Posts tagged Consumer Champion
My feature on how to secure your Amazon Echo was published in TechRadar last week. Here is my take on why securing these intelligent home hubs is of vital importance.
Buttons are obsolete. Simply by conversing with my Alexa I can control my central heating and the lighting around my house and garden; I can buy products with my voice, check my personal calendar, set alarms or reminders, update my things to do list, read my favourite book or play any song, album or playlist on Spotify. With my voice.
Hear no Evil
The convenience this offers is staggering and, in a little over three months since I plugged it in and powered it on, my Amazon Echo has already changed many behaviours in our household. For the better? I think so. However…
With convenience comes compromise, especially when it comes to security. We should never be blinded by the utility of any new piece of technology.
I made one mistake in extolling the virtues of our Amazon Echo above. You see, all of these amazing things and more can be commanded not only with my voice, they can be asked by anybody’s voice.
Voice Recognition versus Speech Recognition
While Alexa has enviable speech recognition – the ability to understand and interpret natural language input by speech – she has yet to learn the skill of voice recognition. Often confused, voice recognition is the ability to uniquely distinguish between different people’s voices by analysing physical and behavioural characteristics.
With voice recognition Alexa would know whether it was me (ie authorised) ordering that Nintendo Switch console from Amazon Prime, or if it was my Mario Kart-loving daughter trying her luck (sorry, denied). Did I just ask Alexa for a 2am alarm call or was somebody outside my living room window attempting to play a prank?
Amazon has no plans to introduce voice recognition into the Amazon Echo just yet. Nevertheless, there are steps that Echo owners can take to make sure they enjoy the convenience of a virtual assistant without the worry of being woken up by a 2am prank alarm call.
Pop over to TechRadar to read my 8 top tips to lock down your Alexa.
In the US Black Friday follows Thanksgiving Thursday and, along with so-called Cyber Monday, has become one of the biggest days in the online shopping calendar. Inevitably it has become a big deal in the UK now too.
On Friday’s ITV Good Morning Britain I was in the studio sharing some tips on how to bag the best online Black Friday bargains.
Many Black Friday shopping tips apply equally to buying online around the rest of the year, but some peculiarities have emerged:
- Keep checking throughout the day. A large element of surprise and secrecy exists around Black Friday that retailers are keen to persist. Prices change, new deals get added and stocks are limited: it’s all part of a clever strategy to keep us interested throughout the day and coming back to their online stores. But that does mean that a good price at 8am might be even better by midday, but sold out by six. That’s the risk you take.
- Black Friday Pop-Up Portals: Comparison sites and aggregation tools are useful all year round, but on Black Friday dozens of pop-up sales portals appear on reputable websites. Which to choose? If you’re shopping for gadgets and technology (always a big deal over this weekend) then take a look at the website of popular gadget magazines or online titles – referrals and traffic mean Black Friday is great business for them too, and many have journalists locked in a room all day hunting down the best deals so you don’t have to.
- Is it really a bargain? It’s worth pointing out that some retailers don’t play fair – research by Which? found many so-called Black Friday bargains were anything but, with prices cheaper both before and after the shopping bonanza weekend. Websites like camelcamelcamel.com (I’ve no idea…) keep track of prices over a period of time to let you see how the price you on offer today compares with the price over, say, the last twelve months.
It goes without saying to watch out for scams though phishing, smishing and malvertising, be aware of your rights and consider paying by credit card for the best consumer protection.
A final thought:
- Don’t let Black Friday Frenzy take over. Remember this is essentially a bit of fun – the worst that can happen is that we pay full price for something or don’t buy it at all. Part of the fun of the whole experience is the thrill of chasing a bargain but your life absolutely does not depend on it. Keep it in perspective and if the fun stops then switch off your computer, switch on the kettle and make a cup of Black Friday tea.
On BBC Watchdog tonight I appear in an item highlighting gaping holes in home food delivery service Deliveroo’s security and fraud prevention systems.
Victims of so-called ‘Deliveroo fraud’ report having their credit and debit cards emptied of many hundreds of pounds on food and drink orders they never placed, to addresses many hundreds of miles from where they live.
Deliveroo’s standard response to claims of a security breach has left those affected with a bitter taste in their mouths, suggesting victims look to their own security failings instead.
The first a victim knows of the fraud is when they receive an email from Deliveroo confirming an order has been placed.
Deliveroo insists that its own systems have not been the subject of a hack or data breach; instead the firm advises that customers should not reuse passwords and usernames across multiple online accounts.
