Tech News : No More Passwords For Microsoft Logins

In a bold step, Microsoft has announced that it is getting rid of all password logins, and that users will have to use an authenticator app or other solution instead.

Vision

Back in 2019, Microsoft announced that 100 million people were already using Microsoft’s passwordless sign-in (Ignite) each month, and in December 2020, Microsoft announced that 2020 had been “a banner year for passwordless technology” and laid out its vision for a passwordless future. This latest announcement, therefore, marks a major step towards the company making its vision a reality.

The Trouble With Passwords

Microsoft is not the only company wanting to escape from the many negative aspects of relying on password-based logins. Some of the key challenges with passwords are:

– They are a target for attacks. For example, one in every 250 corporate accounts is compromised each month, and 579 password attacks every second (18 billion every year).

– They’re inconvenient and difficult to manage across multiple accounts. For example, users are expected to create complex and unique passwords, remember them, and change them frequently. Also, 20 to 50 per cent of all help desk calls are for password resets (Gartner).

– They’re open to human error. People often choose passwords that are too simple (and very easy to remember), which makes them more vulnerable to being cracked. Also, password sharing (using the same password for multiple websites/platforms) increases the risk.

“The Passwordless Future is Here”

Microsoft has, therefore, announced that in line with its vision of the passwordless future, with immediate effect (and the rollout time over the coming weeks) its users can completely remove the need to use a password for their Microsoft accounts. Microsoft says that instead of a password-based login, users can now choose to use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to the user’s phone or email to sign in to Microsoft’s apps and services including Outlook, OneDrive, Microsoft Family Safety, and more. Microsoft says that those who have two-factor authentication will need to have access to two different recovery methods.

Like Microsoft’s In-House Passwordless System

Microsoft says that almost 100 per cent of its employees already use the new, more secure system for their corporate account and when passwordless login is enabled, users re-logging in to a Microsoft accounts are asked to give their fingerprint, or other secure unlock, on their mobile phone.

What Does This Mean For Your Business?

Businesses need to make sure that their IT systems are secure and compliant. Also, businesses need to be sure that users, perhaps in different locations (remote or hybrid working), can access their accounts (convenience) and maintain the company’s security at the same time. This bold move by Microsoft seems to tick these boxes and can be a way to help businesses to stay one good step away from cybercriminals who have already found many ways to beat password-based systems. Passorwordless and biometric systems have been highlighted, for a few years now, as the way forward, and Microsoft has now taken the first big step towards this.

Tech News : Apple Issues Patch To Stop iPhone ‘Zero-Click’ Spyware

Apple has issued a security update following the discovery of a zero-day, zero-click “spyware” that could infect iPhones and iPads.

Discovered By Researchers

The threat was discovered by independent researchers from the University of Toronto’s Citizen Lab while they were analysing the phone of a Saudi activist infected with NSO Group’s Pegasus spyware.

What Is It?

The Citizen Lab has described the threat as a zero-day (unknown, or known but with no patch yet), zero-click “spyware”. This is spying malware that doesn’t need users to click on a link or file to launch it. The Citizen Lab, which has identified the threat as being “in the wild” (already in circulation), says that a “maliciously crafted” PDF file could lead to arbitrary code execution. The threat uses malicious Adobe PDF files disguised to look like GIF (files with the “.gif” extension). The exploit has been dubbed “FORCEDENTRY” and, is believed to target Apple’s image rendering library, and works by exploiting an integer overflow vulnerability in Apple’s image rendering library (CoreGraphics).

iOS, MacOS, and WatchOS Devices At Risk

The researchers found the threat to be effective against Apple iOS, MacOS, and WatchOS devices, and that it has been used by a mercenary spyware company called “NSO Group” to remotely exploit and infect the latest Apple devices with the Pegasus spyware.

Patch Issued In Response

After The Citizen Lab passed the details of its findings to Apple, the tech giant released a patch/security update. Apple issued iOS 14.8 and iPadOS 14.8 patches for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). Apple says that it is “aware of a report that this issue may have been actively exploited”.

Bad Timing

The news of the discovery of the exploit, which may have been in use since at least February this year, came at a bad time for Apple as the company prepared to unveil its new devices, including its new iPhones and updates to its AirPods and Apple Watch, at its annual launch event (Tuesday).

What Does This Mean For Your Business?

The Citizen Lab researchers have blamed the Israel-based NSO Group for selling technology that is being used as “despotism-as-a-service” by unaccountable government security agencies. Even though this is a real threat to iPhones, iPads, and Apple watches, security commentators say that the vast majority of iPhone owners don’t need to be too concerned because this type of attack is usually highly targeted. Nevertheless, the discovery has come at an unfortunate moment for Apple which has been busy trying to promote the benefits of its new products while competitors like Microsoft have announced the launch of a new, secure, passwordless login system.

