Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

How children's fingerprints on the web could mean the end of PII Authentication as we know it


Published on

A talk at the Jisc security conference 2019 by Abigail McAlpine, PhD researcher in cyber security, University of Huddersfield.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

How children's fingerprints on the web could mean the end of PII Authentication as we know it

  1. 1. Children's fingerprints on the web - the end of PII Authentication? Abigail McAlpine
  2. 2. Abigail McAlpine Cy b er S ec u rity Researc h er ( Ph D) from the Secure Societies In stitu te at Th e Un iversity of Hu d d ersfield
  3. 3. Children's fingerprints on the web - the end of PII Authentication? Abigail McAlpine
  4. 4. AM Background • Cyber Security Researcher (PhD) from the Secure Societies Institute at the University of Huddersfield • Research on Personally Identifiable Information (PII) of children aged (11-16) on Social Networking Services (SNS) focussing particularly on the most commonly used platforms according to Ofcom’s “Children and parents: media use and attitudes report 2018 • Human-based cyber security research, particularly focusing on the “what” and “where” of sharing online when it comes to children’s information • Research is still in collection, public, parents and children • My background pre-PhD was in business and marketing as a marketing manager
  5. 5. AM Brief Illustrated Guide to a PhD • Imagine a circle that contains all of human knowledge:
  6. 6. AM Brief Illustrated Guide to a PhD • By the time you finish elementary school, you know a little:
  7. 7. AM Brief Illustrated Guide to a PhD • By the time you finish high school, you know a bit more:
  8. 8. AM Brief Illustrated Guide to a PhD • With a bachelor's degree, you gain a specialty:
  9. 9. AM Brief Illustrated Guide to a PhD • A master's degree deepens that specialty:
  10. 10. AM Brief Illustrated Guide to a PhD • Reading research papers takes you to the edge of human knowledge:
  11. 11. AM Brief Illustrated Guide to a PhD • Once you're at the boundary, you focus:
  12. 12. AM Brief Illustrated Guide to a PhD • You push at the boundary for a few years:
  13. 13. AM Brief Illustrated Guide to a PhD • Until one day, the boundary gives way:
  14. 14. AM Brief Illustrated Guide to a PhD • And, that dent you've made is called a Ph.D.: @mattmight
  15. 15. AM The Secure Societies Institute (SSI) • “Research staff and students from across the seven Schools work collaboratively to address global security challenges as diverse as terrorism, modern slavery, child sexual abuse and cyber crime.” – Prof Rachel Armitage • Nearly 100 staff and post-graduate researchers from The University of Huddersfield working on a variety of inter-disciplinary research projects in the hopes of addressing security topics nationally and internationally. 15
  16. 16. AM Contents • What is PII? • What PII is collected by SNS? • Marketing vs Security • Ofcom report • Parental awareness • SNS Timeline • Features on SNS • Sharenting • Fraud • Why PII is used • Actions for tech/users 16
  17. 17. AMWhat is Personal Identifiable Information (PII)? • Personal data is information that relates to an identified or identifiable individual. • What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors. • If it is possible to identify an individual directly from the information you are processing, then that information may be personal data. •
  18. 18. AM What is PII? • Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual. • When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual. • It is possible that the same information is personal data for one controller’s purposes but is not personal data for the purposes of another controller. 18
  19. 19. AM What are SNS? • SNS – Social Networking Services • These include Facebook, Twitter, Instagram and more • Discord/Slack other messaging services Add a footer 19
  20. 20. Children's fingerprints on the web - the end of PII Authentication? Who is the girl on the left?
  21. 21. AM Marketing potential • We can guess her age is probably between 11-14 (Wider guess of 10-16) • We can reasonably articulate an idea of her assigned gender • We can see her uniform – idea of location, confirmation of age group • We can see she has her own phone – she seems very attached
  22. 22. AM In marketing this would be seen as rich data – worth investing time and money into… • With this information we could curate a customer persona, we could adjust marketing, we could curate a timeline of potential sales funnels to pitch. • This information is still very valuable to us • We don’t need to know her identity 22
  23. 23. AM In security • There’s potential to use this information in future fact finding to collate a bigger picture of her identity • Basic OSINT (Open-source intelligence) tools can track her and build on the information provided • It’s the potential of future information that will cause issues to her identity 23
  24. 24. AM Ultimately • The ability and tools to collate more information about an individual (regardless of age) exist in both marketing and cyber security industries • The skills to take the information we have and turn into viable information are already in the room, a lot of the tools and methods to do so are very established, be it in technology or simply observing an individual • These cases will always exist, it is justifiable for the existence of data collection around children online for marketing purposes – whether directly through children’s use, or through a third party or parent’s use or purchasing data points. 24
