The 2021 State of Industrial Cybersecurity: The Risks Created by the Cultural Divide between the IT & OT Teams

A primary challenge to improving the security of organizations’ Industrial Control System (ICS) and Operational Technology (OT) environments, as revealed in this research, is the need to overcome the cultural and technical differences between OT and IT teams. Ideally, organizations should work toward establishing a unified IT and OT approach to addressing the threats and closing the gaps in security that leave organizations vulnerable to cyber attackers. Sponsored by Dragos, Ponemon Institute surveyed 603 IT, IT security and OT security practitioners at the C-level, managerial and director level in the United States. All are familiar with cybersecurity initiatives and ICS and OT security practices within their organizations.

In the context of this research, OT represents the programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). Examples include industrial control systems (ICS), building management systems, safety control systems, and physical access control mechanisms.

ICS encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system components such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures. An ICS consists of combinations of control components that act together to achieve an industrial objective.

The cultural divide between IT and OT teams affects the ability to secure both the IT and the ICS/OT environment. Because of the lack of alignment between an organization’s cybersecurity policies and procedures with OT and ICS security objectives, only 35 percent of respondents say their IT and OT teams have a unified security strategy that secures both the IT and OT environments, despite the need for different controls and priorities. Only 39 percent of respondents say IT and OT teams work cohesively to achieve a mature security posture in both the IT and OT environments.

The risks created by the cultural divide between the IT & OT Teams 

  • Fifty percent of respondents are optimistic about the future of their ICS/OT cybersecurity program. However, only 21 percent of respondents say their ICS/OT program activities have achieved full maturity and emerging threats drive priority actions. A fully mature program also means C-level executives and the board of directors are regularly informed about the efficiency, effectiveness, and security of the program. Twenty-nine percent of respondents say their organizations are in the late-middle stage which means C-level support, adequate budget, risk assessment and a cross-functional team of IT and OT SMEs work together cohesively. 
  • As the frequency and severity of attacks increase, organizations are struggling to keep ahead of these threats. Sixty-three percent of respondents say their organizations had an ICS/OT cybersecurity incident in the past two years. 
  • For the first time, this research calculates the cost of one cybersecurity incident in the ICS/OT environment. The average cost per cybersecurity incident research is $2,989,550 (the calculation is shown in Table 1 of this report). An average of 316 days is spent to detect, investigate and remediate the cybersecurity incident. Based on the use of a threat hunting and incident response team that averages six IT and IT security personnel, it costs an average of $963,168 to detect, investigate and remediate the incident. The fixed costs including the replacement of equipment, downtime, legal and regulatory fines total $2,026,382. This equals the average total cost of $2,989,550. 
  • The majority of respondents say senior management lacks an understanding about the cyber risks in the ICS/OT environments. As a result, not enough resources are allocated to defend the ICS/OT environments. Paradoxically, according to 56 percent of respondents, the primary blocker for investing in ICS/OT cybersecurity is that ICS/OT cybersecurity is managed by the engineering department, which does not have security expertise followed by 53 percent of respondents who say ICS/OT security is managed by an IT department without engineering expertise. 
  • The Director/Manager of IT and the VP of Engineering are the functions most respondents in this study report to. However, by far the VP of Engineering is most accountable for the security of the ICS/OT program. Only 12 percent of respondents say the CISO is most accountable for the security of ICS/OT program. Further, only 35 percent of respondents say someone responsible for ICS and OT cybersecurity reports IT and cybersecurity initiatives to the board of directors. Of these respondents, 41 percent say such reporting takes place only when a security incident occur.
  • Only 38 percent of respondents say the security safeguards in place to protect the ICS and OT environments are covered during board meetings and only 36 percent of respondents say the effectiveness and efficiency of security programs and measures are presented.
  • Cultural and technical differences must be overcome to have OT and IT teams work cohesively. The challenges often are not caused by a competition for budget dollars and new security projects (only 32 percent of respondents). Rather, it is the cultural and technical differences between traditional IT-specific best practices and what is possible in OT environments, such as patch management and unique requirements of industrial automation equipment vendors that cause conflicts between these two functions (50 percent and 44 percent of respondents, respectively).
  • Only 46 percent of respondents say their organizations are effective in gathering intelligence about threats to the ICS/OT environment and 45 percent of respondents say their organizations are effective in discovering and maintaining an inventory of all devices attached anywhere on the OT network throughout the asset lifecycle.

To read the full report, visit, Dragos.com. 

She donated to help a friend get a kidney; then., she was forced to make a ‘hostage’ video

Bob Sullivan

A California woman who thought she was helping an old friend pay for a kidney transplant has been caught up in an Instagram hacking scheme with a nightmarish twist —  criminals drained her bank account via Zelle and then forced her to make a hostage-style video endorsing a get-rich-quick scheme in an attempt to get some of it back.

I found her “hostage” video online, which was posted by an Instagram account containing hundreds of similar videos endorsing a scheme promising 1,000 percent% on investments; many seem to be coerced.

Makaylah Lervold wrote to me on Friday desperately seeking help getting a refund after her bank account was hacked and criminals sent themselves about $3,000 of her money. The hack followed a chain of events that began with an old friend reaching out over Instagram messages saying he’d finally found a kidney donor match after a four-year search.  Lervold had met the sick friend several years ago at work, but hadn’t stayed in touch, though she was aware that he was indeed seeking a transplant.  His search was public; I’ve been able to confirm it through local news coverage.  Lervold said she messaged with the writer, whom she now knows was an imposter, and agreed to take a phone call from a hospital representative who would provide instructions on how to contribute.

She sent $1,000 to the caller’s account via Zelle, thinking it was a donation. Instead, the money was sent to a criminal’s account. The caller gleaned enough information — she asked for Lervold’s authentication codes — that the criminal or someone else was able to transfer nearly $3,000 more out of Lervold’s account through a series of additional Zelle transactions.  Lervold provided a screenshot of those transactions to me. Then, using stolen credentials, someone hacked into Lervold’s Instagram account and locked her out. The criminal subsequently threatened Lervold with more financial crimes unless she produced a video endorsing an investment scheme.

“Hi everyone. It’s Makaylah,” she says in the video. “I’m just here. I want to let you know about a huge opportunity. I just invested $1,500 with [name removed] and she turned my $1,500 investment into $15,000. Don’t miss out on this opportunity. I’m so grateful. Thank you [name removed]. Hit her up. She will invest your money. And turn it into a huge profit. You won’t regret it.”

Other videos on the “investment” Instagram account page contain similar messages. The account has more than 1,500 followers and has made 1,700 posts, dating back well into last year.

Posing as an old acquaintance, I contacted the hijacked account that originally belonged to Lervold’s sick friend, offering congratulations for finding a kidney match. The response came quickly: “Thank you so much sweetheart and I was about to ask you if you’d be interested in making some extra money.” Then later in our exchange, the imposter wrote, “Can you help me out $300 until tomorrow morning. I was short on a bill…I’m actually at the hospital.”

That victim declined to respond to a request for an interview.

Joseph Cox at Motherboard reported last week on a victim who was also forced to make a hostage-style video after being coerced into a bogus bitcoin investment. It’s unclear if these incidents are related, but my concern is the compelling tactic of forced video endorsement.

Lervold said the experience was terrifying.

“I’m so distraught…it was really scary,” she said. They drained all the money that I had saved for my wedding in June. It’s devastating. …  They forced me to make a video just like the last video they posted on my friend’s hacked account. …  They said if I didn’t do it they would completely drain my account. It was the scariest situation I have ever been in.”

Worse yet, when she contacted me, the criminals were using Lervold’s hijacked account in an attempt to scam her friends, she said.

“Now they are trying to scam my friends and inviting people from my Instagram to our wedding and are asking for money,” Lervold said.

She provided me with screen grabs of a dialog between a friend and the hacker in which the criminal offers to invite the friend to the wedding…then tries to convince the friend to send in money for the investment scheme.

“Did you see my ad? I actually made $15k from the investment. I posted it,” the message from the criminal, posting as Lervold, says. “Was wondering if you’d like to tap in.”

Last week, I reported that there was a large increase in consumers reporting that their Instagram accounts had been attacked by hackers. This complex scheme…involving trusted friend relationships, and hopping from one hijacked account to another, armed with intimate knowledge of each hacked victim…shows why hacked Instagram attacks can fetch nearly $50 on the digital black market.

Lervold said she reported that her Instagram account had been hacked to Facebook late last week; she has not yet heard back from the company. On Facebook, she can be seen pleading for friends to unfollow her Instagram account and asking them to report it as fraudulent so they would not be deceived by her video.

Monday afternoon I reported her account to Facebook’s media relations deparment, along with the account hosting the hostage videos.  Facebook has not yet returned my request for comment, but by Tuesday morning, Lervold’s account and the account hosting the hostage videos were both taken offline.

“Apparently each scam is different,” Lervold said. “They were messaging me already knowing I was (the kidney patient’s) friend. Which is why they knew I would donate. Other people they have used this investment scam saying they can turn a certain amount of money and turn it into a huge profit. Like the videos. You can turn $1,000 into $10,000. They took over my account and are asking people for money to help with my wedding. They must have read personal messages and are using that to get to my Instagram friends…the read back years in my messages.”

Eva Velasquez, CEO of the Identity Theft Resource Center, said her agency has been tracking the large increase in Instagram scams.  She said she was very concerned about the hostage video trend.

“It’s a new twist on ransoms,” she said. “Instead of asking for money, they are asking for videos.”

Her message to the public: Don’t make coerced videos. Paying the “ransom” doesn’t work.