Google Accused of ‘Stealing’ Android Data

Google is being sued for (allegedly) secretly using Android users’ cellular data allowances without user consent, to perform “passive” information transfers.

Passive Information Transfers

The lawsuit was filed by Taylor et al v. Google in a US federal district court in San Jose.  The group of Plaintiffs have filed a Class Action Complaint against Google which alleges that those who own Android mobile devices are having their costly cellular data plans used (secretly) by Google to enable its own surveillance activities.  The complainants say that Android user data plans are therefore the subject of “passive” information transfers which are not initiated by any action of the user and are performed without their knowledge and that these information transfers deprive users of data for which they, not Google, have paid.

Designed That way?

It is also alleged this secret transfer of users’ data allowances can happen when a user is within Wi-Fi range to avoid consuming cellular data allowances but that Google may have designed and coded its Android operating system and Google applications to indiscriminately take advantage of data allowances and passively transfer information at any time of the day, and even when Google apps have been put to the background, the programs have been closed completely, or location-sharing has been disabled.

Didn’t Sign Up To It?

The complainants are also arguing that they didn’t consent to the transfers and what amounts to subsidising of Google’s surveillance, and were given no warning or option to disable the transfers.  It is alleged that although users sign up to Terms of Service, the Privacy Policy, the Managed Google Play Agreement, and the Google Play Terms of Service, none of these documents explicitly disclose that Google spends users’ cellular data allowances for background transfers.

Android Lockbox

One explanation may be the Android Lockbox project, whereby Google collects Android user data to use within Google.  This has been in operation since 2013 and this project is understood to be a way for Google to collect information through its Mobile Services, apps and APIs, Chrome, Drive and Maps (pre-installed with Android) with a view to tracking usage of its own apps and to compare those apps with third-party and rival apps.

What Does This Mean For Your Business?

The matter is the subject of unproven allegations and a legal case and, as such, there is no official conclusion but based purely on the details in the complaint it does seem that it would unfair for customers to have paid for a certain quantity of data which may not only be technically unavailable when they need it due to background data transfers for Google’s own ends, but that there appears to have been no real consent or no way to stop it.  Some may say that Google appears to have ‘form’ in this area.  For example. Back in May, Google was the subject of a lawsuit by filed over allegations that Google illegally tracked Android users’ location without their consent and that this still happened when location tracking features had been manually disabled. It appears, therefore, that while big tech companies argue that data and information may be legitimately needed to improve services, users are increasingly conscious that there are ongoing issues concerning transparency, privacy and more that need to be monitored and questioned where necessary.

Featured Article – Data Breaches: The Fallout

In this article, we look not just at data breaches but also at the impact of data breaches on business and organisations.

Data Breaches

A personal data breach, as defined by the UK’s data watchdog and regulator, The Information Commissioner’s Office (ICO), is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” This definition highlights, therefore, that a breach could be accidental or deliberate, and could be more than just about losing personal data.  For example, data breaches could occur through third-party access, accidentally sending data to the wrong recipient, devices being lost or stolen, altering data without permission or losing the availability of personal data.

GDPR

As UK businesses should know, GDPR (the regulations of which will soon be brought into UK law, post-Brexit) alongside The Data Protection Act 2018 (DPA 2018), covers how companies and organisations collect and handle data. The ICO is the body in charge of enforcing these data regulations.

Under the current law, companies and organisations must notify the ICO of a breach within 72 hours of becoming aware of it, even if all the details are not available yet.

Data Breach Consequences For Businesses

There are many different consequences of a data breach for businesses, not all of which are legal. Examples of the effects that a data breach can have include:

– Loss of customer trust, leading to …

– Loss of customers and, therefore, a loss of income from those customers, and a gift to competitors (strengthening of competitors) as customers jump ship. One well-known example is the TalkTalk data breach back in 2015 where the hack of 155,000+ customer records resulted in the loss of 100,000+ customers within months. 

– Fines. For example, the ICO gave British Airways the biggest ever fine (to date) under GDPR at £183 million for a data breach where the personal details of 500,000 customers were accessed by hackers. In addition to the British Airways fines, other big company fine decisions arrived at by the ICO just in the second half of this year alone for data breaches include Ticketmaster UK Limited on 13 November 2020,  £1.25 million for failing to protect customers’ payment details, and Marriott International Inc on 30 October 2020, fined £18.4million for failing to keep millions of customers’ personal data secure.  GDPR sets a maximum fine of €20 million (£18 million) or 4% of annual global turnover (whichever is greater) for the most serious data breaches, although infringements don’t always result in fines.

– Loss of revenue. A big loss of customers means a big loss of revenue; the knock-on effects of which can be cuts and a loss of jobs.  In TalkTalk’s case, the initial financial hit was £15 million with exceptional costs of £40 to £45 million.

– Other (perhaps unconnected) areas of the business under the same brand being tarred with the same brush.

– Lost potential of future customers.

