Monday, November 27, 2017

Smartwatches - Spying on Kids

German Telecoms regulator the Federal Network Agency has banned the sale of smartwatches to children and asked parents to destroy any that they already have.

Danger To Children - Spying and Tracking


The reason why the regulator has taken the step is over concerns that children wearing the watches could be, in theory, spied upon and tracked. These risks have been identified because the watches are internet-connected and are thought to be poorly secured e.g. no encryption of any transmitted data. This could mean that they could be hacked and taken over, and also the GPS tracking in the watches could be used by unauthorised persons to track the child.

Demographic

Smartwatches like the ones that have been banned in Germany are generally aimed at children aged between five and twelve, and this could be considered to be a demographic that is particularly vulnerable if data from the watches fell into the wrong hands.

App

Smartwatches have a SIM card, limited telephony function, and are linked to an app.
Parents can use the app to access their child’s smartwatch, and thereby listen to what is happening in the child’s environment, and it has been reported that the German Federal Network Agency has evidence that parents have used this feature to listen to teachers in the classroom. This ‘unauthorised transmitting’ and the surrounding privacy concerns have led to schools being warned to be on the lookout for the watches.

Similar Case In Norway

This is not the first time that concerns have been raised about the security and privacy aspects of smartwatches. Back in October, the Norwegian Consumer Council (NCC) reported that some children's watches had flaws such as transmitting and storing data without encryption. Among the dangers identified were concerns that watches could have been hacked using basic techniques and the (child) wearer could have been tracked, or made to appear to be in a different location.

Internet-Connected Gifts / Toys Fear


Only last week there were news reports that the consumer watchdog Which? identified toys such as Connect, the i-Que robot, Cloudpets and Toy-fi Teddy as having a security vulnerability: they can be paired with over Bluetooth with no authentication required.

Also in the US, back in July this year, the FBI issued an urgent announcement describing the vulnerability of internet-connected toys to such risks, explaining steps to take to minimise the threat. The main concern appeared to be that young children could tell their toys private information, thinking they’re speaking in confidence. This information could be intercepted via the toy, thereby putting the child and family at risk.

What Does This Mean For Your Business?

Many tech and security commentators agree that a lot more care needs to be taken by manufacturers of Internet-connected / smart toys, gifts, and other home and business products to make sure that they are secure when they are sold, and that any information they do transmit is encrypted.

It is very worrying that children, in particular, may be at risk now due to vulnerabilities in smart toys. There have been many occasions in recent years when concerns about the security / privacy vulnerabilities in IoT / smart products have been publicly expressed and reported. The truth is that the extent of the current vulnerabilities is unknown because the devices are so widely distributed globally, and many organisations tend not to include them in risk assessments for devices, code, data, and infrastructure. Home / domestic users have no real way of ascertaining the risks that smart / IoT devices pose, probably until it’s too late.

It has also been noted by many commentators that not only is it difficult for businesses, including manufacturers of smart products, to ascertain whether all their hardware, software, and service partners are maintaining effective IoT security, but there is also still no universal, certifiable standard for IoT security.

For businesses, it’s a case of conducting an audit and risk assessment for known IoT devices that are used in the business. One basic security measure is to make sure that any default username and passwords in these devices are changed as soon as possible. For home users of smart products, who don’t run checks and audits, it appears that others (as in the case of the German Federal Network Agency) need to step in on their behalf and force the manufacturers to take security risks seriously.

Your Keystrokes Being Tracked

A new study from Princeton University has suggested that your keystrokes, mouse movements, scrolling behaviour, and the entire contents of the pages you visit may be tracked and recorded by hundreds of companies.

What??


The study revealed that no fewer than 480 websites of the world's top 50,000 sites are known to have used a technique known as ‘session replay’, which, although designed to allow companies to gain an understanding of how customers use websites, also records an alarming amount of potentially dangerous information.

The researchers found that companies are now tracking users individually, sometimes by name.

The Software

The session replay software detected in the study was offered by seven firms: FullStory, SessionCam, Clicktale, Smartlook, UserReplay, Hotjar and Yandex.

The research showed that companies using the software (on 492 sites) were sharing information about individuals with one or more of the seven replay companies, and that the percentage of sites giving information to the software companies was likely higher, because the software companies only track a sample, not the total, of visits to a website.

Companies Using The Software


As indicated in the research, some companies believed to be using session replay software include the Telegraph website, Samsung, Reuters, Home Depot (US retailer) and CBS News.

What’s The Risk?

As pointed out by the researchers, this kind of software is like someone looking over your shoulder, and the extent of the data collected may far exceed user expectations, with no visual indication to the website visitor that such monitoring is taking place.

Security commentators have noted that among the general browsing data collected by these third-party replay scripts, they are also capable of collecting some very sensitive and personal information e.g. medical conditions and credit card details. Depending on how this data is transmitted and stored (where and how securely?) this could expose people to risks such as identity theft and online scams.

The research also raised the question of whether state-sponsored surveillance is being carried out with session replay software, when it was noted that Yandex (one of the session replay software companies) is also Russia’s largest search engine.

What Does This Mean For Your Business?


Creeping surveillance and monitoring for multiple purposes is now part of our daily lives and includes e.g. CCTV, monitoring / surveillance of behaviour and Internet use at work, tracking via our mobile phones, EPOS / supermarket recording of our purchases, storage of our browsing history as part of the Investigatory Powers Bill / ‘Snooper’s Charter’, social media monitoring, and government attempts to gain back-doors into and stop end-to-end-encryption of popular platforms like WhatsApp.

Keystroke monitoring in itself is nothing new, but the difference now is that cyber-crime is at a high, data protection has become a more public issue (with breach-reporting obligations in the new regulation on the way, GDPR), and the latest session replay software is capable of recording so much detail, including our most sensitive data and interests.

For businesses, session replay software could be an asset in understanding more about customers and making marketing more effective and efficient. As consumers, we could be forgiven for having cause for concern, and with things like ad-blockers capable of filtering out only some replay scripts, we remain somewhat vulnerable to the risks that they may pose.

57 Million Data Breach Concealed By Uber - Hackers Paid

It has been reported that Uber concealed a massive data breach from a hack involving the data of 57 million customers and drivers, and then paid the hackers $100,000 to delete the data and to keep quiet about it.

More Than Two Years Ago?

Reportedly, the hacking of ride-hailing service Uber’s stored data took place more than two years ago. Instead of reporting the breach to regulators and going public with the news, Uber are now accused of concealing the breach.

What Actually Happened?


Reports indicate that back in 2016, two hackers were able to access a private GitHub coding site that was being used by Uber software engineers. Using the login details obtained from the GitHub repository, the attackers were able to go to the Amazon Web Services account that handled the company’s computing tasks and access an archive of rider and driver information. This information is believed to have been stolen by the hackers, who are then reported to have emailed Uber asking for money.

Hackers Paid

Almost as shocking as Uber keeping quiet about the breach for 2 years or more is their reported decision to pay the hackers $100,000 to delete their copy of the data, and to keep quiet about the breach. At the time of the hack, in November 2016, Uber was negotiating with U.S. regulators (Federal Trade Commission) who were investigating separate claims of privacy violations by the company and Uber had just settled a lawsuit with the New York attorney general over data security disclosures.

Kalanick and Sullivan

Uber’s former CEO, Travis Kalanick, who was ousted from the role earlier this year (but remained on the board), is reported to have known about the breach a month after it took place.

Joe Sullivan, the outgoing security chief, also appears to be somewhat in the frame over how the hack was handled, as it was only when Uber’s board commissioned an investigation (by an outside law firm) into the activities of Sullivan’s security team that the hack and the failure to disclose it were discovered.

What Kind of Data Was Stolen?

Reports indicate that, among the 57 million names, email addresses and mobile phone numbers stolen, 600,000 drivers also had their names and driver’s licence numbers exposed. This has led to drivers now being offered free credit monitoring protection.

History

Unfortunately, this is not the first time that poor practice has been uncovered in how Uber deals with data. For example, the U.S. has opened at least five criminal probes into the company’s activities around data, in addition to the multiple civil lawsuits that the company faces. In the UK, the government has also looked at banning the service on the grounds of alleged reckless behaviour, and Uber lost its London licence in September.

What Does This Mean For Your Business?


How companies store and handle data is, in today’s society, important to consumers, and to governments. The introduction of GDPR next year and the potentially severe penalties for businesses / organisations that don’t comply is evidence of how Europe and the UK are determined to force businesses / organisations to be more responsible, transparent, and follow practices that will ensure greater security. If companies really want to destroy their reputation and brand and risk being closed down, there are few better ways than [a] having a significant data breach (or being a repeat offender), and [b] failing to disclose that breach until being forced to do so.

Uber joins a line of well-known businesses that have made the news for all the wrong reasons where data handling is concerned e.g. Yahoo’s data breach of 500 million users' accounts in 2014 followed by the discovery that it was the subject of the biggest data breach in history back in 2013. Similar to the Uber episode is the Equifax hack where 143 million customer details were stolen (44 million possibly from UK customers), while the company waited 40 days before informing the public and three senior executives sold their shares worth almost £1.4m before the breach was publicly announced.

This story should help to remind businesses how important it is to invest in keeping security systems up to date and to maintain cyber resilience on all levels. This could involve keeping up to date with patching (9 out of 10 hacked businesses were compromised via un-patched vulnerabilities), and should extend to training employees in cyber-security practices, and adopting multi-layered defences that go beyond the traditional anti-virus and firewall perimeter.

Companies need to conduct security audits to make sure that no old, isolated data is stored on any old systems or platforms, and no GitHub-style routes are offering cyber-criminals easy access. Companies may now need to use tools that allow security devices to collect and share data and co-ordinate a unified response across the entire distributed network.

The reported behaviour of Uber is clearly poor and likely to inflict even more damage on the reputation and brand of the company. The hack is also a reminder to businesses to maintain updated and workable Business Continuity and Disaster Recovery Plans.
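
One practical check for the “GitHub-style routes” mentioned above is to scan files for cloud credentials before they are committed. The Python below is an added example, not Uber’s or GitHub’s tooling: it flags AWS access key IDs by their published format (20 characters beginning with AKIA or ASIA) and flags values assigned to credential-looking names when their Shannon entropy is high, while skipping obvious placeholders. The sample configuration is constructed; the key pair in it is the example pair from AWS’s own documentation, not a live credential. The function names, the regular expressions and the entropy threshold are assumptions made for this example.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-lived
# keys, ASIA for temporary ones) followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# "name = value" / "name: value" where the name looks like a credential.
# Assumed pattern for this example, not a standard list.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(?P<name>[A-Za-z0-9_.-]*?(?:secret|password|passwd|token|api[_-]?key)"
    r"[A-Za-z0-9_.-]*)\s*[=:]\s*['\"]?(?P<value>[^'\"\s]{8,})"
)

# Values that are clearly not real secrets: env-var references, <angle> markers,
# and common dummy words.
PLACEHOLDER = re.compile(
    r"^(\$\{?[A-Za-z0-9_]+\}?|<[^>]+>|changeme\w*|xxx+|your[-_]?[a-z_]+|example\w*)$",
    re.I,
)


def shannon_entropy(s: str) -> float:
    """Bits per character; machine-generated keys score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> List[Dict]:
    """Return one finding per suspicious item, with the 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "value": m.group(0)})
        for m in SECRET_ASSIGNMENT.finditer(line):
            value = m.group("value")
            if PLACEHOLDER.match(value):
                continue
            if shannon_entropy(value) >= entropy_threshold:
                findings.append({"line": lineno, "kind": "high_entropy_secret",
                                 "name": m.group("name"), "value": value})
    return findings


# Constructed sample modelled on a settings file that was committed by mistake.
# The AKIA.../wJal... pair is the documented AWS example pair, not a real key.
SAMPLE_CONFIG = """\
# constructed sample settings file
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = letmein123
api_token = ${API_TOKEN}
"""


def demo() -> List[Dict]:
    """Scan the constructed sample; expected: lines 3 and 4 are flagged."""
    return scan_text(SAMPLE_CONFIG)


if __name__ == "__main__":
    for f in demo():
        print(f"line {f['line']}: {f['kind']} -> {f['value']}")
```

Run scan_text over the staged files from a pre-commit hook and fail the commit on any finding. The entropy heuristic is deliberately conservative: the constructed “letmein123” line is not flagged, which is a reminder that entropy scanning catches machine-generated keys, not weak human-chosen passwords; those need a dictionary check, and in any case a secret that has reached a repository should be rotated, not merely deleted from history.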

Prison Sentences Demanded For Unauthorised Data Usage

The Information Commissioner’s Office (ICO) has said that it backs the idea that anyone accessing personal data without a valid reason or without their employer’s knowledge is guilty of a criminal offence, should be prosecuted, and prison sentences should be an option.

Recent Case

A recent case involving a nursing auxiliary at Newport’s Royal Gwent Hospital has re-ignited the ICO’s calls to get tough on personal data snoops. In the case of 61-year-old Marian Waddell of Newport, she was found to have accessed the records of a patient who was known to her, on six different occasions between July 2015 and February 2016, without having a valid business reason to do so and without the knowledge of the data controller (at the Aneurin Bevan University Health Board). The data controller is the person who (alone, jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is to be processed.

In this case, nursing auxiliary Waddell was found guilty of a section 55 offence (of the Data Protection Act 1998) and was fined £232, ordered to pay £150 costs, and ordered to pay a £30 victim surcharge.

Fines ... For Now

Section 55 offences of this kind are currently only punishable by fines, and such fines and costs have totalled £8,000 this year for nine convictions.

Section 55 of the Data Protection Act 1998 refers to the unlawful obtaining etc. of personal data, and it states that “a person must not knowingly or recklessly, without the consent of the data controller - obtain or disclose personal data or the information contained in personal data, or - procure the disclosure to another person of the information contained in personal data.”

The ICO, however, would like to see tougher penalties for data snooping. For example, a blog post by ICO enforcement group manager and head of the ICO’s criminal investigations team, Mike Shaw, highlighted the fact that offenders not only face fines, payment of prosecution costs, but could also face media (Internet) coverage of their offences, and damaged future job prospects. Mr. Shaw also stated that the ICO would like to see custodial sentences introduced as a sentencing option for the courts in the most serious cases.

Not Just An NHS Problem

The ICO have been quick to point out that data snooping and convictions for doing so are not confined to the NHS. Prosecution cases this year have also been brought against employees in local government, charities and the private sector.

Motives for data snooping vary, from sheer nosiness to seeking financial gain.

What Does This Mean For Your Business?

With GDPR soon to be introduced and with the ICO now pushing for possible prison sentences for certain data offences, businesses now need to (if they haven’t done so already) make data protection and compliance with data protection law a priority. This story should remind anyone in any business or organisation that, if you have access to personal data, that data is actually out of bounds to you unless you have a valid and legal reason for looking at it.

Businesses can help to make all staff aware of the rules and regulations for handling and processing data through staff training and education.

New, Free Secret Browsing and Cyber Security Service

Quad9 is a new, free service that will allow users to keep their Internet browsing habits secret and their data safe from malicious websites, botnets, phishing attacks, and marketers.

What’s The Problem?

When you browse the Internet, your Domain Name System (DNS) resolver is likely set to whatever your ISP would like it to be (unless you have changed it). DNS services can monitor your traffic data, and this information is often resold to online marketers and data brokers. We all face the security threat of unknowingly visiting domains that are associated with things like botnets, phishing attacks, and other malicious internet hosts. Many businesses also have to go to the trouble of running their own DNS blacklisting and whitelisting services.

Quad9

The new Quad9 free public Domain Name System (DNS) resolver addresses all of these threats. The service promises not to collect, store, or sell any information about your browsing habits, thereby freeing the user from receiving even more unwanted attention from marketers in the future.

Also, a large part of the value of the service is that it will block domains associated with botnets, phishing attacks, and other malicious internet hosts, and relieve businesses of the need to maintain their own blacklisting and whitelisting services.

How Does It Work?

The Quad9 system, so-named because of its 9.9.9.9 Internet Protocol address, draws upon IBM X-Force's threat intelligence database which is made up of 40 billion+ analysed web pages and images. The Quad9 service also draws upon 18 other threat intelligence feeds including Abuse.ch, the Anti-Phishing Working Group, Bambenek Consulting, F-Secure, mnemonic, 360Netlab, Hybrid Analysis GmbH, Proofpoint, RiskIQ, and ThreatSTOP.

Quad9 uses its intelligence feeds and database to keep an updated whitelist of domains never to block, using a list of the top one million requested domains. It also keeps a "gold list" of safe providers e.g. Microsoft's Azure cloud, Google, and the like.

Amazon Web Services

All of this means that, when a Quad9 user browses the Internet and visits a website, types a URL into a browser, or follows a link, Quad9 checks the site against its databases and feeds to make sure it’s safe. If it isn’t safe, access to it will be blocked, thus protecting the user from possible security threats.
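
To make the lookup flow concrete, here is an added Python model of a filtering resolver’s decision logic (example code, not Quad9’s implementation). It walks a queried name and its parent domains against a gold list of trusted providers, an allowlist of top requested domains, and a threat-feed blocklist, and then answers from a small constructed zone table. The list precedence (gold list, then allowlist, then blocklist), exact-match-only behaviour for the allowlist, the withholding of an answer for blocked names, the .test domain names and the 203.0.113.0/24 documentation addresses are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Tuple


@dataclass
class FilterPolicy:
    """The lists a filtering resolver consults. Precedence is an assumption for
    this example (the page names the lists but not their order): gold list,
    then allowlist, then threat-feed blocklist, then plain resolution."""
    blocklist: set = field(default_factory=set)   # domains from threat feeds
    allowlist: set = field(default_factory=set)   # top requested domains, never blocked
    gold_list: set = field(default_factory=set)   # trusted providers, never blocked

    @staticmethod
    def candidates(qname: str) -> Iterator[str]:
        """Yield the normalised name, then each parent down to the two-label
        name, so a feed entry for a domain also covers its subdomains."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(max(len(labels) - 1, 1)):
            yield ".".join(labels[i:])

    def decide(self, qname: str) -> Tuple[str, str]:
        """Return ("resolve" | "block", reason) for a queried name."""
        names = list(self.candidates(qname))
        for n in names:                       # a trusted provider or any subdomain
            if n in self.gold_list:
                return "resolve", f"gold list ({n})"
        if names[0] in self.allowlist:        # exact match only (assumption)
            return "resolve", f"allowlist ({names[0]})"
        for n in names:                       # the name or a parent is on a feed
            if n in self.blocklist:
                return "block", f"threat feed ({n})"
        return "resolve", "no list matched"


class FilteringResolver:
    """Answers from a constructed zone table. A blocked name gets no answer,
    which models the resolver withholding the record (an assumption; the page
    says only that access is blocked)."""

    def __init__(self, policy: FilterPolicy, zone: Dict[str, str]):
        self.policy = policy
        self.zone = zone

    def resolve(self, qname: str) -> Tuple[Optional[str], str]:
        verdict, reason = self.policy.decide(qname)
        if verdict == "block":
            return None, reason
        return self.zone.get(qname.lower().rstrip(".")), reason


def demo_policy() -> FilterPolicy:
    """Constructed lists. popular-example.test is on a feed as well as on the
    allowlist, to show the allowlist overriding a stale feed entry."""
    return FilterPolicy(
        blocklist={"phish-example.test", "c2-example.test", "popular-example.test"},
        allowlist={"popular-example.test"},
        gold_list={"cloud-provider.test"},
    )


# Constructed answers using RFC 5737 documentation addresses.
SAMPLE_ZONE = {
    "login.phish-example.test": "203.0.113.7",
    "popular-example.test": "203.0.113.10",
    "cdn.cloud-provider.test": "203.0.113.20",
    "shop.example.test": "203.0.113.30",
}


if __name__ == "__main__":
    resolver = FilteringResolver(demo_policy(), SAMPLE_ZONE)
    for name in SAMPLE_ZONE:
        answer, why = resolver.resolve(name)
        print(f"{name:28} -> {answer or 'BLOCKED':14} ({why})")
```

The ordering matters: putting the allowlist and gold list ahead of the feeds is what stops a mistaken or stale threat-feed entry from taking a widely used domain offline, and the parent-domain walk is what lets one feed entry cover every hostname an attacker creates beneath it.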

Not For Profit

The Quad9 service is the result of a non-profit alliance between IBM Security, Packet Clearing House (PCH), and The Global Cyber Alliance, an organisation founded by law enforcement and research firms.

What Does This Mean For Your Business?


This service offers businesses another useful and free tool in the fight to maintain cyber security and resilience in an environment where threats seem to be around every corner. This service has some credible contributors with serious critical mass, and has a presence in over 70 locations across 40 countries, with plans to double its global presence over the next 18 months. This means that Quad9 could add real value to business efforts to deter threats that can come from anywhere in the world. It could also save businesses the time and trouble, and extra risk of having to compile their own (often inadequate) blacklisting and whitelisting services, and can help businesses to defend themselves from evolving threats. This kind of service also helps protect against all-too-common human error by blocking threats automatically.

Businesses hoping to use the service simply need to change the DNS settings in their device or router to point to 9.9.9.9. Installation videos and guides are also available online.

Monday, November 20, 2017

Ofcom has announced that broadband and landline customers will be automatically able to get money back from their providers when things go wrong, without having to make a claim for it.

Review Brings ‘Automatic Compensation’ Agreement

After a review and intervention in the broadband market by Ofcom, BT, Sky, TalkTalk, Virgin Media and Zen Internet, who collectively serve around 90% of landline and broadband customers in the UK, have agreed to introduce automatic compensation, which should reflect the harm consumers suffer when things go wrong. Plusnet and EE have also indicated that they may also join the scheme.

£142 Million

Compensation is currently only paid in approximately one in seven cases (15%) where landline or broadband customers have suffered slow repairs, delayed installations or missed engineer appointments. The actual amount of compensation paid in these cases is also widely recognised to be small.

With the new automatic compensation, the amounts paid are predicted to be around nine times higher with customers set to receive an estimated £142 million in payouts.

Entitlement


The new automatic compensation scheme will apply to fixed broadband and landline telephone services. Customers will be able to receive the compensation if:
  • Services have stopped working and are not fully fixed after two full working days. In these cases, customers will be entitled to £8 for each day it is not repaired.
  • An engineer doesn’t turn up for the scheduled appointment, or if the appointment is cancelled with less than 24 hours' notice. In these cases customers should receive £25 per missed appointment.
  • A provider promises to start a new service on a particular date, but fails to do so. In this case, customers will be able to claim £5 for each day of the delay, including the missed start date.

Not For 15 Months

According to Ofcom, the complexity of launching the first ever automatic compensation scheme for telecoms customers, and the changes to providers’ billing systems, online accounts and call centres that will be required to implement the system will mean that it won’t come into effect for 15 months.

What Does This Mean For Your Business?

Ofcom’s own research shows that nine in ten adults report going online every day and three-quarters of internet users say it is important to their daily lives. For businesses, a fast and reliable broadband connection is vital to operate and compete effectively in today’s marketplace. Problems with broadband services can be very costly and frustrating for businesses, and many businesses feel that they shouldn’t have to fight for compensation on top of the problems caused by poor broadband services, and that current levels of compensation are too low, and don’t come close to reflecting the harm caused. Automatic compensation at higher levels is, therefore, good news, although there are still 15 months to wait before the scheme starts.

The new automatic compensation scheme is particularly good news for small businesses because one-third of small and medium-sized enterprises (SMEs) choose residential landline and broadband services, and around half (49%) of SMEs don’t know if they’re entitled to compensation when service falls short (Ofcom figures).

It is also reassuring to know that the main providers are on board with the scheme, and that Ofcom plans to monitor its implementation, review it after one year, and step in if it's not working well enough for customers.

1 In 4 Law Firms Ready For GDPR

A report by managed services provider CenturyLink Emea shows that, despite the threat of fines of up to €20m or 4% of annual global turnover for serious data protection failings, only 25% of more than 150 legal sector IT decision-makers said their firms were GDPR ready.

Why Not?

If any sector looks likely to be prepared for the introduction of GDPR next year, you could be forgiven for thinking that the legal sector would be at the forefront, given that companies and individuals will be seeking the advice, help and services of law firms with compliance and enforcement matters.

According to the report, however, three quarters of law companies are not ready, and are not achieving higher levels of privacy and data security because of challenges relating to human mistakes (50%), dedicated cyber attacks, e.g. distributed denial of service (DDoS) attacks, ransomware or SQL injection (45%), and lost documentation and devices (36%).

The report shows, for example, that 1 in 5 law firms have experienced an attempted cyber attack in the past month, and less than one-third (31%) of IT directors believe their firm is compliant with cyber-security legislation.

Shadow IT Worries


One other interesting area of confusion for law firms appears to be Shadow IT. This term describes the apps and services that employees bring in to company systems without going through the approved channels, and how employees use them in their own way to solve specific work problems. Many companies see it as a threat to control, security and the strategy of the business, as well as a strength in some situations.

The CenturyLink Emea report shows that 11% of law firms have no shadow IT policies at all, and although one-third (33%) of firms don’t officially permit bring your own device (BYOD) or bring your own apps (BYOA), in reality 43% of IT decision-makers at law firms trust their IT teams to “do the right thing” for their business.

Not The First Negative GDPR Report

This is certainly not the first GDPR report with less than positive news. Only last month, a study by DMA group (formerly the Direct Marketing Association) revealed that more than 40% of UK marketers said their business is not ready for changes in the forthcoming General Data Protection Regulation (GDPR). One of the main issues highlighted in that report was confusion over issues of consent in GDPR. Some commentators have said that focusing too much on consent as a basis for data collection could mean that companies miss other options and issues, and end up not being ready and compliant in time.

What Does This Mean For Your Business?

The findings of this report are surprising in some ways, partly because in September last year, media reports indicated that the legal profession was already preparing itself for the introduction of GDPR in terms of how to build a market for litigation as well as ensuring that they fully understand the many different aspects of the Regulation and its implications. It appears, however, that legal firms are experiencing the same challenges as companies in other sectors. To some extent, the news that law firms are apparently not up to speed with GDPR is likely to be somewhat of a relief to many businesses.

Law companies also face an added risk to their reputation, e.g. if they are hacked and there is a data breach due to non-compliance. This is the reason why many law firms and other companies are now taking steps towards greater security by moving away from legacy, on-premise IT systems to private or public managed cloud arrangements. Outsourcing IT infrastructure to providers can offer a secure environment to support digital transformation initiatives, and managed services can minimise the risk posed by external attacks, and free up internal resources to focus on innovative IT and business initiatives.

With GDPR, one of the key challenges for all companies in addition to getting an understanding of consent issues is making sure the technology is in place to help deal with data in a compliant way. Some technology products are now available to help deal effectively with data, and many tech commentators believe that developments in AI and machine pattern learning / deep learning technologies will be able to be used by companies in the near future to help with GDPR compliant practices.

At this late stage, legal firms and those in other sectors clearly need to press on quickly and get to grips with GDPR and its implications. Ordinarily, one piece of advice for companies would be to seek professional advice to at least highlight which areas are most legally pressing, but in the light of this report, it seems that some law firms may be struggling to see how GDPR applies to themselves, let alone their customers.

Google's Scary Hack Stats

With more than 15% of Internet users reporting takeovers of their email or social networking accounts, new research by Google and the University of California, Berkeley has shed light on how passwords are stolen and how accounts are hacked.

Tracking Black Markets

The research, which took place between March 2016 and March 2017, and focused on password stealing tactics, tracked several black markets that traded third-party password breaches, as well as 25,000 blackhat tools used for phishing and keylogging.

This tracking identified a staggering 788,000 credentials stolen via keyloggers, 12 million credentials stolen via phishing, and 3.3 billion credentials exposed by third-party breaches.

Findings

Google’s summary of the research was that enterprising hijackers are constantly searching for, and are able to find, billions of different platforms’ usernames and passwords on black markets. This means that many of us are (unknowingly) at risk of suffering a takeover of our accounts.

For example, the research found that 12% of the exposed records included a Gmail address serving as a username and a password, and, of those passwords, 7% were still valid due to reuse.

Google Accounts - Targeted By Phishing and Keyloggers


The research showed that phishing and keyloggers frequently target Google accounts, and that 12-25% of their attacks yield a valid password. In fact, Google concluded that the 3 greatest account takeover threats are phishing, followed by keyloggers, and finally third-party breaches.

Password Alone Not Enough

With greater security being applied to many different types of accounts e.g. two-factor verification and security questions, the research acknowledged that a password is rarely enough to gain access to e.g. a Google account. This explains why attackers now have to try to collect other sensitive data, and the research found evidence of this in the 82% of blackhat phishing tools and 74% of keyloggers that now attempt to collect a user’s IP address and location, and in the 18% of tools that collect phone numbers and device makes and models.

What Does This Mean For Your Business?


It is worrying for all businesses that so much information and so many hacking tools are available to criminals on the black market, and that attackers are becoming more sophisticated in their methods.

It is good, however, that Google has made a serious attempt with the research to understand the scale, nature, and sources of the risks that their customers face. The real value to businesses will come from Google and other companies using the findings of the research to tighten account security, close loopholes, and try to keep one step ahead of cyber-criminals. Google has, for example, stated that it has already applied the insights to its existing protections: Safe Browsing now protects more than 3 billion devices (alerts about dangerous sites / links), account logins are monitored for suspicious activity with extra verification requested where needed, and activity across Google products is scanned regularly. Google states that the scanning of its products enables it to prevent or undo actions attributed to account takeover, notify the affected user, and help them change their password and re-secure their account into a healthy state.

Google’s 2 key pieces of advice to customers to help prevent account takeover are to:
  1. Visit Google’s ‘Security Checkup’ to make sure you have recovery information associated with your account, like a phone number.
  2. Allow Chrome to automatically generate passwords for accounts and save them via Smart Lock.

Huddle Leaked Business Documents

A flaw has been discovered in the collaboration tool Huddle that is believed to have left private company documents viewable by unauthorised persons.

What is Huddle?

Huddle is a cloud-based ‘secure’ software system for collaborative work, file sharing and project management. It can be accessed through mobile and desktop apps, and can be integrated with enterprise tools such as Microsoft Office, Google Apps for Work, SharePoint and Salesforce.com.

Used By Government Agencies

What makes this recent discovery more worrying and embarrassing is the fact that Huddle publicly claims that more than 80% of UK Central Government agencies use the Huddle system and that it has administrative, technical and physical safeguards, and yet a simple login flaw appears to have exposed clients to potentially serious security risks.

What Happened?

The security flaw is reported to have been discovered by a journalist who tried to log in and access a shared diary for their team, but was instead logged in to a KPMG account, and was able to view a directory of private documents and invoices, and an address book.

Huddle also discovered later that an unauthorised person (unknown) had accessed the Huddle of BBC Children's programme Hetty Feather, but had not opened any of the private documents.

Why?


Huddle’s reported explanation of the problem is that because two users arrived at the login server within 20 milliseconds of each other they were both given the same authorisation code. This duplicate code was then carried to the security token process, and whoever was fastest to request the security token was logged in to the system, and was therefore able to see another company’s files.

Rare

A statement from Huddle appeared to play down the seriousness of the discovery by pointing out that the bug had only affected six sessions out of 4.96 million log-ins between March and November.

Now Fixed

Huddle users will be relieved to hear that Huddle has now fixed the bug by making sure that a new authorisation code is generated every time the system is invoked.
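To make the mechanism described above concrete, here is an added example (constructed for this article, not Huddle's code) that contrasts an authorisation code derived from a coarse 20 ms clock bucket, where two logins in the same bucket collide and the first to exchange the code gets the other user's session, with a corrected issuer that generates a fresh random, single-use code bound to the requesting user. The user names and the `FakeClock` helper are assumptions used only to drive the demonstration.

```python
import secrets
import time


class FakeClock:
    """Controllable clock for the demonstration (constructed; real code uses time.monotonic)."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class TimeBucketCodeIssuer:
    """Flawed issuer modelled on the reported behaviour (constructed, not Huddle's
    code): the authorisation code is derived from a coarse 20 ms clock bucket, so
    two logins landing in the same bucket are handed the same code."""

    BUCKET_MS = 20

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._issued = {}  # code -> user it was last issued to (a later login overwrites)

    def issue(self, user):
        bucket = int(self._clock() * 1000) // self.BUCKET_MS
        code = f"auth-{bucket:x}"
        self._issued[code] = user
        return code

    def redeem(self, code):
        # Whoever exchanges the code for a token first receives whatever user the
        # code is currently bound to, which may be the other login.
        user = self._issued.pop(code, None)
        return None if user is None else f"session:{user}"


class RandomCodeIssuer:
    """Corrected design: an unpredictable, single-use code per request, bound to
    the user it was issued to and to a short lifetime."""

    TTL_SECONDS = 60

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # code -> (user, issued_at)

    def issue(self, user):
        code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        while code in self._pending:      # defensive uniqueness check; practically never loops
            code = secrets.token_urlsafe(32)
        self._pending[code] = (user, self._clock())
        return code

    def redeem(self, code, user):
        entry = self._pending.pop(code, None)  # single use: a replay finds nothing
        if entry is None:
            return None
        issued_to, issued_at = entry
        # A code presented by someone it was not issued to, or after expiry, is
        # burned rather than honoured.
        if issued_to != user or self._clock() - issued_at > self.TTL_SECONDS:
            return None
        return f"session:{user}"


def demo():
    """Two logins 5 ms apart: the flawed issuer collides, the corrected one does not."""
    clock = FakeClock()
    flawed = TimeBucketCodeIssuer(clock)
    a = flawed.issue("alice")
    clock.advance(0.005)
    b = flawed.issue("bob")
    # alice exchanges her code first but receives a session for bob's account
    collision = {"same_code": a == b, "alice_gets": flawed.redeem(a)}

    fixed = RandomCodeIssuer(clock)
    a = fixed.issue("alice")
    b = fixed.issue("bob")
    fixed_result = {"same_code": a == b, "alice_gets": fixed.redeem(a, "alice")}
    return collision, fixed_result


if __name__ == "__main__":
    print(demo())
```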

What Does This Mean For Your Business?


The important point for businesses to take away from this story is that even trusted, popular, market leading 3rd party systems are likely to have some undiscovered bugs in them - no system is perfect, and the chances of them being discovered and exploited are very small. It is also a good (and lucky) thing that a responsible person (the journalist) discovered and reported the bug so that it has now been fixed.

Critics, however, have highlighted the fact that it is surprising and worrying that a global leader in secure content collaboration that is supposed to offer a world-class service, and publicises how its system is trusted with sensitive government information could have its system so easily compromised, without the need for any hacking or illegal activity.

For the companies whose details have been accessed, it’s unlikely to be the rarity of such an event that concerns them, but more the fact that they trusted a 3rd party with their company security, and have suffered a potentially damaging breach as a result. It is also likely to damage trust in the Huddle service, raise questions about how rare such an event really is, and tempt some companies to switch suppliers, or perhaps to use the system for less sensitive projects.

Xmas Toys - Security Concerns

With Christmas just around the corner, consumer watchdog Which? has asked retailers to stop selling some popular internet-connected toys which have "proven" security issues that could allow attackers to take control of the toy or send messages.

Toys At Risk


Consumer watchdog Which? has identified toys such as Furby Connect, the i-Que robot, Cloudpets and Toy-fi Teddy as having a security vulnerability because no authentication is required, and they can be connected to via Bluetooth.

Children At Risk

The main worry is that children and the privacy / security of all members of a household could be put at risk because manufacturers have cut costs, been careless, or rushed their products to market without building in adequate protection against takeover / hacking and reverse engineering e.g. to conduct surveillance.

Toy Makers Say

In the light of the Which? research, Hasbro, the manufacturer of Furby Connect, has pointed out that it would take a large amount of reverse-engineering of their product, plus the need to create new firmware, for attackers to have a chance to take control of it.

Vivid Imagination, which makes I-Que, is reported as saying that although it would review Which?'s recommendations, it is not aware of any reports of these products being used in a malicious way.

Old Fears


The idea that a toy could pose a security risk in this way dates back to 1998, when a small robot ‘Furby’ was banned by the US National Security Agency.

Also in the US, back in July this year, the FBI issued an urgent announcement describing the vulnerability of internet-connected toys to such risks, explaining steps to take to minimise the threat. The main concern appeared to be that young children could tell their toys private information, thinking they’re speaking in confidence. This information could be intercepted via the toy, thereby putting the child and family at risk.

Other Types of ‘Toy’

There was also news this week that Hong Kong-based firm Lovense had to issue a fix to the app in its remote (Bluetooth) controlled sex toy (vibrator) after a Reddit user discovered a lengthy recording on their phone which had been made during the toy’s operation.

This prompted more concerns about where the audio files (recorded via a user’s smartphone microphone) are being stored. The company is reported as saying that the audio files are not transmitted from the device, that the problem was caused by "a minor bug" limited to Android devices, and that no information or data was sent to its servers.

Not The First Time


This is not the first time that concerns have been raised about IoT sex toys. Back in March, customers of start-up firm Standard Innovation, manufacturers of IoT ‘We-Vibe’ products, were left red-faced and angry after the company was judged by a court to have been guilty of covertly gathering data about how (and how often) customers used their Wi-Fi enabled sex toy.

What Does This Mean For Your Business?

These reports have re-ignited old concerns about the challenge of managing the security of the many Internet-connected / smart / IoT devices that we now use in our business and home settings.

Where businesses are concerned, back in July 2016 a Vodafone survey showed that three quarters of businesses saw how they use the Internet of Things (IoT) as being a critical factor in their success. Many technology commentators have also noted that the true extent of the risks posed by IoT device vulnerabilities is unknown because the devices are so widely distributed globally, and large organisations have tended not to include them in risk assessments for devices, code, data, and infrastructure. It has also been noted by many commentators that not only is it difficult for businesses to ascertain whether all their hardware, software, and service partners are maintaining effective IoT security, but there is also still no universal, certifiable standard for IoT security.

Businesses, therefore, may wish to conduct an audit and risk assessment for known IoT devices that are used in the business. One basic security measure is to make sure that any default username and passwords in these devices are changed as soon as possible.

Security experts also suggest that anyone deploying IoT devices in any environment should require the supply chain to provide evidence of adherence to a well-written set of procurement guidelines that relate to some kind of specific and measurable criteria.

Microsoft has also compiled a checklist of IoT security best practice. This highlights the different areas of security that need to be addressed by the organisations involved throughout the lifecycle of an IoT system e.g. manufacturing and integration, software development, deployment, and operations.

Monday, November 13, 2017

Cuts Mean Fewer ATMs But More Cashless Payments

Banking industry group LINK has warned that a plan to cut the fees that fund their cash machines could mean that more ATMs will be axed.

What Fees?


The 38 card issuers (banks and building societies) have proposed a cut in the funding (the interchange fee) that they pay to ATM operators over the next 4 years, from around 25p to 20p per cash withdrawal.

ATM operators such as LINK rely upon these fees to help them fund their network of free-to-use cash machines. Less funding could, therefore, mean that a reduction in the number of ATMs will be necessary.

Cuts - Where Multiple Machines Close Together

It has been reported that LINK will seek to minimise the impact upon users of their ATMs by only axing ATMs in areas where there are multiple cash machines close together.

One In Five Lost Says Lobby Group


The industry lobby group, the ATM Industry Association has, however, warned that as many as one in five of the 55,000 ATMs from which we withdraw cash could disappear, thus creating “ATM deserts” across the UK, with providers shutting unprofitable machines in deprived areas first.

LINK Deny Massive Cut In ATM Numbers

LINK reportedly disagree with the ATM Industry Association’s predictions and have pointed out that, despite a decline in the use of cash, and the inevitable closure of some cash machines with the fee cut, there are still 5,000 more free-to-use ATMs than three years ago.

Bigger Picture - Decline of Cash and Rise of Contactless

Many tech commentators see this development as simply another step in an ongoing and unstoppable, global move away from the use of cash (in developed economies) in favour of contactless payments.

Back in May, for example, projected figures from payments industry trade body ‘Payments UK’ showed that by as soon as 2018, more payments could be made using debit cards than using cash. Payment commentators have also predicted that contactless debit card payments could account for more than 25% of payments by 2026.

A decline in the use of cash has been a clear pattern for some time now. The British Retail Consortium's (BRC) Payments Survey found, for example, that cash was used for fewer than half of all retail transactions across the UK in 2015, which amounted to 20% fewer transactions made with cash than in 2011. Debit cards now make up around 40% of transactions in the UK, and 54% in terms of overall value of retail sales.

Contactless Cash Machine

The signs are that the remaining ATMs will be updated and developed to provide other types of services. For example, back in November 2016, Barclays conducted a trial of a new system which allowed customers to use their normal PIN in combination with leaving their smart-phone handset near to the bank machine, thereby enabling "contactless" near-field communication (NFC) transmission for cash withdrawal.

Also, in Portugal for example, ATMs are now part of a fully integrated cross-bank network and offer customers a range of other bank-related functions and services e.g. cash and cheque deposits, cinema and concert ticket purchases, tax payments, bill payments, and mobile phone top-ups. It has also been predicted that ATMs could be made self-service and more like tablet computers e.g. with swipe, pinch and zoom functions, and that drive-through ATMs could be developed to allow people to complete withdrawals or transactions that they started on their phones.

What Does This Mean For Your Business?

Many retail businesses will already know that consumers use less cash and prefer the convenience and speed of contactless. This is why businesses have had to invest heavily in new payments technology in order to make it easier and quicker for customers to securely complete transactions in-store. Retailers have, however, benefited from cost and time savings (and having to deal with less cash). Contactless payments can mean increased average transaction values (ATV), more footfall, a reduction in the costs and hassle of handling cash, and reduced business risks due to having a clear audit trail and assured payment.

For all of us, however, a sudden loss of one in five ATMs could prove to be very inconvenient in the meantime, and there is a view that the money saved by a tiny number of banks, could actually be at the expense of already hard-pressed consumers.

Art Galleries And Dealers Defrauded Through Email Hack

Art galleries and dealers in the UK have lost hundreds of thousands of pounds after being targeted by email hackers.

Monitor, Intercept and Replace

The social engineering scam, known as a 'man-in-the-email' (man in the middle / MITM) attack, which has also worked on US art dealers, involves hacking into the email account of targets - in this case, London art dealers. The hackers have then monitored the email correspondence with the gallery’s clients, and intercepted and diverted payments from clients. This involved intercepting real PDF invoices sent to customers, and swapping them with fraudulent invoices with instructions to send payments to a different account.

It has also been reported that the hack has been used to steal payments made by galleries to their artists. After the money was received by the hackers, it is believed that it was moved to untraceable locations.

At Least Nine Victims

Reports indicate that at least nine art galleries and art dealers in the US and now in London have fallen victim to the hackers, and although no exact figure has been put on the losses, the nature of the products that the victims deal in indicates that they could run from tens of thousands to millions of pounds to date.

Warned

The Society of London Art Dealers is reported to have previously warned its members about email fraud, and has released further cyber-security materials following this latest scam.

Initial Steps To Prevent More Fraud

The London Evening Standard reported that one way that the Mayfair gallery (Simon Lee), and Thomas Dane Gallery in St James's have responded to this latest attack is by overhauling their invoicing procedures e.g. Simon Lee's gallery now issues a standard warning about cyber fraud with every invoice, and the dealer’s accountant confirms banking details with clients over the phone.

What Does This Mean For Your Business?


Online fraud has been on the increase for some time now. Netcraft figures (2016) show that 95% of servers are lacking HSTS security features and are prone to MITM attacks. MITM is also spreading from desktop connections to mobiles, and even to the IoT space.

Spyware and malware programs (often arriving by email) are two of the prime causes of MITM attacks and companies can, therefore, seek to insulate themselves against these types of attacks with initial measures such as being proactive in renewing antivirus programs and patches, and conducting regular scans for malware. It is also important to raise awareness among staff and to educate them about the dangers of opening unknown emails. Other measures that companies can take to help themselves include:
  • Introduce multi-stage authentication processes.
  • Have a (verification / authentication / authority) procedure in place for any requests for bank details, payments, money transfers etc.
  • Empower and encourage staff to ask questions and conduct checks wherever suspicions are aroused.
  • Avoid visiting or exchanging information across any websites that do not have the security of HTTPS.
  • Make sure you have the latest version of your server software and disable old security protocol versions.
  • Avoid using free public hotspots, and if there is no option but to use them, use a Virtual Private Network or an SSL plugin.
  • Implement Certificate-Based Authentication for all employee machines and devices.

Quarter of UK Workers Deliberately Breach Confidentiality

Research commissioned by data privacy and risk management firm Egress Software Technologies has revealed that a quarter of UK workers have purposefully shared confidential business information outside their organisation.

Sharing Confidential Business Information

The findings of the research, conducted by OnePoll on behalf of Egress among 2,000 UK workers who regularly use email as part of their jobs, make worrying reading for UK businesses and highlight the common, but often overlooked, security vulnerabilities of ‘insider threat’ and human error.

The research showed that not only have 24% of workers purposely shared info with other companies, but nearly 50% have received an email by mistake. This has meant that almost half (46%) of respondents in the research admitted to having received a panicked email recall request.

Malicious

In the case of ‘malicious’ insider threat, it is worrying that the research indicates that 24% of workers have purposely shared information with competitors or new and previous employers and other entities. This amounts to a data breach that it is difficult for companies to protect themselves against. These kinds of leaks and breaches can undermine company efforts to comply with data protection laws and protect competitive advantage, and can leave companies open to huge financial risks, loss of customers, and damage to their brands.

An example of insider threat that has been in the news (again) recently is the case of the disgruntled former Morrisons employee who stole and leaked the personal details of almost 100,000 staff to national newspapers, and on data-sharing websites. This resulted in a £2 million clean-up bill at the time, and now 5,518 former and current Morrisons employees are suing the company in the High Court.

Accidental


The Egress research appears to show, however, that a more likely risk that most companies face is accidental email misuse. The research revealed that the biggest human factor in sending emails in error is listed as ‘rushing’ (68%), and auto-fill technology, meanwhile, caused almost half (42%) to select the wrong recipient in the list.

8% of those workers involved in the research even admitted to alcohol being involved with wrongly sent emails.

Sensitive Attachments

The research showed that almost one in ten (9%) of staff had accidentally leaked sensitive attachments e.g. bank details or customer information, thereby putting customers and their own company at risk.

What Does This Mean For Your Business?

Accidental misuse of email clearly represents a real and prevalent risk to businesses that could leave them open to a variety of potentially serious financial, legal, and market risks. High pressure, busy business environments can make it more difficult for employees to always make the correct checks on emails before they press the send button, but highlighting the issue and reminding people to be extra-careful with email checks can be a good starting point.

The research also shines an important light on insider threat. Crowd Research Partners, for example, have found that 74% of organizations are vulnerable to insider threats, and 75% of survey respondents estimated insider threats cost their companies at least $500,000 in 2016.

There are many well-documented (see online) behavioural indicators of insider threat, the most common one being a lack of awareness e.g. employees with savvy IT skills creating workarounds to technology challenges, or employees using personal devices to access work emails.

Companies can help protect themselves by adopting a holistic and layered approach to user behaviour analytics to help spot potential risks. Companies need to pay attention to security infrastructures, and to adopt a comprehensive, risk-based security strategy that includes:
  • Awareness, education and training - compliance with security best practices, employee training and security monitoring.
  • Behaviour monitoring for detecting and mitigating insider threats.
  • Implementing appropriate procedures when employees terminate their employment e.g. denying them further access to IT system.
  • Information governance to provide the intelligence that drives security policies and controls.
  • User-based analytics to provide detection and predictive measures.
  • Development of an incident response program to consider internal and external breaches.
  • Being clear on legal and regulatory considerations.
  • A cross-organisational effort (people, processes and technology) to gain a detailed understanding of the organization’s assets and security posture.

Supermarket Voucher Scam Via WhatsApp

WhatsApp is being used by ‘phishing’ fraudsters to circulate convincing links for supermarket vouchers in order to obtain your bank details.

How Does The Scam Work?

The WhatsApp messenger app is being used to send messages purporting to be from well-known supermarkets such as Asda, Tesco and Aldi that contain a link to an online survey. The message tempts the receiver into completing the survey with the offer of hundreds of pounds worth of shopping vouchers.

In order to complete the survey, victims must give financial information, and have to send the link to 20 contacts in order to receive the vouchers. This helps to legitimise the scam as the contacts are likely to recognise and trust the sender.

Small Differences In Letters

The bogus supermarket link has been able to fool more than 30 people so far because of a very subtle, difficult to spot substitution of certain letters with similar characters. For example, the d in Aldi was swapped with a ḍ (notice the small dot underneath), which is actually a Latin character. Also a đ, known as a ‘crossed D’ (or dyet), has been used instead of a normal lower case d in order to fool potential victims.

Unclear

As yet, it is unclear whether just clicking on the link itself does something malicious like downloading malware, and there have been reports that doing so on social media has meant that the message was shared without the consent of contacts.

Brand Used Twice This Week

This is the second time in a week that the value and trust of the WhatsApp brand has been exploited by fraudsters. Earlier this week there were reports that a fake version of the WhatsApp messaging service for smartphones was distributed to more than one million unsuspecting people after it was put on Google Play store. In that case, the bogus app was used to spread spam adverts.

Bad Timing


The association of the WhatsApp brand with scams is damaging anyway, but the timing is particularly bad with the announcement only last month that WhatsApp is about to launch ‘WhatsApp Business’, with a free version for small businesses, and a paid-for version (a chance for WhatsApp to monetise its services) for enterprises with a global customer base.

WhatsApp has also suffered from bad PR, again by association, after it was announced that WhatsApp had been used by London terror attacker Khalid Masood minutes before he killed and injured multiple people back in March. This, in turn, led to Home Secretary Amber Rudd campaigning to abolish end-to-end encryption in social media platforms and to enable ‘back doors’ to be built into them for use by the authorities.

What Does This Mean For Your Business?

This is another example of how fraudsters are using the powerful combination of the trust placed in brands, very convincing messages, and apparent referrals from friends to commit socially engineered fraud. Cyber-criminals are becoming ever-more sophisticated and devious in their methods, and our use of social media platforms and mobile devices, and the lack of time and attention that we can give to individual messages, are helping criminals to carry out fast and successful scams.

It should be remembered, however, that a social media / messaging platform is simply the medium, and not all messages posted therein can be trusted. As advised by Action Fraud, people should avoid unsolicited links in messages, even if they appear to come from a trusted contact.

Fake WhatsApp - 1 Million Downloads

A fake version of WhatsApp, the free, cross-platform instant messaging service for smartphones, was downloaded from the Google Play store by more than one million unsuspecting people.

Discovered By Reddit Users

Keen-eyed users of Reddit, the US-based social and web discussion forum, spotted that the "Update WhatsApp Messenger", available for download in the Google Play store, wasn’t all that it seemed to be.

Clue in Developer Name

The fake WhatsApp was identified because its developer name had been made using a special Unicode character that renders as a space instead of an actual space. Concerned Reddit users were then able to take a screenshot of the subtle difference in the developer name and post it on the Reddit forum to alert others.

Although news of the fake app was then quickly circulated among online tech news channels, one million people had already downloaded the fake app.
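Both the supermarket voucher story above (a ḍ or đ standing in for the d in Aldi) and the developer-name trick here rely on characters that look like plain ASCII but are not. The following is an added example, not code from either story, of how a defender can fold such strings back to what they imitate and list the offending characters; the sample hostnames and developer name are constructed, and the small confusables table is an illustrative subset rather than the full Unicode list.

```python
import unicodedata

# Letters whose ASCII lookalike is not recoverable by decomposition. Constructed
# subset for this example; the Unicode confusables list is far larger.
CONFUSABLE_LETTERS = {
    "\u0111": "d",  # đ, d with stroke ("crossed D"), as used in the Aldi link
    "\u00f0": "d",  # ð, eth
    "\u0131": "i",  # dotless i
    "\u0142": "l",  # l with stroke
    "\u03bf": "o",  # Greek omicron
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
}


def skeleton(text):
    """Fold text to the plain string it visually imitates: compatibility-decompose,
    drop combining marks (the dot under ḍ), map known confusables and collapse every
    Unicode space separator to U+0020."""
    out = []
    for ch in unicodedata.normalize("NFKD", text):
        if unicodedata.combining(ch):
            continue
        if unicodedata.category(ch) == "Zs":
            out.append(" ")
        else:
            out.append(CONFUSABLE_LETTERS.get(ch, ch))
    return "".join(out)


def suspicious_characters(text):
    """Report every character that should not appear in a plain-ASCII brand,
    hostname label or developer name, with the reason it was flagged."""
    findings = []
    for idx, ch in enumerate(text):
        if ch.isascii() and ch.isprintable():
            continue
        cat = unicodedata.category(ch)
        if cat == "Zs":
            reason = "non-standard space"
        elif cat.startswith("C") or cat.startswith("M"):
            reason = "control, format or combining character"
        elif ch in CONFUSABLE_LETTERS or unicodedata.normalize("NFKD", ch)[0].isascii():
            reason = f"lookalike of '{skeleton(ch)}'"
        else:
            reason = "non-ASCII character"
        findings.append((idx, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"), reason))
    return findings


def impersonates(text, brand):
    """True when text differs from the brand yet folds to it once lookalikes,
    hidden marks and odd spaces are removed."""
    return text != brand and skeleton(text).casefold() == skeleton(brand).casefold()


# Constructed samples modelled on the two stories: the dotted and crossed d in a
# voucher hostname, and a no-break space inside a store developer name.
SAMPLES = [
    ("al\u1e0di-vouchers.example", "aldi-vouchers.example"),
    ("al\u0111i-vouchers.example", "aldi-vouchers.example"),
    ("WhatsApp\u00a0Inc.", "WhatsApp Inc."),
    ("aldi-vouchers.example", "aldi-vouchers.example"),  # genuine, should not flag
]


def scan_samples(samples=SAMPLES):
    """Return, per sample, whether it impersonates its brand and the flagged characters."""
    return [(text, impersonates(text, brand), suspicious_characters(text)) for text, brand in samples]


if __name__ == "__main__":
    for text, fake, flagged in scan_samples():
        print(f"{text!r}: impersonation={fake} flagged={flagged}")
```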

What Does It Do?

According to tech commentators who have installed and decompiled the app, it is an ad-loaded wrapper (with minimal Internet access / permissions) which contains some code to download a second apk, also called “whatsapp.apk”. The fake app hides itself by not having a title and having a blank icon.

The result for those who have downloaded and tried to use the app is that they receive spam adverts, and are unable to detect and delete the app.

Google Play Fooled, Again


What has shocked and angered many victims and tech commentators is that Google Play was fooled into offering the fake, spamming app as a download. Unfortunately, it’s not the first time that something like this has happened with Google Play. Back in 2015, Google had to block a malicious app submitted to its Play store that spoofed BatteryBot Pro. The fake app was able to send premium-rate text messages, and block people from deleting it.

What Does This Mean For Your Business?

Most people place trust in well-known brands and perceived reliable ‘expert’ sources so, in this case, quite apart from the upset and trouble that the fake app has caused, there has been a sense of shock and anger that consumers were left exposed to risk by the brand platform that they had placed their trust in. Although the obvious advice would be to always check what you are downloading and the source of the download, the difference in the fake app from the real thing (in this case) was so subtle that users (and perhaps Google) could be forgiven for making a mistake.

The fact that many of us now store most of our personal lives on our smartphones makes incidents such as these all the more alarming. It also undermines our confidence in (and causes potentially costly damage to) the brands that are associated with such incidents.

To minimise the risk of falling victim to damage caused by fake apps, users should check the publisher of an app, check which permissions the app requests when you install it, delete apps from your phone that you no longer use, and contact your phone's service provider or visit the High Street store if you think you’ve downloaded a malicious / suspect app.

Monday, November 06, 2017

New System To Collect Biometrics Of All EU Visitors

The European Parliament is reported to have approved the introduction of a new system which will collect biometric information about all non-EU visitors to the EU.

EES
Under the EU’s newly approved entry/exit system (EES), which is also part of the ‘Smart Borders’ package, anyone travelling to an EU country from a non-EU country (e.g. post-Brexit UK) will need to provide some biometric information.

Whilst the term ‘biometric’ implies some kind of intrusion or sampling, what it will actually mean is the need to have a digital photo taken and a fingerprint scan, and for these ‘biometrics’ to be stored in a central database, along with travel documents and information about place of entry, exit and entry refusal.

Why?
The stated aims for the introduction of the new system are to reduce irregular migration of over-stayers, to fight organised crime and terrorism, and to speed up border checks by replacing the manual stamping of passports.

Who?
The new system will apply to every third-country national, even visa-exempt travellers travelling to and from the EU Schengen area. The Schengen area consists of most EU States, except for Bulgaria, Croatia, Cyprus, Ireland, Romania and the United Kingdom (Bulgaria and Romania are in the process of joining).

How Long?
The information collected by the EU with its new entry / exit system will be stored on the central EES database for at least three years, or five years for over-stayers.

Access
Those who can access the information in the EU’s database will include border, visa and national enforcement authorities, and Europol. It has been reported that the information stored on the EES database can be consulted to prevent, detect or investigate terrorist offences, or other serious criminal offences.

The information will not be accessible to national asylum authorities.

Not New
Biometrics being used as an immigration control is not new. The UK government, for example, already operates its own biometric residence permit (BRP) system whereby those planning to stay longer than 6 months, or applying to settle in the UK, need a biometric permit. This permit includes details such as name, date and place of birth, a scan of the applicant's fingerprints and a digital photo of the applicant’s face (this is the biometric information), immigration status and conditions, and information about access to public funds (benefits and health services).

What Does This Mean For Your Business?

Since the UK is still in the EU, business travellers to the EU will not be subject to the new system just yet, but post-Brexit this will have to change. This could initially mean that UK travellers to the EU are subject to longer delays and greater scrutiny on entry / exit. There are also extra privacy / security concerns for UK citizens based around where (and how securely) very personal data is being stored, who has access to it, and worries about the results of hacking of the data e.g. we assumed that NHS systems and credit systems were safe until they were both subject to malware and hacking.

Some UK citizens may also be concerned about the apparent increasing need for states to gather information about citizens and their activities / movements e.g. this new border rule, US border checks that can require checks of social media, and the UK’s own storing of the browsing history of its citizens under the ‘Snooper’s Charter’.

The assumption is that, at some point, all information about one person collected in several locations could be pulled together, stored and cross-referenced in a way that feels too intrusive, and too much like ‘big brother’. For some, the argument that ‘if you have done nothing wrong, you’ve nothing to fear’ is sufficient, but others object to this being used as an excuse for states to gradually erode rights to privacy.

Election Concerns Over Facebook Influenced by Russians

Facebook has released figures ahead of a Senate hearing showing that Russia-based operatives have uploaded 80,000 posts to Facebook in the last 2 years.

Big Influence?
Ahead of Facebook, Twitter and Google’s Senate hearing on Monday, Facebook’s revelation concerns posts published between June 2015 and August 2017. Some 29 million Americans are believed to have seen them directly, and it is possible that 26 million American users have seen, and perhaps been influenced by, liked and shared messages and comments that could have originated in Russia.

Kremlin-Linked Company
The implication is that, because the messages / posts are believed to have been created by a Kremlin-linked company, they may be state-sponsored. One of the key concerns is that many of the posts may have been sent around the time of the US election, and may, therefore, have had an unknown degree of influence on the opinions and choices of some American voters, and, therefore, on the outcome of the election itself.

This is particularly pertinent, given the accusations that have been circulating for some time now that President Trump’s campaign may have received help from Russia.

Two More Stories
The news from Facebook is even more timely and relevant because on Monday, the world’s media was buzzing with two more Trump-linked stories. The first was that President Trump's former campaign manager, Paul Manafort, and aide Rick Gates are facing money-laundering charges (unrelated to the 2016 election campaign). The second was that one of Mr Trump’s advisers (in a volunteer capacity, George Papadopoulos) has pleaded guilty to lying to the FBI over his contacts with Russia.

Not Violations, But Deleted
It has been reported that although many of the posts said to have originated in Russia did not actually breach Facebook’s guidelines, the company still went against its mission of building community by deleting 170 Instagram accounts, which posted about 120,000 pieces of content.

Also, Google’s YouTube

Google has also reported the posting of more than 1,000 political videos on YouTube on 18 different channels by Russian trolls, although it is not believed that they were targeting American viewers specifically.

Twitter Too

News has come from Twitter about the company suspending 2,752 accounts that it had tracked to the Russia-based Internet Research Agency.

What Does This Mean For Your Business?
The bigger picture is that election results (i.e. which party / candidate wins) have a big effect on the business environment as well as on society. It is not a surprise that one country could seek to influence events in another, but it is a surprise to some that tech companies and social media companies are still able to offer a voice and a channel to all.

The challenge that tech companies such as Facebook and Google (with YouTube) face is that they need to protect the idea that they reject censorship (and interference from governments), while still being seen to be acting responsibly and proactively, and while protecting their brands and monetising elements of their business at the same time. It is clearly frustrating to some governments and politicians, both in the US and the UK, that they don’t have more of an influence over social media and tech companies e.g. with the end-to-end encryption debate in the UK, and that they often only come up against lawyers for these companies rather than being able to be seen to be publicly grilling the owners of these tech giants themselves.

As for the story about possible Russian influence over the US election result, it still has a good way to run and it is likely that we have only witnessed the start of many twists, turns and revelations.

Businesses Use Facebook Collaboration In Droves

Not only has Facebook’s Workplace Collaboration Tool exceeded expected take-up numbers by businesses, but it is now getting a desktop app for group chats.

What Workplace Tool?
Facebook's Workplace platform app was introduced in October 2016 to enable businesses to have their own social network while allowing Facebook to compete in the same collaborative and communications business tool market as Microsoft’s Yammer, Slack and Google’s Cloud. Slack is the current market leader with 4 million daily users.

The Workplace platform supports features such as live video and instant messaging and can be used by businesses internally to replace tools such as email. Previously known in its testing phase under the working title of ‘Facebook at Work’, the Workplace platform is an all-in-one integrated structure and incorporates many of Facebook’s best elements.

More Than 30,000 + New Features
One year on, Facebook’s Workplace, which was a late arrival in the market, now has 30,000 organisations signed up to it, which is more than double the number announced just six months ago. The platform has been given some new performance-boosting features such as screen sharing, and (the upcoming) group video chat support for up to 50 people per conference call.

Initial Worries Unfounded

The large numbers of businesses now using Facebook’s Workplace mean that initial fears by the company that it could be difficult to sell have proven to be unfounded. It was, for example, thought that the platform’s appearance and how it’s used could be too similar to social media, and could be seen as encouraging the use of social media at work, which many companies had been seeking to eradicate.

App
It has been announced that Facebook’s Workplace will also soon be augmented with a desktop version of its app for group chats, and an update in the not-too-distant future should mean that this app will support video calls.

With the extension of the app and the new features of the platform, Facebook has picked up on the value that users have been placing on messaging for real-time, reliable communication wherever they are (mobile or in the office).

What Does This Mean For Your Business?

Businesses are now realising that an effective, easy, low cost, and high-tech means of collaborative working and communicating (in real time) can bring greater effectiveness, efficiency and competitive advantage.

Facebook’s Workplace app provides businesses with a way to benefit from the use of a fully integrated social network, and another of its key advantages is that it offers a degree of familiarity because of its similarity to Facebook’s social platform.
Although Workplace was a relatively late market entrant, it was tested for years and already has tens of thousands of subscribers, thus helping it to iron out any faults. Workplace’s special appeal and credibility is also helped by the fact that it comes from what most people would consider the definitive social networking expert company.

Half Of Us Don’t Check Contactless Amount

A new study by money management app Yolt has found that nearly half of UK shoppers (48%) don’t always check the amount before they tap to pay via contactless.

Switch To Contactless
The implications of the findings of the study are so significant because the UK has seen a significant shift away from cash to contactless. For example, British Retail Consortium figures show that contactless payments now account for a third of all card transactions in the UK.

Yolt Figures from the new study show that 76% of Britons have used contactless payments, and 40% make half or more of their card payments using contactless.

An average 416.3 million contactless payments are made each month totalling £3.913 million (UK Finance figures), and this is an increase of 147.6% on 2016 figures. At the same time, projected figures from payments industry trade body ‘Payments UK’ have shown that by as soon as next year, more payments will be made using debit cards (with contactless) than using cash.

London Especially

Transport for London (TfL) figures, for example, show that 40% of public transport customers in London are now paying for their journeys with contactless payment cards (rather than using pre-paid cards), and 82% of Londoners have used contactless payments, making it the most popular city in the UK for this type of transaction.

It should also be noted that, according to this latest study, only 38% of Londoners said they always checked the amount before using contactless to pay.

Young People Least Likely To Check
The new Yolt study also revealed that young people (18 to 34) are the least likely to check the amount before paying via contactless, with only 39% doing so every time they pay. In contrast, 62% of those aged over 55 in the study said they check the amount every time they use contactless.

What Does This Mean For Your Business?
As far as businesses are concerned e.g. in retail, the rise of contactless has meant the need to invest heavily in new payments technology in order to make it easier and quicker for customers to securely complete transactions in-store. Retailers have, however, benefited from cost and time savings (and having to deal with less cash). The fact that consumers aren’t checking shows a degree of trust in the contactless system, which is again good news for retail businesses, provided that systems are functioning properly.

This story is also an example of how daily contact with technology, and a lack of negative reinforcement in many situations, has led to an increase in our trust in it. Some would say, however, that too much trust can lead to a lack of basic checks, and a dangerous suspension of basic reasoning and judgement. A study by the Georgia Tech Research Institute in March 2016, for example, showed how humans trusted robots in an emergency, even though the machines had shown themselves to have behaved unreliably just a short while earlier. In the experiment, a pre-programmed robot led visitors to the wrong room, and took them around in circles, and yet, when a fire was staged shortly after, people ignored clearly marked exits and followed the robot deeper into the building.

With the decline of cash as a worldwide trend, we are likely to continue using contactless regularly, and card issuers are likely to continue happily driving the change in customer behaviour. We do need, therefore, to remember that human error is commonplace (e.g. wrong amounts typed in for purchases, or prices entered wrongly in systems), and that technology and systems of all kinds can go wrong, and can be interfered with by cyber criminals. Keeping up the habit of making basic visual checks could save us time, trouble, and money, and could help us to use technology more safely.

AI Cracks Captcha

An Artificial Intelligence (AI) algorithm has been developed that can fool the Captcha website security check system by mimicking how the brain processes images and visual clues.

CAPTCHA
Most of us will be familiar with the Captcha system that requires us to prove that we’re not robots by recognising and entering a series of apparently random letters and numbers into a field i.e. solving visual puzzles to complete a login process.

Captcha, which stands for "Completely Automated Public Turing test to tell Computers and Humans Apart", was developed in the late 1990s as a counter-fraud measure, and to stop automated bots accessing and using websites and other online resources. If Captchas are not used, some of these bots can post spam comments in blogs, sign up for thousands of email accounts every minute e.g. on Yahoo, buy multiple tickets from ticket sites, gather email addresses (written in text) from web pages, distort online polls, and launch dictionary attacks on password systems. The use of Captchas can also offer full protection to pages that you don’t want indexed by search engines, and offer worm and spam protection.

Up until now, Captcha tests have been sufficient to separate humans from robots, and statistics show that the test is so complicated that even humans only pass it 87% of the time.

New System Beats Captcha

Details of the new Captcha-beating system have been published in the Journal of Science. The system was developed after research by Californian artificial intelligence company ‘Vicarious’, funded by Amazon founder Jeff Bezos and Facebook's Mark Zuckerberg.

Rather than using ‘neural networks’ that would require large networks of computers in layers and extensive training of those computers to solve problems, the new, simpler, algorithm-based system from Vicarious has been designed to imitate how the human brain responds to visual clues.

Little Training, Good Results
Reports of the results of tests with the new Recursive Cortical Network (RCN) show that by being able to actually pick out distorted letters and digits from images, it can beat the Captcha system with minimal training (other AI programs have needed 50,000 times more training).

The RCN algorithm works by recognising contours, edges, shapes, and textures of an image, and analysing the pixels to try and find a match with the outline of an object.

Tests to date have shown that the new algorithm can accurately guess a Captcha image 66% of the time, and can correctly guess an individual character with 81% accuracy.

What Does This Mean For Your Business?
The Captcha system has helped businesses by providing an easy way to deter potentially costly, disruptive and damaging bot attacks and spam. Many tech commentators, however, believe that the Captcha system (which dates back to 2000) is now outdated, and at the very least, needs to be improved. Now that a new algorithm has been developed that can beat Captcha, many tech and security commentators fear that it will now only be a matter of months before a similar system is being used to attack Captchas on websites, which can only spell bad news for businesses.

Two-factor authentication has proven itself to be an effective security gateway for websites, and many see this as the way forward.

Given the big tech names involved in the development of the Captcha-beating algorithm, you could, however, be forgiven for thinking that they may have an idea about (or may already have) another system that could replace it.