New EU e-payments rules to make shopping safer.


The revised payment services directive, adopted Monday by the EU Commission, is designed to provide consumers with more convenient and innovative payment solutions, whether buying in shops or online.

The new rules implement the EU’s recently revised Payment Services Directive (PSD2), which aims to modernise Europe’s payment services so as to keep pace with this rapidly evolving market and allow the European e-commerce market to blossom.

The rules allow consumers to use innovative services offered by third party providers, also known as FinTech companies, while maintaining rigorous data protection and security for EU consumers and businesses. These include payment solutions and tools for managing one’s personal finances by aggregating information from various accounts.

A key objective of PSD2 is to increase the level of security and confidence in electronic payments. In particular, PSD2 requires payment service providers to implement strong customer authentication (SCA). Today’s rules therefore have stringent, built-in security provisions to significantly reduce payment fraud levels and to protect the confidentiality of users’ financial data, which is especially relevant for online payments. They require a combination of at least two independent elements before a payment is made, for example a physical item – a card or mobile phone – combined with a password or a biometric feature such as a fingerprint.

PSD2 also establishes a framework for new services linked to consumer payment accounts, such as the so-called payment initiation services and account information services. These innovative services are already on offer in many EU countries but thanks to PSD2 they will be available to consumers across the EU, subject to strict security requirements. The rules specify the requirements for common and secure standards of communication between banks and FinTech companies.

Following adoption of the Regulatory Technical Standards by the Commission, the European Parliament and the Council have three months to scrutinise them. Subject to the scrutiny period, the new rules will be published in the Official Journal of the EU. Banks and other payment services providers will then have 18 months to put the security measures and communication tools in place.

MEPs adopt new e-Privacy rules.


A decision adopted by the European Parliament’s Civil Liberties Committee to revise the European Union’s e-privacy rules was backed by the plenary. It was approved by 318 votes to 280, with 20 abstentions.

Parliament will start the talks with member states on the new e-Privacy regulation as soon as member states have agreed on their own negotiation position.

“The European Parliament today made the right choice and stood firm against the industry lobby over control of individuals’ communications,” said Parliament’s lead MEP Marju Lauristin (S&D, ET). “It is a basic right of individuals to know how their information is used. Freedom from tracking is vital to democracy.”

Parliament’s mandate sets high standards of privacy, confidentiality and security in electronic communications across the EU.

Among the parliament’s priorities is a ban on “cookie walls”, which block access to a website if users do not agree to their data being used by the site. Snooping on personal devices via cookies or software updates, or tracking people without their clear approval through public hotspots or Wi-Fi in shopping centres, should also be prohibited, said MEPs.

MEP Marju Lauristin, who is the parliament’s negotiator for the e-privacy legislation, said the vote is “a victory for citizens’ rights over the lobbying efforts of big business”.

“The e-privacy regulation is designed to adapt the rules on the confidentiality of communication for the reality of the 21st Century,” added Lauristin, a member of the Progressive Alliance of Socialists and Democrats (S&D) Group. “It covers new forms of private communication, such as WhatsApp or Skype, which did not exist when these laws were first introduced. It gives citizens much greater control over how their confidential information can be used by private companies.”

S&D Group spokesperson for civil liberties, justice and home affairs, Birgit Sippel, said: “The e-Privacy regulation aims to put users back in control of their communication data and wants to ensure that they are able to decide how this information is being used.”

British government accused of spying on millions of social media accounts.


A leak of government documents suggests that the British spy agency GCHQ is monitoring, collecting, and processing data from millions of British citizens.

In a press release on Tuesday, the non-governmental organisation Privacy International suggested that GCHQ has gained access to the databases of private social media companies (Bulk Personal Datasets and Bulk Communications Data).

Moreover, it appears that GCHQ was acting without the knowledge of its supervising authority (the Investigatory Powers Commissioner).

It remains unclear which aspects of private communication the spy agency was monitoring, collecting, and processing. However, these seem to include categories such as “biographical details”, “commercial and financial activities,” “communications,” “travel data,” and “legally privileged communications.”

More worryingly, there is evidence to suggest that some of this data was shared with third parties, including foreign governments.

Are Internet companies complicit in promoting hateful and harmful content?


Child pornographers, human traffickers, cyber-criminals, terrorists and extremists have weaponized the Internet. Technology companies have been slow to recognize, admit to, and respond to the illegal activities on their platforms that have resulted in devastating consequences.

Over the past few weeks, European Institutions and national governments have been calling on these companies to do more to rein in these abuses. Most recently, UK Prime Minister Theresa May told the United Nations General Assembly that technology companies need to go “further and faster” in developing technological solutions to automatically reduce the length of time that terror-related material remains online and eventually prevent it from appearing at all.

In 2016, Facebook, Google, Microsoft, and Twitter announced that they would work together to develop new technology to quickly identify and remove extremism-related content from their platforms. Despite some progress, serious problems remain. For example, the ISIS video “The Religion of Kufr is One,” which shows multiple executions by firearms and a hanging – clear violations of YouTube’s terms of service – has been uploaded and removed from YouTube at least six times since May 31, 2016. Analysts at the Counter Extremism Project (CEP) most recently found this video on September 11, 2017, where it already had 42 views. Technology companies must do better. I advocate for a multi-pronged approach to reining in online abuses.

First, we need a fast and effective method to remove content. Once content has been identified, reported, and determined to be illegal or in violation of terms of service, it should be immediately removed (Prime Minister Theresa May is calling for a maximum of two hours from notification to take-down). Past and future uploads of the same content should also be eliminated. While the initial takedown may require human reporting, the expunging of the content from past and future uploads can be fully automated. Robust hashing technology extracts a distinct digital signature from digital content that can be used to automatically, efficiently and accurately identify this same content. This technology is well understood and a version of it – photoDNA – has been in deployment for nearly a decade in the fight against the global distribution of child pornography. I worked with CEP to develop the next generation of robust hashing technology – eGlyph – that extends the reach of photoDNA from images to video and audio recordings. There is no technological, legal, or policy hurdle to the broad deployment of this type of robust hashing technology.

Second, we need to cooperate. The deployment of robust hashing technology requires collaboration between companies and non-governmental agencies to share the signatures of extremist content. This type of shared database will cast a wide net and prevent extremist content from simply migrating from one platform to another.
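The robust-hashing and shared-signature-database approach described in the two paragraphs above, as an added example that is not code from the author, CEP, photoDNA or eGlyph (whose actual algorithms differ): a simplified average-hash perceptual signature computed over constructed grayscale images, matched against a shared database by Hamming distance. The images, the database label and the match threshold are all constructed for illustration.

```python
# Added example (not photoDNA/eGlyph, whose algorithms differ): a simplified
# perceptual "robust hash" for grayscale images plus a shared signature lookup.
HASH_SIDE = 8          # downsample to an 8x8 grid -> 64-bit signature
MATCH_THRESHOLD = 6    # largest Hamming distance still treated as the same item
SIZE = 32              # constructed sample images are 32x32, values 0..255

def downsample(pixels, side=HASH_SIDE):
    """Block-average a square grayscale image (list of rows) to side x side cells."""
    b = len(pixels) // side
    return [[sum(pixels[y][x] for y in range(gy * b, gy * b + b)
                              for x in range(gx * b, gx * b + b)) / (b * b)
             for gx in range(side)] for gy in range(side)]

def robust_hash(pixels):
    """Average hash: each cell brighter than the mean cell becomes a 1 bit (MSB first)."""
    cells = [v for row in downsample(pixels) for v in row]
    mean = sum(cells) / len(cells)
    bits = 0
    for v in cells:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits

def hamming(a, b):
    """Number of differing bits between two signatures."""
    return bin(a ^ b).count("1")

def lookup(signature, shared_db):
    """Label of the closest shared signature within MATCH_THRESHOLD, else None."""
    best = None
    for label, known in shared_db.items():
        d = hamming(signature, known)
        if d <= MATCH_THRESHOLD and (best is None or d < best[1]):
            best = (label, d)
    return best[0] if best else None

def make_image(pixel_fn, size=SIZE):
    """Build a constructed grayscale image, clipping values to 0..255."""
    return [[max(0, min(255, pixel_fn(x, y))) for x in range(size)] for y in range(size)]

def checker(x, y):
    """Constructed sample content: dark/bright checker with a mild gradient."""
    gx, gy = x // 4, y // 4
    return 30 + 10 * gx if (gx + gy) % 2 == 0 else 150 + 10 * gy

ORIGINAL = make_image(checker)
BRIGHTER = make_image(lambda x, y: checker(x, y) + 40)                        # brightened re-encode
NOISY = make_image(lambda x, y: checker(x, y) + (7 * x + 13 * y) % 21 - 10)   # compression noise
WATERMARKED = make_image(lambda x, y: 255 if x >= 24 and y >= 24 else checker(x, y))  # logo overlay
UNRELATED = make_image(lambda x, y: 20 + 8 * (y // 4))                        # different content

# Constructed shared database: label -> signature contributed by a partner platform.
SHARED_SIGNATURE_DB = {"flagged-item-0001": robust_hash(ORIGINAL)}

if __name__ == "__main__":
    for name, img in [("brighter", BRIGHTER), ("noisy", NOISY),
                      ("watermarked", WATERMARKED), ("unrelated", UNRELATED)]:
        sig = robust_hash(img)
        print(name, hamming(robust_hash(ORIGINAL), sig), lookup(sig, SHARED_SIGNATURE_DB))
```

The brightened and noisy copies hash identically to the original, the watermarked copy differs in only two bits and still matches, while the unrelated image differs in half its bits and is not flagged.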

Third, we must innovate. It is essential to continue to develop new technologies to find and eliminate the most heinous and harmful content from being uploaded and shared online. This should include the development of machine-learning based algorithms that can accurately, automatically, and efficiently flag and remove content.

Fourth, we need to invest in human resources. While advances in machine learning hold promise, these technologies – as technology companies will admit – are not yet nearly accurate enough to operate across the breadth and depth of the internet. There are more than a billion uploads to Facebook each day and 300 hours of video uploaded to YouTube each minute of the day. This means that any machine-learning based solution will have to be paired with a significant team of human analysts that can resolve complex and often subtle issues of intent and meaning that are still out of reach of even the most sophisticated machine learning solutions.

On October 17-18 in Brussels, CEP is hosting a two-day conference, Building Alliances—Preventing Terror, that will bring together representatives from a range of European institutions as well as esteemed academics, government officials, and technology companies. As a senior advisor to the CEP, I am looking forward to presenting the eGlyph technology and new technologies that we are developing, and taking part in important discussions on the role of the EU in combatting and preventing extremism, disrupting the financing of terrorist activities, and grassroots efforts at preventing radicalization.

It is clear there is a political drive for Europe to take action and steer the fight against illegal and harmful content. Technology companies, academics, non-governmental and government agencies must work together to rein in online abuses and return the Internet to its original promise – a place where great ideas can be disseminated, discussed, and debated.

EU-U.S. Privacy Shield: First review shows it works but implementation can be improved

The European Commission has published its first annual report on the functioning of the EU-U.S. Privacy Shield, the aim of which is to protect the personal data of anyone in the EU transferred to companies in the U.S. for commercial purposes.

The Commission Vice-President for the Digital Single Market said: “The Commission stands strongly behind the Privacy Shield arrangement with the U.S. Making international data transfers sound, safe and secure benefits certified companies and European consumers and businesses, including EU SMEs. This first annual review demonstrates our commitment to create a strong certification scheme with dynamic oversight work.”
Věra Jourová, Commissioner for Justice, Consumers and Gender Equality stated: “Transatlantic data transfers are essential for our economy, but the fundamental right to data protection must be ensured also when personal data leaves the EU. Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation. The Privacy Shield is not a document lying in a drawer. It’s a living arrangement that both the EU and U.S. must actively monitor to ensure we keep guard over our high data protection standards.”
When it launched the Privacy Shield in August 2016, the Commission committed to reviewing the Privacy Shield on an annual basis, to assess if it continues to ensure an adequate level of protection for personal data. Today’s report is based on meetings with all relevant U.S. authorities, which took place in Washington mid-September 2017, as well as input from a wide range of stakeholders (including reports from companies and NGOs). Independent data protection authorities from EU Member States also participated in the review.
Overall the report shows that the Privacy Shield continues to ensure an adequate level of protection for the personal data transferred from the EU to participating companies in the U.S. The U.S. authorities have put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield, such as new redress possibilities for EU individuals. Complaint-handling and enforcement procedures have been set up, and cooperation with the European Data protection authorities has been stepped up. The certification process is functioning well – over 2,400 companies have now been certified by the U.S. Department of Commerce. As regards access to personal data by U.S. public authorities for national security purposes, relevant safeguards on the U.S. side remain in place. 
Recommendations to further improve the functioning of the Privacy Shield
The report suggests a number of recommendations to ensure the continued successful functioning of the Privacy Shield. These include:
  • More proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce. The U.S. Department of Commerce should also conduct regular searches for companies making false claims about their participation in the Privacy Shield.
  • More awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield, notably on how to lodge complaints.
  • Closer cooperation between privacy enforcers i.e. the U.S. Department of Commerce, the Federal Trade Commission, and the EU Data Protection Authorities (DPAs), notably to develop guidance for companies and enforcers.
  • Enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the ongoing debate in the U.S. on the reauthorisation and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA).
  • Appointing a permanent Privacy Shield Ombudsperson as soon as possible, and filling the vacant posts on the Privacy and Civil Liberties Oversight Board (PCLOB).
Next Steps
The report will be sent to the European Parliament, the Council, the Article 29 Working Party of Data Protection Authorities and to the U.S. authorities. The Commission will work with the U.S. authorities on the follow-up of its recommendations in the coming months. The Commission will continue to closely monitor the functioning of Privacy Shield framework, including the U.S. authorities’ compliance with their commitments.
Background
The EU-U.S. Privacy Shield decision was adopted on 12 July 2016 and the Privacy Shield framework became operational on 1 August 2016. This framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes as well as bringing legal clarity for businesses relying on transatlantic data transfers.
For instance, when shopping online or using social media in the EU, personal data may be collected in the EU by a branch or business partner of a participating American company, which then transfers it to the U.S. For example, a travel agent in the EU may send names, contact details and credit card numbers to a hotel in the U.S. which has registered with the Privacy Shield.

324,000 Financial Records with CVV Numbers Stolen From A Payment Gateway

Around 324,000 users have likely had their payment records stolen from either payment processor BlueSnap or its customer Regpack; however, neither company has admitted a data breach.

BlueSnap is a payment provider which allows websites to take payments from customers by offering merchant facilities, whereas RegPack is a global online enrollment platform that uses BlueSnap to process the financial transactions for its online enrollments.
The data breach was initially reported on July 10, when a hacker published a link on Twitter, pointing to a file containing roughly 324,000 records allegedly stolen from Waltham, Massachusetts-based BlueSnap.

The tweet has since been deleted, but Australian security expert Troy Hunt kept a copy of the file for later review. After analysing the data, he concluded that the leaked payment records are most likely legitimate.

Payment Card Data Including CVV Codes Leaked


The data contains details of users registered between 10 March 2014 and 20 May 2016 and includes names, email addresses, physical addresses, phone numbers, IP addresses, the last four digits of credit card numbers, even CVV codes, and invoice data containing details of purchases.

According to Hunt, who runs the ‘Have I Been Pwned’ breach notification service, evidence such as file names containing ‘BlueSnap’ and ‘Plimus’ suggests that the data comes from BlueSnap.

Plimus is the original name of BlueSnap, which was rebranded after private equity firm Great Hill Partners acquired it for $115 million in 2011.

However, since Regpack has been using BlueSnap’s payment platform since April 2013, it is also possible that the stolen data came from Regpack.

“We have got 899 totally separate consumers of the Regpack service…who send their data direct to Regpack who pass payment data onto BlueSnap for processing,” Hunt explained in a blog post. 

“Unless I am missing a fundamental piece of the workflow… it looks like accountability almost certainly lies with one of these two parties.”

Whatever the source, the primary concern here is that the financial information of more than 320,000 users is floating around the web.

Although the payment data does not contain full credit card numbers, as Hunt stressed, cyber criminals can still misuse the compromised information, particularly the CVV codes, which are highly valuable payment data because they can be used to conduct “card not present” transactions.

Also, the last four digits of a user’s credit card number can be used for identity verification, which makes them very useful in conducting social engineering attacks.

Hunt contacted BlueSnap as well as Regpack, but both denied suffering a data breach. He has also loaded as many as 105,000 email addresses into Have I Been Pwned, so you can search for your address on the site to check whether you are affected by the breach.

Malaysian data breach sees 46 million phone numbers leaked

A massive data breach has seen the customer data of more than 46 million mobile subscribers in Malaysia leaked on to the dark web.
The leaked information includes mobile numbers, unique phone serial numbers, as well as home addresses.
Personal information from multiple Malaysian public sector and commercial websites was also stolen.
The Malaysian Communications and Multimedia Commission (MCMC) is now investigating.
The data breach was first discovered by Malaysian technology news website Lowyat.net.
The website was informed that someone was trying to sell huge databases of personal details for an undisclosed amount of Bitcoin on its forums.

Stolen data

The individual was trying to sell a huge amount of private customer information from at least 12 Malaysian mobile operators:
  • Maxis
  • DiGi
  • Altel
  • Celcom
  • Enabling Asia
  • Friendimobile
  • MerchantTradeAsia
  • PLDT
  • RedTone
  • TuneTalk
  • Umobile
  • XOX
A huge amount of personal data was also stolen from Jobstreet.com and from the following organisations:
  • Malaysian Medical Council
  • Malaysian Medical Association
  • Academy of Medicine Malaysia
  • Malaysian Housing Loan Applications
  • Malaysian Dental Association
  • National Specialist Register of Malaysia
Lowyat.net says it reported the incident to Malaysia’s communications watchdog on 18 October, and that the MCMC initially made the website take its story down.
However, the MCMC confirmed the data breach a day later in a press statement released on Facebook, and then on Monday confirmed that 46.2 million mobile subscribers were affected by the data breach.

Entire country affected

It is believed that the entire country – Malaysia has a population of 32 million – might have been affected by the breach, as well as foreigners who were on temporary pre-paid mobile phone numbers.
Under Malaysian law, service providers are required to keep customers’ personal data secure, so there will probably be legal repercussions.
Dr Mazlan Ismail, the chief operating officer of the MCMC, told the Malay Mail Online that it had met with all of the country’s telecommunications companies to work out how the data breach had occurred.
“This is to ensure that they understand what is happening now, especially when the police, through the Commercial Crime Investigation Department, visit them to investigate,” said Dr Ismail.
“Communications services cannot escape the security aspects, [service providers] must work together, and safety features are important to gain the trust of consumers.”