The dark web has its dark side.
How the U.S. government helps cover the overhead of people trying to hack your bank
When you email or visit a website, your computer leaves behind a calling card in the form of its IP address. Short for “Internet Protocol,” the IP address helps devices locate and recognize each other, thus speeding communication.
People, too, can identify senders and visitors by an IP address. This can be rather inconvenient if you happen to be a cyber spy, assuming you don’t want the people you’re spying on to know that you’re spying on them, much less who you are or where your kids go to school.
So, the United States Navy set to work on a browser that would make it impossible to trace IP addresses. The result was the TOR browser, “TOR” being an acronym for The Onion Router.
I’d hoped its name derived from the news-satire site, but a little research revealed that the “Onion” part refers to multiple layers the browser employs to mask user identities.
The Navy released TOR for general use in 2002. It soon became apparent that TOR, like any technology, can be used for good and not-so-good purposes.
On the good side, you can use TOR to reduce your chances of being hacked, frustrate any designs Big Brother may have on monitoring your online activity, or, if you’re writing a crime novel, research topics like, say, how to defeat a burglar alarm or get away with murder without fear of landing on a watch list.
On the not-so-good side, TOR enables and allows to flourish a secret online world known as the dark web, which happens to be a fairly safe environment for conducting illegal activities. It should come as no surprise that myriad criminals use it for exactly that purpose. Stolen identities with account numbers, healthcare information, firearms, drugs, fraud, and prostitution—and worse—are all freely traded on the dark web.
We’re not talking small potatoes here. There are flagrantly illegal dark web operations that have grown so large that they offer guarantees, publish user reviews, and maintain 24-hour help lines.
More reason to educate clients on the basics of online safety
For the financial services industry, stolen identities with account numbers is the tip of the dark iceberg. Writing for Verafin a little over a year ago, financial crimes research specialist Denise Hutchings reported that a wealth of personal information belonging to U.S. Bank clients—including “usernames, passwords, physical addresses, email addresses, phone numbers and bank account numbers”—had been made readily available to dark web shoppers.
Since digital payments are traceable to bank accounts, you might think that making a purchase over the dark web would immediately reveal your identity. Perhaps it would, were it not for cybercurrency, which, like the dark web, is largely untraceable. The recent advent of Bitcoin provided the final component that criminals needed to make the dark web safe and profitable for illicit purposes.
Given the extent of the dark web’s dark side, you might wonder why the Navy opened up TOR for general use in the first place. And, since the dark web does not fund itself with the likes of pay-per-click, ad revenues, and retargeting, you might wonder why, as reported in The Guardian, TOR receives about 60% of its funding from the U.S. State Department and Department of Defense.
To answer both questions, consider TOR’s original objective: To let cyber spies spy without fear of detection. If TOR were available only to U.S. government employees, it would be pretty obvious that anyone not leaving an IP address worked for the U.S. government. Cyber spies can pass for anyone only if you let anyone use TOR.
And anyone does. As of this writing, TOR has nearly 3 million users. I want to emphasize that not all TOR users are bad guys. It has its legitimate uses. Its illicit uses, however, leave the U.S. government in an interesting predicament. It needs TOR to remain anonymous in order to keep undercover agents under cover; but the government doesn’t like enabling criminals, much less picking up most of their tab. So, the government asked TOR’s developers to create a secret way in, a request that was wisely refused. TOR works precisely because there is no secret way in; were one developed, it would sooner or later find its way to the wrong people.
Inevitably, businesses whose raison d’être is to crack the dark web are now flourishing.
Legit uses aside, it behooves financial institutions to beware the illegitimate ones. Warning clients about potential harm can make for good policy provided it doesn’t err on the side of sowing paranoia. It might also be a good idea to check for the TOR browser on company devices. It’s one thing to use TOR at home. Unless there’s a job-related need for anonymous activity, an employee who downloads TOR onto company property may be up to no good.
Oct 17
3
Digital is hot but don’t
close your branches yet
close your branches yet
Read my new article in
The Financial Brand
Consumers approach their personal banking in many ways, using different channels for different types of transactions. The use of both basic and advanced digital banking channels is increasing, as customers become familiar with new technologies and capabilities.
Though branches still offer some value for consumers, comfort with using automation and non-traditional financial firms for banking transactions continues to gain traction. This change in consumer behavior requires attention from the banking community, especially those firms that hope that the movement to digital solutions will either slow or stop altogether. This isn’t going to happen.
