For fans of digital data security, last week might not have been the best week to recruit new members to the fan club. In fact, it was a really bad time, as hackers cracked the NY Fed, researchers cracked fingerprint scanning, Amex admitted to a breach and the world found out that encryption may remain elusive to Android phones.
Which, of course, is also why we’re balancing that with some good news. We’d rather not totally ruin your Monday.
Great Adventures In Digital Insecurity
Writing a list of what didn’t go wrong with data security last week might actually be shorter — though not nearly as colorful. But here goes anyway.
Fun At The Fed
The biggest news, as far as security fails go, last week came out of the Federal Reserve Bank of New York — allegedly, the home of $101 million stolen from the Bangladeshi central bank.
Reports suggest that $81 million was taken from the New York Fed and stashed into a personal bank account in the Philippines. The remaining $20 million was routed to a Sri Lankan bank.
Additional reports indicate that Bangladesh banking officials and a representative of the Ministry of Finance are naming cybercriminals who have reportedly been involved with 35 transfer requests through the interbank SWIFT messaging system in February.
SWIFT uses a multi-layered authentication process for financial institutions, which send and receive millions of messages between one another each day.
Officials say that whoever was behind the fraudulent transfers had the SWIFT codes necessary to put in the request for payment during a weekend. Bangladesh’s finance minister has questioned the Fed’s ability to detect an incident as irregular as this when it occurs over a weekend.
The Fed has announced it is working with Bangladesh to investigate the matter but notes that its security systems have not been compromised; the hackers behind the fraudulent transfer used valid codes and passed through an authentication system. No one from the New York Fed has publicly commented on the matter, nor would anyone comment on whether an event like this had occurred before.
And the fun just kept coming.
American Express’ Security Problem
The good news: Amex didn’t actually get breached last week. Nope, it got breached in 2013 and just got around to telling its members about it last week.
Amex disclosed a data breach that occurred in Dec. 2013 and encouraged members to monitor their accounts for fraud. The size and breadth of the breach remain undisclosed at this time.
According to reports, account numbers, names and card expiration dates may be among the data compromised.
Amex published a letter this month on the California attorney general’s site confirming that it is “aware that a third-party service provider engaged by numerous merchants experienced unauthorized access to its system.”
The third-party provider remains unnamed at this time.
“It is important to note that American Express-owned or -controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure,” Stefanie Ash, chief privacy officer at American Express, wrote in the letter.
Cardholders are advised to monitor their accounts for the next 18–24 months. On the upside, given the number of hacks over the last several years, it is likely most consumers were already monitoring all their accounts anyway.
But we’re not quite done yet.
Android Phone Resists Encryption
While encryption may be somewhat controversial these days, thanks to Apple and the FBI’s war over it, there are few who doubt that it is a fine security tool. The debate is whether or not the government should be given open access to a backdoor around it.
However, while this debate is raging about iOS, it might just be moot for an awful lot of Android phones. While iPhones come, more or less, encrypted out of the box, Android phones, on the whole, tend to break the other way.
Google/Alphabet would like that to be different — it encrypts the Nexus devices it sells — but Android’s OS is on a lot of phones. Many of those handset manufacturers, particularly of the less expensive Android models, aren’t enthused about encryption, which they claim can diminish function. Google hasn’t forced the issue in the past for fear of alienating device makers who have helped get Android popularized all around the world.
“There is a push and pull with what Google wants to mandate and what the [manufacturers] are going to do,” said Andrew Blaich, lead security analyst at Bluebox Security Inc., which helps secure mobile apps. In some ways, Google is “at the mercy of the larger [manufacturers], like Samsung and LG, that are driving the ecosystem.”
Google has, of late, started ramping up the pressure on those larger device makers. The latest instantiation of the OS, Marshmallow, requires makers to encrypt phones with high-powered processors, meaning all high-end Android phones will come encrypted going forward.
But, as of yet, only 2.3 percent of Android devices run Marshmallow, while almost 80 percent of iPhones run the most current iOS (9), despite the fact that the OS upgrades were released within a month of each other. That means that, as of now, 10 percent of Android phones are encrypted; 90 percent are not.
Ready for a smile?
Pay By Selfie
Well, maybe with Amazon, you might soon be able to pay with one.
Amazon already notched a big payments win with 1-Click back in 1995, and now, it seems it’s going for the gold again. With selfies.
A new patent application indicates that Amazon may have some plans to upgrade one-click buying. The new version could allow consumers to authenticate their purchase with a picture or video of themselves to make a payment instead of entering a password. This goes with a similar patent filing that allows Amazon to authenticate user accounts.
“The entry of these passwords … can require the user to turn away from friends or coworkers when entering a password, which can be awkward or embarrassing in many situations,” the patent reads.
The patent also specifies that users can conduct the transaction through a phone or computer and “can prompt the user to perform certain actions, motions or gestures, such as to smile, blink or tilt his or her head.” That security feature eliminates the risk that a hacker could authenticate a purchase using a picture of the user.
Amazon hasn’t officially commented on this patent.
Score one for security last week.
Visa Upgrades Checkout
And, in payments news, Visa is introducing a new upgrade to Checkout that is aimed at making the digital “swipe” a bit more familiar.
Literally referred to as a digital “swipe” button, the feature allows shoppers to see a virtual image of their debit, credit or prepaid card on the screen when selecting the digital checkout option.
“Visa Checkout’s new interactive button is yet another way we are designing the future of online checkout and delivering on our promise to bring the simplicity of the swipe to any device,” said Sam Shrauger, SVP of Visa’s digital solutions. “This new experience brings digital payments one step closer to the ease, trust and familiarity that consumers have long valued from Visa in the physical world.”
Visa says that 11 million consumers have signed on to use Checkout — a system that lets consumers pay online, using any device and any card, without being taken off a merchant’s app or site.
Visa reports that pilot tests demonstrate that customers who use the new button are twice as likely to convert a purchase. That is beyond the 86 percent conversion rate Visa claims that the Visa Checkout experience already provides for its merchants.
“This design-led innovation is proven to increase conversion, helping merchants reach new customers — especially millennials, who are increasingly using their mobile devices to make purchases,” Shrauger said.
So, what did we learn last week?
Digital security has a long, long way to go, as hackers are getting better at navigating the systems meant to lock them out. But, on the upside, perhaps someday, security will be a selfie away, until hackers also learn to become masters of disguise. Meanwhile, Visa continues its push to make online payments easier and issuers more visible.