“Do not make these videos endorsing something to get your money back or your account back because it’s not going to happen, you’re not getting it back,” she warned.  “Just walk away from the account.”  Work through the social media companies to get account access restored she said, admittedly an “arduous process.”

She warned that victims would suffer even deeper emotional consequences than those who send money to criminals — because their accounts and their words can be used to scam friends.

“When you add a layer that you were an instrument of victimization involving people you know and love, who are part of your personal network. that just adds another layer of emotional grief,” she said.

Velasquez also reminded users never to share authentication credentials — including two-factor text message codes  — with anyone.

I’ve decided that those SMS codes should no longer be used; it’s time that users switch to an authentication app for two-factor needs.  There are too many stories about criminals accessing text messages through hacking or coercion.

The Impact of Ransomware on Healthcare During COVID-19 and Beyond

Larry Ponemon

The purpose of this research is to understand how COVID-19 has impacted how healthcare delivery organizations protect patient care and patient information from increasing virulent cyberattacks, especially ransomware. Prior to COVID-19, 55 percent of respondents say they were not confident they could mitigate the risks of ransomware. In the age of COVID-19, 61 percent of respondents are not confident or have no confidence.

Sponsored by Censinet, Ponemon Institute surveyed 597 IT and IT security professionals in HDOs. In the context of this research, HDOs are entities that deliver clinical care and rely upon the security of third parties with whom they contract services and products. These include integrated delivery networks, regional health systems, community hospitals, physician groups, and payers.  Click here to visit Censinet and download the full report.

Our findings correlated increasing cyberattacks, especially ransomware, with negative effects on patient care, exacerbated by the impact of COVID on healthcare providers. We also analyzed steps that HDOs are taking to protect patient safety, data, and care operations to determine what is working since so many respondents have been victims of more than one ransomware attack.

Ransomware attacks on healthcare organizations can be a life-or-death situation.

The onset of COVID-19 introduced new risk factors to HDOs, including remote work, new systems to support it, staffing challenges, and elevated patient care requirements. There’s been a great deal of media coverage on the rise of cyberattacks such as ransomware both within the healthcare industry and beyond. This research focuses on the healthcare industry to understand the extent to which HDOs are being targeted and ascertain the impact of those attacks. Both are covered in-depth in the key findings section of the report.

Over the last two years, 43 percent of respondents say their HDOs experienced a ransomware attack. Of these respondents, 67 percent of respondents say their HDO had one and 33 percent of respondents say they experienced two or more.

These attacks risk patient safety, data, and overall care availability. Respondents report that ransomware attacks had a significant impact on patient care, reporting longer length of stay (71 percent of respondents), delays in procedures and tests (70 percent of respondents), increase in patient transfers or facility diversions (65 percent of respondents) and an increase in complications from medical procedures (36%) and mortality rates (22%).

HDOs forecast that the number of contracted third parties will increase by 30 percent over the next 12 months

Driven by cost containment, regulatory directives and the demand for accessible, higher-quality patient care, HDOs have shifted to the digitization and distribution of health information. Moreover, medical devices, whether in patient rooms or labs, rely on network connectivity for operations and maintenance.

Nearly all of the technology components described are not developed by the HDO. These include software, services, and hardware development from organizations known as third parties. This study revealed that the average number of third parties that organizations contract with is 1,950, and this will increase to an average of 2,541 in the next 12 months.

Third-party products and services are a necessary and critical part of the HDO IT blueprint, but each brings another set of risk factors to the table. Some risks are inherent to the third party such as secure operating systems and other software in medical devices. Other risks involve how the HDOs deploy and use third parties, including storing protected health information (PHI) on cloud-based systems that weren’t meant to support it. In either case, the risk created by the third party or the HDO use of the third party needs to be managed. The burden is on the HDO to perform assessments throughout their relationship with the third party (e.g., procurement, implementation, usage, updates, termination, etc.).

Third-Party Risk Management is Hard, and COVID-19 Made it Worse

This research also looks at the capabilities and maturity of HDOs to manage third-party risk, both before and during COVID-19. According to only 44 percent of respondents, controls critical to assessing third-party risks are only partially accomplished in HDOs. Only 40 percent of respondents say their organization always completes a risk assessment of its third parties prior to contracting with them. However, 38 percent of respondents state the assessment findings are ignored by leaders.

Re-assessments are another critical part of third-party risk management and are not conducted as often as required. More than half (53 percent) of respondents say re-assessments are conducted only on-demand or on no regular schedule.

Recommendations for Mitigating Ransomware and Third-Party Risks

According to the findings, healthcare organizations are less prepared to deal with third-party risks. Following are recommended steps for HDOs to take to protect patient safety, data, and care operations.

  • Invest in workflow automation, resources, and processes to establish a digital inventory of all third parties and PHI records. An HDO must know the number and location of PHI records that are accessed, transmitted or stored by third-party products or services.
  • Increase overall risk coverage of third parties by leveraging automation to conduct more assessments. The average number of third parties that organizations contract with is expected to increase from 1,950 to 2,541 over the next 12 months. However, only 40 percent of respondents say their organizations always complete a risk assessment prior to engaging with a third party. If their organizations conduct an assessment, only 38 percent of respondents say their leaders always accept their recommendation not to contract with them.
  • Allocate resources and funding to re-assess high-risk third parties. Currently, only an average of 32 percent of critical and high-risk third parties are assessed annually, and only an average of 27 percent of these third parties are re-assessed annually.
  • Increase efforts to secure medical devices. Only 36 percent of respondents say their organizations know where all medical devices are. Only 35 percent of respondents say they know when a medical device vendor’s operating device is end-of-life or out-of-date. Only 29 percent of respondents say they know the non-planned expense of medical device operating system patches.
  • Ensure critical steps for identifying and mitigating third-party risks are in place. Sixty percent of organizations represented in this research had a data breach in the past two years, resulting in an average of 28,505 records containing sensitive and confidential information compromised. According to the research, organizations can only partially evaluate the various threats targeting their assets and IT vulnerabilities. They also lack the capability to continuously monitor vendor risks.
  • Assign risk accountability and ownership to one role. The ability to execute an enterprise-wide risk management strategy is affected by not assigning accountability and ownership to one role.

Click here to visit Censinet and download the full report.

Fix Facebook now: Let users opt-out of its addictive algorithm

Bob Sullivan

It’s the news feed, stupid. The algorithm.

You’re probably going to read 1,000 things about the recent Facebook whistleblower hearing, so I won’t belabor the discussion. I have just one point I’d like to drive home. But first– I will say I’m sad that, after all this time, journalists from all over give prominent placement to the disinformation published by Facebook about Facebook — The New York Times felt the need to put the firm’s misdirection statement about the hearings in the fourth paragraph of its story about the hearings, showing journalists have learned little about the way both-sides-ism is abused in the information age.   I won’t repeat it here, but suffice to say the company just attacked the message without disputing any of the messages.

I’d like people to focus on something simple and often overlooked when it comes to the harm Facebook’s apps cause in the world: Control of the news feed.   Witness Fraunces Haugen talked quite a bit about Instagram and Facebook’s use of “engagement-based ranking” for items that appear before users.  You can’t pick what appears on these apps, not really. Facebook picks. And it picks the most extreme, most manipulative, most addictive content it can place in front of you. All the time.

Facebook has spent billions of dollars hacking you. Researching you. Picking you apart. Finding your weakness. And then feeding it. Like candy bars with too much sugar, or better yet, opioids that ease the pain just enough. Well, nearly enough, but not quite. So, you must come back for more, and more, and more.   To one man, it’s angry Trump content. To a young woman, it’s workout videos. Still another gets climate change outrage, or posts about the Latin Mass.  Facebook doesn’t care.  Like an evil creature from a science-fiction movie, it finds your weakness and exploits it. To feed the ever-hungrier beast inside.

This is “engagement-based ranking,” as Haugen called it.  And when we like or share these addictive things, we “give little hits of dopamine” to our friends.  Like a nightmare digital drug gang — *shiver*

Users have forever asked for a simpler way.  They want control of the news feed, or the way Instram picks images to display.  Consumers have forever wanted a simple page full of close friends’ posts.  Babies, weddings, the occasional professional announcement.  This request has been denied over and over by Facebook.  In fact, the company has stopped outside firms from creating plugins that would enable just that simple feature.  Why?    Haugen explained: Engagement would fall. Clicks would drop. Revenue would fall.

Facebook claims the reason is something else: User-directed feeds would be full of spam and other annoying content. That reasoning — Facebook-i-an NewsSpeak — is so bogus I hesitate to repeat it.  We all deal with spam, every day. We could handle it on Facebook and Instagram in exchange for ending the tool’s ever-increasing, artificial intelligence-fueled addictive algorithm.

So as Congress and other law enforcement ponder what should happen now, here’s my wish list of one: Require Facebook to let users opt out of the algorithm.  Or, as  Haugen suggested, end Section 230 protections for algorithm-programmed content farms.  If they pick the things we see, they should be responsible for them. I’m not saying this would fix every problem. But it sure would fix a lot. And it could happen….immediately.

It’s not that hard to fix. We’ve just failed…so far.  Tim Sparapani, another former Facebook employee, told me that last year in my “Original Sin of the Internet” podcast. It’s more true than ever now.

 

The 2021 Global Encryption Trends Study

Ponemon Institute is pleased to present the findings of the 2021 Global Encryption Trends Study, sponsored by Entrust. We surveyed 6,610 individuals across multiple industry sectors in 17 countries – Arabian Cluster (which is a combination of respondents located in Saudi Arabia and the United Arab Emirates), Australia, Brazil, France, Germany, Hong Kong, Japan, Mexico, Netherlands, the Russian Federation, Spain, Southeast Asia, South Korea, Sweden, Taiwan, the United Kingdom, and the United States.

