Tuesday, 20 October 2015

Search Engine issues

So, Google has now added a new feature.

Originally in the dim and distant past, Google was a search engine.  Then it started collecting details from users’ searches and serving ads. It could charge more based on these details. So it bought other sites, like youtube, and then tried to make users put everything under one sign-in, which creates ad profiles which can be sold for even more money.

And in the last few days the inevitable happened. If you don’t have a Google account and don’t give them permission to track you, good luck using their search engine.

Over the last few days I’ve been through this a few too many times.

Let me summarise it:

  • Click next
  • Get told that it will take your data, so click Other options
  • Click edit settings under search customisation and turn search off
  • Click edit settings under ad preferences and get a 302 error.
  • Click edit settings under youtube and turn off.
  • Click edit settings under Privacy and get asked to download Google’s code. No, no, no.
  • Click back.
  • Get told that you still have to agree to let it track you to get to the search screen.
The really good thing, of course, is that after turning all this off I went to YouTube. You know Google claims that its default settings are child safe, and if you see porn it’s your fault? Nope. With history on I see tech demos and science vids. With history off I get lots of half-naked women. Unless they’re bio-roids with spec info, I’m really not interested.

But what can you do?

Oh yeah, you can
  • Use duckduckgo.com to get a Google search without giving Google your data.
  • Use altavista
  • Use yahoo.com
Because seriously, given the poor quality of Google’s recent search results (before this screen came up I was averaging one report a day through their feedback form about just how inaccurate their results were, and then having to go to duckduckgo anyway), I don’t see any reason to pay them for poor performance.

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Search Engine issues - http://rablogs.co.uk/tirial/2015/10/20/search-engine-issues/ was published on October 20, 2015 at 9:46 am.

Thursday, 10 September 2015

Disabling Contactless Cards

Contactless card security – or the lack of it – is back in the media. There are three main items that the card firms say make these cards secure. Sadly I would disagree with each.

1) Short Range.
Which? said that while industry standards specify a maximum magnetic-field strength for card readers, corresponding to a range of 5cm, some readers may be able to read cards at greater distances. Their test rig read a card from 45 cm. (http://www.theguardian.com/money/2015/jul/23/contactless-card-is-too-easy-says-which)

"It may be possible for a small percentage of cards to be read 15 to 20cm from the reader," he said. "Even if this was to occur in 0.1% of cases, with more than 300m transactions taking place last year, many consumers could be affected."

So the only limit on how far a card can be read from is whether the person building the reader wants to stay within the guidelines. People planning to break the law by stealing credit cards will, of course, follow guidelines rigidly.

So your safety with a contactless card depends entirely on the honesty of the person who plans to steal it.

2) That the amounts are so small no one would be interested.
I’m going to use an actual live case that I observed here, regarding an online site and its payment. Squidoo was an article site that paid monthly for articles with the most traffic. As its monthly payment increased, so did the amount of click-fraud etc.

When the payment for a top article on squidoo was $10, fraud was very low.
When the payment was $30, coders built tools just to get the payment, and sold them for $50 (e.g. SquidooBlaster).
When the payment reached $50, it was hard to get that payment without fraud.

Likewise, when the payment for a contactless card was £10 no one bothered. Now it’s £20, and they want to make it £30. At what point does it become worth the outlay for a cheap phone and wide range receiver – less than £100?

With Squidoo there was a cap – only the top 10,000 lenses got that type of royalty. With credit cards, they could get that many in an hour walking around a city street or station.

3) That after a certain number of transactions, you have to use your PIN.
Not only do they still get the funds for the first transaction, but this is where long term cons get nasty.
Once they’ve got your data, they can make a number of transactions and then get locked out.
If they’ve made small transactions, such as transport or whatever else, they simply have to stop using your card, wait for you to use it and unlock it, and then they can harvest £20 off it again the next day.
£20 every day for a month is around £600 per card. The equipment for Which? cost under £200. Think the fraud is worth it yet?

And since thieves often store the cash by buying gift vouchers, which are hard to trace, it provides an ongoing benefit.

The final safeguard: Insurance
If all of these safeguards fail and your card is used without your consent, the banks state they will refund you. There are a lot of issues here.
From the user’s point of view, they refund from the point where the user tells them there’s an issue. Unlike a physical card, where you notice you’ve lost it, with contactless you could lose quite a bit before you get a statement or any indication that something is wrong.

However from a societal point of view there’s another issue. In the TJX case one woman lost $45,000. She reported it. The card firm refunded her. The firm then either claimed insurance, or reclaimed it from the retailer, who then claimed on their insurance.

The thieves still had the original $45,000. They still benefited, so there was no reason for them not to continue to steal credit cards, which in fact they did. If insurance means the theft can be seen as stealing from banks and insurers, not retailers and little people, it might even encourage it – you might have noticed the number of online groups spelling ‘bankers’ with a ‘w’.

