Posts tagged BBC
This week I appeared on BBC1’s The One Show sharing advice on how parents can help their children to develop healthy habits when using smartphones and tablets.
I’m a dad, and like most parents, I feel as if I’m making it up as I go along – which, of course, I am. How I introduce my children to technology is no exception.
Understanding a little about how children develop, what their needs are at different ages, and how easily influenced they are by adults around them, can all help make sure that children – and their parents – have a happy relationship with gadgets.
Technology offers amazing opportunities but, for me, the old adage that ‘too much of a good thing is a bad thing’ stands as true with smartphones and tablets as it does with anything else.
The One Show is on BBC1 at 7pm most evenings, viewers in the UK with a television licence can watch here.
It’s a familiar tale: any time I once made to play Metal Gear Solid, Pro Evolution Soccer or PaRappa the Rapper has long since been eroded by the glamours of parenthood and an erratic work schedule. Mario Kart Wii still gets spun up, as much of an occasional treat for me as it is for my kids.
I am the ‘lapsed gamer’.
But I do still play games. Armed with my smartphone or tablet, pocket puzzlers like the stunning Monument Valley, gory graphic novel epics such as The Walking Dead or riddlers including Mr Robot help ensure that train platform dead-time can still be game-time.
I’ve yet to tire of exploring new places with Pokémon Go, and I stand firm that the Swift Playgrounds lessons are every bit as satisfying as a good Sudoku puzzle – plus I get to learn a valuable skill.
I am the ‘on-the-go gamer’. Living the smartphone gaming dream I am part of the fastest area of revenue growth in the games industry.
So, when Nintendo formally announced its latest console last Friday I wondered if it was an attempt to appeal to gamers like me.
Nintendo Switch is a hybrid tablet/TV games console, as comfortable in your hands as it is hooked up to your television. Accompanying the hardware is a strong first year line-up of titles including new the Zelda Breath of the Wild and Super Mario Odyssey adventures.
But the big question is whether Nintendo has given itself enough of a fighting chance with the Switch to emerge from the shadow of the debacle that was the Wii U, to overcome the console behemoths that are Microsoft and Sony, and to take on the smartphone gaming market.
That was the topic of the story I wrote this week for Mobile World Live: “Will Nintendo fanboys make the Switch?”.
After going hands on with the Nintendo Switch at the London launch event, including playing the new fun fighting game Arms, I headed over to BBC Broadcasting House to report back for two live spots with the BBC News Channel and BBC World News:
On BBC Watchdog tonight I appear in an item highlighting gaping holes in home food delivery service Deliveroo’s security and fraud prevention systems.
Victims of so-called ‘Deliveroo fraud’ report having their credit and debit cards emptied of many hundreds of pounds on food and drink orders they never placed, to addresses many hundreds of miles from where they live.
Deliveroo’s standard response to claims of a security breach has left those affected with a bitter taste in their mouths, suggesting victims look to their own security failings instead.
The first a victim knows of the fraud is when they receive an email from Deliveroo confirming an order has been placed.
Deliveroo insists that its own systems have not been the subject of a hack or data breach; instead, the firm advises that customers should not reuse passwords and usernames across multiple online accounts.
Sound advice on its own, but a critical mass of Deliveroo victims all suffering the same fraud might suggest that Deliveroo should look again at its own security measures.
- Smart fraud prevention mechanisms, if present at all, appear to be ineffectual here. Purchases that are so out of character – such as those highlighted in the show – should easily be picked up by automated systems and subjected to additional verification.
- Similarly, a change of delivery address should also trigger additional verification – a PIN sent to the account holder’s smartphone, for example.
- Deliveroo chooses not to authenticate customer card payments with a CVV2 code.
The Card Verification Value is one of the names given for the additional security numbers printed on the signature strip or front of the card. Deliveroo is far from the only retailer to forego ‘card not present’ security – Amazon, with its 1-click purchase, is another. However, this lack of verification allows fraudsters to place orders on credit cards that are not theirs with no challenge at all.
