesses) to open access to their customer data and payments capabilities.

It means the banks will be required to make (some of their) data available, or “open”, to all. But it won’t be everything, the example ODI gives is “financial product information”, basically the pamphlets that are available in bank branches today. But it’s a start.

Other data is considered “closed” or “shared” such as personal bank details or a company’s transaction data. Access to such sensitive data would, according to ODI, be subject to the consent of the individual or business to whom the data belongs and specific governance related to that. Access to the data would be through standardised application programming interfaces (APIs) and, subject to privacy constraints, data could be made available to banks and fintech developers.

The ODI approach promotes fintech development by allowing start-ups to develop new services and products that can access bank data directly rather than having to suck data out of banks and massage it locally. The data remains with the banks and customers, but the logic moves to the fintech developer.

The banks, in the UK or Australia, are not going to be happy. For example, a fintech could write a program to extract a customer’s data from their bank or credit card accounts and run a program to see how much better the customer would be if they moved their accounts to another bank, using real data rather than marketing promises. Customers, for example, could also set up alerts on their account balances not at the simple overdraft level but also using real rules taking into account upcoming expenses, such as holidays.

On the subject of bank accounts, the Treasurer should take note of how the UK banking system is actually implementing bank account number portability rather than still talking about it as in Canberra.

But while fintech is a fascinating subject, I suspect other topics in global finance might just take up some of the visit, such as the reversal of the global trade agenda and Brexit both of which could be considered financial exclusion rather than inclusion.

Author: Pat McConnell, Honorary Fellow, Macquarie University Applied Finance Centre, Macquarie University