Tuesday, October 17, 2017

“Real” ID


The other day I jumped in a friend’s car for a quick errand. Doing the quick pocket check I noticed that all I had was my cell phone. Oh well, where we were going didn’t require money or identification. If I did need money I could probably use the mobile pay feature. The thought did cross my mind though: “What if I needed to identify myself to authorities?” Would security officers or the police accept the personal contact card on my phone as my identity?

Without a government issued ID isn’t your phone just like a wallet full of credit, library, reward cards, etc.? Lots of stuff with your name on it but no official identification. For the most part I doubt any police officer would accept information about you on a phone in your possession as a positive ID. They’d probably take it into consideration and just do it old school. Get all of the pertinent details and run a computer check to verify your identity.

Driver’s licenses as ID

When automobiles started roaming the countryside they and their operators were unregistered. In 1901 New York was the first state to require automobiles to be registered. Many states followed suit and required licenses for autos but not the drivers. Massachusetts and Missouri required the first personal U.S. driver’s licenses in 1903. Since that time driver’s licenses have been used not only as an affirmation that the state approved the holder to operate an automobile, but also as a form of personal identification.
Since the U.S. has no national identification cards, the driver’s license has filled that void.

Digital driver’s licenses, to be displayed on phones, are being considered in several states, Maryland being one of those. Security and privacy issues are at the forefront of these considerations. In the Apple v FBI standoff we saw how difficult it is for law enforcement to unlock and/or view information on a person’s phone. So until your state adopts a digital driver’s license, using your phone to identify yourself probably wouldn’t be taken as official.

Security? Using your phone is probably a definite no, as you need a government issued photo ID to get into facilities and to travel. Airlines accept digital boarding passes when backed by government issued photo IDs. Even your standard driver’s license is changing. To combat fraud and counterfeits, states have been updating licenses and the way they are issued. Although many states took up the license issue themselves, Congress ensured that all states would have to get on board by passing the REAL ID Act in 2005.

REAL ID Act

The REAL ID Act set the benchmark for personal forms of identification establishing minimum security standards for driver’s license issuance and production. Further, the act prohibited federal agencies like the TSA from accepting driver’s licenses from states that do not meet the standards. The deadline set by the act is January 22, 2018. After that date residents of all states will need a Real ID Act compliant driver’s license or a passport to pass through airport security.

The act requires that driver’s licenses include all the identification features you would assume but also digital photographs, physical security features that prevent tampering or counterfeiting, and machine readable technology (barcodes/magnetic stripes). As the concept of digital driver’s licenses is being studied, the effective date of the REAL ID Act in 2018 will either extend or quash those studies.

A list of REAL ID compliant states can be found on the Department of Homeland Security page, REAL-ID.

While you could probably identify yourself with the contents of your phone it is doubtful you’d get through a serious police encounter. You certainly couldn’t board an airplane. Probably better to add “license” to your pocket checklist.

Read the blog archives for another post about personal identification.
Can I see some ID? February 2014

Monday, October 2, 2017

Backup Safety


There was another report of a family member backing up in the driveway, running over, and killing their own child. When a parent loses a child the pain must be unfathomable. To be the cause through an accident is beyond imagination.

The child safety advocacy group KidsandCars.org reports that over fifty children are backed over every week in the U.S., resulting in an average of 232 fatalities. In 70% of the incidents a parent or close relative is the driver.

When learning to drive we were taught a safety checklist before turning the key. Over the years we become hurried, preoccupied, complacent. We drive the same cars every day. The seat and mirrors are always in the same place. Just start and go. Years of driving experience and familiarity with our surroundings blind us to what is right in front of us. Or behind. The safety checks become forgotten, second nature. Just like you can obscure a motorcycle with your thumb, KidsandCars.org has an interesting example of thirty children standing and sitting behind an SUV, all out of the view of the driver.

Children playing behind vehicles have no idea of the dangers. Bigger SUVs and trucks that have high clearances can create a welcoming, shady, private area for a child to play. Electric and hybrid vehicles exacerbate the hazards, as they create little to no sound.

Children being left in cars are yet another issue that is increasingly in the news. Sometimes it is forgetfulness. Some are purposeful in the sense of “It’s only for a minute”. If casinos are nearby the chances go up. Maryland covers approximately 12,400 square miles with a population of about six million, with six casinos spread throughout the State. According to a March 2017 Baltimore Sun article, Gamblers leave their kids in cars almost everywhere there are casinos, Kidsandcars.org has chronicled more than 300 cases of child abandonment at casinos nationwide since 2000. There have been fourteen incidents of children abandoned outside casinos in Maryland over the last two years.

As responsible adults we need to stop and review our driving habits and preparations. It takes less than a second to check behind your vehicle before getting in. Checking the surrounding area and the interior before getting in the car should be part of a personal security/safety check anyway.


Simple changes to our routines, education and awareness, go a long way. They may literally save a young life.

Monday, September 18, 2017

Is your business ready for wild weather?


FEMA Photo library-Liz Roll

Note: This post was originally published in 2012 and has been updated with current information.

Over the last two weeks Mother Nature has unleashed her fury on the southern U.S. and eastern Mexico with three hurricanes and a major earthquake. As of this posting, two more hurricanes have the potential to strike the Eastern seaboard. Millions have lost homes and businesses. Between hurricanes Harvey and Irma everyone seemed to know at least one person, if not more, directly affected by the storms. Our prayers continue to be uplifted.

When this particular post was written in 2012 the Mid-Atlantic was preparing for another storm as we patiently watched the track of hurricane Sandy. While Sandy made more of an impact farther north, the Mid-Atlantic region had experienced some past wild weather. There were three blizzards in one winter, two back to back. In 2011, there were back to back tropical storms. In 2012, we experienced a derecho storm, with both the derecho type of storm and the name itself being new to the area. Going back to 2003 we all remember the massive flooding associated with Isabel. All of these weather events caused power outages, some for several days or a week plus.

Getting back to business

In 2012, as now, you see businesses staying open as long as possible to service their communities. After the storm they open as quickly as possible to resume operations. Sometimes a business is lost. In addition to ensuring that their family and homes are safe, small business owners must also protect their businesses, which in many cases are their livelihoods.

We become so accustomed to having electricity we forget all that is electric dependent, e.g., gas pumps, ATMs, cash registers and credit card machines, to list a few. We also become complacent as to how dependent our businesses are on electricity.

Power outages are reported in number of customers without power, not business loss. So there is not one source to determine how small businesses suffer. There are few businesses that can operate without power. Depending on your product you may be able to conduct some business with cash transactions. In the current economic climate any business loss is crucial. Add to that the possibility of losing inventory due to damage or loss of refrigeration and small businesses can really be hurt.

Preparation for business restoration

No different than with a home, business owners should prepare for storms and power outages. The logistics of preparing your business for a storm and the loss of power after the storm can be complicated. Having a written plan of action can make the task easier. Take the lessons learned from past outages and make a simple outline. The adage of “being prepared” is true and can significantly reduce either your loss or the time your business is down.

Depending on your location and the type of storm you may need to prepare your facility for flooding. This may include boarding windows, sandbagging, moving inventory and equipment. Your business has many unique facets that have to be examined when developing your plan. Here are a few operational items that should be considered.
  • Purchase generators or ensure generators are in place and operational.
  • Be prepared for cash transactions.
  • What type of telephone system do you use? Newer systems do not work without power or have limited hours of battery backup.
  • What type of security do you have? As with the telephone system, security systems often have only limited hours of backup.
  • Back up computer business files. Sudden and/or prolonged power outages can result in data loss. When complete, store the files offsite.
  • Review insurance policies and coverages annually with your provider. Update as necessary.
  • Make sure insurance and business documents are easy to locate and safe from harm.
  • In the winter, prepare for safe ways to provide heat to your business.  


The biggest mistake business owners can make is not heeding warnings and being caught off guard. We can all learn from the recent storms and past winters’ heavy snows. Having a recovery plan of action to protect your business assets may be some of the cheapest insurance available.

Monday, September 11, 2017

Cleaning Up Your Online Presence


Ever been asked at checkout for your phone number? You haven’t been in the store for a long time, if ever by your recollection, but the clerk wants to know if you’re in the system. You provide a phone number and, surprise, surprise, you are in there! Phone number, name, and address. It’s probably not a retail conspiracy to create a super database of shared data. What it does reveal is how our lives and personal data are intertwined within the world of information.

When information was written on paper there was less of it and it was more fragile. Tear it up, burn it, poof it’s gone. Carbon paper, mimeographs, and copy machines (Younger readers will have to look those up) changed that. Documents were being copied and filed in triplicate. Computers, of course, made it all easier but it wasn’t until the ol’ World Wide Web came along that hiding in plain sight became difficult.

In the old days it was easy to disappear. You simply moved to another town. Started using a new name and slowly built your new persona. As technology progressed information began being stored on computers. Those computers could be accessed for information stored about you, but only for the specific information the entity had stored. Once computers became connected one entity could access another’s information. Then they began sharing information between each other and saving the data locally. The more digitally involved you are the bigger your online presence. As young people enter adulthood they have little to no digital footprint in the context of financial databases. What they do have is a social footprint, more on that later.

Google yourself

Have you ever searched your name? If not, give it a try. You might be surprised what pops up or how many of you are out there. The more you are in the public eye the more information is going to be out there and, thus, the harder it is to clean up your online presence. A regular Joe should have limited occurrences as the result of a search. But even regular Joes can have an online presence depending on their interaction with social sites and images associated with their name. And that is what you need to control.

Information for sale

Think about the seed system of a watermelon. You can take out a portion from the middle, but there are going to be all those strands extending throughout the melon. That is how it is in the digital world. Things truly do live forever on the Internet. You can have a record expunged from a database, but any reference to or sharing of that record in other databases is going to give it new life. Data has become a big commodity. Everything is for sale on the Internet. Data is being collected on every interaction you have on the Internet. The data collected by brick and mortar businesses is sought after. Once government databases went online (real estate, court information, etc.) information brokers snatched up this data. All of this information is bought and sold and resold. The original purveyor of the data may have deleted it but the new entity has it saved and has published it in their own way.

Everyone that has data is looking for revenue sources, especially governments. Data mining companies buy data from phone companies (landline and wireless) and the government (real property and court records). The information is legitimately offered for sale on the Internet through pay sites or resold. Ever get those mailings and wonder how Joe Realtor knows how long you’ve lived in your house and what you can sell it for?

Your Job image

Younger people may not be in databases for real estate or financial institutions but they are using social media and sharing the media. Even someone with little life experience will pop up in a simple Google search, most likely under images. This is what haunts the 20-somethings when they start their job searches. Over the last few years different surveys have revealed that 40% of college admission offices and 40% of HR professionals research social media regarding applicants. Staying aware of your online presence is especially important when trying for a job.

Cleaning up online presence

Your first step should be to stop the flow of information. Review and change your social media privacy settings. Remove information from online shopping and other accounts that are old or unnecessary.

Whether it’s the garage, the basement, or the Internet, before starting any clean up job you have to assess the situation. Start by searching your name and then different variations with your name, town, occupation, and any other identifier that you feel has a strong attachment to your name. I would suggest using Google as it is the most powerful, but using other search engines wouldn’t hurt. You’ll probably get different results.

Make note of the sites in which you pop up and what they are referencing. Find the source of the material you want removed and contact the source directly. Many will want sound reasoning why the post/picture should be removed. You may want to read the company’s privacy statements before you make the call to know where you stand and/or how to make the request.

Even though the source removes the post, once it has been shared it lives on in other sites. You’ll have to track the post’s digital trail and contact those companies as well. The tedious part is finding every link that’s associated with your name and going through the process each time. As with any situation where you are fighting an issue: document, document, document. Keep copious notes of your efforts in case you need to prove your attempts later or make subsequent requests.

After all that you are still going to be able to “find yourself” on government public access sites like real property and courts. People search sites and phone number search sites sell the information you are trying to keep private. Matters of public record like newspaper articles in which you’ve been mentioned are going to pop up.

To get your name removed from marketing lists there are organizations that can help. Similar to the national do not call registry, these services allow consumers to opt out of marketing offers. You would be adding your name to another database, which may be counterproductive to what you’re trying to accomplish, but it does keep marketers from contacting you. Maybe. Who knows if it really works?

One such service is run by the Direct Marketing Association and allows consumers to have their names and addresses removed from direct marketing mailing lists. There is a fee: $2 for 10 years if you register online. The site can be found at www.dmachoice.org. The second removes the consumer from credit card and insurance offers. The service is provided in a joint venture between Experian, Equifax, Innovis, and Transunion. The site can be found at www.optoutprescreen.com.

You won’t be able to eradicate everything. If you’re serious about removing yourself from the Internet you’ll have to have as much as possible redacted. The rest will have to get buried in the voluminous amount of data filling the Internet. The less that is out there the more specific the search will have to be to find you. Not gone but harder to find.

Your personal information may be in myriad retail databases but at least you can try to keep what others read about you to a minimum. You can’t just completely disappear but can clean up your online presence so that you’re not easily searched.


See our blog archive for more posts about online presence.

Monday, August 28, 2017

Ideologies in the workplace


Watching what unfolded in Charlottesville in mid-August I noticed one of the protestors wearing clothing marked with the Verizon logo, their uniform. Later Verizon issued a statement stating that the company in no way supports the white supremacist groups or the hate and bigotry associated with the groups. It may be some time, if at all, before we hear if this person was an actual employee and was disciplined or terminated. Obviously, this person, whether an employee or not, put Verizon in an awkward position.

Publicly representing the company for which one works does limit what an employee can do in their off duty hours. Some businesses have policies specifically stating that employees cannot express political views while representing the company. What the employee does off duty when not representing the company and whether the company can control these activities has come under court scrutiny. Most notably in the use of medical marijuana. (Smoke ‘em if you got ‘em {Marijuana in the workplace})

If an employee is wearing the company uniform and participating in activities that go against the company values, the company may have legal precedent to terminate or discipline the employee. The question that came to mind is what if the employee keeps the off duty activity anonymous? They do not espouse their ideologies at work and are a solid employee/coworker. Somehow their off duty activities are exposed and now the workplace becomes a hostile environment. Are there grounds to terminate that otherwise productive employee?

What are employers’ rights?

Allen Smith, J.D., wrote an excellent article for the Society For Human Resource Management website, Can or Should Employers Fire Employees Who Participate in Hate Groups? Smith reinforces what I have found, that the answer is not clear. When what employees do off duty creeps into the workplace several legal precedents have to be considered before an employee can be fired. Allen Smith makes the following points.
  • No federal law is violated if a worker is fired for being a member of a hate group or verbally expressing beliefs. Courts have rejected KKK members’ claim of religious protection under Title VII of the Civil Rights Act of 1964. Freedom of speech protections under the First Amendment do not apply to private employers.
  • Most states are work at will states, meaning that employees can be terminated for any lawful reason. California, Colorado, New York, and North Dakota have laws protecting workers against being discriminated against while participating in lawful activity outside of work. However, if it becomes known at work that an employee was participating off duty in a hate-based protest, an employer may choose to terminate, basing their action on violations of non harassment policies.
  • When dealing with customers who are offended by an employee’s ideologies, businesses have to consider the impact on the business. If the person continues to be employed will that affect business? Or is firing the employee at the risk of being sued better for the company?

Human resource issues are not cut and dried. Even though similar issues may have arisen in the past, each case must be examined on its own. Always contact an employment law attorney before making termination decisions.

Tuesday, August 22, 2017

Smoke 'em if you got 'em? {Marijuana in the workplace}


Florida recently passed a medical marijuana bill, becoming the twenty-ninth state to do so. State by state the legalization of marijuana for medical purposes is gaining ground. Eight states have decriminalized marijuana, allowing recreational use (Alaska, California, Maine, Massachusetts, Nevada, Oregon, and Washington). However, the drug still remains illegal under Federal law. In fact, it remains a schedule I drug alongside opiates and synthetic drugs. The court battles that were expected with the U.S. Justice Department after Colorado legalized marijuana have not occurred. The chances of employees being high at work are definitely increasing. Businesses are scrambling to adapt.

A survey of 10,000 California cannabis users revealed 58% of working professionals use daily and 31% consume while working. (Eaze Insights) Some businesses not only allow the consumption of marijuana at work, they encourage it. Those that do say that it helps employees with stress and anxiety, promoting longer work days and creativity. These businesses are mainly in the legal cannabis industry or tech fields.

What is at odds are company drug policies and making accommodations for those with disabilities. Companies want to be inclusive but want to maintain standards as well as workplace safety. Medical marijuana users are looking to the Americans with Disabilities Act for protection.

Americans with Disabilities Act

The Americans with Disabilities Act (ADA) was signed into law in 1990. Succinctly, the ADA prohibits employers from discriminating against those who are disabled and requires employers to provide reasonable accommodations to a qualified individual with a disability to perform the essential duties of their job. Illegal drug use is not covered as a disability. However, the ADA does allow for the use of drugs taken under the supervision of a health care professional. Marijuana may be legally prescribed under a state law but remains illegal Federally. Then there’s the Drug Free Workplace Act of 1988 requiring that Federal contractors provide drug free workplaces as a condition of receiving a contract. The ADA states that employers can require employees to conform with the Drug Free Workplace Act. Further, under the ADA drug testing is not considered a medical examination, allowing employers to test for the use of illegal drugs.

With state law in conflict with Federal law regarding the legality of marijuana, tests of the ADA are definitely heading to the courts.

Court challenges

Rights of the employer and the employee vary state by state. As examples: Arizona, Connecticut, Illinois, Minnesota, and New York laws prohibit employers from discriminating against employees who use medical marijuana and require them to make accommodations, some further citing an exception if the employee is under the influence at work. Florida’s recently passed law does not require an employer to accommodate on site medical marijuana use. California passed Proposition 64 in 2016, which allows for the recreational use of marijuana. However, the law protects an employer’s rights to enforce workplace drug policies. Rhode Island’s law protects the employer’s right against accommodations for on site consumption but protects the medical marijuana cardholder against hiring discrimination.

A 2017 Rhode Island court case ruled that employers could not refuse to hire medical marijuana cardholders even though the person would knowingly not pass the employer’s pre employment drug test required of all applicants. (Callaghan v Darlington Fabrics Corp., No. PC-2014-5680, Rhode Island Superior Court, May 23, 2017)

Another twist to the saga is the off site or off duty use of marijuana, which may be legal in the specific state but against company policy. In one of the first court cases of off site medical marijuana use the Colorado Supreme Court heard the case of Coats v Dish Network in 2010. The court upheld the firing of a man who failed an employer random drug test for marijuana use. Briefly, in 2010, Dish Network fired a telephone operator who was also a medical marijuana patient after he failed a random drug test. The employee claimed that he never used marijuana at work nor was he ever impaired while at work. The case was the first to look at whether off duty marijuana use, legal under Colorado state law, is protected by Colorado’s Lawful Off Duty Activities Statute. The statute states that employers cannot fire employees for doing legal activities while not at work. Although medical marijuana use is legal in Colorado, the court ruled that its use is still illegal under Federal law. The ruling supported employer rights to enforce their drug policies. Since this case, courts in California, Oregon, and Washington have also ruled against employees.

The most recent case regarding this issue occurred in July 2017 and went against the employer. In Barbuto v Advantage Sales and Marketing, LLC the Supreme Judicial Court of Massachusetts ruled in favor of an employee’s use of medical marijuana outside of work. The employee claimed that since they have an ADA qualified disability (Crohn’s disease) the employer must make accommodations for the employee to use medical marijuana off duty. The ruling was based on the state’s anti discrimination law. The court rejected the employer’s argument that marijuana is illegal under Federal law and that to allow accommodations would be unreasonable.

Maryland

Maryland is still getting going on its version of medical marijuana. The law was passed in 2013 and took effect in 2016. However, there have been legal challenges to the dispensary licensing process that have slowed implementation. Maryland decriminalized possession of less than 10 grams of marijuana in 2014. Marijuana is still considered illegal but possession of smaller amounts will result in a civil citation rather than arrest. Each year since there have been bills introduced to further decriminalize marijuana. In 2016, a law passed making possession of paraphernalia a civil offense. In 2017, those convicted of marijuana offenses may petition to have their records expunged.

What to do, what to do…

Confused? Don’t feel bad. It’s a tricky topic that is evolving almost monthly. Employers need to have hiring policies as well as policies to guide employees. These policies have to be living documents and open to change. Having employees and dealing with human resource issues is difficult, especially for small businesses. The rules are constantly changing. There will always be challenges to any policy or rule. You have to stay ahead of the curve and aware of what’s taking place.

See the blog archive for other posts regarding workplace discrimination and medical marijuana.
Which came first... February 2017
Ban the Box update August 2016



Tuesday, August 8, 2017

Skimmers


We’re not talking about water bugs, tools to clean your pool, or skipping rocks. These skimmers steal your financial identity. The news had reported that skimmers were discovered on a local gas station’s pumps. This particular station consistently has problems with pump maintenance and just the overall condition of the pumps seems to be “beat up”. It was not a surprise that skimmers had been installed. Not that the owners had any involvement, but meaning that the owners/operators are not paying attention to the condition of the pumps. Or what is going on at the pumps. This station is also known to allow third party vendors to sell their goods on the lot and accost customers at the pumps. Big personal security peeve: do not approach me while I’m using a gas pump or ATM. These little things add up and go back to not being surprised. The condition and environment of a business can be both a deterrent and an invitation to criminals.

Not everyone may know exactly what a skimmer is or the extent of the problem. I thought some background might help us from becoming victims. A little education goes a long way.

Skimmers

So what are skimmers? Credit card skimmers, or skimmers, are electronic devices that are attached to machines with credit card slots, mostly ATMs or gas pumps. The parasite device usually fits over the top of the original slot so that the customer believes they are inserting their card into the machine’s card slot, when in reality the card is swiping through the criminal’s device. The device retrieves the credit card data from the magnetic strip and stores it until the criminal retrieves the device. Newer, more sophisticated devices attach internally to the machine’s card slot or transmit the data via Bluetooth.

Although criminals can make use of debit card information, it is much easier with the associated PIN. To gather this information there will also be a camera attached somewhere to video the customer entering the PIN on the keypad. Or a fake keypad accompanies the slot reader and records the keystrokes. Most times the operation of the machine is not affected. If the machine fails to work, you may have already become a victim.

History of skimmers

The idea of the use of credit card skimmers was mostly urban myth. In the late 1990s, we were just getting used to personal computers, let alone tiny devices that could steal data from a magnetic strip. Nobody believed that such things existed or could work.

The skimmer myth also gained notoriety in restaurants. Wait staff would be issued a small skimming device to carry with them. They covertly slide the card through the device to collect the data from the magnetic strip on the way to the cash register. The device holds all of the data until the end of the shift when they pass off the device and are paid for their efforts. The victims then start seeing charges on their cards.

If you think about it, a restaurant is the only place you hand a stranger your credit card and let them walk out of sight.

Gizmodo.com featured a good 2014 article on skimming history, The Evolution of ATM Skimmers 

Here is a synopsis:
2002: A CBS report confirmed the existence of skimmers when it reported devices that could record the names, account numbers and other identifying information from credit card magnetic stripes.
2008: The Naples Police Department investigated a rudimentary device jammed over an ATM's actual reader. The thief inserted a "micro camera" under a plastic sheet to capture the victims' keypad strokes. This was one of the first times a device had been recovered.
2009: Skimming really took off as the devices, in different shapes and sizes, began being discovered on ATMs.
Over the next few years the technology progressed. The Internet allowed for distribution networks to manufacture devices and kits that were identical to the machine the criminal hoped to crack.
2011: ATM manufacturers began cracking down on skimming by installing anti-skimming devices on their machines. These consisted of translucent, circular casings over the card reader, which the criminals quickly learned to replicate.
2012: Skimmers became too small to be detected, some being paper thin and inserted into the card slot.
2013: Gas pumps became targets. A series of scams in Oklahoma saw thieves take home $400,000 from a chain of Murphy's gas stations before they were eventually caught. The thieves used a card skimmer and fake PIN pad overlay to obtain the necessary information. Even more eye opening, these skimmers used Bluetooth enabled devices that sucked power from the pumps themselves, allowing them to run indefinitely and allowing remote access to the data; once it was installed, the thieves would never need to touch the skimmer again.

How it works

The devices used come in all shapes and sizes. Most fit over the card slot. Some actually are big enough to replace the machine face. The more closely a device resembles the original card slot, the less chance it has of being detected. Home 3D printers are making these deceptions a lot easier. As with everything else electronic, these devices are getting smaller every day. Some skimming devices are so small and thin that they slide inside the card slot itself. Newer devices attach to the internal wiring of the card slot. These are mostly used on gas pumps. How do criminals get inside the pumps, you ask? Universal keys are available that open the pump faces, exposing the card readers. The criminal will have one or more accomplices to block camera/attendant views while they install the device. Victims never know what hit them.

Once collected, the numbers are used in different ways depending on the criminal. Some are sold on the Internet for around $50 apiece (+/-). Some criminals use the collected numbers to make counterfeit cards, which they use to purchase items, usually electronics, for resale (similar to Melissa McCarthy in the movie Identity Thief). The more advanced organizations use the cards to purchase gas. They drive around in specially outfitted passenger vehicles filling up covert gas tanks. This gas is then offloaded into tanker trucks and sold to less than scrupulous gas stations.

There are thousands of iterations of card skimmers. If you’d like to see what they look like just search “credit card skimmers” in Google images.

Protection

Criminals and the technology they use are getting more sophisticated. The Internet provides enough intelligence that consumers can protect themselves. But criminals are sharing information as well. Once law enforcement or consumers defeat one strategy, criminals learn and improve their methods. So what can you do?

Some gas stations are installing seals to cover the seams that hold the payment box. A broken seal is obvious, but multiple seals overlaid is a clue and, of course, enterprising thieves can replicate seals. Another clue can be the condition of the machine in which you are about to slide your card. If the payment box area is not maintained or appears to have been forced open, be wary. Inspect the card slot. Give it a tug. If anything is out of sorts or the slot comes off in your hand, report it to the station and the police.

If your transaction attempt doesn’t work, don’t keep trying. Stop and perform an inspection. The skimmer may be causing a malfunction.

Some habits to get into to help protect your card security:
  • Use pumps/ATMs near attendants. There is less chance they were compromised.
  • Pay inside
  • Pause before you swipe, inspect the card slot, look for the security seal
  • Feel for difficulty inserting or sliding the card
  • Wiggle the slot housing. You don’t have to break it. Criminals aren’t going to install anything that takes time or is permanent
  • Check nearby pumps, compare slots for differences
  • Guard the card number
  • Use Apple/Samsung/Android pay whenever possible
  • Check accounts regularly

Report any suspicions to the business owner, the police, and the issuing bank.

This post focused mainly on gas pumps. Another area of concern is the new style parking meters that allow you to swipe at the meter. Seems like easy targets. Get back to you on those.

Please feel free to share. See the blog archive for more articles on personal security


Wednesday, July 26, 2017

Employee implants



In 1985, Dr. Hannis Stoddard invented an injectable microchip-based pet recovery system. In the last decade Hollywood picked up on the theme by injecting humans with microchips. Who knows what goes on in the secret world of the military and espionage? This week a Wisconsin company made the news when it announced that employees had been offered microchip implants to use as a method for building access and food purchases. This is something that’s happening and is going to change the workplace.

What are Microchips?

Microchips are rice-sized radio frequency identification devices that use passive Near Field Communication (NFC) technology to transmit data when held a few inches away from readers. Passive means that the microchips hold data that the reader recognizes, but the devices cannot receive data. The devices were popularized in the 1990s for recovery use in pets, being injected under the skin in the neck/shoulder area.

The technology was tested for office uses in 1998, when British scientist Kevin Warwick experimented with microchip implants to open doors and switch on lights. The technology has been experimented with since that time for commercial and medical uses with little success or popularity.

In January 2015, the Swedish company Epicenter began offering voluntary implants to its employees. The chips are used as a replacement for magnetic key cards to access secure areas and for use as payment in company stores. For human use in this manner, the microchip is inserted in the fleshy area between the thumb and forefinger. Three Square Market, a Wisconsin technology company, has partnered with the same Swedish company that conducted the inserts for Epicenter and plans on using the technology in the same manner. This is the first time the technology has been used in a broad setting to tag workers.

Microchipping issues

All new technology brings concerns of privacy and security, which begets legal debate and regulation. In this instance the technology also raises religious concerns.

According to the National Conference of State Legislatures, nineteen states have some law referencing microchipping. Five of those states (California, Missouri, North Dakota, Oklahoma, Wisconsin) have specific laws prohibiting the mandatory implantation of microchips. Some states currently use tag/bracelet-based RFID technology to track prisoners. After some recent high-profile escapes there has been legislative debate about using tracking implants on prisoners.

Mark Gasson is a British scientist who is a proponent of enhancing humans through the use of implanted technology. In 2009, Gasson inserted a microchip into his own hand and went on to demonstrate that not only could the device be hacked but could receive a computer virus. This and other experiments raise security concerns. Implanted microchips have the potential to store personal and health data. As with any data storage device, the implants would have to be protected against hacking.

Wearable technology is not new to the workplace. Watch-like and other devices are used to track employees throughout their day. The November 2016 post, Employee monitoring, gave an overview of wearable tech in the workplace. The concerns raised were the legality of employer access to health data as well as monitoring outside of the workplace. With implanted devices the concerns are the same, except in this instance the employee cannot be separated from the monitoring device.

Another issue is a religious concern, with Christians believing that this type of technology is another step closer to the writings in the book of Revelation. The EEOC has ruled in favor of Christian employees in past cases where a company has implemented fingerprint scanning.

The few people I've spoken to have said no way. The Swedish company, Epicenter, has parties celebrating an employee's decision to be implanted. The Wisconsin company, Three Square Market, already has fifty employees agreeing to the implants.

Employers considering this or any type of employee tracking devices should do considerable research. Definitely work with an attorney to develop policies and updates to employee handbooks.
Technology is ever changing our world. Whenever any new piece of technology or approach to employee monitoring is introduced there will be legal issues. How the devices are deployed, what they are used for, how data is collected and stored, and what the data is used for will all present legal challenges.

George Orwell is probably very happy.

Read other posts regarding employee monitoring and privacy. Please feel free to share and like.
Employee monitoring November 2016

Tuesday, July 18, 2017

Frequently Asked Questions



During my time providing investigative services to businesses, the same questions regarding pre-employment screenings and background checks were repeatedly asked. To address those questions, we developed a list of frequently asked questions, which are shared below. I hope this will help answer questions you may have and guide you through the hiring process.

·      What are an employer’s legal obligations?
  • Fair Credit Reporting Act (FCRA). As of October 1, 1997 the FCRA requires that all employers who request background checks for pre-employment screening purposes have written consent from the applicant.
  • Civil Rights Act of 1964, Title VII. Employers cannot reject or fire qualified individuals who have criminal records when the criminal history has no bearing on the individual’s fitness or ability to perform the job.
  • Equal Employment Opportunity Commission (EEOC). The EEOC is clear in its position on employers’ use of criminal background checks for employee hiring and retention: “Using such records as an absolute measure to prevent an individual from being hired could limit the employment opportunities of some protected groups and thus cannot be used in this way.”
  • National Labor Relations Act (NLRA). The Act was enacted in 1935. It allows for the National Labor Relations Board to enforce laws that give employees the right to act together for improved pay and working conditions, even if they are not part of a union.
·      What is a “National” record check?
  • We were always asked to conduct national criminal record checks. This request is difficult to explain because most people’s perception of the criminal justice system is marred by television. Simply put, there is no “national” database that houses criminal records. Records of arrests and adjudications are kept at the local courthouses and county jurisdictions. Conducting a non-law enforcement national background check would be better said as a “nationwide” check. To obtain a thorough picture of a person’s criminal past, all levels of government entities maintaining criminal records should be searched. Read our post "National" record checks, which further explains the subject.
·      If there is no national database, how do you get the most detailed information?
  • Look for companies that search both public and commercial databases within the Federal, State, and County jurisdictions and that analyze the information to ensure the utmost accuracy for your screenings.

·      What is “Ban the box”?
  • Ban the box is a national grassroots movement to remove the question, “Have you ever been convicted of a crime?” from employment applications. Many State and local jurisdictions have passed laws removing the question from government employment applications.

·      What is Bright line hiring?
  • “Bright line” is a clearly defined rule or standard, generally used in law, composed of objective factors, which leaves little or no room for varying interpretation. The purpose of a bright-line rule is to produce predictable and consistent results in its application.
  • A Bright line hiring example would be to not hire someone with a criminal record. Bright line hiring practices are dangerous for any business, as you may have violated the Civil Rights Act of 1964 or EEOC guidelines.
·      Can expunged records be located?
  • Sometimes. The legal term “expunged” has different definitions in different states. Some allow for the records to be sealed and treat the case as if it never happened. Some change the conviction to “dismissed”, but the other details of the case are the same. In Maryland, it means to remove from public inspection.
  • Although records are expunged, they are filed somewhere. Third party vendors purchase data from government entities before records are expunged. They then resell that data. Although records get expunged, they remain active through third party vendors.
·      Why should I do pre-employment checks?
  • Avoid the expense of making a bad hire. Bad hires can cost as much as three times the salary of the job in question.
  • Reduce liability: Putting current employees at risk by placing a violent person in the workplace.
  • Find those with a propensity for violence. Workplace violence has been found to make up 18% of all crime.
  • Reduce workplace accidents.
  • Reduce resume puffing. One-third of resumes have some degree of puffery.
  • Aid the applicant. During the process other names associated with the applicant’s social security number are regularly discovered. This information may help the applicant thwart identity theft.
·      Why can’t I just do checks myself?
  • You can and many do. The Internet is a very powerful tool. The questions are: Do you have time? Do you know where to look? Do you know how to decipher the information you do find? Are you sure you are looking at the correct person?
See our blog archive and topic categories for more on this topic.
FCRwhat? March 2015

Wednesday, July 5, 2017

Public Wi-Fi for dummies


Traveling and staying in a hotel, I started to use the Internet via a smartphone. I paused, thinking data usage might be tight so better use Wi-Fi. Logging into the hotel’s Wi-Fi I paused again, knowing better than to use unsecured public Wi-Fi. Thinking I was only checking the Internet for dining options, it was safe to use public Wi-Fi for that purpose. Then the browser failed to load, with a warning that the server was an unsecure network. Thank you Google or Apple or whoever installed a safety feature to moderate our temptations. The tricky thought occurred to turn off the Wi-Fi, log into the account and then switch on the Wi-Fi. After some research it was revealed that this technique would still leave you vulnerable. After switching the connectivity, your phone (the app or website) would renegotiate the connection. Although this is seamless to the user, your login information would still be exchanged and visible.

I decided to look into the pitfalls and dangers of public Wi-Fi. A simple search returned many articles on public Wi-Fi risks, with lots of experts explaining how easy it is to compromise networks and for unsuspecting users to fall victim. Smartphones, tablets, and laptops have become appendages to our busy Internet-connected lifestyles. Data usage has become the new “minutes” and consumers are looking for ways to save on usage and ultimately money. Public Wi-Fi is a common way to cut back on data usage. However, there is risk to online security.

Risks

Norton reported in 2013 that 68% of people using public Wi-Fi were victims of cyber crime. The Norton Cyber Security Insights Report announced that in 2015 21% of Americans had their email hacked and 12% had their financial data stolen after shopping online. Millennials are a growing victim demographic with 40% falling prey to cyber crime in 2015. Although one of the more tech savvy age groups, Millennials are more open to sharing logons and passwords that compromise their online security.

When you leave the house you are still connected. Whether you login to your accounts via the cellular network or Wi-Fi, nothing is 100% secure. While 4G cellular networks are encrypted and are far, far better than an unsecured public Wi-Fi connection, there have been incidents of cellular networks being hacked, although the effort is usually much greater than most cyber criminals are willing to make. Public Wi-Fi is a much easier target, both due to security weaknesses and the plethora of devices being used on those networks.

Breaches

Most public Wi-Fi breaches are through man-in-the-middle attacks. Hackers place themselves either between two victims or between the user and the app and eavesdrop on the transmissions being sent back and forth. It is important when using apps and websites in public to ensure you are logging into the correct site or app, as hackers can spoof those and trick users into logging into the hacker’s site.

Just because you need a password to login to public Wi-Fi doesn’t mean it is secure. It just means that there is an authentication step before you can access the router. Additionally, the person setting up the Wi-Fi may not have installed all the available security features. The hacker may be logging into the same network as you, giving them access to your transmissions.

When you are browsing, HTTPS is usually a good thing to look for. It means the data transfer between your device and the website is secure on their end. There is still a possibility that you were hacked on your end. It’s like having a phone conversation but you have your phone on speaker.

The most secure networks offer end-to-end encryption. Financial apps usually are encrypted. Most big name apps/browsers/email/social media are probably secure from man-in-the-middle attacks, as the data being exchanged is encrypted; the session can be viewed but not the data. However, we’ve all read about the big guys getting hacked. Better safe than sorry later.

Reduce your risk

Some simple rules to live by while using your mobile devices in public.
  • When using any network that is not your own, consider it unsecure.
  • Never use public Wi-Fi to login to anything that requires a password. After using any network that is not your own it is wise to change passwords.
  • When you do use hotel or public Wi-Fi, make sure you are, in fact, connecting to the hotel's Wi-Fi and not a hacker’s site. Look-alike Wi-Fi signals use names similar to the hotel or business. If you’re not comfortable, ask before logging on.
  • Keep your device OS up to date.
  • Use COMMON SENSE.
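
The look-alike name check from the rules above, as an added example that is not part of the original post: it compares each network name in a scan against the name the hotel gave you and flags near matches. The hotel name, the scan list, the character swap table and the 0.8 threshold are all constructed assumptions.

```python
import difflib
import unicodedata

# Character swaps a look-alike name might use (constructed list, not exhaustive).
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})


def normalize(ssid: str) -> str:
    """Fold a network name to a comparison key: Unicode compatibility form,
    lowercase, common digit/symbol swaps undone, spaces and punctuation dropped."""
    folded = unicodedata.normalize("NFKC", ssid).casefold().translate(SWAPS)
    return "".join(ch for ch in folded if ch.isalnum())


def classify(expected: str, seen: str, threshold: float = 0.8) -> str:
    """Return 'exact', 'lookalike' or 'unrelated' for one scanned name."""
    if seen == expected:
        # A name alone cannot prove who runs the network: a copy with the
        # identical name looks the same here, hence "ask before logging on".
        return "exact"
    key_expected, key_seen = normalize(expected), normalize(seen)
    if not key_seen:
        return "unrelated"
    if key_seen == key_expected:
        return "lookalike"          # differs only in case, spacing or swaps
    if key_expected and key_expected in key_seen:
        return "lookalike"          # expected name with extra words attached
    ratio = difflib.SequenceMatcher(None, key_expected, key_seen).ratio()
    return "lookalike" if ratio >= threshold else "unrelated"


def review_scan(expected: str, scanned: list[str]) -> list[tuple[str, str]]:
    """Classify every name in a scan against the expected one."""
    return [(name, classify(expected, name)) for name in scanned]


# Constructed sample data: the name printed on the hotel key card sleeve
# and the names a phone might list in the lobby.
EXPECTED = "Harborview Hotel Guest"
SCAN = [
    "Harborview Hotel Guest",
    "Harb0rview Hotel Guest",
    "Harborview_Hotel_Guest",
    "Harborview Hotel Guest FREE",
    "Harborview Hotel Gues",
    "\uff28arborview Hotel Guest",   # full-width letter H
    "CoffeeShop-5G",
    "Airport_Free_WiFi",
]

if __name__ == "__main__":
    for name, verdict in review_scan(EXPECTED, SCAN):
        print(f"{verdict:10} {name}")
```

Anything reported as a look-alike is a name to ask the front desk about before joining, not proof of a rogue network.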

Review our blog archive for other articles on cyber security:


Monday, June 19, 2017

License to drone


It’s a bird! It’s a plane! It’s a…a… a drone. That distinctive buzz. That speck of an object in the sky, hovering, but moving slightly side to side. The popularity of flying quad copters or drones has been growing in recent years. Everyone’s heard of their use for package delivery and surveillance, but they are fast becoming popular for small business promotion and as an enjoyable hobby for those interested in remote control flight. As the enthusiasm grows so do sales. The FAA expects the 2.5 million drones sold in 2016 to grow to 13 million by 2020. Commercial operators could purchase another 10 million.

FAA Regulation

Popularity translates to a higher chance of a drone encounter. Drones are being flown in congested areas, which provides the opportunity for interference with air traffic, power lines, buildings, and crowd gatherings. Most of the larger drones have the ability to attach cameras, which brings up the issue of privacy. Congress, state legislatures, and the FAA are scrambling to get a handle on regulating drones without trampling on citizen rights and the hobby level user. To ensure the safe operation of drones with regard to nefarious use and poor decisions, the FAA released Unmanned Aircraft Systems (UAS) regulations in 2015. These rules for drone operation were updated in 2016 and include licensing and registration requirements.

Since the requirement for drone registration, 760,000 hobbyists registered approximately 1.5 million drones. However, the registration rule was recently challenged in court. The rule required hobbyists with drones weighing between 0.55 pounds and 55 pounds to register their drones with the FAA. On May 19, 2017, the U.S. Court of Appeals for Washington, D.C. ruled that the FAA could not make that requirement as it violated the FAA’s own Modernization and Reform Act passed in 2012. The plaintiff successfully argued that the FAA “may not promulgate any rule or regulation regarding a model aircraft”. The FAA is considering its appeal options, one of which is Congress taking action on the issue.

FAA licensing requirements

So, who needs a drone license? First, the difference between recreational and commercial purposes. The FAA defines recreational as flying for enjoyment, not for work, business purposes, or for compensation or hire. If you’re being compensated, the use is probably under the commercial category in the eyes of the FAA.

From the FAA-
Recreational flyers are not required to obtain a pilot certificate but may if desired. If your drone is more than 0.55 pounds it must be registered with the FAA.
Basic operating rules are:
  • Fly at or below 400 feet
  • Keep your UAS within sight
  • Never fly near other aircraft, especially near airports
  • Never fly over groups of people
  • Never fly over stadiums or sports events
  • Never fly near emergency response efforts such as fires
  • Never fly under the influence
  • Be aware of airspace requirements
To fly commercially there are different levels and requirements. Basically, the pilot must be licensed and the drone must be registered.
Commercial pilots:
  • Must be at least 16 years old
  • Must pass an initial aeronautical knowledge test
  • Must be vetted by TSA
Commercial operating requirements:
  • Class G airspace
  • Must keep the aircraft in sight (visual line-of-sight)
  • Must fly under 400 feet
  • Must fly during the day
  • Must fly at or below 100 mph
  • Must yield right of way to manned aircraft
  • Must NOT fly over people
  • Must NOT fly from a moving vehicle

This was a synopsis of FAA requirements. Visit the FAA Unmanned Aircraft Systems (UAS)-FAQ site for complete details.