What is PII (Personally Identifiable Information)

The United States General Services Administration defines PII as

“any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” So, for example, a user’s IP address as used in a communication exchange is classed as PII regardless of whether it may or may not on its own be able to uniquely identify a person.

Why is this important to you:

A company has the obligation to keep your name safe and secure from thieves (crooks, hackers, the bad guys).

Depending on the type of information lost/stolen, an individual may suffer social, economic, or physical harm. If the information lost is sufficient to be exploited by an identity thief, the person can suffer, for example, from a loss of money, damage to credit, a compromise of medical records, threats, and/or harassment. The individual may suffer tremendous losses of time and money to address the damage. Other types of harm that may occur to individuals include denial of government benefits, blackmail, discrimination, and physical harm.

Because of the power of modern re-identification algorithms (aka data science), the absence of PII data does not mean that the remaining data does not identify individuals.

Home devices and your digital data.

NOTE – there is no way I can list every device that collects data in your home. But I’ll list the ones I use. You can add to or delete from your list.

A digital device is one that has memory, via hardware/software. The memory can be local/internal or connect to external services via Wi-Fi, Bluetooth, etc.

Data stored can be all sorts of information, from how often the device is on to what settings it uses. Something simple would be your home thermostat, if it connects to a website or mobile app.

  • My iPhone. Any smart phone.
  • My iPad. Any tablets, game consoles, laptops.
  • AT&T Digital Life – aka my alarm system. Depending on the various components connected to your system, it knows when you are home, how often you leave the house, and commonly used doors and windows.
    • Don’t let your guard down. The alarm system is for my physical wellbeing, which has a digital component, a website and app. So I only have cameras on the outside of the house. I also keep a sticker over the cameras on my Mac, laptop and tablets.
  • AT&T internet and cable TV, and all streaming entertainment (Hulu, Netflix, YouTube). They know when you are watching, how long you are watching, what time you are watching, and the type of device you are using.
    • There are some viewing devices that use voice commands and motion sensors, and would be able to determine when the room is occupied and the activities.
  • My Buick and OnStar. Besides the GPS information (where you go, how often and when), your vehicle’s diagnostics system collects tire pressures and other engine conditions.
  • Alexa (aka Echo). This device is always on and listening. FYI – all requests you make to Alexa are captured in history within the Echo app (accessed online). Echo is an Amazon product, marrying online shopping and at-home activity into an individual’s profile.
  • GoPro and other digital cameras/videos. Time and location are stored in the memory with the photos. A camera that uses 35 mm film may have some memory within the camera software itself.
  • Printers. Did you know that trapped deep in the printer memory is a copy of everything that has been scanned and printed? There is a tiny memory chip that compresses the files to archive. This chip allows the system to recall the last X copies and other fun features.
  • FitBit and other health monitors.
  • Craftsman Garage Opener. Wireless keypad and accessible via mobile app.
  • Roku
  • Wii and other gaming consoles.

That is a good list, considering I claim to be low tech (maybe I’m medium tech). I’m not an early adopter, but I am curious. It takes me time to commit to purchasing a new tech gadget, but I do have a collection of digital devices.

You may have a baby monitor, automatic vacuum, anything that connects to a mobile app, website or router.

Identity theft

With the use of digital data, we expose ourselves to digital identity theft. And it is not just your financial information. Through a couple of (fairly) easy questions a hacker can access your email. And it is not just your email they now have access to; think of how often you have had to retrieve your security password for an account and they sent the link to your email. A password can be just as valuable as a financial account number to a hacker.

HOW MANY TIMES HAS YOUR DIGITAL DATA BEEN EXPOSED?

My corporate credit card number was stolen this week. All is okay, it was a card that only gets used for business expenses and the credit company is issuing me a new number and dealing with the fraudulent charges themselves. Somehow the thief was able to create a new card using my card number. Not totally sure how that works, but it happened. That kind of vulnerability got me thinking, time to beef up my own security…

  1. Change your passwords. If you have been using the same passwords for ‘years’ it is time to upgrade. When you are creating your password think bank security – strong and unique.

There are password managers out there. Some store your passwords in a digital safe. Some help you manage your logins across devices.

LEARN ABOUT TWO FACTOR AUTHENTICATION

2. Monitor your accounts online and offline. Be sure to monitor your account statements. Set up text messaging alerts for high risk accounts.

I personally purchase identity theft monitoring systems. I’ve had my house broken into and my personal laptop stolen. Although the computer itself was password protected, I’m sure if you looked hard enough I had at one time downloaded a financial statement or two, and my email accounts were ‘always’ logged in. I get a monthly update on any activity that uses my identity, such as credit reports.

ON AN ODD NOTE: A friend of mine knows the passwords to her son’s accounts (he is over 21 and graduating from college this spring). I’m guessing he doesn’t know he is being stalked by his own mother. She has access to his Facebook account, both school and personal emails and uses Apple’s Track My iPhone app regularly to know where he is at all times.

It is probably never safe to allow your device to save your password or auto login. But I have to admit I do it; who has time to re-enter this information every day? If your device is lost/stolen it only takes accessing the device to enter/access private sites.

So take a couple of minutes this week to reconsider how you create and save your password and account information. And then create your password strategy:

  1. Create a couple of different passwords to use.
  2. Use two factor authentication when available.
  3. Update your contact details on old accounts.
  4. Delete old accounts not being used.
  5. Spend some time looking at security applications provided by the products you use today.

Yahoo has a process to create an app password that enables a Second Sign-In Verification. Apple has iCloud Keychain. And there are numerous free apps that provide password management tools.

Now go and create a digitally secure world for yourself.

Credit Card Charges – Part I

Balancing your credit card statement

Not many people balance their credit card statements. (Not sure who balances their checkbook today, besides my mom – she says it is therapeutic?!??!) I have always given my credit card statements a quick glance, looking for charges I didn’t make. But recently I met someone who religiously balances his charge statements; in the course of one year, he found approximately $500 in overcharges, not in his favor. (Oh, of course there were some charges that were in his favor – he didn’t bother to correct these.)

So I started watching my credit card charges more carefully. Here are the 3 mistakes I caught in 3 months:


What data should you provide to a retailer at checkout?

It can get tricky getting out of a checkout line. You have to show your ID, the back of the credit card and possibly your loyalty/rewards card. But what information is for your protection and what information is for the retailer’s back-end analysis?

Policies differ by state, and there are vast differences in retailers’ own policies and equipment. So each retailer may require a different process for credit validation, loyalty update or simple enrollment into their loyalty/rewards card.

Here is my recent story that I thought I should share. As a customer I was confused as to the way I was being treated. As a customer data expert I was concerned as to the use of my data. Why was it being captured, how was it being stored/used AND most importantly was I being put at any risk?

I was shopping a couple of days ago at the mall (Somerset in Troy, MI). I was asked for my driver’s license for my transaction using my Macy’s credit card (cashier Shirley). During this time the cashier collected my driver’s license number and entered it into the register. I requested that this information not be captured. She informed me that it was only used to validate I am who I am. After I walked out of the store, I began thinking, validate against what? Macy’s uses my last 4 social and zip code to validate over the phone. And I don’t believe I ever gave Macy’s my driver’s license number (as this is not usually a required piece of information for credit).

I called the call center number on my card and asked (Gerard) the question: how is Macy’s using my driver’s license number? Is it a requirement to use Macy’s credit, and what do they plan on using this for in the future? The call center could not answer any of these questions. I began questioning if there was cause to be alarmed. Did the cashier (Shirley) do something fishy?

So I returned to the store to talk to the store manager (Judy). She was unsure of why this particular transaction required a confirmation with a driver’s license number. She called (I assume the call center) privately. After a short time, she handed me the phone and explained the call center wanted to explain to me Macy’s credit policy. He (Mario) informed me that it is Macy’s policy to have a valid driver’s license number on file to use a Macy’s credit card. When I hung up the phone I asked the store manager if this is true. Does Macy’s require 100% of all Macy’s charge customers to have a valid and updated driver’s license number on Macy’s files in order to use the card? (She could not look me straight in the face) and said if that is what the call center said it must be true. And then said good night, turned her back and walked away.

No one at Macy’s could tell me their policy on collecting, using or storing data. Their call center and store manager were willing to do whatever it took to get me to leave them alone. All the while I was still confused about Macy’s policy, and disturbed that one single company can have so much personal information on one single person.

FYI – my overall experience shopping at Macy’s has been poor, from the credit card payment errors and badly marked prices/signs to poor customer service in the store. On the same note: friendly, smiling faces do not equal great customer experience. Helping the customer is great customer experience. Your staff at Somerset knows how to smile, but not how to help.

Your car, your car’s data and you.

Today’s vehicles are collecting data, whether it is validating that the vehicle is operating to standards, monitoring the drivers’ habits, or providing navigation. Some of this information is required by federal law and some is personal data to help you maintain your vehicle.

DATA REQUIRED BY US LAW

Clean Air Act Amendment 1990:

The EPA requires that all vehicles built after 1996 have On-Board Diagnostics (OBD). Newer vehicles have standardized computer systems (also known as OBDII). These continually monitor the electronic sensors of engines and emission control systems, including the catalytic converter, while the vehicle is being driven to ensure they are working as designed.

Each OBD system is required to collect standard information that provides all current information and a snapshot of the same data taken at the point when the last diagnostic trouble code was set.

National Highway Traffic Safety Administration (NHTSA):

Also collecting driving information is the Event Data Recorder (EDR), similar to an airplane’s black box. The EDR monitors the vehicle’s network of sensors for signs of a crash and stores a few seconds of the data stream, dumping and refreshing the information constantly. The type of information collected in the EDR varies among manufacturers, but it generally includes throttle and brake-pedal position, steering angle, yaw rate (the vehicle’s rotational velocity), speed, and impact-sensor data. This information is saved permanently following an airbag deployment and can be accessed through the OBD-II port by a technician using specialized equipment. No location data is stored in EDR.

EDRs have been used since the 1990s and have recently been standardized by the National Highway Traffic Safety Administration (NHTSA). EDRs are required equipment on all cars beginning in 2013, with the aim of making their data easier to obtain for crash investigations. Lawyers have used this data in court cases to demonstrate driver behavior during an accident.


Non-regulated data from your vehicle

The diagnostics system has actually opened the field to collecting all sorts of vehicle information, allowing each manufacturer to define additional modes for vehicle data collection. A modern car knows where you are, is constantly tracking your driving habits and may even be able to call for help if you have a crash or your airbags deploy.

Though not part of the EPA’s OBD II standard, the diagnostic read-outs used by dealership technicians are also read through the OBD II connector. These service codes show you such things as knock sensor operation, FI pulse width, ignition voltage, individual cylinder misfires, transmission shift points and ABS brake condition. There can be over 300 readings available, depending on the vehicle manufacturer and model. Vehicles vary in the readings they will support. Scanners vary widely in the number of these signals that they can read. Some show just the basic OBD or OBD II signals, others show the full range of service codes.

This is the type of information that can be gathered by auto insurance companies via a ‘dongle’. Think of this as a Fitbit for your car: it measures input, output, distance, etc. With a combination of the OBD and 2-way communication, the system lets companies like OnStar read the data and create reports about the driving history. With the help of a hardware adapter and a mobile app, you can read the vehicle data yourself.

This dongle is connected to your OBD port and records your driving experience: speed, braking habits; it will read any data the vehicle is collecting. It can tell if you are wearing your seat-belt, how many hours the car is driven, what hours it is being used and the locations it visits.

  • Shows real-time data. You can see everything from how fast you’re traveling, how hot your engine is, the voltage of your battery, and a bunch of other information that most people don’t really care about as you drive.
  • Maintains trip history. You can see a history of your trips and all the accompanying data, including how long the trip was and average miles per gallon.

Most navigation systems are separate from a car’s computer. Nowadays manufacturers are adding features to vehicles such as GPS, which can collect your routes and frequently visited locations. Most vehicles have a one-way GPS system streaming to the car. But with the addition of telematics systems in the car (think OnStar), 3rd parties now have the ability to see where you are, your driving speed, and what state your car is in mechanically.

If you think your mobile phone is the only device collecting your location, think again. Your vehicle has the same data collection services as your smartphone (gaming console, smart watch, GoPro camera).

What can you do about the tracking as a new-car buyer? Not much. Pay close attention to the terms in the user agreement for any telematics (cellular connection), and opt out of the service.

The more you know about YOUR DIGITAL DATA the more you can control.

Here is what one OEM says:

We receive information about you through vehicle sales records provided by your dealer and we may obtain, with your consent, data obtained from your vehicle’s Event Data Recorder (“EDR”) as described in your owner’s manual (i.e., how various systems in your vehicle operate, the speed and distance of your vehicle). For additional information about EDR data, please see your owner’s manual. We also may obtain information about you and your vehicle from GM affiliates, GM dealers, GM licensees for consumer merchandise, GM credit card bank partners and other sources such as companies that provide lists of potential vehicle purchasers and current owners, if such companies are permitted to share your information with us pursuant to their privacy statements.

It’s becoming apparent that vehicles also collect a lot of interesting data on drivers themselves, placing their privacy at risk. Senator Markey found that most manufacturers collect data on customers, but often drivers are “not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation”.

Is your social media impacting your credit score?

Your social media posts are now scored to determine if you deserve a good credit score. Yes, I know it sounds like Minority Report, but it is happening today.

It’s no secret that a Facebook post can get you fired from a job or prevent you from getting a job in the future. This all comes back to the first impressions, even if they are driven by social media.

Sharing your life on social media is giving insight to credit companies regarding your willingness to repay any debt. “They say a clean image on Facebook shows customers can be trusted to repay their debt, while certain pictures and posts can show they can’t be trusted.”

“If you look at how many times a person says ‘wasted’ in their profile, it has some value in predicting whether they’re going to repay their debt,” Will Lansing, Chief Executive at credit rating company FICO, told the Financial Times.

See Forbes article: October 23, 2015

Your credit score can cost you money in the long run, with less favorable interest rates on car or home loans. I’m not sure there is a proven theory today that your credit worthiness can be determined by your social media likes/dislikes and posts.

Here’s the bottom line: we all create a lot of digital data, some of it is very personal some of it is fun and entertaining. But if this data is going to be available for companies to determine if you are an ideal employee or if your interest rate should be at a premium, then we as individuals need to know more about our rights and access to this data. These companies include government, retailers, insurance agencies and employers.

If this data is creating $$ for big organizations, then we as owners/creators of this data need to:

  • understand what data is being captured and how it is being used
  • own our individual data – if this data is valuable to companies and being used for/against us – then we should have a solid say in how, where, when this information is passed.

Remember – if the product is free (Twitter, Facebook, etc.) then you are the product (via the data that is created and captured; this can include locations, likes, activities).

Zip Code + Birthday = identification

All you need is a birthdate, a zip code and a gender to go from anonymous to identified. These harmless pieces of information can be enough to find or identify an individual.
Using these 3 pieces of information can uniquely identify 87% of the US population.

  • Our US population is 48% male and 52% female.
  • On the day you were born, there were approximately 11,500 other babies being born that day.
  • There is an average of 10,000 people in each zip code.

So in some very populated cities, such as New York or Chicago, you may find an individual that shares your exact information. (Or if you and your same-sex twin still live together.)
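
An added example, not from the original post: a check a data owner can run before releasing a "de-identified" file, counting how many rows are alone in their birthdate + ZIP + gender group and showing how coarsening those three fields changes that. The records and function names are constructed for illustration.

```python
from collections import Counter, namedtuple
from datetime import date

Row = namedtuple("Row", "dob zip gender diagnosis")

# Constructed sample of a "de-identified" release: names removed, but date of
# birth, ZIP code and gender kept next to a sensitive field. Not real people.
RECORDS = [
    Row(date(1980, 3, 14), "48084", "F", "asthma"),
    Row(date(1980, 3, 14), "48084", "F", "migraine"),
    Row(date(1980, 7, 2), "48083", "F", "diabetes"),
    Row(date(1975, 11, 30), "48084", "M", "asthma"),
    Row(date(1975, 1, 9), "48085", "M", "hypertension"),
    Row(date(1980, 12, 25), "48098", "F", "asthma"),
    Row(date(1975, 6, 18), "48083", "M", "migraine"),
    Row(date(1962, 5, 5), "10001", "M", "diabetes"),
]


def exact(row):
    """The three fields as released: full birthdate, 5-digit ZIP, gender."""
    return (row.dob, row.zip, row.gender)


def coarse(row):
    """Generalized fields: birth year, 3-digit ZIP prefix, gender."""
    return (row.dob.year, row.zip[:3], row.gender)


def audit(rows, key):
    """Return (k, share of rows that are alone in their group).

    k is the size of the smallest group of rows sharing the same key;
    k == 1 means at least one person is singled out by those fields.
    """
    groups = Counter(key(r) for r in rows)
    alone = sum(1 for size in groups.values() if size == 1)
    return min(groups.values()), alone / len(rows)


def suppress_small_groups(rows, key, k):
    """Drop rows whose group has fewer than k members before release."""
    groups = Counter(key(r) for r in rows)
    return [r for r in rows if groups[key(r)] >= k]


if __name__ == "__main__":
    print("as released :", audit(RECORDS, exact))
    print("generalized :", audit(RECORDS, coarse))
    kept = suppress_small_groups(RECORDS, coarse, 2)
    print("after suppression:", len(kept), "rows,", audit(kept, coarse))
```
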

Magnetic strip versus a chip

What’s the difference between the credit card magnetic strip and the new chip?

The magnetic strip contains the exact information used to identify the card (see types of data below). The chip holds a piece of information that it doesn’t share, but that it can use to prove it has that information.

Thus, a magnetic stripe is dumb and can be copied, but since the chip doesn’t give out its secret, a vendor can’t simply copy it when you use it.

The chipped cards will be safer to use than the traditional credit, charge and debit cards that have only the familiar magnetic stripe along the back.

A magnetic stripe says “I’m credit card ABC” when the point of sale asks for the number. With a chip the point of sale says “what is your response to this random value?” and the chip gives a response that the point of sale can validate, but since the next point of sale will use a different random value, the response is useless to a thief.

However, the new payment cards are not as safe as they could be. Chip cards are still vulnerable to online/card-not-present fraud.
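
The replay argument above, as an added example that is not part of the original post: HMAC-SHA256 with a per-card key stands in for the chip's real cryptography, which this page does not describe. The class names, key and card number are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class StripeCard:
    """Static data: every read returns the same value, so a copy is as good as the card."""

    def __init__(self, pan):
        self.pan = pan

    def read(self):
        return self.pan


class ChipCard:
    """Holds a secret it never outputs; it only answers challenges with a MAC."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key

    def respond(self, challenge):
        return hmac.new(self._key, self.pan.encode() + challenge, hashlib.sha256).digest()


class Verifier:
    """Stand-in for the party that validates the chip's response (assumed to hold the card key)."""

    def __init__(self, keys):
        self._keys = keys
        self._pending = set()

    def new_challenge(self):
        challenge = secrets.token_bytes(16)  # fresh random value per purchase
        self._pending.add(challenge)
        return challenge

    def check(self, pan, challenge, response):
        if challenge not in self._pending:  # unknown or already used challenge
            return False
        self._pending.discard(challenge)    # each challenge is accepted once
        expected = hmac.new(self._keys[pan], pan.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    pan = "4111111111111111"  # constructed test-style number, not a real account
    key = secrets.token_bytes(32)
    chip, verifier = ChipCard(pan, key), Verifier({pan: key})

    c1 = verifier.new_challenge()
    r1 = chip.respond(c1)
    genuine = verifier.check(pan, c1, r1)            # real card, fresh challenge

    c2 = verifier.new_challenge()
    old_response = verifier.check(pan, c2, r1)       # recorded response, new challenge
    old_pair = verifier.check(pan, c1, r1)           # recorded challenge and response together

    stripe = StripeCard(pan)
    recorded = stripe.read()
    stripe_copy_identical = recorded == stripe.read()  # nothing distinguishes copy from card
    return genuine, old_response, old_pair, stripe_copy_identical


if __name__ == "__main__":
    print(demo())
```
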

Some of the data stored on your magnetic strip:

  • Primary account number (PAN) — up to 19 characters. Usually, but not always, matches the credit card number printed on the front of the card.
  • Name — 2 to 26 characters
  • Expiration date — four characters in the form YYMM.
  • Service code — three characters

Service code values common in financial cards:

First digit

1: International interchange OK

2: International interchange, use IC (chip) where feasible

5: National interchange only except under bilateral agreement

6: National interchange only except under bilateral agreement, use IC (chip) where feasible

7: No interchange except under bilateral agreement (closed loop)

9: Test

Second digit

0: Normal

2: Contact issuer via online means

4: Contact issuer via online means except under bilateral agreement

Third digit

0: No restrictions, PIN required

1: No restrictions

2: Goods and services only (no cash)

3: ATM only, PIN required

4: Cash only

5: Goods and services only (no cash), PIN required

6: No restrictions, use PIN where feasible

7: Goods and services only (no cash), use PIN where feasible
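
An added example, not part of the original post: a decoder for the fields and service-code values listed above, reading them from a Track 1 (ISO/IEC 7813 format B) record and masking the account number before anything is logged. The sample records are constructed, and the `chip_preferred` and `pin_required` flags are this example's own names.

```python
import re

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Field sizes follow the list above: PAN up to 19 digits, name 2-26 characters,
# four-digit YYMM expiry, three-digit service code.
TRACK1 = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)

INTERCHANGE = {
    "1": "International interchange OK",
    "2": "International interchange, use IC (chip) where feasible",
    "5": "National interchange only except under bilateral agreement",
    "6": "National interchange only except under bilateral agreement, "
         "use IC (chip) where feasible",
    "7": "No interchange except under bilateral agreement (closed loop)",
    "9": "Test",
}
AUTHORIZATION = {
    "0": "Normal",
    "2": "Contact issuer via online means",
    "4": "Contact issuer via online means except under bilateral agreement",
}
SERVICES = {
    "0": "No restrictions, PIN required",
    "1": "No restrictions",
    "2": "Goods and services only (no cash)",
    "3": "ATM only, PIN required",
    "4": "Cash only",
    "5": "Goods and services only (no cash), PIN required",
    "6": "No restrictions, use PIN where feasible",
    "7": "Goods and services only (no cash), use PIN where feasible",
}

# Constructed sample records; the card number is a test-style value.
SAMPLES = [
    "%B4111111111111111^DOE/JANE^30122010000000000?",
    "%B4111111111111111^DOE/JOHN^2905120123?",
]


def mask_pan(pan):
    """Keep the first six and last four digits; the full number never leaves this function."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def decode_track1(raw):
    """Parse one Track 1 record and explain its service code; raise on malformed input."""
    m = TRACK1.match(raw.strip())
    if not m:
        raise ValueError("not a well-formed Track 1 format B record")
    svc = m["svc"]
    return {
        "pan_masked": mask_pan(m["pan"]),
        "expiry_yymm": m["exp"],
        "service_code": svc,
        "interchange": INTERCHANGE.get(svc[0], "unassigned value"),
        "authorization": AUTHORIZATION.get(svc[1], "unassigned value"),
        "services": SERVICES.get(svc[2], "unassigned value"),
        "chip_preferred": svc[0] in "26",   # "use IC (chip) where feasible"
        "pin_required": svc[2] in "035",    # third-digit values that say "PIN required"
    }


if __name__ == "__main__":
    for record in SAMPLES:
        print(decode_track1(record))
```
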

 

 

 

How many times has YOUR DIGITAL DATA been exposed?

The New York Times: How many times has your personal information been exposed to hackers?

The NYT has put together an interactive assessment tool to highlight a problem that a reader may only passively consume.

  • Participants answer a series of questions about jobs they’ve applied for, online services they’ve signed up for, who their health insurance providers have been, and at which retailers they’ve used credit or debit cards.
  • As they do that, the assessment tool dynamically updates a tally of how many times different pieces of the participant’s personal information have been exposed to hackers.

It makes the story come alive — and makes it very personal to each reader.

  • At the end of the assessment, The New York Times gives you links to both the stories they’ve published on each individual hacking and, more importantly, links to the announcements from the companies that were hacked, which often include remediation options for those affected.