The Office of Technology Research and Investigation (OTech) is located at the intersection of consumer protection and new technologies. As a trusted source for research and information on technology’s impact on consumers, the Office conducts independent studies, evaluates new marketing practices, and provides guidance to consumers, businesses and policy makers. It also assists the FTC’s consumer protection investigators and attorneys by providing technical expertise, investigative assistance, and training. The Office is housed in the Bureau of Consumer Protection and its work supports all facets of the FTC’s consumer protection mission, including issues related to privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, fraud, big data, and the Internet of Things.
For additional technology-related content, please visit the Tech@FTC blog.
Help protect consumers through research. The FTC welcomes researchers to inform us of their latest findings by emailing papers to email@example.com. Please note that the FTC does not offer compensation of any kind to research submitters and that submitted research may be made public by the FTC. If your research reveals a security vulnerability or otherwise contains information that could pose a risk of harm to the public, before submitting the research to the FTC, please contact Dan Salsburg, Chief Counsel of OTech, at firstname.lastname@example.org or 202-326-3402.
Checkout Checkup: Misuse of Payment Data from Web Skimming
What happens to consumers’ payment credentials when they are used to purchase items from online storefronts infected with web skimming code? The answer to this question can be found in a research paper OTech’s Phoebe Rouge presented on November 18, 2020 at the peer-reviewed eCrime 2020 Symposium on Electronic Crime Research. The paper, “Checkout Checkup: Misuse of Payment Data from Web Skimming”, describes a study in which Phoebe identified 50 web sites whose shopping carts appeared to be compromised by web skimming code that would send purchasers’ payment credential information to malicious actors. Over an 11-month period, thieves used 15 of the payment cards, but they did not use the cards immediately. The initial fraudulent use of the 15 payment cards ranged from 16 to 240 days after the cards were entered into the compromised web site’s shopping cart. The moderately long delay between exposure of credit card data and misuse of that data suggests that the impact of web skimming may not be apparent for an extended period following an incident.
Misuse of two-factor authentication phone numbers
On August 7, OTech’s Min Hee Kim presented “Secondary Education: Measuring Secondary Uses of 2FA Phone Numbers” at the peer-reviewed WAY 2020 conference. The paper examines whether top online merchants that offer SMS-based two-factor authentication send marketing messages to the 2FA phone numbers provided by consumers. Min Hee and her colleagues in OTech examined web traffic for evidence that sites share numbers with third parties when the user enrolls in 2FA and monitored the phone numbers for a two-month period after enrollment. They did not observe either the transfer of phone numbers in the web traffic or any marketing calls or messages, suggesting a consistent norm against sending marketing messages to phone numbers that consumers only provide for 2FA purposes.
Joe Calandrino wins Best Reviewer Award at IEEE Symposium on Security and Privacy
OTech’s Research Director, Joe Calandrino, was awarded the Best Reviewer Award at the 41st IEEE Symposium on Security and Privacy. This award is given to the top reviewer of papers submitted to this preeminent conference on security and privacy research. Joe will also be chairing the symposium’s session on Web Privacy and is the co-chair of ConPro, the consumer protection research workshop that is co-located with the IEEE Symposium.
You Don’t Say: An FTC Workshop on Voice Cloning Technology
Advances in artificial intelligence and text-to-speech (TTS) synthesis have allowed researchers to create a near-perfect voice clone with a recording of a person’s voice that is less than five seconds long. These technologies could help people with tracheotomies and other conditions use TTS systems with voices derived from their previously recorded audio samples. These technologies, however, could also cause substantial harm when used to impersonate a trusted person. On January 28, 2020, OTech and the Division of Marketing Practices hosted a workshop that examined the promise of voice cloning technologies, the serious risks these technologies pose, and whether there are ways to ensure that these technologies are not abused.
Guiding to Safety: How Technical Documentation Writers Can Encourage Software Security
This piece aims to assist writers of formal developer documentation, such as a detailed programming language reference or tutorials on programming for a platform. The Federal Trade Commission has more than twenty years of experience in protecting consumer privacy and security. For this piece, we consulted with experts on documentation for developers. Based on those discussions, we suggest ways that documentation writers can guide software developers toward more secure practices.
Last updated: 11/3/2020