The purpose of this research is to examine how the use of encryption has evolved over the past 16 years and the impact of this technology on the security posture of organizations. The first encryption trends study was conducted in 2005 for a US sample of respondents.  Since then we have expanded the scope of the research to include respondents in all regions of the world.

Since 2015 the deployment of encryption has steadily increased. This year, 50 percent of respondents say their organizations have an overall encryption plan that is applied consistently across the entire enterprise and 37 percent of respondents say they have a limited encryption plan or strategy that is applied to certain applications and data types, a slight decrease from last year. Following are the findings from this year’s research:

Strategy and adoption of encryption

Enterprise-wide encryption strategies increase. Since conducting this study 16 years ago, there has been a steady increase in organizations with an encryption strategy applied consistently across the entire enterprise. In turn, there has been a steady decline in organizations not having an encryption plan or strategy. The results have essentially reversed over the years of the study.

Certain countries have more mature encryption strategies. The prevalence of an enterprise encryption strategy varies among the countries represented in this research. The highest prevalence of an enterprise encryption strategy is reported in Germany, the United States, Japan and the Netherlands. Respondents in the Russian Federation and Brazil report the lowest adoption of an enterprise encryption strategy. The global average of adoption is 50 percent.

The IT operations function is the most influential in framing the organization’s encryption strategy over the past 14 years. However, in the United States the lines of business are more influential (305percent of respondents). IT operations are most influential in Sweden, Korea and France.

Trends in adoption of encryption

 The use of encryption increases in all industries Results suggest a steady increase in all industry sectors, with the exception of communications and service organizations. The most significant increases in extensive encryption usage occur in manufacturing, hospitality and consumer products.

 The extensive use of encryption technologies increases. Since we began tracking the enterprise-wide use of encryption in 2005, there has been a steady increase in the encryption solutions extensively used by organizations.

Threats, main drivers and priorities

Employee mistakes continue to be the most significant threats to sensitive data. The most significant threats to the exposure of sensitive or confidential data are employee mistakes.

In contrast, the least significant threats to the exposure of sensitive or confidential data include government eavesdropping and lawful data requests. Concerns over inadvertent exposure (employee mistakes and system malfunction) significantly outweigh concerns over actual attacks by temporary or contract workers and malicious insiders.

The main driver for encryption is the protection of customer’s personal information. Organizations are using encryption to protect customers’ personal information (54 percent of respondents), to protect information against specific, identified threats (50 percent of respondents), and the protection of enterprise intellectual property (49 percent of respondents).

A barrier to a successful encryption strategy is the ability to discover where sensitive data resides in the organization. Sixty-five percent of respondents say discovering where sensitive data resides in the organization is the number one challenge. Forty-three percent of all respondents cite initially deploying encryption technology as a significant challenge. Thirty-four percent cite classifying which data to encrypt as difficult.

Deployment choices

No single encryption technology dominates in organizations. Organizations have very diverse needs. Internet communications, databases and internal networks are the most likely to be deployed and correspond to mature use cases. For the fourth year, the study tracked the deployment of encryption of IoT devices and platforms. Sixty-one percent of respondents say encryption of IoT platforms devices and 61 percent of respondents say encryption of IoT platforms have been at least partially deployed.

Encryption features considered most important

Certain encryption features are considered more critical than others. According to the consolidated findings, system performance and latency, management of keys and enforcement of policy are the three most important encryption features.

Which data types are most often encrypted? Payment related data and financial records are most likely to be encrypted as a result of high-profile data breaches in financial services. The least likely data type to be encrypted is health-related information and non-financial information, which is a surprising result given the sensitivity of health information.

Attitudes about key management

How painful is key management? Fifty-six percent of respondents rate key management as very painful, which suggests respondents view managing keys as a very challenging activity. The highest percentage pain threshold of 69 percent occurs in Spain. At 37 percent, the lowest pain level occurs in France. No clear ownership and lack of skilled personnel are the primary reasons why key management is painful.

Importance of hardware security modules (HSMs)

The United States, Germany and Japan organizations are more likely to deploy HSMs. T United States, Germany and Japan are more likely to deploy HSMs than other countries. The overall average deployment rate for HSMs is 49 percent.

How HSMs in conjunction with public cloud-based applications are primarily deployed today and in the next 12 months. Forty-one percent of respondents say their organizations own and operate HSMs on-premise, accessed real-time by cloud-hosted applications and 39 percent of respondents rent/use HSMs from a public cloud provider for the same purpose. The use of HSMs with Cloud Access Security Brokers and the ownership and operation of HSMs on premise are expected to increase significantly.

The overall average importance rating for HSMs, as part of an encryption and key management strategy in the current year is 66percent. The pattern of responses suggests the United States, Arabia (Middle East) and the Netherlands are most likely to assign importance to HSMs as part of their organization’s encryption or key management activities.

What best describes an organization’s use of HSMs? Sixty-one percent of respondents say their organization has a centralized team that provides cryptography as a service (including HSMs) to multiple applications/teams within their organization (i.e. private cloud model). Thirty-nine percent say each individual application owner/team is responsible for their own cryptographic services (including HSMs), indicative of the more traditional siloed application-specific data center deployment approach.

What are the primary purposes or uses for HSMs? The three top uses are application-level encryption, SSL/TLS, followed by container encryption/signing services. There is a significant increase in the use of database encryption 12 months from now.

Cloud encryption

 Sixty percent of respondents say their organizations transfer sensitive or confidential data to the cloud whether or not it is encrypted or made unreadable via some other mechanism such as tokenization or data masking. Another 24 percent of respondents expect to do so in the next one to two years. These findings indicate the benefits of cloud computing outweigh the risks associated with transferring sensitive or confidential data to the cloud.

How do organizations protect data at rest in the cloud? Thirty-eight percent of respondents say encryption is performed on-premise prior to sending data to the cloud using keys their organization generates and manages. However, 36 percent of respondents perform encryption in the cloud, with cloud provider generated/managed keys. Twenty-one percent of respondents are using some form of Bring Your Own Key (BYOK) approach.

What are the top three encryption features specifically for the cloud? The top three features are support for the KMIP standard for key management (59 percent of respondents), SIEM integration, visualization and analysis of logs (59 percent of respondents) and granular access controls (50 percent of respondents).

 Read the full Global Encryption Trends story at Entrust’s website.

 

Facebook earns billions from scam ads, lawsuit alleges

Bob Sullivan

Facebook profits from advertisements it knows, or should know, are fraudulent, a federal lawsuit filed in  California alleges. The social media giant makes it easy for criminals to target consumers who are not only likely to click on certain kinds of ads, but also likely to follow through with purchases, the case claims.  The firm is “actively soliciting, encouraging, and assisting scammers,” the suit claims.

Alleged frauds include ads for products that never ship, or are substantially different from what is advertised. Fraud rates for some types of ads are as high as 30%, the suit claims.

Not only does Facebook look the other way when such ads are placed, but it has actively recruited suspicious sellers through conferences and other means, the case claims. Lawyers for the plaintiffs seek class-action status for the case, and claim there are potentially millions of victims and Facebook has earned billions of dollars.

Facebook did not immediately respond to a request for comment about the lawsuit (I’ll update the story if needed).

Tech companies have faced allegations they profit off fraud enabled by their platforms for a long time. Journalists have been writing about fake Google Maps businesses for at least seven years.  Instagram fraud had its day in the sun back in 2018. The firms make money off disinformation, too. Recently, I searched for “Can I get the vaccine from my doctor” on Google and was presented with a long list of anti-vaxx links and products for sale.

There have long been questions about how hard these services work to correct these problems. “More than a third (34%) of people that reported a scam ad to Google said it was not taken down while just over a quarter (26%) said the same had happened with Facebook, according to a study published by British consumer group Which?” BusinessInsider has reported.

The recent Facebook case, filed in August, alleges negligence, breach of contract, and breach of covenant of good faith and fair dealing. It builds on the work of several journalists who have written about Facebook ad fraud in recent years — most notably Zeke Faux’s story in 2018, which includes details from a Facebook ad conference that Bloomberg attended; and a Buzzfeed story from last year, titled Facebook Gets Rich Off Of Ads That Rip Off Its Users. 

The California lawsuit claims that “Facebook’s sales teams have also been aggressively soliciting ad sales in China and providing extensive training services and materials to China-based advertisers, despite an internal study showing that nearly thirty percent (30%) of the ads placed by China-based advertisers — estimated to account for $2.6 billion in 2020 ad sales alone — violated at least one of Facebook’s own ad policies.”

It also cites increased social media advertising fraud complaints, driven most recently by stay-at-home orders during the pandemic. “In October 2020, the Federal Trade Commission (“FTC”) reported that about 94% of the complaints it collected concerning online shopping fraud on social media identified Facebook (or its Instagram site) as the source,” the case notes.

Facebook denied to Buzzfeed that it profits off fraud. It told the news site: “Bad ads cost Facebook money and create experiences people don’t want. Some of the things raised in this piece are either misconstrued or missing important context. We have every incentive — financial and otherwise — to prevent abuse and make the ads experience on Facebook a positive one. To suggest otherwise fundamentally misunderstands our business model and mission.”

But it’s hard to deny the incentives large tech companies have to look the other way when companies are paying them millions of dollars to get finely-tuned ads in front of users.

