Pete Recommends Weekly highlights on cyber security issues, January 22, 2022

Subject: ID verification, analytics can help agencies fight fraud
Source: GCN
https://gcn.com/cybersecurity/2022/01/id-verification-analytics-can-help-agencies-fight-fraud/360777/

Combining an automated verification system and data analytics for prevention and detection helps create a powerful tool for government IT professionals facing a flood of fraud.

That said, it should come as no surprise that COVID-19 created an environment especially ripe for fraudulent activity. When the pandemic hit in early 2020, government unemployment offices were flooded with both legitimate requests as well as hits from scammers looking to take advantage of the system and the chaos caused by the flood of claims.

Access to new technology like bots and artificial intelligence has given criminals, both those acting individually and larger organized crime syndicates, the power to submit fraudulent benefit applications on a tremendous scale.

First, fraudsters either buy stolen IDs, many of which are purchased from the dark web or create synthetic (or “Frankenstein”) IDs by combining various bits of identity data from different sources. Then, they employ bots to completely inundate government systems and slip in fraudulent applications, which often go unnoticed among the flood of legitimate ones.

Automated identity verification

With nearly 30% of the fraudulent UI claims in larger states based on stolen Social Security numbers, it’s much more difficult for government agencies to catch anomalies. Implementing an automated identity verification (AIV) system can be a lifesaver for agency IT teams that are understaffed and overworked for several reasons:

Data analytics for fraud detection and prevention

Banks, hospitals, educational institutions and manufacturing firms have been using data analytics, artificial intelligence and machine learning to aid in fraud detection in for several years now. Both internal IT and outside contractors have found it to be a valuable analytical tool for detecting fraud, monitoring transactions and ensuring compliance for both employees and clients.

Filed: https://gcn.com/cybersecurity/?oref=gcn-nav


Subject: The ‘Brussels Effect’ of the EU’s ‘AI Act’ on Data Privacy Outside Europe
Source: UNSW Law Research via beSpacific
https://www.bespacific.com/the-brussels-effect-of-the-eus-ai-act-on-data-privacy-outside-europe/

Greenleaf, Graham, The ‘Brussels Effect’ of the EU’s ‘AI Act’ on Data Privacy Outside Europe (June 7, 2021). (2021) 171 Privacy Laws & Business International Report 1, 3-7, UNSW Law Research, Available at SSRN: https://ssrn.com/abstract=3898904“The European Commission’s publication of a proposal for a Regulation on Artificial Intelligence (also described as an ‘AI Act’) is likely to become a pivotal moment in the global regulation of artificial intelligence, but it will also have major global implications for privacy and data protection. Many businesses located outside Europe are keeping a wary eye on the GDPR because of the risks that its extra-territorial application might apply to them, or because …


Subject: EPIC Urges Postal Service to Reverse Plans to Expand Law Enforcement Access to Customer Data
Source: EPIC via beSpacific
https://www.bespacific.com/epic-urges-postal-service-to-reverse-plans-to-expand-law-enforcement-access-to-customer-data/

“In comments to the U.S. Postal Inspection Service (USPIS), EPIC urged the agency to reverse a system of records expansion that would pull data from U.S. Postal Service customers for use by the law enforcement wing of the Postal Service. The proposed modification would give the USPIS access to information used for package tracking and other services, including customers’ home addresses, IP-addresses, phone numbers, and emails. USPIS staff could use this data for “link analysis” and other surveillance activities. EPIC’s comments highlighted the conflicts of interest inherent in housing a law enforcement agency within a government corporation offering basic services to the public. EPIC also noted the agency’s troubled history of persecuting the LGBTQ community and more recent abusive surveillance practices to illustrate the threats to Postal Service customers from expanded data collection. These comments build upon recent filings in EPIC’s case to enforce the E-Government Act against the Inspection Service, EPIC v. USPS. In that case, EPIC is challenging a secret surveillance program run out of the Postal Inspection Service. In recent years, agents from the Internet Covert Operations Program (iCOP) have used facial recognition, social media monitoring tools, and other advanced surveillance technologies to infiltrate online communities and monitor protests. The USPIS used these tools without undertaking a privacy impact assessment, as required by the E-Government Act of 2002.”

