Category: Technology

American bankers/retailers cheap out on improving security


Adding a PIN is so difficult, eh?

New technology about to be deployed by credit card companies will require U.S. consumers to carry a new kind of card and retailers across the nation to upgrade payment terminals. But despite a price tag of $8.65 billion, the shift will address only a narrow range of security issues.

Credit card companies have set an October deadline for the switch to chip-enabled cards, which come with embedded computer chips that make them far more difficult to clone. Counterfeit cards, however, account for only about 37 percent of credit card fraud, and the new technology will be nearly as vulnerable to other kinds of hacking and cyber attacks as current swipe-card systems, security experts say.

Moreover, U.S. banks and card companies will not issue personal identification numbers (PINs) with the new credit cards, an additional security measure that would render stolen or lost cards virtually useless when making in-person purchases at a retail outlet. Instead, they will stick with the present system of requiring signatures…

Chip technology has been widely used in Europe for nearly two decades, but banks there typically require PINs. Even so, the technology leaves data unprotected at three key points, security experts say: When it enters a payment terminal, when it is transmitted through a processor, and when it is stored in a retailer’s information systems. It also does not protect online transactions.

American corporations inside the retail purchasing loop are perfectly willing to expand that to four key points.

Retailers and security experts say it would make more sense for the United States to jump instead to a more secure system, such as point-to-point encryption. This technology is superior to chip-and-PIN, which first was deployed about 20 years ago, because it scrambles data to make it unreadable from the moment a transaction starts.

But the newer technology would cost as much as twice what the chip card transition will cost…

Moreover, some security experts say that mobile payment services such as Apple Pay, a service from Apple that stores data on the cloud, have the potential in coming years to secure payments without the need to swipe or tap a card at all…

Rick Dakin, who is advising a group of banks on payment security, said no industry standard exists for the newer point-to-point encryption systems, and banks and card companies are hesitant to make large-scale investments before the standards are set.

Apparently, 20 years isn’t sufficient time to adopt standards in the United States.

Banks and card companies said a chip card alone can make stolen data less useful for hackers and the technology has worked in reducing counterfeit card fraud in Europe and elsewhere.

Security experts said the shift cannot prevent massive consumer data breaches of the sort that recently hit Target and Home Depot. But the technology will make it more difficult to use stolen data.

The installation of 15 million payment terminals that can read chip cards in the U.S. will cost approximately $6.75 billion. Banks are expected to spend some $1.4 billion to issue new cards and another $.5 billion to upgrade their Automated Teller Machines according to Javelin Strategy & Research.

Beancounters live and die on hindsight – and this is another case of crap decisions being worthless.

What would this conversion have cost in 1995 dollar$? How many billion$ have been lost to fraud, counterfeit credit cards and identity theft? All it took in the first place was a willingness to make security a priority.

Apple offers great security with Apple Pay — banks aren’t doing as well

too big, too stupid

Apple Pay has proven to be a venue of convenience for criminals focusing on identity fraud, a new report suggests, with many fraudsters taking advantage of lax customer verification controls put in place by Apple’s partner banks to make brick-and-mortar purchases using stolen credit cards via the growing mobile payment service.

Apple Pay itself has not been exploited, according to The Guardian, with issues instead arising at the issuing banks. The problem centers around the processes those banks use to verify customers’ identity when adding a card to Apple Pay.

When adding a card, banks can reportedly choose to accept it immediately — using a so-called “green path” — or require additional verification, via a “yellow path.” Apple provides the banks with contextual information, such as the name of the device Apple Pay is being configured on, the device’s current location, and data about the length of iTunes transaction history, during setup to help identify cases where more stringent checks are required.

The yellow path processes have apparently been found lacking in some cases, with unnamed partner banks asking only for relatively easily-obtainable information, such as the last four digits of the customer’s social security number. Once approved, criminals can then use Apple Pay to purchase products at retail, later selling them for cash — with Apple retail stores apparently a particularly attractive target…

As part of their Apple Pay agreements, issuing banks agreed to accept liability for fraud through the platform. Thus far, that amount is thought to have risen into the millions of U.S. dollars, and banks are working on fixes.

