New FBI Warning Highlights Latest Ways Cyber Thieves Steal Your Identity and Money – and How You Can Stop Them

The FBI is issuing a new warning that cybercriminals are now focusing on impersonating employee self-service websites – such as payroll services, unemployment programs, and health savings accounts – with the goal of stealing your money through fraudulent wire payments or redirecting payments. You might notice your service’s website on an ad, or find it in an email or a link, without noticing the slight difference in the URL that marks it as a digital clone. Such a scam site will ask you for your credentials to gain access. A self-described representative from a bank or some other service may call you to “confirm” your one-time passcode. Don’t fall for it. The FBI recommends that you take the following precautions:
Skip Sanzeri, a strategic advisor at iValt, surveys in Forbes all the reasons that you are probably insufficiently paranoid about being cleaned out by a cyber thief. “Thanks to ever-increasing online access and connectivity, AI, and quantum computing, it is increasingly difficult for legitimate businesses and sites to know the true identity of users accessing their systems. Think in terms of deepfakes, where video and audio can be created to mimic the real user. And since our daily activities, thoughts and preferences are tracked and stored, data is available everywhere on all of us. Any person or system from anywhere in the world can access nearly any information on government or corporate systems due to our pervasive use of the Internet, leading to predictions from groups like Forrester that cybercrime could cost up to $12 trillion this year alone.” Sanzeri concludes that the current system, which relies on passwords, logins, two-factor identification and even tokens, is not enough. He suggests a deeper reliance on biometrics, machine ID (mobile phones and other devices for authentication), geofencing your location, and “time-bounding,” in which you limit your access to, say, a payroll or brokerage account to a specific time, every time. All of these practices add one more data point for cybercriminals to have to know in order to be a convincing impersonator. Of course, biometrics and geofencing come at a cost to your privacy. And with advances in computing, it won’t be long before cybercriminals learn to use those as well. The dispiriting reality is that there is no way to seal off all possibility of fraud. This is a never-ending footrace between consumers and cybercriminals. But if you take every precaution, the odds are you will not be the next mark.

Sen. Rand Paul (R-KY) celebrated the termination of the “Quiet Skies” surveillance program in which U.S. Marshals posed as airline passengers to shadow targets.
This $200 million a year program did not, according to the Department of Homeland Security, stop a single terrorist attack. But, in the words of Sen. Paul in The American Conservative, it “was an unconstitutional dystopian nightmare.” Sen. Paul writes: “According to Department of Homeland Security documents I obtained, former Congresswoman and now Director of National Intelligence Tulsi Gabbard was surveilled under the program while flying domestically in 2024. Federal Air Marshals were assigned to monitor Gabbard and report back on their observations including her appearance, whether she used electronics, and whether she seemed ‘abnormally aware’ of her surroundings. She wasn’t suspected of terrorism. She wasn’t flagged by law enforcement. Her only crime was being a vocal critic of the administration. What an insanely invasive program – the gall of Big Brother actually spying on a former congresswoman. It’s an outrageous abuse of power … “And perhaps the most absurd of all, the wife of a Federal Air Marshal was labeled a ‘domestic terrorist’ after attending a political rally. She had a documented disability and no criminal record. Still, she was placed under Special Mission Coverage and tracked on commercial flights – even when accompanied by her husband, who is himself a trained federal law enforcement officer. She remained on the watchlist for more than three years. To make matters worse, this case resulted in the diversion of an Air Marshal from a high-risk international mission ... “Liberty and security are not mutually exclusive. When government hides behind secrecy to justify surveillance of its own people, it has gone too far.”