In the lawsuit, plaintiff Christopher Calise says he spent about $50 to buy a car engine assembly kit and never received it. He reported the ad as fraud to Facebook, and the social media company took it down, but the alleged scam firm was able to re-place the ad using a slightly different name soon after.   Plaintiff Anastasia Groschen says she responded to an ad for a child’s activity board. When a simple puzzle arrived instead, she complained to the company, only to be instructed that she’d have to pay to ship the puzzle back to China.

The lawsuit seeks monetary damages for all impacted members of the class, and wants the court to force Facebook to make immediate changes to the way it patrols ads.

Phishing costs have tripled since 2015

Ponemon Institute is pleased to present the results of The 2021 Cost of Phishing Study sponsored by Proofpoint. Initially conducted in 2015, the purpose of this research is to understand the risk and financial consequences of phishing. For the first time in this year’s study we look at the threats and costs created by business email compromise (BEC), identity credentialing and ransomware in the workplace.

The key takeaway from this research is that the costs have increased significantly since 2015. Moreover, with the difficulty many organizations have in securing a growing remote workforce due to COVID-19, successful phishing attacks are expected to increase.

We surveyed 591 IT and IT security practitioners in organizations in the United States. Forty-four percent of respondents are from organizations with 1,000 or more employees who have access to corporate email systems.

The following findings reveal that phishing attacks are having a significant impact on organizations not only because of the financial consequences but also because these attacks increase the likelihood of a data breach, decrease employee productivity and increase the likelihood of a business disruption.

The cost of phishing more than tripled since 2015. The average annual cost of phishing has increased from $3.8 million in 2015 to $14.8 million in 2021.The most time-consuming tasks to resolve attacks are the cleaning and fixing of infected systems and conducting forensic investigations. Documentation and planning represent the least time-consuming tasks.

Loss of employee productivity represents a significant component of the cost of phishing. Employee productivity losses are among the costliest to organizations and have increased significantly from an average of $1.8 million in 2015 to $3.2 million in 2021. Employees are spending more time dealing with the consequences of phishing scams. We estimate the productivity losses based on hours spent each year by employees/users viewing and possibly responding to phishing emails averages 7 hours annually, an increase from 4 hours in 2015.

The cost of resolving malware infections has doubled total cost of phishing. The average total cost to resolve malware attacks is $807,506 in 2021, an increase from $338,098. Costs due to the inability to contain malware have more than doubled from an average of $3.1 million to $5.3 million.

Credential compromises increased dramatically. As a result, organizations are spending more to respond to these attacks. The average cost to contain phishing-based credential compromises increased from $381,920 in 2015 to $692,531 in 2021. Organizations are experiencing an average of 5.3 compromises over the past 12-month period.

Credential compromises not contained have more than doubled. The average total cost of credential compromised not contained is $2.1 million and has increased significantly from $1 million in 2015.

BEC is a security exploit in which the attacker targets employees who have access to an organization’s funds or data. The average total cost of BEC’s exploits was $5.96 million (see Table 1a). Based on the findings, the extrapolated average maximum loss resulting from a BEC attack is $8.12 million. The average total amount paid to BEC attackers was $1.17 million.

What is the cost of business disruption due to ransomware? Ransomware is a sophisticated piece of malware that blocks the victim’s access to his/her files. The average total cost of ransomware last year was $5.66 million, and the average percentage rate of ransomware attacks from phishing was 17.6 percent.

Employee training and awareness programs on the prevention of phishing attacks can reduce costs. Phishing attacks are costing organizations millions of dollars. According to the research, the average annual cost of phishing scams is $14.8 million, an increase from $3.8 million in 2015.

Respondents were asked to estimate what percentage of phishing costs that could be reduced through training and awareness programs that specifically address the risks of phishing attacks targeting the workforce.  The cost can be reduced by an average of more than half (53 percent) if training is conducted.

Part 2. Key findings

Loss of employee productivity represents a significant component of the cost of phishing.
The average annual cost of phishing has increased from $3.8 million in FY2015 to $14.83 million in 2021. As shown, productivity losses have increased significantly from $1.8 million in 2015 to $3.2 million in FY2021. Please note that information about BEC and ransomware was not available in FY2015. In the current study, we estimate an annual cost of phishing for BEC at $5.97 million and ransomware at $996 thousand.

Employees are spending more time dealing with the consequences of phishing scams. The range of hours is less than 1 to more than 25 hours per employee each year. We estimate the productivity losses based on hours spent each year by employees/users viewing and possibly responding to phishing emails. As shown, each employee wastes an average of 7 hours annually due to phishing scams, an increase from 4 hours in 2015.

As discussed, the costliest consequence of a successful phishing attack is employees’ diminished productivity. Here we assume an average-sized organization with a headcount of 9,567 individuals with user access to corporate email systems.  Based on an average of 7 hours per employee we calculate 65,343 hours wasted because of phishing.  Assuming an average labor rate of $49.5 for non-IT employees (users) we calculate a total productivity loss of $3.2 million annually, an increase from $1.8 million in 2015.

An average of 15 percent of an organization’s malware infections are caused by phishing scams. Respondents were asked to estimate the percentage of malware infections caused by phishing scams. The estimated range is less than 1 percent to more than 50 percent. The extrapolated average rate is 15 percent. As discussed above, the cost to contain malware is estimated to be $353,582 (see Table 1).

The likelihood of a malware attack causing a material data breach due to data exfiltration has increased since 2015. In the context of this research, a material data breach involves the loss or theft of more than 1,000 records. Respondents were asked to estimate the likelihood of this occurring. The probability distribution ranged from less than .1 percent to more than 5 percent. The extrapolated average likelihood of occurrence is 2.3 percent over a 12-month period, an increase from 1.9 percent.

The total cost attributable to malware attacks caused by phishing scams more than doubles. The total cost to resolve malware attacks is $807,506 in 2021, an increase from $338,098 in 2015.

Phishing costs due to the inability to contain malware have more than doubled and represents 11 percent of the total cost of phishing.  Malware not contained is malware at the device level that has evaded traditional defenses such as firewalls, anti-malware software and intrusion prevention systems. Following are two attacks caused by an active malware attack that are difficult to contain: (1) data exfiltration (a.k.a. material data breach) and (2) business disruptions. The total cost of malware not contained has increased from $3.1 million to $5.3 million.

A malware attack resulting in a data breach due to data exfiltration could cost an organization an average of $137.2 million. The following formula is used to determine the probable maximum loss (PML) and the likelihood of such an attack:

What is the cost of business disruption due to a malware attack? Respondents were asked to estimate the PML resulting from business disruptions caused by a malware attack. Business disruptions include denial of services, damage to IT infrastructure and revenue losses. The distribution of maximum losses ranges from less than $10 million to $500 million. The extrapolated average PML resulting from data exfiltration is $117.3 million, an increase from $66.3 million.

How likely are business disruptions caused by a malware attack will affect your organization? Respondents were asked to estimate the likelihood of material business disruptions caused by malware. The probability distribution ranges from less than .1 percent to more than 5 percent. The extrapolated average likelihood of occurrence is 2.1 percent over a 12-month period, an increase from 1.6 percent in 2015.

Visit Proofpoint’s website to download the entire 2021 Cost of Phishing Report

Hear how an FBI agent conned a con artist; got him to fly to the US for prosecution

Bob Sullivan

How do you catch Internet con artists? Well, you con them.

Alan, who lives near Washington D.C., had traveled to Dubai and to Ghana thinking he was helping a princess gain access to her multi-million dollar inheritance.  Before his fever was broken, Alan — not his real name — sent about $600,000 to a man named Eric and a woman who called herself “Precious.”  By the time the FBI got involved, it was too late for Alan’s money.  But Alan did have a photograph of the two criminals, taken in Dubai.  When a rookie FBI agent named Mike saw that, he decided there might be just enough evidence to pursue the criminals through cyberspace.

He had one big problem, however. Agent Mike — we’re protecting his identity — couldn’t fly to Dubai or Ghana and arrest them. He had to get them to fly, willingly, to the U.S.

You don’t often get to hear an FBI agent talk about chasing after online criminals. And rarely do stories involving $600,000 sent overseas to criminals have a happy ending. But in this recent episode of The Perfect Scam, I pull back the curtain on a remarkable piece of crime-fighting and a relentless pursuit by one very determined agent.

Listen to this episode by clicking here, or by clicking the play button below.  Below that, a partial transcript appears. It’s a two-part episode. You can hear part 2 at this link, or hit the second play button below.

———-PARTIAL TRANSCRIPT—————-

 

FROM PART 1

[00:06:25] Mike: Yeah, it’s almost heartbreaking, because when you read the transcripts, you can see how the victim actually thinks it’s real. I mean he’s actually saying things like, “Well when can I meet you,” or “Can you send me more pictures?” The scammer usually almost always just returns to, “Oh I love you so much,” et cetera, et cetera, you know, “How are you?” that kind of thing. And it’s just so one-sided in terms of the victim is like actually trying to have a relationship, but the scammers are just uh clearly have an agenda on their mind. And then uh, it will, you know, usually transition then to, “Oh, hey something terrible just happened. My mother just got into a car accident,” “We’re overseas for the moment,” or “My, my dad’s uh late on his rent,” or “I’m late on my rent,” or something like that. “Can you just send me, MoneyGram me uh, 500 bucks, ” or something like that.

[00:07:13] Bob: But those smaller asks are just the beginning of the crime. Soon, Precious starts to tell a much bigger story to Alan.

