Court rules companies can be sued for collecting biometric data without consent

A reminder of how quickly the technology world evolves: it’s not only regulations which need to catch up, but business practices too, as a state Supreme Court opens the door for privacy lawsuits.

In an interesting case, the Supreme Court of Illinois has set a precedent for the state’s Biometric Information Privacy Act (BIPA). Companies that have not appropriately obtained consent from individuals before storing biometric data can now be sued under BIPA without the individual having suffered any harm, such as fraud, as a result. The ruling makes BIPA a dangerous piece of paper, as effective use of the Freedom of Information Act could put a few companies in precarious positions.

This case, Rosenbach versus Six Flags, has pitted a 14-year-old against the amusement park over the collection and storage of thumbprint data without informed consent. BIPA prohibits companies from gathering, using or sharing biometric information without informed opt-in consent; the question the Supreme Court had been considering was whether there are grounds for a lawsuit when no damage has been inflicted on the user.

“Contrary to the appellate court’s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act,” stated Chief Justice Lloyd Karmeier in his decision.

But why is this a dangerous decision for businesses located or operating in Illinois? Because business practices are not keeping up with the tsunami of data which is emerging, and many companies do not have full visibility into the data they hold.

One of the problems we saw in the build-up to the General Data Protection Regulation (GDPR) in Europe was companies’ lack of understanding of what data they actually had their hands on. With the 21st century’s version of a land-grab seeing companies scrabble for as much information as possible over the last decade, few actually managed to store and categorize it effectively.

Before any company can consider calling itself compliant (under GDPR, BIPA or any new data-orientated regulation), a full data audit has to be completed; this discovery process is a critical step. In conversations over coffee, a few consultants told us this was a significant issue for UK companies. During the audit, some were finding they were holding onto sensitive data which they had no idea existed, and were in violation of data privacy and protection regulations.

BIPA is nowhere near as wide-ranging as some data protection and privacy regulations, though we suspect there will certainly be numerous companies who are now non-compliant under this new ruling and precedent. This is the issue with technology: it moves so much faster than the red-tape bureaucrats. Technology is implemented before the regulations governing its usage, or the business practices needed to ensure compliance, can be deployed. It creates a dangerous position where companies could be non-compliant without even realising it.

In Illinois, as proof of damages to individuals is no longer needed, effectively placed Freedom of Information requests could see similar cases brought before the courts. In the rush to remain relevant by embracing technology, few have considered the boring aspect of regulation. Who would, considering how long it takes the courts to catch up? But this is a case where being cutting-edge is a double-edged sword.

Huawei CFO charged with hiding connection to Skycom, which worked with Iran

The bail hearing for Huawei CFO Meng Wanzhou has revealed she is charged with concealing ties between her company and another that violated US trade sanctions.

Meng was arrested last week in Canada and had her bail hearing at the end of the week. In it, according to multiple reports, she was accused of committing fraud by telling US banks in 2013 that Huawei had no connection to Hong Kong firm Skycom, which was apparently doing business with Iranian telecoms companies. The suggestion is that Skycom was used to disguise Huawei’s own violations of US trade sanctions, the same sort of thing that caused ZTE so much grief earlier this year.

“Ms. Meng personally represented to those banks that Skycom and Huawei were separate when in fact they were not separate,” said Crown Counsel John Gibb-Carsley. “Skycom was Huawei.” Evidence for this is reportedly contained in a PowerPoint presentation from that time and it looks like this manoeuvre may be what was referred to in ZTE’s F7 memo.

In a bid to get bail, Meng’s lawyers argued that she’s not a flight risk because she wouldn’t want to embarrass her father, the founder of Huawei, as well as the company itself and the whole country. She also apparently has a couple of houses in Vancouver which she could stay in. Counter-arguments have focused on how much cash she has, meaning she could afford to leg it.

The original scoop on Skycom seems to have come from Reuters, which reported back in January 2013: ‘Huawei CFO linked to firm that offered HP gear to Iran’. The reason this case has escalated to an arrest isn’t the business Huawei may or may not have done with Iranian companies, but the allegations of deliberately misleading US banks – hence committing fraud.

How can the telecoms industry block the account takeover threat?

Telecoms.com periodically invites third parties to share their views on the industry’s most pressing issues. In this piece Roberto Valerio, CEO of anti-fraud specialist Risk Ident, explores the challenge of identity theft in the telecommunications sector, and explains how companies can cut off the fraudsters before they do damage.

Identity theft used to be something that only worried banks, insurers and financial institutions. Over the past several years, however, the threat has expanded to other critical industries, including the mobile telecommunications space.

So widespread is the issue of identity theft that it is now reaching epidemic levels. In 2016, for example, 1.4 billion data records were exposed in nearly 1,800 security breaches worldwide. In September 2017, the network security system of U.S. credit bureau Equifax was breached, compromising the personal data of 143 million consumers.

The UK company TalkTalk was hit with a record £400,000 fine in October 2016 for the cyber attack in 2015 that placed the personal details of more than 150,000 customers in the hands of criminals.

The issue with these data breaches is what criminals do with the information afterwards. Once identity data has been stolen, fraudsters create new accounts online – or worse – use the personal information to hijack existing accounts. They can masquerade as a legitimate user and hide behind their good history to make fraudulent purchases – this “account takeover” threat is rising fast.

Mobile telecoms is at particular risk

The mobile telecoms industry is especially vulnerable to the threat of identity theft. The mobile phone contract model that is prevalent across the whole of Europe – where customers receive a high-value phone handset up-front and pay for it monthly – is very attractive for fraudsters, precisely because it offers so many avenues for crime to occur.

Such mobile phone fraud is growing fast: Cifas reported a 60% rise in mobile telecoms identity fraud from 2016 to 2017. Failure by firms to respond now could cause untold misery for customers, as they battle to recoup losses and protect their hard-earned cash. For the companies themselves, inaction could lead to financial penalties, such as fines, and a significant negative impact on their brand reputation.

So, what can mobile telecoms companies do to protect themselves and their customers?

Understanding fraud

There are a number of ways criminals are using stolen identities to carry out contract fraud.

A common and straightforward one sees fraudsters use a victim’s account details to sign up to a mobile contract – complete with expensive phone – then quickly sell the handset on, leaving the genuine account holder to deal with the contract repayments and other fall-out.

Contract extensions are also carefully targeted by criminals.

Many telecom providers aim to reduce friction with customers by avoiding the complex re-sign process – which inadvertently presents an attractive target to nimble fraudsters. It is not uncommon for criminals to use stolen data to hijack contract renewals by changing victims’ details to ensure the new handsets arrive at an address they can access.

These attacks are easy to carry out and can be highly lucrative – it’s no wonder that they are so attractive and tempting to criminals. With this in mind, it is vital that businesses do all they can to safeguard their customers’ data.

So, what can be done?

Quite simply, telecoms firms need to find ways of not just tightening security around their data storage, but of trying to close the gaps presented by the mobile phone contract process by predicting where customers may be most vulnerable to fraud.

Tackling the problem over the past five years, we’ve found that slightly more than 19 percent of confirmed fraud cases are account takeovers.

At the same time, we identified several characteristics that can help any telecoms firm spot a case of account takeover (ATO), including:

  • Recent account changes: In nearly every instance in which RISK IDENT determined that ATO had occurred, the password, email address or physical address had been changed in the previous 10 days.
  • Big spend: In cases of account takeover, the average order value is four times higher than typical orders – crucial for fraudsters to justify the effort. Fraudulent contract requests may involve a phone handset with a significantly higher RRP than the customer’s previous phone.
  • Customer’s age: The older an account holder is, the more likely they are to be the victim of an account takeover. Older users may have less technical expertise, which could leave them vulnerable to data theft.

Telecoms firms should take these factors into account when evaluating whether or not they have a problem with ATO, so they can act to protect their customers before any fraud is actually committed.
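The three signals above can be turned into a simple triage check that runs over each contract request before it is approved. The following is an added example, not Risk Ident’s model or code: the 10-day change window and the 4× spend multiplier come from the article, while the handset RRP multiplier, the age cut-off, the signal weights, the triage thresholds and the sample account records are all constructed assumptions for illustration.

```python
"""Toy account-takeover (ATO) triage built from the signals listed in the
article. Added example: thresholds marked 'assumption' and the sample records
are invented for illustration, not Risk Ident figures."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Dict, List, Optional

RECENT_CHANGE_DAYS = 10   # article: credential/address change within previous 10 days
SPEND_MULTIPLIER = 4.0    # article: ATO orders average four times a typical order
RRP_MULTIPLIER = 1.5      # assumption: what counts as a "significantly higher" handset RRP
SENIOR_AGE = 65           # assumption: age from which the age signal is weighted

# assumption: relative weight of each signal and the triage cut-offs below
WEIGHTS = {"recent_change": 3, "big_spend": 2, "rrp_jump": 2, "senior_holder": 1}
HOLD_SCORE = 5
REVIEW_SCORE = 3


@dataclass
class Account:
    account_id: str
    holder_age: int
    previous_handset_rrp: Optional[float]   # None for a brand-new customer
    order_history: List[float]              # prior order values; empty for new accounts
    last_password_change: Optional[date] = None
    last_email_change: Optional[date] = None
    last_address_change: Optional[date] = None


@dataclass
class ContractRequest:
    account: Account
    order_value: float
    handset_rrp: float


def ato_signals(req: ContractRequest, today: date) -> Dict[str, bool]:
    """Evaluate each ATO indicator for one contract request."""
    acct = req.account
    cutoff = today - timedelta(days=RECENT_CHANGE_DAYS)
    changes = [acct.last_password_change, acct.last_email_change, acct.last_address_change]
    recent_change = any(d is not None and d >= cutoff for d in changes)

    # New accounts have no baseline, so the spend and RRP signals stay False
    avg_order = mean(acct.order_history) if acct.order_history else None
    big_spend = avg_order is not None and req.order_value >= SPEND_MULTIPLIER * avg_order
    rrp_jump = (acct.previous_handset_rrp is not None
                and req.handset_rrp >= RRP_MULTIPLIER * acct.previous_handset_rrp)
    senior_holder = acct.holder_age >= SENIOR_AGE

    return {"recent_change": recent_change, "big_spend": big_spend,
            "rrp_jump": rrp_jump, "senior_holder": senior_holder}


def risk_score(signals: Dict[str, bool]) -> int:
    return sum(WEIGHTS[name] for name, hit in signals.items() if hit)


def triage(req: ContractRequest, today: date) -> str:
    """Map the weighted score to an action: approve, manual_review or hold_for_verification."""
    score = risk_score(ato_signals(req, today))
    if score >= HOLD_SCORE:
        return "hold_for_verification"   # re-verify the holder out of band before shipping
    if score >= REVIEW_SCORE:
        return "manual_review"
    return "approve"


def sample_requests():
    """Constructed sample data: a normal renewal, a textbook ATO pattern, and a borderline case."""
    today = date(2018, 11, 1)   # constructed reference date
    legit = Account("A-1001", 34, 450.0, [30.0, 45.0, 40.0],
                    last_address_change=date(2018, 3, 2))
    suspect = Account("A-2002", 71, 300.0, [25.0, 35.0, 30.0],
                      last_email_change=date(2018, 10, 28),
                      last_address_change=date(2018, 10, 29))
    borderline = Account("A-3003", 68, 400.0, [50.0, 60.0],
                         last_password_change=date(2018, 10, 30))
    return today, [ContractRequest(legit, 55.0, 500.0),
                   ContractRequest(suspect, 120.0, 999.0),
                   ContractRequest(borderline, 65.0, 450.0)]


if __name__ == "__main__":
    today, requests = sample_requests()
    for req in requests:
        print(req.account.account_id, ato_signals(req, today), triage(req, today))
```

The point of the weighting is that a recent credential or address change on its own only earns a second look, while the same change combined with an unusually large order or a handset jump puts the request on hold until the holder has been re-verified through a channel the fraudster does not control; in production the weights and cut-offs would be tuned against the firm’s own confirmed-fraud history rather than the constructed values used here.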

Other businesses’ leaks will cause you headaches

Successfully protecting customer information means doing more than simply shoring up your own business’s computer systems and taking steps to predict the likelihood of account takeover fraud among your customer base. Other businesses and partners also present weak spots in a telecoms firm’s defences that fraudsters can exploit.

Take the 2017 Equifax breach, for example. More than 140 million credit records were leaked and telecoms businesses were among the victims hardest hit. Many ultimately paid for the security failings of Equifax, suffering a rash of mobile phone contract applications from crooks using stolen credentials.

The risk of partners suffering data breaches is significant. Telecoms firms, then, need to ensure their customers’ data is protected across the supply chain, by promoting solutions to help predict fraud risk.

A game of cat and mouse

It is not a question of “winning” against fraud – no one wins. Fraud is a cat-and-mouse game and telecoms firms have to up the stakes to take on the fraudsters. The harder you make it for them, the less likely you will be hit.

Simple steps like incorporating systems to predict account takeover vulnerability can go a long way towards helping telecoms companies prepare themselves to tackle the ever-increasing fraud threat. By talking to experts, firms can ensure their fraud prevention processes are fit for purpose well into the future.


Roberto Valerio, CEO, Risk Ident

Roberto Valerio is one of the foremost experts on the rise of AI in combating fraud and founder of RISK IDENT, Europe’s leading provider of new intelligent anti-fraud software. Roberto sits on the European Advisory Board of the Merchant Risk Council and is a regular speaker on Europe’s anti-fraud conference circuit.

Crime moves upmarket as fraud becomes the UK’s number 1 offence

New research from Experian claims fraud is now the UK’s most common criminal offence, much to the dismay of thugs and hoodlums everywhere.

The company’s Annual Fraud Indicator 2017 estimates the annual cost of fraud in the UK at £190 billion, exceeding the total Gross Domestic Product of 148 of the 191 countries on the planet. Breaking it down, private sector fraud cost the UK economy £140 billion over the course of 2017, while public sector fraud was only £40.3 billion.

“Awareness of the dangers fraud poses is growing, but the total of £190 billion is startlingly high,” said Nick Mothershaw, Director of Fraud and Identity Solutions at Experian. “Plastic card and online banking fraud continues to increase, so new regulations which make it harder for fraudsters to use someone’s cards online are a necessary step.

“Fraudsters are shamelessly opportunistic and are now turning their attention to the pensions release, lured by the promise of high value returns when their scams are successful.”

Procurement has been pinned down as the biggest sucker for fraud, but the report notes new technologies are opening up new opportunities for the tricksters. Online banking fraud has grown by 226% and telephone banking fraud by 178% in the past year, with millennials getting caught out as well.

While this number is surprisingly high, the growing popularity of mobile money and contactless payment solutions might add to the problem. Another area where we haven’t yet seen the impact is social media.

With the online world taking more control of our daily lives, authentication techniques using social media accounts are becoming more common. The vast majority are used for free services, but that doesn’t mean someone won’t work out how to commit a white collar crime using this little development. Individuals seem very enthusiastic about handing out their personal information online, and in truth we haven’t seen any particularly devastating negative impacts yet. That doesn’t mean it isn’t possible though.

Breaking the bottleneck of counter fraud management

Telecoms.com periodically invites expert third parties to share their views on the industry’s most pressing issues. In this piece Joseph George, Senior Vice President of Fraud & Security at Mobileum, argues operators need to revise their approach to countering fraud.

We live in a golden age of data. For operators looking to counter fraud, there has never been more actionable information available at their fingertips than there is now.

In theory, this is an amazing advantage for communications service providers (CSPs) looking to stay one step ahead of increasingly sophisticated ‘fraudsters’, as well as gain insights that can help their business thrive in new service areas. A wealth of useful data, an increased ability to fight fraud, and a way to add to the bottom line are all wonderful things for operators. However, this explosion of data has also created unforeseen challenges.

Operators are reaching a tipping point, as the telecoms sector significantly expands its global services with faster broadband, 5G roll-out and more connected devices. Combined with the overall trend of traffic moving from voice to data networks, CSPs are facing huge challenges as many fraud management systems are buckling under the weight of trying to detect and act with the speed and accuracy needed to prevent potential revenue losses.

Simply put, many traditional fraud management systems can’t keep up with the sheer volume of data out there. It’s leaving operators staring at a mountain of overlooked (and underutilized) data, too much of a pain and inconvenience to be analysed thoroughly.

The root problem with many systems is that they can only handle limited datasets, not accounting for volume, variety and velocity of critical data. Also, modern capabilities and features are missing in older systems, including mobility, machine-learning, self-service analytics, and more visual and intuitive interfaces. In fact, some legacy systems still in use today by CSPs monitor fraud by only analysing aggregate records of calls.

There is a real, looming threat that fraud management is becoming a bottleneck, impeding CSPs’ ability to offer and expand services until fraud data can be interpreted and managed. Like a clogged kitchen sink, fraud management is creating a backup. Initially it might just cause a small pipe leak, but if operators aren’t proactive, they could have a full-blown burst on their hands.

That burst may be caused by the pressure of a mounting catalogue of services (and data) CSPs are involved in delivering, which they also need to analyse. Although outside their control, CSPs are often best positioned to identify instances of fraud occurring over carrier traffic on their networks. Examples of this include data fraud, international revenue share fraud and bypass fraud, among others. Along with the risk of IoT and sensor networks having fraudulent apps installed, the result is that the blind spots of many current CSP systems are being exposed by emerging sources of fraud.

So how can operators get ahead of the problem? How can they break this ballooning bottleneck, take advantage of the fact that they have access to vast amounts of data, and expand their services? The first step is to go beyond merely detecting fraud. CSPs should look inward, circling back and advancing their fraud protection tactics.

CSPs should have integrated, actionable and prescriptive control of fraud and abuse, based upon a combination of dynamically auto-configured business rules and policy control. By obtaining a high degree of detection accuracy, operators can get a clear understanding of the fraud data they are being presented with, and what it is telling them. With IoT for example, it means having an ability to uncover fraud outside of rule-based detection.

The implementation of predictive, big data technologies and machine learning is a way to keep up with new frauds in real time, stopping them in their tracks. It also offers the added benefit of creating more parameters and making greater volumes of data available for analysis. All of this can be accomplished by employing a comprehensive multi-protocol solution that is nimble, fast and adds to an operator’s current system capabilities.

It’s no secret that the telecoms sector is significantly expanding its services and capabilities. But it’s the savvy operators who realize that breaking through the bottleneck of fraud data saves time and money in the long-term, and facilitates investment in new opportunities and services that otherwise would have been missed.


Joseph George

Joseph George joined Mobileum in May 2017 as Senior Vice President, Fraud & Security. He leads the global strategy for solutions that help service providers control their risks related to fraud & security and prevent revenue leaks in their business.