Monthly Archives: April 2016

Firms cash to fraudsters

“Hi, are you busy? I need you to process a wire transfer for me urgently. Let me know when you are free so I can send the beneficiary’s details. Thanks.”

Many of us would jump to it, eager to please.

But this message has all the hallmarks of CEO fraud, one of the most common forms of business email fraud targeting thousands of companies around the world every day.

Last year, Barbie manufacturer Mattel sent more than $3m (£2.3m) to a fraudulent account in China, after a finance executive was fooled by a message supposedly sent by new chief executive Christopher Sinclair.

Mattel eventually got its money back from China – where the company has significant business interests – but most companies have to take the hit after falling victim.

Earlier this year, for example, Austrian aerospace parts maker FACC fired its president and chief financial officer after losing a thumping €42m (£36m) in a business email fraud.

Some smaller companies targeted have gone bust as a result.

“Criminals have realised that hitting businesses rather than individuals can mean much bigger wins,” says Orla Cox, director of security response at cyber security specialist Symantec.

The US Federal Bureau of Investigation (FBI) says CEO fraud has shot up by 270% since January 2015 and has cost businesses around the world at least $3bn (£2.3bn) over the past three years.

Out of control

Simply tricking companies into sending invoice payments to the wrong people costs UK companies about £9bn a year, according to research from invoicing company Tungsten Network.

And procurement fraud – charging for stuff that was never delivered; taking a bribe for awarding a contract to a particular supplier; or encouraging suppliers to charge over the odds then creaming off the difference – accounts for 88% of total UK fraud losses.

“Procurement fraud is becoming a big problem, with at least 20% of corporate spend categorised as ‘unmanaged’,” says Philip Letts, chief executive of enterprise services platform, Blur Group.

‘Unmanaged’ means there is insufficient monitoring of the tendering process and whether the terms of the contract have been fulfilled, for example. Quite often smaller jobs are given to suppliers without any written contract at all and paid for cash-in-hand.

“This puts businesses at high risk of procurement fraud,” says Mr Letts.

Lots of such payments add up to a big amount of cash potentially lost down the back of the corporate sofa.

Blur’s platform helps companies find vetted service providers and manage the entire contract from pitch to payment, theoretically making invoice fraud easier to spot and harder to perpetrate.


Most business email fraud is relatively lo-tech, relying on psychological manipulation and people’s willingness to get the job done.

But Jim Wadsworth, managing director at Accura, the data analysis arm of payments giant VocaLink, believes his company’s hi-tech solution could prove the best way to combat it.

Called Accura Invoice Payment Profiling, it is an anti-fraud analytics system that uses VocaLink’s massive store of payments data to identify and flag fraudulent payments before the money is even transferred.

“We are working with one of the country’s largest banks to prevent these frauds by scanning transactions and contacting the bank directly when we see something suspicious,” Mr Wadsworth says.

Home be a weapon of web destruction

Do you use a webcam to check on Tiddles the cat or Bonzo the dog while you’re at work?

If so, you could be unwittingly turning your internet-connected “smart” home into a weapon of web destruction.

That’s the unsettling conclusion to be drawn from the recent web attacks that made use of a botnet army of compromised connected devices, from webcams to printers, to knock out a number of popular websites.

The smart home, it seems, is pretty dumb when it comes to security.

Wi-fi routers, digital video recorders, controllable lighting, security cameras – all these devices offer a potentially easy way in to your network and then the wider internet.

As the Internet Society warned last year: “The interconnected nature of IoT [internet of things] devices means that every poorly secured device that is connected online potentially affects the security and resilience of the internet globally.”

Yes, checking on Frou-Frou, your Miniature Schnauzer, via a poorly secured webcam could help break the internet. Forget Kim Kardashian.

In the good old days, hackers could launch a distributed denial-of-service (DDoS) attack – overloading computer servers with millions of pointless requests for information, thereby knocking them out – using personal computers infected with malware.

Nowadays, they also have the IoT to play with – the increasingly diverse array of web-connected devices, from industrial sensors to clever fridges, thermostats to baby monitors.

Research consultancy Gartner forecasts that there will be nearly 21 billion connected things in use worldwide by 2020, up from about seven billion now.

So the hackers are moving away from better-policed corporations and governments to easier targets – and they don’t come easier than the IoT-connected smart home.

So what should we be doing to protect ourselves?

Building defences

One quick and easy thing we can all do is change default passwords as soon as we buy an IoT gadget.

“The first rule of security is ‘do not use default accounts or passwords’. They are posted on the internet, so the bad guys don’t have to scan for credentials of assets to compromise,” says Gary Hayslip, IoT specialist and chief information security officer for the City of San Diego.

Simple tools such as BullGuard’s IoT Scanner software can also help spot weaknesses.

The scanner uses the vulnerability service Shodan, the Google for finding unprotected computers and webcams, to detect any devices on a smart home network that are publicly exposed.

If the scan identifies any exposed devices specified by the vendor, then you should immediately change log-ins and passwords. BullGuard has also published an IoT manual that gives a checklist on what to check and how.

