On BBC Watchdog tonight I appear in an item highlighting gaping holes in home food delivery service Deliveroo’s security and fraud prevention systems.
Victims of so-called ‘Deliveroo fraud’ report having their credit and debit cards emptied of many hundreds of pounds on food and drink orders they never placed, to addresses many hundreds of miles from where they live.
Deliveroo’s standard response to claims of a security breach has left those affected with a bitter taste in their mouths, suggesting victims look to their own security failings instead.
The first a victim knows of the fraud is when they receive an email from Deliveroo confirming an order has been placed.
Deliveroo insists that its own systems have not been the subject of a hack or data breach; instead, the firm advises that customers should not reuse passwords and usernames across multiple online accounts.
Sound advice on its own, but a critical mass of Deliveroo victims all suffering the same fraud might suggest that Deliveroo should look again at its own security measures.
- Smart fraud prevention mechanisms, if present at all, appear to be ineffectual here. Purchases that are so out of character – such as those highlighted in the show – should easily be picked up by automated systems and subjected to additional verification.
- Similarly, a change of delivery address should also trigger additional verification – a PIN sent to the account holder’s smartphone, for example.
- Deliveroo chooses not to authenticate customer card payments with a CVV2 code.
The Card Verification Value is one of the names given for the additional security numbers printed on the signature strip or front of the card. Deliveroo is far from the only retailer to forego ‘card not present’ security – Amazon, with its 1-click purchase, is another. However, this lack of verification allows fraudsters to place orders on credit cards that are not theirs with no challenge at all.
Deliveroo’s light touch on security can be put down to one thing: sales. Here’s how skimping on security benefits Deliveroo’s bottom line:
- When we buy something, the more hoops we have to jump through to make that purchase, the more likely we’ll drop out and go somewhere else.
- Understandably Deliveroo wants to make placing an order with them as simple a process as possible by cutting out as many hoops as it can.
- However, some of those hoops are there for reasons of security; in removing those, Deliveroo is not only making it easier for its customers to place an order, it’s making it easier for them to be defrauded.
Among the topics I cover in this series of Rip Off Britain: Live on BBC1 is speech recognition. In Tuesday’s show I went to Liverpool to investigate how viewers are talking to their tech to help make their everyday lives easier.
According to researchers at Stanford University we can talk three times faster – and with 20% more accuracy – than we can type or swipe on a mobile phone.
Proof that it’s good to talk, right?
It was no surprise, however, to find that many I spoke with were initially sceptical about the effectiveness of speech recognition. But I had a hunch that their lack of confidence was misplaced, with judgements on poor comprehension based on older generations of the technology.
Our day of filming in and around Liverpool proved my point: I found that Apple’s intelligent personal assistant Siri was better than even I was at comprehending commands, irrespective of accent or background noise.
Speech recognition technology – and Siri is far from the only or even the best example at present – has now reached a level of useful maturity. What is needed next to help more to benefit from it is further accessibility and behavioural change.
In the main Rip Off Britain series in September I also took a look at how voice biometrics are being used by major service providers as an authentication factor to make logins to our online accounts safer, simpler and more secure.
Check out further clips from this series of Rip Off Britain here on the BBC website.
The new series of Rip Off Britain begins this Monday on BBC1 resuming its mission to expose shams, scams and poor customer service.
In this series I look at how failures in Vodafone’s billing systems and customer services have left subscribers out of pocket and with costly black marks on their credit history; also I investigate how freely available information might be used by identity thieves to build up detailed profiles of their victims.
One item that I hope to be covering more of is the future of passwords.
Like a stuck record, over the last four or so seasons on Rip Off Britain I’ve made the point again and again about the importance of good password hygiene to minimise the risk of hacks.
But recent developments in voice biometrics technology might be part of a move to make our live online much safer. In fact, customers of some major UK banks and service providers are already using just their voices to securely log-in to their online accounts.
