A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

July 08, 2019 • Issue 19:07:01

Privacy and social media: a delicate balance

By Dale S. Laszig

In a hyperconnected world of one-click checkouts and same-day deliveries, the race is on to provide seamless, frictionless commerce. Consumers share buying experiences and reviews on social media, encouraging or discouraging others who contemplate similar purchases. Merchants thank positive reviewers and beg critics for a second chance. Service providers bundle reputation management with processing, helping merchants engage with customers in the always-on, virtual marketplace.

And mostly hidden from view, fraudsters package datasets from social media and mobile apps for quick sale on the Dark Web.

Marc Punzirudu, vice president, security consulting services at ControlScan, said consumers sometimes unwittingly expose sensitive data when interacting on social and mobile channels. Criminals can easily defeat typical security questions such as your mother's maiden name, where you attended high school or favorite pet just by looking at your online profile, he stated.

They can scrape your geolocation and time stamps from uploaded photos, unless you modify settings. Armed with publicly available information and open-source intelligence (OSINT), criminals can access online accounts and steal identities. This makes it imperative to understand and properly configure the media platforms you use.

"Facebook and Google don't make money unless they are getting data," he said. "Are your default privacy settings more supportive of you or the organization that uses your data?"

Who owns your data?

"I don't feel I have any privacy when using social media," said Dale Cardarelli, vice president, enterprise sales at Citizens Bank Merchant Services/Worldpay. "We live in an-enter-at-our-own-risk era. Whether I post or my friends post, the world of social media knows who we are."

Cardarelli's daughter, Olivia, is a college co-ed who uses Instagram and Snapchat to keep in touch with friends, relive memories, follow favorite influencers and stay up to date on pop culture. She is careful about what she shares online. Social media platforms "are not safe, and they listen to what you are searching for," she said. "Also, they can see through the camera screen and see what you look like, what you wear and how you style yourself. I keep all of my accounts private; therefore, I keep my own privacy." 

APIs and endpoint technologies can be backdoors for cybercrime, according to security analysts. To illustrate this point, Dan Salmon, a computer science student, scraped 7 million transactions from peer-to-peer payments app Venmo and published the dataset on GitHub in June 2019. Anyone can grab the data, Salmon warned, without even using an API key. "There is some very valuable data here for any attacker conducting OSINT research," he wrote on GitHub.

Sam Bakken, senior product marketing manager at OneSpan, observed that Venmo intentionally made its default settings public to enable users to share their purchase activities. Bakken feels that while users can decide whether their transactions are shared publicly, with friends or not at all, Venmo should default to private settings. He questioned why anyone would want to make their Venmo transactions an open book, as "attackers might potentially find such information valuable as fuel for social engineering schemes or maybe even blackmail."

Pete Philomey, national sales manager at South Seas Data, has transacted on Venmo with friends but said he doesn't get the allure of the app's shared buying experience. "I don't really care that you paid your cleaner $100," he said. "Whatever! I have the app's social shut off because who I pay is my business."

Dimitri Akhrin, president of IRIS CRM, concurred, stating that scrapers sometimes extract and use data in ways that companies didn't intend when they made those sources available. As a Venmo user, he noticed Venmo profiles are public unless users toggle back the settings. Not every user realizes this; consequently, there's a lot of aggregated data floating around, he noted.

Separate true from fake

Akhrin has also seen plenty of fake information on the Internet. "Businesses need to weed out the bad actors behind today's content overload," he said. "When bad information comes in, employees lose time verifying email and phone numbers, attempting to schedule appointments and pursuing fake leads. Two-factor authentication, such as sending a code to a mobile phone, would mitigate many of these issues."

Anybody can submit garbage on a form, and not everyone does it with bad intent, Akhrin noted. People who want to download a report or access a video may enter bogus contact information when prompted to avoid being contacted later. Companies spend a lot of money for these leads, but without using proper validation, they can end up spinning their wheels, he said. A validation process would raise the quality score of the leads.

