Windshift: Malware Recycled

A recently published deck (PDF) by Taha Karim of Abu Dhabi-based DarkMatter draws an interesting conclusion: that Appin, an Indian cybersecurity group active a few years ago, either had its tools stolen by an advanced APT group, had them taken by a rogue employee, or sold them to a third party. The reason: Karim found evidence of Appin’s tools and infrastructure in covert hacks into governments by a group that overlaps with several existing APT actors, some with links to Russia.

The groups with which Karim’s report finds overlaps (in modus operandi, infrastructure, coding practices and so on) are:

The possible connection with Appin lies in a likely rewrite of surveillance malware called Hack Back, aka KitM OSX: DarkMatter found the same helper function reused verbatim, the same C&C servers and some other similarities.

DarkMatter calls the APT it has discovered Windshift and says it is currently targeting governments using Appin tools. It does not attempt attribution, says the group has been operating since at least January 2017, goes after specific individuals (judging from the screenshots, in Gulf states) using “versatile, sophisticated and unpredictable” spearphishing, and is still active.

Appin was an Indian cybersecurity company blamed in some accounts for cyberespionage attacks back in 2013. The company fiercely denied the reports. Not much has been heard of the company since, though reports of its tools appearing elsewhere have surfaced from time to time. Last year a company called Cymmetria believed it saw a connection with Appin in an attack it called Patchwork, aimed at South Asian and Southeast Asian targets, which appeared to be ‘pro-Indian’:

Carefully, we feel obligated to note that further evidence suggests potential links between this threat actor and the operations known as Hangover/Appin, but this possible link is still being researched and is far from conclusive.

Appin has been out of the public eye for a few years now, but its CEO, Rajat Khare has recently resurfaced as an investor, via his Boundary Holding company, in a Singapore video analytics startup called XRVision.

Microsoft, never sexy, grows up

By Jeremy Wagstaff

We didn’t really notice it but the past week or so has seen the passing of an era. We are no longer in a world where Microsoft wants to peer through our Windows, as it were. As Ben Thompson noted in his Stratechery newsletter, the company’s recent Ignite Conference passed largely unnoticed by the wider world, in part because it was aimed squarely at “information technology professionals”. All the talk was of cloud, AI, office.

This is the market for Microsoft these days, not consumers. No more queuing up round the block for the next version of Windows. No more bossing you around to get Microsoft’s own browser to be the default on your computer. Well, actually, that’s not completely true. In September, Microsoft did try to prod Windows 10 users away from Google’s Chrome or Firefox browsers but later thought better of it. Bad habits die hard.

It’s not that Macs have taken over PCs, though if you attend any geek fest, or give a lecture, you’re bound to be struck by how many Macbooks there are. Macbooks are about the 4th biggest brand of notebook out there — all the rest run Windows. But of course people aren’t using notebooks, or laptops, or whatever we call them, as much anymore. We use smartphones. In the last quarter there were 350 million smartphones shipped. In the same quarter there were 62 million PCs shipped. (And as smartphones get bigger and more powerful, they are also nudging out tablets, of which only 33 million were shipped in the quarter, its 15th straight decline.)

The stark reality: Microsoft, which you may recall once owned Nokia, is no longer in the consumer mobile phone business, and is in full and open retreat. Last month it said it would not update its Office Mobile apps, which had been designed for its Windows Phone and smaller Windows 10 tablets. Tellingly, and perhaps humiliatingly, it’s continuing to develop versions of the app for Android and Apple’s iOS.

This doesn’t mean that Microsoft is out of the consumer world. Its Surface devices get good press, some more are about to be announced, and 700 million PCs are running the latest version of Windows. But the world has changed and Microsoft has woken up to it. Apple now produces the devices we like to stroke; Google produces the operating system every manufacturer of a mobile device will happily install; others will sit happily somewhere in between. Microsoft, under Nadella, has realised that sitting on the device at your workplace, and increasingly in the cloud behind it, is not a bad place to be. If it can also be one of the main apps that you use on your Galaxy or iPhone all the better.

It won’t be a sexy business, but Microsoft, let’s face it, was never sexy. We took their stuff, from the mid 1980s to the late noughties, because we weren’t seriously offered anything else. We were in a way the enterprise customer of today: we accepted what we were given, and made the most of it. Installing apps seemed somehow radical, unless they were from Microsoft — and most were, let’s face it, from word processing to encyclopedias. Microsoft was the Ford of the computer world.

But now the world is a lot different to 20 years ago, when what we saw on our desktop screens was the vista of our digital world (no mistake that the desktop background of Windows was a sloping field leading to enticing blue sky.) Microsoft could box us in because it was the only window we had onto that world: now we have a mobile phone, which while smaller, moves around with us, holding our gaze. Soon virtual, augmented and mixed realities will be the new normals. In between will sit algorithms, data, artificial intelligence, sensors, haptics, collecting, anticipating, feeling, trying to understand us better. The consumer world will move a little too quickly for some.

The enterprise, on the other hand, will be what the consumer world once was: less demanding, more uniform. Led by demands of security, compatibility, standards, efficiency. There will be overlaps, and a lot of the AI and other innovations driving the consumer world will be there in the enterprise world too. But the enterprise will be a safer bet for Microsoft, one it understands better. It may do very well.

For the tech hubs of the future, look to Asia’s smaller cities

This is an update on a piece I’d written for Reuters six years ago on remote freelancing in emerging markets. It was written in part for a new Cisco report on Technology and the future of ASEAN jobs (PDF), launched this week at WEF.


Much of the disruptive change in Southeast Asia in the past five years has come from adding formalized systems and layers to existing sectors, most of it in what might broadly be called mobile commerce. Think Grab, Go-Jek, Lazada.

The investment has been concentrated, in country, sector and in companies. But the real change in skills and work in the long run may come more from the backroads of Southeast Asia, tapping into a vibrant but hidden economy of online knowledge workers.

According to data collected by Google last year, the majority of investments in Southeast Asia have targeted companies based in Singapore and Indonesia — together accounting for 92% of funds. In turn most of that money ($9 billion — 73%) found its way to unicorns — those companies with more than a $1 billion valuation — while companies worth less than $100 million got $1.9 billion and those between $100 million and $1 billion attracted $1.4 billion.

These figures are good, in the sense that it had taken some time for Southeast Asia to attract significant venture capital attention, but they illustrate how slanted the overall picture is. Those unicorns are: Go-Jek, Grab, Lazada, Razer, Sea Ltd, Traveloka and Tokopedia. All are essentially platforms for retail selling: transport, consumer goods, travel etc. All capitalize on inherent problems in the free flow of goods and people in Southeast Asia, because of inadequate infrastructure, be it physical, financial or social.

And most are now trying to extend their presence beyond the major regional cities. But I think what has been happening in these smaller cities and towns for several years may be the more significant development in the long run. Indeed, when these platform players bring their services to these cities, there may be an interesting confluence of improved infrastructure and pent-up B2C or B2B demand. It should be here that companies and governments are focusing their attention — on building infrastructure, on tapping into these self-replenishing skill pools, and hubs of quiet entrepreneurialism. In the long run these skills are going to help to even out and possibly reverse the long term trend of migration to the cities, or megacities.

Take, for example, 99designs, an Australian crowdsourcing design company. They’ve been operating for several years, providing a platform for graphic designers to submit their work and earn business. I interviewed their CEO six years ago and he told me he was awestruck by how one city in Indonesia — central Java’s Yogyakarta — consistently beat other cities for quality and contracts won. He eventually went to see for himself, and was greeted like a rock star by the city’s 99designs community — one of the biggest in the world. Those young men and women were tapping into a deep well of artistry that stretches back hundreds of years, and can still be seen in carvings, batik and other artwork around the city.

I asked 99designs for an update, and they told me the trend has only increased: 95% of the Indonesian designers on the platform live outside Jakarta. Nearly 70% of them live outside the country’s top five cities. This is not just an Indonesian phenomenon: In fact the numbers are higher in the Philippines and India, two other big contributors to 99designs.

I checked Upwork, one of the main providers of freelance services and I lost count of the number of services being offered by freelancers based in Yogyakarta (and in other Indonesian cities like Makassar and Medan.) These services are not basic, either: they range from Ruby developers to 3D rendering artists.

Another important thing to note about these freelancers is that they are constantly taking on new skills. For this piece I caught up with a Philippines librarian I had met when I wrote my story six years ago. Back then Sheila was using her library skills to work with clients in Australia and the U.S. to enter metadata as they digitised their libraries. Now, she tells me, she’s taken some online courses in personnel management and is working as a project manager for a startup. Freelancers are well-motivated to acquire skills and their clients are keen to help them do it because they like working with them.

The implications are clear. As technologies emerge and develop more quickly, companies will have to look further afield for skills. This benefits freelancers like Sheila because they can more readily and rapidly identify what skills they should acquire and position themselves. The fastest-growing skills on Upwork in Q2 2018, for example, included blockchain, Google Cloud, Volusion e-commerce software, risk management and rapid prototyping. While most of these skills are likely to be found in the U.S., they can also be found in Southeast Asia, where rates are significantly lower: rapid prototyping in Southeast Asia mostly fetches $10-30 an hour, whereas in the U.S. rates are spread fairly evenly across $10-30, $30-60 and $60 and above. Of course there are many more in the U.S. offering that skill, but expect that to change.

This hidden economy is growing, and is impressively independent. But it could do with support. This will come in part as Go-Jek and others further expand beyond the big cities, bringing improved transportation and better support services. But governments too, could lend a hand. Internet connectivity is still patchy in some parts, and a lot of those hoping to switch from a long commute to working at home often find it hard to get that first job. If those who do succeed can be encouraged to help build out these communities and share their skills, a whole new generation of home-based knowledge workers could lift towns like Yogyakarta and even further afield into hubs of the future.

Solving the Tragedy of the Commons


(edited for clarity)

Bike sharing has become something of a plague for those who don’t appreciate its advantages. Even for those who do, the sight of bikes lying all over the place, broken, is jarring in a place like Singapore. But the solution is not obvious. First off, you need to have a mechanism for policing errant bikes and the companies that own them. You need to find a way for users to report them. Then to punish the offending companies.

But wouldn’t that just encourage companies to damage or mislay their rival companies’ bikes? I am pretty sure that’s already happening — I see lots of slashed seats and vandalized bikes, which I’m willing to bet are not all caused by deviant residents.

The result: the old problem of the tragedy of the commons, where a common resource, in this case space, is damaged for all by those who choose to externalise their costs. Here that’s the bike companies, which have no clear incentive to keep their bikes tidy and shipshape. So the supposed ‘commons service’ they’re offering (cheap, available, healthy personal transportation) is in fact a downgrade for people who like their public spaces, sidewalks, parks, verges, kept clean.

So I have a solution:

* instead of fining each company for transgressions of their bikes, you fine all companies equally for each bike that is out of place, broken, or obstructing. Three bike companies, say, get the same fine for any bike misplaced, whichever company owned the bike.
* Each company would be required to include in their app a standard method of reporting broken or misplaced bikes. This information would go to the company — but would also go through to a central repository managed by whatever government agency oversees the bike companies. Individuals reporting a case that is subsequently found to be accurate are rewarded by the bike company in question — free rides, or whatever. If the bike company can resolve the incident within 24 hours there will be no fine.
* Fines are collected by the agency and pay for the inspection teams and for publicity.
* A tally is kept. If one company is clearly more egregious than the others, action might be taken by the agency.

In the long run I think a better system would be to use LoRa or another narrowband technology to better monitor the location of bikes and their state. But for now this might just be enough. I’ll write a more detailed proposal on that later.

Bank scammers get smart(er)

Scammers still love the telephone. It’s the best way to scam people because you have got them there, in the palm of your hand, so to speak. Banks are slowly getting to grips with this and warning customers not to give personal details over the phone to anyone claiming they’re from a bank. Check the number, they warn, and ensure it’s one that is recognisably the bank’s.

Of course, scammers can get around that by changing the displayed number, but there’s another way too. Smart customers would usually google the number the call is coming from before accepting it. These might be listed on websites like Truecaller, which are basically vast databases of users’ phone numbers, a sort of global phone directory.

Some are dedicated to identifying fake or scammy phone numbers to warn others. (In fact, this is one of Truecaller’s main selling points.)

Scammers are taking the next obvious step: adding their fake numbers to these services so the alert user who uses them to check whether it’s really their bank calling them might be hoodwinked into thinking the phone number is legit.

This is nearly what happened to me today. The phone number on display showed up in three different databases as an HSBC credit card call center, and it took me about 30 minutes on the phone to the real bank to confirm that it was in fact fraudulent.

I’m not quite sure what banks should do about this. They have gotten better about warning customers not to hand out personal details over the phone, but there are still too many legitimate calls and emails that could have been faked, or contain links that direct to a site other than their main banking site (usually promotional tracking URLs).

I think banks probably need to add an extra layer of security by allowing users to demand a key word be included on the bank’s part that is known only to the bank and the customer, so that the absence of such a key word should provide a warning to the customer to hang up. I also think that banks need to have better one stop shops to work with their customer — too many times I get a response of ‘oh this is about a credit card, that’s a different department.’

It inconveniences the customer but, more importantly, gives the impression that the customer should expect communications from different departments. If it’s one bank, it should be a single communicator. One point of failure, as it were, rather than several.

Of course, using phones when we could be using more secure channels is pretty absurd in 2018. But then banks look pretty anachronistic anyway, and so don’t get me started on that.

Update June 1 2018: I have since discovered that in fact the number was a legitimate bank number, despite staff there telling me it wasn’t. It kinda confirms my point about the need for a one stop shop in a bank. So I was crediting the scammers with being smarter than they are.

Nevertheless, something worked which I didn’t expect to: the bank caller was responding to a request I had made via secure email to contact me by phone, and I had asked that they use a specific word to confirm their identity. (I must confess I had forgotten about this, so I probably should have realised the call was about this.)

So that bit worked. And it might be a good idea in future to adopt this practice: if companies, especially banks, insist on calling you back, then you should leave them a specific code word they must use to authenticate themselves. They’ll ask you to authenticate yourself, but short of hanging up and calling back a number on their website or on the back of your credit card, there’s not much you can do.

Bike Fencing

Some interesting stuff going on in Singapore’s world of bike sharing.

They’re approaching the problem of errant bike-parking by regulating the companies via a licensing regime, which will begin later this year, according to Today.

From what I can make of it, operators must
– be licensed, or face a S$10,000 fine and/or six months in jail
– be responsible for the parking of bikes within designated parking locations, or lose their licence or find their fleet size reduced

Users will also be watched, under a geo fencing scheme that will require them to scan a QR code at the designated parking locations before ending their trip. Failure to do so will mean they’ll be charged continuously — I guess meaning the meter will keep running (not sure how this would work with the flat monthly rates all three operators are currently offering).

Readers have already pointed out potential flaws:
– what happens if there’s no space at the designated area?
– what happens if someone moves the bike after the user has scanned their code?

And Today pointed out in a piece that there need to be more designated areas to make this work. It’s fine picking up and parking a bike at a subway station or a bus stop, but what about when you’ve pedaled back to your home?

Singapore, as ever, is taking a positive but cautious approach to the sharing economy. I quite agree that companies are so far not incentivised to distribute their bikes with consideration, or to monitor them after they’ve been deployed. So something has to change. But also the usefulness of these bikes is going to decline rapidly if users aren’t able to leave the bikes within a few meters of their home for fear of draining their digital wallets.

More importantly, Singapore needs to consider what more it can do to encourage bike usage — by rapidly expanding its bike paths, by offering guidance to users about how and where they can use the bikes, and generally rewarding their use. As China has found, the more these bikes are used, the more other people feel comfortable using them and the quicker a social code of conduct emerges about their usage.


Disrupting Travel Disruption

easyJet seem to be taking an interesting, if not pioneering, approach to disruptive tech. While fintech has mostly absorbed the wave of startups that went after the financial industry from about 2011, travel startups initially went after the middlemen, creating a host of algorithm-based disintermediators, and put a lot of travel agents out of business. 

But airlines? Well there was this kind of thing, which I reported on a year or so ago. But what about the airlines themselves? EasyJet are taking the approach of incubating companies that complement its business, adding layers and businesses on the edge of what it does — which is ferry people around in the air. 

Today, for example, it announced that it had adopted a new raft of startups into its accelerator programme: 

– WeTrip, an online group travel booking platform which sells holiday packages to small groups. Their algorithm is connected to distinctive activity suppliers, comparing endless combinations of components to build real-time offers according to the preferences of the group. Payment is also made simple, as group members can pay separately.

– Car and Away, a peer-to-peer car sharing community where car owners make money out of their parked vehicle whilst they are away on their travels.

– FlightSayer, which uses sophisticated simulation algorithms and machine learning to better predict flight delays hours, days, and weeks before departure. With a $1.75m grant from NASA, the company’s technology is being used in the US by corporations, airlines and travel management companies to improve travel experience and increase efficiencies, with plans to adapt to the European airspace.

– TrustedHousesitters, a global community of pet sitters.

So none of these detract from easyJet’s business, but enhance it. None are disrupters, per se, although Car and Away does eat into car rentals. Instead easyJet uses these startups to add value to its own service: 

– easyJet and TrustedHousesitters have partnered up to allow passengers  to choose a free house sitter for their pet or find free accommodation as a house or pet sitter when booking flights at easyJet.com.

Previous graduates of the program have already partnered up — FLIO, an airport app, is working on integrating its content with the easyJet Travel App. LuckyTrip are also working on something similar. 

Behind all this: Founders Factory, a sort of innovation factory backed by corporates from six sectors:  easyJet (Travel), L’Oréal (Beauty), Aviva (Fintech), Holtzbrinck (Education), Guardian Media Group (Media) and CSC Group (Artificial Intelligence).


Investigators – New Kids on the Blockchain

Here’s a Reuters piece I wrote on a hitherto uncovered area of blockchain potential — helping law enforcement and others collaborate and collect evidence better, among other things. 

For security agencies, blockchain goes from suspect to potential solution

By Jeremy Wagstaff, Byron Kaye

(Reuters) – Police and security agencies have so far only taken an interest in blockchain – the distributed ledger technology behind cryptocurrencies like bitcoin – for tracking criminals hiding illegal money from banks.

But that’s changing as some civilian, police and military agencies see blockchain as a potential solution to problems they have wrestled with for years: how to secure data, but also be able to share it in a way that lets the owner keep control.

Australia, for example, has recently hired HoustonKemp, a Singapore-based consultancy, to build a blockchain-based system to record intelligence created by investigators and others, and improve the way important information is shared.

“They’ve been trying for years to come up with a centralized platform, but people are reluctant to share information,” said Adrian Kemp, who runs the consultancy, which was awarded a A$1 million ($757,500) grant by AUSTRAC, Australia’s financial intelligence agency, and the Australian Criminal Intelligence Commission.

Blockchain’s appeal for data sharing is threefold.

Its ledger, or database, is not controlled by any single party and is spread across multiple computers, making it hard to take down or to alter covertly. Once entered, information cannot be altered or removed without the change being detectable by everyone else holding a copy. And, by using so-called smart contracts, the owner of information can easily tweak who has access to what.

It’s a sign of how far blockchain technology has come within a decade since the publication of a pseudonymous paper describing bitcoin and the blockchain ledger that would record transactions in it.

Bitcoin has since become the preferred currency not only of libertarians and speculators, but also of criminal hackers. The bitcoin price is volatile, and hit record peaks late last month.

Governments are already exploring ways to store some data, such as land records, contracts and assets, in blockchains, and the financial industry, too, has experimented with blockchain technologies to streamline transactions and back-office systems, though with limited success.

SECURING SHARED DATA

The closest most law enforcement agencies have come to the blockchain has been working with start-up firms to analyze it for evidence of criminal deals.

But in the past year or so that attitude has begun to change.

The United States Air Force (USAF) has funded research into how blockchain could ensure its data isn’t changed. In May, the Defense Advanced Research Projects Agency (DARPA) awarded a grant to ITAMCO, the company behind an encrypted chat program, to build a secure messaging service based on the blockchain.

Amendments to a recent U.S. Senate defense bill require the government to report back on “the potential offensive and defensive cyber applications of blockchain technology and other distributed database technologies” and how foreign governments, extremists and criminals might be using them.

Britain, too, is exploring several uses of the blockchain, say consultants and companies working for several departments.

Cambridge Consultants, a UK-based consultancy, said it had worked with the Defence Science and Technology Laboratory, a UK Ministry of Defence (MoD) agency, on using a blockchain to improve the trustworthiness of a network of sensors on, for example, security cameras.

The UK’s justice ministry is looking at proving that evidence – video, emails, documents – hasn’t been tampered with by registering it all on a blockchain, according to a blog post on its website.
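The tamper-evidence that the article attributes to the ledger, and the evidence-registration idea the justice ministry is looking at, both rest on the same mechanism: each entry carries the hash of the entry before it, so a change anywhere breaks every later link. The following is an added illustration of that mechanism, written for this page; it is not code from HoustonKemp, ByzGen, the MoJ or any other project named here, none of whose internals the article describes. It assumes evidence is registered by SHA-256 digest only (the video or email itself stays off-ledger) and uses constructed sample bytes in place of real files.

```python
import hashlib
import json

# Added illustration of a hash-chained evidence register. Not the design of
# any system named in the article; assumes entries hold only a SHA-256 digest
# of the evidence, never the evidence itself.

GENESIS_HASH = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def block_hash(header: dict) -> str:
    # Canonical JSON (sorted keys) so the hash does not depend on key order.
    return sha256_hex(json.dumps(header, sort_keys=True).encode())


class EvidenceLedger:
    def __init__(self):
        genesis = {"index": 0, "prev_hash": GENESIS_HASH,
                   "evidence_digest": GENESIS_HASH, "note": "genesis", "timestamp": 0}
        self.chain = [dict(genesis, hash=block_hash(genesis))]

    def register(self, evidence: bytes, note: str, timestamp: int) -> dict:
        # Each new entry commits to the hash of the entry before it.
        header = {"index": len(self.chain), "prev_hash": self.chain[-1]["hash"],
                  "evidence_digest": sha256_hex(evidence), "note": note,
                  "timestamp": timestamp}
        block = dict(header, hash=block_hash(header))
        self.chain.append(block)
        return block

    def verify_chain(self):
        """Return (True, None) if intact, else (False, index of first bad entry)."""
        for i, block in enumerate(self.chain):
            header = {k: v for k, v in block.items() if k != "hash"}
            if block_hash(header) != block["hash"]:
                return False, i
            if i > 0 and block["prev_hash"] != self.chain[i - 1]["hash"]:
                return False, i
        return True, None

    def verify_evidence(self, index: int, evidence: bytes) -> bool:
        # Does the item presented in court still match what was registered?
        return self.chain[index]["evidence_digest"] == sha256_hex(evidence)


# Constructed sample evidence standing in for real file contents.
BODYCAM_CLIP = b"constructed bodycam clip bytes"
EMAIL_EXPORT = b"constructed email export bytes"


def demo() -> dict:
    ledger = EvidenceLedger()
    ledger.register(BODYCAM_CLIP, "bodycam clip", 1700000000)
    ledger.register(EMAIL_EXPORT, "email export", 1700000100)
    results = {
        "intact": ledger.verify_chain(),
        "clip_matches": ledger.verify_evidence(1, BODYCAM_CLIP),
        "edited_clip_matches": ledger.verify_evidence(1, BODYCAM_CLIP + b" edited"),
    }
    # An insider swaps entry 1's digest for that of an edited clip: the entry's
    # own hash no longer matches, so verification fails at index 1.
    ledger.chain[1]["evidence_digest"] = sha256_hex(BODYCAM_CLIP + b" edited")
    results["after_edit"] = ledger.verify_chain()
    # Recomputing entry 1's hash does not help: entry 2 still points at the
    # old hash, so the break simply moves to index 2.
    header = {k: v for k, v in ledger.chain[1].items() if k != "hash"}
    ledger.chain[1]["hash"] = block_hash(header)
    results["after_rehash"] = ledger.verify_chain()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The caveat a practitioner would add: whoever holds the only copy of this chain can rewrite entry 1 and then recompute every later entry in sequence, and verification will pass. What stops that is not the hashing but the replication the article mentions (other parties holding copies, or the latest hash published somewhere the insider cannot edit), which is why the property is best described as tamper-evidence rather than impossibility of change.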

Marcus Ralphs, a former soldier and now CEO of ByzGen Ltd, which makes blockchains for the security sector, said he was working on projects with the MoD using blockchain to track the status and level of individuals’ security clearance. Other work included helping the Foreign and Commonwealth Office (FCO) improve the way work permits are issued and records stored.

“PASSING THE BUCK”

These are early days.

Kemp says there’s no guarantee his project will be deployed more widely. And some who have worked with AUSTRAC are skeptical, saying such projects have more to do with agencies turning to the private sector because they’re running low on resources and ideas.

“The government is just looking to pass the buck on to private industry,” said Simon Smith, a cyber private investigator who has worked on cases involving AUSTRAC.

Many police forces and armies aren’t ready for the technological and mental leap necessary.

The Police Foundation, a UK think-tank focusing on policing and crime, is pushing British police to explore the blockchain, but its director, Rick Muir, said “we are still at the stage of ‘what is blockchain?’.”

Neil Barnas, a USAF major who last year wrote a thesis on the potential of blockchain in defense, said U.S. military and security agencies were slowly waking up.

The problem, he says, is that military minds are more inclined towards centralized systems than the decentralized ones that blockchain’s distributed ledger embraces.

That said, blockchain’s association with the criminal underworld has not dented its appeal to those who see its potential, said ByzGen’s Ralphs.

“The negative narrative around it has not at all watered down or diluted interest of the people we’ve been engaging with,” he said.

($1 = 1.3201 Australian dollars)

The Internet of Things Could Kill You, Or At Least Jab You With A Screwdriver


Lucas and his killer robots. Photo: JW

(This is the transcript of my BBC World Service piece which ran today. The original Reuters story is here.) 

I’m sure you’ve seen those cute little humanoid robots around? They’re either half size, or quarter size, they look like R2D2, and if you believe the ads, they could play with your kids or hold a screwdriver while you fix something under the sink. Some of them under $1,000. Nice, right?

Well, maybe not. The problem with these robots is that, a lot like everything else connected to the internet, they’re vulnerable to hackers. Lucas Apa, a researcher from IOActive, brought a couple into my office recently to show just how easy it is. These robots connect through wifi so you can control them, but that connection is really easy to hack, he showed. He says there’s very little if any security involved at all. In short, a bad guy could take over control of the robots and make them move, or monitor you — what you’re saying, what you’re doing — and send that back out to people. Or attack you.

To prove it he made one of the robots wander around as if he were drunk, while another, mimicking the ad, jabbed a screwdriver viciously while reciting lines from horror movie doll Chucky. These things, frankly, are scary enough with their unblinking eyes and the way they tilt their head to face you, even if you move.  But Chucky’s voice and the screwdriver really freaked me out. 

Lucas’ demonstration was just that: this is what could happen, he says, if we allow these things into our home and let kids play with them. He says there’s no evidence so far anyone has actually done this. The scariest thing, though, was that he’d been in touch with the half-dozen manufacturers of these things, some based in the US, some in Asia, for months and for the most part they’d either ignored him or said it wasn’t a problem. I got back to him recently and asked him whether things had improved when he’d gone public . No, he says; the companies that say they’ve addressed the problems haven’t. 

For those of us watching the internet of things this is a familiar refrain. There are so many things connecting to the internet these days it’s not surprising that there are problems.  There are dozens of devices in a home connecting, or trying to connect, to the wifi network. A senior cybersecurity guy told me he had found a bug in his wifi-connected barbeque that could theoretically have allowed someone to start a fire remotely. 
In short, the people making these devices do not treat security as a priority, and indeed may not understand it.

The irony is that these are physical devices, not just computers, and so they could actually do more real-world damage, if not cause us physical harm, than a computer sitting in the corner. Sure, the latter contains credit cards and personal data, but we rely on these connected devices to feed us, carry us, clean us, protect us from intruders. 

As Lucas showed with his Chucky-esque robot, this is not something we should be doing without a) thinking hard about how useful this is and b) quizzing the companies — hard — about how secure their devices are.  I’m not convinced we’ve really thought this all the way through.

Grab’s Promotion Problems

(updated to include Grab’s response, edits)

Grab, Uber’s rival in Southeast Asia, is putting up an impressive fight against the ridesharing company. Both have deep pockets, and offer incentives to both drivers and riders.

But Grab is either struggling to phrase its promos correctly or something more sinister is afoot. Today riders were in uproar when they found that a promotion that offered “$4 off 20 Grab rides next week” turned out to mean, well, not exactly that.

Those complaining that the $4 deal was cut short well before they’d used 20 rides were told that “the Terms and condition stated that the promo [has] limited .. redemptions available”. One Grab employee posted on Facebook that “We have taken your feedback and we will make it more obvious and clearer in our future communications. Stay tuned to our future promotions and happy Grabbing!”

Happy Grabbing indeed. I’ve looked at the terms and conditions and it does indeed say, at the bottom of the promo that ‘limited redemptions available’. But not all of them: see this one on my app below:


It’s hard to imagine, though, that this would be at the expense of the clear offer to “enjoy $4 off 20 Grab rides next week” — without any asterisk or weasel wording, at least close to the title.

I’ve reached out to Grab and they offered this:

I do want to assure you that our promos are genuine. There are terms and conditions and in this case, we had shared that the promo was for up to 20 rides, until the promo was fully redeemed (referencing the line on limited redemptions).

I’d like to be open with you on what happened. We could have been clearer on our communications. We had transparently highlighted it was limited redemptions in our eDMs and in-app notification of the promo, however in our notification when passengers had successfully redeemed the ‘4off’, it mentioned it was up to 20 rides without the additional line on limited redemptions. This was an oversight and I apologise for that. 

We’ve unfortunately disappointed some people this time around, and we have to put our hand up that we made a mistake in not repeating that there were limited redemptions. This oversight should not have happened.

I know there are questions asked about whether we had shared that there were limited redemptions – we did make sure to highlight this when we shared this promo. You’ll also see it in the notifications panel in the Grab app.

It’s not the first time I’ve wrestled with Grab’s promotion schemes. While they’re attractive, they clearly cannot be permanent, and at best I find them awkwardly implemented; at worst I find them deliberately awkwardly implemented, designed to fool the rider into believing they’ve been offered something only to find it’s something else. In the words of one Grab rider on Facebook: bait and switch.

Grab assure me that’s not the case, but I’m sure I’m not the only chump who topped up his GrabPay wallet thinking he would be enjoying a week of cheap rides. More fool me.