Sound advice on its own, but a critical mass of Deliveroo victims all suffering the same fraud might suggest that Deliveroo should look again at its own security measures.
- Smart fraud prevention mechanisms, if present at all, appear to be ineffectual here. Purchases that are so out of character – such as those highlighted in the show – should easily be picked up by automated systems and subjected to additional verification.
- Similarly, a change of delivery address should also trigger additional verification – a PIN sent to the account holder’s smartphone, for example.
- Deliveroo chooses not to authenticate customer card payments with a CVV2 code.
The Card Verification Value is one of the names given for the additional security numbers printed on the signature strip or from of the card. Deliveroo is far from the only retailer to forego ‘card not present’ security – Amazon, with its 1-click purchase is another. However, this lack of verification allows fraudsters to place orders on credit cards that are not theirs with no challenge at all.
Deliveroo’s light touch on security can be put down to one thing: sales. Here’s how skimping on security benefits Deliveroo’s bottom line:
- When we buy something, the more hoops we have to jump through to make that purchase, the more likely we’ll drop out and go somewhere else.
- Understandably Deliveroo wants to make placing an order with them as simple a process as possible by cutting out as many hoops as it can.
- However, some of those hoops are there for reasons of security; in removing those, Deliveroo is not only making it easier for its customers to place an order, it’s making it easier for them to be defrauded.
Watchdog airs on BBC1 tonight at 8pm.
Among the topics I cover in this series of Rip Off Britain: Live on BBC1 is speech recognition. In Tuesday’s show I went to Liverpool to investigate how viewers are talking to their tech to help make their everyday lives easier.
According to researchers at Stanford University we can talk three times faster – and with 20% more accuracy – than we can type or swipe on a mobile phone.
Proof that it’s good to talk, right?
It was no surprise, however, to find that many I spoke with were initially sceptical about the effectiveness of speech recognition. But I had a hunch that their lack of confidence was misplaced, with judgements on poor comprehension based on older generations of the technology.
Our day of filming in and around Liverpool proved my point: I found that Apple’s intelligent personal assistant Siri was better than even I was at comprehending commands, irrespective of accent or background noise.
Speech recognition technology – and Siri is far from the only or even the best example at present – has now reached a level of useful maturity. What is needed next to help more to benefit from it is further accessibility and behavioural change.
In the main Rip Off Britain series in September I also took a look at how voice biometrics are being used by major service providers as an authentication factor to make logins to our online accounts safer, simpler and more secure.
Check out further clips from this series of Rip Off Britain here on the BBC website.
The new series of Rip Off Britain begins this Monday on BBC1 resuming its mission to expose shams, scams and poor customer service.
In this series I look at how failures in Vodafone’s billing systems and customer services have left subscribers out of pocket and with costly black marks on their credit history; also I investigate how freely available information might be used by identity thieves to build up detailed profiles of their victims.
One item that I hope to be covering more of is the future of passwords.
Like a stuck record, over the last four or so seasons on Rip Off Britain I’ve made the point again and again about the importance of good password hygiene to minimise the risk of hacks.
But recent developments in voice biometrics technology might be part of a move to make our live online much safer. In fact, customers of some major UK banks and service providers are already using just their voices to securely log-in to their online accounts.
The software claims to analyse around one hundred different behavioural and physical characteristics of our voices (for example accent or length of vocal folds) and is being used by customers of TalkTalk and HSBC among others. Its developer, Nuance, says the technology is so sophisticated that it can even distinguish between identical twins.
We took a special version of the voice recognition app to the BBC pop up shop at the Trafford Centre in Manchester to discover whether shoppers there felt secure using their voice as their password.
Rip Off Britain airs on BBC1 Monday to Friday from 12th September at 9.15am.
Right on the Money, hosted by Dom Littlewood and Denise Lewis, returns for a second season on BBC1 this summer and I’m excited to be part of the reporting team.
In Friday’s show I front a film about how make money on the move, armed with little more than a smartphone. I look at how people are using apps including Nimber, which pays you to be a courier, YouGov, which rewards you for sitting and submitting surveys, and also Bounts and Sweatcoin, which convert exercise into cash and prizes.
Here’s a quick clip from the show:
You can watch the full Right on the Money episode here (for as long as BBC iPlayer allows, that is).
Despite this appearing on screens in the height of summer, the item was filmed during the depths of winter – the shorts and t-shirt sequence in particular during a sub-zero day in High Wycombe!
Right on the Money airs on BBC1 weekdays 9.15-10am between 11th – 22nd July 2016.