Sen. Ron Wyden (D-OR) informed his Senate colleagues Wednesday that “until recently, Senators have been kept in the dark about executive branch surveillance of Senate phones.” AT&T, Verizon, and T-Mobile failed to meet contractual obligations to disclose such surveillance to the Senate Sergeant at Arms. Sen.
Wyden wrote in a letter to his colleagues that their campaign and personal phones, on which official business can be conducted under Senate rules, are not covered by this provision. He called these phones “incredibly juicy targets.” Sen. Wyden recommended that his colleagues switch their campaign and personal phones to providers willing to make such disclosures. The purpose of such surveillance might be to protect senators from cyber threats and foreign intelligence, but this is far from clear. For example, Sen. Wyden outlined two breaches that occurred last year, one foreign and one domestic. In the Salt Typhoon hack, Chinese intelligence intercepted the communications of specific senators and their senior staff. The other breach came from the U.S. Department of Justice, which conducted a leak investigation by collecting phone records of Senate staff, including national security advisors to leadership, as well as staff from the Intelligence and Judiciary Committees. Democrats and Republicans were targeted in equal numbers. Sen. Wyden wrote: “Together, these incidents highlight the vulnerability of Senate communications to foreign adversaries, but also to surveillance by federal, state, and local law enforcement. Executive branch surveillance poses a significant threat to the Senate’s independence and the foundational principle of separation of powers … This kind of unchecked surveillance can chill critical oversight activities, undermine confidential communications essential for legislative deliberations, and ultimately erode the legislative branch’s co-equal status.” Perhaps we have, as Elvis sang, suspicious minds. But we find it odd that three major telecoms would all fail to meet their disclosure obligations in a contract with the U.S. Senate unless they were encouraged to do so.
Writer Alex Klaushofer reports on a perfectly ordinary development in surveillance – the installation of cameras in the UK’s Sainsbury’s grocery store chain to ensure that every customer checks every item. This prompted Klaushofer to think back to her experience in Albania, which is still dealing with the psychological toll of its communist past when one in three people in the capital worked for the secret police. She writes in the British Spectator: “The poverty and under-development of Albania thirty years after the collapse of the regime were obvious to me. But I was puzzled by the behavior of some of the Albanians I got to know; there was a guardedness and often an indirect way of talking. Then Ana Stakaj, women’s program manager for the Mary Ward Loreto Foundation, explained the psychological effects of surveillance and it started to make sense. “‘Fear, and poverty and isolation closed the mind, causing it to go in a circle and malfunction,’ she told me. ‘In communism, people were forced even to spy on their brother, and the wife on their husband. So they learned to keep things private and secret, especially thoughts: your thoughts are always secret.’ “I wonder whether we’ve learnt the lessons offered by the authoritarian regimes of the last century: or the living lesson provided by China’s tech-authoritarianism. Do we really understand where using all this new technology so freely is taking us?”

Rep. Anna Paulina Luna (R-FL) recently introduced the American Privacy Restoration Act, which would fully repeal the USA Patriot Act, the surveillance law hurriedly passed in 2001 shortly after the 9/11 attacks. Rep. Luna declared: “For over two decades, rogue actors within our U.S. intelligence agencies have used the Patriot Act to create the most sophisticated, unaccountable surveillance apparatus in the Western world. My legislation will strip the deep state of these tools and protect every American’s Fourth Amendment right against unreasonable searches and seizures.
It’s past time to rein in our intelligence agencies and restore the right to privacy. Anyone trying to convince you otherwise is using ‘security’ as an excuse to erode your freedom.” What is so wrong about the Patriot Act? Judge Andrew Napolitano spells it out in a recent piece in The Washington Times. Judge Napolitano writes: “Among the lesser-known holes in the Constitution cut by the Patriot Act in 2001 was the destruction of the ‘wall’ between federal law enforcement and federal spies. The wall was erected in the Federal Intelligence Surveillance Act of 1978, which statutorily limited all federal domestic spying to that which the Foreign Intelligence Surveillance Court authorized. “The wall was intended to prevent law enforcement from accessing and using data gathered by America’s domestic spying agencies … “In the last year of the Biden Administration, the FBI admitted that during the first Trump Administration, it intentionally used the CIA and the National Security Agency to spy on Americans about whom the FBI was interested but as to whom it had neither probable cause of crime nor even articulable suspicion of criminal behavior …” Even if Rep. Luna’s bill to repeal the Patriot Act does not pass, reform is still possible. Judge Napolitano writes: “With a phone call, President Trump, who was personally victimized by this domestic spying 10 years ago, can stop all domestic spying without search warrants. He can re-erect the wall between spying and law enforcement.”

