Newsletter 10/25/2024 If you find this article of value, please help keep the blog going by making a contribution at GoFundMe or Paypal



 

How the National Public Data Breach Can Actually Harm You
Along With Other Innovations in Cyber Crime

1.  Introduction

I have not posted to this blog since August 23, 2024, wherein I reported on the National Public Data Breach.  The reason for that is best summed up by the opening lyrics to The Grateful Dead song, "New Speedway Boogie."  This little ditty is ostensibly about the fateful Altamont Speedway Free Festival of December 6, 1969.  Among all the horrible facts of that day was that a man by the name of Meredith Hunter was murdered by Hell's Angels.

The opening two lines of New Speedway Boogie are:

Please don't dominate the rap, Jack
If you've got nothing new to say

Those two lines sum up well my own feelings about this blog and my writing of it.  I really don't feel that I have anything new to say regarding issues in cyber security. Furthermore, writing the blog became a tedious and thankless chore.  And, besides, the people for whom I wrote it didn't bother to read it anyway.  What changed my thinking and motivated me to write today is that I can tie various seemingly disparate trends in Cybercrime and Cybersecurity together into a new thesis that hasn't already been considered by those who get paid to do this work. 

 When considered together, the three trends that have real potential to cause real harm to real people are:

A. National Public Data Breach
B. What I call The Degeneration of Generative Artificial Intelligence
C. The Exploitation of Mobile Services

2.  The Real Threat That Is National Public Data Breach.

Many people, one way or another, are enrolled in some kind of personal information monitoring service.  Although I personally do not put much stock into these services, since it is free, I do subscribe to Microsoft's Defender Identity Monitoring.  I wrote a review of this application, 02/25/2024.  Like many similar tools do lately, MS Defender has been reminding me of what personal data of mine was compromised in the National Public Data Breach.  In my case, over the last ten years my life was turned upside down and inside out, leaving all the public data about me included in the breach old and useless.  Of course, if your life hasn't seen the instability mine has, then chances are your data that has been compromised is very much still valid and useful to cybercrooks. 

Above is my report from MS Defender, with only the last four digits of my Social Security number redacted.  What is most critical here are the addresses.  Where a person lives tells much about a person.  Input any address into Zillow, or any other real estate website, and the market value of that property will be revealed.  The Property Shark website will give up an even more detailed report about the address queried.  Cybercrooks are most likely not going to find me a worthwhile target.  Someone who has lived in their own home for twenty years or more might, however, be a very tempting target for cybercrooks to prey upon.

In a breached personal file there is most likely enough data for a crook to make a credit inquiry about a potential victim.  And there are not any real laws preventing this type of activity.  As I wrote in a post, 03/17/2024, data brokerage is a billion dollars a year enterprise with no real regulations governing what is done with our data.  The cretins behind National Public Data had little real prior experience in the field; and thus the data files were stored in plain text and ripe for the taking.  So, armed with the information contained in a breached file, any miscreant so motivated can leverage the info that they have to obtain more info from other sources — say like your banking information.

The no longer valid telephone number is redacted in my MS Defender report.  We can only assume, however, that the telephone number will be clearly displayed in any actual breached data.  Sure, you monitor your incoming phone calls.  If, however, that incoming call says, "Your Bank," on the caller ID, then most likely you will answer that call.  So, now we enter the very alarming world of Degeneration of Generative Artificial Intelligence.

3.  The Increasing Failure of MFA and the Growing Threat Posed by The Degeneration of Generative Artificial Intelligence

Multifactor Authentication (MFA) — also known as 2FA, Two Factor Authentication — is now the standard means by which banks and other entities that are concerned with the security of their clients and customers verify the identity of those people who wish to communicate about an account at a bank or other institution.  We all know the drill.  The institution sends a numeric code to the customer's phone number on file.  If, however, the telephone that is to receive the code has been compromised, then the MFA code can be intercepted by cybercrooks.  Forbes, September 6, 2024, posted an easy to understand article about how MFA is now often compromised.

One way an MFA code can be intercepted is when malware is installed on the customer's phone.  Just as a Trojan can spy on a PC, so might a Trojan spy on a smartphone.  Keystroke loggers infecting a phone can also be used to intercept MFA codes.  So, clearly the information included in the Public Data Breach might well give cybercrooks a running start at stealing not only your sense of security and well being, but your actual money, too.

Now entering into this crisis of information compromise is Generative Artificial Intelligence.  Deepfake technology is now used not only to make phony porn of celebrities; AI is also being employed to trick Consumers into giving their money away.  In a simpler time, say 5 years ago, that phishing phone call came with a voice of a person that was obviously not an American.  So, most likely the call originated in a foreign country.  Now, however, with Generative AI, deepfake phone calls come with very convincing voices.

One common technique is a telephone call that purports to be from your bank or other financial institution; and, in one way or another, the caller tells you that your account is compromised.  The way to protect your account is to TEMPORARILY move your funds to an account that the caller provides.  If you ever receive such a call, DO NOT PANIC.  It is best to just hang up immediately, and call the financial institution in question.