  25. 25. AM The real issue.. • Some of the largest datasets on children in the world are owned by Social Networking Services (SNS) • They have this information, it’s usually attached to an identity. • Encouragement of PII sharing, location data, connecting with more users, spending more time on the platforms 25
  26. 26. Looking at the numbers 26
  27. 27. AM Ofcom Report (12-15) • 83% of 12-15 year olds have their own smartphone • 50% of 12-15 year olds have their own tablet • 99% of 12-15 year olds go online for 20 ½ hours per week • 69% have a social media profile 27Children and parents: Media use and attitudes report 2018
  28. 28. AM Ofcom Report (8-11) • 35% of 8-11 year olds have their own smartphone • 50% of 8-11 year olds have their own tablet • 93% of 8-11 year olds go online for 13 ½ hours per week • 18% of 8-11 year olds have a social media profile 28Children and parents: Media use and attitudes report 2018
  29. 29. What happens when children’s data is breached online?
  30. 30. AM Privacy Pin-Ups • “We take your privacy and security seriously.” • “Your privacy matters to us.” 30
  31. 31. AM Huge changes in Facebook • Encrypted end-to-end messages through the messenger app • 18.4 million reports of child sexual abuse worldwide in 2018, a staggering 12 million trace back to Facebook Messenger. • Reducing Permanence – deleting long term information as standard (undefined) March 2019 • Right to be forgotten/ The right to erasure – GDPR 2018. Doesn’t limit the sharing of information primarily • Suspension of tens of thousands of applications (69,000) in Sept 2019 made by about 400 developments 31
  32. 32. AMParental Awareness of Minimum Age Requirement (13) • Facebook 32% • Instagram 28% • Snapchat 15% 32Ofcom Children and parents: Media use and attitudes report 2018
  33. 33. AM Children lie about their age • EU Kids Online conducted studies between 2011 and 2014 in 22 different countries • 1 in 4 of the 9-to-10-year-olds and 1 in 2 of the 11-to-12-year-olds were using Facebook already • 4 in 10 gave a false age. 33
  34. 34. AM How many children on SNS? • In 2011 there was an estimated 20 million minors use Facebook, according to Consumer Reports; 7.5 million of these are under 13. • These estimates are no longer in date and the possibility of establishing an accurate number has been significantly decreased as more children lie to get past age verification systems 34
  35. 35. AM If we take everything at face value Removing potential FUD (Fear, Uncertainty and Doubt) – lets say: • Social networking services care about your privacy • Physical information gathering/safety will always be an issue • We can’t control children lying about their age to interact on social media 35
  36. 36. Building a timeline of SNS S oc ial Networkin g S er vic es
  37. 37. AM Timeline A timeline of SNS as we know it today; • 1997: First SNS – “Six Degrees” and AOL Messenger • 1999: MSN Messenger and Yahoo Messenger Launch • 2001: Six Degrees Shuts Down • 2002: Friendster launches • 2003: LinkedIn and Myspace launch • 2004: Facebook launches • 2005: Reddit, Bebo, YouTube launch • 2006: Twitter Launches, Facebook releases newsfeed feature 37
  38. 38. AM Timeline A timeline of SNS as we know it today; • 2010: Pinterest and Instagram launch • 2012: Snapchat Launches Facebook acquires Instagram Facebook releases newsfeed feature (2006) 38
  39. 39. AM Features of SNS Some examples of features that have rolled out in the last 20 years or so. Some in real time/ some pre-emptive. • Location data • Event tagging • Friend tagging • Facial recognition features (photo tagging) • Messenger • Announcements • Life Events 39
  40. 40. AM Who knows what this is? 40
  41. 41. AM Snapchat Map • SnapMap was a feature automatically rolled out in a June 2017 Snapchat update that tagged users location on a map in real time to all their “friends” on Snapchat • Snapchat had already established a young user group, there was a reward system in place for snapchat streaks resulting in points for users, the more “friends” users made, the more streaks could be established, the points could be gained • There were different settings for how users could find each other – some transparently – public/private profiles. Others, including how you could find friends such as the apps access to your contacts, have become better communicated over time. 41
  42. 42. AM Snapchat Issues • SnapLion (IOS and Android) a play on (LEO) and “Law Enforcement Officer” • SnapLion’s purpose is to extract data from user accounts in the aid of legal processes and investigation • It’s essentially a backdoor exploit to the application • Vice (May 2019) had internal emails discussing staff abusing and circulating the images/account communications 42
  43. 43. AM TikTok • Is one of the worlds most downloaded applications, one of the top 10 globally • TikTok stated users must be over 13 but asked for no proof • Known previously as Musically, utilised Snapchats successful model and Vine’s demise to carve a niche for themselves with younger users. • Public profiles by default – public comments by default • If the profile was public the application had an open messaging feature which resulted in children receiving private messages from strangers 43
  44. 44. AMSNS are targeting children with marketing • We know this because of the tailored products and services they are marketing towards their users based on data collection and analysis • They are rolling out features without any care or consideration for children’s/users safety 44
  45. 45. AM Childrens Sharing • Children are sharing more content about themselves than ever before to bigger audiences • They are more vulnerable to peer pressure at various ages • Some of children have more understanding of SNS than their parents or educators 45
  46. 46. This is just children’s sharing
