Gooligan Hooligans

Gooligan was unavailable for a photo, so here’s Gilligan instead.

Those poor hackers. Imagine not getting credit for your work when it goes on to fame, anonymity being recommended for staying out of prison. And no matter how clever a moniker you cook up for your creation, you’d know it’s destined for oblivion, since the privilege of naming it goes to those who detect it. All you can do is hope they come up with something worthy.

I bet a certain group of hackers in China were pleased when it got back to them that California-based cyber-security firm Check Point Technologies had dubbed their baby Gooligan. You have to admit the name has a ring.

An update of a larger scam from two years earlier, Gooligan has so far infected an estimated 1.3 million Android devices. According to Check Point,

Gooligan roots devices and steals email addresses and authentication tokens stored on the device. With this information, an attacker can access a user’s Google account data within Google Play, Google Photos, Gmail, Google Drive, and G Suite.

Owners of Gooligan-infected devices have suffered no direct damages as of this writing. Gooligan, it seems, was after larger prey: Companies that shell out big-time to elevate an app’s rating, pushing it nearer the top of searches, and thus increasing the likelihood of sales. As a recent Consumer Reports article put it, Gooligan tricked …

… marketing companies such as Mobvista, Apsee, Startapp, and the Google-owned AdMob into paying for what looked like successful, legitimate efforts to boost the popularity of certain mobile apps.

The same article reports, “The Chinese hackers behind Gooligan were making as much as $500,000 a month by exploiting their access to the phones.”

Gooligan and smartphone hacking

As I wrote last month, CreditCards.com predicted, “… as the ability to use counterfeit cards in stores dries up, fraudsters are expected to turn to other forms of fraud that prey on different vulnerabilities.” Though that article’s focus is the fraudulent use of credit card accounts for Internet purchases, the Gooligan affair serves as a reminder of another fast-growing danger, namely smartphone hacking.

A recent Fiserv study showed that households banking via smartphone increased 17 percent in 2015. I wouldn’t be surprised if 2016 shows a greater increase. It would be unreasonable to think that hackers moving away from point-of-sale credit card fraud would limit themselves to online purchases. Smartphones are ideal hacking targets: few users understand the need to secure their phones, and fewer bother doing so.

Financial institutions have an opportunity to provide a valuable service in the form of pointers for protecting smartphones and tablets from hackers. Suggestions might include installing vetted anti-virus/anti-malware software; using a password or fingerprint lock; purchasing apps only through trusted sources like Google Play and iTunes; not accessing sites that handle financial or other personal data over unsecured wireless connections; reaching a website’s features and correspondence by going to the site directly rather than through links in emails; and installing operating system updates as soon as they’re released.

No need to worry about scaring clients. They’re already scared. Showing clients how to protect themselves is not so likely to alienate them as to bolster their confidence and win their appreciation for caring enough to share useful information.

Posted in Uncategorized by Matt.

Digital Newspapers:
A few rays of hope

Digital papers for sale

Perhaps you heard: Newspapers have had a tough time making the transition from print to digital. The good news is that for some papers that’s starting to turn around.

When digital publishing first became a thing, most papers made content available online for free. The idea was to supplement printed editions, the industry’s mainstay. What the industry failed to figure out in time was that printed editions wouldn’t remain the mainstay for much longer. By the time it was clear that the future lay in digital publishing, the public had grown accustomed to free digital content, and no newspaper was eager to be the first to start charging. Nor did it help that revenue from online advertising sales paled in comparison to what papers had charged for printed editions. 

The industry underwent drastic cuts as a result. Layoffs were commonplace. Investigative journalism departments were among the first to go, with fact-checking departments close on their heels. Some papers merged, some scaled down, some traded reporting for pandering, and not a few closed their doors. The Huffington Post debuted a new model: It was an online paper that had no print edition, and the bulk of its content was either aggregated or contributed by unpaid writers. At the same time, everyone else who wanted to publish a news blog or aggregation site could easily do so—and pretty much everyone did. None of these developments did much for the quality, much less the reliability, of reporting. 

But legit digital news publishing is starting to turn around, for a number of reasons. Some of the reasons are positive, and some are disconcerting.

I’ll start with the positive reasons. Over time, newspapers have figured out how to charge for digital content. Whether or not you’re a fan, The Washington Post provides a good case study. The Post gambled that there were still people out there who would pay for its style of reporting. To help those people along, the Post began letting readers click to a limited number of articles per month at no charge. On, say, the tenth click-through, readers were asked to register and, in time, fork over for a subscription. And in a tactic lifted directly from the old print days, the Post offered free, limited-time digital subscriptions in hopes readers would like the content and pay to continue receiving it. 

The Post received a considerable boost when Jeff Bezos purchased it in 2013. For one thing, Bezos had a bit of capital to work with. For another, as you probably know, Bezos has connections with Amazon, and he used them to extend tempting Post offers to Amazon Prime members. At the same time, he gave Kindle owners and Kindle app users a free six-month Post subscription. To keep impatient readers from bailing, he cut page-load time by 85 percent. More recently, the Post has begun publishing all of its articles to Facebook’s Instant Articles, which loads articles quickly in Facebook’s mobile apps.

All of which appears to be working. Post subscriptions are on the rise. Meanwhile, other papers are taking note and show promise of rebounding.

There is now a growing opportunity in the form of people uninterested in a full subscription but willing to pay, say, 25 cents for an article here or there.

Until now, per-article sales for digital publications haven’t been financially viable. Applications like Blendle, however, offer hope. Business Insider reports:

There are reasons for optimism—many publishers have bought into an app called Blendle, which aggregates content and makes payment more frictionless. And Blendle has seen modest gains since launch, which indicates that micropayments could gain traction under the correct circumstances. If a giant, like Apple, Google, Facebook, or another platform where customers both have existing news and payment relationships, were to take the challenge on, its value could begin to increase. 

On the more disconcerting side is the thought that digital journalism’s rebound may in part be due to the rise of fake news and irresponsible headlines. Increasing awareness of fake news may be driving a growing number of readers to reliable news. Also on the disconcerting side is today’s polarized politics. While it drives some people to feedback loops, it may make others willing to shell out for sources with established bona fides. 

I hope we see more and more responsible digital newspapers become fully viable. The day may yet come when they completely supplant paper editions. Who knows: Future generations may ask why we call that thing on a smartphone or tablet “the paper,” much as today’s rising generation isn’t quite sure why we call using the keypad on a smartphone “dialing.”

Posted in Uncategorized by Matt.

Pushing back against
harmful headlines

DON’T GET me wrong. I like competition. Honest I do. But that’s not to say that it doesn’t have its occasional downside. In the news media in particular, competition for audience share inevitably makes a priority of pressing hot buttons, often at the expense of putting things in perspective.

Take this recent CBS DFW headline: “Study: ID Fraud Up Since Security Chips Put Into Play.” Or this one from Sputnik News: “Credit Cards Technology Fail: Credit Card Frauds Up in US Since Chips Introduced.” Both use as their source Javelin Strategy & Research’s well-executed 2017 Identity Fraud study, released on the first of this month. According to the report,

2016 will be remembered as a banner year for fraudsters as numerous measures of identity fraud reached new heights. The overall fraud incidence rose 16% to affect 6.15% of U.S. consumers, from 5.30% in 2015 — the highest on record. 

I have no quarrel with Javelin’s findings. Javelin is, after all, a first-rate research consulting firm.* Nor have I any quarrel with connecting the fraud increase with the rollout of chip cards.

My quarrel is with implying, as the above-referenced headlines arguably do, that chip cards cause fraud. The real story is that the exodus of fraudsters from point-of-purchase to online fraud is evidence of the chip card’s success. 

CreditCards.com, which average consumers don’t read, did a better job of putting the problem in perspective:

… as the ability to use counterfeit cards in stores dries up, fraudsters are expected to turn to other forms of fraud that prey on different vulnerabilities. At the top of the list, payment security experts say, is using stolen card numbers to buy stuff from the Internet. 

But then, that’s not the stuff of eyeball-grabbing headlines, is it. 

It doesn’t help that few writers write their own headlines. Competition for readership led to the century-old practice of employing headline writers, whose job places a higher priority on grabbing attention than on conveying content. The result is that even the most responsible research and reporting may end up under a sensationalized, even misleading headline. The Sputnik article provides a good example. While its headline screams “Technology Fail,” that term is not to be found in the article, and the body of the article somewhat straightens the record. The CBS DFW article, not so much. 

Either way, body copy that clarifies is of little help considering that most people don’t bother reading body copy. As anyone who has seen a hasty, regrettable “share” on Facebook can attest, most readers are content to scan headlines and call it a day, unwittingly walking away under false impressions. 

Irresponsibly sensationalized headline writing is more than a pet peeve. It hurts the financial services industry. The good news is that we needn’t sit helpless. Perhaps it’s time to get more aggressive in telling the whole story. While some publications won’t care, let’s do what we can with those that will. 


*For proof of Javelin’s competence, look no further than the fact that they had the acumen to rate my employer, Fiserv, “Best in Class Mobile Banking Provider” and our Mobiliti™ platform as “Top Customizable Solution.” What more evidence do you need?


Posted in Uncategorized by Matt.

Gambling and Bitcoin
(by way of Super Bowl 51)

A NUMBER OF notable companies now accept Bitcoin, albeit usually via an intermediary like Coinbase or BitPay. Yet one Bitcoin use in particular seems to be catching on in a big way. “By most estimates,” PBS Newshour reported in 2014, “more than half of global Bitcoin transactions are wagers on gambling sites.”

To explain the growth of Bitcoin gambling, I need to talk about Super Bowl 51.

SB 51, which only sounds like pending Senate legislation, took place just a few days ago. It received a fair amount of media coverage, so you may have heard about it. You may even have had an opportunity to place an online wager or two, including a host of “prop” or “proposition” bets, which are tied to sporting events short of predicting winners and final scores. USA Today lists 86 of 2017’s most popular Super Bowl online prop bets, ranging from whether Luke Bryan was going to show up on-camera wearing a hat, to whether Malcolm Butler would intercept a pass, to which song Lady Gaga would sing first.*

Which is curious when you consider that online sports gambling in the United States is illegal. This is due to what’s commonly called the Wire Act, which only sounds like a circus routine. The Federal Wire Act of 1961 prohibits financial institutions from knowingly wiring funds for the purpose of sports gambling. In 2011, the U.S. Department of Justice ruled that the Wire Act applied equally to online sports gambling. Financial institutions could no longer allow clients to whip out a credit card to bet on their favorite team.

There is no federal law forbidding other kinds of online gambling. Individual states, however, can ban all the online gambling they like, and most do. Either way, online sports gambling remains verboten nationwide.

But never underestimate the ingenuity of Humans Seeking Loopholes (HSLs).** HSLs argue that, technically speaking, laying down money on how many times an announcer would say “Gronk” or “Gronkowski”*** isn’t betting on the game. So far, that one seems to fly with regulators. And since it’s illegal for U.S. companies to take online sports bets, enterprising HSLs set up virtual casinos outside the U.S. that you can access via the Internet (but would be wise not to). I’m not going to link to them, even though a recent Crypto Hustle article by Nick Jakubowski suggests that the law “… doesn’t specifically … target individual gamblers.”

As for that nasty detail in the Wire Act that forbids your bank from moving funds for sports gambling, that’s where Bitcoin comes in. Bitcoin leaves banks out of it. As NPR’s Cyrus Farivar quoted a senior research fellow at the Mercatus Center at George Mason University, “Bitcoin … totally circumvents [regulations]. There is no Bitcoin company, there’s no Bitcoin building that regulators can get their hands on. It’s basically cash.” Farivar’s article goes on to say:

… no one knows if Bitcoin is money, a financial instrument or something else.

“We don’t have a bank account at Seals with Clubs,” says Bryan Micon, the spokesperson for … a Bitcoin-based poker site. “There’s no bank account. There’s no bank of any sort that we do. We only do this one weird brand-new Internet protocol transaction that some of the nerds out there are calling money.”

Micon says it might be tough for the Feds to regulate what is just a piece of computer code and not real money.

When it comes to gambling, enthusiasts praise Bitcoin’s alleged transparency and efficiency. According to the above-referenced Crypto Hustle article,

Legitimate Bitcoin casino operators and players have worked out arrangements between themselves for fair gaming. There are standards for provably fair games. The blockchain reinforces transaction fairness while allowing immediate deposits and, importantly, withdrawals. And, above all, the whole process is anonymous.

HSLs further argue that Bitcoin isn’t “funds” and that no one “wires” them. Some even question whether online gambling using Bitcoin can truly be considered online gambling. Which is kind of an interesting argument, considering that it’s called “online gambling using Bitcoin.”

So perhaps it’s no wonder that, amid the weaseling and wordplay, Kyle Torpey hyperbolized a few weeks ago in his CoinJournal article, “Bitcoin is eating the entire online gambling industry.” It’s difficult to know if he’s right or turning up the volume on his wishful thinking.

Maybe it’s just me, but none of this sounds on the up-and-up. Especially that part about “the whole process is anonymous.” If it’s legit, anonymity shouldn’t be a priority. As for trying to outwit the authorities on technicalities, well, that rarely goes well. Better not to proceed. Not even with caution.


* No, yes, “God Bless America.”
** Do not take anything you read here for legal advice. If you’re bent on trying online gambling, first check with an attorney, which (and I cannot emphasize this enough) I am not.
*** Fewer than three.

Posted in Uncategorized by Matt.

The password and
the pendulum

Tip: Don’t use your birthday.

Tip: Don’t use 123456.

In Umberto Eco’s 1988 novel Foucault’s Pendulum, the protagonist tries to access a friend’s computer only to come up against the prompt, “Do you know the password?” After umpteen unsuccessful attempts, the exasperated protagonist types, “No.” Which unlocks the computer.

You might think, Get real, Umberto, what kind of nitwit uses an easily-guessed password like “No”?

The surprising answer is: Nitwits from all walks of life. Last week, The Telegraph published “The World’s Most Common Passwords.” The article lists 25. Here’s a sneak peek at the top ten:

  1. 123456
  2. 123456789
  3. qwerty
  4. 12345678
  5. 111111
  6. 1234567890
  7. 1234567
  8. password
  9. 123123
  10. 987654321

Lest you think that the 25th most commonly used password must surely be way tougher to guess, well, I hate to disappoint. It’s 1q2w3e. You need only plot that one on your keyboard to see why it’s not much better than 987654321. The list goes a long way toward answering the question, How did they access my data?

I have suggested that, beyond their own security measures, financial institutions would do well to educate clients on security measures they can implement themselves. Though the primary reason for educating clients is for their own benefit—they will be safer—the benefits for financial institutions are not to be overlooked. One benefit is that sharing useful information creates good will. Another, according to a recent Fiserv consumer trends survey, is that teaching clients good security measures emboldens them to adopt more digital banking services.

There are reasons people use easily-guessed passwords. Chief among them is that what makes a password hard to guess also makes it hard to remember. The most secure passwords comprise a long string of random letters, digits, capitals, and symbols, with no real-world words or proper nouns. Since there is only so much RAM between the ears, how on earth can we expect clients to remember passwords like that, much less a different one for every account?

A good starting point might be to show clients how to create a unique, hard-to-guess password that they themselves can recall. It needn’t be difficult. If, for instance, you happen to be a Denver Broncos fan—and you should be—you might come up with a password like dbR!23DB@219. Doubtless you have already figured out how I came up with that one, but just in case, I’ll explain it. dbR means denver bRoncos; the ! is there because the Broncos are awesome; 23 is player Devontae Booker; his initials are DB; and @219 means Devontae weighs in at 219 pounds. There you have a password that was easy for me to conjure up, is easy for me to recall, but would be extremely difficult for evildoers to guess.
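The patterns in the Telegraph list above (straight digit runs, keyboard walks like qwerty and 1q2w3e, repeats like 123123) are exactly what an enrollment-time password screen can catch before a client ever uses them. The following is an added example, not code from the original post or from any vendor: it rejects entries from the quoted list (including common disguises such as a trailing digit), keyboard walks on an approximate US QWERTY layout, and repeated chunks, while letting a mnemonic like dbR!23DB@219 through. The blocklist here is only the handful of entries quoted on the page; a real deployment would load a large breached-password corpus.

```python
"""Password screening checks (added example; not from the original post)."""
import re

# The top ten quoted in the post plus the 25th entry, 1q2w3e.
# A real deployment would load a much larger breached-password corpus.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "1234567", "password", "123123", "987654321", "1q2w3e",
}

# Approximate US QWERTY layout: (row, column) per key, shifted and unshifted.
_ROWS = [("1234567890-=", "!@#$%^&*()_+"),
         ("qwertyuiop[]\\", "QWERTYUIOP{}|"),
         ("asdfghjkl;'", "ASDFGHJKL:\""),
         ("zxcvbnm,./", "ZXCVBNM<>?")]
KEY_POS = {ch: (r, c)
           for r, (plain, shifted) in enumerate(_ROWS)
           for keys in (plain, shifted)
           for c, ch in enumerate(keys)}

MIN_LENGTH = 12  # policy choice for this example


def is_keyboard_walk(pw: str) -> bool:
    """True when every consecutive pair of keys is the same key or a
    neighbour on the keyboard: 123456, qwerty, 987654321, 111111, 1q2w3e."""
    positions = [KEY_POS.get(ch) for ch in pw]
    if len(positions) < 2 or None in positions:
        return False
    return all(abs(a[0] - b[0]) <= 1 and abs(a[1] - b[1]) <= 1
               for a, b in zip(positions, positions[1:]))


def is_repeated_pattern(pw: str) -> bool:
    """True when the password is one short chunk repeated, e.g. 123123."""
    n = len(pw)
    return any(n % k == 0 and pw[:k] * (n // k) == pw
               for k in range(1, n // 2 + 1))


def screen_password(pw: str) -> str:
    """Return 'ok' or the reason the password should be rejected."""
    # Strip the usual disguises (case, trailing digits/symbols) so that
    # Password1! is still recognised as 'password'.
    lowered = pw.lower()
    core = re.sub(r"[\d\W_]+$", "", lowered) or lowered
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        return "common"
    if len(pw) < MIN_LENGTH:
        return "too_short"
    if is_keyboard_walk(pw):
        return "keyboard_walk"
    if is_repeated_pattern(pw):
        return "repeated"
    return "ok"


if __name__ == "__main__":
    for candidate in ["123456", "1q2w3e", "Password1!", "qwertyuiop[]",
                      "123123123123", "dbR!23DB@219"]:
        print(f"{candidate:16} -> {screen_password(candidate)}")
```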

A mnemonic device like dbR!23DB@219 is all well and good as long as clients don’t have to remember lots of mnemonic devices and keep track of which unlocks what. Trouble is, your clients most likely have a lot of password-requiring accounts. A Microsoft study found the average person was using some 25 of them, and that was in 2007. It’s not unreasonable to speculate that, with the growth and popularity of online apps, the number is much larger today.

Many people solve the need for multiple passwords in a not-terribly-smart manner: They use one password for everything. I need hardly point out why that’s unwise, but I will anyway: The moment someone divines your Facebook or Netflix password, that same person now has access to all of your financial accounts. Not good.

Which is why you might consider recommending clients use a good password manager. It may seem counterintuitive: How can it be safe to store all of your passwords in one place? But a decent password manager does what people should but generally do not or cannot do, such as assigning one complex password per account, evaluating password security, generating and tracking random passwords, providing two-factor authentication, and allowing authorized access across platforms and devices. Proper use of a password manager—and guarding access to it with the most un-guessable password you can come up with—is a lot more secure than easily-guessed passwords used for several accounts.

As for me, I guess I can’t use dbR!23DB@219 anymore.

Posted in Uncategorized by Matt.