Of course, you may say that this would never happen to you.  It is common enough though that on March 5, 2024, the Federal Trade Commission published a Consumer White Paper, titled, "Never move your money to “protect it.” That’s a scam."  When the call derives from AI, the voice will be convincing.  Furthermore, it is possible to have a "conversation" with an AI chatbot.  Given that the scammer behind the fake call might already know much about its intended victim because of prior data breaches, the scam call can seem to have greater authenticity.

The FTC website cited above offers information and guidance on the various types of common financial scams most prevalent today.  Here is the list with the relevant links.

What’s a verification code and why would someone ask me for it?
Will your bank or investment fund stop a transfer to a scammer? Probably not
Sure ways to spot a scammer
Did you get a call or text about a suspicious purchase on Amazon? It’s a scam
New tech support scammers want your life savings
Did someone send you to a Bitcoin ATM? It’s a scam

4.  The Exploitation of Mobile Services

A lawsuit filed in New Jersey has laid bare the inherent dangers that Location Services, Advertising IDs, and other common smartphone features now pose to Consumers.  The lawsuit was filed against a company that does business under the DBA Babel Street.  Babel Street offers location tracking of cell phones to law enforcement, government employees, and contractors who claim they work for those agencies.

Babel Street also offers free trials of their tools and services.  As reported by KrebsOnSecurity, in a post titled, "The Global Surveillance Free-for-All in Mobile Ad Data," dated October 23, 2024, an investigator for the Plaintiff in the suit, Atlas Data Privacy Corp, obtained access to their software by simply telling Babel Street that the investigator was intending to be hired as a contractor for an allowed agency.

As Brian Krebs, cited above, reported, the Babel Street platform called LocationX allows its users to:

...draw a digital polygon around nearly any location on a map of the world, and view a slightly dated (by a few days) time-lapse history of the mobile devices seen coming in and out of the specified area.

Furthermore, the software in question

... also allows customers to track individual mobile users by their Mobile Advertising ID or MAID, a unique, alphanumeric identifier built into all Google Android and Apple mobile devices.

Mobile Advertising ID is the data that advertisers purchase to push relevant ads to smartphone users.

The data collected can be used to locate "mosques, synagogues, courtrooms and abortion clinics," according to the Krebs report.  In another story about this platform reported by 404Media (subscription required), the LocationX platform was used to track a smartphone around Alabama; go outside Alabama; stop for 2 hours at an abortion clinic; and then return to Alabama.  In Alabama it is illegal now to travel outside of the state in order to obtain abortion services.  The uses and abuses of this technology are endless.

ArsTechnica, October 23, 2024, in an article titled, "Location tracking of phones is out of control. Here’s how to fight back," published a good summary of the reporting by different outlets about Babel Street and its LocationX platform.  The ArsTechnica article offered suggestions on how to turn off the smartphone services the LocationX platform exploits in order to track Consumers.  Different smartphones and different Operating Systems on smartphones can make turning off these features a challenge.  So any piece of advice on how to do this may not apply to a different phone.  I turned my advertising ID off; but it took some hunting around to succeed at that.

Of course, in so many ways enhanced security also causes a loss of convenience.  Each Consumer must decide for himself or herself whether reducing the risk of random tracking is more important than finding a pizza joint in an unknown town.

The question I must ask is what controls does Babel Street employ to prevent this powerful software from being compromised by cybercrooks?  The question is simply rhetorical.  Nonetheless, if the crooks can take over Microsoft servers, then it seems not inconceivable that they can breach this system, too. 

5.  Conclusion

The history and evolution of computer technology has been that every new innovation brings countless benefits to Consumers.  Each innovation also brings new risks to its users.  The extent and severity of the breach of the National Public Data database can be a limitless source of useful information for any cybercrook who may want to cause anyone harm.  Artificial Intelligence is making it increasingly difficult to discern what's real from what's fake.  The convenience that smartphones offer Consumers offers that same convenience to any crook who may wish to exploit it.  Nothing happens in a vacuum.  These three situations discussed herein show how the means to prey upon and torment anyone are readily available.  And the situation only gets worse with each new innovative technology that comes along.

What Alexander Hamilton wrote in Federalist 51 (1788), still applies today — maybe even more so.  "If men were angels, no government would be necessary."  Nothing proves that old maxim truer than does the sorry state of cybersecurity.

Our government needs to step up to its role and protect its citizens by passing meaningful regulations that govern how our data is used and stored.  Those behind the National Public Data Breach had no prior experience in data management or computer security.  Experts in and out of IT, including some of those who had brought the technology into being in the first place, have been warning in strident terms about what might be the dangers of Artificial Intelligence if no controls are placed upon its application.  If a powerful piece of surveillance software like LocationX is only intended for use by law enforcement, then limit its distribution only to law enforcement.

This Congress, however, cannot even pass the Kids Online Safety Act.  If they don't think kids are worth protecting from online predators, then where does that leave your average Consumer?  Fair game for cybercrooks is the answer.  And it is this reporter's opinion that that is a damn shame.

 

¯\_(ツ)_/¯¯ 
Gerald Reiff