Tag Archives: VTech

How to Make Smart Devices More Secure

Smart-television maker Vizio agreed to pay a penalty this month for spying on 11 million customers. According to the Federal Trade Commission, the company captured second-by-second information on what customers viewed, combined it with their gender, age and income and sold it to third parties.

How much was the fine for Vizio, which has sales in excess of $3 billion? It was $2.2 million — barely a slap on the wrist.

These kinds of privacy breaches are increasingly common as billions of devices now become part of the “Internet of Things” (I.o.T.). Whether it be our TV sets, cars, bathroom scales, children’s toys or medical devices, we are already surrounded by everyday objects equipped with sensors and computers. And the companies that make them can get away with being careless with consumer security — and with stealing customer data.

Vizio has been accused of exposing its customers to hackers before. In November 2015, security researchers at Avast demonstrated a man-in-the-middle attack on the TVs' tracking connections that could give an attacker a foothold on the home WiFi network the set was connected to, and found that the TVs kept recording viewing data even when customers had explicitly opted out of the terms of service.


On Black Friday in 2015, hackers broke into the servers of Chinese toymaker VTech and lifted personal information on nearly five million parents and more than six million children. The data haul included home addresses, names, birth dates, email addresses and passwords. Worse still, it included photographs and chat logs between parents and their children. VTech paid no fine and changed its terms of service to require that customers acknowledge their private data “may be intercepted or later acquired by unauthorized parties.”

Regulations and consumer protections are desperately needed.

One option would be to hold the manufacturers strictly liable for these hacks, to financially motivate them to improve product security. In the same way that seat belt manufacturers are responsible for the safety of their products, I.o.T. device makers would be presumed to be liable unless they could prove that they had taken all reasonable precautions. The penalties could be high enough to put a company out of business.

But this would be inequitable. One of the factors enabling such hacking is that users don’t use sufficiently complex passwords and thus leave the front door unlocked. It could also stifle innovation, with the big players avoiding the possibility of extreme penalties by becoming averse to innovations, and small players avoiding entering the market because they lack the resources to handle possible litigation.

Duke School of Law researcher Jeremy Muhlfelder says that copyright law has a history of Supreme Court cases that have ruled on this exact principle, of not wanting to curb the “next big thing” by holding innovators liable for their innovations. Innovators themselves wouldn’t, and shouldn’t, be liable for how carelessly their innovations are incorporated into new products. But imposing strict liabilities on manufacturers, because it would lead indirectly to canceling the rewards of innovation, might not be legally realistic either.

A more reasonable solution may be along the lines of what attorney Matt Scherer recommends in a paper on regulating artificial intelligence systems that was published in the Harvard Journal of Law and Technology: Impose strict liability but with the potential for pre-certification that removes the liability. I.o.T. devices would be deemed inherently dangerous, and thus the producer would be strictly liable for faults unless an independent agency certifies the devices as secure. This would be similar to the UL certification provided by Underwriters Laboratories, a government-recognized testing laboratory that carries out testing and certification to ensure products meet safety specifications.


Equipment certification is also one of the recommendations that former Federal Communications Commission chairman Tom Wheeler made in a letter to Sen. Mark R. Warner (D-Va.) regarding the government's response to the October 2016 attack on the internet, in which the Mirai botnet of compromised I.o.T. devices knocked the DNS provider Dyn, and with it many major websites, offline. He proposed a public–private partnership that creates a set of best practices for securing devices, the certification or self-certification of products, and labeling requirements to make consumers aware of the risks. Wheeler proposed "market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively."

As Wheeler also noted, addressing I.o.T. threats is a national imperative and must not be stalled by the transition to a new president. This is beyond politics. It is a matter of national security and consumer safety.

Expect More Cyber Turbulence in 2016

In February 2015, Anthem, the nation's second-largest health care insurer, disclosed that attackers had stolen records for 80 million employees, customers and partners. That was followed a few weeks later by Premera Blue Cross admitting that it had lost records for 11 million people.

Then in July 2015, the U.S. Office of Personnel Management began a series of mea culpas. OPM ultimately conceded that hackers swiped sensitive personnel records for 21.5 million federal employees, contractors and their family members. Anthem, Premera Blue Cross and OPM were among the high-profile breaches in a year when the Identity Theft Resource Center counted more than 750 publicly disclosed data leaks.

ThirdCertainty asked three IDT911 experts — Brian Huntley, Eduard Goodman and Victor Searcy — for their 2016 prognostications. (Full disclosure: IDT911 underwrites ThirdCertainty.)

Wire fraud and politics 

Brian Huntley, IDT911 Chief Information Security Officer

Huntley: In the coming year, fraud and theft will plague the merchant payments and ACH wire transfer systems. Small and medium-size businesses are especially vulnerable. If enough SMBs get victimized, it could result in a public outcry about the inherent vulnerabilities in these systems, especially as consumers and small business owners come to realize there are minimal regulatory protections in these types of cases.

This being an election year, U.S. presidential candidates will focus on cyber war strategy and armament. Armchair quarterbacking of the 2015 U.S.-China cybersecurity agreement will arise as the centerpiece of this debate. We could see the U.S.-China cyber accord ascend as the basis for peer agreements between other nation states.

Meanwhile, the search will continue in different industries for an information security control framework that is akin to what the financial services sector has in the Federal Financial Institutions Examination Council’s (FFIEC) Information Security Guidelines and the health care sector has in the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

Data transfers and children's privacy

Eduard Goodman, IDT911 Chief Privacy Officer

Goodman: U.S. companies with a European presence will encounter a tremendous amount of uncertainty in 2016 with respect to Europe’s stricter Safe Harbor data privacy rules, relating to the sensitive data transfers to businesses in the U.S.

European regulators can be expected to harass the likes of Facebook and Google. And the threat of sanctions for noncompliance with Europe’s tougher Safe Harbor standards could easily filter down to many smaller companies, as well.

In another area, the recent hacking of toy maker VTech and Hello Kitty parent company SanrioTown.com signals that the theft of children’s information could become a worrisome new trend. As children obtain earlier access to social media, smartphones and Web-enabled toys, details of their personal information and preferences are rapidly becoming part of the greater data ecosystem.

As a result, we will see more breaches that involve the theft of information for individuals under the age of 18. Hopefully, we also will see more public dialogue about the concept of preserving children’s privacy, whether it be school record data, health information or data files containing images, video and audio recordings.

Taxpayers targeted—once again

Victor Searcy, IDT911 Director of Fraud Operations

Searcy: One of the most pervasive identity theft scams involves the filing of a faked federal tax return using an ill-gotten Social Security number. Sadly, this will continue to be true again in 2016.

In the 2010 and 2011 tax seasons, the Internal Revenue Service paid out $8.8 billion of taxpayer money to identity thieves. And statistics pulled from a sampling of customers assisted through IDT911’s Resolution Center in 2014 show a 120% increase in tax fraud victims in 2014 and another 134% increase in 2015.

We expect this number to grow again in 2016. It can take months for a victim to sort out the mess with the IRS. Worse, there is little stopping criminals from using a victim’s Social Security number and other personal information in other scams.

IDT911 stats show that 16% of tax fraud victims also were victims of financial identity theft; 12% of customers experienced multiyear tax fraud; and 16% were victims of both federal and state tax fraud.