Deliveroo’s light touch on security can be put down to one thing: sales. Here’s how skimping on security benefits Deliveroo’s bottom line:
- When we buy something, the more hoops we have to jump through to make that purchase, the more likely we’ll drop out and go somewhere else.
- Understandably Deliveroo wants to make placing an order with them as simple a process as possible by cutting out as many hoops as it can.
- However, some of those hoops are there for reasons of security; in removing those, Deliveroo is not only making it easier for its customers to place an order, it’s making it easier for them to be defrauded.
Among the topics I cover in this series of Rip Off Britain: Live on BBC1 is speech recognition. In Tuesday’s show I went to Liverpool to investigate how viewers are talking to their tech to help make their everyday lives easier.
According to researchers at Stanford University we can talk three times faster – and with 20% more accuracy – than we can type or swipe on a mobile phone.
Proof that it’s good to talk, right?
It was no surprise, however, to find that many I spoke with were initially sceptical about the effectiveness of speech recognition. But I had a hunch that their lack of confidence was misplaced, with judgements on poor comprehension based on older generations of the technology.
Our day of filming in and around Liverpool proved my point: I found that Apple’s intelligent personal assistant Siri was better than even I was at comprehending commands, irrespective of accent or background noise.
Speech recognition technology – and Siri is far from the only or even the best example at present – has now reached a level of useful maturity. What is needed next to help more to benefit from it is further accessibility and behavioural change.
In the main Rip Off Britain series in September I also took a look at how voice biometrics are being used by major service providers as an authentication factor to make logins to our online accounts safer, simpler and more secure.
Check out further clips from this series of Rip Off Britain here on the BBC website.
The new series of Rip Off Britain begins this Monday on BBC1 resuming its mission to expose shams, scams and poor customer service.
In this series I look at how failures in Vodafone’s billing systems and customer services have left subscribers out of pocket and with costly black marks on their credit history; also I investigate how freely available information might be used by identity thieves to build up detailed profiles of their victims.
One item that I hope to be covering more of is the future of passwords.
Like a stuck record, over the last four or so seasons on Rip Off Britain I’ve made the point again and again about the importance of good password hygiene to minimise the risk of hacks.
But recent developments in voice biometrics technology might be part of a move to make our live online much safer. In fact, customers of some major UK banks and service providers are already using just their voices to securely log-in to their online accounts.
The software claims to analyse around one hundred different behavioural and physical characteristics of our voices (for example accent or length of vocal folds) and is being used by customers of TalkTalk and HSBC among others. Its developer, Nuance, says the technology is so sophisticated that it can even distinguish between identical twins.
We took a special version of the voice recognition app to the BBC pop up shop at the Trafford Centre in Manchester to discover whether shoppers there felt secure using their voice as their password.
Rip Off Britain airs on BBC1 Monday to Friday from 12th September at 9.15am.
Right on the Money, hosted by Dom Littlewood and Denise Lewis, returns for a second season on BBC1 this summer and I’m excited to be part of the reporting team.
In Friday’s show I front a film about how make money on the move, armed with little more than a smartphone. I look at how people are using apps including Nimber, which pays you to be a courier, YouGov, which rewards you for sitting and submitting surveys, and also Bounts and Sweatcoin, which convert exercise into cash and prizes.
Here’s a quick clip from the show:
You can watch the full Right on the Money episode here (for as long as BBC iPlayer allows, that is).
Despite this appearing on screens in the height of summer, the item was filmed during the depths of winter – the shorts and t-shirt sequence in particular during a sub-zero day in High Wycombe!
Right on the Money airs on BBC1 weekdays 9.15-10am between 11th – 22nd July 2016.
Watchdog Wednesdays continues on BBC Three and in this week’s film I investigate how easily a criminal can hack a public Wi-Fi hotspot and compromise its users’ personal information.
Coffee shops, high streets and hotels increasingly offer free public Wi-Fi so visitors can sync up while they eat, shop or stay. However, as I’ve reported on before, Wi-Fi hotspots are easy to spoof, are frequently unsecured, and even when there is a password there is still no guarantee of safety.
