Pete Recommends – Weekly highlights on cyber security issues, May 21, 2022

Subject: Why Twitter May Be Doomed
Source: The RISKS Digest Volume 33 Issue 20

Why Twitter May Be Doomed – Lauren Weinstein <[email protected]> on, 9 May 2022 14:56:01 -0700

If a Musk “new regime” ruling @Twitter permits all speech that “is legal” — Twitter is doomed. Because the parade of legal (in the U.S.) hate speech that will flood the platform will drive away most advertisers, brands, and support services that Twitter needs to operate.

Subject: Hackers are Hijacking Phone Numbers to Empty Crypto Accounts

Aggrieved investors are suing their telecoms providers after falling victim to scammers using SIM-Swapping techniques.

Small-scale crypto investors are being increasingly targeted by hackers, according to one report published this week.

Cybercriminals are performing a fraudulent practice called SIM-swapping – within which a person’s phone number is switched to a new device. Several telecoms carriers are now embroiled in lawsuits brought by victims who feel they were not sufficiently protected.

Shielding yourself from SIM-Swapping involves limiting the personal information you put on social media and using tech like password managers and authenticator apps. [such as a time-based pseudo random number [ed.]

Crypto-Thieves Move on to Smaller Fish

Reporting in The Wall Street Journal details how one individual who invested their life savings in Bitcoin had their accounts emptied overnight, losing $80,000 or more in cryptocurrency value.

Small-time investors have been affected by these large-scale attacks in the past – but now, it seems cybercriminals are cutting out the middle man and going straight for the investors themselves via sim-swapping scams.

What is SIM-Swapping

SIM-swapping is an increasingly common way to subsume control of someone’s mobile number. This initially involves some social engineering on behalf of the hacker in question, as they will have to ‘verify’ who they are, duping the telephone carrier into thinking they are in fact their victim.

Legal Battles and FCC Action

Aggrieved investors have already opened legal proceedings against various phone carriers, which The Wall Street Journal says has already caused some providers to modify their security provisions.

Subject: In Romance Scams, a New Technique Emerges
Source: Bloomber via Newser

(Newser) – You know from the get-go you’re in for an interesting read: “It’s a tale as old as Tinder: Girl meets Boy. Boy convinces Girl to hand over a large chunk of cash. Boy ghosts Girl.” That’s how David Voreacos and Francesco Maglione begin their tale at Bloomberg of an online romance scam that cost one woman a staggering $8 million. And while romance scams are nothing new these days—the FBI says they cost victims a collective $956 million in 2021, up 60% from the previous year—the story introduces what for many will be a new phrase in the lexicon of such schemes: “pig butchering.” It refers to scammers’ technique of fattening up a victim’s bank account before draining it, the better to earn their confidence. This particular story involves 25-year-old Divya Gadasalli of Texas, whose father’s death in 2015 left the family flush with cash.

It soon became clear the trading platform she was using was bogus, as was Bulasa, whom she never met in person.

Subject: How Often Do Ads Share Your Data Every Day? Hundreds of Times
Source: Gizmodo

Advertisers—and shady ad middlemen—are paying to violate your privacy hundreds of times every day you’re online.How many times do you think your privacy gets violated every day you spend surfing the web? Maybe once? Twice? A few dozen times? It turns out that daily number is in the hundreds, according to a new report from the Irish Council for Civil Liberties (ICCL). On average, a European user’s data is shared with advertising and adtech middlemen 376 times per day—and for Americans, it’s double that: 747 times daily, the report reads.

That’s how often people online across the world are exposed to a little-known process called “real-time bidding,” or RTB, the ICCL says, citing figures from a “confidential” source. RTB is the process that advertisers use to place bids on advertising slots on a page, auction style. Every time you load up a webpage, there’s a span of about 200 milliseconds where the webpage shares data about you and your browser. Then advertisers offer a dollar amount to target their ads towards that bundle of data. The highest bidder takes the slot, and their ad appears to you. RTB happens on your desktop, in your mobile browser, inside apps, or really anywhere ads are found.

Filed: Privacy and Security

Subject: Feds Warn: Don’t Accidentally Hire a North Korean Hacker
Source: Gizmodo

A new advisory from three U.S. federal agencies is warning businesses of North Korean hackers pretending to be your friendly neighborhood IT professional looking for contract work. Imagine Tinker Tailor Soldier Spy but instead everyone’s on the internet, and suddenly it doesn’t seem like an international spy thriller and more like the all-too common story of people getting catfished by data-thirsty keyboard warriors.Reuters first reported on a new document released Monday by the U.S. Treasury and State Department along with the FBI. It advises public businesses of the potential threat of the Democratic People’s Republic of Korea corps of fake IT workers who pose as non-North Korean nationals looking for long-distance work.

Filed: TechNews

Subject: Your Bosses Could Have a File on You, and They May Misinterpret It
Source: New York Times

The New York Times: “Are you an “insider threat?” The company [or federal government employer] you work for may want to know. Some corporate employers fear that employees could leak information, allow access to confidential files, contact clients inappropriately or, in the extreme, bring a gun to the office. To address these fears, some companies subject employees to semi-automated, near-constant assessments of perceived trustworthiness, at times using behavioral science tools like psychology …

Subject: The Right to Contest AI
Source: Columbia Law Review

Kaminski, Margot E. and Urban, Jennifer M., The Right to Contest AI PDF 92 pages (November 16, 2021). Columbia Law Review, Vol. 121, No. 7, 2021, U of Colorado Law Legal Studies Research Paper No. 21-30, Available at SSRN:

Artificial intelligence (AI) is increasingly used to make important decisions, from university admissions selections to loan determinations to the distribution of COVID-19 vaccines. These uses of AI raise a host of concerns about discrimination, accuracy, fairness, and accountability.

In the United States, recent proposals for regulating AI focus largely on ex ante and systemic governance. This Article argues instead—or really, in addition—for an individual right to contest AI decisions, modeled on due process but adapted for the digital age. The European Union, in fact, recognizes such a right, and a growing number of institutions around the world now call for its establishment. This Article argues that despite considerable differences between the United States and other countries,establishing the right to contest AI decisions here would be in keeping with a long tradition of due process theory.

This Article then fills a gap in the literature, establishing a theoretical scaffolding for discussing what a right to contest should look like in practice. This Article establishes four contestation archetypes that should serve as the bases of discussions of contestation both for the right to contest AI and in other policy contexts. The contestation archetypes vary along two axes: from contestation rules to standards and from emphasizing procedure to establishing substantive rights. This Article then discusses four processes that illustrate these archetypes in practice, including the first in depth consideration of the GDPR’s right to contestation for a U.S. audience. Finally, this Article integrates findings from these investigations to develop normative and practical guidance for establishing a right to contest AI.

Keywords: AI, algorithms, algorithmic accountability, due process, privacy, big data

Subject: Threat actors compromising US business online checkout pages to steal credit card information
Source: TechRepublic

A threat actor has successfully compromised and modified a US business website’s checkout page in order to collect all the credit card data from unsuspecting customers. Read more about how to protect from this threat.A new FLASH report [7-page PDF] from the FBI warns about cyber actors scraping credit card data from compromised online checkout pages from US businesses.

Posted in: AI, Criminal Law, Cybercrime, Cybersecurity, Economy, Financial System, KM, Privacy, Social Media, Technology Trends