How to Protect your Privacy -- Personal, Financial, Digital

Here is another long and interesting article on how Amazon failed to protect consumer data: Amazon’s Dark Secret: It Has Failed to Protect Your Data

If it asks you to subscribe to Wired, then here is another link: Amazon’s Dark Secret: It Has Failed to Protect Your Data

1 Like

Use DownThemAll next time.

If you read the above article on Wired, you’d learn that it probably wasn’t Amazon purging those reviews, but compromised rogue employees that were paid by the third party sellers.

1 Like


Privacy protection going forward could become more difficult if you want to do business online with the IRS. This is stolen from the WaPo:

The IRS is planning as of this summer to make Americans scan in their face and provide it in order to access their IRS account online. The picture will be used for face-recognition software. The photo and software will be farmed out to a private company to do the face recognition.

This announcement has now raised a lot of questions about privacy.

> To verify one’s identity, ID.me [the private contractor] requires scans of a person’s face as well as copies of identifying paperwork, such as a driver’s license, government-issued ID or utility bill. The company then uses facial recognition software to assess whether a person’s “video selfie” and official photo match.
>
> If the system flags an issue, the person will have to join a live video call with one of the company’s “trusted referees,” who then asks them to hold up physical copies of personal documents such as a passport, birth certificate or health insurance card.
>
> Critics say there’s a big difference between a person deciding to use software, which locks their face data on their phone, and being required to send it to a company that retains control of the data for years. Advocates also have warned that the technical demands of an Internet-connected video camera can unfairly burden the millions of Americans with spotty online access or old phones.
>
> ID.me’s work with the IRS will start in full this summer, when the agency stops accepting previously created online accounts and forces everyone to use newer accounts verified through ID.me. The shift will come at a time when Treasury officials are warning of “enormous challenges” for the IRS, which is overwhelmed by a backlog of returns and years of budget cuts.

How am I supposed to join a live video call?

Some of the concerns raised:

> The $86 million ID.me contract with the IRS also has alarmed researchers and privacy advocates who say they worry about how Americans’ facial images and personal data will be safeguarded in the years to come.

> The partnership with ID.me has drawn anger from some members of Congress, including Sen. Ron Wyden (D-Ore.), who tweeted that he was “very disturbed” by the plan and would push the IRS for “greater transparency.” Rep. Ted Lieu (D-Calif.) called it “a very, very bad idea by the IRS” that would “further weaken Americans’ privacy.”
>
> “No one should be forced to submit to facial recognition as a condition of accessing essential government services,” Wyden said in a separate statement.
>
> A Treasury official said Friday that the department was “looking into” alternatives to ID.me, saying Treasury and the IRS always are interested in improving “taxpayers experience.”
>
> The official offered no further detail, however, and referred reporters to ID.me for “details of their technology and safety controls.” Spokespeople for ID.me declined to comment.
>
> Jeramie D. Scott, senior counsel of the Electronic Privacy Information Center, a research group in Washington, said the IRS’s outsourcing of identity checks to a private company could weaken the public’s ability to know how information is being used, especially because no federal laws govern how facial recognition should work nationwide.
>
> “You go from a government agency, that at least has some obligation under the Privacy Act and other laws, to a third party, where [there’s a] lack of transparency and understanding, and the potential risks go up,” Scott said.
>
> “We haven’t even gone the step of putting regulations in place and deciding if facial recognition should even be used like this,” he added. “We’re just skipping right to the use of a technology that has clearly been shown to be dangerous and has issues with accuracy, disproportionate impact, privacy and civil liberties.”
>
> The company’s privacy policy says it can use people’s sensitive or personally identifiable information to “cooperate with law enforcement activities,” and Blake Hall, ID.me’s co-founder and chief executive, said the company alerts its government clients when it detects “clear cases” of fraud.

1 Like

The real question to ask is, how much fraud is there really, involving accessing online tax transcripts?

False tax returns, sure, that’s a big problem - but this isn’t going to address that one bit.

Is it too jaded for me to wonder who’s financially benefitting from this $86-million “improvement”? I suspect there’s quite a windfall for those leading the push, either directly or through some wheel-greasing.

Imagine the outrage if a state were to start requiring the use of id.me to cast a vote…

4 Likes

There would be a huge amount if that replaced all forms of voting. A bit less if you could still cast a vote via all previously existing normal means.

I think that’s why there’s not much outrage at this because most Americans do not have an account with the IRS and don’t need it to file their taxes, get their refunds, etc.

Yes the main issue is what will this actually improve in terms of security. Since you won’t need it to file taxes, I’m not sure how that’ll help with fraud. How many fraudsters were calling the IRS help line (and actually getting through hehe) impersonating others before? That sounds like a cash grab solution looking for a problem or the beta test for more of this junk to be forced upon everyone. I just wish the idea eventually gets shelved. But it’s also coming to Social Security but at least they don’t force people to use a third party like ID.me, it’s only one of the options.

Personally, I don’t think I’ll transition to the new accounts unless I have an absolute necessity to do so. Not worth giving away all this personal information.

5 Likes

If it’s just the IRS that uses it, I’m totally with you there but this is creeping up everywhere from state unemployment agencies to the Social Security website. How long it’ll be until you need to do this facial recognition stuff to access vital parts of the government systems is anyone’s guess but it feels to me like it could be soon.