[00:07:21] Mike: One thing that happened, which I’ve come to realize this might be a common thing for scammers from Ghana, is that the uh the women, in this case, Precious, eventually will let the victim know that, “I am actually an African princess, I’ve actually inherited millions of dollars’ worth of gold, it’s back overseas in Ghana, and here’s my lawyer,” you know. In, in this case Precious had a lawyer named Eric, and other, other scammers will introduce other like a, they’ll, they’ll almost always introduce a second player, um, like a second figure. And then the lawyer will come in, in this case, Eric, with a very formal sounding, uh you know, email signature block and very formal sounding, uh, language and write, you know, big, long paragraphs, with very lawyerly sounding text to say, “I understand, Alan, that you’re here to help Precious. Uh, that’s a great thing that you’re doing. And in order to have her, you know, receive her inheritance of millions of dollars which will help her and her family, you need to start paying,” you know, this and that for legal documents, for shipping fees, et cetera, et cetera.

[00:08:40] Bob: So far, this looks like a crime that FBI agents unfortunately see pretty often, but as Mike keeps reading, he confirms one of his chief suspicions. That trip to Dubai and Ghana, that means the crime went a whole lot farther.

[00:08:55] Mike: Eventually, I think the reason to get Alan on a plane was so that he could meet the supposed lawyer, Eric, in Dubai so that they could sign some legal documents towards the uh, the release of the gold.

[00:09:08] Bob: And what did he actually sign when he got to Dubai?

[00:09:11] Mike: It was just, you know, something that you could drum up on Microsoft Word in 10 minutes.

[00:09:16] Bob: So this, this was still all just a, a movie scene that they were playing out for him. Um, well did you see the part of the discussion where he said, yes, I’ll, I’ll fly, I’ll get on an airplane? I mean, that must be amazing to see in black and white.

[00:09:30] Mike: Yep, we saw that. I think it must have been several months into their, the scam where he actually got onto the plane, if I recall correctly. But uh yep, they met in Dubai. That was actually one of the reasons why I decided that we could probably take on this case, because he had actually gone overseas, and he actually met these people in person, at least Alan could pick them out from a lineup, for example.

[00:09:55] Bob: He could pick Precious and Eric out of a lineup, if ever there were a way to get them into a lineup. But maybe even more important, there’s pictures.

[00:10:06] Mike: Yeah, so they meet in Dubai. It’s Eric and Precious. It’s uh, an African man and a Caucasian woman claiming to be Eric and Precious, and they have Alan pay for the hotel, they have Alan pay for the meals, everything. In fact, I think there’s this picture of Alan with uh, Eric and Precious in like, it looks like a Chili’s or something in the Dubai airport. It was one of the first times that we actually saw the scammers for real when, uh Alan shared that picture with us.

[00:10:34] Bob: Okay, yeah. Now before we go on, you have a picture of them at, of the three of them at a, at a Chili’s in Dubai?

[00:10:40] Mike: I, I don’t know what restaurant it is, but it looked like, you know, uh there’s, there’s a few more pictures of them at the uh, the Dubai airport, so you know, it’s just pretty good uh proof that corroborates the story.

[00:10:53] Bob: That’s, I’m almost, I’m kind of amazed that they were brazen enough to pose for a picture like that.

[00:10:58] Mike: You know, it’s um, sometimes I think about that, too. So I think from the perspective of a scammer, it’s really a risk/reward calculation they have to make because uh, when you’re trying to scam these folks, if you, you know, obviously, you know, it’s a romance scam, so your victim wants to meet you because you guys are supposed to be in love. So if you never meet with the victim, obviously they will start to get suspicious after a while. And there’s only so much that you can keep the victim on the hook for, there’s only so, so much money you can squeeze out of them. However, if you take the risk and you actually meet with the victim, and you have the uh, I guess the props to show that this is actually a true story, then you’ve got the victim hooked for even more, right. Now he knows it’s real.

(MUSIC SEGUE)

[00:11:43] Bob: Mike says the three of them looked pretty jolly in the photos, like they’re on vacation together.

[00:11:48] Mike: Eric and Alan, just kind of posing, big smiles somewhere, it must have been somewhere in Dubai, if I recall correctly. And then, when we saw pictures of Precious, she was indeed a Caucasian young woman. She must, she must have been in her mid–, she looked like she was in her mid-20s. Eric looked like he was a bit older, probably in his 40s, but you know, the pictures that Precious had been sending to Alan via Skype were, you know, pictures of just gorgeous women that you find on the internet, right, and it was pretty clear that the Precious in real life was not the same.

[00:12:26] Bob: Eventually, the group gets down to business. But they don’t stay in Dubai very long.

[00:12:31] Mike: After signing these documents for the uh, supposed gold, Eric kind of suddenly proposes to Alan, “Hey why don’t I take you to Ghana so that you could actually see the gold for yourself, and so that you can actually see all of Precious’s inheritance, so that you know it’s real.” And then um, the real reason that Eric’s doing this is because he wants to get Alan on some more scams that he has waiting for him back in Ghana. From there, Precious actually goes back to her home country; we found out later that was Ukraine. Eric, I think he just takes Alan’s credit cards, and he just buys tickets for them to go from Dubai to Ghana.

[00:13:08] Bob: And when they get to Ghana, Eric puts on quite a show for Alan.

[00:13:12] Mike: Pretty shortly after they landed, Eric takes Alan to what sounds like some sort of compound or some sort of building that he has, and inside is what Alan described as some sort of safety deposit box. Unfortunately, there was no pictures uh really from, that describe this, so I don’t, we don’t really have a good visual on it, but it looked pretty official. Uh, Alan, you know, Alan described that there was like a bank guard there, and there were some other folks there, and so, you know, Eric does the whole “bring forth the gold” kind of thing. Alan describes um, the guards bringing over I guess a chest of, you know, gold bars, and uh Alan picked one up, and, and he said it sure felt like they were pretty heavy, so it must be gold.

[00:14:05] Bob: Wow, and but to Alan’s estimation, it was maybe millions of dollars’ worth of gold?

[00:14:10] Mike: Yeah, that’s what Eric was claiming the whole time. That was part of the story, so…

[00:14:14] Bob: Of course, Eric has another reason to bring Alan to Ghana. He wants to introduce Alan to another criminal with another elaborate story.

[00:14:23] Mike: Eric kind of uses this opportunity to, to introduce a, another scam. It’s another scam that we’ve heard of before, it’s sometimes you call it like, uh I’ve heard it referred to as like a kind of a washing the money scam, or the black money scam. There’s different variations of it, but really what it amounts to is a magic trick that is really impressive in the moment and really uh hooks your victim. And what Eric does is he says, okay, great, now you’ve seen Precious’s gold. I’d like to introduce you to another person. This person here is Daniel. Daniel’s about 18 years old. You know, he’s also some sort of African nobility. And Daniel’s there, and he’s smiling and he’s, you know, playing the part of a, a poor 18-year-old kid, and Eric’s just trying to help him out too, just the way like he’s trying to help out Precious. And Daniel has inherited a large quantity of, of sheets, uh, you know, just like you’ve seen those sheets that are uncut at the Treasury Department. But these sheets are worthless unless you start cutting them, and once you cut them all, then they’ll be worth millions, but uh, the way to cut them is, you can’t just use scissors. You need a chemical that only, Frank, the other character, he uses introduces guy, Frank. Frank was kind enough to bring it, so let me show you how it works. Puts the chemicals in a bowl, pours water over it, mixes it all up, and then he dips one of these sheets into the bowl, and you know, before Alan’s eyes, the sheets separate into the separate individual $100 bills. So, just like that, we made 400 bucks. And so Eric says, you know, it’s as simple as that, so if we want to start getting Daniel’s uh money, then we need to start paying money for the rest of the chemicals from Frank.

—-FROM PART 2—–

[00:04:24] Mike: Plan C was, you know with Alan’s permission, and also his wife, too, we, we kept the wife in the loop the entire time. I didn’t want her to feel like she was being excluded, but I asked them if they’d be willing to, you know, take some pictures of Alan in the hospital undergoing, well, post, uh, his medical procedures, and to go back to Eric and Precious and say, “Hey, you know, my health is really declining. I really want to help you, Precious, so uh, here’s proof that I can’t go overseas and see you. Why don’t you guys come over here, and we can do things like, I’ll put you in my will,” and so Precious will have, you know, $10,000 a month in perpetuity or something like that, or, or uh, I got a, another, another ruse that we started coming up with was, we had Alan say, “I’ve got a really rich businessman man and he’s really looking to invest in uh, in Africa, you know, and Africa’s the next place to invest in, especially with uh, raw minerals, and you, you seem to know a lot about gold, so yeah, this, yeah this rich businessman wants to meet you. He wants to talk about gold.” So we kind of started coming up with stories to uh, you know, scam Eric and Precious and Daniel with.

[00:05:40] Bob: It strikes me that it’s a good thing you work for the FBI. Otherwise you’d have another career that might not be as wholesome.

[00:05:46] Mike: Oh, (laugh). Well, sometimes you’ve got to think like scammers to catch them, so.

[00:05:52] Bob: Mike has to really work to open the door to the US for Precious and Eric. One of the most important steps, getting the State Department to issue a visa.

[00:06:01] Mike: We were kind of playing multiple stories at the same time, and I think the pictures of Alan, uh, you know, in the hospital, they were effective, but what was even more effective was we were telling Alan to ask Eric like, “Hey look, go to the Embassy in Ghana, apply for a visa, just get that process started,” and then I actually started kind of going behind the scenes, and I started, uh, talking to some reps at the State Department to say, like, hey look, we’re going to, we’re trying to set this up now, you know. This person, Eric, which I, you know, by that time we had kind of identified who Eric really was, he’s a criminal, he’s a, he’s a subject of an investigation, there’s an active FBI investigation on him. Here’s what, here’s kind of what’s going on. Basically I said, “I need you to give him a visa.”

