TBT: Oh what a tangled (dark) web we weave


Originally posted October 10, 2017

How the U.S. government helps hackers

When you email or visit a website, your computer leaves behind a calling card in the form of its IP address. Short for “Internet Protocol,” the IP address helps devices locate and recognize each other, thus speeding communication.

People, too, can identify senders and visitors by an IP address. This can be rather inconvenient if you happen to be a cyber spy, assuming you don’t want the people you’re spying on to know that you’re spying on them, much less who you are or where your kids go to school.

So, the United States Navy set to work on a browser that would make it impossible to trace IP addresses. The result was the TOR browser, “TOR” being an acronym for The Onion Router.

I’d hoped its name derived from the news-satire site, but a little research revealed that the “Onion” part refers to multiple layers the browser employs to mask user identities. 

The Navy released TOR for general use in 2002. It soon became apparent that TOR, like any technology, can be used for good and not-so-good purposes.

On the good side, you can use TOR to reduce your chances of being hacked, frustrate any designs Big Brother may have on monitoring your online activity, or, if you’re writing a crime novel, research topics like, say, how to defeat a burglar alarm or get away with murder without fear of landing on a watch list.

On the not-so-good side, TOR enables a secret online world known as the dark web, and allows it to flourish. The dark web happens to be a fairly safe environment for conducting illegal activities. It should come as no surprise that myriad criminals use it for exactly that purpose. Stolen identities with account numbers, healthcare information, firearms, drugs, fraud, and prostitution—and worse—are all freely traded on the dark web.

We’re not talking small potatoes here. There are flagrantly illegal dark web operations that have grown so large that they offer guarantees, publish user reviews, and maintain 24-hour help lines.

More reason to educate clients on the basics of online safety

For the financial services industry, stolen identities with account numbers are the tip of the dark iceberg. Writing for Verafin a little over a year ago, financial crimes research specialist Denise Hutchings reported that a wealth of personal information belonging to U.S. Bank clients—including “usernames, passwords, physical addresses, email addresses, phone numbers and bank account numbers”—had been made readily available to dark web shoppers.

Since digital payments are traceable to bank accounts, you might think that making a purchase over the dark web would immediately reveal your identity. Perhaps it would, were it not for cybercurrency, which, like the dark web, is largely untraceable. The recent advent of Bitcoin provided the final component that criminals needed to make the dark web safe and profitable for illicit purposes.

Given the extent of the dark web’s dark side, you might wonder why the Navy opened up TOR for general use in the first place. And, since the dark web does not fund itself with the likes of pay-per-click, ad revenues, and retargeting, you might wonder why, as reported in The Guardian, TOR receives about 60% of its funding from the U.S. State Department and Department of Defense.

To answer both questions, consider TOR’s original objective: To let cyber spies spy without fear of detection. If TOR were available only to U.S. government employees, it would be pretty obvious that anyone not leaving an IP address worked for the U.S. government. Cyber spies can pass for anyone only if you let anyone use TOR.

And anyone does. As of this writing, TOR has nearly 3 million users. I want to emphasize that not all TOR users are bad guys. It has its legitimate uses. Its illicit uses, however, leave the U.S. government in an interesting predicament. It needs TOR to remain anonymous in order to keep undercover agents under cover; but the government doesn’t like enabling criminals, much less picking up most of their tab. So, the government asked TOR’s developers to create a secret way in, a request that was wisely refused. TOR works precisely because there is no secret way in; were one developed, it would sooner or later find its way to the wrong people. 

Inevitably, businesses whose raison d’être is to crack the dark web are now flourishing.

Legit uses aside, it behooves financial institutions to beware the illegitimate ones. Warning clients about potential harm can make for good policy provided it doesn’t err on the side of sowing paranoia. It might also be a good idea to check for the TOR browser on company devices. It’s one thing to use TOR at home. Unless there’s a job-related need for anonymous activity, an employee who downloads TOR onto company property may be up to no good.

Posted in Uncategorized by Matt. Comments Off on TBT: Oh what a tangled (dark) web we weave

How Facebook retains users, and why it’s not the best method


As of this writing, Mark Zuckerberg isn’t budging: Facebook will still run but not fact-check political ads. Not to worry, however: it will continue suspending users for remarks and images its algorithm deems unseemly.

This isn’t the first time that Zuckerberg and his brainchild have stepped on a steaming pile of bad PR. Not to be overlooked are the 2016 election interference thing, the collecting and marketing of personal data thing, the addicted-to-Facebook thing, the ugly online arguing thing, the unwelcome ads thing, and on, and on.

Surely the time would seem ripe for Adam Smith’s invisible hand to intervene, first by raising up a suitable challenger, and second by moving FB customers to it. And indeed, there has been no shortage of challengers: WT.social, Google+, DailyBooth, iTunes Ping, Meerkat, Friendster, YikYak, to name a few. Haven’t heard of some of them? Perhaps that’s because most are floundering or, worse, have foundered.

Apps like Twitter, Instagram (which Facebook purchased in 2012 for $1 billion), and Pinterest have only somewhat dented Facebook’s numbers, having overall proved more supplemental than threatening. As The Financial Brand staff writer Craig Guillot has pointed out:

No one truly thinks Facebook will go the way of Myspace. It has immense legacy power in the world of social media and is used by three-fourths of the U.S. adult population to connect with friends and family, read the news, share ideas, and learn about products and services. And the fact that Facebook owns Instagram rules out the idea of a direct head-to-head war for users and advertising revenues.

This is not to say that Facebook is topple-proof. As I have written before, no giant is.

But for now, it seems that Facebook has managed to tie Smith’s invisible hand behind his back. A look at how and why—and at how to do it better—may prove useful in today’s digital banking world.

“Sticky” products and services are “sticky” in that they’re more inconvenient to exit or replace than to keep. In banking, there is no more classic example than salary paid via direct deposit. Once you’ve set it up, it’s easier to keep the receiving account than to take the steps and brave the potential foul-ups involved in moving it. Hence, many people “stick” with their bank, or at least with the account in question, like it or not.

Facebook is a lot like that. To defect to another app, frequent Facebook users would have to persuade their hundreds of Facebook friends to move with them, which, given inertia and other impediments, is a long shot. They would have to master the new app, which, user-friendly and self-explanatory though it may be, can daunt in the face of an app they already know well. They would have to bid farewell to their groups. They would need to believe that they won’t regret switching, that they won’t miss Facebook features they have come to enjoy. It’s simply easier to continue with Facebook.

Last year, PRI asked users why they don’t defect from Facebook. 

We got dozens of responses, with most of you telling us you’re sticking with Facebook for one or more of four reasons: keeping in touch, using the “groups” feature, using it for work or fear of missing information, events or birthdays.

PRI cited some revealing comments:

“I want to disconnect entirely from the divisive, egocentric and artificially idealized culture Facebook has fostered, but not at the price of being disconnected from the people I care about.” … “I have taken breaks, but it sometimes has cost me jobs.” … “I view it as a tremendous negative spot in my life, otherwise, but like an unhealthy relationship, I keep coming back for the good parts, even though it mostly brings me down.” … “Yes, I want to quit Facebook! My productivity tanks when I am on it but they have brilliantly tapped into the human instinct to ‘connect.’ Plus FOMO is so successfully triggered by this platform as well.” 

Here’s how Vox put it:

… the growing pressure that many people feel to abandon Facebook altogether fails to take into account both Facebook’s position in modern society and the stakes involved for anyone who chooses to leave a network that has spent more than a decade trying to make leaving it impossible.

So it is that Facebook prevails. But here’s the thing about sticky products.

Whether we’re talking Facebook or banking, sticky products prevail not by virtue of a loyal user base but by virtue of being damned difficult to leave. They don’t win customers. They mire them. 

That’s all well and good—assuming one thinks it’s all well and good to have unhappy customers as long as they’re stuck—until someone comes along with a convenient way out of the mire. In digital banking, ways out of the mire are coming fast. You can set up a digital banking relationship and transfer funds from your old accounts to your new in minutes. Myriad posts (like this one, for instance) exist to guide you and help you avoid pitfalls. Digital banks like Simple facilitate switching with a few clicks.

You have to wonder if it’s only a question of time before an app lets you move everything with a single click. Among others, Monzo appears headed that way. When sufficiently simplified account-switching arrives, even the stickiest financial institutions may be in for a mass exodus. When it comes to savings accounts, for instance, The Financial Brand’s Bill Streeter reported that “among those consumers surveyed [by Consumer Bankers Association and Novantas] who are already comfortable with online-only providers, four out of five (79%) would consider saving with a big tech company if they could.”

I suggest that stickiness is fast wearing out the welcome it never had. I’d share some examples of great things some financial institutions are doing to earn-not-entrap, but Jim Marous has already done that in a piece he wrote for The Financial Brand.[1] I recommend giving “Reinventing the Retail Banking Experience in a Digital World” a read now, while it’s on your mind.



[1] You could do a lot worse than to subscribe to The Financial Brand. You may have noticed that I have thrice cited it today alone.

Posted in Uncategorized by Matt.

Payment fraud takes a ride on public transit


While public transit lets riders save on gas and turn commute time into reading, work, or Candy Crush time, it lets fraudsters test stolen data.

Readers of this blog are doubtless aware that no shortage of account numbers, complete with names, passwords, maiden names, SSNs, PINs, fingerprints, and other personal data, is available for sale on the Dark Web.

Still, not every illicitly obtained account number is good. To avoid the inconvenience and embarrassment of a declined fraudulent transaction, thieves are well advised to verify that a pilfered account has not been suspended, closed, or otherwise compromised well before they attempt to go hog-wild with it. 

Lucky for them, account verification is nothing new. The trick is to conduct a quick, initial test transaction so negligibly small that, should it happen to bounce, few are likely to notice, and those who do notice aren’t likely to raise much of a ruckus.

Mass transit payment systems, with their typically low fares, can provide just such a testing environment for fraudsters. This was brought to my attention last week by a Salt Lake Tribune article reporting that GoRide, the payment app used by Utah Transit Authority (UTA), is “… a favorite testing site for stolen credit cards.”

It wasn’t account holders that brought the problem to the attention of authorities. It was an alert UTA analyst. Per the Tribune:

… investigations started when a fare operations analyst noticed a high number of chargebacks from banks … UTA figures thieves were using the GoRide app to test whether stolen credit card numbers were still active because low-cost charges for transit rides may not raise concern by credit card companies and owners initially, perhaps allowing thieves to go on spending sprees for other items with the working numbers.

The affidavits said UTA identified more than a dozen problematic accounts and was able to identify several people and their electronics and financial accounts suspected of using stolen credit card numbers. They said the agency found fraudulent activity dating back to last July.

Not incidentally, the GoRide app is smartphone-based. According to travel rewards website Upgraded Points, smartphones provide the “initial point of contact” for fraudsters 77 percent of the time.
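The pattern the UTA analyst caught by eye, many low-fare charges on one account spread across several cards and ending in declines or chargebacks, can also be checked for automatically. The sketch below is an added example, not code from UTA, GoRide, or this blog; the field names, thresholds, and sample transactions are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    account: str     # app account that made the purchase (hypothetical field)
    card_token: str  # tokenized card reference, never the card number itself
    amount: float    # fare charged, in dollars
    outcome: str     # "approved", "declined" or "chargeback"


# Constructed sample data: three ordinary riders and two suspicious accounts.
SAMPLE = (
    [Txn("rider-001", "tok_a1", 2.50, "approved")] * 3
    + [Txn("rider-002", "tok_b1", 2.50, "declined"),   # expired card, then retry
       Txn("rider-002", "tok_b2", 2.50, "approved")]
    + [Txn("family-310", f"tok_f{i}", 2.50, "approved") for i in range(4)]
    + [Txn("acct-917", f"tok_x{i}", 2.50, o) for i, o in enumerate(
        ["declined", "chargeback", "approved",
         "chargeback", "declined", "chargeback"])]
    + [Txn("acct-644", f"tok_y{i}", 2.50, o) for i, o in enumerate(
        ["chargeback", "approved", "chargeback", "approved"])]
)


def flag_card_testing(txns, max_fare=5.00, min_cards=4, min_bad_ratio=0.5):
    """Return (account, distinct_cards, bad_ratio) for accounts that look
    like card testing: several different cards used for small charges, with
    a large share of those charges declined or later charged back."""
    stats = defaultdict(lambda: {"cards": set(), "total": 0, "bad": 0})
    for t in txns:
        if t.amount > max_fare:
            continue  # only low-value charges fit the testing pattern
        s = stats[t.account]
        s["cards"].add(t.card_token)
        s["total"] += 1
        if t.outcome in ("declined", "chargeback"):
            s["bad"] += 1

    flagged = []
    for account, s in stats.items():
        ratio = s["bad"] / s["total"]
        # Both conditions must hold: a family sharing four good cards has
        # many cards but no failures; one expired card has failures but
        # too few cards.
        if len(s["cards"]) >= min_cards and ratio >= min_bad_ratio:
            flagged.append((account, len(s["cards"]), round(ratio, 2)))
    # Most cards first, so an analyst reviews the worst accounts first.
    return sorted(flagged, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for account, cards, ratio in flag_card_testing(SAMPLE):
        print(f"{account}: {cards} cards, {ratio:.0%} declined or charged back")
```

Chargebacks arrive days or weeks after the fare, so in practice the decline signal fires first and the chargeback signal confirms it later.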

Postscript on personal security measures

Though hacking transit transactions for purposes of verifying pilfered accounts may be new, most of the techniques fraudsters use for stealing credit card data are not. This month, creditcards.com shared “10 identity theft techniques to watch out for in 2020.” Some making the list were of the higher tech variety, such as viruses that pilfer information from online shopping carts. But most, such as phishing scams and lifting data that people unwisely share on social media, were lower-tech and have been around for years.

Some merchants may be unwitting allies in credit card fraud. Chargebacks911 states:

The difficulty of identifying fraud online leads some businesses to adopt a defeatist posture. In fact, 47% of online sellers believe fraud is inevitable in the eCommerce environment. A further 20% think it costs too much to control; instead, it’s best to just maximize sales and hope to outpace the fraudsters.

While I have no desire to throw cold water on the development of high-tech and AI-driven fraud prevention, it seems that personal vigilance remains vital and has the power to take a big chunk out of payments fraud. 

Financial institutions can provide a needful and loyalty-building service by educating clients on everyday security measures anyone can and should take. Some ill-informed PR advisors may warn their bank clients against so much as bringing up fraud. But, as I wrote nearly three years ago, “Perhaps paradoxically, the proper presentation of information on staying safe from hackers can increase client confidence by conveying that a financial institution is knowledgeable and cares about its customers.”

Posted in Uncategorized by Matt.

TBT: A Peek Inside the Brainstorming Session
(Branding a Bank for the Rising Generation)

Originally posted on October 31, 2013

Here’s a macabre thought to start your day: Older customers will die sooner than younger ones.

It’s a fact of life that has many a financial institution concerned. Rightly so.

I wouldn’t dream of suggesting that bankers’ concern is only for the bottom line. Surely many wish their customers a long life out of pure altruism. Yet even the most altruistic understand that a bank’s life expectancy is tied to that of its customers. A bank that hopes to outlive older customers must attract younger ones.

The problem lies in how to go about trading the outdated image that appealed to prior generations for a new, more with-it image that appeals to younger ones.

CUT TO: THE BRAINSTORMING SESSION. “I have it!” someone says. “Let’s quit making tellers cover their tats!” (“What’s a tat?” asks the CEO.) Someone else suggests decorating branches à la the young person’s hangout. Another wonders aloud what it would cost to hire Justin Bieber or Miley Cyrus as a spokesperson. (“Who?” asks the CEO.) Yet another, who happens to be a Garage Band enthusiast and wannabe rock star, thinks a rockin’ jingle will do the trick. A techie suggests overhauling the website with state-of-the-art animation, games, great colors, hot music, and downloadable tunes and videos. The advertising manager wants to shoot commercials telling viewers that the bank has been misjudged, that in reality no one is more hep. (“What’s hep?” asks the youngest person in the room.)

Were I in the room—come to think of it, I have been, more than once—I would point out that the discussion started off on the wrong foot. Contrived cosmetics do not make a brand. Substance does. If you are cool—whatever that means—it will be manifest in your look and messaging. If you are not, pretending will only make you look pathetic, like a boor who thinks changing his shirt rather than his approach will make people like him.

If the rising generation favors a competitor, dig deep to find out why. Odds are you’ll discover an underlying philosophy, approach, and values that a younger market responds to. You will also find that the outward look and feel, far from contrived, are a natural expression of said underlying philosophy, approach, and values.

Only claim to be what the market wants if you first become what the market wants. Then the outward trappings will speak for themselves.

Posted in Uncategorized by Matt.

From bezels to bombs: ATM fraud runs the gamut


Some thieves take on smart ATMs with high tech gadgetry. Others, you could say, have a shorter fuse.

The United States Department of Justice recently sent notifications to 2,000 residents in my home state of Utah. Recipients are presumed victims of one Alexandru Cosmin Licsor, freshly extradited from Romania. The purpose of the letter was to inform them of Licsor’s Salt Lake City trial, which begins one week from today. According to KSL.com:

Authorities said 37-year-old Alexandru Cosmin Licsor would install skimmers and cameras at ATMs along the Wasatch front then wait for customers to make withdrawals before cashing in on their hard-earned money … 

“It reads the data on the bank cards and they get the pins from persons that enter their PIN. They usually have a camera and that’s how they were able to get the data and they just duplicate it,” said FBI special agent Dave Fitzgibbons … 

According to the indictment, Licsor attempted to withdraw $512,960.13 and succeeded in withdrawing $189,740.30 from ATMs belonging to other banks and as far as New Mexico … The FBI suspects Licsor is part of a larger criminal organization operating in the Netherlands, Italy, Romania and Mexico.

“ATM fraud,” said one Utah resident who prefers I omit his name, “that’s still a thing?”

Yes, Virginia, ATM fraud is still very much a thing, and it doesn’t look like it’s going away anytime soon. Fraudsters develop and install myriad high tech hacks on ATMs. A new PYMNTS.com article reports that David Phister, systems security product management director for Diebold Nixdorf, said that … 

… ATM skimming and jackpotting—where malicious code or hardware is installed at the machine to coax cash to be spit out on demand—remain among the most significant security concerns into the holiday season.

… Phister told PYMNTS that consumers should be especially vigilant about inspecting machines for “false bezels,” which are typically fixed over the card reader or other parts of the ATM, and which can house tiny “pinhole” cameras that record PINs as they are entered on keypads.

Consumers are well advised toward vigilance, but then, there’s only so much that the untrained eye can be expected to detect. False bezels are hard enough to spot, but at least they’re mounted on the ATM exterior. Data theft devices hidden inside the card slot present a bigger challenge—even to the better trained eye. PYMNTS.com continues:

Another tactic involves the use of razor skimmers, which [Phister] described as part of the newest wave of fraud. They are, well, razor-thin inserts that fit within the card acceptance slot, and read the data housed within the magnetic stripe of cards inserted into the hacked ATM.

But not all ATM thieves resort to high-tech solutions. Some rely on the more traditional, Butch Cassidy-esque approach, which is to say, explosives. 

In the Netherlands, blowing open ATMs had become so prevalent that, just a few weeks ago, ABN AMRO took the drastic step of emptying and shutting down 470 ATMs. In an official press release, ABN AMRO announced that it …

… has temporarily shut down 470 cash dispensers with immediate effect. This emergency measure is needed in view of the growing number of violent ATM explosive attacks. All cash has been removed from the machines. The past few months have seen a sharp rise in violent ATM explosive attacks, particularly targeting a certain type of cash dispenser used by ABN AMRO.

The move won’t leave ABN AMRO customers entirely ATM-less, however, for only about half of its ATMs are of that “certain type.” The press release continues, “At another 400 locations, ABN AMRO has different types of cash dispensers. These will remain open for use.”

Meanwhile, other Dutch banks, preferring not to tempt explosive fate, are emptying and shutting down ATMs between 11pm and 7am. On December 19, Finextra reported that:

… the operator of the Dutch banking sector’s joint ATM network says the overnight shutdown will take effect immediately. The firm will also move any cashpoints that pose an elevated risk to nearby residents and place them in safer locations. The company is working with De Nederlandsche Bank and the police to implement new measures which will render banknotes worthless if stolen by raiders.

Also:

Over 70 people have been arrested so far this year in connection with ATM bomb attacks by special ATM Raids Units set up by the Dutch police force.

“Digital security is an arms race,” I wrote in this blog in August of 2017:

Each time the good guys come up with a new way to foil hackers, the hackers simply busy themselves defeating it. I don’t expect the arms race to end anytime soon, if ever. Not even chip cards will do away with fraud, although chip use in Canada and other countries has reduced it.

What I seem to have overlooked at the time was that, for criminals who prefer not to trouble themselves with technology, there’s always dynamite.

Posted in Uncategorized by Matt.