Popi arms you against abuse of your personal details

Your personal information is up for grabs, which is why it’s good news that the Protection of Personal Information Bill has finally been signed into law. At a recent meeting of the Acsis/Personal Finance Financial Planning Club, Anna Collard, director of

Weekend Argus (Saturday Edition) - PERSONALFINANCE - ANNA COLLARD

If governments are heavily invested in developing spyware to gather information about their citizens, imagine what cybercrooks are doing to get hold of your personal information and how they might use it.

“Information leaked to the media by Edward Snowden, a former employee of the [United States] National Security Agency, shows that nation states with significant personnel and technical resources at their disposal invest heavily in cyber malware,” says Anna Collard, director of Popcorn Training, a company that promotes awareness about information security.

Snowden has claimed that the US and Israel co-wrote the Stuxnet virus, a worm that targeted Siemens software used to control the operations of nuclear power plants, Collard says.

“It’s believed to have been created to attack Iran’s nuclear facilities in 2010, and apparently infected a nuclear power plant in Russia this year,” she says.

Then in 2011, Duqu surfaced. Also malware thought to be related to Stuxnet, it has been dubbed the “steal everything” virus for its ability to steal just about anything on a computer system, she says.

Like Stuxnet, it would have taken many years and a great deal of resources to develop.

“The developers of these viruses are not your stereotypical young geeks working in their parents’ garages; they’re professionals.”

Organised crime is also in on the action, Collard says. “Cybercrime is much more lucrative than the drug trade,” she says.

Cybercrooks release malware into the market to collect your information so that they can sell it underground, she says.

Personal information is any information that identifies or describes you, Anna Collard says.

The Protection of Personal Information Act defines personal information as “all information relating to an identifiable, living, natural person and juristic person”. All such persons are defined as “data subjects”.

Personal information includes gender, marital status, age, belief, birth date, blood type, identity number, email address, physical address or telephone number.

Your financial, educational, medical and employment history is also deemed to be personal information.

Special personal information is information about your children; religious or philosophical beliefs; race and ethnic origin; trade union membership and political opinions; health; sex life, or criminal record.

Malware (malicious software) is software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. A worm is malware that replicates itself in order to spread to other computers.

“You may have heard of ‘ransomware’. It’s a virus that pops up on your PC as a notice from what appears to be the police or another authority, claiming that you downloaded a movie illegally. You get instructed to pay a fine, and prompted to divulge your banking details.”

Collard says an email address can fetch 10 US cents (R1) and your credit card information, such as your CVV number, could sell for between US$2 and US$15 (R20 to R151), but your bank account with log-in details will go for anything from US$15 to US$850 (R151 to R8 570), depending on the amount in the account. This is according to McAfee’s 2013 cybercrime report.

With enough information, crooks can steal your identity and create fake bank accounts. Apart from being saddled with the debt acquired in your name, you will also need to reclaim your stolen identity, which can be very difficult and expensive, she says.

Malware is not the only means used by crooks to steal your personal information. “Phishing is the most common,” Collard says.

Phishing occurs when you respond to a fraudulent email that appears to be from your bank or a trusted source, but is not. The email induces you to click on a link in the email. A window pops up and you are prompted to enter your confidential banking information on a fraudulent website. This enables fraudsters to glean your account number and passwords.

“Spear phishing, which is a more targeted attack, is also widespread,” Collard says. “They find you online – perhaps on a social media site – and build a profile on you. They send you messages that look legitimate and gather as much of your personal information as possible. They may also target people employed in a human resources or IT department and bribe them into parting with the personal information of employees.”

Collard says that when information is stolen in targeted attacks on a company, this is known as “puddle phishing”.

Crooks also attack you through a “waterhole”, she says. “This is when cybercrooks infect a popular or topical website so that when you go to the site, they look for weaknesses in your browser, and when they find them, trick your browser into downloading and running malware silently to steal your personal information.”

With your personal information so valuable, companies that have legitimate reasons for collecting and storing such information have a responsibility to ensure that it doesn’t fall into the wrong hands.

If this does happen, Collard says that Popi affords you significant protection. The Act will regulate the collection and processing of personal information by both private and public entities. It will impose on them the following principles:

◆ Consent. Companies and public bodies have to obtain your consent to collect, retain and share your personal information.

◆ Notification. You must be informed if information about you is collected.

◆ Purpose. Information must be used only for the lawful and stated purpose.

◆ Access. You, as a data subject, will be allowed access to the information that is kept about you.

◆ Accuracy. The information about you must be accurate.

◆ Safeguard. Companies have to safeguard your personal information. Popi makes this a legal requirement.

◆ Breach of notification. Companies must notify you and the regulator should your personal information be breached.

◆ Accountability. Non-compliant entities can face a fine of up to R10 million or 10 years in jail. Collard says a director or information officer could face 10 years’ imprisonment for obstructing the activities of the regulator, and up to 12 months for other violations of Popi.

The Act applies to all, Collard says, from suppliers to consumers or customers – including members of retirement funds, medical schemes, policyholders and consumers who enter into a home loan or any other credit agreement.

The law also protects “prospects” by regulating how companies can contact you, as a prospective customer. This has far-reaching implications for direct marketers. If you haven’t given the company prior consent, it technically may not use any of your personal information.

“The Consumer Protection Act has an opt-out principle, which says companies can contact you provided you haven’t opted out. But Popi says you have to opt in. In other words, a company may not use your personal information to make contact with you unless you opted in – and gave consent to use your information to communicate with you.”

Collard says that Popi will allow direct marketers to contact you by post only and not electronically – except once to ask you for your consent to collect information.