– Loss of upsell opportunities for other services.

– Falling share prices.

– Damage to reputation. For example, a CISO Benchmark Report (2020) showed that the number of organisations that reported reputational damage from data breaches has risen from 26 per cent to 33 per cent in the past three years. Taking Facebook’s Cambridge Analytica data-sharing scandal as an example, a survey by The Manifest (2019) showed that 44 per cent of social media users surveyed said that their view of Facebook had become more negative after Cambridge Analytica. Getting a bad reputation can now be exacerbated by the speed of communications, naming and shaming online (often on multiple websites) and the fact that bad news can hang around for a long time on the Internet and can be extremely difficult to remove, hide, or distract from.  Re-building reputation and trust can be a long and expensive process.

– Facing difficult questions, often in a very public setting e.g. Facebook questioned by the U.S. Congress, or a grilling by shareholders, and other business stakeholders.

– Costly disruption and downtime. Data breaches can bring the business to a standstill, and companies without business continuity or disaster recovery plans can suffer more serious financial and other consequences or could go out of business altogether (see below).

– The business being forced to close.  For example, a 2019 survey, commissioned by the National Cyber Security Alliance (U.S.) and conducted by Zogby Analytics found that 10 per cent of small businesses that suffered a data breach closed down and 25 per cent filed for bankruptcy.

– Lawsuits.  Carrying on with the example of Facebook’s Cambridge Analytica scandal, following a £500,000 ICO fine for data breaches, the social media giant was hit with a £266 billion lawsuit by the Australian Information Commissioner. There is also the possibility that in the event of a data breach, companies may incur huge costs by having to pay compensation to victims.

Damage to the supply chain. A loss of customers and bad publicity that hangs around for a long time can inflict damage to other businesses in the supply chain.  This, in turn, could lead to loss of alliances and synergies that helped create a product’s/service’s differentiation of source of competitive advantage.

– Loss of supplier trust. Many suppliers now prefer to do business with companies that are GDPR compliant as a way of helping to maintain their own compliance.  A serious data breach could not only damage or destroy current supplier relationships but could result in word getting around within the industry, thereby scuppering future value-adding relationships with some suppliers.

End-User Victims

Although the main focus of this article is the effects on businesses of data breaches, it should not be forgotten that end-users who have had their personal details stolen, lost, or compromised are also victims.  It should be remembered that many end-users still indulge in password sharing (using the same password for several websites and platforms) and using generally weak passwords. This can amplify the effects of one data breach through one company as their personal details are sold and shared among other cybercriminals who may use credential stuffing to access other websites for the same user.  Examples of the consequences that end-user data-breach victims can face include:

– Theft of bank details, money, and other personal details.

– Having to change multiple passwords and enact credit freezes.

– Fraud and extortion.

– Identity theft and complications resulting from this.

Biometric Data Breach

As the use of biometric data for verification is now gaining in popularity due its security advantages over passwords, the big problem with a breach of biometric data e.g. faces and fingerprints are that, unlike passwords and PINs, it can’t be changed.  This means that unless there are multiple forms of verification in a system, stolen biometric data could continue to be damaging for an end-users far into the future and could cause problems for companies that have invested heavily in a biometric system.  A recent example of a potential biometric data (fingerprint scanning) breach was where, back in August 2019, Suprema, a South Korea-based biometric technology company, and one of the world’s top 50 security manufacturers, was reported to have accidentally exposed more than one million fingerprints online after installing its standard Biostar 2 product on an open network. The bigger potential problem was that Biostar 2 is part of the AEOS access control system, which is used by over 5,700 organizations in 83 countries, including big multinational businesses, SMEs, governments, banks, and even the UK Metropolitan Police.

Dealing With A Data Breach

How a company deals with a data breach can make a big difference in the outcome for that company.  For example, a good approach to dealing with a data breach may be evaluating the situation, closing loopholes and removing the threat, then offering transparent and open communications e.g. notifying customers, notifying the ICO, issuing a public statement (on the website) and opening communication channels with customers (online chat, social media, telephone, and email).

Prevention

Prevention is clearly the best way to avoid the negative effects of breaches and this requires assessing risks, putting data security and data privacy policies in place, training staff, keeping anti-virus, patches and fixes up to date, monitoring for new threats and potential risks, paying attention to staying GDPR compliant and much more.

Scammer Accidentally Calls Cyber-Crime Squad

A hapless scammer pretending to be from a broadband network got more than he bargained for when he accidentally called (and tried to work his scam) on the cyber-crime squad of an Australian police force.

Claimed To Be From Broadband Network

The scammer, claiming to be from Australia’s National Broadband Network (NBN), which does not make such calls to end-users, accidentally called the Financial and Cybercrime Investigation Branch (FCIB) of South Australia.  The purpose of the call appeared to direct the recipient to a website imitating the NBN website. Once there, the call recipient would be encouraged to download remote access software onto their computer with the ultimate aim of gaining access to personal information, including passwords for online banking details.