Watchdog Wednesdays continues on BBC Three and in this week’s film I investigate how easily a criminal can hack a public Wi-Fi hotspot and compromise its users’ personal information.
Coffee shops, high streets and hotels increasingly offer free public Wi-Fi so visitors can sync up while they eat, shop or stay. However, as I’ve reported on before, Wi-Fi hotspots are easy to spoof, are frequently unsecured, and even when there is a password there is still no guarantee of safety.
Hacking the Hotspot
So, in a controlled experiment at a central London coffee shop, I set out to see what the hackers see. What I saw when the Watchdog cameras began rolling surprised even me:
— BBC Three (@bbcthree) April 20, 2016
With very little investment in time or equipment I learnt how to intercept traffic sent between users’ devices laptops, smartphones, tablets and the internet.
Just to be clear – I am not a hacker, I’m a journalist, but picking up the basics was worryingly easy.
The Man in the Middle
My attack (known as a ‘Man in the Middle‘ attack by ARP poisoning) targeted only a single device operated by a member of the BBC crew. It could equally have targeted a number of devices, perhaps all logged in to the Wi-Fi hotspot.
I found unencrypted traffic easily visible, plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker — and webpage images appeared on my hacktop just as they did on the victim’s machine. I was even able to work around some (but not all) websites’ attempts to enforce HTTPS security.
plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker
I was shocked that supposedly secure websites such as John Lewis, ebay and Amazon were vulnerable to this basic attack on an iPad, along with email accounts that didn’t have SSL security enabled. Facebook and Twitter didn’t fall for the hack.
Are we really aware of how easy it is for data we send over the airwaves to be intercepted by a silent criminal? I suspect not. This is a perfect crime where victims are unaware that their details have been compromised until the criminal executes his hack hours, days or weeks later when emails get intercepted, accounts get hijacked and funds go missing.
There’s nothing here that’s difficult to get hold of:
- Sony Vaio laptop
- External USB antenna
- Kali Linux operating system
- Tools including Wireshark, sslstrip, ettercap, driftnet
I should add that none of the software used here was illegal; Kali Linux and its bundled utilities are open source, promoted as ‘penetration testing and ethical hacking’ software and is used by security professionals to ensure their corporate networks and public websites remain secure to hackers. Of course, the very same software may also be used by hackers for malicious means. And then, of course, there is YouTube – there’s any number of tutorials here to help you get to grips with the tools and utilities mentioned above.
Stay Safe on Public Wi-Fi Hotspots
So there’s the scare story. But what can you do stay safe when on public WiFi?
- For light browsing I prefer to bring my own network and tether from my smartphone or Mi-Fi, but my data plan is generous (and yes, expensive) to allow for that; if cellular reception is poor it’s painfully slow or impossible.
- A VPN, or Virtual Private Network, is my next security measure – this creates a secure ‘tunnel’ between my laptop, tablet or smartphone and a server elsewhere on the internet into which a fraudster cannot eavesdrop. These can be free, fairly cheap or you can even build your own.
- If all else fails I make sure that websites I exchange data with support safe browsing, denoted by HTTPS and the green padlock (but beware that tools like ‘sslstrip’ can subvert this). I do not ignore errors from the web browser which talk about invalid certificates, even if I don’t understand exactly what they mean – I can visit those websites later when I’m on a secure connection.
How secure are apps? How do you know whether they’re secure if there’s no green padlock or HTTPS visible in an address bar? In my testing I found some apps that are blatantly not secure broadcasting personal details, but I’ll be exploring this in more detail very soon.
Watchdog Wednesdays, a spin-off from the popular BBC1 investigative consumer affairs show, has launched on BBC Three and I’m excited to be fronting its films about online hacks and scams.
My first film, a re-version of an item which aired in Watchdog in October, sees me and LBC’s James O’Brien shed light on a scam known to many as the ‘Microsoft Support Scam’, eventually catching the crooks red-handed.
A three-minute short can only tell so much of the story, so for the many who’ve gotten in touch here’s the technical bit:
On an Apple MacBook running virtual machine software I performed a fresh install of Microsoft Windows 7, loaded anti-malware software, and seeded files in my Users folder and desktop to make it look like a well-used PC. On the host Mac I ran screen recording software, an X server and the Wireshark packet sniffing software to help identify where the scammers were connecting from (alas, we didn’t get to cover the last bit in the film). My final tool was a web browser with some simple who.is tools, and an hour or so raking through some ‘who called me’ forums to find some leads.