In a survey fielded by Fiserv, it was found that most consumers are split on their preferred mode of interaction with their primary financial institution. While over half of consumers (click here to continue on The Financial Brand website)
Sep 17
27
Staying true to the brand
versus being stubborn
versus being stubborn
ANECDOTES ABOUND of companies that prosper by sticking to brand promises.* That’s great when brand promises are relevant. Sticking to promises no one gives a hoot about isn’t so much a show of brand integrity as a show of stubbornness.
For a look at how clinging to “because that’s our brand” isn’t always a good thing, I invite you to travel back in time to 1983 Milan, Italy, when a fellow by the name of Howard Schultz happened into a coffee house and emerged with a cup of espresso and an epiphany.
Never had Schultz had a coffee experience like that one. The intimate surroundings, the aroma, the barista’s expertise and showmanship, the dark, rich flavor of the espresso—all of these things fueled his imagination. He returned to the U.S. with a new vision for the company he’d recently bought into. No longer would Schultz be content with a company that only roasted and sold coffee beans. He was going to open coffee houses everywhere so his customers could bask in the same experience that overwhelmed him in Milan.
His partners were unmoved, so they parted ways. They would launch and make a success of Peet’s Coffee, with which you’re undoubtedly familiar. Remaining behind, Schultz set about raising capital in order to morph a one-location coffee roasting company, Starbucks, also with which you’re undoubtedly familiar, into a chain of Italian-style coffee houses.
From the get-go, Schultz showed an intrinsic understanding of brand substance. He was passionate about recreating in the U.S. the experience that had captured him in Milan. We do it the way the do it in Italy proved a great guiding principle for delivering a consistent, quality product in a consistent, pleasing setting.
But sometimes the flipside—If they don’t do it in Italy, neither will we—proved something of a millstone.
One instance of the flipside came in the form of refusing to accommodate a growing demand for nonfat lattes. For one thing, Schulz didn’t like how nonfat lattes tasted. For another and more important, no self-respecting Italian barista would serve a nonfat latte, so therefore neither would Starbucks. The issue mushroomed into one of the company’s most heated internal debates. What eventually brought Schultz to his senses was seeing, first-hand, a customer abandon Starbucks for a competitor rather than drink what Schultz thought she should drink. Americans, it seems, don’t always care how it’s done in Italy. And they for sure don’t care whether Schultz agrees with their taste.
Another instance of brand-as-millstone came courtesy of Schultz’s nose. Besides lattes, there was growing demand for sandwiches in coffee houses. Schultz would have none of it. When nostrils walked into Starbucks, he wanted them filled with the rich aroma of fresh-roasted coffee, not cold cuts. Besides—you guessed it—you wouldn’t smell cold cuts in an Italian coffee house, so therefore you won’t smell them at Starbucks, either. Once again, consumers followed their tastes instead of Schultz’s. Perhaps you’ve noticed: Now you can order sandwiches at Starbucks.
There’s a lesson in both anecdotes. Before rejecting a new idea or clinging to an old one, it’s wise to find out what the market cares about. “Because it’s our brand” makes for good guiding principles but lousy ironclad rules.
Sticking to brand values because they’re brand values can be mindlessly circular, tantamount to saying “We do things this way because this is the way we do things.” That’s not brand commitment. It’s stubbornness.
*As I have harped in this blog before, a brand is the experience you deliver. Things like a logo, look, and slogan are not the brand, but brand trappings. Their job is not to be the experience, but to symbolize it.
Sep 17
22
Silver lining behind
the Equifax hack
the Equifax hack
Oops.
PERHAPS YOU HEARD: Equifax was hacked on September 7.
There are some who would reassure us by pointing out that 143 million accounts is less than half the number of MySpace accounts and less than one-third the number of Yahoo accounts that were hacked.
I have two reactions.
My first reaction is that would-be reassurers could do with a lesson in false equivalency. Greater numbers don’t necessarily make lesser ones okay; there were more hacked accounts than there are American households, so you should assume your data is compromised; and names, addresses, SSNs, credit card numbers, and driver’s license numbers are a good deal more than what bad guys typically obtain from social media accounts.
My second reaction is, MySpace is still around?