With the passing of Pope Francis, it seems appropriate to reflect on his statements regarding surveillance, privacy, and human rights. In his 2024 World Day of Peace message, the pontiff declared:
The whole essay is worthy of our attention. It contains frank criticisms of the breakneck development of AI, as well as an important acknowledgement of China’s insidious “social credit” system, whereby its citizens are monitored and their behaviors graded. Pope Francis himself had sufficient reason to be wary of surveillance states. Just a few weeks ago, the Vatican revealed that several of the pontiff’s senior aides discovered that foreign spy agencies had infected their smartphones with Pegasus spyware.

Harvard fellow Timothy Massad recently told Congress that policymakers need to “creatively rethink” how to fold cryptocurrencies into the surveillance of the Bank Secrecy Act and its reporting requirements of customers’ transactions to the government. Nicholas Anthony in a Cato blog notes: “The problem dates back to the 1970s. The Supreme Court dealt a major blow to privacy with what is now commonly called the third-party doctrine. In short, the court held that so long as a third party is involved (e.g., a bank or credit union), customer records are not protected by the Fourth Amendment. However, to the extent third parties are not present, the Fourth Amendment should still apply. “This detail is important because there is no third party involved if a cryptocurrency is decentralized and exchanged with a self-hosted wallet. Given that Supreme Court justices have expressed concern over their original considerations of both the Bank Secrecy Act’s reporting requirements and the third-party doctrine, it’s hard to imagine how surveilling of transactions between two individuals without a warrant does not run afoul of the protections guaranteed by the Fourth Amendment. “It may seem like a fine line, but Congress should keep this distinction in mind. Financial surveillance should be pared back, not extended further. And in the end, that means strengthening financial privacy for both traditional finance and emerging finance, alike.”

United States v. Hasbajrami

As we reported earlier this year, Judge LaShann DeArchy Hall of the U.S. District Court for the Eastern District of New York ruled that when the government searches for the communications of U.S. persons in data collected under FISA Section 702 authority, such searches are subject to the Fourth Amendment. Such searches must either be conducted after the issuance of a warrant, or meet stringent exceptions to the warrant requirement. Here is a declassified version of Judge Hall’s ruling. In a recent piece in Just Security, David Aaron, Noah Chauvin, and Courtney Otto explore the implications of this ruling for the Second Circuit and the FISA Court. They also explore the impact Judge Hall’s ruling is likely to have in Washington, D.C. “The opinion will likely also be viewed as significant in the halls of Congress, which must decide by April 2026 whether and in what form to reauthorize Section 702. During the last round of reauthorization, an amendment requiring a warrant for U.S. person queries failed in the House by a tie vote (A modified version of the amendment was voted down in the Senate by a wider margin). A key theme in the resistance to the warrant requirement, both inside and outside of Congress, was that no court to reach the merits of the issue had ever ruled that warrantless U.S. person queries violated the Fourth Amendment. Now that is no longer the case, members will face more pressure to impose a warrant requirement by statute.” Let us hope that many Members of Congress will look to Judge Hall’s bold declaration in favor of the Constitution to take a bold step of their own – to require warrants before Section 702 data can be used to spy on Americans.

A letter released earlier this week from dozens of former high-ranking intelligence officials, including former National Security Advisor Robert C.
O’Brien and acting Director of National Intelligence (DNI) Richard Grenell, made the case for Senate confirmation of Tulsi Gabbard to be the next DNI. They wrote: “Her service as DNI will begin undoing the gross politicization that has come to characterize intelligence bureaucracies, which has been to the great detriment of the freedom and security of the United States and its citizens. “Lt. Col. Gabbard’s experience more than qualifies her for this important position. A military officer with more than 20 years of honorable service, she undertook multiple combat deployments and risked her life in defense of the United States. In Congress, she served on numerous national security committees and was an outspoken champion for America’s warriors and for our cherished constitutional freedoms. In both these roles, she experienced first-hand how intelligence, when used as intended, provides critical support to America’s military and political leaders.” They concluded that Tulsi Gabbard has “the integrity, and moral courage, to restore objectivity and professionalism to the nation’s intelligence agencies.”