When customers fill out forms or download ebooks, effective lead generation programs route their details to CRMs, enabling agents to begin working those leads right away, Akhrin said. PCI Level 1 compliant programs can transfer, store and push encrypted data into accounting software and other platforms throughout an enterprise, while also generating real-time reports.

Fail safe, fail secure

"The U.S. is constantly poking at privacy legislation, mostly having to do with opting in and opting out and the right to be forgotten," Punzirudu said. "But there is a lot of information out there. Consumers need to learn about themselves and take ownership of their online accounts."

For example, qualified security assessors and hackers can use OSINT research to scrape up to 30 sites at a time. Simply typing an email address on a search site will confirm if a user ID was used on a site. "I could go online and search for you and see the last two places where you lived," Punzirudu added. "The privacy argument is big, but there's a lot of data that you have little control over."

"Fail safe" describes a feature or practice that responds in a way that will cause no or minimal harm if a specific type of failure occurs. "Fail secure" typically means that if the power is interrupted or fails, the door stays locked. When applied to security, these principles ensure that when something breaks, it doesn't cause harm, Punzirudu stated. Lock your doors to prevent intrusion, but not so securely that you're stuck inside if there's a fire.

Punzirudu proposed the following fail safe/fail secure approaches to protecting consumer and business data:

  1. Be diligent about your online identity. Use tools to spot your Internet impersonators and fake accounts. Delete Me, an online subscription service, removes your information from 150 sources.
  2. Be aware of what's going on around you. Assume someone already is pretending to be you. If you're concerned about physical security, install vehicle dash cams and home surveillance cameras.
  3. Subscribe to a credit bureau or similar service that notifies you when accounts are opened in your name.
  4. Evaluate and protect data. Business owners: if you don't need data, don't accept it. Consumers: stop reusing passwords online and in mobile apps.

Privacy versus sharing

A recent study by Statista found that Instagram, the photo-sharing app owned by Facebook, grew from 800 million users in 2017 to 1 billion in 2018. "The business community has embraced Instagram, Facebook and Twitter as a way to market their wares," Philomey said. "These platforms enable companies to be responsive to their customers. For example, companies react quickly to complaints about their products or services on Twitter."

Philomey pointed out that support reps deal one-on-one with customers by phone but can manage up to 10 people at a time on Twitter. Compared with direct mail campaigns that get one response out of a thousand, social media platforms elicit immediate, measurable responses that are easy for marketers to quantify, he said.

When asked about Facebook's plans to launch the cryptocurrency Libra in 2020, Philomey asked why we need another payment method. "I can use so many P2P services and tap my phone or card or watch at the POS," he said. "What rewards option or value proposition will make Libra a top-of-wallet brand?"

Olivia Cardarelli also wasn't keen to give Libra a try. "I would not use it because I don't want my information out there," she said. "Also, Apple Pay is easy to use. I don't need another place to use money and [share personal details with] other companies."

Dale Cardarelli was more open to the new cryptocurrency, stating, "As long as it works outside of Facebook, I would engage with Libra." While she hasn't used digital currency, she likes Apple Pay, because it eliminates keying in card data. "Anywhere the payment checkout experience can be frictionless, I am all-in," she added.

As social commerce adoption grows, balancing cybersecurity with privacy will be complicated, Punzirudu concluded. Stakeholders must evaluate their data sensitivity and delete or disguise information that would have adverse effects if stolen. "If you don't have the resources to analyze your data inventory, enlist a third party with expertise and get it done the right way," he said. "Large cloud vendors can make things inherently secure by default, but remember that 'cloud' is just someone else's computer." end of article

Dale S. Laszig, senior staff writer at The Green Sheet and managing director at DSL Direct LLC, is a payments industry journalist and content development specialist. She can be reached at dale@dsldirectllc.com and on Twitter at @DSLdirect.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
A Thing