(MUSIC SEGUE)

[00:06:51] Bob: Meanwhile, Mike is coaching Alan on what to say to Eric and Precious. They lay it on pretty thick.

[00:06:57] Mike: We had Alan say, “Hey, you got your visa, because my friend, my rich friend pulled some strings with the government.” That was the story that we were spinning towards him, and then we were saying, “Okay, well now my rich friend really wants to talk to you about gold, so he’s going to buy you a plane ticket.”

[00:07:11] Bob: Even after Mike gets the State Department to play along, there are still a whole lot of steps before Eric and Precious might actually get on a plane and land in a US airport where they can be apprehended. Would Eric even show up for his visa appointment? What if he got cold feet right before boarding the plane? You’d think Mike might be worried by these things, but he says he wasn’t.

[00:07:32] Mike: You know, it wasn’t really so much nervousness, I think, uh, just the way that we think here, we always have plan A, plan B, plan C, so this plan that we were setting forth, even though it was plan C, which is now plan A, we still had backup plans, you know, in place, so I knew that if Eric never really came here, or if uh, he never followed up on his visa appointment. We had other ways, you know, it’s just, you know at the FBI we just, we, time is on our side. So something would have come eventually. Like, for example, the UAE would have told us who these people really were. And so we could have, you know, these investigations drag on for a while, and eventually something would have broken, so I wasn’t um, part of me was like, there’s no way he’s actually going to do this. But even, and even if he didn’t, that would be okay, because this investigation will still be going forward.

[00:08:22] Bob: But, to the surprise of many agents involved, the plan works. Eric gets his visa and gets on a plane headed for Dulles Airport outside Washington DC.

[00:08:33] Bob: So it worked, okay. Are, are you there at the airport when they arrive?

[00:08:36] Mike: Yep, yes, it’s myself and a few more agents, and uh, um, you know we kind of confirmed with the Department of Homeland Security that he did indeed board the flight. We actually bought his plane ticket for him. And so we knew exactly when he was arriving. As he’s going through the immigration queues, one of the uh customs and border protection officers was with us, had kind of taken us behind the scenes at the airport. We saw him just going through. I think he had like a blue suit on, and uh, he had like one of those neck pillows. He looked very tired, obviously. We kind of pulled him out of the queue. We told him to sit in a, a place that’s called secondary inspection, uh with CBP at the airport. We just kind of looked at his uh travel documents again, just to confirm that he really was the person we were looking for, and we kind of went to him, kind of broke the bad news.

[00:09:34] Bob: What was the, the expression on his face when you did that?

[00:09:36] Mike: I think he was very tired. He was very jetlagged. He was very like, uh just absolute resignation. No fight, no denial, just okay, sure. Take me.

 

Managing digital fraud risks in government — the 2021 study

The treasure trove of customer data and financial information that government generates, stores and processes on a daily basis makes it a rich target for hackers. The purpose of this study is to understand the steps government agencies are taking to mitigate digital fraud risks and protect customer data. In the context of this study, customers are individuals who receive and use services from federal, state and local governmental agencies.

Digital services enable government to conveniently deliver information and services to customers anytime, anywhere and on any platform or device. However, such convenience needs to be supported by a strong security posture.

Sponsored by TransUnion, Ponemon Institute surveyed 594 IT and IT security practitioners who work in the federal, state and local/municipal government organizations  (click for full study). All respondents are familiar with their agency’s efforts to prevent and detect fraud and are aware of their agency’s information security vulnerabilities and threats. In addition to studying the state of security in government agencies, the research reveals respondents’ awareness of the extreme dissatisfaction customers have with the security and convenience of agencies’ websites. 

A key finding is that government agencies are not making the necessary investment in security technologies to protect customer data and make online access to accounts convenient. Only 43 percent of respondents say their agency has the security technologies necessary to provide customers with both a secure and convenient online experience when accessing their accounts. Another fraud risk is that only 37 percent of respondents say their agency makes it as easy as possible for customers to notify them if they believe their account has been compromised.

Following is a summary of digital fraud risks revealed in this research and the solutions needed to protect customer data and improve the online experience.

Similar to the commercial sector, government agencies are having multiple data breaches involving the loss or theft of customers’ personal information. These data breaches are most often caused by employee carelessness (64 percent of respondents). This indicates the need for regular training and awareness programs and enforceable privacy and security policies. An important part of this training should be to prevent phishing and social engineering attacks. The other top root causes are hackers (56 percent of respondents) and lost or stolen devices (52 percent of respondents).

Without having the necessary security technologies and in-house expertise most agencies find it impossible or very difficult to detect attacks. The most difficult types of attacks to detect are social engineering (66 percent of respondents), credential stuffing (60 percent of respondents) and knowing the real customer from a criminal imposter using stolen credentials (60 percent of respondents).

ATOs are on the rise and respondents believe mobile phones are most vulnerable to attacks. Mobile phones are ubiquitous, and 62 percent of respondents say they are the most vulnerable to ATO fraud. Further, not only are ATO attacks increasing, the severity of these attacks is also on the rise according to 59 percent of respondents.

Most agencies’ senior leadership are not prioritizing the ATO risk. Barriers to managing the risk of ATO fraud is that only 41 percent of respondents say senior leadership makes it a priority to prevent ATOs and only 38 percent of respondents say their agency regularly assesses the ability of its IT systems to prevent and detect fraud. As a consequence, only 37 percent of respondents say most ATO attacks are quickly detected and remediated and only 28 percent of respondents say their agency has a comprehensive view of its customers’ accounts.

To address the increase in account takeover attacks, agencies should consider a layered fraud management solution based on risk-based identity and device authentication. On average in the past two years, agencies have experienced 18 ATOs. More than half (53 percent) of respondents say they have significantly increased (19 percent) or increased (34 percent). Sixty-five percent of respondents say their agencies use two-factor authentication to reduce ATOs.

Polices for the prevention and detection of fraud are not reviewed as frequently as they should be. The threat landscape is constantly evolving but only 25 percent of respondents say these policies are reviewed monthly (12 percent) or quarterly (13 percent).

Accountability for managing fraud risks is dispersed throughout the organization. A possible reason for not prioritizing the digital fraud risks is that no single function emerges as most accountable. Twenty-one percent of respondents say it is in compliance/legal. Only 19 percent of respondents say the IT security leader is most accountable.

Without the necessary security technologies and support from senior leadership, it is difficult for agencies to be effective in protecting customers’ personal information.

Fifty percent say they are very effective or effective in reducing customer fraud, which means many agencies (50 percent of respondents) are not effective. Only 41 percent of respondents say their agencies are very effective in protecting customers’ personal information and only 38 percent are very effective in detecting and preventing account takeover fraud.

Customers are frustrated with the security and convenience of government websites. Only 27 percent of respondents say customers are satisfied with the convenience and 26 percent of respondents say customers are satisfied with the security of the website. As discussed previously, only 37 percent of respondents believe it is easy for customers to notify agencies if they believe their account has been compromised.

Artificial intelligence (AI) and improvements in identity authentication are considered important to improving the customer experience. Sixty-five percent of respondents say AI decision-making tools/technologies and interconnected devices will improve the ability to track customers’ status in order to improve the security and convenience when accessing online accounts. Sixty-one percent of respondents say improvement in identity authentication will improve the state of access governance and, therefore, improve customers’ user experience.

Download the full study at TransUnion.com

Debugger: The 1,000 companies that track you with every click and swipe

Bob Sullivan

I like a good challenge as a storyteller.  And let me tell you, making “third-party code” sound sexy is a challenge.  But that recent Apple ad showing an army of people following a cell phone user around, cataloging his every move — well, that’s real.  It’s hard to believe, but the commercial actually understates the problem.

Every day, with every click you make and every app you swipe, a virtual army of companies you’ve never heard of are tracking you.  Their 1×1 pixels and browser fingerprints lurk in every corner of the Internet, privacy landmines vacuuming up data about every aspect of your life.

I know you’ve heard this before, and I’ll bet you assume companies like Facebook and Google are tracking you to this degree — but you probably don’t realize, or don’t think about, the hundreds of small companies that attach themselves to name-brand websites like CNN.com which track you in the same way.

Why do they do that? So later, the billions of pieces of information collected about us can be married to billions of dollars being spent trying to get our attention.  Over and over and over: a mindless search for anxiety medicine or sexual dysfunction is auctioned off to the highest bidder, and shared with thousands of other firms. The result? A gigantic one-way mirror that not only intrudes on our most intimate thoughts but logs them forever, making them easy prey for murky data brokers and creepy hackers alike. For the rest of Internet time.

That’s what this podcast is about.  The Internet has a third-party problem — a number of third-party problems, really — and it’s time we talked about them.

To help me with this storytelling problem, I’ve enlisted the help of some real experts for this podcast — including Jeff Orlowski, director of the hit Netflix docu-drama The Social Dilemma. Orlowski certainly succeeded in making technology and privacy conflicts sexy. Also, you’ll hear from Chris Olson of The Media Trust; Jason Kint from Digital Content Next; and Jolynn Dellinger from Duke University. Debugger is brought to you by Duke University’s Sanford School of Public Policy and the Kenan Institute for Ethics.

Please listen to the podcast: If you prefer, a transcript of the show is below. If a play button doesn’t appear for you, click this link to listen.