So part of me is also wondering if I should just “plant my flag” before someone else does it for me. I’ve done this proactively with my state unemployment agency (without needing to use ID.me) even though I’m not unemployed or at much risk of becoming unemployed, but just so nobody could make claims using my identity.

The main thing that holds me back from doing it via ID.me is the fact that it’s a third party subjected to much less oversight than a normal government agency.

1 Like

This is interesting but I still wouldn’t trust them.

1 Like

Wow that must either be some very specific rentals or a new policy because I’ve got a rental for March and that did not require anything. Did you have to submit the ID information to AirBnB or to the landlord? Either way, that’d turn me off renting from them in the first place.

1 Like

Seems like the IRS got a lot of heat for their plan to force people to use ID.me third party facial recognition: IRS won’t be using facial recognition

I hope whatever they come up with to replace it to increase security is not via another third party without oversight, and preferably not a massively cumbersome process either. Reading Krebs on security adventures in getting his ID.me profile to work did not inspire confidence.

I think they may go with Login.gov since it’s been in use for a while, is managed by the US government so you’d hope for more transparency and oversight, and it’s been committed to not use facial recognition. Hopefully it’s more secure than the current systems.

6 Likes

That’s great for airbnb, but irrelevant – airbnb is not a federal agency with which everyone regularly deals, and last I checked they don’t outsource the ID verification to a third party.

Here’s the direct link, since The Hill article doesn’t make it clear and doesn’t provide the relevant quotes:

3 Likes

Just an FYI regarding login.gov. Nobody mentioned this before and I did not know, since I did not need to use that service until now. What’s very interesting and very cool about it, is that it does not require any of your personally identifying information. You may provide a phone number if you select SMS as your second factor, but it’s not required. It does not care who you are, it simply allows you to login (ha!) with an email address, password, and at least one of multiple available 2FA methods. After you create the account, you can associate it with the actual government service that requires it. That service is the one that collects all your personal info.

The big idea behind this service is to make it simple for the average person to “use one account and password for secure, private access to participating government agencies.” But what’s even better, and I would highly recommend in the context of this thread, is to create a separate login.gov account for each and every government service that uses login.gov, just like you would if they didn’t all rely on login.gov.

This way if someone else gains access to one account, they won’t necessarily gain access to all of them. It’s in the same line of thinking as not reusing your login/email address and password across multiple services.

4 Likes

Lots of bad information in the first article. Unauthorized transactions are unauthorized and carry legal protections, even if the bank tries to claim they’re authorized. They also straight up imply that Zelle is an app. It’s not – it’s a service that also happens to have an app. The second article is not of much better quality, but it’s more concerning, because it implies that the victim’s phone was hacked. One easy solution is to not install any banking apps on your phone.

That’s good advice for the Zelle app, but it won’t help if they use a bank’s app and have multiple accounts at that bank – you can select another source for transfers.

Banks implement various transaction limits for Zelle, and I think $5K/day is the max. Some start with lower limits at first and increase with use. They should send 2FA codes when you’re adding a new contact or sending more than usual. Losing $40K like the first article claims is no easy task without a full-on phone hack.

1 Like

I think the issue is that many people are authorizing the transactions TO scammers while many other people are mistakenly giving scammers ACCESS and the scammers are authorizing the transactions. The bank has to decide how much they are going to fight to say it was the customer’s fault. Then these articles come along and the reporter makes no distinction between the two scams.

My understanding is that, if a scammer figures out your bank login and password and they want to add a recipient (themselves) to Zelle, they are going to have to do some social engineering. Because bank websites don’t just let you add a recipient to Zelle and pay them with only an email address and password. That is where the argument over “authorized transactions” comes in. The customer has to “authorize” the addition of the recipient or the payment usually via text message authentication, but in order for the scammer to get away with it, they had to have the account hacked in the first place. So the question then becomes, did the customer really “authorize” the “transaction” or did they get hacked. I would argue they got hacked because nowhere along the way of the customer giving that text message code did they realize the scammer had access to their account. The fact the scammer was in their account without them having permission makes all the transactions “UNauthorized.” But, I’m sure there are some times where the customer not only gives out the text message code, but gave out the login/password too. I think in those cases, the bank can argue everything was authorized. If the customer is adamant they didn’t give out the login/password, only the text message authentication code, the transaction should still be considered unauthorized. But I don’t know how an arbitrator or judge would view it. Probably 50/50.

The old lady, on the other hand, tricked into Zelleing money to her “grandson” for bail - that was an authorized transaction and she shouldn’t expect the bank to cover her for that.

1 Like

One big difference between Zelle and most other money payment and transfers that regular people use regularly is that they’re not instant and are reversible. Even wire transfers are reversible, I think. Given Zelle’s origins, there really must be more protections against fraudulent transfers – transactions must be reversible.

Are you suggesting they change their process to something where the money “shows up” instantly like it does now, but it is left “pending” or otherwise unable to be withdrawn by the receiving party for 2-3 business days? I think that makes sense and would instill more confidence in users. As long as the receiving bank that leaves it pending doesn’t overdraw people’s accounts in the meantime before the transaction fully posts.

It’d be no better than Venmo if they did that. I’m thinking they should just be smarter about sending money to new recipients. They must ensure that the link is legitimate and authorized – send verification requests to both parties, don’t allow large initial transfers, place a long hold on the first transaction (or the first few), etc. Once the link has been established for a while, instant transfers should not be an issue.

1 Like