Tech Support Hoax

The caller, who is believed to have been part of a group of scammers calling Adelaide landlines, claimed to be a tech support person and that the call recipient needed to download software in order to fix an Internet problem (after an alleged hack).

Police Answered

Unfortunately for the scammer, the call was answered by a member of the FCIB who then used secure software in order to safely follow the caller’s instructions and thereby understand the true nature of the scam. 

Directed To A Poorly Designed Website

The member of the FCIB reported being directed by the scammer to a “poorly designed” website where they were told to carry out the steps needed to download software.  The FCIB member reported seeing that the fake website had Web-hosting text preceding the .com, thereby indicating that it was not affiliated with the NBN and was most probably a fake.

Following failed attempts by the scammer to convince the FCIB member to download the software (malware), the scammer terminated the call.

What Does This Mean For Your Business?

Luckily, in this case, the FCIB were able to see exactly how a group of scammers were operating and were able to issue detailed warnings in the local area.  This story is a reminder to all that no-one is safe from scam calls and that scammers using phishing and social engineering pose a serious risk.  Even though many businesses may know that legitimate companies do not call out of the blue and ask people to download software, all staff in an organisation should be made aware (e.g. by training) of the policy and procedures regarding this kind of risk (e.g. never to click on unfamiliar emails, links or to download unfamiliar software). Businesses should instruct staff that if they are in any doubt of who a caller is, hang up and only call the organisation back on the known, reputable number.  Incidents should, ideally, be reported to the police, Action Fraud, and to the relevant member of staff in the call recipient’s company.

That said, cyber-criminals are becoming more sophisticated in their attacks on businesses, and a Proofpoint Human Factor report from last year showed that as many as 99 per cent of cyber-attacks now involve social engineering through cloud applications, email or social media.  This illustrates how attackers are now much keener on trying to enable a macro, or trick people into opening a malicious file or follow a malicious link through human error, rather than having to face the considerable and time-consuming challenge of trying to hack into the (often well-defended) systems and infrastructure of enterprises and other organisations.  Businesses should therefore boost their efforts in guarding against this type of attack.

Are You Being Tracked By WhatsApp Apps?

A recent Business Insider Report has highlighted how third-party apps may be exposing some data and details of the activity of WhatsApp users.

WhatsApp – Known For Encryption

Facebook-owned WhatsApp is known for its end-to-end encryption.  This means that only the sender and receiver can read the message between them. 

In addition to being convenient, free, and widely used in business, the secure encryption that users also value has even been a target for concerned governments (including the UK’s) who have campaigned for a ‘back door’ to be built-in in order to allow at least some security monitoring.

Able To Exploit Online Signalling

If the Business Insider revelations are correct, however, third-party apps may already be making the usage of WhatsApp less secure than users may think.  The business news website has reported that third-party apps may be able to use WhatsApp’s online signalling feature to enable monitoring of the digital habits of anyone using WhatsApp without their knowledge or consent.  This could include tracking who users are talking to, when they are using their devices and even when they are sleeping.

Shoulder Surfing

Back in April, there were also media reports that hackers may be potentially able to use ‘shoulder surfing’ (spying in close proximity to another phone) and the knowledge of a user’s phone number to obtain an account restoration code from WhatsApp which could allow a user’s WhatsApp account to be compromised.

Numbers In Google Search Results

Also, back in June, an Indian researcher highlighted how WhatsApp’s ‘Click to Chat’ feature may not hide a user’s phone number in the link and that looking up “site:wa.me” in Google, at the time, allegedly revealed 300,000 users’ phone numbers through public Google search results.

Other Reports

Other reports questioning how secure the data of WhatsApp users really is have also focused on how, although messages may be secure between users in real-time, backups stored on a device or in the cloud may not be under WhatsApp’s end-to-end encryption protection.  Also, although WhatsApp only stores undelivered messages for 30 days, some security commentators have highlighted how the WhatsApp message log could be accessed through the chat backups that are sometimes saved to a user’s phone.

Signal?

One potential signal that WhatsApp may not be as secure as users may think could be the fact that, back in February, The European Commission asked staff to use the SIgnal app instead of WhatsApp.

What Does This Mean For Your Business?

As may reasonably be expected from a widely used and free app owned by a tech giant, yes, WhatsApp collects usage and some other data from users, but it does still have end-to-end encryption. There are undoubtedly ways in which aspects of security around the app and its use could be compromised but for most business users it has become a very useful and practical business tool that has become central to how they regularly communicate with each other.  At the current time, WhatsApp’s owner, Facebook, appears to be busy concentrating much of its effort on competing with Zoom and on promoting its own desktop Messenger app free group video calls and chats that it has just launched. Even though WhatsApp is coming in for some criticism over possible security problems, the plan is still to grow the app, add more features, and keep it current and competitive which is why it recently ceased support for old operating systems.