Interestingly, the company recently acquired Israeli start-up Dojo-labs and will soon announce a smart network security device that plugs in to a wi-fi router to protect all connected devices on a home network.

All internet traffic on the home network is routed via Dojo, allowing it to secure the network against cyber-attacks and protect the user from privacy breaches.

When malicious activity or a privacy breach is detected, Dojo automatically blocks it and notifies the owner through a mobile app, the company says.

“The recent internet outage caused by the Mirai botnet enhances the fact that IoT security needs to be taken more seriously,” says BullGuard chief executive Paul Lipman.

“The Mirai botnet consists of easily hackable low-end security cameras with no changeable passwords. A home security device such as Dojo has the ability to instantly detect and block an attack such as Mirai.”

And Martin Talks, founder of digital consultancy Matomico, offers this advice for smart home owners.

“Only point connected cameras where they are really needed. It was Edward Snowden who alerted us to the fact that cameras can be taken over and our presence in our houses monitored. If you don’t need a camera active, tape over it.

“Think about what devices you really need to connect to the internet,” he adds. “And if you decide you do need to connect a device, use the connectivity only when you need it… turn it off at night.”

Other ways to increase IoT security include keeping product software and firmware up-to-date and buying from trusted brands and trusted platforms.

Do away with smartphone apps

Is the smartphone app doomed?

To look at the stats you wouldn’t think so: Apple has two million of them in its App Store and Google Play has a few hundred thousand more than that. Total app downloads have passed the 150 billion mark.

But some are wondering whether apps are about to be replaced by something smaller, smarter and faster.


These programs, thanks to AI [artificial intelligence] software in the cloud, can chat to humans via text, extract the meaning and then act on it.

They are little digital helpers.

Any time you see a live chat box open up on a retailer’s website, or order a taxi or flowers through chat platforms such as WeChat and Facebook Messenger, you’re most likely talking to a bot.

App fatigue?

Despite the vast choice of apps open to us, the average number we use is 27, according to research by Nielsen. This hasn’t changed for years.

And the problem with apps – and their seemingly endless updates – is that they eat up our smartphone storage capacity alarmingly quickly.

Developers often get a raw deal as well. One estimate suggests that 94% of the cash generated by apps in Apple’s App Store goes to just 1% of publishers, and those firms also get 70% of all downloads.

“One of the worst things about the App Store is the App Store itself, because it’s such a walled garden,” says Ted Nash of Tapdaq, who was a veteran app developer while still a teenager.

Apple’s oversight of all apps slows down development and forces programmers to include specific chunks of code that look after adverts, usage statistics and other metrics, he says.

Add to this the trouble of making apps work across lots of different devices and keeping up with changes to Apple software, and it’s no wonder some people are disillusioned, he says.

So is app fatigue setting in?

The joy of text

“Apps used to be the big thing,” says Kriti Sharma, head of mobile development at accounting software firm Sage. “But many more people are messaging than are posting on social media these days.”

This is why she thinks bots are the natural successors to apps – the interface is instantly familiar to customers.

Ms Sharma started her coding career at Barclays, where she co-created its Pingit banking app and oversaw its mobile portfolio.


For companies or brands that want meaningful interaction with customers, a conversation mediated by a bot could work well, she believes.

Sage is developing a bot called Pegg that acts as a smart business assistant. It will help small business owners keep track of outgoings and expenses, making tracking cashflow easier.

“Bots don’t have to be super-complicated,” says Ms Sharma. “But over time they must add a lot more value for a customer.”


Bots are more credible because good progress has been made in writing artificially intelligent software, she says. And also because many companies now have huge amounts of data they can use to fine-tune bot responses.

Another advantage bots have over apps is the speed with which they can be developed, deployed and updated, she argues.

‘Bots are the new black’

This growing interest is being inflated by work at Facebook, Microsoft and Google, as well as by newer firms such as Slack and HipChat. And start-ups such as Begin, Growbot, Butter, Wisdom and Operator are also helping to take bots mainstream.

One catalyst for the interest was Facebook’s announcement earlier this year of a bot framework that streamlines the bot-creation process.

One report suggests that this massive amount of interest has unleashed a $4bn (£3bn) flood of venture capital funding into big and small bot developers.

“Bots are the new black,” says Jon Moore, chief product officer at rail ticket booking service, The Trainline.

Although most people now use The Trainline via a smartphone and many regular users have installed its app, the company is keen to investigate what bots can do, Mr Moore says.

For booking train tickets, a website or an app is profoundly better than using a bot, he maintains, but there are times when an app falls short and a conversation handled by a bot may be better.

“We’re just at the point of saying it’s another interesting piece of technology,” he tells the BBC. “We expect that they are going to be useful to us, though it won’t work for every context and circumstance.”

‘Immensely complicated’

Tapdaq’s Ted Nash warns that though bots might look straightforward, they’re not necessarily an easier option.

“A bot is a much more simple technology from a customer perspective, but the AI that powers it is immensely complicated to do,” he says.

That difficulty often means that bots are pretty crude.

“A lot of them now have pre-defined inputs and responses,” says Mr Nash. “The only way they are going to become truly ubiquitous is when they can respond as a human would.”