 

 

 

 

AUDIO
1. Chris Olson: Imagine this: it’s the beginning of Spring, and you’re excited to begin a long-needed home renovation project. You select Bob, a trusted and well-known contractor.

 

On the first day, Bob shows up with a handful of subcontractors, many of them expected. But as the days wear on, the number of subcontractors grows substantially, several of them questionable in need, skill, and character. Even if you fire the bad ones, new ones appear. By the end of the following week, your property is littered with trash, the newly installed toilets aren’t working, and things are starting to go missing—silverware, jewelry, and even a painting.

 

By the end of the month, the unvetted subcontractors that Bob brought to your home are knocking on your door daily trying to sell you things. Even worse, they’ve sold your address to others who are also calling on you with unrelated offers. It’s clear that Bob hasn’t done a great job vetting his subcontractors ….

2. BOB SULLIVAN: Welcome to Debugger, a podcast where we ask the big questions about technology. It’s brought to you by the Duke University’s Sanford School of Public Policy and the Keenan Institute for Ethics. I’m your host, Bob Sullivan. And we begin with that extended metaphor because today we’re going to talk about how web pages are built.  Sort of.
3. BOB : You’re not going to believe this but….most of the time you are visiting websites or firing up apps on your phone, you aren’t visiting the company the you *think* you are.  Really.  Imagine if you were at the mall, and you walked into a Macy’s to buy some shoes….but the second you stepped in, you weren’t *really* at Macy’s. You were really at Ace’s Gender Information Collection Company. And Bob’s Income Estimators Inc. And Charlie’s One Stop Shop for Likely Diabetics. Pretty soon I’m going to run out of the alphabet here.  There might be hundreds of others.

That’s what your life as a consumer is really like. Really.  Just one example: When you visit a site like CNN, you imagine you are getting information from CNN…FROM a bunch of computers sitting somewhere in the CNN center in Atlanta, or at least controlled by someone in the CNN Center in Atlanta.

4. BOB  : But when I visited CNN.com just now, I was really visiting….Outbrain. And Bounce Exchange. And Integral Ad Science. And Salesforce. And Onetag. And Sourcepoint. And appnexus. [speeding up] And the Rubicon Project. And Criteo. And Quantcast International. And Nati. And Axciom. And the Trade Desk.  And Sharethrough Inc.  And Oracle.  And Pubmatic Inc. And Mediamath. [Can barely make it out here] And RTL Group. And Openx software. And dyonomi. And Rhytmone. And Iponweb. And Openxsoftware. And Zeta Global.
5. BOB : And you thought you were just getting some headlines and checking on your stocks.
6. BOB : You might not have heard of any of these companies, but they sure have heard of you.  In fact every one of these companies knows you really well, maybe better than you know yourself, thanks to all these opportunities they get to learn about you.  But if you haven’t heard of them, don’t feel bad.  Most of the people who work for the brand-name websites you *think* you are visiting probably haven’t heard of them, either. Fully 90% — maybe more! — of the computer code that lands on your computer when you open up a website *isn’t* written by people at that website.  It comes from third party companies, like the ones I just listed. THAT…is how web pages are built. One strange company you’ve never heard of before at a time.

 

As you might imagine, that’s a big risk for the brand-name companies you *think* you are visiting, like CNN as it would be for that imaginary construction company at the beginning of this podcast. Chris Olson runs a company named The Media Trust, which tries to help companies deal with this third-party risk. That was him reading the opening metaphor about housing contractors. But in real life…real, virtual life…it’s his job to protect companies from getting in bed with the wrong sub-contractors.  And he’s … seen a lot of things. The world he works in is….amazing. Here, he tries to explain the morass to me

7. Bob: of the first things you said, which I think would surprise most listeners, is that you help digital companies maintain control of their websites, their digital assets. How did they lose control of them?

Chris: Great question.When you go you as a consumer, you visit a website or an app, what renders on your device, it’s not what you see that that is rendering on your device, but really the backend of that website, all of the source code. … The place where control all has been lost and it’s almost in its entirety, um, uh, for most companies, is that 20 years, 20%, roughly of all of the source code that rendered on you was third or fourth or fifth party.

The transition and where control has been lost is that that 20% of third fourth party is now 90 95 on news or information websites.

It’s often 98 or 99% of what actually renders on the consumer. The application security teams remain the same. Meaning, they still cover the owned and operated portion of the consumer’s device experience. Um, but that leaves roughly 90 to 95% open to thousands of third parties that are looking to gain access to the consumer.

So that, that idea of third-party code, is where the control has been lost and really where that battle, I think is, is, is really raging today.

Bob: Uh, this sounds crazy. 99% of the stuff that’s on a webpage. I look at when I go to look at a major news site is written by somebody else?

Chris: The source code.

8. BOB : So, let’s talk about what I think of as the third-party problem. Actually, on the Internet, you have a lot of third-party problems.  Third party code can be behind all kinds of malicious attacks — ransomware for example – and we’ll talk about those in future episodes. But today we’re going to talk about third-party tracking, just to illustrate the problem.  You think you are visiting CutePuppies.com, but you are really getting code from Secretive Data Collection Inc. on your computer.  You think you are buying from Groceries.com, but you are really telling BigPharma Inc. how likely it is that you are a diabetic.  You think you have a relationship with CNN, when you really have a relationship — a rather one-sided relationship — with Acxiom and all the rest. Every day, with every click, or every smartphone swipe, you are letting hundreds and hundreds of strange subcontractors into your life, into you digital home. And you have no idea who they are.
9. BOB : Of course, companies aren’t invading your space like this this for fun. They’re doing it for data.  The Web is awash in mysterious companies that sneak onto your laptops and smartphones, watching your every move.
10. BOB : At this point, you might be thinking, ‘the joke is on them.’ You’re just reading stories with headlines like “29 Optical Illusions to Kill Time” or “Dealing with cat depression.”  Who cares?  Well, these companies don’t just follow your click-trail around CNN. They follow you all over the web. Your next click, and your next, and your next, building an ever more detailed profile about you.
11. BOB : They do this by implementing a series of trackers. Not just cookies, which you might have heard of, but all kinds of hidden tracking tools. Browser fingerprints. 1×1 pixel images. MAC addresses.  All because the most essential element of all this data collection is that it can be tied back to you, specifically…your device, anyway.  The Electronic Frontier Foundation has called this a “One Way Mirror” and in a recent report, argued that trackers are hiding in nearly every corner of today’s Internet.  Placed there, like privacy land mines, by companies you’ve never heard of.  The only time you might become aware of their presence? When you get an ad that seems….just perfect for you.
12. BOB : Ever wonder why you get that ad for a power nap pillow (with pockets for your hands!) right as you’re about to nod off at your desk?  Jeff Orlowski, Director of The Social Dilemma has noticed this phenomenon.
13. JEFF ORLOWSKI: I’m no longer on Facebook. I stopped using it while making this film, but when I was on Facebook, I was a very, very heavy user of it. And I remember seeing countless cinematography tools being targeted.

Specifically to me, some that I actively bought and regretted purchasing some that were like terrible waste of money, but were effective at convincing me to buy them. Um, for me personally, the ads were effective. Um, there was a, there’s a skateboard thing that I saw that was like, it totally figured me out.

It knew that I was into adventurous sports. It was this one wheel, um, a skateboard platform. You could take it on trails, you could take it off road. It looked like a really fun thing. And then when they started showing me ads of using it as a cinematography platform, there were people in the ads like using it to get really awesome shots in places that you couldn’t get like it totally reverse engineered me and I freaking cracked.

Right. I bought the thing and I don’t use it ever anymore.

14. BOB : These ads appear thanks to a rapacious ecosystem fueled by thousands of companies and billions of dollars that relentlessly tracks you everywhere you go. At the visible part of this iceberg are companies like Google and Facebook, and the money they make from your data is…..incredible.  Google generates $183 billion in revenue annually — about $150 billion of that from advertising. That’s more money…just from showing ephemeral, digital ads, than General Motors generates from selling cars all over the world. And Facebook, well it’s annual revenue is $87 billion — nearly all of it, $84 billion is from ads.
15. BOB : But under the surface of this iceberg are thousands of third-party companies which are playing the same game. Tracking you.  Most of them would fit neatly under the broad descriptor of “data brokers.” And the obvious problem is that if you’ve never heard of them, you have no way of knowing what they know about you.  Whether it’s right or wrong, whether it’s hurting your ability to rent a home, or get a job, or even get a fair price.
16. JEFF O: And once again, it’s not the ads themselves that are the problem. It’s everything that incentivizes them, leads up to the need to show you that ad at that moment in time, you know, every time you do a search on Google, An auction is being run on you. There are 40,000 Google searches that happen every second.

So there are 40,000 auctions of human interaction happening every single second on Google. And the question is like, who’s willing to spend the most money to put something in front of your eyes right now, in that particular case, like those cinematography, platforms were the thing that, that people were spending money to get in front of me.

And that could be something used very innocently and innocuously to sell a product to me, or it could be something that is very maliciously being used to put a political ideology in front of me. Like it’s the same tools that do that same work. Um, and so it becomes an incredibly slippery slope.