Featured Article – Facial Recognition, Facial Authentication and the Future

Facial Recognition and facial authentication sound similar but there are distinct differences and this article takes a broad a look at how both are playing more of a role in our lives going forward. So firstly, what’s the difference?

Facial Recognition

This refers to the biometric technology system that maps facial features from a photograph or video taken of a person e.g. while walking in the street or at an event and then compares that with the information stored in a database of faces to find a match. The key element here is that the cameras are separate from the database which is stored on a server.  The technology must, therefore, connect to the server and trawl through the database to find the face.  Facial recognition is often involuntary i.e. it is being used somewhere that a person happens to go – it has not been sought or requested.

Facial recognition is generally used for purposes such as (police) surveillance and monitoring, crime prevention, law enforcement and border control.

Facial Authentication

Facial Authentication, on the other hand, is a “match on device” way of a person proving that they are who they claim to be.  Unlike facial recognition, which requires details of faces to be stored on a server somewhere, a facial authentication scan compares the current face with the one that is already stored (encrypted) on the device.  Typically, facial authentication is used by a person to gain access to their own device, account, or system.  Apple’s FaceID is an example of a facial authentication system. Unlike facial recognition, it is not something that involuntarily happens to a person but is something that a person actively uses to gain entry/access.

Facial recognition and facial authentication both use advanced technologies such as AI.

Facial Recognition – Advantages

The advantages of facial recognition technology include:

– Saving on Human Resources. AI-powered facial recognition systems can scan large areas, large moving crowds and can pick out individuals of interest, therefore, saving on human resources.  They can also work 24/7, all year round.

– Flexibility. Cameras that link to facial recognition systems can be set up almost anywhere, fixed in place or as part of mobile units.

– Speed. The match with a face on the database happens very quickly (in real-time), thereby enabling those on the ground to quickly apprehend or stop an individual.

– Accuracy – Systems are very accurate on the whole, although police deployments in the UK have resulted in some mistaken arrests.

Facial Recognition Challenges

Some of the main challenges to the use of facial recognition in recent times have been a lack of public trust in how and why the systems are deployed, how accurate they are (leading to possible wrongful arrest), how they affect privacy, and the lack of clear regulations to effectively control their use.

For example, in the UK:

– In December 2018, Elizabeth Denham, the UK’s Information Commissioner launched a formal investigation into how police forces used FRT after high failure rates, misidentifications and worries about legality, bias, and privacy. This stemmed from the trial of ‘real-time’ facial recognition technology on Champions League final day June 2017 in Cardiff, by South Wales and Gwent Police forces, which was criticised for costing £177,000 and yet only resulting in one arrest of a local man whose arrest was unconnected.

– Trials of FRT at the 2016 and 2017 Notting Hill Carnivals led to the Police facing criticism that FRT was ineffective, racially discriminatory, and confused men with women.

– In September 2018 a letter, written by Big Brother Watch (a privacy campaign group) and signed by more than 18 politicians, 25 campaign groups, and numerous academics and barristers, highlighted concerns that facial recognition is being adopted in the UK before it has been properly scrutinised.

– In September 2019 it was revealed that the owners of King’s Cross Estate had been using FRT without telling the public, and with London’s Metropolitan Police Service supplying the images for a database.

– A recently published letter by London Assembly members Caroline Pidgeon MBE AM and Sian Berry AM to Metropolitan Police commissioner Cressida Dick asked whether the FRT technology could be withdrawn during the COVID-19 pandemic on the grounds that it has been shown to be generally inaccurate, and it still raises questions about civil liberties. The letter also highlighted concerns about the general inaccuracy of FRT and the example of first two deployments of LFR this year, where more than 13,000 faces were scanned,  only six individuals were stopped, and five of those six were misidentified and incorrectly stopped by the police. Also, of the eight people who created a ‘system alert’, seven were incorrectly identified. Concerns have also been raised about how the already questionable accuracy of FRT could be challenged further by people wearing face masks to curb the spread of COVID-19.

In the EU:

Back in January, the European Commission considered a ban on the use of facial recognition in public spaces for up to five years while new regulations for its use are put in place.

In the U.S.

In 2018, a report by the American Civil Liberties Union (ACLU) found that Amazon’s Rekognition software was racially biased after a trial in which it misidentified 28 black members of Congress.

In December 2019, a US report showed that, after tests by The National Institute of Standards and Technology (NIST) of 189 algorithms from 99 developers, their facial recognition technology was found to be less accurate at identifying African-American and Asian faces, and was particularly prone to misidentifying African-American females.

Backlash and Tech Company Worries

The killing of George Floyd and of other black people in the U.S by police led to a backlash against facial recognition technology (FRT) and strengthened fears by big tech companies that they may, in some way be linked with its negative aspects. 