And then more recently, the possibility of a whole new field of fraud was opened up.

While RFID Journal says that the contactless chip does not contain the entire data for the card (http://www.rfidjournal.com/blogs/rfid-journal/entry?7870), InfoSecurity Journal states that it does, and that they have accessed it through a legacy profile (https://www.infosecurity-magazine.com/magazine-features/how-secure-are-contactless-payments/).

Now if this is true, it re-opens a whole field of card cloning. The security issue is simple – the RFID contactless chip contains the same details as the magstripe. This is enough for someone who scans the details to clone the card for signature use with a generated magstripe. Put a faulty chip on the cloned card and most card readers revert to the magstripe. Then the person who created the cloned card just has to swipe and sign the slip – like they signed the cloned card fifteen minutes before… It might not match the real owner’s signature, but that won’t be revealed until the slip reaches the bank in a few days.

So, no, the more I look into it, the less happy I am about the security on contactless cards. Many of the more complex technical security solutions seem to assume that a fraudster will never acquire a physical card from that bank to reverse-engineer it (because, you know, thieves never have or steal real physical cards…).

Then Visa asked to be able to track cardholders’ movements and transaction locations by their phones “for security” (https://nakedsecurity.sophos.com/2015/02/18/visa-asks-to-track-your-smartphone-to-help-sniff-out-credit-card-fraud/). And that data about where you are at what times of day, every day, couldn’t be abused at all, could it?

So when the bank refused to replace mine with a non-contactless card, I field-tested disabling my card’s contactless function. My solution works.

I’ll post it here in a few days.

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Disabling Contactless Cards - http://rablogs.co.uk/tirial/2015/09/10/disabling-contactless-cards/ was published on September 10, 2015 at 9:47 am.

Thursday, 3 September 2015

EUVAT - a last thought

I’m not going to define EUVAT again (daft legislation that even the EU admits was not thought out and is killing small business, but which may not be fixed for 2 years), but I wanted to throw out a last thought before the EUVAT Symposium in September.

The problem with the proposed solution of adding a turnover threshold to EUVAT is that VAT thresholds vary from country to country. A threshold was already rejected when it was originally proposed, so it won’t go through this time.

So why not link EUVAT to company behaviour, so that only companies acting against the European Digital Single Market get hit? Small firms sell online by PayPal button or a similar low-cost one-click option. They offer the same thing to all countries and rarely even know where the customer is based. Large firms like Amazon select by country, offer different or restricted services in each country, and block users from accessing their content outside that country.

So why not link EU VAT directly to this? If a company geo-selects within Europe on services, they pay EUVAT rates – i.e. they have to pay VAT at the point of supply, the customer’s location, since they are obviously already collecting enough data to know this. However, if a company is using a single-click payment option and not changing its offering by country, all sales are counted as domestic and VAT is paid at the rate of the company’s home location. Since few (virtually no) larger firms use PayPal or single-click payment processors that aren’t linked to an account with details and customer location, this would effectively remove small businesses from EUVAT. The benefits:
  • This removes small businesses from EU VAT, saving time and hassle without needing a threshold.
  • It encourages larger firms to provide identical cross-border content, promoting the DSM, and penalises those that don’t.
  • It makes it harder for multi-nationals to dodge VAT.
  • It makes it unnecessary to have a turnover threshold.
The disadvantage is proving that the offering is identical, but that should be easily done just by visiting the website from multiple countries’ IP addresses. If prices (not including shipping) change and products vary significantly, that’s EUVAT liability. Yes, this may be borderline for larger bookshops etc. or DVD and game sellers, due to the issues of licences and overseas rights. However, since it is not illegal to sell a printed book or DVD created in one region to another, just to mass-produce or mass-retail them in a third-party country without rights, most should be unaffected. Larger sites that might escape it are Flattr and Patreon, but then both are a way of moving funds directly to small creators, and they don’t care where the donors or creators are based. It’s better than people being threatened with extradition over 5p, and grannies selling knitting patterns having to pay VAT.

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  EUVAT - a last thought - http://rablogs.co.uk/tirial/2015/09/03/euvat-a-last-thought/ was published on September 3, 2015 at 8:53 am.

Thursday, 27 August 2015

Disabling contactless cards - paranoia or reason?

My bank sent me one of these cards, which in my opinion is about as safe as walking around with an infinite number of £20s in your pocket to be taken by everyone walking past. So I thought I’d look into the security.

The flaw is fairly simple: they say the cards can only be read close up. However, if you get a more sensitive receiver or jack up the power of a transmitter, this increases the range. The TJX hack occurred from outside the shop. The card terminals were thought safe because the base unit could only pick them up within three feet or so. The hackers used a parabolic microphone hooked to a laptop that could listen in from much further away. (http://www.wsj.com/articles/SB117824446226991797)

Likewise there was an entire symposium on the ways to hack Bluetooth pacemakers, which were supposed to be safe due to short range. (Read here: http://science.slashdot.org/story/08/03/12/1232206/hacking-a-pacemaker)

Range, as has been shown repeatedly, is not a protection:
Backpack picks up all cards within 45cm: http://www.bbc.co.uk/news/technology-24743920
M&S debits cards far further away: http://www.bbc.co.uk/news/business-22545804
Fact: Detection and reporting rates for fraud are low. £2.1 Billion is estimated as undetected (http://www.almr.org.uk/undetected-fraud-growing-burden-business/).