You might think that banks – especially the big banks first on board with Apple Pay – might have something as basic as authentication of their own customers down pat. You’d be wrong.

Obviously, Apple figured banks might drop the ball. That’s why issuing banks have to accept the liability for fraud.

Meanwhile, Apple Pay works so well that crooks love it. Guaranteed to be another whine from the NSA and FBI next time they hand out press releases begging Congress to make Apple weaken security.

Tim Cook won’t back down — opposes terrorism, selling data, and snooping

image
During an unannounced visit to Apple’s Covent Garden store

Following comments regarding Apple Watch specifications and an upcoming Apple Store revamp, Cook spoke with the Telegraph in an extensive interview covering data privacy, government snooping, terrorism and more.

The Apple chief is cognizant of the amount of customer information being “trafficked around” by corporations, governments and other organizations, saying data sharing is a practice that goes against Apple’s core philosophies. He said consumers, however, “don’t fully understand what is going on” at present, but “one day they will, and will be very offended.”

“None of us should accept that the government or a company or anybody should have access to all of our private information,” Cook said. “This is a basic human right. We all have a right to privacy. We shouldn’t give it up. We shouldn’t give in to scare-mongering or to people who fundamentally don’t understand the details…”

The publication also asked about implications of terrorism, especially government surveillance operations created with the intent of aiding law enforcement agencies. Cook took a hard-nosed stance on the topic, saying the issue is a non-starter in his book because terrorists use proprietary encryption tools not under the control of U.S. or UK governments.

“Terrorists will encrypt. They know what to do,” Cook said. “If we don’t encrypt, the people we affect [by cracking down on privacy] are the good people. They are the 99.999 percent of people who are good.” He added, “You don’t want to eliminate everyone’s privacy. If you do, you not only don’t solve the terrorist issue but you also take away something that is a human right. The consequences of doing that are very significant…”

The executive reiterated Apple’s mantra of making products, not marketing consumers as products. Every device and service that comes out of Cupertino is designed to store only a minimal amount of customer information, Cook said.

Finally, Cook talked about privacy as it applies to Apple Pay, the fledgling payments service Apple rolled out in October. Unlike other payments processors, Apple designed Apple Pay to reveal little to no information to outside parties, including itself.

“If you use your phone to buy something on Apple Pay, we don’t want to know what you bought, how much you paid for it and where you bought it. That is between you, your bank and the merchant,” Cook said. “Could we make money from knowing about this? Of course. Do you want us to do that that? No. Would it be in our value system to do that? No. We’ve designed [Apple Pay] to be private and for it to be secure.”

I love the privacy of Apple Pay. I haven’t stopped smiling since the first time a checkout clerk exclaimed…”It doesn’t even tell me your name!”

This is excerpted from a long interview in the TELEGRAPH – worth reading.

Biobattery plant turns a wide range of biomass into energy, consumables

Researchers at the Fraunhofer Institute for Environmental, Energy and Safety Technology have developed a “biobattery” in the form of a highly efficient biogas plant that can turn raw materials like straw, scrap wood and sludge into a variety of useful energy sources including electricity, purified gas and engine oil. The new plant design, currently being put to the test in a prototype plant in Germany, is said to be highly modular and economically viable even at the small scale.

The production of biogas  –  gas created by the breakdown of organic matter, by fermentation or through the action of anaerobic bacteria  –  is an interesting complement to other sources of renewable energy since it can not only generate electricity at little cost to the environment, but also create biofuel, fertilizer and engine oil. One issue, however, is that these plants only accept few organic substances as raw materials.

A new biogas plant developed at the Fraunhofer Institute could solve this problem by taking a number of materials that would normally have to be disposed of at great cost – like industrial biomass waste, sewage sludge, straw, scrap wood or manure – and process them with high efficiency into a more useful output, all through a highly modular, flexible design…

The end products can be used in various ways: the oil can be turned into fuel for ships or airplanes; the gases are used to produce electricity in a combined heat and power plant; and the biochar can be used as fertilizer.