Even though big tech companies supply facial recognition software such as Amazon (Rekognition), Microsoft and IBM, some have not sold it to police departments pending regulation, but most have also had their own concerns for some years.  For example, back in 2018, Microsoft said on its blog that “Facial recognition technology raises issues that go to the heart of fundamental human rights protections like privacy and freedom of expression. These issues heighten responsibility for tech companies that create these products. In our view, they also call for thoughtful government regulation and for the development of norms around acceptable uses”.

With big tech companies keen to maintain an ethical and socially responsible public profile, follow-up on their previous concerns about problems with FRT systems and a lack of regulation,  and to distance themselves from the behaviour of police as regards racism/racial profiling or any connection to it e.g. by supplying FRT software, four big tech companies recently announced the following:

– Amazon has announced that it is implementing a one-year moratorium on police use of its FRT in order to give Congress enough time to implement appropriate rules. 

– After praising progress being made in the recent passing of “landmark facial recognition legislation” by Washington Governor Jay Inslee, Microsoft has announced that it will not sell its FRT to police departments until there is a federal law (grounded in human rights) to regulate its use.

– IBM’s CEO, Arvind Krishna, has sent a letter to the U.S. Congress with policy proposals to advance racial equality, and stating that IBM will no longer offer its general-purpose facial recognition or analysis software.

– Google has also distanced itself from FRT with Timnit Gebru, leader of Google’s ethical artificial intelligence team, commenting in the media about why she thinks that facial recognition is too dangerous to be used for law enforcement purposes at the current time.

Masks

The need to wear masks during the pandemic has proven to be a real challenge to facial recognition technology.  For example, recent research results from the US National Institute of Standards and Technology showed that even the most advanced facial recognition algorithms can only identify as little as between 2 and 50 per cent of faces when masks are worn.

Call For Clear Masks

There have been some calls for the development of clear or opaque masks or masks with a kind of ‘window’, as highlighted by the National Deaf Children’s Society, to help the 12 million people in the UK who are deaf or suffer from degrees of hearing loss e.g. to help with lip-reading, visual cues and facial expressions.  Some companies are now producing these masks e.g. the FDA-approved ‘Leaf’ transparent mask by Redcliffe Medical Devices in Michigan.  It remains to be seen how good facial recognition technology is at identifying people with a clear/opaque mask as opposed to a normal mask.

Authentication Challenges

The security, accuracy, and speed challenges of more traditional methods of authentication and verification have made facial authentication look like a more effective and attractive option.  For example, passwords can be stolen/cracked and 2-factor authentication can be less convenient and can be challenging if, for example, more than one user needs access to an account.

Facial Authentication Advantages

Some of the big advantages of facial authentication include:

– Greater Accuracy Assurance. The fact that a person needs to take a photo of their government-issued ID photo e.g. from a passport to match with a selfie + embedded 3D likeness detection to set up their facial authentication on their device means that it is likely to be accurate in identifying them.

– Ease of Use. Apple’s  Face ID is easy to use and is likely to become a preferred way of authentication by users.

– Better Fraud Detection. Companies and individuals using facial authentication may have a better chance of detecting attempted fraud (as it happens) than other current systems. Companies that use facial authentication with systems may, therefore, be able to more confidently assess risk, minimise fraud losses, and provide better protection for company and customer data.

– Faster For Users. Face ID, for example, saves time compared to other methods.

– Cross-Platform Portability. 3D face maps can be created on many devices with a camera, and users can enrol using a laptop webcam and authenticate from a smartphone or tablet. Facial authentication can, therefore, be used for many different purposes.

The Future – Biometric Authentication

The small and unique physical differences that we all have (which would be very difficult to copy) make biometric authentication something that’s likely become more widely used going forward.  For example, retinas, irises, voices, facial characteristics, and fingerprints are all ways to clearly tell one person from another. Biometric authentication works by comparing a set of biometric data that is preset by the owner of the device with a second set of biometric data that belongs to a device visitor. Many of today’s smartphones already have facial or fingerprint recognition.

The challenge may be, however, if biometric data is required for entry systems access that is not “on device” i.e. a comparison will have to be made with data stored on a server, thereby adding a possible security risk step.

Human Micro-Chipping

There may be times where we do not have access to our devices, where fast identification is necessary or where we may need to carry data and information that can’t be easily learned or remembered e.g. our medical files.  For these situations,  some people have presented the argument for human micro-chipping where microchip implants, which are cylindrical ‘barcodes’, which can be scanned through a layer of skin to transmit a unique signal.

Neuralink Implant

Elon’s Musk’s Neuralink idea to create an implantable device that can act as an interface between the human brain and a computer could conceivably be used in future for advanced authentication methods.

Looking Forward

The benefits of facial recognition e.g. for crime prevention and law enforcement are obvious but for the technology to move forwards, regulatory hurdles, matters of public trust and privacy, and technical challenges e.g. bias, and accuracy need to be overcome.