Gene Schaerr, PPSA general counsel, details in The Washington Examiner how the National Security Agency is stonewalling our Freedom of Information Act (FOIA) request for records showing how much money that agency spent to acquire Americans’ digital data, the size of the datasets purchased, and the sources of this data.
PPSA is now suing because the NSA issued a Glomar response, a rule that allows the government to refuse to disclose “the existence or non-existence of the requested information.” Schaerr writes: “This is a judicially created doctrine first issued when a Los Angeles Times reporter broke a story in the mid-1970s that the CIA had retrieved chunks of a sunken Soviet nuclear submarine using a bespoke crane ship, the Glomar Explorer … our filing doesn’t concern a secret CIA program to recover a Soviet submarine with cryptographic machines and nuclear-tipped torpedoes. We seek topline facts the American people and Congress should know – how much is NSA spending on collecting Americans’ personal information, and who is selling it to them?” Americans deserve to know the basics of the government’s collection and warrantless inspection of our most personal and intimate data. PPSA urges the 119th Congress to hold hearings to examine how the unrestrained use of the judge-created Glomar doctrine is killing a law, the Freedom of Information Act, meant to shed light on government operations.

A suspicious husband or wife can now examine the route history of a family car or the location data of a smartphone to track a spouse’s movements. We tend to think of location history surveillance as a uniquely 21st century form of snooping. In an amusing article in the MIT Press Reader, Dartmouth scholar Jacqueline D. Wernimont writes that such surveillance is older than we think. For example, The Hartford Daily Courant in 1879 reported: “A Boston wife softly attached a pedometer to her husband when, after supper, he started to ‘go down to the office and balance the books.’ On his return, fifteen miles of walking were recorded. He had been stepping around a billiard table all evening.” In a twist worthy of today’s spy agencies, Wernimont also reports that a U.S. admiral in 1895 gave junior watch officers common pocket watches with pedometers hidden inside.
The results showed that the ensigns had been asleep or resting most of the night. A night watchman at a railroad yard was given a pedometer to track his movements. It was later discovered that the night watchman evaded his responsibilities by sleeping while the pedometer was attached to a moving piston rod. The use of pedometers was an early precursor of surveillance tools used today by employers to track the movements, browsing, communications, and daily routines of their workers. Wernimont writes: “As the pedometer became a vector for surveillance by those in power, people who were able quickly developed hacks designed to frustrate such efforts.” The problem with modern technology is that it is much harder to thwart, or even anticipate when and how one is being watched. No piston rod will save us.

Ever have the uncanny feeling that as soon as you voice an interest in a consumer item – a vacation destination, a tie or a scarf, an exotic coffee – an ad for that very item appears in your social media feed? Are our phones listening to us and reporting what we say in private conversations to advertisers? The Electronic Frontier Foundation explores this question in this short video along with a factsheet. While EFF says our phones are probably not listening to us, the mechanisms behind this phenomenon of coincidental ads are no less disturbing: As EFF observes, it isn’t just advertisers that are buying our digital lives from data brokers. The federal government is also buying this same intrusive data gleaned from our social media interests and apps. This is the worst violation of our privacy, one that comes from a federal government that has the power to raid our homes and charge us with crimes on the basis of personal information acquired without a warrant. All the more reason to urge your U.S. Senators to follow the example of the U.S.
House of Representatives and pass The Fourth Amendment Is Not For Sale Act, which would require federal intelligence and law enforcement agencies to obtain probable cause warrants – as required by the U.S. Constitution – before examining our purchased data.