Besides the flexibility that comes from accepting multiple raw materials and producing multiple outputs, another crucial advantage to the biobattery is that, according to the scientists’ financial analysis, even a small-scale plant requiring a small investment would be financially profitable. Because of the built-in modularity, the plant could then be gradually upgraded to process more materials with higher efficiency.

In their own way, the Fraunhoher Institute is as interesting a source for advancing life on this wee planet as the Max Planck Institute. Though not as dedicated to basic research as the latter, Fraunhofer turns out more practical science and engineering than most of their peers in the Western world.

This is one more example. RTFA for another few paragraphs of detail. Living as we do on a planet dominated by a species whose progress in economics and commerce is generally accompanied by an inordinate amount of waste – and wastefulness – Fraunhofer’s efforts are more than welcome.

Portland to generate electricity as part of its water system


LucidPipe installation — a turbine visible inside the pipe

There’s a lot of water constantly moving through the municipal pipelines of most major cities. While the water itself is already destined for various uses, why not harness its flow to produce hydroelectric power? Well, that’s exactly what Lucid Energy’s LucidPipe Power System does, and Portland, Oregon has just become the latest city to adopt it.

LucidPipe simply replaces a stretch of existing gravity-fed conventional pipeline, that’s used for transporting potable water. As the water flows through, it spins four 42-inch (107-cm) turbines, each one of which is hooked up to a generator on the outside of the pipe. The presence of the turbines reportedly doesn’t slow the water’s flow rate significantly, so there’s virtually no impact on pipeline efficiency.

The 200-kW Portland system was privately financed by Harbourton Alternative Energy, and its installation was completed late last December. It’s now undergoing reliability and efficiency testing, which includes checking that its sensors and smart control system are working properly. It’s scheduled to begin full capacity power generation by March.

Once up and running, it’s expected to generate an average of 1,100 megawatt hours of energy per year, which is enough to power approximately 150 homes. Over the next 20 years, it should also generate about US$2 million in energy sales to Portland General Electric, which Harbourton plans on sharing with the City of Portland and the Portland Water Bureau in order to offset operational costs. At the end of that period, the Portland Water Bureau will have the right to purchase the system outright, along with all the energy it produces.

Something cities like Albuquerque and Santa Fe, New Mexico, should consider. The rush of population growth and concurrent water system expansion took place right after World War 2. The mediocre piping installed now fails on a regular basis. Cripes, in Abq it’s weekly, even daily.

Of course, rebuilding infrastructure – especially with an eye on future requirements and additions – ain’t exactly part of being an American politician, nowadays.

It ain’t paranoia if they’re really watching you!

Screen Shot 2015-02-17 at 9.12.07 AM
Click to enlarge

The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world’s computers…

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.

The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran’s uranium enrichment facility. The NSA is the agency responsible for gathering electronic intelligence on behalf of the United States.

A former NSA employee told Reuters that Kaspersky’s analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.

Kaspersky published the technical details of its research on Monday, which should help infected institutions detect the spying programs, some of which trace back as far as 2001.

Another opportunity to confirm which politicians and pundits are serious about protecting individual privacy and which consider kissing government spy-butts more important. Let’s see who lines up on which side in coming days discussing this latest revelation.

Meanwhile, our government will continue to tell us the biggest cyber-dangers are script-kiddies dwnloading movies and crooks raiding ATMs. Just ignore wholesale spying on everyone on the planet who owns a computer or a cellphone.

If the NSA gets their way, the Internet of Everything will have your refrigerator telling American spy agencies what you plan to have for lunch.

Apple signs on to Obama’s cybersecurity framework — but…


“History has shown us that sacrificing our right to privacy can have dire consequences”

Apple is among more than a half-dozen major U.S. corporations that have agreed to integrate the White House’s Cybersecurity Framework into their operations, but the iPhone maker will not share security information with the federal government…

While the extent to which the framework will influence Apple’s security practices is unclear, it appears that the company will not take the extra step of sharing security-related data with the Department of Homeland Security’s new National Cybersecurity and Communications Integration Center. Such information sharing is a tentpole of Obama’s cybersecurity strategy.