Facial authentication provides a fast, accurate and easy way for people to prove that they are who they say they are.  This benefits both businesses and their customers in terms of security, speed and convenience as well as improving efficiency.

More services where sensitive data is concerned e.g. financial and medical services, and government agency interactions are likely to require facial authentication in the near future.

Cyber Security Top of List for Digital Transformation

A recent survey appears to have shown that changes brought by the pandemic have meant that IT buyers from companies working on digital transformation now value cybersecurity the most.

Survey

The survey, conducted among IT business leaders attending the all-virtual Digital Transformation Expo (DTX), DTX: NOW this month showed that 26 per cent of respondents put IT security at the top of their digital transformation list. A close second place was the cloud at 21 per cent.

Pandemic Accelerated Digital Transformation

As shown in survey results published last month by Studio Graphene, the need to quickly shift staff to working from home because of the lockdown appeared to be a driver and an accelerator of digital transformation for businesses.  The survey showed that nearly half (46 per cent) of business leaders said that said Covid-19 had driven the most pronounced digital transformation that their businesses had experienced.

Adapt

The distribution of the workforce/staff working from home which the pandemic lockdown caused has meant that not only have businesses have been forced to adapt their cloud strategy, but also their cybersecurity measures, and their business cultures to ensure that their businesses function as well as possible.

Challenges and Gains

The survey found that the biggest challenges to digital transformation projects were identified as being changes in the scope, reduced budgets, and changes in team structures.  At the same time, the survey results revealed that the need to ensure that all employees could work from home revealed IT issues that may not otherwise have been addressed, thereby helping the business to modernise and realise which areas needed investment going forward.

New Ways of Working

With further restrictions, local lockdowns, the possibility of new, stricter restrictions ahead and a decidedly uncertain near future for traditional office-based working, the pandemic has driven diversification of work methods and structures. Flexible, smarter, hybrid working, involving different location looks to be a reality for businesses as we try to gain more control in an increasingly unpredictable world and businesses environment.

What Does This Mean For Your Business?

The results of the survey appear to support the idea that necessity has driven digital transformation.  The pandemic lockdown has been a catalyst that has moved many aspects of businesses forward and led them to clearly and quickly see the importance of cybersecurity, where weaknesses are, where investment is needed next and has shown them that new, more flexible models of work can benefit employer and employee.  Whilst changes have been difficult, and people and their organisations have been forced to adapt to changes quickly, the lessons learned in digital transformation may have boosted confidence within organisations that they have the in-built flexibility, creativity, experience and ability to weather the storm and reinvent how they work according to prevailing conditions.

Featured Article – The Challenge of User Access Permissions

Employees being given too much access to privileged, sensitive company data can put an organisation in danger.  In this article, we explore the issues around this subject and how businesses can minimise the risk.

Survey

In a recent survey of 900 IT professionals commissioned by IT security firm Forcepoint, it was revealed that 40 per cent of commercial sector respondents and 36 per cent of public sector respondents said they had privileged access to sensitive company data through their work.  Also, 38 per cent of private sector and 36 per cent of public sector respondents said that they did not need the amount of access they were given to complete their jobs.  The same survey showed that 14 per cent of respondents believed that their companies were unaware of who had what access to sensitive data.

The results of this survey confirm existing fears that by not carefully considering or being able to allocate only the necessary access rights to employees, companies may be leaving open a security loophole.

Risks and Threats

The kinds of risks and threats that could come from granting staff too many privileges in terms of sensitive data access include :

Insider Threats

Insider threats can be exceedingly difficult to detect and exact motives vary but the focus is generally to gain access to critical business assets e.g. people, information, technology, and facilities.  Insiders may be current or former full-time employees, part-time employees, temporary employees, contractors/third parties, and even trusted business partners. The insider may be acting for themselves or for a third party.  Information or data taken could be sold e.g. to hackers or to representatives of other organisations/groups or used for extortion/blackmail. An insider could also use their access for sabotage, fraud, social engineering or other crimes. An insider could also cause (unintentional) damage.

The insider threat has become more widely recognised in recent years and in the U.S., for example, September is National Insider Threat Awareness Month (NIATM).

Intrusions From Curiosity

The digitisation of all kinds of sensitive information, and digital transformation, coupled with users being given excessive access rights, has led to intrusions due to curiosity, which can lead to a costly data breach.  One example is in the health sector where, in the U.S., data breaches occur at the rate of one per day (Department of Health and Human Services’ Office for Civil Rights figures).  Interestingly, Verizon figures show that almost 60 per cent of healthcare data breaches originate from insiders.