  47. 47. AM Parents Sharing • “Sharenting” – is the term being used for parents who share a lot of information about their children online • Some parents have been over-sharers from the beginning with no prompts • However, the introduction of Facebook and features such as the newsfeed, announcements, timeline, memories have prompted users to share more about their lives and their children • A lot of the PII information required can be found about users independently, but control of the sharing about third parties who haven’t necessarily consented to the sharing of the information still accumulate 47
  48. 48. AM Fraud - Trends • The theft of personal and financial data through social engineering and data breaches was a major contributor to fraud losses in 2018. • The stolen data is used to commit fraud both directly and indirectly. • • Recession/Economic turmoil 48
  49. 49. AM Fraud - Trends • In 2009, it was announced that fraud had increased threefold in the previous year as a result of the recession • Cases through British court alone accounted for more than £1.1bn worth of fraud • April 2018, a report in America (Javelin Strategy & Research) on child fraud reported that more than 1 million children were victims of identity theft or fraud in 2017. • Two-thirds of those victims were age 7 or younger. • Six in 10 child victims personally know the perpetrator. 49
  50. 50. AM Why is PII used? CIA Triad • Confidentiality through preventing access by unauthorized users. • Integrity from validating that your data is trustworthy and accurate. • Availability by ensuring data is available when needed. 50
  51. 51. AM Why is this used? • The 3 A’s of cyber security • Authentication, Authorization, and Accounting (AAA) Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security. - 51
  52. 52. AM Facebook’s Timeline is 13 years old • In 3 years time – children who have had every significant moment of their life shared online – nearly all potential PII authentication answer. 16 years old and old enough for a debit account/card • In 5 years time - children who have had every significant moment of their life shared online – nearly all potential PII authentication answers. 18 years old and old enough for lines of credit, many products pushed in their direction will be highly likely to be targeted at low credit • Most will be venturing into the professional world, with everything associated with it, including loans, linkedin profiles, historic social media profiles 52
  53. 53. Potential for the perfect storm
  54. 54. AM PII used as authentication? • SMS and/or Email Based 2FA: Whether the site offered a SMS (text message) or email based 2FA. Sites that offered this method earned 1 point. • Software Token 2FA: Whether the site allowed you to perform 2FA using a software authenticator. Popular software authenticators include Authy, Google Authenticator, or Microsoft Authenticator. Sites that offered this method earned 1 point. • Hardware Token 2FA: Whether the site allowed you to use a hardware token to perform 2FA. Popular hardware tokens include YubiKey and Google Titan. Sites that used this method earned 3 points. 54
  55. 55. AM Is 2FA/MFA a fix? 55 Researcher Piotr Duszyński published a tool called Modlishka (Polish: “Mantis”) capable of automating the phishing of one-time passcodes (OTPs) sent by SMS or generated using authentication apps. Jan 2019
  56. 56. AM Is Biometric Authentication a fix? • There have already been a significant number of data breaches since the mass introduction of biometric authentication • Biostar 2 lost more than a million files • OPM lost 20 million • Facial recognition is more of a gimmick than a security feature, not enough research completed 56
  57. 57. AM Fingerprints and Biometrics • Major breach found in biometrics system used by banks, UK police and defence firms - Fingerprints, facial recognition data and other personal information lost in the data breach from Biostar 2 (Owned by Suprema) – August 2019 • Fingerprint data is stored locally in hash on mobile devices for IOS and most Android in Trusted Execution Environment (TEE). • Facial recognition is not secure, nor tested enough on BAME users – it shouldn’t be used as a security feature 57
  58. 58. Considering everything discussed
  59. 59. AM Right to forget • Doesn’t mean that other users will forget • Doesn’t mean that children are protected online • Doesn’t mean that children’s information is not being shared • Doesn’t educate users/parents/children about the dangers of oversharing PII online • Doesn’t fix the problem 59
  60. 60. AM Potential actions for tech • Moving away from the PII Authentication Model – especially as a bypass/back up for password loss • Tackle education of users around the availability of this information • Attempt to limit the scope of the issue – through historic deletion on SNS (this probably won’t happen) • We change the infrastructure of how we secure accounts – if these security questions are to remain then there should be additional steps involved to reset a password or gain access to an account • We attempt to tackle this in a way that doesn’t cause additional issues – i.e Netflix asking for photos of passports through email to confirm identity 60
  61. 61. AM Steps moving forward for users • Change answers to PII Questions on SNS – use like new passwords, ideally 3 word combinations with number/symbol contributions and upper and lower case i.e R3dR1dingH00d! • Use passwords specific to the SNS service you’re using • 91% of people know reusing passwords is poor practice, 59% reuse their passwords everywhere – at home and at work – training is necessary - Change Email password to something unique • MFA/2FA set up where possible 61
  62. 62. Thank You Abigail McAlpine Twitter @abigailmcalpine
  63. 63. Any questions? Abigail McAlpine Twitter @abigailmcalpine