17. BOB : 40,000 Google searches a second….all generating ads hand-picked….or AI picked…for you.  It sounds almost nonsensical, that there is a place in the world where the billions of pieces of information known and stored about us is married to the billions of dollars chasing out attention…wll, there isn’t a place exactly, but there is a process. It’s called RTB, or real time bidding.  Estimates are that a billion times a day — a billion times a day! — all this data and all those dollars are throw into a virtual trading floor and out comes …a lot of personalized ads.  As Privacy International puts it, ” If you’re reading an article about erectile dysfunction, depression or self-harm, chances are high, that this will be broadcast to thousands of companies. If you’re booking a table at a restaurant, purchased an item at an online retailer, searched for a flight, or read the news, this will also likely be shared with ad exchanges.”  Your most intimate information, shared thousands of times per second, without thousands of companies, all in an effort to sell you a desk nap pillow.
18. BOB : Underneath all this is advertising technology — AdTech — that makes order out of this chaos.  There’s DSPs and SSPs and DMPs and CMPs….and…suffice to say that people who want to place ads use DSP software — demand side platforms — to bid on people and places they want to put ads, while publishers use SSPs — supply side platforms — to hawk their available ad inventory.  Each platform might talk to thousands of brands and websites, constantly, marrying desk nap pillows with tired, high income office workers.

And for this we let them know every click we make and every app we open?

19. CHRIS: I would say that maybe the easiest way for a consumer to just kind of come to the final answer. Is that we are at a stage now where every single individual’s experience on the world wide web is different than every other individuals. Every experience you have is tailored to you. Everywhere wants to know you and everywhere wants to bring you back to something, whether it’s convincing you of an idea, um, having you buy other products and services making you stay there. So you click, click, click and drive more ad impressions, maybe a purely economic reason. Uh, that is the predominance of source code that is executing on everyone’s devices.

And right now society is looking at this saying all of those terrible companies are doing these, you know, these [00:44:00] things. Well, it’s happening under all of our noses on our stuff. Right. I think those companies are geared toward delivering what we’re asking them to give. Um, and it’s just now that, that people are really sort of starting to say, no, wait, what, what’s the bigger impact of this.

20. BOB :  What’s the bigger impact of this? It’s incredible, the amount of companies inlved in delivering this…”experience” … to you.
21. CHRIS: So essentially the ecosystem, um, has access to your device. And it’s bringing you things that make it money or that they think are interesting to you, basically, whatever it perceives to be the ideal experience, um, in context of dollars that they can make. Um, and at the same time, it’s learning all about you. So that happens when things like data management platforms run. Um, if you look at a large ad supported website, You may have 15 different data management platforms rendering on one page view because it’s not just the websites DMP that’s arriving. It’s the DMP of each of the advertiser or the mechanism that brings the advertiser, the targeting mechanism, whatever that might be.

So lots of different data transactions are occurring. This is how the digital ecosystem learns about you. From there as you start to move different parts of that ecosystem have access to your behavior on the actual site. If you click on shoes, maybe only the website itself has access to know that you like shoes, maybe third parties know that you like shoes, right?

So that is one of the places where, um, the website owner or operators should know who’s on the site. What are they allowed to access? Why are they here? Right. So it’s in their best interest to have this, by the way, not just your best interest. I think from there, as you move through a purchase funnel on a retail site, all sorts of other, um, executions that are occurring as you run through, um, to the page, I would, I’d say that that’s very, um, important, um, is that most companies today that are on.

The digital ecosystem, meaning they have a website or an app, um, for all intents and purposes, our media companies, they just haven’t admitted it yet, or they haven’t figured it out yet. So if you’re a retail company, just like an ad supported newspaper right or a new site, or a social media platform, a significant part of your job and a major part of what executes on the consumer is you acting like a media company….more or less in real time

22. BOB :  One thing I think about a lot….despite all this technology, billions of dollars changing hands…I still often get what I call the worst ads ever designed in the history of advertising.  When I search online for a new drum kit, and then buy, I am then stalked by ads for that very drum kit…the one I just bought…for weeks, or longer.  What’s worse than an ad for something I just bought!!! I have a friend who recently posted that her dad had died more than 10 years ago, but still, she gets pummeled with ads for Father’s Day every year. You’d think this system which delivers personalized ads for everything, all the time….wouldn’t get things so wrong.

 

I asked Jason Kint about this. He’s the CEO of Digital Content Next, a trade group that adcates for content companies. He’s also a frequent critic of Facebook and Google

23. Bob: I mean, it’d be one thing if it was very, very effective, you know, maybe you could talk me into surrendering my privacy for that. But if people are just collecting all this data about me and storing it somewhere where it’s eventually gonna do no good it’ll be hacked or something. I mean, well, the ads I get still stink, that seems like a really bad bargain.

Jason Kint: It is a bad bargain. And I think it’s why you’re seeing both from policy changes. Yeah. And technology changes a shift towards what’s often called first-party data, but a shift towards data that’s being collected in the context of what the user’s trying to do at the moment, the site that they’re visiting the app that they’re using and that data being allowed as part of the experience.

24. Bob: Billions of dollars is being spent tracking me. And yet I still get really stupid ads. So what’s the explanation for that?

Jason Kint: I mean, it is one of the fallacies, I think, you know, in some way we have a whole generational change that has defined relevance based on, you know, based on the individual that’s being targeted and whether or not they’re going to click on the ad or respond to it in that moment in time.

Rather than, you know, we have centuries of research on, on advertising and, and relevancy is much broader than that. It can be done based on the context of the, the entertainment or the news you’re looking at. Right. Um, or it can be done on, you know, on the context of where your state of mind is at that moment.

And, you know, just trying to create some desire, deman for the advertisers product that may be actionable down the road. And so. This idea that, that we need this kind of third-party data from tracking in order to be relevant as is. I think it’s false. And I think the faster we get past that it actually will probably be good for the advertisers to, um, who have kind of moved down this stream of using digital advertising almost entirely for kind of performance-based media direct response.

The equivalent of junk mail in our mailbox rather than really shaping minds and creating desire for products. Like they, you know, they do on a lot of other means.

 

BOB: Okay. I have not heard someone say that before, and I think it’s quite brilliant. What we’re looking at is digital junk mail all the time.

 

Jason Kint: Yeah. It’s a lot of it is now. Within the video space, you know, there’s, there’s advertising that resembles almost the commercials on television that, that do make us stop and think and do create, you know, that that relationship or consideration of a brand that are more are more, um, than I think that equivalent to junk mail, but, but a lot of the impressions on the internet are entirely focused on getting somebody to convert…that’s where creative is lost

25. BOB:  Great!  We’ve spent perhaps trillions of dollars building the world’s most powerful data collection system, the universe’s best tool for slinging fake news around the world…all so we can fill our every waking second with digital junk mail from thousands of companies we’ve never heard of.  Human achievement unlocked!!!

 

But, there is hope. I’ve already said I think a lot of this problems stems from the third-party nature of these relationships. After all, if BigNews.com did something that pissed you off, you could just go to SecondBiggestNews.com’s website.  That’s capitalism. But if the real culprit is Spooky Data Broker Inc….and Spooky Data Broker Inc gets information from every news website…what is a consumer supposed to do?  That’s the difference between a first party and a third party relationship. But lately…there’s been a shift in the winds thanks to projects underway at Apple and Google.  They are both taking measures to insulate users from third party companies – Apple, by requiring that apps like Facebook now get explicit opt-in from users for some kinds of tracking… And Google with its program called Privacy Sandbox, which theoretically will prevent third-party cookies from stalking Chrome users.  Now, these projects are by no means perfect…people are rightly worried they will entrench Big Tech companies and give them even more power… but, at least they are getting people talking about the third-party problem, and that’s great.

26. BOB : But I don’t think it’s a great idea to rely on the largesse of two or three large tech companies to fix this problem.  If we want to get all these anonymous subcontractors swinging hammers out of our homes…I think we’re going to have to call the cops. We’re going to need a federal law, with teeth, that lets people take back control of who gets in their living rooms, and their hearts and minds. Here’s Duke University professor Jolynn Dellinger – we’ve heard from her a couple of times on Debugger
27. Jolynn: I will say I’d like to underscore that we do have a system that in my view has been tilted in far of business. And companies for the past 20, some years, this notice and consent, each company basically makes its own decision about how it’s going to treat data and maybe, or maybe not gives you the option to opt out.

And I feel that’s one way to look at it. We’ve done that. We’ve tried that out now in my view with not great consequences. And so what about the idea of opt-in. What about if a company’s out there and they have a great idea and a million reasons why you should use their service or their product persuade us of that.

And then we’ll opt in and we’ll say, Oh, that sounds fun. I like to use that service. I think it’s possible [00:39:00] that the internet won’t break. I think it’s possible that we won’t lose all innovators and technologists. I think maybe we will even find, I mean, there was a recent great article about. Uh, a company like the BBC, I think it’s called the NPO and another one’s that’s gotten rid of behavioral advertising.

It’s gone back to contextual advertising and their revenues went up. Right. And maybe that will happen. Um, maybe there are other ways there are other business models. There are other things that we could do that more accurately reflect. Our values as people. And that’s what I guess I just want to keep coming back to is all of this is choice.

Our legislation is choice. Our actions are choice, and we want to get back to a point where citizens are making choices and the more I’m surveilled and the more my data is [00:40:00] collected and used in ways. I don’t understand the less choice and the less agency I have. And that’s what we have to rely on.

Keeping this stuff …human.

 

28. BOB : But before we go too far down the  ‘how do we fix this road,’ I think it’s worth spending some time better understanding how we got to this crazy situation in the first place. You know me, I love history lessons. So we’re going to dive into what I think might be the craziest history lesson of all, a story about where all these thousands of anonymous data collection companies come from.  We’re going to dive into the history of data brokers. It’s a dark, secretive tale.  I mean, what else would the history of data brokers be? That’s our next special feature, on Debugger. (And then, after that, we’ll talk about the risk to national security that data brokers pose….)