Supreme Court Justice Oliver Wendell Holmes observed that anyone “who respects the spirit as well as the letter of the Fourth Amendment would be loath to believe that Congress intended to authorize one of its subordinate agencies to sweep all our traditions into the fire to direct fishing expeditions into private papers on the possibility that they may disclose evidence of crime.” A century after Justice Holmes delivered that warning, the U.S. Securities and Exchange Commission is doing just that. This agency is methodically sweeping all our traditions into the fire to direct fishing expeditions that treat every investor as a criminal suspect. The good news is that the constitutionality of the SEC’s program is on trial in a case now before a federal judge in Waco, Texas. Here’s the background: Historically, when the SEC has suspected someone of insider trading, it had to issue an investigative subpoena. Then in 2010, the market suffered the “flash crash” – a trillion-dollar decline caused by technical glitches that lasted for 36 minutes. The SEC responded to this technical glitch by proposing Rule 613, which established the Consolidated Audit Trail (CAT), a database that collects not just investors’ trades, but also their personally identifiable information. This “solution” had nothing to do with the crash, but it perfectly illustrates former Chicago Mayor Rahm Emanuel’s dictum that “you never want a serious crisis to go to waste.” Rule 613 requires self-regulatory organizations, like private stock exchanges, to collect every detail about trades in securities on a U.S. exchange.
It also includes confidential data on more than 100 million private investors, making it the largest database outside of the National Security Agency. This database includes investors’ names, dates of birth, taxpayer identification numbers, Social Security numbers, and more. Now two Texas investors, in affiliation with the National Center for Public Policy Research, are suing the SEC for this massive violation of privacy. Their lawsuit, represented by the New Civil Liberties Alliance, could be required reading for law students seeking to understand the application of our constitutional rights, beginning with the Fourth Amendment. This lawsuit makes the case:
The lawsuit makes a convincing case that the U.S. Supreme Court’s 2018 Carpenter decision – which held that the government violates the Fourth Amendment whenever it seeks a suspect’s cellphone location history without a warrant – should make this case against CAT a slam-dunk. After all, the plaintiffs assert that unlike the issue in Carpenter, “with Rule 613 SEC does not need an investigative predicate, much less a court order, to obtain and analyze private information, nor is the information limited to any particular person or time frame.” Even if a federal judge declares CAT to be unconstitutional, however, it will only strike down one of many intrusive violations of Americans’ financial privacy by federal agencies. These include a new requirement of all business owners to file “beneficial ownership” forms, for which any American business owner can face two years in prison for a clerical mistake, and the U.S. Treasury’s Financial Crimes Enforcement Network’s snooping into Americans’ financial transactions with the coerced cooperation of 650 private financial institutions. Once the election is over, Congress should pass the “Protecting Investors’ Personally Identifiable Information Act,” introduced by Sen. John Kennedy (R-LA) and Rep. Barry Loudermilk (R-GA), which would allow the SEC to obtain personally identifiable information only by requesting it on a case-by-case basis. As the risks of the SEC’s reckless program become clearer, more Members of Congress should embrace another Holmes dictum: “State interference is an evil, where it cannot be shown to be a good.”

The Securities and Exchange Commission is tracking the 61 percent of Americans who buy and sell stocks, from the trades they make to their personal identifying information. Some 3,000 SEC bureaucrats now have ready access to a database called the Consolidated Audit Trail, which contains every single stock in the United States.
Marc Wheat of Advancing American Freedom in The Washington Examiner writes: “The database is a disaster for the privacy of millions of people. In terms of the amount of information collected, only the National Security Agency’s data-collection program is larger, and that database is not focused on people. What is worse, these types of databases are not secure. In 2016, hackers made off with over $4 million by trading on at least 157 nonpublic earnings releases from the SEC’s very own Electronic Data Gathering, Analysis, and Retrieval system. “A commission that cannot protect a filing system that processes 1.7 million filings every year cannot be trusted to maintain the security of what will likely become a 100 million data point database. It is only a matter of time before it is breached, leaking people’s personal information to nefarious actors.”

Larry Ellison, the founder of Oracle, said thanks to AI-enabled public surveillance, “citizens will be on their best behavior because we are constantly recording and reporting everything that’s going on.” Matthew Guariglia and Lisa Femia of the Electronic Frontier Foundation push back on the common sentiment from surveillance advocates that you are wrong to have an expectation of privacy when you go about in public.
“Today’s technology can effortlessly track your location over time, collect sensitive intimate information about you, keep a retrospective record of this data that may be stored for months, years, or indefinitely. This data can be collected for any purpose, or even for none at all. And taken in the aggregate, this data can paint a detailed picture of your daily life – a picture that is more cheaply and easily accessed by the government than ever before. “Because of this, we’re at risk of exposing more information about ourselves in public than we were in decades past. This, in turn, affects how we think about privacy in public. While your expectation of privacy is certainly different in public than it would be in your private home, there is no legal rule that says you lose all expectation of privacy whenever you’re in a public place.” In fact, EFF notes that in the 2018 landmark Supreme Court opinion in Carpenter v. United States, the Court wished to preserve “the degree of privacy against government that existed when the Fourth Amendment was adopted.”