Accidental Data Sharing

Some employees may not be fully aware of company policies and rules, particularly at a time when the workforce has been dispersed to multiple locations during the lockdown.  A 2019 Egress survey, for example, revealed that 79 per cent of employers believe their employees may have accidentally shared data over the last year and that 45 per cent sent data to the wrong person by email. Unfortunately, the data shared or sent to the wrong person may have been sensitive data that an individual did not need to have access to in order to do their job.

Hacking

If hackers and other cybercriminals are able to obtain the login credentials of a user that has access rights to sensitive data (beyond what is necessary) this can provide relatively easy access to the company network and its valuable data and other resources.  For example, cybercriminals could hack or find lost devices or storage media, use social engineering, or use phishing or other popular techniques to get the necessary login details.

How Does It Happen?

The recent Forcepoint and the Ponemon Institute survey showed that 23 per cent of IT pros believe that privileged access to data and systems are given out too easily.  The survey results suggest that employees can end up having more access rights than they need because:

– Companies have failed to revoke rights when an employee’s role has changed. 

– Some organisations have assigned privileged access for no apparent reason.

– Some privileged users are being pressured to share access with others.

How To Stop It

Stopping the allocation of too many privileged access rights may be a holistic process that considers many different aspects and activity from multiple sources, including:

– Incident-based security tools. Although these can alert the organisation to potential problems and can register logs and configuration changes, they can also give false positives and it can take a prohibitively long time to fully review the results, find and plug the breach.

– Trouble tickets and badge records.

– Reviews of keystroke archives and video.

– User and entity behaviour analytics tools.

– The challenge is that many organisations lack the time, resources, and expertise to piece all these elements together in a meaningful way.

Looking Forward

It appears that where there is a disconnect between IT managers and staff, and where access rights are not regularly monitored or checked, a whole business or organisation can end up being in danger. Some security commentators suggest that the answer lies in easy-to-use technology that incorporates AI to help monitor how data flows and is shared to bring about the necessary visibility as regards who has access and what they’re doing with that access.  Always seeking verification and never acting simply on trust is a key way in which organisations can at least detect malicious activity quickly.

Amazon Review Fraud

An FT investigation appears to have uncovered an estimated 20,000 Amazon reviews where the reviewers were suspected of being paid to give a five-star rating.

Reviews

The Competition and Markets Authority (CMA) in the UK estimates that £23 billion a year of UK consumer spending is potentially influenced by online reviews.  This makes them especially important to the many businesses selling through platforms like Amazon.

The CMA also acknowledges that there are practices that can breach the Consumer Protection from Unfair Trading Regulations 2008 (CPRs) and UK Advertising Codes and that these practices may prevent consumers from choosing the product or service that best suits their needs.  These can include businesses writing or commissioning fake positive reviews about themselves, businesses or individuals writing or commissioning fake negative reviews, review sites ‘cherry-picking’ positive reviews, or suppressing negative reviews and review sites’ moderation processes possibly causing some genuine negative reviews not to be published.

One recently reported trend appears to be the use of multiple one-star feedback reviews for products on Amazon, perhaps funded by competitors, as a form of manipulation.

Deletions

The FT investigation, which has led to the deletion by Amazon of the 20,000 allegedly fraudulent reviews reportedly showed the UK’s top Amazon reviewer appeared to have left an average of one five-star rating on the platform every four hours in August.

How Can It Happen?

The process that leads to fraudulent/fake five-star reviews may begin with companies meeting reviewers on social networks (e.g. in Facebook groups) or messaging apps, reviewers receiving free product samples, a good review being left on the platform and the reviewer then being given a refund on the product that was free to them in the first place.

Not New

Fake and fraudulent reviews are not new. Back in July, The Markup claimed to have found suspicious-looking reviews on Amazon and back in December 2019 a Daily Mail report claimed that Marketing firms were selling positive reviews on Amazon. At the time, Amazon said that it had already taken legal action against some firms for this.

Amazon’s Efforts

In the UK, fake reviews fall under UK consumer protection law and last year alone, Amazon is reported to have spent 400 million (US dollars) to protect customers from reviews abuse, fraud, and other forms of misconduct.  It has also bee reported that Amazon monitors around 10 million review submissions each week before they go public in an attempt to protect buyers and the credibility of its own review system.  

How To Spot Fake Reviews

Ways to spot fake review include using services like free site ‘Fakespot’ where users can copy and paste a link to a product page, then click Analyse to show any evidence of fake reviews.

What Does This Mean For Your Business?

Amazon is a vital sales platform for many businesses and, with the power that good reviews have in increasing sales and bad or low star reviews have in deterring sales, it is clear to see how some businesses may be tempted to resort to paid-for manipulation as a competitive tactic. Consumers, Amazon itself, and businesses that are affected by unfair reviews all lose out where fake/fraudulent/manipulated reviews can slip through the vetting process. Many people feel, therefore, that Amazon and other platforms (e.g. social media) need to work together and increase the effort, investment, technology, and creative thinking that could deliver a much improved or an innovative and new review system.