
Smart Mouse Traps: A Good Deal For Consumers?

Rentokil, a pest control company, has introduced in the United Kingdom a new pest-control device for consumers who want the latest WiFi technology. The company introduced ResiConnect, an Internet-connected mouse trap. A Rentokil representative explained to the Register UK newspaper:

“This is a trap that’s connected to the internet, essentially. Whereas there are other standard traps on the market that just catch and kill the mouse, that mouse can be caught in that trap for several weeks or several months. What this does is sends us a signal to notify us the trap has been activated, which allows us to respond... What this allows us to do is catch, kill and contain the mouse... and provide the best solution to the customer as well.”

Reportedly, the device sells for about £1,300, or about U.S. $1,300. Last summer, Rentokil Initial Plc announced a partnership with Google and PA Consulting Group (PA) to deploy globally the company's:

"... innovative digital pest control products and, in the future, to the development of ‘next generation’ services to offer customers new levels of proactive risk management against the threat of pest infestation... Rentokil has developed and begun to roll out its range of connected rodent control products particularly to customers in the tightly regulated food and pharmaceutical industries. In the field today, Rentokil has over 20,000 digital devices running in 12 countries which have now sent more than 3 million pieces of data.

The new digital pest control services use connected rodent devices with embedded sensors and mobile connectivity. The units communicate with Rentokil’s online ‘Command Centre’ and when they've caught a rodent, the technician is automatically alerted while customers are kept informed through myRentokil, the industry’s leading online portal... Built on Google’s Cloud Platform, and delivered by PA using Agile techniques, this technology is highly scalable and is now ready to be deployed more widely to existing and new customers from Q4 2016 and to other parts of the company..."

It seems that Rentokil is making available to consumers smart traps similar to those already deployed in the commercial market, such as fast food restaurants with multiple locations. Rentokil sells in the United States a device that uses radar to detect and capture mice. This raises the question: do consumers really need a smart mouse trap?

I have direct experience with mice. The building where I live contains condominiums, and I have the responsibility to pay the condo association's monthly bills (e.g., water, insurance, and electricity), plus hire vendors and contractors, as needed, for repairs and maintenance. That includes pest control companies. Last week, our pest-control vendor deployed bait traps (e.g., poison and glue strips) in all units, plus the basement (with utilities and storage areas).

Obviously, owners of retail stores with multiple locations (e.g., fast food restaurants) would benefit from smart mouse traps. It seems cost-prohibitive to send (and pay for) technicians to visit each store and check multiple traps, when only some of the traps would have caught rodents.

First, the benefit for residential customers seems marginal. An Internet-connected mouse trap might appeal to squeamish consumers, who are afraid or unsure what to do, but it's hard to beat the convenience and low cost of a phone call. For our condo association, it was easy to know when a trap had caught a mouse. You heard the squeaking.

For us, the rodent removal process was easy. After a quick phone call the evening the mouse was caught, a pest-control technician arrived the next morning. The company sent a technician that was already in the area for nearby service calls. The technician removed the mouse stuck on a glue strip, checked, and re-baited several traps. That visit was included in the price we paid, and the phone call cost was negligible.

Second, the price seems expensive. The $1,600 price for a smart mouse trap equals about three years of what our condo association pays for pest control services.

Reliability and trust with smart devices are critical for consumers. A recent global study found that 44 percent of consumers are concerned about financial information theft via smart home devices, and 37 percent are concerned about identity theft.

Informed shoppers know that not all smart devices are built equally. Some have poor security features or lack software upgrades. These vulnerabilities create opportunities for bad guys to hack and infect consumers' home WiFi networks with malware to steal passwords and money, create spam, and use infected devices as part of DDoS attacks targeting businesses. (Yes, even the hosting service for this blog was targeted.) So, it is wise to understand any smart trap's software and security features before purchase.

What do you think? Are smart mouse traps worthwhile?


EU Privacy Watchdogs Ask Microsoft For Explanations About Data Collection About Users

A privacy watchdog group in the European Union (EU) is concerned about privacy and data collection practices by Microsoft. The group, comprising 28 agencies and referred to as the Article 29 Working Party, sent a letter to Microsoft asking for explanations about privacy concerns with the software company's Windows 10 operating system software.

The February 2017 letter to Brendon Lynch, Chief Privacy Officer, and to Satya Nadella, Chief Executive Officer, was a follow-up to a prior letter sent in January. The February letter explained:

"Following the launch of Windows 10, a new version of the Windows operating system, a number of concerns have been raised, in the media and in signals from concerned citizens to the data protection authorities, regarding protection of your users’ personal data... the Working Party expressed significant concerns about the default installation settings and an apparent lack of control for a user to prevent collection or further processing of data, as well as concerns about the scope of data that are being collected and further processed... "

While Microsoft has been cooperative so far, the group stated its specific privacy concerns:

"... user consent can only be valid if fully informed, freely given and specific. Whilst it is clear that the proposed new express installation screen will present users with five options to limit or switch off certain kinds of data processing it is not clear to what extent both new and existing users will be informed about the specific data that are being collected and processed under each of the functionalities. The proposed new explanation when, for example, a user switches the level of telemetry data from 'full' to 'basic' that Microsoft will collect 'less data' is insufficient without further explanation. Such information currently is also not available in the current version of the privacy policy.

Additionally, the purposes for which Microsoft collects personal data have to be specified, explicit and legitimate, and the data may not be further processed in a way incompatible with those purposes. Microsoft processes data collected through Windows 10 for different purposes, including personalised advertising. Microsoft should clearly explain what kinds of personal data are processed for what purposes. Without such information, consent cannot be informed, and therefore, not valid..."

Visit this EU link for more information about the Article 29 Working Party, or download the Article 29 Working Party letter to Microsoft (Adobe PDF).


Travelers Face Privacy Issues When Crossing Borders

If you travel for business, pleasure, or both then today's blog post will probably interest you. Wired Magazine reported:

"In the weeks since President Trump’s executive order ratcheted up the vetting of travelers from majority Muslim countries, or even people with Muslim-sounding names, passengers have experienced what appears from limited data to be a “spike” in cases of their devices being seized by customs officials. American Civil Liberties Union attorney Nathan Wessler says the group has heard scattered reports of customs agents demanding passwords to those devices, and even social media accounts."

Devices include smartphones, laptops, and tablets. Many consumers realize that relinquishing passwords to social networking sites (e.g., Facebook, Instagram, etc.) discloses sensitive information not just about themselves, but also about all of their friends, family, classmates, neighbors, and coworkers -- anyone they are connected with online. The "Bring Your Own Device" policies of many companies and employers mean that employees (and contractors) can use their personal devices in the workplace and/or connect remotely to company networks. Those connected devices can easily divulge company trade secrets and other sensitive information when seized by Customs and Border Patrol (CBP) agents for analysis and data collection.

Plus, professionals such as attorneys and consultants are required to protect their clients' sensitive information. These professionals, who also must travel, require data security and privacy for business.

Wired also reported:

"In fact, US Customs and Border Protection has long considered US borders and airports a kind of loophole in the Constitution’s Fourth Amendment protections, one that allows them wide latitude to detain travelers and search their devices. For years, they’ve used that opportunity to hold border-crossers on the slightest suspicion, and demand access to their computers and phones with little formal cause or oversight.

Even citizens are far from immune. CBP detainees from journalists to filmmakers to security researchers have all had their devices taken out of their hands by agents."

For travelers wanting privacy, what are the options? Remain at home? This may not be an option for workers who must travel for business. Leave your devices at home? Again, impractical for many. The Wired article provided several suggestions, including:

"If customs officials do take your devices, don’t make their intrusion easy. Encrypt your hard drive with tools like BitLocker, TrueCrypt, or Apple’s Filevault, and choose a strong passphrase. On your phone—preferably an iPhone, given Apple’s track record of foiling federal cracking—set a strong PIN and disable Siri from the lockscreen by switching off “Access When Locked” under the Siri menu in Settings.

Remember also to turn your devices off before entering customs: Hard drive encryption tools only offer full protection when a computer is fully powered down. If you use TouchID, your iPhone is safest when it’s turned off, too..."

What are the consequences when travelers refuse to disclose passwords and encrypt their devices? Ars Technica also explored the issues:

"... Ars spoke with several legal experts, and contacted CBP itself (which did not provide anything beyond previously-published policies). The short answer is: your device probably will be seized (or "detained" in CBP parlance), and you might be kept in physical detention—although no one seems to be sure exactly for how long.

An unnamed CBP spokesman told The New York Times on Tuesday that such electronic searches are extremely rare: he said that 4,444 cellphones and 320 other electronic devices were inspected in 2015, or 0.0012 percent of the 383 million arrivals (presuming that all those people had one device)... The most recent public document to date on this topic appears to be an August 2009 Department of Homeland Security paper entitled "Privacy Impact Assessment for the Border Searches of Electronic Devices." That document states that "For CBP, the detention of devices ordinarily should not exceed five (5) days, unless extenuating circumstances exist." The policy also states that CBP or Immigration and Customs Enforcement "may demand technical assistance, including translation or decryption," citing a federal law, 19 US Code Section 507."

The Electronic Frontier Foundation (EFF) collects stories from travelers who've been detained and had their devices seized. Clearly, we will hear a lot more in the future about these privacy issues. What are your opinions of this?


Big Data Brokers: Failing With Privacy

You may not know that hedge funds, in both the United Kingdom and in the United States, buy and sell a variety of information from data brokers: mobile app purchases, credit card purchases, posts at social networking sites, and lots more. You can bet that a lot of that mobile information includes geo-location data. The problem: consumers' privacy isn't protected consistently.

The industry claims the information sold is anonymous (e.g., doesn't identify specific persons), but researchers have found it easy to de-anonymize the information. The Financial Times reported:

"The “alternative data” industry, which sells information such as app downloads and credit card purchases to investment groups, is failing to adequately erase personal details before sharing the material... big data is seen as an increasingly attractive source of information for asset managers seeking a vital investment edge, with data providers selling everything from social media chatter and emailed receipts to federal lobbying data and even satellite images from space..."

One part of the privacy problem:

“The vendors claim to strip out all the personal information, but we occasionally find phone numbers, zip codes and so on,” said Matthew Granade, chief market intelligence officer at Steven Cohen’s Point72. “It’s a big enough deal that we have a couple of full-time tech people wash the data ourselves.” The head of another major hedge fund said that even when personal information had been scrubbed from a data set, it was far too easy to restore..."

A second part of the privacy problem:

“... there is no overarching US privacy law to protect consumers, with standards set individually by different states, industries and even companies, according to Albert Gidari, director of privacy at the Stanford Center for Internet and Society..."

The third part of the privacy problem: consumers are too willing to trade personal information for convenience.


German Regulators Ask Tesla To Stop Advertising 'Autopilot' Term

Government regulators have asked the automaker Tesla to stop using the term "autopilot" for its driver-assist feature. Deutsche Welle (DW) reported that a letter:

"... published in the newspaper "Bild am Sonntag," called on Tesla to take urgent action "in order to prevent misunderstandings and false expectations from clients." The KBA transport regulator said the term "autopilot" was misleading, and called for it to be removed in future advertisements for Tesla products. The self-driving feature has been available on the California-based automaker's Model S since October 2015."

The Autopilot feature manages the car's speed, steers within a lane, changes lanes (when the driver taps a turn signal), scans for a parking space, and parallel parks on command. Officials in Germany are still conducting an investigation into the car's capabilities.

After the fatal crash in May of a Tesla Model S car operating beta-version software for its Autopilot feature, Tesla engineers said in August the problem was with the car's brakes and not its Autopilot feature.

DW also reported:

"... the German transport regulator wrote to Tesla owners warning them that the autopilot function was purely to assist the driver and did not turn the car into a highly-automated vehicle. The feature still required the driver's unrestricted attention at all times, the letter said. Under German road traffic regulations, the driver is required to remain alert and in control of the vehicle at all times when using the system, the letter added."

The Los Angeles Times reported:

"Tesla Chief Executive Elon Musk has repeatedly said he’s sticking with the name, and the company responded to the German report as it does every time the subject comes up: The term “autopilot” has a long history in aerospace, where human pilots and autopilot systems work together to fly a plane."


Federal Reserve Bars 2 HSBC Foreign Exchange Traders From Working In The Industry

The Federal Reserve Board (FRB) has prohibited two former foreign exchange (FX) traders from working in the banking industry. Both persons, Mark Johnson and Stuart Scott, were managers at London-based HSBC Bank plc, a subsidiary of HSBC. Johnson had been a managing director and the global head of FX cash trading. Scott reported to Johnson and had managed the bank's FX trading for Europe, the Middle East, and Africa.

The FRB's press release explained the reasons for its actions:

"Mark Johnson and Stuart Scott, former senior HSBC managers, were recently indicted for criminal wire fraud in connection with their trading activities... According to the indictment, Johnson and Scott made multiple misrepresentations to an FX client of HSBC in connection with a large pre-arranged currency transaction. The indictment also alleges Johnson and Scott engaged in conduct to trade to the detriment of HSBC's client and for their own (and HSBC's) benefit... the Board found that given the indictment, Johnson's and Scott's continued participation in any depository institution may threaten to impair public confidence in that institution."

The U.S. Department of Justice filed criminal charges on July 16, 2016 against Johnson and Scott in U.S. District Court for the Eastern District of New York. On August 16, 2016, a federal grand jury indicted Johnson and Scott with multiple counts of wire fraud and conspiracy to commit wire fraud. The alleged fraud happened during November and December, 2011, in part, in New York City at the offices of HSBC Bank USA National Association, a unit of HSBC.

HSBC Bank plc is a unit of HSBC Holdings plc (HSBC). HSBC's website says it has 4,400 offices in 71 countries that serve 46 million customers worldwide.  Bloomberg described HSBC Bank plc's activities:

"HSBC Bank plc provides various banking products and services worldwide. The company operates through Retail Banking and Wealth Management, Commercial Banking, Global Banking and Markets, and Global Private Banking segments. It accepts various deposits, such as current, savings, and business bank accounts..."

The prohibition is effective immediately and until the criminal charges against Johnson and Scott are resolved.


News About The Massive Data Breach At Yahoo Isn't Pretty

The news about Yahoo's massive data breach seems to be getting worse. The Oregonian reported:

" "Data breaches on the scale of Yahoo are the security equivalent of ecological disasters," said Matt Blaze, a security researcher who directs the Distributed Systems Lab at the University of Pennsylvania, in a message posted to Twitter. A big worry is a cybercriminal technique known as "credential stuffing," which works by throwing leaked username and password combinations at a series of websites in an effort to break in, a bit like a thief finding a ring of keys in an apartment lobby and trying them, one after the other, in every door in the building. Software makes the trial-and-error process practically instantaneous. Credential stuffing typically succeeds between 0.1 percent and 2 percent of the time..."

Apply those success rates to half a billion stolen credentials and criminals have plenty of opportunities to break into consumers' online accounts. And, this list of seven ways the breach has exposed consumers to online banking fraud is definitely accurate.

The tech company's stock has dropped 4 percent since September 22. During an interview, Tim Armstrong, the head of Verizon's AOL, would not comment about whether Verizon might renegotiate its $4.8 billion cash purchase price for Yahoo's core business. Experts have speculated about whether or not the breach might trigger the "material adverse effect" clause in the purchase transaction.

Tech Week Europe reported:

"Cybersecurity specialist Venafi conducted research into how well Yahoo reacted to the breach, in particular the cryptographic controls Yahoo still has in place, and said the results were “damning.” Researchers said Yahoo had still not “taken the action necessary to ensure they are not still exposed and that the hackers do not still have access to their systems and encrypted communications.” Furthermore Venafi warned that “Yahoo is still using cryptography (MD5) that has been known to be vulnerable for many years now.” "

On Monday, U.S. Senator Mark R. Warner (D-VA) requested that the U.S. Securities and Exchange Commission (SEC) investigate Yahoo and its executives. Senator Warner said in a statement:

"Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications," wrote Sen. Warner, a former technology executive. "Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public. The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it."

Senator Warner called on the SEC:

"... to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems. Additionally, since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature..."

Also, six U.S. Senators sent a letter on September 27 to Marissa Mayer, the Chief Executive Officer at Yahoo, demanding answers about precisely how and why the massive breach went undetected for so long. The letter by Senators Richard Blumenthal (D-CT), Al Franken (D-MN), Patrick Leahy (D-VT), Edward J. Markey (D-MA), Elizabeth Warren (D-MA), and Ron Wyden read in part:

"We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week. That means millions of Americans' data may have been compromised for two years. That is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of Americans in recent years, but it is by far the largest. Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps to be taken to protect that information."

Indeed. Consumers have these reasonable and valid expectations. The letter demands that the tech company provide a briefing to the Senators' staffs with answers to a set of eight questions including a detailed timeline of events, specific systems and services affected, steps being taken to prevent a massive breach from happening again, and how it responded to any communications and warnings by government officials about state-sponsored hacking activity.

Elizabeth Denham, the Information Commissioner of the United Kingdom (UK), released a statement on September 23 demanding answers from Yahoo:

"The vast number of people affected by this cyber attack is staggering and demonstrates just how severe the consequences of a security hack can be. The US authorities will be looking to track down the hackers, but it is our job to ask serious questions of Yahoo on behalf of British citizens and I am doing that today. We don’t yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data. People’s personal information must be securely protected..."

Some consumers aren't waiting for lawmakers. The Mercury News reported:

"... a class-action suit accusing the Sunnyvale tech firm of putting their finances at risk and failing to notify them earlier about the breach. “While investigating another potential data breach, Yahoo uncovered this data breach, dating back to 2014,” the lawsuit, filed Thursday in U.S. District Court in San Diego, said. “Two years is unusually long period of time in which to identify a data breach.” On Friday in U.S. District Court in San Jose, a second class-action suit was filed over the hack. Plaintiff Ronald Schwartz, of New York, claims his personal information was stolen. His suit calls Yahoo’s treatment of users’ data “grossly negligent” and alleges that circumstantial evidence indicates “Yahoo insiders” knew of the breach “long before it was disclosed.” "

Reportedly, one of the plaintiffs has already experienced financial fraud as a result of identity theft from the data breach.


Viking River Cruises Ship Collides With Bridge Killing 2 Crew Members

[Photo: top deck of a Viking ship with the wheelhouse in the up position]

Earlier this week, Viking River Cruises announced that one of its ships struck a bridge Sunday while sailing the Rhine-Main-Danube Canal in Germany:

"Viking Freya experienced an accident in Erlangen, Germany early Sunday morning. Viking Freya’s wheelhouse collided with the bridge in Erlangen. Two crew members of the ship were in the wheelhouse and died as a result of injuries sustained during the collision. No other crew members or guests were injured, and all guests have been transported to local hotels..."

[Photo: lowered handrails and partially lowered wheelhouse on a Viking ship]

The above photo shows the top deck of another Viking ship with the wheelhouse in the "up" position. For low bridge clearances, the wheelhouse lowers inside the ship. Also, the crew lowers all railings on the top deck, and passengers are prohibited from that area. The photo on the left shows lowered handrails and a partially lowered wheelhouse.

The Metro UK reported (with photos) that the ship struck the bridge about 1:30 AM. The two crew members killed were from Hungary. None of the 181 passengers were injured. All passengers and 49 crew members were transferred to local hotels. Passengers were able to board another Viking ship in Passau, Germany to continue their journey to Budapest. While the Viking Freya is out of service for repairs, the Viking Bestia ship will substitute for future 2016 sailings.

During my Viking cruise in September 2014 from Amsterdam to Budapest, I noticed that there wasn't much clearance under some bridges; perhaps 5 to 7 feet between the top deck and the bottom of several bridges. See the photo below.

[Photo: low clearance between a Viking ship and a bridge]

Clearly, something went awfully wrong on the Freya. This was terrible, sad news.


Drone Strikes Commercial Airliner While Landing At London Airport

Several news organizations reported this morning that a drone struck a commercial airliner during its approach to land at an airport in England. CNN reported:

"British Airways Flight BA727 from Geneva, Switzerland, was coming in to land at London's Heathrow Airport when the pilot said he thought a drone had struck the front of the aircraft, London Metropolitan Police said."

During the drone strike, the plane was descending and at an altitude of about 1,700 feet. The plane landed safely and no passengers were injured. Officials inspected the plane and found no damage. Government authorities are investigating. They do not know who operated the drone, nor the type of drone. So far, officials haven't found any debris from the drone during a ground search.

In the United Kingdom, as in the United States, drone operators are supposed to operate their drones within flight restrictions (e.g., 400-foot maximum altitude, not near airports). The trouble is enforcement. There doesn't seem to be any way for government authorities to enforce the restrictions.

In the United States, the Federal Aviation Administration (FAA) is responsible for maintaining the safety of our skies. Current flight restrictions by the FAA for drones (also called Unmanned Aircraft Systems):

"Fly below 400 feet and remain clear of surrounding obstacles. Keep the aircraft within visual line of sight at all times. Remain well clear of and do not interfere with manned aircraft operations. Don't fly within 5 miles of an airport unless you contact the airport and control tower before flying. Don't fly near people or stadiums. Don't fly an aircraft that weighs more than 55 lbs. Don't be careless or reckless with your unmanned aircraft – you could be fined for endangering people or other aircraft."

What does "near" mean: 5 feet, 5 yards, 50 yards, 500 yards, or 5 miles? What does "careless" mean? Enforcement seems to be an open security issue. There is nothing stopping drone operators from violating these flight rules. The FAA registration rules seem equally problematic:

"Anyone who owns a small unmanned aircraft that weighs more than 0.55 lbs. (250g) and less than 55 lbs. (25kg) must register with the Federal Aviation Administration's UAS registry before they fly outdoors. People who do not register could face civil and criminal penalties... The owner must be: 13 years of age or older... A U.S. citizen or legal permanent resident."

How is this enforced when anyone can walk into a retail store and buy a drone (or order one online)?

The Heathrow drone strike should not be a surprise. There were two near misses in New York in August last year. The CNN news story also reported:

"A recent report, based on the center's analysis of Federal Aviation Administration data from August 21, 2015 to January 31, 2016, said there were 519 incidents involving passenger aircraft and unmanned drones in the U.S. within that period."

Last year, U.S. Senator Chuck Schumer (Democrat-New York) proposed an amendment to the Federal Aviation Administration Reauthorization bill to require all remote-controlled aircraft sold in the United States to have tracking mechanisms installed. The mechanisms would use geo-fencing technology to keep drones away from high-value targets, such as airports, major parades, the Pentagon, major sporting events, and sports stadiums.

Drones have many valid uses, including faster, easier safety inspections of infrastructure, such as bridges, residential roofs, towers, and stacks; plus commercial package delivery. While drone pilots have been required to register with the FAA since December, there are still many unregistered operators.

The Heathrow drone strike could have had a very different result. It seems the drone bounced off the plane's metal exterior. A strike that punctures a windshield, or damages an engine, could produce a different outcome.

Once terrorists figure out the security hole with drone flight enforcement, you can bet they will test security limits. Heaven forbid terrorists pack explosives on larger drones and successfully fly them into a commercial airliner. If this happens, the travel industry will take a huge economic hit as consumers fly less often, or stop flying altogether (and take trains or buses). Related tourism industries and locations would also be affected economically. People will lose jobs.

A more sensible approach would have been to put in place drone flight rules combined with effective enforcement processes before allowing consumers to purchase drones. One could argue that such limits already apply to other purchases. Consumers cannot buy an M1A2 Abrams battle tank or a howitzer cannon. Maybe consumers should not be able to buy drones until effective enforcement and safety processes are in place first. Last year, a person installed and fired a handgun on his drone.

If this bothers you (and I sincerely hope that it does), tell your elected officials. What are your opinions of drone safety?


Report: Significant Security Risks With Healthcare And Financial Services Mobile Apps

Arxan Technologies recently released its fifth annual report about the state of application security. This latest report also highlighted some differences between how information technology (I.T.) professionals and consumers view the security of healthcare and financial services mobile apps. Overall, Arxan found critical vulnerabilities:

"84 percent of the US FDA-approved apps tested did not adequately address at least two of the Open Web Application Security Project (OWASP) Mobile Top 10 Risks. Similarly, 80 percent of the apps tested that were formerly approved by the UK National Health Service (NHS) did not adequately address at least two of the OWASP Mobile Top 10 Risks... 95 percent of the FDA-approved apps, and 100 percent of the apps formerly approved by the NHS, lacked binary protection, which could result in privacy violations, theft of personal health information, and tampering... 100 percent of the mobile finance apps tested, which are commonly used for mobile banking and for electronic payments, were shown to be susceptible to code tampering and reverse-engineering..."

Some background about the U.S. Food and Drug Administration (FDA): it revised its guidelines for mobile medical apps in September 2015. The top of that document clearly states, "Contains Nonbinding Regulations." The document also explains which apps the FDA regulates (link added):

"Many mobile apps are not medical devices (meaning such mobile apps do not meet the definition of a device under section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act)), and FDA does not regulate them. Some mobile apps may meet the definition of a medical device but because they pose a lower risk to the public, FDA intends to exercise enforcement discretion over these devices (meaning it will not enforce requirements under the FD&C Act). The majority of mobile apps on the market at this time fit into these two categories. Consistent with the FDA’s existing oversight approach that considers functionality rather than platform, the FDA intends to apply its regulatory oversight to only those mobile apps that are medical devices and whose functionality could pose a risk to a patient’s safety if the mobile app were to not function as intended. This subset of mobile apps the FDA refers to as mobile medical apps."

The Arxan report found that consumers are concerned about mobile app security:

"80 percent of mobile app users would change providers if they knew the apps they were using were not secure. 82 percent would change providers if they knew alternative apps offered by similar service providers were more secure."

Arxan commissioned a third party which surveyed 1,083 persons in the United States, United Kingdom, Germany, and Japan during November 2015. 268 survey participants were I.T. professionals and 815 participants were consumers. Also, Arxan hired Mi3 to test mobile apps during October and November 2015. Those tests included 126 health and financial mobile apps covering both the Apple iOS and Android platforms, 19 mobile health apps approved by the FDA, and 15 mobile health apps approved by the UK NHS.

One difference in app security perceptions between the two groups: 82 percent of I.T. professionals believe "everything is being done to protect my apps" while only 57 percent of consumers hold that belief. To maintain privacy and protect sensitive personal information, Arxan advises consumers to:

  1. Buy apps only from reputable app stores,
  2. Don't "jail break" your mobile devices, and
  3. Demand that app developers disclose upfront the security methods and features in their apps.

The infographic below presents more results from the consolidated report. Three reports by Arxan Technologies are available: consolidated, healthcare, and financial services.

Arxan Technologies. 5th Annual State of App Security infographic
Infographic reprinted with permission.


Apple vs. FBI: "Extraordinary" Government Actions May Cause U.S. Companies To Move Offshore

There may be unintended consequences if the Federal Bureau of Investigation (FBI) is successful in forcing Apple, Inc. to build back doors into its iPhones. What might some of those unintended consequences be? TechCrunch reported that Lavabit filed an amicus brief supporting Apple. Never heard of Lavabit? Forgot about Lavabit? You may remember:

"... Lavabit, a technology company that previously judged it necessary to shutter its own service after receiving similarly “extraordinary” government demands for assistance to access user data, in the wake of the 2013 disclosures by NSA whistleblower Edward Snowden... the FBI sought the private encryption key used by Lavabit to protect the Secure Socket Layer (“SSL”) and Transport Layer Security (“TLS”) connections to their servers. With the SSL/TLS private key in hand, the FBI would be able to impersonate Lavabit on the Internet. This would allow them to intercept, decrypt, inspect, and modify (either with intent, or by accident) all of the connections between Lavabit and the outside world..."

In its brief, Lavabit argues that if Apple is forced to build back doors into its devices, not only would Apple's brand be tarnished, but the ability of iPhone users to receive reliable and secure operating-system security updates would be degraded. Some updates might include malware. If users' trust decreases and they choose to stop receiving security updates, then their devices become more vulnerable than otherwise. That's not good. And, if people blame government for starting this security mess, then that's not good either, since it would erode trust in government.

Would companies relocate out of the United States due to privacy and surveillance concerns? Consider:

"... Silent Circle, moved its global headquarters from the Caribbean to Switzerland back in May 2014 — citing the latter’s “strong privacy laws” as one of the reasons to headquarter its business in Europe. Various other pro-encryption startups, including ProtonMail and Tutanota, have also chosen to locate their businesses in countries in Europe that have a reputation for protecting privacy."

Plus, there are money concerns. Since 1982, at least 51 companies completed tax inversions: moved their headquarters (and sometimes some employees) out of the United States to another country to enjoy lower taxes. So, Burger King is now a Canadian company. Pfizer is now an Irish company. And, lower tax payments by companies make government deficits (federal, state, local) worse. The bottom line: profitability matters. When companies suffer lower profitability -- as tarnished brands often do -- their executives take actions to improve profits. It's what they do.

Want to learn more about Lavabit? At about the two-thirds mark in the film "CitizenFour," Lavabit founder Ladar Levison shares some of his experiences.


Safer Internet Day: Do Your Part

Today is Safer Internet Day (SID) #SID2016. This event occurs every year in February to promote safer and more responsible use of online technology and mobile phones, especially among children. This year's theme is:

"Play your part for a better Internet"

There are events in 100 countries worldwide. The European Commission’s Safer Internet Programme started the event, which has continued under the Connecting Europe Facility (CEF). This is the 13th annual event. According to its press release:

"Last year’s celebrations saw more than 19,000 schools and 28 million people involved in SID actions across Europe, while over 60 million people were reached worldwide..."

Hans Martens, Digital Citizenship Programme Manager at European Schoolnet and Coordinator of the Insafe Network said:

“The theme of ‘Play your part for a better internet’ truly reflects how stakeholders from across the world can and should work together to build a trusted digital environment for all. This approach is at the core of the Better Internet for Kids agenda, and we look forward to seeing many exciting initiatives and collaborations, both on the day of SID itself and beyond."

Sophos, a security firm, described six safety tips for families. That includes learning to spot phishing scams to avoid password-stealing computer viruses and ransomware. Children need to learn how to create strong passwords, and never to use known weak passwords. Read about several SID events in California, including teens brainstorming ways to fight online bullying and teens helping adults.

To learn more, watch the video below and then visit SaferInternetDay.org for events in your country.

Or, watch the video on YouTube.


EU Antitrust Chief: Vast Digital Data Collection By A Few Threatens Competition

On Sunday, the New York Times reported comments by the European Union's antitrust chief:

"Margrethe Vestager, the European Union’s antitrust chief, warned on Sunday that the collection of a vast amount of users’ data by a small number of tech companies like Google and Facebook could be in violation of the region’s tough competition rules."

The European Union (EU) and the United States are negotiating a new data-sharing arrangement to meet a January 31, 2016 deadline, after the European Court of Justice ruled in October 2015 that Europeans’ sensitive personal information was not adequately protected when transmitted to the United States under the safe harbor agreement. The court ruled the agreement invalid because of access by U.S. government (spy) agencies.

The EU developed its Privacy Directive during the late 1990s to: a) standardize privacy laws across its member countries, b) protect their residents' sensitive personal and financial information as the Internet industry blossomed, and c) define the protections that apply as information is transmitted across country borders. The protections cover online activities such as posting to social networking sites, buying products online, and performing searches at search engine websites. To learn more, read the "US/EU Safe Harbor Agreement: What It Is and What It Says About the Future of Cross Border Data Protection" (Adobe PDF) document by the U.S. Federal Trade Commission (FTC) from 2003. (The 2003 report is also available here.) To sell their products and services within the EU, companies based in the United States must comply with these privacy regulations.

Reportedly, Vestager said:

"If a few companies control the data you need to cut costs, then you give them the power to drive others out of the market...”

She is not the only one concerned:

"A number of European executives echoed Ms. Vestager’s fears about how a small number of American tech companies could use their large-scale data collection to favor their own services over those of rivals. Among them was Oliver Samwer, the German entrepreneur who co-founded Rocket Internet, one of the region’s most high-profile tech companies."

The EU has several antitrust investigations underway:

"... for example, investigations into Apple’s tax practices in Ireland and has started a wide-ranging inquiry into e-commerce that analysts say could encompass the likes of Amazon, among others. Ms. Vestager also brought antitrust charges against Google last April, saying the search giant had unfairly favored some of its digital services over those of rivals. An announcement in that case is expected in late spring... while a separate European investigation continues into whether Google used Android, its popular mobile software, to unfairly restrict rivals..."

It seems wise for consumers in the United States to pay attention to events and negotiations in Europe to ensure as much competition and privacy as possible.


The Most Discussed Topics On Facebook During 2015

What did Facebook members discuss the most during 2015? It wasn't all lolcats, music, selfies, and humor. The social networking giant published its list of most discussed global topics:

  1. U.S. Presidential Election
  2. November 13 Attacks in Paris
  3. Syrian Civil War & Refugee Crisis
  4. Nepal Earthquakes
  5. Greek Debt Crisis
  6. Marriage Equality
  7. Fight Against ISIS
  8. Charlie Hebdo Attack
  9. Baltimore Protests
  10. Charleston Shooting & Flag Debate

Survey: 40 Percent Of Companies Expect Data Breaches Caused By Employees

eSecurity Planet reported the results of a recent survey of information technology managers and employees. The survey included workers in the United States, United Kingdom, Germany, and Australia. The key findings:

"... 40 percent of companies expect to experience a data breach resulting from employee behavior in the next 12 months... 75 percent of employees believe their company doesn't give them enough information about data policies... 58 percent don't understand what would actually constitute a security breach... 50 percent of respondents admitted that they disregard their companies' data protection policies in order to get their jobs done."

The phrase "insider data breach" refers to data breaches caused by employees. Companies seem focused on external threats from hackers, while paying less attention to insider threats. Lax or untrained employees and poor internal processes are often the root causes.

These survey results are not good. The results indicate that companies are not doing everything they can (and should) to protect the sensitive customer, client, employee, and retiree information they have collected.


Learning Apps Company Confirms Data Breach Affecting 11.6 Million Persons

Earlier today, educational toy maker VTech confirmed a data breach affecting 11.6 million persons. On November 27, Motherboard first reported the breach as affecting 5 million parents and 200,000 children. The data breach is larger than first reported by many news organizations.

On its FAQ page, VTech confirmed that on November 14 hackers accessed its customer database:

"... on our Learning Lodge app store customer database and Kid Connect servers. Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products.  Kid Connect allows parents using a smartphone app to chat with their kids using a VTech tablet."

The company learned of the data breach on November 24 when a journalist inquired. During its breach investigation, VTech has temporarily suspended operations at Learning Lodge, the Kid Connect network, and a dozen websites, including both the PlanetVtech and VSmileLink sites in the US, France, Germany, United Kingdom, and Spain. VTech's customer database covers customers in the USA, Canada, United Kingdom, Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand.

The number of persons affected by the breach:

"In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected, which includes approximately 1.2 million Kid Connect parent accounts.  In addition, there are 235,708 parent and 227,705 kids accounts in PlanetVTech. Kid profiles unlike account profiles only include name, gender and birthdate."

The VTech FAQ page also listed the number of breach victims by country. Parent accounts include the following data elements: name, e-mail address, security question and answer for password retrieval, IP address, mailing address, download history, and encrypted password. VTech's customer database does not contain credit card payment information, nor Social Security and similar identification information.

VTech describes itself as a global leader in electronic learning products for children and the world's largest manufacturer of cordless phones. Founded in 1976, VTech is headquartered in Hong Kong and has operations in 11 countries, including manufacturing facilities in China. It has about 30,000 employees, with 1,500 research and development professionals in Canada, Germany, Hong Kong, and China.

Even though customers' passwords were encrypted, VTech advised breach victims to change their passwords anyway, as skilled hackers may break the encryption. This is critical if breach victims used the same passwords, security questions, and security answers at other online sites.

This is not good. Whatever security detection software VTech used needs to be upgraded or replaced. A company should not learn about a breach from a journalist. The data elements stolen are sufficient for criminals to impersonate data breach victims, attempt to break into victims' other online accounts (e.g., banking), and send spam e-mail messages.

Do you or your children use VTech apps, games, or e-books? If so, what breach notifications have you received?


Transcript: Pope Francis' Speech To The U.S. Congress

Earlier today, Pope Francis spoke to the U.S. Congress. He said some very interesting things and mentioned several names. That was the first time a Pope spoke to a joint session of Congress. He mentioned topics I didn't expect to hear, and emphasized working together to support each other to solve some challenging problems facing society:

"... no religion is immune from forms of individual delusion or ideological extremism. This means that we must be especially attentive to every type of fundamentalism, whether religious or of any other kind. A delicate balance is required to combat violence perpetrated in the name of a religion, an ideology or an economic system... The challenges facing us today call for a renewal of that spirit of cooperation, which has accomplished so much good throughout the history of the United States. The complexity, the gravity and the urgency of these challenges demand that we pool our resources and talents, and resolve to support one another, with respect for our differences... If politics must truly be at the service of the human person, it follows that it cannot be a slave to the economy and finance... I think of the march which Martin Luther King led from Selma to Montgomery fifty years ago as part of the campaign to fulfill his "dream" of full civil and political rights for African Americans. That dream continues to inspire us all..."

While video of the speech is available online at many sites, often it is helpful to read (and re-read) the words. CNN provided a transcript, which I am happy to provide in full below. I am not a Catholic. I am a resident of this planet and concerned citizen of the USA.

The transcript of the Pope's speech:

"Mr. Vice-President,

Mr. Speaker,

Honorable Members of Congress,

Dear Friends,
I am most grateful for your invitation to address this Joint Session of Congress in "the land of the free and the home of the brave". I would like to think that the reason for this is that I too am a son of this great continent, from which we have all received so much and toward which we share a common responsibility.

Each son or daughter of a given country has a mission, a personal and social responsibility. Your own responsibility as members of Congress is to enable this country, by your legislative activity, to grow as a nation. You are the face of its people, their representatives. You are called to defend and preserve the dignity of your fellow citizens in the tireless and demanding pursuit of the common good, for this is the chief aim of all politics. A political society endures when it seeks, as a vocation, to satisfy common needs by stimulating the growth of all its members, especially those in situations of greater vulnerability or risk. Legislative activity is always based on care for the people. To this you have been invited, called and convened by those who elected you.

Yours is a work which makes me reflect in two ways on the figure of Moses. On the one hand, the patriarch and lawgiver of the people of Israel symbolizes the need of peoples to keep alive their sense of unity by means of just legislation. On the other, the figure of Moses leads us directly to God and thus to the transcendent dignity of the human being. Moses provides us with a good synthesis of your work: you are asked to protect, by means of the law, the image and likeness fashioned by God on every human face.

Today I would like not only to address you, but through you the entire people of the United States. Here, together with their representatives, I would like to take this opportunity to dialogue with the many thousands of men and women who strive each day to do an honest day's work, to bring home their daily bread, to save money and -- one step at a time -- to build a better life for their families. These are men and women who are not concerned simply with paying their taxes, but in their own quiet way sustain the life of society. They generate solidarity by their actions, and they create organizations which offer a helping hand to those most in need.

I would also like to enter into dialogue with the many elderly persons who are a storehouse of wisdom forged by experience, and who seek in many ways, especially through volunteer work, to share their stories and their insights. I know that many of them are retired, but still active; they keep working to build up this land. I also want to dialogue with all those young people who are working to realize their great and noble aspirations, who are not led astray by facile proposals, and who face difficult situations, often as a result of immaturity on the part of many adults. I wish to dialogue with all of you, and I would like to do so through the historical memory of your people.

My visit takes place at a time when men and women of good will are marking the anniversaries of several great Americans. The complexities of history and the reality of human weakness notwithstanding, these men and women, for all their many differences and limitations, were able by hard work and self-sacrifice -- some at the cost of their lives -- to build a better future. They shaped fundamental values which will endure forever in the spirit of the American people. A people with this spirit can live through many crises, tensions and conflicts, while always finding the resources to move forward, and to do so with dignity. These men and women offer us a way of seeing and interpreting reality. In honoring their memory, we are inspired, even amid conflicts, and in the here and now of each day, to draw upon our deepest cultural reserves.

I would like to mention four of these Americans: Abraham Lincoln, Martin Luther King, Dorothy Day and Thomas Merton.

This year marks the one hundred and fiftieth anniversary of the assassination of President Abraham Lincoln, the guardian of liberty, who labored tirelessly that "this nation, under God, [might] have a new birth of freedom". Building a future of freedom requires love of the common good and cooperation in a spirit of subsidiarity and solidarity.

All of us are quite aware of, and deeply worried by, the disturbing social and political situation of the world today. Our world is increasingly a place of violent conflict, hatred and brutal atrocities, committed even in the name of God and of religion. We know that no religion is immune from forms of individual delusion or ideological extremism. This means that we must be especially attentive to every type of fundamentalism, whether religious or of any other kind. A delicate balance is required to combat violence perpetrated in the name of a religion, an ideology or an economic system, while also safeguarding religious freedom, intellectual freedom and individual freedoms. But there is another temptation which we must especially guard against: the simplistic reductionism which sees only good or evil; or, if you will, the righteous and sinners. The contemporary world, with its open wounds which affect so many of our brothers and sisters, demands that we confront every form of polarization which would divide it into these two camps. We know that in the attempt to be freed of the enemy without, we can be tempted to feed the enemy within. To imitate the hatred and violence of tyrants and murderers is the best way to take their place. That is something which you, as a people, reject.

Our response must instead be one of hope and healing, of peace and justice. We are asked to summon the courage and the intelligence to resolve today's many geopolitical and economic crises. Even in the developed world, the effects of unjust structures and actions are all too apparent. Our efforts must aim at restoring hope, righting wrongs, maintaining commitments, and thus promoting the well-being of individuals and of peoples. We must move forward together, as one, in a renewed spirit of fraternity and solidarity, cooperating generously for the common good.

The challenges facing us today call for a renewal of that spirit of cooperation, which has accomplished so much good throughout the history of the United States. The complexity, the gravity and the urgency of these challenges demand that we pool our resources and talents, and resolve to support one another, with respect for our differences and our convictions of conscience.

In this land, the various religious denominations have greatly contributed to building and strengthening society. It is important that today, as in the past, the voice of faith continue to be heard, for it is a voice of fraternity and love, which tries to bring out the best in each person and in each society. Such cooperation is a powerful resource in the battle to eliminate new global forms of slavery, born of grave injustices which can be overcome only through new policies and new forms of social consensus.

Here I think of the political history of the United States, where democracy is deeply rooted in the mind of the American people. All political activity must serve and promote the good of the human person and be based on respect for his or her dignity. "We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable rights, that among these are life, liberty and the pursuit of happiness" (Declaration of Independence, 4 July 1776). If politics must truly be at the service of the human person, it follows that it cannot be a slave to the economy and finance. Politics is, instead, an expression of our compelling need to live as one, in order to build as one the greatest common good: that of a community which sacrifices particular interests in order to share, in justice and peace, its goods, its interests, its social life. I do not underestimate the difficulty that this involves, but I encourage you in this effort.

Here too I think of the march which Martin Luther King led from Selma to Montgomery fifty years ago as part of the campaign to fulfill his "dream" of full civil and political rights for African Americans. That dream continues to inspire us all. I am happy that America continues to be, for many, a land of "dreams". Dreams which lead to action, to participation, to commitment. Dreams which awaken what is deepest and truest in the life of a people.

In recent centuries, millions of people came to this land to pursue their dream of building a future in freedom. We, the people of this continent, are not fearful of foreigners, because most of us were once foreigners. I say this to you as the son of immigrants, knowing that so many of you are also descended from immigrants. Tragically, the rights of those who were here long before us were not always respected. For those peoples and their nations, from the heart of American democracy, I wish to reaffirm my highest esteem and appreciation. Those first contacts were often turbulent and violent, but it is difficult to judge the past by the criteria of the present. Nonetheless, when the stranger in our midst appeals to us, we must not repeat the sins and the errors of the past. We must resolve now to live as nobly and as justly as possible, as we educate new generations not to turn their back on our "neighbors" and everything around us. Building a nation calls us to recognize that we must constantly relate to others, rejecting a mindset of hostility in order to adopt one of reciprocal subsidiarity, in a constant effort to do our best. I am confident that we can do this.

Our world is facing a refugee crisis of a magnitude not seen since the Second World War. This presents us with great challenges and many hard decisions. On this continent, too, thousands of persons are led to travel north in search of a better life for themselves and for their loved ones, in search of greater opportunities. Is this not what we want for our own children? We must not be taken aback by their numbers, but rather view them as persons, seeing their faces and listening to their stories, trying to respond as best we can to their situation. To respond in a way which is always humane, just and fraternal. We need to avoid a common temptation nowadays: to discard whatever proves troublesome. Let us remember the Golden Rule: "Do unto others as you would have them do unto you" (Mt 7:12).

This Rule points us in a clear direction. Let us treat others with the same passion and compassion with which we want to be treated. Let us seek for others the same possibilities which we seek for ourselves. Let us help others to grow, as we would like to be helped ourselves. In a word, if we want security, let us give security; if we want life, let us give life; if we want opportunities, let us provide opportunities. The yardstick we use for others will be the yardstick which time will use for us. The Golden Rule also reminds us of our responsibility to protect and defend human life at every stage of its development.

This conviction has led me, from the beginning of my ministry, to advocate at different levels for the global abolition of the death penalty. I am convinced that this way is the best, since every life is sacred, every human person is endowed with an inalienable dignity, and society can only benefit from the rehabilitation of those convicted of crimes. Recently my brother bishops here in the United States renewed their call for the abolition of the death penalty. Not only do I support them, but I also offer encouragement to all those who are convinced that a just and necessary punishment must never exclude the dimension of hope and the goal of rehabilitation.

In these times when social concerns are so important, I cannot fail to mention the Servant of God Dorothy Day, who founded the Catholic Worker Movement. Her social activism, her passion for justice and for the cause of the oppressed, were inspired by the Gospel, her faith, and the example of the saints.

How much progress has been made in this area in so many parts of the world! How much has been done in these first years of the third millennium to raise people out of extreme poverty! I know that you share my conviction that much more still needs to be done, and that in times of crisis and economic hardship a spirit of global solidarity must not be lost. At the same time I would encourage you to keep in mind all those people around us who are trapped in a cycle of poverty. They too need to be given hope. The fight against poverty and hunger must be fought constantly and on many fronts, especially in its causes. I know that many Americans today, as in the past, are working to deal with this problem.

It goes without saying that part of this great effort is the creation and distribution of wealth. The right use of natural resources, the proper application of technology and the harnessing of the spirit of enterprise are essential elements of an economy which seeks to be modern, inclusive and sustainable. "Business is a noble vocation, directed to producing wealth and improving the world. It can be a fruitful source of prosperity for the area in which it operates, especially if it sees the creation of jobs as an essential part of its service to the common good" (Laudato Si', 129). This common good also includes the earth, a central theme of the encyclical which I recently wrote in order to "enter into dialogue with all people about our common home" (ibid., 3). "We need a conversation which includes everyone, since the environmental challenge we are undergoing, and its human roots, concern and affect us all" (ibid., 14).

In Laudato Si', I call for a courageous and responsible effort to "redirect our steps" (ibid., 61), and to avert the most serious effects of the environmental deterioration caused by human activity. I am convinced that we can make a difference and I have no doubt that the United States -- and this Congress -- have an important role to play. Now is the time for courageous actions and strategies, aimed at implementing a "culture of care" (ibid., 231) and "an integrated approach to combating poverty, restoring dignity to the excluded, and at the same time protecting nature" (ibid., 139). "We have the freedom needed to limit and direct technology" (ibid., 112); "to devise intelligent ways of... developing and limiting our power" (ibid., 78); and to put technology "at the service of another type of progress, one which is healthier, more human, more social, more integral" (ibid., 112). In this regard, I am confident that America's outstanding academic and research institutions can make a vital contribution in the years ahead.

A century ago, at the beginning of the Great War, which Pope Benedict XV termed a "pointless slaughter", another notable American was born: the Cistercian monk Thomas Merton. He remains a source of spiritual inspiration and a guide for many people. In his autobiography he wrote: "I came into the world. Free by nature, in the image of God, I was nevertheless the prisoner of my own violence and my own selfishness, in the image of the world into which I was born. That world was the picture of Hell, full of men like myself, loving God, and yet hating him; born to love him, living instead in fear of hopeless self-contradictory hungers". Merton was above all a man of prayer, a thinker who challenged the certitudes of his time and opened new horizons for souls and for the Church. He was also a man of dialogue, a promoter of peace between peoples and religions.

From this perspective of dialogue, I would like to recognize the efforts made in recent months to help overcome historic differences linked to painful episodes of the past. It is my duty to build bridges and to help all men and women, in any way possible, to do the same. When countries which have been at odds resume the path of dialogue -- a dialogue which may have been interrupted for the most legitimate of reasons -- new opportunities open up for all. This has required, and requires, courage and daring, which is not the same as irresponsibility. A good political leader is one who, with the interests of all in mind, seizes the moment in a spirit of openness and pragmatism. A good political leader always opts to initiate processes rather than possessing spaces (cf. Evangelii Gaudium, 222-223).

Being at the service of dialogue and peace also means being truly determined to minimize and, in the long term, to end the many armed conflicts throughout our world. Here we have to ask ourselves: Why are deadly weapons being sold to those who plan to inflict untold suffering on individuals and society? Sadly, the answer, as we all know, is simply for money: money that is drenched in blood, often innocent blood. In the face of this shameful and culpable silence, it is our duty to confront the problem and to stop the arms trade.

Three sons and a daughter of this land, four individuals and four dreams: Lincoln, liberty; Martin Luther King, liberty in plurality and non-exclusion; Dorothy Day, social justice and the rights of persons; and Thomas Merton, the capacity for dialogue and openness to God.

Four representatives of the American people.

I will end my visit to your country in Philadelphia, where I will take part in the World Meeting of Families. It is my wish that throughout my visit the family should be a recurrent theme. How essential the family has been to the building of this country! And how worthy it remains of our support and encouragement! Yet I cannot hide my concern for the family, which is threatened, perhaps as never before, from within and without. Fundamental relationships are being called into question, as is the very basis of marriage and the family. I can only reiterate the importance and, above all, the richness and the beauty of family life.

In particular, I would like to call attention to those family members who are the most vulnerable, the young. For many of them, a future filled with countless possibilities beckons, yet so many others seem disoriented and aimless, trapped in a hopeless maze of violence, abuse and despair. Their problems are our problems. We cannot avoid them. We need to face them together, to talk about them and to seek effective solutions rather than getting bogged down in discussions. At the risk of oversimplifying, we might say that we live in a culture which pressures young people not to start a family, because they lack possibilities for the future. Yet this same culture presents others with so many options that they too are dissuaded from starting a family.

A nation can be considered great when it defends liberty as Lincoln did, when it fosters a culture which enables people to "dream" of full rights for all their brothers and sisters, as Martin Luther King sought to do; when it strives for justice and the cause of the oppressed, as Dorothy Day did by her tireless work, the fruit of a faith which becomes dialogue and sows peace in the contemplative style of Thomas Merton.

In these remarks I have sought to present some of the richness of your cultural heritage, of the spirit of the American people. It is my desire that this spirit continue to develop and grow, so that as many young people as possible can inherit and dwell in a land which has inspired so many people to dream.

God bless America!


Payment Scam Dupes Airbnb Customer. Was There A Data Breach?

Readers of this blog are aware of the various versions of check scams criminals use to trick consumers. A new variant has emerged on social travel sites.

The Telegraph UK described how an Airbnb customer who had already paid for a legitimate rental with a valid credit card was then tricked into a second payment by wire transfer. The guest:

"... received an email from Airbnb saying that the card payment had been declined and I needed to arrange an international bank transfer within the next 24 hours to secure the apartment. Stupidly, I did as asked. I transferred the money straight away to someone I assumed was the host as they had all the details of my reservation."

Formed in 2008, Airbnb now operates in 34,000 cities in 190 countries.

After checking with their bank, the guest determined that the credit card payment had in fact been processed correctly. So the guest paid twice, the second time to the criminal. The guest believes that Airbnb experienced a data breach. One security expert offered a different explanation:

"The fraud works by sending an email to a host that appears to come from Airbnb asking them to verify their account details. The host foolishly responds thus giving the fraudster access to their account and all the bookings correspondence. Even though the addresses are anonymised the fraudster can still send emails to the customers via Airbnb to try to extract a second payment by bank transfer."

What can consumers make of this? First, hosts should learn to recognize phishing e-mails and not respond to them; a compromised host account exposes the booking correspondence of every guest. Second, guests need to remember that an inattentive host can expose their identity and reservation details, and that a message arriving through the platform is not proof it came from the host or from Airbnb. Third, guests should never make payments outside of Airbnb's system. The red flags in this case were classic: a claimed payment failure, a switch to an irreversible payment method (an international bank transfer), and a 24-hour deadline.
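The three red flags above can be checked mechanically. The following is an added example written for this post, not code from Airbnb or from the Telegraph article; the signal names, weights and sample messages are all constructed for illustration, and a real platform would combine such rules with sender and account history. It screens a message for a claimed payment failure, a demand to switch to an irreversible channel, and artificial urgency, then returns a verdict.

```python
import re
from dataclasses import dataclass

# Each signal: (name, weight, pattern). Names and weights are assumptions for
# this example; the patterns are deliberately simple and case-insensitive.
SIGNALS = [
    ("payment_failed", 2, re.compile(
        r"\b(?:payment|card|transaction|processor)\b[^.\n]{0,40}?"
        r"\b(?:declined|failed|rejected|unsuccessful|down|not\s+(?:been\s+)?processed)\b",
        re.I)),
    # Irreversible, off-platform payment channels: the core of the scam.
    ("channel_change", 3, re.compile(
        r"\b(?:bank|wire|international)\s+transfer\b|\bwire\b|\biban\b|\bswift\b"
        r"|\bgift\s*cards?\b|\bbitcoin\b|\bwestern\s+union\b|\bmoneygram\b",
        re.I)),
    ("urgency", 1, re.compile(
        r"\bwithin\s+(?:the\s+next\s+)?\d+\s*(?:hours?|hrs?|minutes?|days?)\b"
        r"|\bimmediately\b|\bto\s+secure\s+(?:the|your)\b"
        r"|\bor\s+we\s+will\s+(?:cancel|release)\b",
        re.I)),
]


@dataclass
class ScreenResult:
    score: int
    hits: list
    verdict: str  # "block", "review" or "ok"


def screen_message(text: str) -> ScreenResult:
    """Score a booking message for payment-redirection signals."""
    hits = [name for name, _, pat in SIGNALS if pat.search(text)]
    score = sum(w for name, w, _ in SIGNALS if name in hits)
    # A channel switch combined with any other signal is the scam pattern itself.
    if "channel_change" in hits and len(hits) >= 2:
        verdict = "block"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "ok"
    return ScreenResult(score, hits, verdict)


# Constructed sample messages (not real correspondence).
SAMPLES = {
    "scam_wire": ("Airbnb: your card payment for reservation 4471 was declined. "
                  "You need to arrange an international bank transfer within the "
                  "next 24 hours to secure the apartment."),
    "scam_giftcard": ("Our card processor is down. Please buy $600 in gift cards "
                      "and send the codes immediately or we will release your dates."),
    "legit_confirmation": ("Thanks for booking! Your payment was processed "
                           "successfully. Check-in is after 3pm; the key box code "
                           "will be sent the day before."),
    "legit_urgent_logistics": ("Hi, the ferry is cancelled so please plan to arrive "
                               "within 2 hours of the last boat. Payment already went "
                               "through, nothing else needed."),
    "host_mentions_wire": "Thanks for the stay. I will wire your damage deposit back on Monday.",
}


def screen_all() -> dict:
    """Verdict for every sample, keyed by sample name."""
    return {name: screen_message(text).verdict for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = screen_message(text)
        print(f"{name:24} score={r.score} hits={r.hits} -> {r.verdict}")
```

Note that urgency on its own (the ferry message) is not flagged, while any mention of a wire transfer earns a human review even without the other signals, since a legitimate host has no reason to move money outside the platform.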

Criminals are creative, persistent, and knowledgeable. Consumers need to be, too. Read the Scams/Threats section of this blog.


Discover Introduces 'Smart' Credit Cards With EMV Chip Technology. Are We There Yet?

This month, Discover Bank began to ship upgraded credit cards to its cardholders. The new "smart" credit card includes an embedded EMV chip that offers considerably better protection against counterfeit cards than a magnetic stripe. The chip generates a unique cryptogram for each transaction, so data captured from one purchase cannot be reused to make another. The EMV chip technology was developed jointly by Europay, MasterCard, and Visa.
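To make the per-transaction cryptogram concrete, here is an added example written for this post; it is not Discover's or EMVCo's code and it deliberately simplifies the real scheme. Real EMV derives a per-transaction session key with 3DES or AES from a card master key and the Application Transaction Counter (ATC), then MACs the transaction data to produce the ARQC; below, HMAC-SHA256 with a 16-byte key stands in for that, and the PAN, amounts and terminal numbers are constructed test values. The point it shows is why a captured chip authorization is worthless to a skimmer while a copied magnetic stripe is not.

```python
import hashlib
import hmac
import secrets


def _auth_data(pan: str, amount_cents: int, currency: str, atc: int, un: str) -> bytes:
    """Fields covered by the cryptogram; changing any one of them breaks the MAC."""
    return f"{pan}|{amount_cents}|{currency}|{atc}|{un}".encode()


class ChipCard:
    """Chip side. The master key never leaves the card; only cryptograms do."""

    def __init__(self, pan: str, master_key: bytes):
        self.pan = pan
        self._master_key = master_key
        self.atc = 0  # Application Transaction Counter, incremented per transaction

    def build_authorization(self, amount_cents: int, currency: str, terminal_un: str) -> dict:
        self.atc += 1
        data = _auth_data(self.pan, amount_cents, currency, self.atc, terminal_un)
        # Simplification: HMAC-SHA256 over the data stands in for the EMV ARQC.
        arqc = hmac.new(self._master_key, data, hashlib.sha256).hexdigest()[:16]
        return {"pan": self.pan, "amount": amount_cents, "currency": currency,
                "atc": self.atc, "un": terminal_un, "arqc": arqc}


class Issuer:
    """Issuer side: knows each card's master key and the last ATC it accepted."""

    def __init__(self):
        self._keys = {}      # pan -> master key (an HSM in reality)
        self._last_atc = {}  # pan -> highest ATC accepted so far

    def issue(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize_chip(self, msg: dict) -> str:
        key = self._keys.get(msg["pan"])
        if key is None:
            return "DECLINE:unknown-card"
        # A counter that does not advance means a replayed or stale message.
        if msg["atc"] <= self._last_atc[msg["pan"]]:
            return "DECLINE:replayed-atc"
        data = _auth_data(msg["pan"], msg["amount"], msg["currency"], msg["atc"], msg["un"])
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, msg["arqc"]):
            return "DECLINE:bad-cryptogram"
        self._last_atc[msg["pan"]] = msg["atc"]
        return "APPROVE"

    def authorize_magstripe(self, track: dict) -> str:
        # Stripe data is static: any copy spends as well as the card until it is cancelled.
        return "APPROVE" if track["pan"] in self._keys else "DECLINE:unknown-card"


def run_scenarios() -> dict:
    """Genuine purchase, replay, tampered replay, and a cloned stripe, keyed by name."""
    issuer = Issuer()
    card = issuer.issue("4000001234567899")  # constructed test PAN, not a real account
    results = {}

    genuine = card.build_authorization(4250, "USD", terminal_un=secrets.token_hex(4))
    results["genuine_chip"] = issuer.authorize_chip(genuine)

    # A skimmer captured the authorization message and sends it again.
    results["replay_chip"] = issuer.authorize_chip(dict(genuine))

    # The skimmer bumps the ATC and the amount but can only reuse the old cryptogram.
    forged = dict(genuine, atc=genuine["atc"] + 1, amount=99900)
    results["forged_chip"] = issuer.authorize_chip(forged)

    # The same PAN copied off a magnetic stripe works every time it is swiped.
    results["replay_magstripe"] = issuer.authorize_magstripe({"pan": card.pan, "expiry": "1227"})
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18} -> {outcome}")
```

Two things the model makes visible: the issuer never sees the card's key, only a MAC it can recompute, and the card number itself still travels in the clear in every message, so the chip protects against counterfeit cards, not against the PAN being harvested for later card-not-present use.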

In the United States, cardholders will use the new cards much as they used the old cards with the obsolete magnetic stripe. At retail stores with older terminals, cardholders will continue to swipe their cards to make purchases. At stores with chip-enabled terminals, cardholders will instead insert the card into the terminal and leave it there for the duration of the transaction. To withdraw cash at bank ATMs, a PIN is required.

Like other new credit cards in the United States, the new Discover credit cards use "chip and signature" technology. I asked a Discover customer service representative whether the new credit cards could be used in Europe, where cards use "chip and PIN" technology. (When the United Kingdom switched to EMV chip cards years ago, fraud in stores there decreased 70 percent.) The customer service rep stated that the new cards could be used in Europe, provided the cardholder sets up a PIN before their trip.

Wise readers note the limitations. The new chip cards won't stop hacks and data breaches at companies, employers, and banks that archive consumers' payment information. The new chip cards won't offer any more security or payment protections until retail stores upgrade their terminals. Credit Card Forum described the method being used to encourage retailers to upgrade by October 2015:

"... the card networks (Visa, MasterCard, AmEx and Discover) are giving both [retail merchants] and card-issuing banks an incentive (both a carrot and a stick) to upgrade by October 2015. At that point, the networks will institute a “fraud liability shift.” That’s a fancy way of saying “adapt or pay.” If a consumer’s card is involved in fraud, whichever party involved in the transaction (the bank that issued the card or the merchant that accepted it) that didn’t upgrade to EMV will be held accountable."

Retailers see the situation differently. CNBC published a retail spokesperson's commentary about the new "chip and signature" credit cards:

"Retailers are also asking card issuers to take more than a half step, and issue "chip and PIN" cards to American consumers. As it currently stands, banks are only issuing "chip and signature" cards in the United States, a less secure standard as signatures can easily be forged. It has been reported by the Federal Reserve that including a PIN makes a transaction up to 700 percent more secure, yet to date, banks are not issuing these cards to American customers... The fastest, easiest and smartest thing we can do to make transactions more secure in the near term is to upgrade credit cards with Chip and PIN technology. Retailers are making the investments needed to accept them, but we need the financial industry to make the same commitment."

Several banks and card issuers in the United States offer EMV-chip credit cards:

  • American Express Premier Rewards Gold
  • Bank of America Travel Rewards
  • Capital One VentureOne Rewards
  • Chase Freedom
  • Chase Sapphire Preferred
  • Citi Diamond Preferred
  • Marriott Rewards Premier
  • Plenti Credit Card from Amex
  • USAA Preferred Cash Rewards World MasterCard

Browse a longer list of EMV-chip cards available in the United States. Both cardholders and non-cardholders can learn more about the new chip credit cards at the Discover site.

Why go only part of the way and introduce EMV chips with signatures instead of PINs? It seems to me that the banks are more interested in shifting the liability for data breaches from themselves to retailers than in providing cardholders with the state-of-the-art EMV security that's already available in most other parts of the world.

What are your opinions of the new "chip and signature" credit cards in the United States?


5 Banks Plead Guilty And Pay More Than $5.5 Billion In Penalties

Earlier reports have proven true. Five banks have pleaded guilty and will pay more than $5.5 billion in total penalties to U.S. and European regulators to settle charges that their traders rigged foreign exchange markets. USA Today reported:

"Five major banks Wednesday agreed to plead guilty to criminal charges and pay more than $5.5 billion in collective penalties... The Department of Justice, the Federal Reserve and other U.S. and European authorities and regulators said corporate units of Citicorp, JPMorgan Chase, London-based Barclays, and Royal Bank of Scotland acknowledged their traders rigged foreign exchange prices of U.S. dollars and euros from Dec. 2007 to Jan. 2013... UBS also acknowledged involvement in the rate-rigging. However, the Swiss banking giant received conditional immunity from criminal prosecution because it was the first to report foreign-exchange misconduct to DOJ investigators."

U.S. Attorney General Loretta Lynch described in the Justice Department announcement the wrongdoing:

"Starting as early as December 2007, currency traders at several multinational banks formed a group dubbed “The Cartel.” It is perhaps fitting that those traders chose that name, as it aptly describes the brazenly illegal behavior they were engaged in on a near-daily basis. For more than five years, traders in “The Cartel” used a private electronic chatroom to manipulate the spot market’s exchange rate between euros and dollars using coded language to conceal their collusion. They acted as partners – rather than competitors – in an effort to push the exchange rate in directions favorable to their banks but detrimental to many others. The prices the market sets for those currencies influence virtually every sector of every economy in the world, and their actions inflated the banks’ profits while harming countless consumers, investors and institutions around the globe – from pension funds to major corporations, and including the banks’ own customers..."

The fines by bank:

"... to pay criminal fines totaling more than $2.5 billion – the largest set of antitrust fines ever obtained in the history of the Department of Justice. And the fine that Citicorp alone will pay – $925 million – is the largest single fine ever imposed for a violation of the Sherman Act... Switzerland’s UBS AG, has agreed to plead guilty and pay a $203 million criminal penalty for breaching the non-prosecution agreement it entered in December 2012 regarding manipulation of the London Interbank Offered Rate, or LIBOR – a benchmark interest rate used worldwide. The breach of the NPA was based in part on UBS’s fraudulent and deceptive currency trading and sales practices related to foreign exchange markets, its collusion with other participants in the FX markets and its failure to take adequate action to prevent unlawful conduct after prior civil, criminal and regulatory resolutions. In other words, UBS promised, in other resolutions, not to commit additional crimes – but it did."

The announcement did not state which, if any, bank executives would go to prison for the wrongdoing. The announcement did not state what portion, if any, of the fines would be tax-deductible. Previously, penalties and fines paid by some banks have been tax-deductible. Some experts and politicians have stated that better disclosures are needed for settlement agreements.