For financial institutions, the breach can be a bad thing with a silver lining. I can sum up the bad-thing part with three words: “Shaken consumer confidence.” The silver-lining part comes in the form of a marketing opportunity. Clients like being leveled with. They like information. And they like being empowered to keep themselves safe. Supplying useful information will do all of the above. Better still if your competitors remain silent, which I bet most will, for you will brand yourselves as the confident, trustworthy ones, the people with nothing to hide.
In short, the foolish thing to do in the wake of the Equifax breach is to be silent and hope clients didn’t hear about it. Trust me, they heard. The smart thing to do is to provide prompt, thorough information about what the breach entailed, how it happened, how clients can check for free to see if they have been compromised, and, most important, what they can do right now to protect themselves. (This piece from USA Today can provide you a good starting point.) If you have generous policies that protect clients, this is a great time to reiterate them. You should do so even if competitors offer similar protections, since your clients may not know they do.
This is not the time to send out impenetrable copy. I apologize if that came across as tactless. Here, let me try it again, this time with more tact:
FOR HEAVEN’S SAKE, DON’T LET ATTORNEYS OR COMPLIANCE WRITE THE DARNED THING.
Of course you have little choice but to let them review it—you would be unwise not to—but don’t let them rewrite or edit. Ask them to explain their concerns until you understand them well enough to repeat them back in plain, real-person English. You know you’re good to go when they roll their eyes and say, “Yes, that’s correct, but it doesn’t sound very professional.” Then put your best copywriter on it. Time’s a-wasting.
Sep 17
14
Upgrades at point-of-sale:
Financial aid for merchants
Financial aid for merchants
IF YOU were going to pick an exciting time to work in the payments business, today would make for a good choice. At times it feels as if each day brings a software or hardware innovation, each bringing in turn faster speeds, surer security, easier access, and greater convenience.
For merchants in particular, payment technology advances can mean more business, more customers, and, therefore, more growth and revenues. What’s not to like?
Actually, there’s plenty not to like, at least in the form of the cash outlay. Keeping up with innovation means acquiring and installing new equipment, software, or both at the point of sale, and being prepared to update or replace it yet again the moment obsolescence sets in. And these days obsolescence doesn’t take as long as it used to.
Perhaps that’s why Visa is offering selected businesses $10,000 apiece for updating their digital technology.
I feel for merchants. The original method of collecting payments—calculating and recording sales by hand—required no capital outlay beyond paper, pen, and cigar box. It was time-consuming and error-laden, but it was affordable. The mechanical cash register was a vast improvement. One of those newfangled devices circa 1878 would have set you back $75, about $1800 in today’s dollars, but the machines proved their worth in speeding transactions, improving accuracy, keeping funds secure, and record-keeping. They became all but standard by 1915.
But it wasn’t long before improved mechanical registers rendered older models obsolete, and electronic models rendered those obsolete. Then embossed credit cards gained widespread use, forcing merchants to invest in manual credit card imprinters. IBM introduced cards with magnetic stripes to the market in 1969. (At the suggestion of his wife, Dorothea, IBM engineer Forrest Parry affixed the first mag stripe by use of a clothes iron.) That, in time, necessitated that merchants invest in mag stripe readers. Soon after that came readers that could communicate with a host, followed by chips and chip readers, and, today, contactless payment options via smartphone. And, not to be overlooked, merchants with more than one checkstand must multiply upgrade costs accordingly.
In an environment where new equipment is all but obsolescent even as it’s being installed, it’s understandable that merchants might be reluctant to upgrade too quickly or too often.
But help is on the way.
Last month USA Today reported:
Visa is looking to push more small businesses into updating their digital payment technology, offering up to $10,000 each to 50 U.S.-based small business owners that are committed to going cashless …
… because …
… Going completely cashless often requires upgrades to current point-of-sale systems, which remains an impediment for many small businesses, which is largely where cash remains king.
Fifty out of nearly 30 million U.S. small businesses—about 0.0001666 percent—hardly overwhelms. But Visa plans to expand the program. Perhaps they’re experimenting with incentives and cost-benefit ratios. After all, the article continues,
Visa isn’t doing this for charity. The world’s largest processor of credit and debit cards takes a small fee from every payment that runs on its network. The more payments done through them, the more revenue Visa gets.
We can only hope that this is a toe in the water. Depending on the temperature of the water, perhaps next they’ll proceed to a foot, a leg, and, finally, the whole body. If more players in the payments industry follow suit, we’ll see POS technology leap forward at record speed.
(dark) web we weave