Hacking the Hotspot
So, in a controlled experiment at a central London coffee shop, I set out to see what the hackers see. What I saw when the Watchdog cameras began rolling surprised even me:
— BBC Three (@bbcthree) April 20, 2016
With very little investment in time or equipment I learnt how to intercept traffic sent between users’ devices laptops, smartphones, tablets and the internet.
Just to be clear – I am not a hacker, I’m a journalist, but picking up the basics was worryingly easy.
The Man in the Middle
My attack (known as a ‘Man in the Middle‘ attack by ARP poisoning) targeted only a single device operated by a member of the BBC crew. It could equally have targeted a number of devices, perhaps all logged in to the Wi-Fi hotspot.
I found unencrypted traffic easily visible, plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker — and webpage images appeared on my hacktop just as they did on the victim’s machine. I was even able to work around some (but not all) websites’ attempts to enforce HTTPS security.
plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker
I was shocked that supposedly secure websites such as John Lewis, ebay and Amazon were vulnerable to this basic attack on an iPad, along with email accounts that didn’t have SSL security enabled. Facebook and Twitter didn’t fall for the hack.
Are we really aware of how easy it is for data we send over the airwaves to be intercepted by a silent criminal? I suspect not. This is a perfect crime where victims are unaware that their details have been compromised until the criminal executes his hack hours, days or weeks later when emails get intercepted, accounts get hijacked and funds go missing.
There’s nothing here that’s difficult to get hold of:
- Sony Vaio laptop
- External USB antenna
- Kali Linux operating system
- Tools including Wireshark, sslstrip, ettercap, driftnet
I should add that none of the software used here was illegal; Kali Linux and its bundled utilities are open source, promoted as ‘penetration testing and ethical hacking’ software and is used by security professionals to ensure their corporate networks and public websites remain secure to hackers. Of course, the very same software may also be used by hackers for malicious means. And then, of course, there is YouTube – there’s any number of tutorials here to help you get to grips with the tools and utilities mentioned above.
Stay Safe on Public Wi-Fi Hotspots
So there’s the scare story. But what can you do stay safe when on public WiFi?
- For light browsing I prefer to bring my own network and tether from my smartphone or Mi-Fi, but my data plan is generous (and yes, expensive) to allow for that; if cellular reception is poor it’s painfully slow or impossible.
- A VPN, or Virtual Private Network, is my next security measure – this creates a secure ‘tunnel’ between my laptop, tablet or smartphone and a server elsewhere on the internet into which a fraudster cannot eavesdrop. These can be free, fairly cheap or you can even build your own.
- If all else fails I make sure that websites I exchange data with support safe browsing, denoted by HTTPS and the green padlock (but beware that tools like ‘sslstrip’ can subvert this). I do not ignore errors from the web browser which talk about invalid certificates, even if I don’t understand exactly what they mean – I can visit those websites later when I’m on a secure connection.
How secure are apps? How do you know whether they’re secure if there’s no green padlock or HTTPS visible in an address bar? In my testing I found some apps that are blatantly not secure broadcasting personal details, but I’ll be exploring this in more detail very soon.
Watchdog Wednesdays, a spin-off from the popular BBC1 investigative consumer affairs show, has launched on BBC Three and I’m excited to be fronting its films about online hacks and scams.
My first film, a re-version of an item which aired in Watchdog in October, sees me and LBC’s James O’Brien shed light on a scam known to many as the ‘Microsoft Support Scam’, eventually catching the crooks red-handed.
A three-minute short can only tell so much of the story, so for the many who’ve gotten in touch here’s the technical bit:
On an Apple MacBook running virtual machine software I performed a fresh install of Microsoft Windows 7, loaded anti-malware software, and seeded files in my Users folder and desktop to make it look like a well-used PC. On the host Mac I ran screen recording software, an X server and the Wireshark packet sniffing software to help identify where the scammers were connecting from (alas, we didn’t get to cover the last bit in the film). My final tool was a web browser with some simple who.is tools, and an hour or so raking through some ‘who called me’ forums to find some leads.