Thursday, 27 August 2015

Disabling contactless cards - paranoia or reason?

My bank sent me one of these cards, which in my opinion is about as safe as walking around with an unlimited supply of £20 notes in your pocket for anyone walking past to take. So I thought I’d look into the security.

The flaw is fairly simple: the issuers say the cards can only be read close up. However, a more sensitive receiver or a transmitter with the power jacked up increases the range. The TJX hack was carried out from outside the shop. The store’s wireless network was thought safe because the base unit could only pick up the handheld terminals within three feet or so, and the traffic was protected only by weak WEP encryption. The attackers used a directional antenna hooked to a laptop that could pick up the signal from much further away. (http://www.wsj.com/articles/SB117824446226991797)

Likewise there was a whole paper at a security symposium on attacking implanted pacemakers and defibrillators over their short-range radio telemetry, which were supposed to be safe precisely because of that short range. (Read here: http://science.slashdot.org/story/08/03/12/1232206/hacking-a-pacemaker)

Range, as has been shown repeatedly, is not a protection:
Backpack reader picks up all cards within 45cm: http://www.bbc.co.uk/news/technology-24743920
M&S terminals debit cards from much further away than advertised: http://www.bbc.co.uk/news/business-22545804
Fact: detection and reporting rates for fraud are low. An estimated £2.1 billion of fraud goes undetected (http://www.almr.org.uk/undetected-fraud-growing-burden-business/).

So here’s a security test case. Case a) Direct fraud.
The attackers set up a merchant account under false details: Mike’s News and Coffee.
Each card that comes into range of their reader is debited between £1.49 and £3.99: the price of a newspaper, a coffee, or a snack.
How much will they make, and how many of these people will notice it on their statement?

Assume 21,000 cards pass within range in an hour, an average charge of £2.74 (the midpoint of £1.49 and £3.99) and average card processing charges of £1.25 per transaction: 21,000 x (£2.74 - £1.25) = £31,290 for one hour’s work.
Note that the bank and acquirer make 21,000 x £1.25 = £26,250 from transaction charges. They are unlikely to believe that a coffee is a fraud even if it is reported.

Case b) A TJX clone.

They simply copy the card data down and walk away.
Then they clone the cards and use the clones to buy gift cards, which they cash out to launder the takings.
How many cards will they get data from, and how much can they make before the fraud is noticed?
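To make “copy the data down” concrete, here is an added example (not code from the original post) of what a contactless EMV card hands to any reader that can couple to it. The card answers a READ RECORD command with BER-TLV encoded data, and no PIN or cardholder action is needed to read it. The response bytes are constructed for illustration (the standard test PAN 4111 1111 1111 1111, with a made-up expiry, name and discretionary data); the tag numbers and their meanings are from the EMV specification’s data dictionary, and the parser is a minimal BER-TLV walker written for this post.

```python
"""What "copying the data down" from a contactless card actually yields.

Added example for this post, not code from the original. A contactless EMV
card answers a READ RECORD command with BER-TLV encoded data; no PIN or
cardholder action is needed to read it. The response bytes below are
CONSTRUCTED for illustration (standard test PAN 4111 1111 1111 1111, made-up
expiry, name and discretionary data); tag meanings are from the EMV
specification's data dictionary.
"""
from typing import Dict, Iterator, Optional, Tuple

# Constructed READ RECORD response: a tag 70 record template holding Track 2
# equivalent data (57), the PAN (5A), expiry date (5F24) and cardholder name
# (5F20), followed by the 90 00 "success" status word.
SAMPLE_READ_RECORD_RESPONSE = bytes.fromhex(
    "70 2F"
    "57 11 41 11 11 11 11 11 11 11 D2 51 22 01 00 00 00 00 0F"
    "5A 08 41 11 11 11 11 11 11 11"
    "5F 24 03 25 12 31"
    "5F 20 09 43 41 52 44 2F 54 45 53 54"
    "90 00"
)


def parse_tlv(data: bytes, start: int = 0,
              end: Optional[int] = None) -> Iterator[Tuple[str, bytes]]:
    """Yield (tag_hex, value) for each BER-TLV object in data[start:end].

    Constructed objects (bit 6 of the first tag byte set) are yielded and then
    descended into, so nested primitive tags come out in document order.
    """
    if end is None:
        end = len(data)
    i = start
    while i < end:
        if data[i] in (0x00, 0xFF):  # inter-object padding, skip it
            i += 1
            continue
        tag_start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:      # low five bits set: multi-byte tag
            while data[i] & 0x80:     # continuation bytes have the top bit set
                i += 1
            i += 1
        tag = data[tag_start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:             # long form: 0x8N then N length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        yield tag, value
        if first & 0x20:              # constructed object: walk its children
            yield from parse_tlv(value)


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test, the same sanity check a clone-card buyer runs."""
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def extract_card_data(response: bytes) -> Dict[str, str]:
    """Strip the status word, walk the TLV and return the card data in clear."""
    if response[-2:] != b"\x90\x00":
        raise ValueError("card returned status %s" % response[-2:].hex())
    out: Dict[str, str] = {}
    for tag, value in parse_tlv(response[:-2]):
        if tag == "5A":                       # PAN, BCD, F-padded if odd length
            out["pan"] = value.hex().upper().rstrip("F")
        elif tag == "5F24":                   # expiry as YYMMDD
            out["expiry"] = value.hex()
        elif tag == "5F20":                   # cardholder name, ASCII
            out["name"] = value.decode("ascii").strip()
        elif tag == "57":                     # Track 2: PAN 'D' YYMM svc disc
            track2 = value.hex().upper().rstrip("F")
            pan, rest = track2.split("D", 1)
            out["track2_pan"] = pan
            out["track2_expiry_yymm"] = rest[:4]
            out["service_code"] = rest[4:7]
    return out


if __name__ == "__main__":
    card = extract_card_data(SAMPLE_READ_RECORD_RESPONSE)
    for key, val in card.items():
        print("%-20s %s" % (key, val))
    print("luhn valid:", luhn_ok(card["pan"]))
```

Whether track 2 equivalent data alone is enough to make a clone that a given merchant or issuer will accept is a separate question; the point of the example is only that the PAN, expiry and name leave the card in clear, over the air, to any reader that can couple to it, which is exactly what makes the “copy and walk away” case cheap.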

Now the loss to TJX itself was around £10.9 per card (http://www.zdnet.com/article/the-tjx-data-breach-why-loss-estimates-are-overblown/). Assume the same rate for the 21,000 cards above and you get £228,900.

The loss to cardholders and retailers was greater. The data was passed to one crime ring worth $8 million (http://www.computerworld.com/article/2544011/security0/stolen-tjx-data-used-in-florida-crime-spree.html), another worth $75 million (http://www.informationweek.com/secret-service-busts-four-fraudsters-with-ties-to-tj-maxx-attack/d/d-id/1057036?), and on worldwide. One cardholder found a £45,000 bill, which was thankfully reversed. (http://www.wsj.com/articles/SB117824446226991797) The total loss to cardholders is unknown, because so much of the fraud goes undetected.

So no, I don’t think contactless cards are safe, as they make this sort of thing far too easy. A card is now vulnerable just because it exists, not only when it is used.

I wasn’t particularly happy to find out my bank no longer issues non-contactless cards, nor that my bank’s claim last year that contactless must be enabled turned out to be rubbish. I found that out when my card was debited from six feet away, which really did not make me happy.

I should tell you about my personal experiences with my first tests.
1) Contactless cards could be read by a supermarket reader from six feet (tested in Waitrose, as their card readers are easier for customers to move).
2) Contactless cards could be read by London transport readers. I have a travel pass, not an Oyster card, and yet a contactless card in my pocket got billed for walking past the reader.
So the range is definitely more than 4 to 5 cm.
I ended up talking to a drone (most customer service staff are good; he wasn’t) who kept telling me these things were safe and I was technophobic, yet he didn’t know any of the IT security cases I brought up.

So I’ve paid off the card. Before I close the account, I intend to do some experimenting on how easy it is to disable it.

So to conclude, in my opinion, not wanting to walk around wirelessly broadcasting your card details is not paranoid.


This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Disabling contactless cards - paranoia or reason? - http://rablogs.co.uk/tirial/2015/08/27/disabling-contactless-cards-paranoia-or-reason/ was published on August 27, 2015 at 11:00 am.

Sunday, 23 August 2015

Shoreham

For the first time in a few years I didn’t go to the Shoreham Airshow. Work and life got in the way. This afternoon, on the way back from a meeting, I saw the news.

Hawker Hunter WV372, run by Canfield Hunter, failed to pull out of a loop and crashed onto the A27. At least seven people were killed on the ground, and fourteen injured. The pilot, Andy Hill, was rescued from the burning wreck and airlifted to hospital, where he remains in critical condition.

Shoreham police have put out a request for all video or photos of the event. If you have any, please send it to: shoreham.aircrash2015@sussex.pnn.police.uk

My thoughts can only be with the casualties, and hopes and prayers that there are not more. The people I know in the area have checked in. Others won’t have been so lucky.

It is the first time since 1952 that spectators on the ground have been killed at an airshow in Britain. Proportionately more spectators have died at football matches than at airshows. (The second deadliest sport for spectators is motor racing.)

I will not link to video of the crash. There’s enough of that on any news channel. The Sea Vixen flew one unrecorded fly-by in tribute. The video I will link is the Avro Vulcan, in its last display season, performing one slow fly past to a minute’s silence for the fallen.

"I know you will understand why we do this but I would like you to please pause a moment while the Vulcan flies through." Mr Terence Henderson, Shoreham announcer.

Shoreham Herald, Vulcan Flypast Tribute

In the meantime all there is to offer are prayers for all those involved, and a fervent, probably futile, hope that there are no more casualties to find and the death toll grows no higher.


This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Shoreham - http://rablogs.co.uk/tirial/2015/08/23/shoreham/ was published on August 23, 2015 at 1:51 am.

Tuesday, 11 August 2015

Ant-man? Is actually really good...

I haven’t posted for a while, but I have seen the Ant-man movie.

It’s great. Go see it. Get it on Blu-ray/DVD – you’ll want to freeze-frame the Easter eggs.

This is the first film in twenty years I’m going to see twice at the cinema. The one before that was Terminator 2.

Raving aside, seriously, apart from a slightly weak villain it’s really good. It benefits from being a heist movie rather than a superhero movie, it has an excellent script and supporting cast, and best of all it is fun. A few squeamish moments don’t detract from the tone, it doesn’t take itself entirely seriously even though it is played straight, and it has a great ending.

A few tropes are heavily subverted, particularly the ones about women in superhero films. The Wasp’s cameo made me cheer, just because so often women with children suddenly become useless with everything in movies and she was still an obviously-capable superhero. Hope van Dyne (Yes, I know it’s Hope Pym) was intelligent, made only one slip I saw in the whole film and it’s made a plot point, and even though she isn’t in the suit she’s still vital to the heist (and possibly in more danger because she’s not in the suit). The mid-credits was great.

Slight spoiler: The supporting cast aren’t bumbling and useless, everything ties together from early shots to Chekhov’s guns you won’t see without a freeze-frame but will still remember when they fire, and frankly it has one of the best depictions of a blended family seen on screen. There’s a nice touch at the beginning which establishes Scott Lang as not the best judge of character when he is whining about his ex’s new husband. If you take a step back from following the hero, it’s pretty obvious he’s extremely biased in his view of the guy. Overcoming this is one of the major arcs, and it works so well.

If you can catch it in its last week, do. If not, get the DVD.

Dear Marvel,
Can we have another film like this? Please?
Regards,
Tirial



This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Ant-man? Is actually really good... - http://rablogs.co.uk/tirial/2015/08/11/ant-man-is-actually-really-good/ was published on August 11, 2015 at 5:14 pm.

Saturday, 23 May 2015

EUVAT - Amazon's coping method.

I was going to post my reason for being furious with VATMOSS today, but I saw this in the paper in the supermarket and thought it needed to be said.

In a case study for a client in February I pointed out that there was one very simple reason VAT would hit smaller businesses disproportionately: multi-nationals can afford to set up subsidiaries in each country and route VAT through them, so they only need to deal with one VAT rate per office and escape the requirement to store customer details. Small businesses rely on the same website supplying every country, so they need to split sales down by country, record and store customer details and so on, which creates a huge admin overhead.

And what is in the Mail today?
Amazon sets up UK subsidiary to handle UK sales
The Mail have given it a nice spin of “they’re finally paying tax”, without mentioning the laws that would have forced them to pay the VAT anyway. Note that this neatly takes Amazon UK out of VATMOSS.

Now if a company the size of Amazon would rather set up a new subsidiary than handle VATMOSS admin requirements, what chance do small businesses have?


This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  EUVAT - Amazon's coping method. - http://rablogs.co.uk/tirial/2015/05/23/euvat-amazons-coping-method/ was published on May 23, 2015 at 10:50 am.

Thursday, 21 May 2015

A few thoughts on EUVAT - a right VAT Mess

So today I am writing about #EUVAT, a daft and damaging law written by a government so disconnected from its electorate that it didn’t remember small businesses exist. I’m not kidding, they’ve admitted it. (“Only 7% of businesses sell overseas” – actually it’s 96%, ’cos they forgot Paypal.)

For anyone not familiar – most of the UK, as HMRC hasn’t exactly been telling people – from 1st Jan 2015, if you sell something digital online – an ebook, an app, an MP3 – the seller has to work out and pay VAT to the government of the country where the buyer is located. For ebooks, this means 81-odd VAT rates across 28 countries. You also have to capture two pieces of evidence of location, which must match, to confirm the country, and hold them for ten years. Small businesses can’t do this; heck, even Paypal can’t do this…
 
The EU have said they will look at it again in 2016, when they will also make it cover physical goods. 200 firms have closed so far, others are geoblocking EU customers, and some have had to switch to third parties who take a massive cut of earnings. One author quotes losing 80% of earnings to tax and fees. Many US SMEs will no longer sell to the UK. There’s a full breakdown of the damage here: 2015 EU Digital VAT (PDF)

So rather than detailing what you can do, which has been covered in detail by EUVATACTION, I thought I’d write about easy ways the EU could fix this legislation:

1) Add a Rider
Where the company or artist cannot locate the purchaser, VAT on a purchase is paid as if purchased in the country of origin.
– Amazon and companies holding user accounts cannot say they don’t know the purchaser.
– Small businesses using Paypal definitely don’t know.
Shipping addresses don’t count for location, as the person it is shipped to may not be the purchaser. If a large company deliberately stops holding user data to avoid this, that’s tax avoidance and can be fined.

2) Add a Threshold
Microbusinesses under the EU classification pay VAT as if all sales are in the country of origin.
– Easily catches Amazon, Google and the large players.
– As the threshold turnover is 2M euros, any firm above this size has the resources to implement a fix (est. cost £5,000 / 7,500 euros).
This is EUVATAction’s preferred option.

3) Refund Collection Costs
Allow companies to recover the cost of collecting VAT from the tax departments in question.
e.g. if a person owes 1.67 euros to Spain and it costs them £180 to work out, £50 in lost business for calculation time*, and £40 in international transfers, the Spanish government owes them £270 less the 1.67 euros. The cost of collection is to be remitted first, so that the transfer fees can be paid.
Alternatively, let it accrue, and when the debt owed reaches £500 (yes, the joy of working out currency conversion also falls on the tax department) the government pays out. This turns EUVAT into a tax on large businesses and a subsidy for smaller ones worldwide.

* Set a base rate of minimum wage for collection time, and then allow the business to use its chargeable hourly rate if that is higher.

4) Centralise Accountability
Turn VATMOSS into a pool that companies pay into at a flat rate, which then distributes payment Europe-wide.
Each VATMOSS receives payment at a flat average VAT rate (say 20%). It is then up to the VATMOSS group to work out what percentage was purchased from each EU country and remit that share of the pool to each.

Note: They don’t get to ask for purchase data, or go back to companies who have paid the flat rate and ask for more. After all, companies can’t go back to consumers to ask for more, and handing out client data like that breaches PCI DSS. The company’s obligation for digital tax ends with paying the Europe-wide MOSS rate. From there on, liability rests with the MOSS teams, and they are the ones taken to court if it goes wrong. After all, these are people trained and paid specifically to deal with tax. (They can use web traffic levels, etc.)

Alright, options 3 and 4 could be termed making EU VAT a nightmare for the tax departments. I view it more as shifting the burden back where it belongs, onto the people who created the problem in the first place and the civil servants who are paid specifically to deal with tax. Small businesses don’t have tax specialists or finance departments, so why does this law assume they do?

On a closing note, there are things you can do:
Lobby your MP and MEP for a country-wide exemption until the legislation is fixed. In the US, lobby your senator: no taxation without representation.
Approach industry and consumer bodies to see if they will take action.
Tweet and get the word out. #EUVAT and #VATMESS are in use. I’ve put some banners on this page if you want to add one to your site.

Finally visit EuVatAction or join their facebook page for updates


This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  A few thoughts on EUVAT - a right VAT Mess - http://rablogs.co.uk/tirial/2015/05/21/a-few-thoughts-on-euvat-a-right-vat-mess/ was published on May 21, 2015 at 7:52 am.