What You Know? Why PII Authentication Should Change For Future Generations. G3C 2019 (Abigail McAlpine G3C Presentation 2019.pdf)
AbigailMcAlpine
54 slides
Jun 27, 2024
About This Presentation
PII of Minors Online and Exploring Why We Should Move Away From the PII Authentication Model for Future Generations due to PII No Longer Fitting the CIA Triad.
Size: 948.66 KB
Language: en
Added: Jun 27, 2024
Slides: 54 pages
Slide Content
WHAT YOU KNOW? WHY PII AUTHENTICATION SHOULD CHANGE FOR FUTURE GENERATIONS
Abigail McAlpine
Cyber Security Researcher (PhD) from the Secure Societies Institute at The University of Huddersfield
AM
Background
• Cyber Security Researcher (PhD) from the Secure Societies Institute at the University of Huddersfield
• Research on Personally Identifiable Information (PII) of children aged 11-16 on Social Networking Services (SNS), focussing particularly on the most commonly used platforms according to Ofcom's "Children and parents: media use and attitudes report 2018"
• Human-based cyber security research, particularly focusing on the "what" and "where" of sharing online when it comes to children's information
• Data collection is still under way, with the public, parents and children
• My background pre-PhD was in business and marketing, as a marketing manager
Contrary to popular belief...
• A doctorate in cyber security does not make me an expert in all things cyber security; I'm not particularly tech based, I'm not a hacker.
• Eventually, by the end of my PhD, I might be able to say that I'm an expert in one particular niche area of cyber security around children's PII on social media.
Brief Illustrated Guide to a PhD
• http://matt.might.net/articles/phd-school-in-pictures/ (@mattmight)
G3C 2019 - Abigail McAlpine
Imagine a circle that contains all of human knowledge:
By the time you finish elementary school, you know a little:
By the time you finish high school, you know a bit more:
With a bachelor's degree, you gain a specialty:
A master's degree deepens that specialty:
Reading research papers takes you to the edge of human knowledge:
Once you're at the boundary, you focus:
You push at the boundary for a few years:
Until one day, the boundary gives way:
And, that dent you've made is called a Ph.D.:
The Secure Societies Institute (SSI)
• "Research staff and students from across the seven Schools work collaboratively to address global security challenges as diverse as terrorism, modern slavery, child sexual abuse and cyber crime." – Prof Rachel Armitage
• Nearly 100 staff and post-graduate researchers from The University of Huddersfield working on a variety of inter-disciplinary research projects in the hopes of addressing security topics nationally and internationally.
Source: https://research.hud.ac.uk/institutes-centres/ssi/welcome/
Take another look
Imagine this girl in the same scenario today. What personal information can you see?
What is Personal Identifiable Information (PII)?
• Personal data is information that relates to an identified or identifiable individual.
• What identifies an individual could be as simple as a name or a number, or could include other identifiers such as an IP address or a cookie identifier, or other factors.
• If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.
• Source: https://ico.org.uk
What is Personal Identifiable Information (PII)?
• If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable.
• You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.
What is PII?
• Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it "relates to" the individual.
• When considering whether information "relates to" an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.
• It is possible that the same information is personal data for one controller's purposes but is not personal data for the purposes of another controller.
Take another look
From a marketing perspective... what can we use?
If we took this information online
• We can develop an idea of her potential likes and dislikes
• We can produce an idea of products and services that relate to her age/location/trends in the area
• We can curate a timeline of products and services we can push towards her
• We can identify potential placement in the AIDA Model/Sales Funnel
Marketing potential
• We can guess her age is probably between 11-14 (wider guess of 10-16)
• We can reasonably articulate an idea of her assigned gender
• We can see her uniform – idea of location, confirmation of age group
• We can see she has her own phone – she seems very attached
In marketing this would be seen as rich data – worth investing time and money into...
• With this information we could curate a customer persona, we could adjust marketing, we could curate a timeline of potential sales funnels to pitch.
• This information is still very valuable to us
• We don't need to know her identity
In security
• It still has value, but this information is arguably seen as not being overly personal
• There's potential to use this information in future fact finding to collate a bigger picture of her identity.
• It's the potential of future information that will cause issues for her identity
Ultimately
• The ability and tools to collate more information about an individual (regardless of age) exist in both the marketing and cyber security industries
• The skills to take the information we have and turn it into viable information are already in the room; a lot of the tools and methods to do so are very established, be it in technology or simply observing an individual
• These cases will always exist; there is justification for the existence of data collection around children online for marketing purposes – whether directly through children's use, or through a third party or parent's use, or by purchasing data points.
The real issue...
• Some of the largest datasets on children in the world are owned by Social Networking Services (SNS)
• They have this information, and it's usually attached to an identity.
• Encouragement of PII sharing, location data, connecting with more users, spending more time on the platforms
Ofcom Report (12-15)
• 83% of 12-15 year olds have their own smartphone
• 50% of 12-15 year olds have their own tablet
• 99% of 12-15 year olds go online, for 20 ½ hours per week
• 69% have a social media profile
Source: Ofcom, Children and parents: Media use and attitudes report 2018
Ofcom Report (8-11)
• 35% of 8-11 year olds have their own smartphone
• 50% of 8-11 year olds have their own tablet
• 93% of 8-11 year olds go online, for 13 ½ hours per week
• 18% of 8-11 year olds have a social media profile
Source: Ofcom, Children and parents: Media use and attitudes report 2018
Privacy Pin-Ups
• "We take your privacy and security seriously."
• "Your privacy matters to us."
Huge changes in Facebook
• Encrypted end-to-end messages through the Messenger app
• Reducing permanence – deleting long-term information as standard (undefined), March 2019
• Right to be forgotten / the right to erasure – GDPR 2018. Doesn't primarily limit the sharing of information
• Suspension of tens of thousands of applications (69,000) in Sept 2019, made by about 400 developers
Parental Awareness of Minimum Age Requirement (13)
• Facebook 32%
• Instagram 28%
• Snapchat 15%
Source: Ofcom, Children and parents: Media use and attitudes report 2018
Children lie about their age
• EU Kids Online conducted studies between 2011 and 2014 in 22 different countries
• 1 in 4 of the 9-to-10-year-olds and 1 in 2 of the 11-to-12-year-olds were using Facebook already
• 4 in 10 gave a false age.
How many children on SNS?
• In 2011 an estimated 20 million minors used Facebook, according to Consumer Reports; 7.5 million of these were under 13.
• These estimates are no longer in date, and the possibility of establishing an accurate number has been significantly decreased as more children lie to get past age verification systems
If we take everything at face value
Removing potential FUD – let's say:
• Social networking services care about your privacy
• Physical information gathering/safety will always be an issue
• We can't control children lying about their age to interact on social media
Timeline
A timeline of SNS as we know it today:
• 1997: First SNS – "Six Degrees" and AOL Messenger
• 1999: MSN Messenger and Yahoo Messenger launch
• 2001: Six Degrees shuts down
• 2002: Friendster launches
• 2003: LinkedIn and Myspace launch
• 2004: Facebook launches
• 2005: Reddit, Bebo, YouTube launch
• 2006: Twitter launches; Facebook releases the News Feed feature
• 2010: Pinterest and Instagram launch
• 2012: Snapchat launches; Facebook acquires Instagram
Features of SNS
Some examples of features that have rolled out in the last 20 years or so. Some in real time, some pre-emptive.
• Location data
• Event tagging
• Friend tagging
• Facial recognition features (photo tagging)
• Messenger
• Announcements
• Life Events
Who knows what this is?
Source: https://www.telegraph.co.uk/technology/0/snapchat-map-do-use-safe-children/
Snapchat Map
• Snap Map was a feature automatically rolled out in a June 2017 Snapchat update that tagged users' location on a map in real time to all their "friends" on Snapchat
• Snapchat had already established a young user group; there was a reward system in place for Snapchat streaks resulting in points for users, so the more "friends" users made, the more streaks could be established and the more points could be gained
• There were different settings for how users could find each other – some transparently, such as public/private profiles. Others, including how you could find friends, such as the app's access to your contacts, have become better communicated over time.
TikTok
• TikTok is one of the world's most downloaded applications, one of the top 10 globally
• TikTok stated users must be over 13 but asked for no proof
• Known previously as Musical.ly, it utilised Snapchat's successful model and Vine's demise to carve a niche for itself with younger users.
• Public profiles by default – public comments by default
• If the profile was public, the application had an open messaging feature, which resulted in children receiving private messages from strangers
SNS are targeting children with marketing
• We know this because of the tailored products and services they are marketing towards their users based on data collection and analysis
• They are rolling out features without any care or consideration for children's/users' safety
Children's Sharing
• Children are sharing more content about themselves than ever before, to bigger audiences
• They are more vulnerable to peer pressure at various ages
• Some children have more understanding of SNS than their parents or educators
Parents Sharing
• "Sharenting" is the term being used for parents who share a lot of information about their children online
• Some parents have been over-sharers from the beginning, with no prompts
• However, the introduction of Facebook and features such as the newsfeed, announcements, timeline and memories have prompted users to share more about their lives and their children
• A lot of the PII required can be found about users independently, but sharing about third parties who haven't necessarily consented to it still accumulates, outside their control
Fraud - Trends
• The theft of personal and financial data through social engineering and data breaches was a major contributor to fraud losses in 2018.
• The stolen data is used to commit fraud both directly and indirectly.
• Source: www.ukfinance.org.uk
Fraud - Trends
• Recession fraud
• In 2009, it was announced that fraud had increased threefold in the previous year as a result of the recession
• Cases through British courts alone accounted for more than £1.1bn worth of fraud
• In April 2018, a report in America (Javelin Strategy & Research) on child fraud reported that more than 1 million children were victims of identity theft or fraud in 2017.
• Two-thirds of those victims were age 7 or younger.
• Six in 10 child victims personally know the perpetrator.
Why is this used?
CIA Triad
• Confidentiality through preventing access by unauthorized users.
• Integrity from validating that your data is trustworthy and accurate.
• Availability by ensuring data is available when needed.
Source: www.ibm.com
Why is this used?
• The 3 A's of cyber security
• Authentication, Authorization, and Accounting (AAA)
Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security. – searchsecurity.techtarget.com
PII used as authentication?
• SMS and/or Email Based 2FA: Whether the site offered SMS (text message) or email based 2FA. Sites that offered this method earned 1 point.
• Software Token 2FA: Whether the site allowed you to perform 2FA using a software authenticator. Popular software authenticators include Authy, Google Authenticator, or Microsoft Authenticator. Sites that offered this method earned 1 point.
• Hardware Token 2FA: Whether the site allowed you to use a hardware token to perform 2FA. Popular hardware tokens include YubiKey and Google Titan. Sites that used this method earned 3 points.
Is 2FA/MFA a fix?
Researcher Piotr Duszyński published a tool called Modlishka (Polish: "Mantis") capable of automating the phishing of one-time passcodes (OTPs) sent by SMS or generated using authentication apps. Jan 2019
Is Biometric Authentication a fix?
• There have already been a significant number of data breaches since the mass introduction of biometric authentication
• Biostar 2 lost more than a million
• OPM lost 20 million
Facebook’s Timeline is 13 years old
• In 3 years' time – children who have had every significant moment of their life shared online – nearly all potential PII authentication answers. 16 years old and old enough for a debit account/card
• In 5 years' time – children who have had every significant moment of their life shared online – nearly all potential PII authentication answers. 18 years old and old enough for lines of credit; many products pushed in their direction will be highly likely to be targeted at low credit
• Most will be venturing into the professional world, with everything associated with it, including loans, LinkedIn profiles, historic social media profiles
Right to forget
• Doesn't mean that other users will forget
• Doesn't mean that children are protected online
• Doesn't mean that children's information is not being shared
• Doesn't educate users/parents/children about the dangers of oversharing PII online
• Doesn't fix the problem
Potential actions moving forward
• Tackle education of users around the availability of this information
• Attempt to limit the scope of the issue – through historic deletion on SNS (this probably won't happen)
• We change the infrastructure of how we secure accounts – if these security questions are to remain, then there should be additional steps involved to reset a password or gain access to an account
• We attempt to tackle this in a way that doesn't cause additional issues – e.g. Netflix asking for photos of passports through email to confirm identity
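As an added example (not part of the talk), the kind of "additional step" the last list argues for: a recovery flow where security-question answers, which a shared family timeline can leak, never reset the account on their own, and a second gate requires an RFC 4226 HOTP code from an enrolled token. The accounts, questions, "shared timeline" answers and token secret are all constructed for illustration.

```python
# Added example: security questions alone vs. questions plus a possession factor.
# All accounts, questions, timeline data and the token secret are constructed.
import hashlib
import hmac
from dataclasses import dataclass

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace so "Fluffy " still matches, then salt and stretch
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 50_000)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

@dataclass
class Account:
    salt: bytes
    answer_hashes: dict        # question -> salted hash of the enrolled answer
    token_secret: bytes        # secret of the enrolled authenticator app / hardware token
    token_counter: int = 0     # last accepted HOTP counter, so a captured code cannot be replayed

def answers_match(acct: Account, given: dict) -> bool:
    if set(given) != set(acct.answer_hashes):
        return False
    return all(hmac.compare_digest(hash_answer(a, acct.salt), acct.answer_hashes[q])
               for q, a in given.items())

def kba_only_reset(acct: Account, given: dict) -> bool:
    # Weak flow: whoever knows the answers can reset, and years of shared posts leak them
    return answers_match(acct, given)

def kba_plus_possession_reset(acct: Account, given: dict, code: str) -> bool:
    # Hardened flow: correct answers only open a second gate that needs the enrolled token
    if not answers_match(acct, given):
        return False
    for step in range(1, 4):   # small look-ahead window for codes generated but never submitted
        if hmac.compare_digest(hotp(acct.token_secret, acct.token_counter + step), code):
            acct.token_counter += step
            return True
    return False

# Constructed data: the kind of answers a family's shared timeline exposes
SALT = b"constructed-salt"
TOKEN_SECRET = b"12345678901234567890"   # RFC 4226 test-vector secret, not a real key
SHARED_TIMELINE = {"first pet": "Fluffy", "first school": "Hilltop Primary"}

def make_account() -> Account:
    hashes = {q: hash_answer(a, SALT) for q, a in SHARED_TIMELINE.items()}
    return Account(SALT, hashes, TOKEN_SECRET)
```

With the constructed timeline data, kba_only_reset succeeds using nothing but the publicly shared answers, while kba_plus_possession_reset refuses the same answers until a fresh code from the enrolled token is presented, and rejects that code a second time.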
Thank You
Abigail McAlpine
Twitter @abigailmcalpine