The software claims to analyse around one hundred different behavioural and physical characteristics of our voices (for example accent or length of vocal folds) and is being used by customers of TalkTalk and HSBC among others. Its developer, Nuance, says the technology is so sophisticated that it can even distinguish between identical twins.
We took a special version of the voice recognition app to the BBC pop up shop at the Trafford Centre in Manchester to discover whether shoppers there felt secure using their voice as their password.
Rip Off Britain airs on BBC1 Monday to Friday from 12th September at 9.15am.
Right on the Money, hosted by Dom Littlewood and Denise Lewis, returns for a second season on BBC1 this summer and I’m excited to be part of the reporting team.
In Friday’s show I front a film about how make money on the move, armed with little more than a smartphone. I look at how people are using apps including Nimber, which pays you to be a courier, YouGov, which rewards you for sitting and submitting surveys, and also Bounts and Sweatcoin, which convert exercise into cash and prizes.
Here’s a quick clip from the show:
You can watch the full Right on the Money episode here (for as long as BBC iPlayer allows, that is).
Despite this appearing on screens in the height of summer, the item was filmed during the depths of winter – the shorts and t-shirt sequence in particular during a sub-zero day in High Wycombe!
Right on the Money airs on BBC1 weekdays 9.15-10am between 11th – 22nd July 2016.
The convergence of car tech and consumer tech is something I’ve spoken and written about in the past, so when Channel 4 asked if I’d explain more to Mary Portas in her new show What Britain Buys I was only too happy to oblige.
Mary was particularly intrigued by the emergence of the dashcam as the must-have in-car accessory for 2016. That said, she was somewhat preoccupied with what happens when the camera faces into the car rather than out front – mercifully our own carpool karaoke didn’t make it into the final cut.
As I wrote in The Metro recently, dashboard-mounted cameras are quickly becoming a must-have accessory for safety-aware, litigation-conscious drivers. Dashcams record video in the event of a bump or prang (or even a malicious key-scrape) with some insurers offering owners lower premiums to counter so-called ‘crash for cash’ and ‘flash for cash‘ scams.
What Britain Buys with Mary Portas is produced by Sundog Pictures for Channel 4.
Watchdog Wednesdays continues on BBC Three and in this week’s film I investigate how easily a criminal can hack a public Wi-Fi hotspot and compromise its users’ personal information.
Coffee shops, high streets and hotels increasingly offer free public Wi-Fi so visitors can sync up while they eat, shop or stay. However, as I’ve reported on before, Wi-Fi hotspots are easy to spoof, are frequently unsecured, and even when there is a password there is still no guarantee of safety.
Hacking the Hotspot
So, in a controlled experiment at a central London coffee shop, I set out to see what the hackers see. What I saw when the Watchdog cameras began rolling surprised even me:
— BBC Three (@bbcthree) April 20, 2016
With very little investment in time or equipment I learnt how to intercept traffic sent between users’ devices laptops, smartphones, tablets and the internet.
Just to be clear – I am not a hacker, I’m a journalist, but picking up the basics was worryingly easy.
The Man in the Middle
My attack (known as a ‘Man in the Middle‘ attack by ARP poisoning) targeted only a single device operated by a member of the BBC crew. It could equally have targeted a number of devices, perhaps all logged in to the Wi-Fi hotspot.
I found unencrypted traffic easily visible, plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker — and webpage images appeared on my hacktop just as they did on the victim’s machine. I was even able to work around some (but not all) websites’ attempts to enforce HTTPS security.
plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker
I was shocked that supposedly secure websites such as John Lewis, ebay and Amazon were vulnerable to this basic attack on an iPad, along with email accounts that didn’t have SSL security enabled. Facebook and Twitter didn’t fall for the hack.
Are we really aware of how easy it is for data we send over the airwaves to be intercepted by a silent criminal? I suspect not. This is a perfect crime where victims are unaware that their details have been compromised until the criminal executes his hack hours, days or weeks later when emails get intercepted, accounts get hijacked and funds go missing.
