Bank scammers get smart(er)

By | June 1, 2018

Scammers still love the telephone. It’s the best way to scam people because you have got them there, in the palm of your hand, so to speak. Banks are slowly getting to grips with this and warning customers not to give personal details over the phone to anyone claiming they’re from a bank. Check the number, they warn, and ensure it’s one that is recognisably the bank’s.

Of course, scammers can get around that by spoofing the displayed number, but there’s another way too. Smart customers would usually google the number the call is coming from before accepting it. The number might be listed on websites like Truecaller, which are basically vast databases of users’ phone numbers, a sort of global phone directory.

Some are dedicated to identifying fake or scammy phone numbers to warn others. (In fact, this is one of Truecaller’s main selling points.)

Scammers are taking the next obvious step: adding their fake numbers to these services so the alert user who uses them to check whether it’s really their bank calling them might be hoodwinked into thinking the phone number is legit.

This is nearly what happened to me today. The phone number on display showed up in three different databases as an HSBC credit card call center, and it took me about 30 minutes on the phone to the real bank to confirm that it was in fact fraudulent.

I’m not quite sure what banks should do about this. They have gotten better about warning customers not to hand out personal details over the phone, but there are still too many legitimate calls and emails that could have been faked, or contain links that direct to a site other than their main banking site (usually promotional tracking URLs).

I think banks probably need to add an extra layer of security by allowing users to demand a key word be included on the bank’s part that is known only to the bank and the customer, so that the absence of such a key word should provide a warning to the customer to hang up. I also think that banks need to have better one-stop shops to work with their customer — too many times I get a response of ‘oh this is about a credit card, that’s a different department.’

It inconveniences the customer but, more importantly, it gives the impression that the customer should expect communications from different departments. If it’s one bank, it should be a single communicator. One point of failure, as it were, rather than several.

Of course, using phones when we could be using more secure channels is pretty absurd in 2018. But then banks look pretty anachronistic anyway, and so don’t get me started on that.

Update June 1 2018: I have since discovered that in fact the number was a legitimate bank number, despite staff there telling me it wasn’t. It kinda confirms my point about the need for a one stop shop in a bank. So I was crediting the scammers with being smarter than they are.

Nevertheless, something worked which I didn’t expect to: the bank caller was responding to a request I had made via secure email to contact me by phone, and I had asked that they use a specific word to confirm their identity. (I must confess I had forgotten about this, so I probably should have realised the call was about this.)

So that bit worked. And it might be a good idea in future to adopt this practice: if companies, especially banks, insist on calling you back, then you should leave them a specific code word they must use to authenticate themselves. They’ll ask you to authenticate yourself, but short of hanging up and calling back a number on their website or on the back of your credit card, there’s not much you can do.
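As an added illustration (not the bank’s procedure, and not code from this post), here is what the code-word check looks like written down, plus a per-call variant that a bank app could use so that a word overheard on one call can’t be replayed on the next. The class and method names are hypothetical, and the customer record and call references are made up for the demonstration.

```python
"""Callback authentication with a customer-registered code word.

Added example, not the bank's or the author's code. CodeWordRegistry and its
methods are hypothetical names; the customer record and call references below
are constructed for the demonstration.
"""
import hashlib
import hmac
import unicodedata


def _normalise(word: str) -> str:
    # A spoken word reaches the check as a transcription, so fold case, accents
    # and spacing: "Pelican  Sunrise" and "pelican sunrise" must compare equal.
    folded = unicodedata.normalize("NFKC", word).casefold()
    return " ".join(folded.split())


class CodeWordRegistry:
    """Code words the bank holds per customer. Assumed stored encrypted at rest:
    the bank must be able to speak the word, so a one-way hash is not an option."""

    def __init__(self) -> None:
        self._words: dict[str, str] = {}

    def register(self, customer_id: str, word: str) -> None:
        self._words[customer_id] = _normalise(word)

    def verify_spoken_word(self, customer_id: str, spoken: str) -> bool:
        """The customer's check: did the caller say the word I left with the bank?"""
        expected = self._words.get(customer_id)
        if expected is None:
            return False
        # Constant-time comparison, so timing does not reveal how much matched.
        return hmac.compare_digest(_normalise(spoken).encode(), expected.encode())

    def call_response(self, customer_id: str, call_reference: str) -> str:
        """Replay-resistant variant: the bank reads out a call reference, and both
        sides derive a six-digit response from it and the shared word (the customer
        via the bank's app). A response overheard on one call is useless on another."""
        key = self._words[customer_id].encode()
        digest = hmac.new(key, call_reference.encode(), hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def demo() -> dict:
    """Run one genuine and one impostor call against a constructed customer."""
    registry = CodeWordRegistry()
    registry.register("cust-001", "Pelican Sunrise")   # constructed customer
    today = "2018-06-01/0042"                           # constructed call references
    tomorrow = "2018-06-02/0007"
    return {
        "genuine_caller": registry.verify_spoken_word("cust-001", "pelican  sunrise"),
        "impostor": registry.verify_spoken_word("cust-001", "HSBC fraud team"),
        "unknown_customer": registry.verify_spoken_word("cust-999", "pelican sunrise"),
        "response_today": registry.call_response("cust-001", today),
        "response_differs_tomorrow": registry.call_response("cust-001", tomorrow)
        != registry.call_response("cust-001", today),
    }


if __name__ == "__main__":
    print(demo())
```

The static word only works for as long as nobody has overheard or phished it out of you; the per-call response closes that gap, but it needs the customer to have a trusted way to compute it, which brings us back to the bank’s app rather than the phone line.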

Bike Fencing

By | March 8, 2018

Some interesting stuff going on in Singapore’s world of bike sharing.

They’re approaching the problem of errant bike-parking by regulating the companies via a licensing regime, which will begin later this year, according to Today.

From what I can make of it, operators must
– be licensed, or face a S$10,000 fine and/or six months in jail
– be responsible for the parking of bikes within designated parking locations, or lose their licence or find their fleet size reduced

Users will also be watched, under a geo-fencing scheme that will require them to scan a QR code at the designated parking locations before ending their trip. Failure to do so will mean they’ll be charged continuously — I guess meaning the meter will keep running (not sure how this would work with the flat monthly rates all three operators are currently offering).

Readers have already pointed out potential flaws:
– what happens if there’s no space at the designated area?
– what happens if someone moves the bike after the user has scanned their code?

And Today pointed out in a piece that there need to be more designated areas to make this work. It’s fine picking up and parking a bike at a subway station or a bus stop, but what about when you’ve pedaled back to your home?

Singapore, as ever, is taking a positive but cautious approach to the sharing economy. I quite agree that companies are so far not incentivised to distribute their bikes with consideration, or to monitor them after they’ve been deployed. So something has to change. But also the usefulness of these bikes is going to decline rapidly if users aren’t able to leave the bikes within a few meters of their home for fear of draining their digital wallets.

More importantly, Singapore needs to consider what more it can do to encourage bike usage — by rapidly expanding its bike paths, by offering guidance to users about how and where they can use the bikes, and generally rewarding their use. As China has found, the more these bikes are used, the more other people feel comfortable using them and the quicker a social code of conduct emerges about their usage.


Disrupting Travel Disruption

By | January 24, 2018

easyJet seem to be taking an interesting, if not pioneering, approach to disruptive tech. While fintech has mostly absorbed the wave of startups that went after the financial industry from about 2011, travel startups initially went after the middlemen, creating a host of algorithm-based disintermediators, and put a lot of travel agents out of business. 

But airlines? Well there was this kind of thing, which I reported on a year or so ago. What about the airlines themselves, though? easyJet is taking the approach of incubating companies that complement its business, adding layers and businesses on the edge of what it does — which is ferry people around in the air.

Today, for example, it announced that it had adopted a new raft of startups into its accelerator programme: 

– WeTrip, an online group travel booking platform which sells holiday packages to small groups. Its algorithm is connected to distinctive activity suppliers, comparing endless combinations of components to build real-time offers according to the preferences of the group. Payment is also made simple, as group members can pay separately.

– Car and Away, a peer-to-peer car sharing community where car owners make money out of their parked vehicle while they are away on their travels.

– FlightSayer uses sophisticated simulation algorithms and machine learning to better predict flight delays hours, days and weeks before departure. With a $1.75m grant from NASA, the company’s technology is being used in the US by corporations, airlines and travel management companies to improve the travel experience and increase efficiencies, with plans to adapt it to European airspace.

– TrustedHousesitters, a global community of pet sitters.

So none of these detracts from easyJet’s business; they enhance it. None are disrupters, per se, although Car and Away does eat into car rentals. Instead easyJet uses these startups to add value to its own service:

– easyJet and TrustedHousesitters have partnered up to allow passengers to choose a free house sitter for their pet, or to find free accommodation as a house or pet sitter, when booking flights at easyJet.com.

Previous graduates of the programme have already partnered up — FLIO, an airport app, is working on integrating its content with the easyJet Travel App. LuckyTrip are also working on something similar.

Behind all this: Founders Factory, a sort of innovation factory backed by corporates from six sectors:  easyJet (Travel), L’Oréal (Beauty), Aviva (Fintech), Holtzbrinck (Education), Guardian Media Group (Media) and CSC Group (Artificial Intelligence).


Investigators – New Kids on the Blockchain

By | December 4, 2017

Here’s a Reuters piece I wrote on a hitherto uncovered area of blockchain potential — helping law enforcement and others collaborate and collect evidence better, among other things. 

For security agencies, blockchain goes from suspect to potential solution

By Jeremy Wagstaff, Byron Kaye

(Reuters) – Police and security agencies have so far only taken an interest in blockchain – the distributed ledger technology behind cryptocurrencies like bitcoin – for tracking criminals hiding illegal money from banks.

But that’s changing as some civilian, police and military agencies see blockchain as a potential solution to problems they have wrestled with for years: how to secure data, but also be able to share it in a way that lets the owner keep control.

Australia, for example, has recently hired HoustonKemp, a Singapore-based consultancy, to build a blockchain-based system to record intelligence created by investigators and others, and improve the way important information is shared.

“They’ve been trying for years to come up with a centralized platform, but people are reluctant to share information,” said Adrian Kemp, who runs the consultancy, which was awarded a A$1 million ($757,500) grant by AUSTRAC, Australia’s financial intelligence agency, and the Australian Criminal Intelligence Commission.

Blockchain’s appeal for data sharing is threefold.

Its ledger, or database, is not controlled by any single party and is spread across multiple computers, so no one participant can quietly rewrite it. Once entered, information cannot be altered or tampered with without the change being detectable by the other participants. And, by using so-called smart contracts, the owner of information can easily tweak who has access to what.

It’s a sign of how far blockchain technology has come within a decade since the publication of a pseudonymous paper describing bitcoin and the blockchain ledger that would record transactions in it.

Bitcoin has since become the preferred currency not only of libertarians and speculators, but also of criminal hackers. The bitcoin price is volatile, and hit record peaks late last month.

Governments are already exploring ways to store some data, such as land records, contracts and assets, in blockchains, and the financial industry, too, has experimented with blockchain technologies to streamline transactions and back-office systems, though with limited success.

SECURING SHARED DATA

The closest most law enforcement agencies have come to the blockchain has been working with start-up firms to analyze it for evidence of criminal deals.

But in the past year or so that attitude has begun to change.

The United States Air Force (USAF) has funded research into how blockchain could ensure its data isn’t changed. In May, the Defense Advanced Research Projects Agency (DARPA) awarded a grant to ITAMCO, the company behind an encrypted chat program, to make a secure messaging service based on the blockchain.

Amendments to a recent U.S. Senate defense bill require the government to report back on “the potential offensive and defensive cyber applications of blockchain technology and other distributed database technologies” and how foreign governments, extremists and criminals might be using them.

Britain, too, is exploring several uses of the blockchain, say consultants and companies working for several departments.

Cambridge Consultants, a UK-based consultancy, said it had worked with the Defence Science and Technology Laboratory, a UK Ministry of Defence (MoD) agency, on using a blockchain to improve the trustworthiness of a network of sensors on, for example, security cameras.

The UK’s justice ministry is looking at proving that evidence – video, emails, documents – hasn’t been tampered with by registering it all on a blockchain, according to a blog post on its website.
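To show what “registering evidence on a blockchain” actually buys you, here is an added example (not the justice ministry’s design, nor any vendor’s code) of the mechanism underneath: only a digest of each exhibit goes onto an append-only, hash-chained ledger, and verification later recomputes both the exhibit’s digest and the chain. The exhibits, IDs and class names are made up, and the ledger lives in one process so the check runs offline.

```python
"""Evidence registration on a hash-chained, append-only ledger.

Added example, not the UK justice ministry's or any vendor's design. Only a
SHA-256 digest of each item goes on the ledger; the video or e-mail itself
stays in the evidence store. The ledger lives in one process here so the
checks run offline (assumption); a deployed system would replicate it across
parties and sign entries.
"""
import hashlib
import json
from dataclasses import dataclass, replace


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Entry:
    index: int
    evidence_id: str
    evidence_hash: str   # digest of the evidence item
    prev_hash: str       # entry_hash of the previous entry (links the chain)
    entry_hash: str      # digest over this entry's own fields


def _entry_body(index: int, evidence_id: str, evidence_hash: str, prev_hash: str) -> bytes:
    # Canonical serialisation, so the same fields always hash the same way.
    return json.dumps({"i": index, "id": evidence_id, "h": evidence_hash, "p": prev_hash},
                      sort_keys=True).encode()


class EvidenceLedger:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def register(self, evidence_id: str, content: bytes) -> Entry:
        """Append a record of `content`; the bytes themselves are not stored."""
        index = len(self.entries)
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        evidence_hash = sha256_hex(content)
        entry_hash = sha256_hex(_entry_body(index, evidence_id, evidence_hash, prev))
        entry = Entry(index, evidence_id, evidence_hash, prev, entry_hash)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every entry hash and link; editing any earlier entry breaks
        the hashes of everything after it."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            expected = sha256_hex(_entry_body(i, e.evidence_id, e.evidence_hash, prev))
            if e.index != i or e.prev_hash != prev or e.entry_hash != expected:
                return False
            prev = e.entry_hash
        return True

    def verify_evidence(self, evidence_id: str, content: bytes) -> bool:
        """Does the item produced now match what was registered under this ID?"""
        for e in self.entries:
            if e.evidence_id == evidence_id:
                return sha256_hex(content) == e.evidence_hash
        return False


def demo() -> dict:
    """Register two constructed items, then try to tamper with each layer."""
    ledger = EvidenceLedger()
    cctv = b"\x00\x00\x00\x18ftypmp42" + bytes(range(64))   # constructed stand-in for a video
    email = b"From: a@example.org\r\nSubject: meeting\r\n\r\nNine o'clock, bring the files.\r\n"
    ledger.register("EXH-001", cctv)
    ledger.register("EXH-002", email)

    altered_email = email.replace(b"Nine", b"Ten")
    results = {
        "chain_ok": ledger.verify_chain(),
        "email_matches": ledger.verify_evidence("EXH-002", email),
        "altered_email_detected": not ledger.verify_evidence("EXH-002", altered_email),
    }
    # Now edit the ledger itself to match the altered e-mail, as an insider might.
    ledger.entries[1] = replace(ledger.entries[1], evidence_hash=sha256_hex(altered_email))
    results["ledger_edit_detected"] = not ledger.verify_chain()
    return results


if __name__ == "__main__":
    print(demo())
```

The caveat worth keeping in mind: an insider who also recomputes the entry hashes from the edited entry onward would produce a chain that verifies perfectly well. A single copy held by one party proves nothing by itself; it is the replication across agencies (and signatures on entries) that makes that rewrite visible, which is what the article’s “hard to break” refers to.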

Marcus Ralphs, a former soldier and now CEO of ByzGen Ltd, which makes blockchains for the security sector, said he was working on projects with the MoD using blockchain to track the status and level of individuals’ security clearance. Other work included helping the Foreign and Commonwealth Office (FCO) improve the way work permits are issued and records stored.

“PASSING THE BUCK”

These are early days.

Kemp says there’s no guarantee his project will be deployed more widely. And some who have worked with AUSTRAC are skeptical, saying such projects have more to do with agencies turning to the private sector because they’re running low on resources and ideas.

“The government is just looking to pass the buck on to private industry,” said Simon Smith, a cyber private investigator who has worked on cases involving AUSTRAC.

Many police forces and armies aren’t ready for the technological and mental leap necessary.

The Police Foundation, a UK think-tank focusing on policing and crime, is pushing British police to explore the blockchain, but its director, Rick Muir, said “we are still at the stage of ‘what is blockchain?’.”

Neil Barnas, a USAF major who last year wrote a thesis on the potential of blockchain in defense, said U.S. military and security agencies were slowly waking up.

The problem, he says, is that military minds are more inclined towards centralized systems than the decentralized ones that blockchain’s distributed ledger embraces.

That said, blockchain’s association with the criminal underworld has not dented its appeal to those who see its potential, said ByzGen’s Ralphs.

“The negative narrative around it has not at all watered down or diluted interest of the people we’ve been engaging with,” he said.

($1 = 1.3201 Australian dollars)

The Internet of Things Could Kill You, Or At Least Jab You With A Screwdriver

By | November 27, 2017


Lucas and his killer robots. Photo: JW

(This is the transcript of my BBC World Service piece which ran today. The original Reuters story is here.) 

I’m sure you’ve seen those cute little humanoid robots around? They’re either half size or quarter size, they look like R2D2, and if you believe the ads, they could play with your kids or hold a screwdriver while you fix something under the sink. Some of them cost under $1,000. Nice, right?

Well, maybe not. The problem with these robots is that, a lot like everything else connected to the internet, they’re vulnerable to hackers. Lucas Apa, a researcher from IOActive, brought a couple into my office recently to show just how easy it is. These robots connect through wifi so you can control them, but that connection is really easy to hack, he showed. He says there’s very little if any security involved at all. In short, a bad guy could take over control of the robots and make them move, or monitor you — what you’re saying, what you’re doing — and send that back out to people. Or attack you.

To prove it he made one of the robots wander around as if he were drunk, while another, mimicking the ad, jabbed a screwdriver viciously while reciting lines from horror movie doll Chucky. These things, frankly, are scary enough with their unblinking eyes and the way they tilt their head to face you, even if you move.  But Chucky’s voice and the screwdriver really freaked me out. 

Lucas’ demonstration was just that: this is what could happen, he says, if we allow these things into our home and let kids play with them. He says there’s no evidence so far anyone has actually done this. The scariest thing, though, was that he’d been in touch with the half-dozen manufacturers of these things, some based in the US, some in Asia, for months and for the most part they’d either ignored him or said it wasn’t a problem. I got back to him recently and asked him whether things had improved once he’d gone public. No, he says; the companies that say they’ve addressed the problems haven’t.

For those of us watching the internet of things this is a familiar refrain. There are so many things connecting to the internet these days it’s not surprising that there are problems. There are dozens of devices in a home connecting, or trying to connect, to the wifi network. A senior cybersecurity guy told me he had found a bug in his wifi-connected barbecue that could theoretically have allowed someone to start a fire remotely.
In short, the people making these devices do not treat security as a priority, and indeed may not understand it.

The irony is that these are physical devices, not just computers, and so they could actually do more real-world damage, if not cause us physical harm, than a computer sitting in the corner. Sure, the latter contains credit cards and personal data, but we rely on these connected devices to feed us, carry us, clean us, protect us from intruders. 

As Lucas showed with his Chucky-esque robot, this is not something we should be doing without a) thinking hard about how useful this is and b) quizzing the companies — hard — about how secure their devices are.  I’m not convinced we’ve really thought this all the way through.