Neil C. Hughes has a compelling piece in cybernews.com describing an Orwellian reality that, unfortunately, is not a matter of science-fiction. It is already part of our daily lives. Hughes writes:
“The constant tracking from our devices, websites, social media platforms, CCTV, and even your employer might be leaving you feeling like you are trapped inside a personalized version of The Truman Show.” At home, images and data from digital assistants, Ring Doorbell surveillance partnered with police departments, smart appliances, heart rate monitors, and even washing machines produce information that “could be used against you by digital forensics teams should you find yourself accused of a crime.” At work, you are tracked by productivity tools, and on the streets by cameras and facial recognition. Banks monitor our “every transaction to monitor for fraud or money laundering.” Hughes adds: “After you finally return home and collapse in your favorite chair to unwind, you are not necessarily paranoid if you question whether you’re watching your TV or if it’s watching you. Some new smart TVs have cameras typically hidden in a bezel at the top of the TV screen, leaving many to think there is nowhere to hide from the watchful eye of cameras and algorithms.”

Are the Charges Against Telegram CEO Pavel Durov Meant to Lead the World to Outlaw Encryption?
9/3/2024

For days after the arrest of Telegram CEO Pavel Durov by French authorities at Le Bourget Airport near Paris, the world civil liberties community held back.
The impulse to rush to the defense of a Russian dissident/entrepreneur was almost overwhelming. Durov had refined his skills with the creation of VK, a social media website that allowed dissidents, opposition politicians, and Ukrainian protesters to evade Vladimir Putin’s emerging surveillance state as late as 2014. After Durov fled Russia with his brother Nikolai, they created the encrypted messenger service Telegram, which allows users not only to communicate in secrecy, but to also set their messages to disappear. Across Asia, Africa, Latin America, and our own country, Telegram enables dissidents, journalists, and people in fear of cartels or abusive spouses to communicate without making themselves vulnerable. So civil libertarians were naturally poised to rush to Durov’s defense. But they didn’t. There was the matter of the 12 charges approved by a French judge this week, including “complicity” in crimes such as aiding in the distribution of international narcotics and child sex abuse material. The many devils in this case lurk in its many details, some of which are far from well understood. At this point, however, we can at least pose preliminary questions. Some answers must come from the French government. Some must come from every person who cares about privacy, including the almost 1 billion users of Telegram.
We can already highlight at least one aspect of this case that should concern civil libertarians and free speech advocates around the world. Thanks to an insightful analysis by Kevin Collier and Rob Wile in Slate, we know that two of the 12 charges involve a purported obligation of providers of cryptological services to require their users to register with their real identities. Another count declares it a crime to import such an encrypted service “without prior declaration.” Collier and Wile write that this latter provision, which at first sounds like a matter of bureaucratic form-filling, actually implies that “France sees the use of internationally based, unregulated ‘encryption’ service as a crime all its own.” If so, will France get away with criminalizing private encryption services? And if that happens, might this become EU policy? We are already seeing Europe employ illiberal interpretations of the recently enacted Digital Services Act. The EU’s top digital regulator, Thierry Breton, threatened X with legal action if it ran Elon Musk’s full interview with Donald Trump. While Breton’s threat was later disowned by his boss, EU President Ursula von der Leyen, it was still breathtaking to see in Europe today that a powerful regulator believes the European public would be well served by censoring the words of a major party nominee to lead the United States. It is not a stretch to imagine such people also wanting to stamp out private communications. Is France now using possibly legitimate charges about Telegram’s operation to undermine the very idea of encryption? Everyone who cares about privacy should watch how this case unfolds. After all, thanks to Telegram, we know that there are at least one billion of us.

Nafees Syed and Kamel El Hilali, fellows at the Information Society Project at Yale Law School, wrote in CNN.com:
“The Reforming Intelligence and Securing America Act (RISAA) passed by Congress last month did anything but reform a system that subjects Americans to unconstitutional government surveillance … “While the law includes exemptions for some public facilities, such as restaurants and community centers, the number of businesses and entities that offer a Wi-Fi connection means that intelligence agencies may compel places such as airports, train stations, transport companies (trains, subways, buses) and shopping malls to convey their customers’ communications data to intelligence agencies upon presentation of a directive requiring them to cooperate. “This provision transforms a law intended to target non-US persons abroad into a domestic surveillance tool.”