No surprise, but Google just changed its privacy policy to reflect broader uses of all the surveillance data it has captured over the years:

Research and development: Google uses information to improve our services and to develop new products, features and technologies that benefit our users and the public. For example, we use publicly available information to help train Google’s AI models and build products and features like Google Translate, Bard, and Cloud AI capabilities.

(I quote the privacy policy as of today. The Mastodon link quotes the privacy policy from ten days ago. So things are changing fast.)

The Washington Post has an article about popular printing services, and whether or not they read your documents and mine the data when you use them for printing:

Ideally, printing services should avoid storing the content of your files, or at least delete daily. Print services should also communicate clearly upfront what information they’re collecting and why. Some services, like the New York Public Library and PrintWithMe, do both.

Others dodged our questions about what data they collect, how long they store it and whom they share it with. Some—including Canon, FedEx and Staples—declined to answer basic questions about their privacy practices.

When it comes to alternative asset trading, protecting investor data is of critical importance.

As more traders and investors engage in these investment avenues, it is crucial to adopt robust security measures to safeguard sensitive and regulated information. Here are seven tips to protect investor data in alternative asset trading.

•Conduct regular penetration testing. Regular and thorough penetration testing is crucial for identifying vulnerabilities within trading systems. By engaging third-party experts to simulate real-world hacks, companies can proactively uncover potential weaknesses and address them promptly.

Penetration testing provides valuable insights into a system’s security posture, allowing companies to fortify their defenses and protect investor data from malicious actors.

•Foster collaborative partnerships. Having access to a partner focused on cybersecurity brings fresh perspectives and allows for an unbiased evaluation of the systems in use. These partnerships strengthen a security posture by leveraging the expertise of professionals who specialize in identifying vulnerabilities and can suggest remediation strategies. By working together, a robust cybersecurity framework can be established to protect investor data.

•Employ real-time antivirus scanning. Implement a multi-layered approach to protect against potential threats. By using real-time antivirus scanning to detect and neutralize security risks as they enter the trading system, threats can be quickly identified and eliminated.

This includes scanning all materials, such as investor onboarding documents and communication. Real-time antivirus scanning enhances the security of investor data by providing immediate protection against known and emerging threats.

•Implement strong data encryption. Data encryption is fundamental for protecting sensitive information in alternative asset trading. Industry-standard algorithms for encryption can ensure all data, in transit and at rest, is safe.

Encryption renders data unreadable to unauthorized individuals, significantly reducing the risk of data breaches. Implementing strong data encryption protocols and adhering to best practices fortifies the confidentiality and integrity of investor data.

•Prioritize continuous threat detection. Maintaining continuous observability of the trading system is essential for early threat detection. It’s important to implement robust monitoring systems that analyze activities and network traffic, which identify unauthorized access or suspicious behavior.

Prompt detection and response to potential security incidents mitigate the impact of breaches, ensuring ongoing protection of investor data. Continuous threat detection is a proactive approach to maintaining trading environment security.

•Stay informed about security best practices. Staying current on the latest trends, emerging threats and industry best practices is crucial to security. Some great ways to keep a team informed on evolving security challenges and effective countermeasures include participating in industry forums, attending conferences and engaging with security professionals.

Active awareness of security developments allows for adaptable strategies in addressing emerging risks and effectively protecting investor data.

•Conduct employee training and awareness programs. Investing in comprehensive employee training and awareness programs is essential for a security-conscious environment. It’s important to educate staff on the significance of data protection, potential security threats and proper handling of sensitive information.

Enforce a culture of strong passwords, two-factor authentication and responsible data access practices to foster a security-conscious culture.

Protecting investor data is vital for maintaining trust and confidence in alternative asset trading. By adopting a comprehensive approach to security, fintechs and issuers can establish robust security measures. Safeguarding sensitive information not only mitigates risks but also allows investors to focus on maximizing their investment opportunities with peace of mind.

About the essayist: Brian Nadzan is CTO/CISO of Templum, a provider of technology and infrastructure solutions for the private markets. He has over 25 years of global leadership experience within the financial services industry, having spearheaded development across Electronic Trading, OMS, Risk, Compliance and Data.

Just how much do porn websites know about your sexual peccadillos? How are Barbie dolls involved in identity scams? And would you trust a completely free telly? Oh, and Graham has some opinions to share about "Indiana Jones and the Dial of Destiny". All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Matt Davey from the "Random but Memorable" podcast.

Police are already using self-driving car footage as video evidence:

While security cameras are commonplace in American cities, self-driving cars represent a new level of access for law enforcement - and a new method for encroachment on privacy, advocates say. Crisscrossing the city on their routes, self-driving cars capture a wider swath of footage. And it’s easier for law enforcement to turn to one company with a large repository of videos and a dedicated response team than to reach out to all the businesses in a neighborhood with security systems.

“We’ve known for a long time that they are essentially surveillance cameras on wheels,” said Chris Gilliard, a fellow at the Social Science Research Council. “We’re supposed to be able to go about our business in our day-to-day lives without being surveilled unless we are suspected of a crime, and each little bit of this technology strips away that ability.”

[…]

While self-driving services like Waymo and Cruise have yet to achieve the same level of market penetration as Ring, the wide range of video they capture while completing their routes presents other opportunities. In addition to the San Francisco homicide, Bloomberg’s review of court documents shows police have sought footage from Waymo and Cruise to help solve hit-and-runs, burglaries, aggravated assaults, a fatal collision and an attempted kidnapping.

In all cases reviewed by Bloomberg, court records show that police collected footage from Cruise and Waymo shortly after obtaining a warrant. In several cases, Bloomberg could not determine whether the recordings had been used in the resulting prosecutions; in a few of the cases, law enforcement and attorneys said the footage had not played a part, or was only a formality. However, video evidence has become a lynchpin of criminal cases, meaning it’s likely only a matter of time.

SMS toll fraud is spiking. I learned all about the nuances of deploying – and defending – these insidious attacks in a recent visit with Arkose Labs CEO, Kevin Gosschalk, who explained how the perpetrators victimize businesses that use text messages to validate phone users signing up for a new account.

The fraudsters set themselves up as “affiliates” of phone companies in Indonesia, Thailand and Vietnam and then use bots to apply for online accounts, en masse, at a targeted business. The con: each text message the business then sends in return — to validate the applicant — generates a fee for the phone company which it shares with the affiliate.

This fraudulent activity usually remains undetected until the business receives a bill for an unusually high number of text messages sent to seemingly legitimate users.

As a solution, Arkose Labs aims to increase the cost of attacks, making them less profitable for the fraudsters.

Guest expert: Kevin Gosschalk, CEO, Arkose Labs

Their technology detects malicious actions and offers differing levels of challenges, based on a risk threshold. They also provide their customers with threat intelligence that can be used to prevent attackers from profiting. For a full drill down on our discussion, please give the accompanying podcast a listen.

This is one more example of cybercriminals cleverly exploiting the flaws in a convenient business process. It surely won’t be the last. I’ll keep watch and keep reporting.
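A business can look for the pattern described above in its own signup logs before the bill arrives. The following is an added example, not code from Arkose Labs or from the podcast; the event format, the thresholds and the assumption that bot signups rarely enter the code they were sent are hypothetical, and the phone numbers are constructed.

```python
from collections import defaultdict


def flag_sms_pumping(events, window=10, prefix_len=6, min_sends=5, max_completion=0.2):
    """Flag number ranges that draw many verification texts but few completions.

    events: iterable of (minute, e164_number, verified) from the signup flow
            (hypothetical log format).
    Sends are bucketed by time window and by leading digits of the number,
    because bulk signups against one carrier tend to share a number block.
    Returns a sorted list of (window_start, prefix, sends, completion_rate).
    """
    buckets = defaultdict(lambda: [0, 0])  # (window_start, prefix) -> [sends, verified]
    for minute, number, verified in events:
        key = (minute - minute % window, number[:prefix_len])
        buckets[key][0] += 1
        buckets[key][1] += int(verified)

    flagged = []
    for (start, prefix), (sends, ok) in sorted(buckets.items()):
        rate = ok / sends
        # High volume alone can be a marketing spike; the signal here is
        # volume combined with codes that are never entered back.
        if sends >= min_sends and rate <= max_completion:
            flagged.append((start, prefix, sends, rate))
    return flagged


# Constructed sample data: +62 is Indonesia, +84 is Vietnam, +1 is North America.
SAMPLE_EVENTS = (
    # Eight sends to one Indonesian block within ten minutes, none verified.
    [(i, f"+62811000{i:03d}", False) for i in range(8)]
    # Six sends to a US block in the same window, five of them verified.
    + [(i, f"+1415555{i:04d}", i != 0) for i in range(6)]
    # Three unverified sends to a Vietnamese block, below the default volume threshold.
    + [(12 + i, f"+84901000{i:03d}", False) for i in range(3)]
)

if __name__ == "__main__":
    for start, prefix, sends, rate in flag_sms_pumping(SAMPLE_EVENTS):
        print(f"minute {start}: {prefix}* sends={sends} completion={rate:.0%}")
```

Flagged ranges are candidates for rate limiting or an added challenge before any text is sent, which is the point at which the cost of the attack shifts back to the attacker.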

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

Back in 2020, law enforcement agents across Europe had a major breakthrough in their fight against organised crime. They managed to crack into EncroChat - a secure encrypted messaging service which ran on modified Android phones, that promised "worry-free secure communications". But investigators managed to gain full control of EncroChat's infrastructure, and could read users' supposedly-encrypted messages in real-time.