Tag Archives: web security

The Future of Digital #Payments

Yours truly at Endava’s Future of Payments Event. The audience isn’t asleep – they’re tweeting insights from the presentation, or watching the football

For the past 3,000 years payments hasn’t been the most exciting industry, but in the last 5-10 years, there have been dozens of new entrants into the market.

It took 3,000 years to give us pretty much seven payment options: coins, banknotes, debit cards, Diners Club, Visa, Mastercard and American Express. In the last ten years, we’ve seen an explosion of disruptive players, all driven through the adoption of the Internet and/or mobile technologies.

Yesterday we hosted an event “The Future of Digital Payments” in London at the magnificent, if slightly warm, Royal Exchange. It was one of the best attended Endava events that we’ve held, despite the World Cup and Wimbledon trying to compete with us!

Continue reading The Future of Digital #Payments

How Your Website can Handle Emergency Announcements

Flooding Announcement on a School Website – what happens if the website crashes?

Major General Patrick Sanders, assistant chief of the UK defence staff, who is currently coordinating the armed forces’ response to the UK floods has described the damage as an “almost unparalleled natural disaster”.

I listened to the Today programme on Radio 4 this morning (a treat that I rarely enjoy now that I cycle to work – and only heard it today because I took my brother-in-law to the airport), and the presenters were speaking to various spokesmen from train companies and utilities around the country.

I’ve recently been speaking to a number of not-for-profit organisations about their digital platforms. Digital is key to these organisations because it provides a direct-to-consumer communication channel (although they each have different terms for consumers) which is far cheaper than previous methods. The commercial sector recognised this advantage a few years ago.

One specific question which keeps being raised is how to deal with emergency announcements.

Commercial organisations can often afford robust platforms and fault tolerance because the increased digital traffic from mobile apps and websites usually translates into extra revenue or improved customer service.

However, if you are a school and want to let parents know whether the school is open today or not because of flooding, snow or other natural problems, it’s unlikely the school will be compensated for the added digital traffic. Many UK schools offer a text messaging service to parents to let them know if the school is open or not, but still they receive huge web traffic from concerned parents.

Additional web traffic can often cause website issues. There are a number of methods to ease this high web traffic, most of which are free to use. Continue reading How Your Website can Handle Emergency Announcements

How the UK government is building a global Financial Services market

Financial services companies should start planning for a new global market, and here’s how it can unfold.

It all starts with Identity

UK Government Digital Identity page

Governments have often played a central role in verifying the identity of an individual. For instance, governments issue passports and driving licences and register commercial organisations, mainly for tax and legal reasons. Governments are considered trusted sources for verifying identities – banks trust government documentation (such as a passport or driving licence) to prove that a person or company is who they say they are.

Continue reading How the UK government is building a global Financial Services market

How to try a Chromebook for free

I’ve been seriously considering buying a Chromebook for my kids to use at home recently, but wanted to check whether the kids can get on without Windows before buying a new laptop – so here’s how to try it before buying anything.

Chrome running as a Windows 8 app – more than a browser

Chromebooks use an operating system from Google called ChromeOS, which is mainly based on the Chrome browser. It can’t run Windows applications (or Android apps) – it can only run web sites, or Chrome extensions and apps which you usually download through the Chrome Web Store.

Continue reading How to try a Chromebook for free

The FIFA 14 “Free Coins” scam

Today is European Data Protection day 2014, or ‘Privacy Day’ if you live outside of Europe. Happy EDP or PD depending on where you live.

One of these accounts asked for my email username and password to get free FIFA coins

To celebrate EDP/ PD, I thought I’d share the latest scam going around on EA Sports FIFA 14 and Twitter, mainly targeting children.

FIFA 14 has one of the best monetisation strategies of all computer games which leaves Candy Crush and Farmville well behind.

Firstly, the game costs around £40 to buy, and to play it online on the Xbox, you need to buy a subscription to Xbox Live, which is a further £40 per year. And that’s only the beginning of the journey because many online gamers have quality football ‘players’ in their squads.

There are two ways of getting decent players into your own team – either to trade players in a marketplace or buy ‘packs’ of players (a pack contains a random selection of players which are undisclosed until purchase).

The currency for these transactions is FIFA coins, which you earn by playing and trading players, or FIFA Points, which you buy with real cash. A brief survey of my kids’ friends revealed that the average amount of money spent on FIFA coins is around £10 per month. Playing FIFA is a £200 per year hobby.

The trading option provides the perfect environment for scammers – the combination of naive children and a constant appetite for more FIFA Coins.

There are dozens of websites and Twitter accounts setup offering ‘free’ or cheaper coins. Remember that we’re dealing with children who want more coins quickly. So these websites ask for personal details in return for the coins. These personal details appear logical to a child.

I saw a Twitter scam as follows:

  1. The ‘Free coins’ account asks the gamer to follow them in return for coins. The reason for asking the gamer to follow is that Twitter only lets an account send a Direct Message (DM) to someone who follows it, so once the gamer follows, the scammer can move the conversation out of public view.
  2. The ‘Free coins’ account now DMs the gamer, dangles the carrot of ‘Thanks for following, do you want 100K or 500K coins?’
  3. The gamer responds
  4. The ‘Free coins’ account now asks for the FIFA team name and the Xbox Live account name. Both appear reasonable and are easily justified as “I need to know who to send the coins to.”
  5. The gamer replies.
  6. Now the clever part… the free coins account claims the transaction didn’t work correctly. They will ask the gamer to re-confirm their details. It builds the frustration and emotion for the gamer.
  7. The free coins account now explains there must be some sort of technical problem and asks for the gamer’s email account and password.

At this point, the DM conversation may have taken under 5 minutes from the gamer following the account. Once any hacker has control of a person’s email account, they have an open door to many other services, because they can visit other sites, press ‘Forgotten password’ and reset those accounts one after another. And of course, the hacker’s first job is to change the email password and the backup email address/ phone number.

Remember that we’re mainly dealing with children who undervalue security.

There are two steps to prevent this scam:

  1. Explain to your child the importance of never giving away their email password to anyone, no matter what the ‘offer’ is. It’s the online equivalent of giving a stranger your house keys.
  2. Explain no one on the Internet is likely to give you something for nothing, especially just for following them on Twitter. Back to the first analogy, it’s like someone on the street offering to buy you some chocolate for free, but they need your house keys to leave the chocolate in the fridge.

Parents of children who have fallen for this scam are rightly upset. The psychological impact is that a stranger has managed to break into the family home and steal from the children, all without parents noticing.

With more apps and games offering freemium options and monetised gamification, these scams will become more common.

Have a happy European Data Protection day.

2014 Digital Media trends/ predictions now on Slideshare

Here’s the Slideshare presentation for my 2014 Digital Media trends (click on that link to see the description for each trend).

Agree or disagree with them? Feel free to comment below.

Digital Media predictions for 2014

In 2014 we’ll see television change significantly (Credit: National Museum of American History on Flickr)

Every year I forecast a number of predictions in the Digital Media/ Internet world, and at the end of the year I score those predictions to see whether they came true or not. Here are links to 2010, 2011, 2012 and 2013 predictions.

For the coming year, here are my predictions:

  1. TV will change. In the next couple of years, television is going to change significantly in both content and technology terms.
    On the technology front, I reckon we’ll see 3D disappear altogether (bye-bye 3D channels), Ultra HD become production ready, Xbox One become the central home entertainment device, and with television sets growing every year, we’ll see more transparent TV technologies for when the box is switched off.
    In content terms, Sky have lost the TV rights to the Champions League from the 2015/6 season. This will mean the next round of Premiership rights bidding will be huge, because Sky can’t afford to lose the Premier League. Unless they start significantly boosting the awareness of another sport, similar to what they’ve done with darts and cycling. The bad news for consumers is that TV is going to become fragmented – think multiple subscriptions from different providers to see all the TV content that your family wants to watch.
    The next two years of TV will see massive change.
  2. Investment post-recession. Remember Facebook buying Instagram for a billion dollars? Or Google buying Waze for almost a billion dollars? As the world (minus Spain and Greece) dusts itself down and emerges from the recession, we’ll see the spending spree continue. I’d expect to see TV broadcasters and newspapers lead in this area.
  3. We’ll see the pace of consumerisation speed up. Large companies will produce their own app stores, many more companies will move to BYOD (Bring Your Own Device) and finally improve the usability of their in-house apps. Across businesses, staff will demand more touch screens to work with Windows 8[.1]. All of this will mean that the business (i.e. non-IT departments) will be buying what we have always called ‘the technology’. And this will be challenging for established IT departments.
  4. Security is going to move to the top of the agenda, specifically with Trust and Identity. This will become the big agenda item for IT departments. Historically we’ve seen hacking groups held up as revolutionaries or as bored small-time geeks. This public and media perception will change as more people’s identities are cloned and the security costs of hacking intrusions are passed on to end customers.
  5. From Mobile to Wearable. IT and marketing departments have focused on mobile devices for the last couple of years. We’ll see the focus shift to wearable devices as Google Glass, Samsung watches and Apple somethings all become mainstream. SMAC (Social, Mobile, Analytics and Cloud) will be replaced by SWAC (Social, Wearable, Analytics and Cloud).
  6. 2014 will be the year of the wallet. Visa released V.me at the end of 2013. PayPal already provides a wallet, and we’ll also see banks and payment systems releasing them. The good news is that it’s going to be easier to pay by card online – you’ll only need a username and password rather than your credit card number. The bad news is that we could end up with a number of wallets and many passwords. It will become a race for the first wallet.
  7. Speech recognition to become more mainstream. I use speech recognition for Google searches on my phone and laptop. It gets my search correct most of the time, and for the other occasions, Google usually second guesses what I was trying to search for and gives those results instead. With Google’s speech API, almost any app can use speech recognition, and the more it’s used, it will become better quality.
  8. Integration between services. When I received Google Glass in December I was impressed that as soon as you log in with your Google account, it shares the phone numbers held on my Android phone together with my Google+ profile and so on. I saw a demo of Sharepoint 2013 recently with excellent integration between Yammer, Sharepoint, Lync, Exchange and Outlook. To date, social integration has been about finding Facebook friends on a new service or asking them to build new farms and vegetables. We’ll start seeing more clever implementations between applications – why do both Strava and my health insurance app need to follow me around when they could share data?

Using your bank for Single Sign On

Where do you store your important documents?

I’ve been writing about the need for a trusted Single Sign On system across the web for some time now and I think I’ve seen it start to emerge.

My concept of the Single Sign On solution is similar to Facebook Connect, but from a trusted, strong, long term brand. Facebook still needs to prove its credibility in the trust arena. I only use Facebook Connect for some personal sites where I want to reduce, or even avoid, the time it takes to register.

Would I use Facebook Connect for tax returns, or my road tax, or my company’s payroll system? Nope.

I do a fair amount of travel and seem to need my passport number (and sometimes other passport details) from time to time. I once scanned my passport and I keep it as a digital image on some secure digital storage where I know I can access it everywhere (interestingly the UK Government also recommends to store it online using a secure data storage site). The same goes for my National Insurance card, photos of my bikes’ frame numbers and stuff like that. When I speak to other people about this, they have similar solutions, and I know some people who keep these solely as photos on their phone. We all have different levels of security that we’re comfortable with, but I really wouldn’t advise the phone method.

Last week I heard about a new service from Barclays Bank called Cloud It. Cloud It enables, well actually it encourages, users to upload important documents. It then adds additional functionality such as alerts for expiring documents, or regular renewals (e.g. MOT certificates and insurance).

I have no proof whether Barclays Cloud It is any more or less secure than say, BT, Google, Microsoft or Dropbox, but the fact that a bank is storing your document ‘feels’ more secure.

The next step of Cloud It really should be Single Sign On. I would trust my bank to authenticate me into other services.

Trust a bank?

I spoke about this concept of a bank offering Single Sign On at a conference earlier this year. Over lunch afterwards I was asked whether people really trust banks after the recession, and the bad press that bankers often receive. One person on the table categorically stated that he wouldn’t trust his bank.

My answer to this is simple: people still keep their money, one of our most valuable day to day assets, in banks once they’ve been paid and they still go to banks to borrow money for their houses and cars. Conversely, if people didn’t trust banks, we’d be hearing a lot more about mass withdrawals after being paid. But people don’t withdraw their money based on lack of trust (except Cyprus), and this proves that people do trust them, and in the future we’ll be trusting them to log in to all sorts of systems across the Internet.

A double family hack

Hacked Mac (Credit: Willy López on Flickr)

In a rather odd coincidence, both my mum and mother-in-law’s computers have been hacked in the last couple of weeks.

My mum has a Mac and once the hacker got in (we think it was through an email attachment in Hotmail), they changed the computer system settings and the language – which was quite clever because my mum just left the computer on, clicking around trying to get the language back to English. I suspect the longer the computer was left on, the longer the hacker had to make more changes on the system.

Once the hacker had control of her Hotmail account, they sent out emails saying my parents were abroad and in distress, and required some cash to get them out of trouble. The email looked 80% genuine – good enough for some of my parents’ friends to call me and ask if they were OK.

Unfortunately for my mum, I don’t know very much about Macs, let alone being able to look at an Arabic version of Mac OS and get it back to English. She had to call a computer trainer to come over and help return her computer back to normal, including installing some security software.

Hackers managed to get into my mother-in-law’s Gmail account. We still don’t know how they did this. The first we knew of it was when hackers sent an email to my wife (they didn’t email everyone in the contacts – for instance I didn’t get the email). The email didn’t look like computer generated spam, so my wife phoned her mum and recommended she change the password straight away. The password was already complex – I had set it up originally, including a capital letter, numbers and letters, punctuation and a decent length.

My mother-in-law then called a few days later to say she hadn’t received any emails since the incident. I looked at her laptop and the hackers had set up a Gmail rule redirecting all email into the Bin straight away. This was clever because it meant that for all the emails sent from her account, if someone replied to ask whether it was genuine, the reply would have gone straight to the Bin without my mother-in-law seeing it.
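
The hiding rule described above is a common post-compromise step, and it is easy to miss unless you go looking for it. The following Python script is an added example and not something from the original post: it parses the XML that Gmail produces from its “Export filters” option (assumed here to use the apps:property names shown in the constructed sample feed) and flags any filter that matches every incoming message and then bins it, archives it, marks it as read or forwards it. Filters that forward mail or delete it outright are reported even when they are narrow, because both are worth a second look after an account compromise.

```python
import xml.etree.ElementTree as ET

# Namespaces used by Gmail's filter export (Settings > Filters and Blocked Addresses
# > Export). Assumption for this example: property names match that export format.
ATOM_NS = "http://www.w3.org/2005/Atom"
APPS_NS = "http://schemas.google.com/apps/2006"

# Constructed sample feed: two ordinary filters plus one modelled on the rule the
# attacker left behind (match everything, mark it read, send it straight to the Bin).
SAMPLE_FILTERS_XML = f"""<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='{ATOM_NS}' xmlns:apps='{APPS_NS}'>
  <title>Mail Filters</title>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='subject' value='Invoice'/>
    <apps:property name='shouldStar' value='true'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='in:anywhere'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>
"""

# Properties that narrow which messages a filter applies to.
CONDITION_KEYS = {"from", "to", "subject", "hasTheWord", "doesNotHaveTheWord"}
# Actions that hide mail from the owner or divert it elsewhere, with the reason reported.
HIDING_ACTIONS = {
    "shouldTrash": "deletes matching mail",
    "shouldMarkAsRead": "marks matching mail as read",
    "shouldArchive": "skips the inbox",
    "forwardTo": "forwards mail to another address",
}
# Search terms that match essentially every message when used as the only condition.
CATCH_ALL_WORDS = {"*", "in:anywhere", "in:inbox", "is:unread", "@", "."}


def parse_filters(xml_text):
    """Return one dict of property name -> value per <entry> in the export."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall(f"{{{ATOM_NS}}}entry"):
        props = {p.get("name"): p.get("value") for p in entry.findall(f"{{{APPS_NS}}}property")}
        filters.append(props)
    return filters


def audit_filter(props):
    """Return (severity, reasons) for one filter; severity is None when it looks ordinary."""
    conditions = {k: v for k, v in props.items() if k in CONDITION_KEYS}
    catch_all = not conditions or (
        set(conditions) == {"hasTheWord"}
        and conditions["hasTheWord"].strip().lower() in CATCH_ALL_WORDS
    )
    reasons = [why for action, why in HIDING_ACTIONS.items()
               if props.get(action) not in (None, "false")]
    if catch_all and reasons:
        return "high", ["matches every incoming message"] + reasons
    if props.get("forwardTo") or props.get("shouldTrash") == "true":
        return "medium", reasons
    return None, []


def audit_filters(xml_text):
    """Audit every filter in a Gmail export; returns the flagged ones in file order."""
    flagged = []
    for index, props in enumerate(parse_filters(xml_text)):
        severity, reasons = audit_filter(props)
        if severity:
            flagged.append({
                "index": index,
                "severity": severity,
                "conditions": {k: v for k, v in props.items() if k in CONDITION_KEYS},
                "reasons": reasons,
            })
    return flagged


if __name__ == "__main__":
    for hit in audit_filters(SAMPLE_FILTERS_XML):
        print(f"filter #{hit['index']} [{hit['severity']}] {hit['conditions']}: "
              + ", ".join(hit["reasons"]))
```

Run it against a real export by reading the file into `audit_filters`. A newsletter filter that archives mail from one sender is left alone; the catch-all rule that bins everything is reported as high severity, which is exactly the case that left my mother-in-law’s inbox silent for days.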

I guess the key takeaways are to keep changing the password regularly, and keep it complex. Never ever open attachments in emails unless you really are expecting something and it looks genuine.

The operating system vendors, Apple and Microsoft, and now mobile operating system vendors too, have a tough balancing act. They have to provide a marketplace for third parties to produce security software, but they also have a duty of care to make their systems secure for users. The argument is that if say, Microsoft, bundled anti-virus software with Windows, the third parties would be out of business within days.

However the email providers don’t have such a balancing act, and really should be prohibiting certain attachments to emails, or checking their contents properly.

Five Key Internet Megatrends: 5. Trust

The quest for identity management continues (Credit: http://www.flickr.com/photos/brenda-starr/3509344100/)

Key points:

  • We need a Single Sign On across the web, from a truly trusted brand
  • Sellers need to know who customers are, just as much as we need to identify real retailers
  • Web sites that build a reputation score will need to transfer their data

To give you an idea of how ridiculous passwords have become, let’s look at my bank. My bank is one of the most technically advanced banks, and has created some great innovations.

I use their website banking, which uses a log in process that has been designed to deter users from using the service. It takes two screens, a physical device to generate a random number, and various other forms of identity.

And then take their mobile app. With a simple 5 digit numerical passcode, I can do almost anything I can do via the website equivalent. Either the security department went on holiday when the mobile app was released, or they came to their senses to make it easier for customers to access their account. I hope it was the latter but it was probably the former.

Passwords are one of the biggest nuisances of the Internet. Another nuisance is multiple accounts. The number of accounts we have, and continue to keep creating, has got out of control. Not only is it out of control, but we then have security experts telling us not to use the same password on multiple sites. And personally I won’t use a password manager because I fear they are all run by some spotty (but clever) teenager from his bedroom, and one day he’ll have access to lots of people’s accounts and go on a spending spree at Amazon.

If I see a website offering to use my Facebook or Twitter credentials to register or login to a website, I’ll always take the offer. It’s so much easier.

The problem with websites offering Facebook or LinkedIn or Twitter is that the social network gets to keep the customer data, not the website we’re registering with. And also, whilst I’m happy to use a social network to log me on to various websites, I’m not sure I would use Facebook connect for my healthcare or pension site.

We need a Single Sign On system across the internet from a trusted party. It needs to be trusted by both users and website owners – from my bank to the Inland Revenue (whose authentication system is extremely rigid).
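
Whoever ends up as the trusted party, a bank as suggested in the Cloud It post above or anyone else, the mechanics on the website side are the same: the identity provider signs an assertion about who you are, and the site you are logging in to verifies that assertion before trusting it. The Python below is an added example, not code from the original post or from any real provider. It mimics a signed token in JWT layout and shows the checks a relying party must make: the signature, the pinned algorithm, the issuer, the audience (so a token issued for a shopping site cannot be replayed against the payroll system) and the expiry. The issuer and site names are hypothetical, and a shared HMAC secret stands in for the public-key signatures a production OpenID Connect provider would use.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical identity provider and relying-party identifiers, constructed for this example.
BANK_ISSUER = "https://id.examplebank.test"
RELYING_PARTY = "https://payroll.example.test"
# Shared secret stands in for the asymmetric key a real provider would publish.
# Assumption for the example only; production OIDC uses RS256/ES256 so relying
# parties never hold anything that can mint tokens.
SHARED_SECRET = b"constructed-example-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_token(subject, audience, secret=SHARED_SECRET, now=None, ttl=300):
    """What the identity provider does: sign a short-lived claim set for one audience."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": BANK_ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = f"{_json_b64(header)}.{_json_b64(claims)}"
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token, expected_audience, secret=SHARED_SECRET, now=None):
    """What the relying party does: return the claims only if every check passes."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; the token must never get to choose it ('none' / key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != BANK_ISSUER:
        raise ValueError("untrusted issuer")
    # Audience check stops a token minted for one site being replayed at another.
    if claims.get("aud") != expected_audience:
        raise ValueError("token was issued for a different site")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def check(token, audience, now):
    """Demo helper: 'ok:<subject>' when accepted, otherwise 'rejected:<reason>'."""
    try:
        return "ok:" + verify_token(token, audience, now=now)["sub"]
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    issued_at = 1_000_000
    token = issue_token("customer-42", RELYING_PARTY, now=issued_at)
    print(check(token, RELYING_PARTY, issued_at + 100))              # accepted
    print(check(token, "https://shop.example.test", issued_at + 100))  # wrong audience
    print(check(token, RELYING_PARTY, issued_at + 400))              # expired
```

The audience and expiry checks are what make a single identity usable across many sites without one site’s token becoming a skeleton key for the rest; a site that verifies only the signature has effectively handed its login to every other relying party of the same provider.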

Once we have the Single Sign On system, it needs to keep track of our various reputation scores. I have an eBay account with 100% positive feedback amassed over a few years and over 500 ratings, both buying and selling. So when I join a site such as TripAdvisor or Airbnb, that eBay record should count for something.

As the Internet continues to become more complex, retailers need to know their customers are who they say they are, and can be trusted. We’ve been using SSL certificates on the Internet for a long time now as a means of ensuring we are buying from a company that is who it says it is. It’s now time for the other way round – for customers to prove who they are.

This type of system is called VRM (Vendor Relationship Management). It’s all about making the Internet a level playing field: taking the trust we take for granted in the real world and migrating it to the virtual one, all with the aim of being treated as a real human being rather than an IP address and a cookie jar.