Subject: IRS Will Soon Require Selfies for Online Access
Sources: Krebs on Security
https://krebsonsecurity.com/2022/01/irs-will-soon-require-selfies-for-online-access/

If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.


Subject: Ransomware and phishing: Google Drive will now warn you about suspicious files of bills and identity documents, as well as a live video feed of their faces via a mobile device.
Source: ZDNet
https://www.zdnet.com/article/ransomware-and-phishing-google-drive-will-now-warn-you-about-suspicious-files/

Users of the Google Drive file and syncing app will now start to see warning banners if they open a potentially dodgy file.The new alerts are rolling out to Workspace Google Drive users globally today and aim to help protect users and their organizations from malware, phishing and ransomware. The alerts are displayed in a yellow banner at the top of the page after a user has clicked on a link, but before the file is downloaded. The warning states that the file looks suspicious and “might be used to steal your personal information”.


Subject: How to avoid seeing yourself on video calls. Sometimes you can’t turn your camera off but you still want to stay out of view.
Sources: Popular Science
https://www.popsci.com/diy/remove-own-video-from-video-call/

If you would rather square off against 100,000 hungry Everglades mosquitoes on their home turf than see your own face on video, a “cameras must be on” mandate is enough to get you buzzing with anxiety. Sure, some people love to stare directly into their own eyes while someone else talks, but that’s not you.

Thankfully, most major video calling platforms offer the ability to remove your own video feed from view, while keeping it visible to all others on the call. And some, like Microsoft Teams, plan to add it soon.


Subject: Bill to Ban Surveillance Advertising Introduced
Source: EPIC.org
https://epic.org/bill-to-ban-surveillance-advertising-introduced/

[January 18, 2022] Congresswomen Anna G. Eshoo (D-CA) and Jan Schakowsky (D-IL) and Senator Cory Booker (D-NJ) introduced the Banning Surveillance Advertising Act, legislation that prohibits advertising networks and facilitators from using personal data to target advertisements, with the exception of broad location targeting to a recognized place, such as a municipality. “The time to disrupt corporate surveillance has come,” said EPIC Deputy Director Caitriona Fitzgerald. “Targeted advertising isn’t just creepy, it can have significant impacts on marginalized communities. Individuals in these communities can be targeted with scams and disinformation, or prevented from seeing information about housing and job openings, depriving them of important life opportunities. The Banning Surveillance Advertising Act will stop these discriminatory practices and will block advertisers and data brokers from commodifying every tiny bit of our personal data. EPIC is proud to support this bill.”


Subject: What You Need to Know About the Cybersecurity Risks In the Ukraine Conflict
Source: Gizmodo
https://gizmodo.com/what-you-need-to-know-about-the-cybersecurity-risks-in-1848399011

In case you haven’t heard, Ukraine is in trouble: a spat between Russian and NATO-allied forces involving the country has spurred a territorial dispute with major implications for everybody involved.

People are saying this could mean war. The political crisis has spurred a Russian troop build-up of 100,000 soldiers at the Ukrainian border—leading to the interpretation by multiple U.S. officials that Putin’s government may have imminent plans to invade the neighboring country. America, meanwhile, has threatened to deepen its involvement if the situation deteriorates.

Amidst all this turmoil, one might be tempted to see cyber operations as something of an afterthought but, actually, digital incursions are turning out to be a critical part of the political conflict. In fact, such activities could prove to be a flashpoint that tips the action in one direction or another—for better or worse. We’ll give you a short run-down on what’s happening in that space, why the cyber situation has the potential to get ugly, and what that could mean for the stability of the situation overall.

Posted in: AI, Congress, Cybercrime, Cybersecurity, Government Resources, Legal Research, Legislative, Privacy