There’s nothing here that’s difficult to get hold of:
- Sony Vaio laptop
- External USB antenna
- Kali Linux operating system
- Tools including Wireshark, sslstrip, ettercap, driftnet
I should add that none of the software used here was illegal; Kali Linux and its bundled utilities are open source, promoted as ‘penetration testing and ethical hacking’ software and is used by security professionals to ensure their corporate networks and public websites remain secure to hackers. Of course, the very same software may also be used by hackers for malicious means. And then, of course, there is YouTube – there’s any number of tutorials here to help you get to grips with the tools and utilities mentioned above.
Stay Safe on Public Wi-Fi Hotspots
So there’s the scare story. But what can you do stay safe when on public WiFi?
- For light browsing I prefer to bring my own network and tether from my smartphone or Mi-Fi, but my data plan is generous (and yes, expensive) to allow for that; if cellular reception is poor it’s painfully slow or impossible.
- A VPN, or Virtual Private Network, is my next security measure – this creates a secure ‘tunnel’ between my laptop, tablet or smartphone and a server elsewhere on the internet into which a fraudster cannot eavesdrop. These can be free, fairly cheap or you can even build your own.
- If all else fails I make sure that websites I exchange data with support safe browsing, denoted by HTTPS and the green padlock (but beware that tools like ‘sslstrip’ can subvert this). I do not ignore errors from the web browser which talk about invalid certificates, even if I don’t understand exactly what they mean – I can visit those websites later when I’m on a secure connection.
How secure are apps? How do you know whether they’re secure if there’s no green padlock or HTTPS visible in an address bar? In my testing I found some apps that are blatantly not secure broadcasting personal details, but I’ll be exploring this in more detail very soon.
Watchdog Wednesdays, a spin-off from the popular BBC1 investigative consumer affairs show, has launched on BBC Three and I’m excited to be fronting its films about online hacks and scams.
My first film, a re-version of an item which aired in Watchdog in October, sees me and LBC’s James O’Brien shed light on a scam known to many as the ‘Microsoft Support Scam’, eventually catching the crooks red-handed.
A three-minute short can only tell so much of the story, so for the many who’ve gotten in touch here’s the technical bit:
On an Apple MacBook running virtual machine software I performed a fresh install of Microsoft Windows 7, loaded anti-malware software, and seeded files in my Users folder and desktop to make it look like a well-used PC. On the host Mac I ran screen recording software, an X server and the Wireshark packet sniffing software to help identify where the scammers were connecting from (alas, we didn’t get to cover the last bit in the film). My final tool was a web browser with some simple who.is tools, and an hour or so raking through some ‘who called me’ forums to find some leads.
On Challenge TV’s Videogame Nation recently I chatted with presenter Dan Maher about the challenges faced by studios when developing games for Virtual Reality platforms.
Videogame Nation is that rare thing on mainstream television: a show about video games.
Hosted by Inside Xbox co-host Dan Maher, Aoife Wilson and John Robertson, produced by Ginx TV and airing in the UK on Challenge TV, VGN celebrates games and gaming culture with a maturity and intellect that appeals to gamers and non-gamers alike.
In this week’s episode I speak with Dan about a pet subject of mine: virtual reality. We discuss the specific challenges that studios face when developing for VR platforms, and the role that mobile can play in VR’s future.
Here’s a clip from the show where Dan and I talk about the challenges, how mobile will be an invaluable on-ramp for VR, and get hands on with Kickstarter project prototype, Goblin VR.
Hardware is one of the challenges faced by developers – platform fragmentation is already real – and so is grammar: a successful VR experience is not simply a case of lifting traditional a game and dumping it into a pair of virtual reality goggles. The fact is that developers don’t know what works yet; it’s frontier-land all over again which makes VR development a very exciting – if very risky – arena for studios to be working in.
*** UPDATE: Since I wrote this story in early 2016 VGN has, after four series and much critical acclaim, used up all of its credits – much to the disillusionment of gamers all over the internet. Fear not: without too much searching you can still find pretty much every episode of Videogame Nation on YouTube.