While a few notable security vendors have signed up, none of Silicon Valley’s major consumer-focused companies are participating, and Apple CEO Tim Cook was the only well-known corporate executive at the summit. The Valley maintains a deep distrust for the federal government in the aftermath of the Edward Snowden spying revelations, a point which Cook drove home during his speech.

“If those of us in positions of responsibility fail to do everything in our power to protect the right of privacy, we risk something far more valuable than money,” Cook said. “We risk our way of life.”

“We must get this right,” he added. “History has shown us that sacrificing our right to privacy can have dire consequences. We still live in a world where all people are not treated equally. Too many people do not feel free to practice their religion, or express their opinion, or love who they choose.”

Personal privacy is especially important “in a world in which that information can make the difference between life and death,” Cook said.

Uncle Sugar – led by the President of these United States – is stepping up to deal with a question of security deeply rooted in the structure of the Internet. And as the Web, the Cloud, the constant value of communications and access to information becomes more a part of everyone’s life – that question of security increases as threat and value.

I don’t doubt the President considers his proposal to be something of value. On its own. But, his continuation of the Bush/Cheney cabal, his extension of the NSA and FBI as the thought police of the world absolutely corrupts the process. It is a refutation of the standards set by our constitution as imperfect as that document may sometimes be.

So, I credit Tim Cook for not sulking in a Silicon Valley McMansion – but, showing up to address problems that need to be addressed while continuing to question the intellectual dishonesty, the hypocrisy that characterizes every aspect of our government. It doesn’t matter if it’s Congress or the White House. This nation deserves better.

Tim Cook signs onto the framework, the concept of developing cybersecurity that works for everyone. But, he will not cooperate with turning private data over to the government.

Keep on rocking in the Free World.

Space telescope capable of images 1,000 times sharper than Hubble


Aragoscope – artist’s conception

The Hubble space telescope has given us decades of incredible images, but it’s reaching the end of its service life and the question is, what will come after? One possibility is the Aragoscope from the University of Colorado Boulder, which uses a gigantic orbital disk instead of a mirror to produce images 1,000 times sharper than the Hubble’s best efforts.

The Aragoscope is named after French scientist Francois Arago who first noticed how a disk diffracted light waves. The principle is based on using a large disk as a diffraction lens, which bends light from distant objects around the edge of the disk and focuses it like a conventional refraction lens. The phenomenon isn’t very pronounced on the small scale, but if the telescope is extremely large, it not only becomes practical, but also extremely powerful.

When deployed the Aragoscope will consist of an opaque disk a half mile in diameter parked in geostationary orbit behind which is an orbiting telescope keeping station some tens to hundreds of miles behind that collects the light at the focal point and rectifies it into a high-resolution image…

The new orbital telescope was selected last June by NASA as one of 12 proposals for its NASA Innovative Advanced Concept (NIAC) program – each of which received US$100,000 to fund nine-months of research for projects ranging from capturing asteroids to sending submarines to the lakes of Titan. The Aragoscope is now up for being one of six projects that will receive an additional US$500,000 in April.

The team sees the Aragoscope as a way to penetrate farther into the universe to observe phenomena like black hole event horizons, or turned on the Earth to pick out objects the size of a rabbit. The next phase of the project involves testing the concept. This will involve laboratory work using a one-meter disk set several meters from a telescope. If this is successful, a more dramatic demonstration will use a disk set on a mountain top while a telescope mounted on a helicopter tries to focus on the star Alpha Centauri.

“Pick out objects the size of a rabbit”, eh? I recall a scientist cautioning me BITD when the US and USSR were involved in a race to develop spy satellites with the finest resolution. He told me if I was going to have sex outdoors – make sure it was under a tree.

I hope someone offers an app which automatically notifies everyone whenever our government turns the Aragoscope around to face Earth instead of deep space.