The RISKS Digest
Volume 30 Issue 72

Tuesday, 12th June 2018

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Another risk of driverless cars
Emirates looks to windowless planes
180,000 Voters accidentally left off LA County polling place rosters
Irfan Khan
Ontario election results Not a Number
Tony Harminc
Florida skips gun background checks for a year after employee forgets login
Naked Security
All accredited journalists at the #KimTrumpSummit get a free USB fan
Israelis nabbed in Philippines are tip of iceberg in alleged fraud gone global
The Times of Israel
Sweden Tries to Halt Its March to Total Cashlessness
Cryptocurrencies Lose Billions In Value After An Exchange Is Hacked
"Cryptocurrency theft malware is now an economy worth millions"
Quebec Halts Bitcoin Mining Power Requests Amid Booming Demand
Charlie Osborne
The Spanish Liga uses the phone microphone of millions of fans to spy on bars
El Diario
Navy Contractor Hacked: Reams of Secret Documents Taken
G Suite leaks in 10,000+ orgs: Google UX blamed, fury at no-bug defense
"Password reset flaw at Internet giant Frontier allowed account takeovers"
Zack Whittaker
Why a DNA data breach is much worse than a credit card leak
The Verge
"Facebook gave some companies extended access to user data"
Stephanie Condon
Facebook bug made up to 14 million users' posts public for days
"Cisco fixes critical bug that exposed networks to hackers"
Zack Whittaker
"Meet Norman, the world's first 'psychopathic' AI"
Charlie Osborne
Should We Always Trust What We See in Satellite Images?
Scientific American
The NSA Just Released 136 Historical Propaganda Posters
Unproven facial-recognition companies target schools, promising an end to shootings
The Zip Slip vulnerability: what you need to know
Naked Security
All the people Apple just pissed off to better protect your privacy
Fast Company
Recounting 'Horror Stories' Over Guitar Center's Warranties
Add Bryan Colangelo to the long list who have been burned by social media
Microsoft, Github, & distributed revision control
How the body could power pacemakers and other implantable devices
Charles Q. Choi
Having better risk-based analysis for your banks and credit cards
David Strom
Phil Smith III
Re: Securing Elections
Chris Drewe
Info on RISKS (comp.risks)

Another risk of driverless cars

"Peter G. Neumann" <>
Mon, 11 Jun 2018 9:27:18 PDT
NPR reported today that Waymo is buying a slew of cars to create a
driverless taxi fleet with no human overseer required in the car.  Emergency
takeover would be done by a fleet of well-trained remote admin personnel,
*via cell phone*.

There seem to be some massive flaws in that reasoning.  One is the need for
real-time response.  Another is unavailable cell-phone coverage.

I recall the case of someone who used his cellphone to start his car at
home, and then drove into Red Rock Canyon Park, parked, and later tried to
start his car (with the presence of his cellphone).  Unfortunately, he had
left his wireless unlocking/starting dongle at home, and there was no cell
coverage in the canyon.  His wife climbed up out of the canyon, called a
neighbor who could get the remote dongle out of their house, and bring it to
them so that they could drive home.

Just one more example of short-sightedness and lack of awareness...

Emirates looks to windowless planes

Richard M Stein <>
Wed, 06 Jun 2018 19:44:30 -0700

Aviation safety expert Professor Graham Braithwaite of Cranfield University:

  “Cabin crew need to be able to see outside the aircraft if there is an
  emergency.  Being able to see outside the aircraft in an emergency is
  important, especially if an emergency evacuation has to take place.  Flight
  attendants would need to check outside the aircraft in an emergency, for
  example for fire, before opening a door and commencing an evacuation - and
  anything that needed power to do this may not be easy to get certified by
  an aviation safety regulator.''  Prof Braithwaite said the main obstacle
  in a windowless aircraft would be passenger perceptions of the

  However, aviation regulator the European Aviation Safety Agency said: "We
  do not see any specific challenge that could not be overcome to ensure a
  level of safety equivalent to the one of an aircraft fitted with cabin

In addition to emergency evacuation slides, perhaps an emergency "peep hole"
to supplement camera or screen failure?

  [Perhaps the pilots would not need windows either, because everything is
  computer controlled?  PGN]

180,000 Voters accidentally left off LA County polling place rosters (Irfan Khan)

"Peter G. Neumann" <>
Wed, 6 Jun 2018 5:50:18 PDT
(Irfan Khan / Los Angeles Times)
Poll worker Shannon Diaz puts up signs as voting begins at El Mercado de
Los Angeles in Boyle Heights on Tuesday.

If you are a registered voter in Los Angeles County and poll workers say
they can't find your name on the roster at the polling place when you go to
vote, don't worry—you can still cast a provisional ballot.

Some Angelenos needed a bit of reassurance that their votes would be counted
in Tuesday's primary election after 118,522 voters' names were accidentally
left off rosters due to a printing error, according to L.A.  County
Registrar Dean C. Logan.

About 2.3% of L.A. County's 5.1 million registered voters and 35% of the
county's 4,357 precincts were affected by the error, according to figures
provided by the registrar-recorder/county clerk's office, which was still
trying to determine the reason for the printing error. Voters whose names
are missing are being encouraged to file provisional ballots, which are
verified by vote counters later.

Ontario election results Not a Number

Tony Harminc <>
Fri, 8 Jun 2018 16:42:48 -0400
Early in the counting for the Ontario provincial election on Thursday
evening 2018-06-07, I noticed the CBC election site displayed this dynamic
table of popular vote numbers:

Party    Votes    Vote Share
PC      389,435    40.45%
NDP     333,475    34.63%
LIB     174,446    18.12%
GRN      48,022     4.99%
OTH      17,467      NaN%

The "NaN%" survived several on-the-fly updates to the numbers.

When I checked on Friday morning, with final results in, the table was

Party    Votes    Vote Share
PC      2,322,422    40.63%
NDP     1,925,574    33.69%
LIB     1,103,283    19.30%
GRN       263,987     4.62%
OTH       100,058     1.75%

It's not obvious to me why the first set of numbers should lead to a NaN for
the "OTH" parties vote share rather than 1.81%. The page is still there at if anyone cares to
investigate the code, but I don't know how long it'll last.  One trusts that
this code is purely for display on the CBC website, and has nothing to do
with actual vote tallying...

In passing, this election was conducted with paper ballots hand marked and
scanned by machine, with the ballots retained for hand recount if necessary,
so pretty much Best Practice as I understand it. I don't believe any such
recount has been called for.
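The post does not establish why the early table showed "NaN%" for one row only. The following is an added example, not the CBC's code: it reproduces one plausible failure mode in browser JavaScript (a single count arriving as a pre-formatted string such as "17,467", which Number() turns into NaN) beside a hardened share calculation that parses formatted counts, checks the total, and refuses to render a non-finite value. The row values are the early-count figures quoted above; the string-formatted OTH row is constructed.

```javascript
// Added example (not the CBC's code): how a vote-share table can render
// "NaN%" for one row, and a hardened version that cannot. The real cause of
// the CBC bug is not known; the failure mode below is one hypothesis.
// Vote counts are the early-count figures quoted in the post.
const EARLY_ROWS = [
  { party: "PC",  votes: 389435 },
  { party: "NDP", votes: 333475 },
  { party: "LIB", votes: 174446 },
  { party: "GRN", votes: 48022 },
  { party: "OTH", votes: "17,467" }, // constructed: this row arrived pre-formatted
];

// Parse a count that may be a number or a display string such as "17,467".
// Returns null rather than NaN for anything that is not a non-negative integer.
function parseCount(value) {
  if (typeof value === "number") {
    return Number.isInteger(value) && value >= 0 ? value : null;
  }
  if (typeof value !== "string") return null;
  const digits = value.trim().replace(/,/g, "");
  return /^\d+$/.test(digits) ? Number(digits) : null;
}

// Total of valid votes across all rows, or null if any row is unparseable.
function sumCounts(rows) {
  let total = 0;
  for (const row of rows) {
    const n = parseCount(row.votes);
    if (n === null) return null;
    total += n;
  }
  return total;
}

// Naive display code: trusts row.votes as-is. Number("17,467") is NaN, and
// NaN.toFixed(2) is the string "NaN", so that one row renders as "NaN%"
// while the rows holding plain numbers look fine.
function naiveShares(rows, total) {
  return rows.map(row => ({
    party: row.party,
    share: (Number(row.votes) / total * 100).toFixed(2) + "%",
  }));
}

// Hardened display code: parse every count, verify the total is positive,
// and refuse to render a non-finite share (show a placeholder instead).
function hardenedShares(rows, total) {
  return rows.map(row => {
    const votes = parseCount(row.votes);
    if (votes === null || !(total > 0)) {
      return { party: row.party, share: "--" };
    }
    const pct = votes / total * 100;
    return { party: row.party, share: Number.isFinite(pct) ? pct.toFixed(2) + "%" : "--" };
  });
}

const TOTAL = sumCounts(EARLY_ROWS); // 962845, the sum of the five rows
console.table(naiveShares(EARLY_ROWS, TOTAL));    // OTH row shows "NaN%"
console.table(hardenedShares(EARLY_ROWS, TOTAL)); // OTH row shows "1.81%"
```

The hardened output reproduces the four published percentages and gives 1.81% for OTH, the value the post expected.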

Florida skips gun background checks for a year after employee forgets login (Naked Security)

Gabe Goldberg <>
Tue, 12 Jun 2018 11:52:23 -0400
In Florida, the site of recent mass shootings such as at the Stoneman
Douglas High School and the Pulse nightclub, more than a year went by in
which the state approved applications without carrying out background
checks. This meant the state was unaware if there was a cause to refuse a
licence to allow somebody to carry a hidden gun—for example, mental
illness or drug addiction.

The reason is dismayingly banal: an employee couldn't remember her login.

All accredited journalists at the #KimTrumpSummit get a free USB fan (YCombinator)

Lauren Weinstein <>
Mon, 11 Jun 2018 16:04:31 -0700
[Nothing to worry about!]

Oh yeah. Just plug it into your computer. For sure.

Israelis nabbed in Philippines are tip of iceberg in alleged fraud gone global (The Times of Israel)

Gabe Goldberg <>
Tue, 12 Jun 2018 13:01:51 -0400
As police raid Israeli-operated boiler rooms in Asia and Eastern Europe,
local law enforcement has yet to indict a single operative from an industry
that has stolen billions

Sweden Tries to Halt Its March to Total Cashlessness (Bloomberg)

Lauren Weinstein <>
Mon, 11 Jun 2018 17:53:32 -0700
via NNSquad

  The move is a response to Sweden's rapid transformation as it becomes one
  of the most cashless societies in the world.  That's led to concerns that
  some people are finding it increasingly difficult to cope without access
  to mobile phones or bank cards. There are also fears around what would
  happen if the digital payments systems suddenly crashed.

Cryptocurrencies Lose Billions In Value After An Exchange Is Hacked (NPR)

"Peter G. Neumann" <>
Mon, 11 Jun 2018 21:59:28 PDT
Coinrail virtual currency exchange was breached, and lost only $40M.
Ethereum dropped, and the end result was an estimated $40B lost over the
weekend to cryptocurrencies overall.  (PGN-ed)

"Cryptocurrency theft malware is now an economy worth millions" (Charlie Osborne)

Gene Wirchenko <>
Fri, 08 Jun 2018 20:23:45 -0700
Charlie Osborne for Zero Day (7 Jun 2018)
Carbon Black research suggests that as interest in cryptocurrency rises,
so does the market for weapons to steal it.

selected text:

The researchers estimate that over the past six months alone, a total of
$1.1 billion has been stolen in cryptocurrency-related thefts, and
approximately 12,000 marketplaces in the underbelly of the Internet are
fueling this trend.

In total, there are roughly 34,000 products and services on sale that are
related to cryptocurrency theft, ranging from just over a dollar in price to
$224, with an average cost of around $10.

"The available dark web marketplaces represent a $6.7 million illicit
economy built from cryptocurrency-related malware development and sales,"
the researchers say.

Quebec Halts Bitcoin Mining Power Requests Amid Booming Demand (Bloomberg)

Gabe Goldberg <>
Sun, 10 Jun 2018 18:06:14 -0400
Hydro-Quebec will temporarily stop processing requests from cryptocurrency
miners so that it can continue to fulfill its obligations to supply
electricity to the entire province.

Canada's biggest electric utility is facing unprecedented demand from
blockchain companies that exceeds Hydro-Quebec's short- and medium-term
capacity, according to a statement Thursday. In the coming days,
Hydro-Quebec will file an application to the province's energy regulator
proposing a selection process for blockchain industry projects.

Hydro-Quebec has been courting cryptocurrency miners in recent months in a
bid to soak up surplus energy from dams in northern Quebec. Power rates in
the province are the lowest in North America, both for consumers and
industrial customers.

Always risky, getting what you want.

Then, there's this...

...which one commenter somewhere suggests should be used to mine bitcoins.
Besides petaflop ratings, we need potential kWh/bitcoin comparisons.

The Spanish Liga uses the phone microphone of millions of fans to spy on bars (El Diario)

Jose Maria Mateos <>
Sun, 10 Jun 2018 21:01:19 -0400
Original article (in Spanish):

Automated translation:

The Liga de Fútbol Profesional, the body that runs the most important
sports competition in Spain, is using mobile phones of football fans to spy
on bars and other public establishments that put matches for their
clients. Millions of people in Spain have this application on their phone,
which accumulates more than 10 million downloads, according to data from
Google and Apple.

All of these people can become undercover informants for La Liga and the
owners of football television broadcasting rights. If they give their
consent for the app to use the device's microphone (which is common in many
applications), they are actually giving permission for La Liga to remotely
activate the phone's microphone and try to detect if what it sounds like is
a bar or public establishment where a football match is being projected
without paying the fee established by the chains that own the broadcasting
rights. In addition, it uses the phone's geolocation to locate exactly
where that establishment is.

Navy Contractor Hacked: Reams of Secret Documents Taken (WashPo)

Mark Rockman <>
Fri, 8 Jun 2018 17:10:09 -0400
*The Washington Post* reports "Chinese government hackers have compromised
the computers of a Navy contractor, stealing massive amounts of highly
sensitive data related to undersea warfare - including secret plans to
develop a supersonic anti-ship missile for use on U.S. submarines by 2020,
according to American officials."  Gee.  Do you think connecting secret
documents to the Internet is wise?  Good thing the Manhattan Project only
had a Russian spy in their midst.  Otherwise the Soviets may have stolen
nuclear secrets and got the bomb before 1949.

  [Also noted by Jose Maria Mateos.  PGN]

G Suite leaks in 10,000+ orgs: Google UX blamed, fury at no-bug defense (TechBeacon)

Lauren Weinstein <>
Thu, 7 Jun 2018 07:50:14 -0700
via NNSquad

  People keep misconfiguring G Suite to leak their companies' private
  data. An estimated 10,000 or more organizations are affected.  Google
  denies it's a bug, passive-aggressively telling people to RTFM. But that's
  not the point, is it? Given the scale of the problem, shouldn't la GOOG be
  fixing an obvious admin UX problem?

When you blame the users in situations like this, you've already lost the

"Password reset flaw at Internet giant Frontier allowed account takeovers" (Zack Whittaker)

Gene Wirchenko <>
Fri, 08 Jun 2018 20:28:37 -0700
Zack Whittaker for Zero Day (8 Jun 2018)
Password reset flaw at Internet giant Frontier allowed account takeovers
A two-factor code used to reset an account password could be easily bypassed.

opening text:

A bug in how cable and Internet giant Frontier reset account passwords
allowed anyone to take over user accounts.

The vulnerability, found by security researcher Ryan Stevenson, allows a
determined attacker to take over an account with just a username or email
address. With a few hours' worth of determination, an attacker can bypass the
access code sent during the password reset process.

Why a DNA data breach is much worse than a credit card leak (The Verge)

"Matthew Kruk" <>
Mon, 11 Jun 2018 10:04:32 -0600

"Facebook gave some companies extended access to user data" (Stephanie Condon)

Gene Wirchenko <>
Fri, 08 Jun 2018 20:31:02 -0700
Stephanie Condon for Between the Lines (ZDNet), 8 Jun 2018
Facebook's acknowledgement of these agreements is the latest incident to
shed light on the way the company has shared user data in ways users are
unlikely to understand.

opening text:

In the latest revelation about Facebook's data-sharing practices, the social
media giant acknowledged Friday that it gave certain companies extended,
special access to user data in 2015—data that was already off limits to
most developers.

Facebook bug made up to 14 million users' posts public for days (WiReD)

Lauren Weinstein <>
Thu, 7 Jun 2018 13:39:07 -0700
via NNSquad

  FACEBOOK HAS FOUND itself the subject of another privacy scandal, this
  time involving privacy settings. A glitch caused up to 14 million Facebook
  users to have their new posts inadvertently set to public, the company
  revealed Thursday.

"Private" posts that turned out to be public. Pretty much a worst case

"Cisco fixes critical bug that exposed networks to hackers" (Zack Whittaker)

Gene Wirchenko <>
Fri, 08 Jun 2018 20:21:00 -0700
Zack Whittaker, ZDNet, 7 Jun 2018
The bug had a rare 9.8 out of 10 score on the common vulnerability
severity rating scale.

opening text:

A "critical"-rated bug in one of Cisco's network access management devices
could have allowed hackers to remotely break into corporate networks.

"Meet Norman, the world's first 'psychopathic' AI" (Charlie Osborne)

Gene Wirchenko <>
Fri, 08 Jun 2018 20:34:03 -0700
Charlie Osborne for Between the Lines (ZDNet) 7 Jun 2018
While you see flowers, Norman sees gunfire.

selected text:

Researchers at the Massachusetts Institute of Technology (MIT) have
developed what is likely a world first—a "psychopathic" artificial
intelligence (AI).

Norman is an AI system trained to perform image captioning, in which deep
learning algorithms are used to generate a text description of an image.

However, after plundering the depths of Reddit and a select subreddit
dedicated to graphic content brimming with images of death and destruction,
Norman's datasets are far from what a standard AI would be exposed to.

The results are disturbing, to say the least.

In one inkblot test, a standard AI saw "a black and white photo of a red and
white umbrella," while Norman saw "man gets electrocuted while attempting to
cross busy street."

Should We Always Trust What We See in Satellite Images? (Scientific American)

Richard M Stein <>
Tue, 5 Jun 2018 06:21:03 -0700

The author argues that an "on the ground" confirmation is a wise precaution
to verify imagery content. Image processing algorithms can render misleading
impressions which affect major decisions.

"One example of the misuse of remotely sensed data was in 2003, when
satellite images were used as evidence of sites of weapons of mass
destruction in Iraq. These images revealed what were identified as active
chemical munitions bunkers and areas where earth had been graded and moved
to hide evidence of chemical production. This turned out not to be the

"Trust but verify" remains a wise precaution to follow when analyzing
satellite imagery.

The NSA Just Released 136 Historical Propaganda Posters (Motherboard)

Gabe Goldberg <>
Tue, 12 Jun 2018 13:20:23 -0400

Unproven facial-recognition companies target schools, promising an end to shootings (WashPo)

Richard M Stein <>
Fri, 08 Jun 2018 06:56:43 -0700

  "Although facial recognition remains unproven as a deterrent to school
  shootings, the specter of classroom violence and companies intensifying
  marketing to local education officials could cement the more than 130,000
  public and private schools nationwide as one of America's premier testing
  grounds—both for the technology's abilities and for public acceptance
  of a new generation of mass surveillance."

Mass shootings at schools in the US, while statistically rare compared to
other gun-related deaths (suicide, for instance), are horrifying events. A
set of companies are pitching facial recognition technology as a bromide and
deterrent, though they are coy to explain how their software stacks function
or enable deterrence. Exploiting fear and anxiety are long-practiced sales

The Zip Slip vulnerability: what you need to know (Naked Security)

"Peter G. Neumann" <>
Wed, 6 Jun 2018 20:30:31 PDT
  Thanks to SRI's Steven Cheung for spotting this one.

A fun vulnerability that uses zip files to overwrite files

All the people Apple just pissed off to better protect your privacy (Fast Company)

Gabe Goldberg <>
Fri, 8 Jun 2018 12:29:03 -0400
When Apple previewed the upcoming iOS 12 and MacOS Mojave at this week's
WWDC keynote,

The killer new features that got both developers and users most excited were
the ones you'd expect: the visually stunning Dark Mode on MacOS, the
insanely customizable Memojis on iOS, FaceTime group-calling features on
both platforms, massive improvements to Siri, and Apple's all-new Screen
Time digital health tracking tools.


All those features deserved the applause they got from the crowd.  But it
was other updates—definitely less sexy and headline-grabbing—that set
Apple apart from other technology giants.  I'm talking about the new privacy
features built into both iOS 12 and MacOS Mojave that make it so much harder
for other parties to get at your personal information.

Recounting 'Horror Stories' Over Guitar Center's Warranties (NYT)

Monty Solomon <>
Fri, 8 Jun 2018 13:40:11 -0400

Former employees and customers at the giant music retailer described
problems with how it sells protection plans, particularly in Puerto Rico.

Add Bryan Colangelo to the long list who have been burned by social media (ESPN)

Monty Solomon <>
Fri, 8 Jun 2018 13:41:23 -0400

Microsoft, Github, & distributed revision control (Medium)

John Ohno <>
Tue, 5 Jun 2018 10:27:01 -0400
Originally posted here:

Microsoft, Github, and distributed revision control

People legitimately criticize Github for creating artificial centralization
of open source software & having a dysfunctional internal culture, and for
being a for-profit company. Microsoft's acquisition may not make any of
these things worse, & won't make them better. But, there's a really specific
& practical reason people not already boycotting github have begun to
consider it in response to the Microsoft acquisition: Microsoft's history of
using deals, acquisitions, & standards committees as anticompetitive tools.

Github was never going to do much of anything beside host your projects, and
since hosting your projects is its main business, it's not going to do nasty
things like delete them. Microsoft, however, is absolutely willing to do
that kind of thing if they decide they can get away with it. History bears
this out—some of it recent. Microsoft hasn't been able to do it to the
likes of IBM or Netscape since the 90s, but only because their complacency
over the PC market has prevented them from being able to successfully branch
out into phones or servers; however, they have been happily performing their
embrace-extend-exterminate tactic on open source projects for the past
fifteen years.

(Note: If Github got as big as Microsoft & had side hustles as profitable,
they would do the same thing. This isn't about particular organizations
being evil—capitalism forces organizations to act unethically and
illegally by punishing those unwilling to break the law.)

People concerned about open source software distribution being centralized
under the aegis of unreliable for-profit companies have been boycotting
Github & Gitlab for years, and Google Code and Sourceforge before that.
They've also been working on alternatives to central repositories.

Named data networking goes beyond simply ensuring that the owner of the
hostname is not a for-profit company (liable to throw out your data as soon
as they decide that it'll make them money to do so). Instead, DNS as a
single point of failure goes away entirely, along with reliance on data

If you're considering migrating away from Github—even if the recent news
merely reminded you of problems Github has had for years—take this
opportunity to migrate your repository to git-ssb or git-ipfs, instead of
moving to another temporary host-tied third party thing like gitlab or
bitbucket.  Your commits are already identified by hashes, so why not switch
to hashes entirely & use an NDN/DHT system? That way, there's no third party
that could take down your commits if it goes down. The entire DNS system
could die permanently & it wouldn't interrupt your development.

How the body could power pacemakers and other implantable devices (Charles Q. Choi)

"Peter G. Neumann" <>
Mon, 11 Jun 2018 16:54:09 PDT
  [From ocean wave motions to lungs!  Great idea.  PGN]

Charles Q. Choi, *The Washington Post*, 9 Jun 2018

In I Sing the Body Electric, poet Walt Whitman waxed lyrically about the
action and power of beautiful, curious, breathing, laughing flesh.  More
than 150 years later, MIT materials scientist and engineer Canan Dagdeviren
and colleagues are giving new meaning to Whitman's poem with a device that
can generate electricity from the way it distorts in response to the beating
of the heart.

Despite tremendous technological advances, a key drawback of most wearable
and implantable devices is their batteries, whose limited capacities
restrict their long-term use. The last thing you want to do when a pacemaker
runs out of power is to open up a patient just for battery replacement.

The solution may rest inside the human body—rich in energy in its
chemical, thermal and forms.

The bellows-like motions that a person makes while breathing, for example,
can generate 0.83 watts of power; the heat from a body, up to 4.8 watts; and
the motions of the arms, up to 60 watts. That's not nothing when you
consider that a pacemaker needs just 50 millionths of a watt to last for
seven years, a hearing aid needs a thousandth of a watt for five days, a
smartphone requires one watt for five hours.

Increasingly, Dagdeviren and others are investigating a plethora of ways
that devices could make use of these inner energy resources and are testing
such wearable or implantable devices in animal models and people.

Good vibrations

One energy-harvesting strategy involves converting energy from vibrations,
pressure and other mechanical stresses into electrical energy. This
approach, producing what is known as piezoelectricity, is often used in
loudspeakers and microphones.

To take advantage of piezoelectricity, Dagdeviren and colleagues have
developed flat devices that can be stuck onto organs and muscles such as the
heart, lungs and diaphragm. Their mechanical properties are similar to
whatever they are laminated onto, so they don't hinder those tissues when
they move.

So far, such devices have been tested in cows, sheep and pigs, animals with
hearts roughly the same size as those of people.  “When these devices
mechanically distort, they create positive and negative charges, voltage and
current—and you can collect this energy to recharge batteries.  You can
use them to run biomedical devices like cardiac pacemakers instead of
changing them every six or seven years when their batteries are depleted.''

Scientists are also developing wearable piezoelectric energy harvesters that
can be worn on joints such as the knee or elbow, or in shoes, trousers or
underwear. People could generate electricity for electronics whenever they
walk or bend their arms.

Body heat

A different energy-harvesting approach uses thermoelectric materials to
convert body heat to electricity.  “Your heart beats more than 40 million
times a year,'' Dagdeviren notes.  All that energy is dissipated as heat in
the body—it's a rich potential source to capture for other uses.

Thermoelectric generators face key challenges. They rely on temperature
differences, but people usually keep a fairly constant temperature
throughout their bodies, so any temperature differences found within are
generally not dramatic enough to generate large amounts of electricity. But
this is not a problem if the devices are exposed to relatively cool air in
addition to the body's continuous warmth.

Scientists are exploring thermo-electric devices for wearable purposes, such
as powering wristwatches. In principle, the heat from a human body can
generate enough electricity to power wireless health monitors, cochlear
implants and deep-brain stimulators to treat disorders such as Parkinson's

Static and dynamic

Scientists have also sought to use the same effect behind everyday static
electricity to power devices. When two different materials repeatedly
collide with, or rub against, one another, the surface of one material can
steal electrons from the other, accumulating a charge, a phenomenon known as
triboelectricity. Nearly all materials, both natural and synthetic, are
capable of creating triboelectricity, giving researchers a wide range of
choices for designing gadgets.

Nanotechnologist Zhong Lin Wang of Georgia Tech:

  “The more I work with triboelectricity, the more exciting it gets, and
  the more applications it might have.  I can see myself devoting the next
  20 years to it.''

Having better risk-based analysis for your banks and credit cards

David Strom via WebInformant <>
Mon, 11 Jun 2018 11:58:20 -0500
David Strom's Web Informant, 11 Jun 2018
  [TNX to Gabe Goldberg]

When someone tries to steal money from your bank or credit card accounts,
these days it is a lot harder, thanks to a number of technologies. I
recently personally had this situation. Someone tried to use my credit card
on the other side of Missouri on a Sunday afternoon.  Within moments, I got
alerts from my bank, along with a toll-free number to call to verify the
transactions. In the heat of the moment, I dialed the number and started
talking to my bank's customer service representatives. Then it hit me: what
if I were being phished? I told the person that I was going to call them
back, using the number on the back of my card. Once I did, I found out I was
talking to the right people after all, but still you can't be too careful.

This heat-of-the-moment reaction is what the criminals count on, and how
they prey on your heightened emotional state. In my case, I was well into my
first call before I started thinking more carefully about the situation, so
I could understand how phishing attacks can often work, even for experienced

To help cut down on these sorts of exploits, banks use a variety of
risk-based or adaptive authentication technologies that monitor your
transactions constantly, to try to figure out if it really is you doing them
or someone else. In my case, the pattern of life didn't fit, even though it
was a transaction taking place only a few hundred miles away from where I
lived. Those of you who travel internationally probably have come across
this situation: if you forget to tell your bank you are traveling, your
first purchase in a foreign country may be declined until you call them and
authorize it. But now the granularity of what can be caught is much finer,
which was good news for me.

These technologies can take several forms: some of them are part of identity
management tools or multi-factor authentication tools, others come as part
of regular features of cloud access security brokers. They aren't
inexpensive, and they take time to implement properly. In a story I wrote
last month for CSOonline
I discuss what IT managers need to know to make the right purchasing

In that article, I also talk about these tools and how they have matured
over the past few years. As we move more of our online activity to mobiles
and social networks, hackers are finding ways at leveraging our identity in
new and sneaky ways. One-time passwords that are being sent to our phones
can be more readily intercepted, using the knowledge that we broadcast on
our social media. And to make matters worse, attackers are also getting
better at conducting blended attacks that can cut across a website, a mobile
phone app, voice phone calls, and legacy on-premises applications.

Of course, all the tech in the world doesn't help if your bank can't respond
quickly when you uncover some fraudulent activity. Criminals specifically
targeted a UK bank that was having issues with switching over its computer
systems last month knowing that customers would have a hard time getting
through to its customer support call centers. The linked article documents
how one customer waited on hold for more than four hours, watching while
criminals took thousands of pounds out of his account. Other victims were
robbed of five and six-figure sums after falling for phishing messages
that asked them to input their login credentials.


The moral of the story: don't panic when you get a potentially dire fraud
alert message. Take a breath, take time to think it through. And call your
bank when in doubt.

Comments always welcome here:

Having better risk-based analysis for your banks and credit cards

Phil Smith III <>
Tue, 12 Jun 2018 15:44:00 -0400
What continues to bug me is that banks don't ask, “Did you call this number
from the back of your card?''  Those of us who did will say “Of course'',
but we aren't the ones to worry about. I've gotten calls from banks asking
me about transactions; when I said “I will call you back'', they said
“Fine, of course.''  But they SHOULD have started the call with “This is
TBTF Bank, calling about a questionable transaction on your Visa card. To
ensure that this is a legitimate conversation, please call us back at the
number on the back of your card.''

Re: Securing Elections (Shapir, R 30 71)

Chris Drewe <>
Mon, 11 Jun 2018 22:22:41 +0100
This is similar in Britain (not that I'm a constitutional expert).
Candidates stand for election in each electoral area, and we vote for which
one we want to serve as our Member of Parliament.  The winner is the one
with most votes—the 'first-past-the-post' system.  Usually one of the big
parties gets a majority of MPs so forms the government directly, but
sometimes (as at the present time) the biggest party needs a support
agreement with a smaller party to get a majority.  While this may seem like
an elected dictatorship, it's obvious who is in charge, and we get the
chance to vote them out at the next election.

By contrast, as I understand it, mainland European countries often have a
large number of small parties so coalitions are the usual arrangement.  The
problem here is that much policy-making may be hidden in behind-the-scenes
deals between parties, i.e. a party may have to support something that it
doesn't want to get something that it does, or vice-versa.  This can give
unstable governments as in Italy as the original poster said, or the
opposite when an election just changes a few of the elected representatives
and everything continues as before.  The EU seems to be based on the
European model, with a large bureaucracy notionally governed by a small,
unfocused elected assembly, which may account for the fractious relationship
between the UK and the EU; indeed, a cynic such as myself may feel that the
aim is to create the impression of democracy rather than giving power to

As British MPs are elected regionally, there's no direct correlation between
the total number of votes gained by parties and the numbers of their MPs, so
there are periodic campaigns to adopt some kind of proportional
representation system, though this brings various other problems.  A bigger
problem is potential voter-identity fraud, a frequent topic in RISKS.
There's talk of requiring voters to show some proof of identity at polling
stations, but what, as there's no particular official UK identity document?