So here’s a security test case.

Case a) Direct fraud.
They have set up a card account under false details: Mike’s News and Coffee.
Each card that comes into range is debited for between £1.49 and £3.99: the price of a newspaper, coffee, or snack.
How much will they make, and how many of these people will notice it on their statement?

21,000 cards × (£2.74 − £1.25 average card charges) = £31,290 for one hour’s work.
Note that the bank makes £26,560 from transaction charges. They are unlikely to believe that a coffee is a fraud even if it is reported.

Case b) A TJX clone.

They simply copy the data down and walk away.
Then they can clone the cards and use them to buy gift cards. They then use the gift cards to launder their takings.
How many cards will they get data from, and how much can they make before the fraud is noticed?

Now the loss to TJX itself was around £10.90 per card (http://www.zdnet.com/article/the-tjx-data-breach-why-loss-estimates-are-overblown/). Assume the same rate, and you get £228,900.

The loss to cardholders and retailers was greater. The data was passed to an $8 Million crime ring (http://www.computerworld.com/article/2544011/security0/stolen-tjx-data-used-in-florida-crime-spree.html), another of $75 Million (http://www.informationweek.com/secret-service-busts-four-fraudsters-with-ties-to-tj-maxx-attack/d/d-id/1057036?), and worldwide. One user found a £45,000 bill, which was thankfully reversed. (http://www.wsj.com/articles/SB117824446226991797) The total loss to card holders is unknown, due to the amount of undetected fraud.

So no, I don’t think contactless cards are safe, as they make this sort of thing far too easy. A card is now vulnerable just because it exists, not only when it is used.

I wasn’t particularly happy to find out that my bank no longer issues non-contactless cards, nor that what my bank told me last year, that contactless must be enabled, turned out to be rubbish. I found that out when my card was debited from six feet away, which made me really not happy.

I should tell you my personal experiences with my first tests.
1) Contactless cards could be read by a supermarket reader from six feet (tested in Waitrose, as their card readers are easier for customers to move).
2) Contactless cards could be read by London transport readers. I have a travel pass, not an Oyster, and yet a contactless card in my pocket got billed for walking past the reader.
So the range is definitely over 4 to 5 cm.
I ended up talking to a drone (most customer service staff are good; he wasn’t) who kept telling me these things were safe and I was technophobic, and yet didn’t know any of the IT security cases I brought up.

So I’ve paid off the card. Before I close the account, I intend to do some experimentation on how easy it is to disable it.

So to conclude, in my opinion, not wanting to walk around wirelessly broadcasting your card details is not paranoid.

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Disabling contactless cards - paranoia or reason? - http://rablogs.co.uk/tirial/2015/08/27/disabling-contactless-cards-paranoia-or-reason/ was published on August 27, 2015 at 11:00 am.

Sunday, 23 August 2015

Shoreham
For the first time in a few years I didn’t go to the Shoreham Airshow. Work and life got in the way. This afternoon, on the way back from a meeting, I saw the news.

Hawker Hunter WV372, run by Canfield Hunter, failed to pull out of a loop and crashed into the A27. At least seven people were killed on the ground, and fourteen injured. The pilot, Andy Hill, was rescued from the burning wreck and life-flighted to hospital where he remains in critical condition.

Shoreham police have put out a request for all video or photos of the event. If you have any, please send it to: shoreham.aircrash2015@sussex.pnn.police.uk

My thoughts can only be with the casualties, and hopes and prayers that there are not more. The people I know in the area have checked in. Others won’t have been so lucky.

It is the first time since 1952 that spectators on the ground have been killed at an airshow in Britain. Proportionately more spectators have died at soccer matches than at airshows. (The second deadliest sport for spectators is motor racing.)

I will not link to video of the crash. There’s enough of that on any news channel. The Sea Vixen flew one unrecorded fly-by in tribute. The video I will link is the Avro Vulcan, in its last display season, performing one slow fly past to a minute’s silence for the fallen.

"I know you will understand why we do this but I would like you to please pause a moment while the Vulcan flies through." Mr Terence Henderson, Shoreham announcer.

Shoreham Herald, Vulcan Flypast Tribute

In the meanwhile all there is to offer are prayers for all those involved, and a fervent, probably futile, hope that there are no more casualties to find and the death toll grows no higher.

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Shoreham - http://rablogs.co.uk/tirial/2015/08/23/shoreham/ was published on August 23, 2015 at 1:51 am.