Fake MONOPOLY money which Gianni Accamo ‘used to scam dealers out of diamonds’ | Daily Mail Online


The jury at Bristol Crown Court was told the scheme went unnoticed until after the buyers had left, despite the word Monopoly written in huge letters down the middle of the bills.

The paper cash bears a slight resemblance to Euro notes but the colour scheme is much lighter and the images on the bills are out of focus compared to the real deal.

From Fake MONOPOLY money which Gianni Accamo ‘used to scam dealers out of diamonds’ | Daily Mail Online


POST #IDIoT was a good choice

My good friend Wendy Goodman was kind enough to write about her experiences at Tomorrow’s Transactions this year (our 19th annual Forum!!) referring to it as

Tomorrow’s Transactions Forum, Dave Birch’s quirky annual event where ideas about the future of money are smashed together like particles to see what happens.

From net.wars: The blockchain menu


We could fix mobile security, you know. We don’t, but we could

Earlier in the week I blogged about mobile banking security, and I said that in design terms it is best to assume that the internet is in the hands of your enemies. In case you think I was exaggerating…

The thieves also provided “free” wireless connections in public places to secretly mine users’ personal information.

From Gone in minutes: Chinese cybertheft gangs mine smartphones for bank card data | South China Morning Post

Personally, I always use an SSL VPN when connected by wifi (even at home!) but I doubt that most people would ever go to this trouble or take the time to configure a VPN and such like. Anyway, the point is that the internet isn’t secure. And actually SMS isn’t much better, which is why it shouldn’t really be used for securing anything as important as home banking.

The report also described how gangs stole mobile security codes – which banks automatically send to card holders’ registered mobile phones to verify online transactions – by using either a Trojan virus in the smartphone or a device that intercepted mobile signals up to a kilometre away.

From Gone in minutes: Chinese cybertheft gangs mine smartphones for bank card data | South China Morning Post

Of course, no-one who takes security seriously wanted to do things this way in the first place (which is why, for example, we used a SIM Toolkit application for M-PESA). This is hardly a new opinion.

I saw Charles Brookson, the head of the GSMA security group, make a very interesting point recently. Charles was talking about the use of SMS for mobile banking and payment services and he made the point that SMS has, to all intents and purposes, no security whatsoever.

From SOS SMS | Consult Hyperion

In case you’re interested, that blog post comes from 2008 and if I remember correctly I’d made a presentation around that time drawing on a story from 2007 to illustrate that the mass market use of SMS for secure transactions might prove to be unwise despite the convenience.

Identity theft and a fraudulent SIM swap cost a children’s charity R90 000.

From Standard, MTN point fingers in fraud case | ITWeb

These are all symptoms of the fact that nobody listens to me about mobile banking security. Well, sort of. I’m sure other people have made the same point about keeping private keys in tamper-resistant hardware so that all bank-customer communications are securely encrypted and digitally-signed at all times, but since I’ve been making the same point for two decades (back to the days of the proposed “Genie Passport” at BT Cellnet) and despite the existence proof of M-PESA nothing much seems to be happening. Or at least it wasn’t. But perhaps this era is, finally, coming to an end. Here is what the US Department of Commerce’s National Institute of Standards and Technology (NIST) say about out-of-band (OOB) text messaging in their latest Digital Authentication Guideline (July 2016):

OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.

From DRAFT NIST Special Publication 800-63B

I looked up “deprecated” just to make sure I understood, since I assumed it meant something other than a general disapproval. According to my dictionary: “(chiefly of a software feature) be usable but regarded as obsolete and best avoided, typically because it has been superseded: this feature is deprecated and will be removed in later versions”. So: as of now, no-one should be planning to use SMS for authentication.

The NIST guideline goes on to talk about using push notifications to applications on smart phones, which is how we think it should be done. But how should this work in the mass market? The banks and the telcos and the handset manufacturers and the platforms just do not agree on how it should all work. But surely we all know what the answer is, which is that all handsets should have a Trusted Execution Environment (like the iPhones and Samsungs do) and third-parties should be allowed access to it on open, transparent and non-discriminatory terms. The mobile operators should use the SIM to offer basic digital identity services (as indeed some are beginning to do with the GSMA’s Mobile Connect). The banks should use standard identity services from the SIM and store virtual identities in the TEE. There you go, sorted.

So… when the Barclays app loads up on my phone it would bind the digital identity in my SIM to my Barclays identity and use the TEE for secure access to resources (e.g. the screen). Standard authentication services via FIDO should be in place so that Barclays can request appropriate authentication as and when required.

Now… when Barclays want to send me a message they generate a session key and encrypt the message. Then they encrypt the session key using the public key in my Barclays identity. Then they send the message to the app. The only place in the world where the corresponding private key exists is in my SIM, so the app sends the encrypted session key to the SIM and gets back the key it can then use to decrypt the message itself. In order to effect the use of the private key, the SIM requires authentication, so the TEE takes over the screen and the fingerprint reader and I swipe my finger or enter a PIN or whatever.

If the bank needs step-up authentication for, say, a high-value transaction or the addition of a new payee, it can use FIDO to obtain additional authentication for input to its own authorisation processes.
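To make the message flow above concrete, here is an added model of it in Python (example code written for this post, not Consult Hyperion’s, Barclays’ or any vendor’s implementation). It keeps the roles the post describes: the bank wraps a fresh session key under the customer’s public key, the app relays the wrapped key to the SIM, the SIM only exercises the private key once the TEE has verified the user, and the app then decrypts the message with the returned session key. The class names, the PIN check and the primitives are assumptions: the key wrap is textbook RSA built from the standard library and the message encryption is an HMAC-SHA256 keystream with an HMAC tag, stand-ins for the RSA-OAEP/ECIES and AES-GCM a real SIM and TEE would use.

```python
"""Model of the bank -> app -> SIM/TEE message flow. Added example, not a
bank's or Consult Hyperion's code. Stand-in primitives only (textbook RSA,
HMAC keystream); real deployments use padded public-key schemes and an AEAD
inside hardware."""
import hashlib
import hmac
import secrets


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test; adequate for generating a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Textbook RSA keypair: public (n, e), private (n, d). No padding: demo only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream_xor(key, data):
    """XOR data with HMAC-SHA256(key, block counter) blocks (stand-in stream cipher)."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


def encrypt_message(session_key, plaintext):
    """Encrypt-then-MAC under keys derived from the session key."""
    enc_key = hashlib.sha256(b"enc" + session_key).digest()
    mac_key = hashlib.sha256(b"mac" + session_key).digest()
    ct = _keystream_xor(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def decrypt_message(session_key, blob):
    enc_key = hashlib.sha256(b"enc" + session_key).digest()
    mac_key = hashlib.sha256(b"mac" + session_key).digest()
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("message tag mismatch")
    return _keystream_xor(enc_key, ct)


class Sim:
    """The private key is created here and never leaves; use needs TEE verification."""
    def __init__(self):
        self.public_key, self._private_key = generate_keypair()

    def unwrap_session_key(self, wrapped, user_verified):
        if not user_verified:
            raise PermissionError("TEE did not verify the user; private key not used")
        n, d = self._private_key
        return pow(wrapped, d, n).to_bytes(32, "big")


class Tee:
    """Models the TEE taking over the screen/sensor to check a PIN (assumed)."""
    def __init__(self, enrolled_pin):
        self._pin = enrolled_pin

    def verify_user(self, supplied_pin):
        return hmac.compare_digest(self._pin, supplied_pin)


class Bank:
    def __init__(self, customer_public_key):
        self.customer_public_key = customer_public_key

    def send(self, plaintext):
        session_key = secrets.token_bytes(32)          # fresh per message
        n, e = self.customer_public_key
        wrapped = pow(int.from_bytes(session_key, "big"), e, n)
        return wrapped, encrypt_message(session_key, plaintext)


class BankApp:
    """The app only ever holds the session key, never the private key."""
    def __init__(self, sim, tee):
        self.sim, self.tee = sim, tee

    def receive(self, wrapped, blob, supplied_pin):
        verified = self.tee.verify_user(supplied_pin)
        return decrypt_message(self.sim.unwrap_session_key(wrapped, verified), blob)


def demo(pin_entered=b"1234"):
    """Constructed end-to-end run; returns the decrypted message."""
    sim, tee = Sim(), Tee(b"1234")
    bank, app = Bank(sim.public_key), BankApp(sim, tee)
    wrapped, blob = bank.send(b"Payment of 250.00 to ACME approved")
    return app.receive(wrapped, blob, pin_entered)
```

The point the model makes is structural rather than cryptographic: a wrong PIN means the SIM refuses to use the private key at all, and a tampered message fails the tag check before any plaintext is released, so neither a compromised channel nor a malicious app that merely relays bytes gets anything useful.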

Why is this all so hard? Why don’t I have an “Apple ID” on my iPhone right now?

It seems to me that there is little incentive for the participants to work together so long as each of them thinks that they can win and control the whole process. Apple and Google and Samsung and Verizon and Vodafone all want to charge the bank a dollar per log in (or whatever) and the banks are worried that if they pay up (in what might actually be a reasonable deal at the beginning) then they will be over a barrel in the mass market. Is it possible to find some workable settlement between these stakeholders so that we can all move on?

Bitcoin: In Technology We Trust (Maybe) – Forbes


Why should anyone have more trust in a digital currency created by an anonymous group of coders accountable to no-one than in a democratically-elected government accountable to everyone? Why is an essentially feudal governance model “safer” than a democratic one?

From Bitcoin: In Technology We Trust (Maybe) – Forbes


The World’s First Cashless Society Is Here – A Totalitarian’s Dream Come True – Ron Paul Liberty Report

Over at the Ron Paul Liberty Report they are in doubt as to who is behind this sort of thing.

The War on Cash is a favorite pet project of the economic central planners. They want to eliminate hand-to-hand currency so that governments can document, control, and tax everything.

From The World’s First Cashless Society Is Here – A Totalitarian’s Dream Come True – Ron Paul Liberty Report


Live example of "underhanded solidity" coding on mainnet : ethereum


One of the concerns about Ethereum contract safety has always been the issue that even though it’s theoretically possible to check a piece of code and make sure that it does exactly what you expect it to do, in practice, outside of highly standardized contexts (ie. widely used dapps) where many people can audit the code, it’s hard for the average user to check and make sure that there is no secret bug in the program… I actually found a real live example of this on the ethereum mainnet today.

From Live example of “underhanded solidity” coding on mainnet : ethereum

I hadn’t much thought about this, although I imagine my colleagues who spend more time thinking about risk analysis had, and it once again reinforced to me the distinction between shared ledger applications (SLAPPs) and actual contracts! Would you want to use a system where,

Subway photographer connects random photos to people’s social media profiles | Privacy Online News


Егор Цветков (Egor Tsvetkov), a photographer in Russia, has taken photos of random people on the subway and connected them to social media portraits and complete profiles using face matching technology.

From Subway photographer connects random photos to people’s social media profiles | Privacy Online News

Right now, he’s using some software that matches faces against the pictures on vKontakte, the Russian version of Facebook, and it is getting a 70% match rate even against photographs taken from angles and under different lighting.

Think what this means.

When I walk into a conference, my Google glasses will be able to tell me who everyone is and scan their LinkedIn profiles. I’ll get it to put green ticks next to people who influence the budgets at banks and red crosses next to mouthy but powerless middle managers such as myself. Come on, you’d all do it. It’s embarrassing enough meeting people that you’ve forgotten meeting, or remembered their names wrong or you didn’t know that they work for you (all of which have happened to me).

It would certainly be helpful for a run of the mill pervert looking at women on the subway to know whether they are single, straight, living on their own, where they work, what their address is, whether they are going out later and so on. Instead of having to do any donkey work, they’ll just fire up iPerv or some similar app to get the details there and then.

There is no answer other than the immediate mass production of Facebook-blue burkhas for us all.

Banks and fintechs at war over password sharing | afr.com


Micro investment company Acorns has accused ANZ Banking Group and other banks of telling customers they can’t share account passwords with the start-up, retarding its growth. 

From Banks and fintechs at war over password sharing | afr.com

The article calls password-sharing a “grey area”, which it really isn’t, since both bank procedures and common sense security practice should tell us that giving _anyone_ a password (which ought not to be thought of as any form of security at all) is dangerous. When they get hacked, you get hacked.
