Featured Article – The Issue of Push Payment Fraud Reimbursement
With Barclays Bank recently publishing the figures of refunds it made to customers who fell victim to authorised push payment (APP) fraud, there have been calls for greater transparency and reform to the current (voluntary) reimbursement code.
Authorised Push Payment (APP) Fraud
APP refers to situations where consumers have used a bank transfer to pay for goods or services that are fake/don’t exist and the money is stolen by fraudsters.
The Contingent Reimbursement Model (CRM)
Where money has been stolen in this way by fraudsters, banks can choose to use a voluntary code, introduced in May 2019, called the Contingent Reimbursement Model (CRM). This code sets out how, and by whom, consumers who have suffered APP fraud losses are reimbursed. Banks that sign up to the code are often the ones to reimburse victims where the conditions of the code are met.
Issues
There are, however, several issues relating to this code and the reimbursement to APP fraud victims that organisations such as consumer champion ‘Which?’ have been pushing to change. For example:
– An apparent gap in fraud protection and redress for fraud via authorised push payments compared to other forms of payment such as debit and credit cards.
– A lack of transparency by banks and building societies about their reimbursement rates relating to APP fraud. There has been criticism that figures are not being published and/or are not being published on a regular basis.
– A feeling among banks (as outlined recently in a blog post by Starling) that other organisations used by criminals as part of their frauds (e.g. social media companies and telecoms networks) should be taking some responsibility and co-operating with banks to prevent fraud. For example, social media may be used to advertise the fraud and also to find those who are willing to launder money (money mules) and to buy stolen identity and card data.
The Reality
One way to get a realistic view of how consumers who are victims of fraud are actually being treated is to look at the figures from the Lending Standards Board, which oversees the CRM code. Their figures show that in the first year of the code’s introduction, banks ruled that 77 per cent of fraud victims were partially or fully to blame for their losses and that customers were fully at fault in 60 per cent of cases.
Which? Wades In
Consumer champion ‘Which?’ has also published concerns online about how banks and building societies have been behaving as regards reimbursement (or not) and has published its view of the issues that it hopes will “help inform the Lending Standards Board’s one-year review of the CRM Code”. According to ‘Which?’ these issues are:
– An over-reliance (by the banks) on victims having ignored warnings.
– Unreasonable expectations of how victims should have verified who they were paying.
– A failure to properly assess vulnerability.
– Poor communications (by banks) with victims.
‘Which?’ has called for urgent action to ensure that businesses adhere to the Code (CRM) and has called upon all those organisations signing up to the Code to test warnings to see if they are ‘effective’, to make judgements about what is reasonable based on evidence of actual customer behaviour, and to train staff in how to identify customers who could be vulnerable to APP fraud. Which? has also called for code signatories to properly explain the specific reasons for reimbursement decisions to victims and has called on the Payment Systems Regulator to look at whether or not the voluntary industry code is effective in its current form.
Barclays The First To Publish Details
Barclays Bank recently became the first CRM code signatory to publish its APP fraud reimbursement rates online. According to Barclays, 74 per cent of its customers who suffered APP fraud losses in the first two months of 2021 have now been repaid. This appears to be a reversal of the trend identified by the Lending Standards Board.
Looking Ahead
We all make decisions about which offers seem legitimate to us and who or what to pay money to. However, not every web user is as experienced or informed about cybercrime, and many web users could also, for many reasons, be described as more vulnerable to fraud. Fraudsters are also becoming more sophisticated and creative in their methods, which could arguably make more consumers vulnerable to APP fraud.
The banks and building societies have argued, perhaps with some legitimacy, that some responsibility for preventing push payment fraud may lie with other organisations in the chain (e.g. social media companies). However, based on the Lending Standards Board figures, it appears that the apparent lack of transparency from banks and building societies in publishing figures about how many customers have been reimbursed for APP losses may be due to the fact that most consumers have not been reimbursed and often appear to be blamed for falling victim to fraud.
Looking ahead, it may be necessary, as suggested by ‘Which?’ and recommended by the Finance and the Treasury Select Committee, for the current voluntary CRM code to become mandatory with the hope that regulatory oversight could bring better reimbursement outcomes for consumers and greater transparency from banks and building societies. It may also be helpful for more of a collaborative approach to be taken among all links in the chain used by fraudsters to tackle the problem.
Tech Insight – What Are Firewalls?
In this article, we take a brief look at what a firewall is, what types there are, and the benefits and drawbacks of firewalls.
Firewall
A firewall is a network security system that can monitor and control incoming and outgoing network traffic based on predetermined security rules. Based on these rules, it decides whether to allow or block specific traffic and as such, provides a valuable, controllable security barrier between inside network devices and potential threats from outside (the Internet).
Hardware firewalls protect all the machines on a network, whereas software firewalls protect the individual machines that they are installed upon.
How Do Firewalls Work and What Types Are There?
Firewalls use their set of configurable rules to decide which traffic is allowed through and which traffic must be blocked. The firewall is generally able to do this by scanning packets of data (e.g. for known malicious code or attack vectors which are regarded as threats according to the rules). The main ways in which firewalls work include:
– Packet filtering. This involves using certain identified threats as filters for incoming data. The small ‘packets’ (from packet switching) that make up data sent across the Internet are scanned and are either allowed to enter the network or blocked, depending on whether they fall within or outside the configured firewall rules.
– Proxy service/proxy server firewalls. These firewalls are intermediary (application-level) servers that separate end-user clients from the destinations that they browse. They create a mirror version of the computer behind the firewall but prevent direct connections between the client device and incoming data packets. As well as being used as firewalls, proxy servers also work as web filters, provide shared network connections, and cache data to speed up common requests. Proxy service firewalls are very secure.
– Stateful inspection/dynamic packet filtering. Often found on non-commercial and business networks, a stateful firewall (using stateful inspection) works by individually tracking the sessions of network connections traversing it (i.e. it monitors the full ‘state’ of active network connections). This method of firewall filtering therefore relies upon looking at the whole context of the traffic and data packets trying to access the network, rather than looking at discrete traffic and data packets in isolation.
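To make the difference between plain packet filtering and stateful inspection concrete, here is a small Python simulation (added here; not code from the original article or from any firewall product) of a stateless filter beside a stateful one. The network layout, rules and packets are all constructed for the illustration, including the classic weakness of a stateless “allow replies from port 443” rule.

```python
"""Stateless packet filter vs. stateful inspection, as a small simulation.

Constructed for this illustration: the protected network (10.0.0.0/24),
the rule set and every packet. Nothing here configures a real firewall.
"""
from dataclasses import dataclass

INSIDE = "10.0.0."  # constructed: addresses on the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


def inside(addr: str) -> bool:
    return addr.startswith(INSIDE)


def stateless_filter(pkt: Packet) -> bool:
    """Packet filtering: each packet is judged in isolation against fixed rules.

    Rule 1: anything leaving the inside network may go out.
    Rule 2: to let web replies back in, allow inbound packets whose source
            port is 443. This rule cannot tell a genuine reply from an
            unsolicited packet that merely uses 443 as its source port.
    """
    if inside(pkt.src):
        return True
    if inside(pkt.dst) and pkt.sport == 443:
        return True
    return False


class StatefulFirewall:
    """Stateful inspection: inbound traffic is allowed only when it belongs
    to a connection that an inside host opened first."""

    def __init__(self):
        self.sessions = set()  # (src, sport, dst, dport) of outbound connections

    def filter(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if inside(pkt.src):
            if pkt.syn:
                self.sessions.add(key)  # remember the outbound connection
            return True
        # Inbound: allowed only if it is the reverse of a tracked session.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.sessions


def run_scenario() -> dict:
    """Constructed traffic: one legitimate web session plus one unsolicited
    inbound packet that borrows source port 443 to look like a web reply."""
    client_syn = Packet("10.0.0.5", 50001, "203.0.113.10", 443, syn=True)
    web_reply = Packet("203.0.113.10", 443, "10.0.0.5", 50001)
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.9", 3389)

    sf = StatefulFirewall()
    traffic = (client_syn, web_reply, unsolicited)
    return {
        "stateless": [stateless_filter(p) for p in traffic],
        "stateful": [sf.filter(p) for p in traffic],
    }


if __name__ == "__main__":
    # → {'stateless': [True, True, True], 'stateful': [True, True, False]}
    print(run_scenario())
```

The stateless filter passes all three packets because the third one satisfies rule 2 on its own; the stateful firewall rejects it because no inside host ever opened a connection to that address.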
Benefits and Disadvantages
The benefits of having firewalls in place include:
– Protecting business continuity and protecting the business from threats that could cause damage and disruption, and lead to fines (data protection), loss of customers, reputational damage and more. For example, firewalls monitor traffic, filter out malware and trojans, prevent hacking attempts, and maintain privacy as well as security.
Although firewalls are generally for the good of the business, some of the disadvantages include:
– Firewall rules that are so strict that they restrict the legitimate work of employees, thereby affecting productivity.
– Firewall maintenance for large organisations can be complex (unless handled by the MSP).
– Some firewall costs can be high.
– Some malware attacks (e.g. delivered through phishing) can get past firewalls.
What Does This Mean For Your Business?
Firewalls are a long-established (and now relatively standard) element of cyber-defences that still provide a vital protective function. The fact that they can be applied to different parts of the IT system and infrastructure, configured with different rules and different levels as required, and left to operate on their own gives them flexibility, while at the same time providing businesses with a level of confidence that networks are being monitored automatically. Firewalls, however, are just one (important) tool in the overall defence of business networks and devices. Today’s cybercriminals are finding ever-more inventive ways to breach defences and exploit human errors and social engineering opportunities, so businesses need to employ a large number of different security (and privacy) tools and strategies to ensure that they are protected day-to-day.
Tech Tip – How To Delete The Last 15 Minutes of Your Search History In Google
If, for whatever reason, you have not used Incognito browsing in Google and would like a fast and easy way to delete the last 15 minutes of your search history, here’s how:
– Open the Google Search app on your Android or iOS device.
– Tap on your profile picture (top-right).
– Tap on “Delete the last 15 mins”.
To erase your search history for a longer period:
– Tap on the Search history button.
– Select the date range to be deleted.
– Alternatively, set up an auto delete function via the search and location history in the Google account settings.
Tech News : Clubhouse For Android Launched In The UK
Drop-in audio conversation social network app ‘Clubhouse’ has launched its Android (beta) version for download in the UK.
Clubhouse Android Launched In English-Speaking Countries
San Francisco-based Clubhouse announced on May 9 that, starting in the U.S. and quickly following in other English-speaking countries, it was rolling out the beta Android version of its popular app.
Still Invite Only
Clubhouse has stressed, however, that despite what will be a worldwide rollout over the next few weeks, the app will continue to have the waitlist and invite system in order to “keep the growth measured”. Clubhouse says that the plan is to continue to scale out the backend over the coming months in order to open up further to the millions of people on its iOS waitlist. The app will also be expanding its language support and adding accessibility features to help with the growth in membership.
Android users in the UK can now download the Clubhouse app from the Google Play Store.
Problems Earlier in the Year
Clubhouse has acknowledged that the problems it experienced earlier in the year, such as server outages, notification failures, and surpassing the limits of its early discovery algorithms, were a result of rapid growth. The company says that it has switched its focus from “hiring, fixing, and company building” to investing so that the growing app can function well for its membership.
Hype and Benefits
The Clubhouse app has grown very quickly, accompanied by quite a bit of hype, but also because it appears to offer users the kind of direct access to an audience with influential people and industry leaders from around the world that it would be very difficult, costly, and time-consuming to get normally. Also, the real-time conversations mean that time is saved while issues, ideas and plans can be addressed and discussed instantaneously. As such, it has proven to be very appealing to business users.
Privacy Concerns
Important aspects of the Clubhouse app that were not mentioned in the recent announcement are the possible security and privacy concerns. For example, the Clubhouse app doesn’t appear to have end-to-end encryption (unlike WhatsApp), user data is routed through Chinese servers (and, by implication, is accessible to the Chinese state), and users are required on sign-up to upload their device address books, thereby sharing other people’s contact details without consent.
What Does This Mean For Your Business?
The rapid initial growth of Clubhouse has been fuelled by some of the potential benefits valued by businesses (e.g. the possibility of getting direct access to an audience with influential people and finding new business opportunities), coupled with the exclusivity (invite only) and the other benefits of getting in early before the crowd. The app had some problems due to its growth exceeding its capacity, but the promise to invest by Clubhouse may mean that it suffers fewer outages going forward. Now that Clubhouse is really growing, it can expect some stiff competition from other popular meeting apps (e.g. Zoom) and the threat of big social media players quickly launching their own versions (e.g. Twitter’s ‘Spaces’). The security and privacy concerns remain, however, despite the big Android rollout, and for users it may simply be a case of weighing up the known risks against the possible benefits, accepting that this is an exclusive space to meet and chat but that it comes with potential privacy and security risks at this stage in the app’s life.
Tech News : AI Keystroke Spy Tools
With AI recently in the spotlight in Europe over the need to regulate some ‘unacceptable’ uses, some experts are warning of the threat of AI keystroke-reading spy tools.
Possibilities
The fact that companies like TypingDNA have been developing AI biometric verification (back in 2017) based on recognising the individual characteristics of how a person types suggests that similar programs from other sources could be used for malicious intent as well as good.
The type of keystroke recognition used in the TypingDNA system (which is safe and secure and has not been used for nefarious purposes) uses the timings and durations of key-press events and compares these against the normal typing pattern that each new customer provides a sample of when they enrol with the app. The same company has also created a system called ‘Focus’ that can tell a user when they are most focused, tired, or stressed, purely based upon their typing.
Given that this is already possible, the argument from some tech and security commentators is that it may only be a matter of time before AI keystroke analysis is used by cybercriminals to steal private, personal data.
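To show what “timings and durations of key-press events” compared against an enrolled pattern looks like in practice, here is a small keystroke-dynamics verifier in Python (added here; not TypingDNA’s algorithm or code, but a generic template-and-distance approach). The typing samples, the 5 ms spread floor and the acceptance threshold are all constructed for the illustration.

```python
"""Keystroke-dynamics verification from key-press timings (worked example).

A typing sample is a list of (key, press_ms, release_ms) events. Two kinds
of feature are extracted, matching the "timings and durations" in the text:
  hold time   = release - press of the same key          (a duration)
  flight time = press of the next key - release of this  (a timing)
Every sample below is constructed; the floor and threshold are assumptions.
"""


def features(sample):
    """Hold times for every key, then flight times between consecutive keys."""
    holds = [rel - press for _, press, rel in sample]
    flights = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return holds + flights


def enroll(samples, floor_ms=5.0):
    """Build a template: per-feature mean and mean absolute deviation (MAD).

    floor_ms is a constructed lower bound so that a feature with zero spread
    in the enrolment data cannot make every later comparison fail.
    """
    vectors = [features(s) for s in samples]
    n = len(vectors)
    means, scales = [], []
    for j in range(len(vectors[0])):
        col = [v[j] for v in vectors]
        mu = sum(col) / n
        mad = sum(abs(x - mu) for x in col) / n
        means.append(mu)
        scales.append(max(mad, floor_ms))
    return {"means": means, "scales": scales}


def verify(template, sample, threshold=1.0):
    """Scaled Manhattan distance to the template; accept if below threshold.

    Returns (accepted, score). A score near 0 means the attempt sits inside
    the typist's usual variation; a large score means a different rhythm.
    """
    vec = features(sample)
    if len(vec) != len(template["means"]):
        raise ValueError("sample does not match the enrolled phrase length")
    dists = [abs(x - m) / s for x, m, s in zip(vec, template["means"], template["scales"])]
    score = sum(dists) / len(dists)
    return score < threshold, score


# Constructed enrolment: the same four-key phrase typed three times.
ENROLMENT = [
    [("p", 0, 80), ("a", 150, 230), ("s", 290, 370), ("s", 420, 500)],
    [("p", 0, 90), ("a", 160, 240), ("s", 300, 380), ("s", 440, 510)],
    [("p", 0, 70), ("a", 140, 220), ("s", 280, 360), ("s", 410, 490)],
]
# Constructed later attempts: one by the enrolled typist, one by a slower typist.
GENUINE = [("p", 0, 85), ("a", 155, 235), ("s", 295, 375), ("s", 430, 505)]
OTHER = [("p", 0, 120), ("a", 300, 420), ("s", 620, 740), ("s", 900, 1020)]

TEMPLATE = enroll(ENROLMENT)

if __name__ == "__main__":
    print(verify(TEMPLATE, GENUINE))  # → (True, about 0.20)
    print(verify(TEMPLATE, OTHER))    # → (False, about 14.6)
```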
Keystrokes Research
Keystroke dynamics/keyboard biometrics/typing biometrics research has been going on for over 20 years, and there have been several studies into how keystrokes can be analysed to extract data.
Back in 2017, for example, a study by Princeton University showed that keystrokes, mouse movements, scrolling behaviour, and the entire contents of web pages visited may already have been tracked and recorded by hundreds of companies. The study revealed that no fewer than 480 of the world’s top 50,000 websites were known to have used a technique known as ‘session replay’, which, although designed to allow companies to gain an understanding of how customers use websites, also records an alarming amount of potentially dangerous information. The researchers found that companies were now tracking users individually, sometimes by name.
Back in 2019, researchers from SMU’s (Southern Methodist University) Darwin Deason Institute for Cyber-security found that the sound waves produced when typing on a computer keyboard can be picked up by a smartphone and that a skilled hacker could decipher which keys were struck. That particular research project tested whether ‘always-on’ sensors in devices such as smartphones could be used to eavesdrop on people who use laptops in public places, and the researchers were able to pick up what people were typing at an amazing 41 percent word accuracy.
AI and Machine Learning Used For Bad
AI and Machine Learning have already been used for illicit purposes, such as deepfake videos and faked images. For example, social media analytics company Graphika reported identifying faces for social media profiles that had been faked using machine learning for the purpose of China-based anti-U.S. government campaigns. These campaigns, dubbed ‘Spamouflage Dragon’, involved the production and distribution of AI-generated photos (made using a GAN) to create fake followers on Twitter and YouTube, and videos made in English targeting US foreign policy, its handling of the coronavirus outbreak, its racial inequalities, and its moves against TikTok.
What Does This Mean For Your Business?
The rapid growth of AI and its incorporation into many systems and services across Europe has recently required new rules and regulation to keep up. Tech and security commentators have also been warning for many years about the possible uses of AI for dishonest purposes. Although this has already happened with deepfake videos, there are real fears that AI can be manipulated to spot patterns that could be used in social engineering attacks, identify any new vulnerabilities in networks, devices, and applications and, of course, analyse keystrokes to steal valuable personal information from a user. Combining keystroke recognition, cameras, AI chips in phones and other AI-enabled spying methods could, if used in the right combination, pose a threat to the data protection defences of businesses. It is important to remember, however, that AI also points the way forward for protection (e.g. its incorporation into anti-virus and other cyber-security systems).
Featured Article : Life After Cookies
With Google recently committing to phasing out third-party cookies as Firefox and Safari have already done, we take a brief look at the possible alternatives and replacements for using cookies to track and understand user behaviour.
Cookies
Cookies are small text files, set by a website and stored by the browser of someone who visits it, that are used for tracking. First-party cookies are generated when a person visits one particular website (domain) and are only used for finding out what that person did when they visited that particular site. This type of cookie does not record details about a person’s activities when they go on to visit other websites after leaving that website.
Third-party cookies are created by a third party (e.g. an advertiser) and are placed on a visitor’s computer when that user visits a website that embeds the third party’s content. The purpose of third-party cookies is to track a web user and gather data about their activities and preferences (e.g. websites they visit frequently, what they purchased online and what they show interest in). This enables the building of a visitor profile which, in turn, leads to them being shown ‘relevant’ targeted adverts.
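To show the mechanism behind these two paragraphs, here is a small Python simulation (added here; not code from the original article or from any browser) of a browser visiting two unrelated sites that both embed the same ad server. It classifies each embedded request as first- or third-party and shows how one third-party cookie links the two visits into a single profile, and what happens when third-party cookies are blocked. The site names, the ad server and the simplified cookie jar are constructed; the site classification assumes the last two host labels are the registrable domain (no public suffix list).

```python
"""How a third-party cookie links visits to unrelated sites (simulation).

Constructed for this illustration: the site names, the ad server, and a
simplified cookie jar (no public suffix list, no path or expiry handling).
"""
from urllib.parse import urlparse


def site(url):
    """Registrable domain used for first/third-party classification.
    Assumption: the last two labels are the site (fine for news.example,
    wrong for names under suffixes like co.uk without a public suffix list)."""
    return ".".join(urlparse(url).hostname.split(".")[-2:])


def is_third_party(top_level_url, request_url):
    """A request is third-party when its site differs from the page's site."""
    return site(top_level_url) != site(request_url)


class AdServer:
    """Constructed tracker: one cookie per browser; logs where each id is seen."""

    def __init__(self):
        self.next_id = 1
        self.profiles = {}  # cookie id -> pages on which that id was seen

    def handle(self, page_url, cookie):
        if cookie is None:            # no cookie sent: mint a new identifier
            cookie = f"uid{self.next_id}"
            self.next_id += 1
        self.profiles.setdefault(cookie, []).append(page_url)
        return cookie                 # the Set-Cookie value sent back


class Browser:
    def __init__(self, block_third_party=False):
        self.jar = {}  # cookie owner's site -> cookie value
        self.block_third_party = block_third_party

    def visit(self, page_url, embedded_requests, ad_server):
        for req in embedded_requests:
            owner = site(req)
            blocked = self.block_third_party and is_third_party(page_url, req)
            # The request still happens; blocking only withholds the cookie.
            sent = None if blocked else self.jar.get(owner)
            received = ad_server.handle(page_url, sent)
            if not blocked:
                self.jar[owner] = received


def run(block_third_party):
    """Two unrelated sites both embed the same ad server's tracking pixel."""
    ads = AdServer()
    b = Browser(block_third_party)
    b.visit("https://news.example/article", ["https://ads.example/pixel"], ads)
    b.visit("https://shop.example/cart", ["https://ads.example/pixel"], ads)
    return ads.profiles


if __name__ == "__main__":
    print(run(block_third_party=False))  # one id seen on both sites
    print(run(block_third_party=True))   # two unrelated ids, no linkage
```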
The Trouble With Third-Party Cookies
Google has recently joined other browser companies in committing to the phasing out (over 2 years) of third-party cookies. The reasons for phasing out third-party cookies are:
– Legislation. New and improved data privacy laws, such as GDPR, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), prevent tech companies from tracking everything that users do without permission and sharing the data with multiple other third parties.
– Privacy campaigners. Many privacy campaign groups and others have challenged tech companies and advertisers over the years about privacy and tracking users.
– High-profile criticism. Among other things, in January the UK Competition and Markets Authority started investigating whether restricting cookies on Chrome could help Google increase its dominance in the online ad industry. For example, some commentators have questioned Google’s motives for removing third-party cookies, suggesting that forcing a reliance upon first-party cookies may simply be a way for Google to get more of a grip on the ad market and receive the revenue that would otherwise have been spent on third-party platforms.
The Challenge
The challenge is to create an alternative that is compliant, acceptable to users and privacy groups, and enables advertisers, publishers, and owners of ad-supported websites to keep revenue streams. For example, Google (Ad manager) data shows that when advertising is made less relevant by removing cookies, funding for publishers falls by 52 per cent on average.
Alternatives
With this in mind, here are some examples of the possible alternatives to cookie-based systems:
– Using machine learning systems (Google) to model user behaviour and to pursue a modelled, first-party approach. This means using first-party data and the data Google can gather from users who consent, integrated with tools like Google Tag Manager. Consent Mode, for example (announced in September 2020), gives advertisers access to a new tag setting, dubbed “ad_storage”. This controls cookie behaviour for advertising purposes, including conversion measurement. With Consent Mode, a website visitor is given the option to consent to the use of ads cookies (or not) on the cookie consent banner, thereby enabling Google tags to determine whether or not permission has been given for the site to use cookies for advertising purposes for that user. If a user consents, conversion measurement reporting continues normally. If a user does not consent, the Google tags are adjusted accordingly to not use ads cookies, but instead to measure conversions at a more aggregate level. Crucially, Google’s Consent Mode enables the use of conversion modelling for those who don’t consent, thereby recovering some 70 per cent of ad-click-to-conversion journeys that would otherwise be lost to advertisers. Google believes that Consent Mode, coupled with its Tag Manager, is a way for Google Ads, Campaign Manager, Display & Video 360, and Search Ads 360 to continue reporting conversions while respecting users’ consent choices for ads cookies.
– Google’s Privacy Sandbox, which it originally announced last August and touched upon again in January this year. Google describes this as “a new initiative to develop a set of open standards to fundamentally enhance privacy on the web” and “a secure environment for personalisation that also protects user privacy”. The idea of the Sandbox is to move all user data into the Google Chrome browser, where it can be securely stored and processed so that it stays on the user’s device and is therefore compliant with privacy laws. It is understood that the Privacy Sandbox may also include an algorithm to group people according to their common web browsing and thereby create ‘clusters’ of people (who can’t be directly identified) with similar interests. These clusters can then be targeted by adverts without affecting the privacy of the individuals in a cluster.
– Federated Learning of Cohorts (FLoC). This is another Google idea that uses third-party data, doesn’t affect the ability of publishers to track their own visitors, and allows ads to be targeted at groups of users based on common interests (interest-based advertising). The FLoC idea, however, has been met with criticism from the Electronic Frontier Foundation over privacy concerns, including that it could be equivalent to a “behavioural credit score.”
– Microsoft’s PARAKEET proposal is an alternative to Google’s FLoC. PARAKEET (Private and Anonymized Requests for Ads that Keep Efficacy and Enhance Transparency) places a proxy server between the user and the ad company, with users being given a unique ID, known only to the proxy server. This means that when a web page requests an ad, the request is routed via the proxy server and statistical noise is added to mask the user’s private data. This system allows the PARAKEET gatekeeper service to provide aggregate reporting to ad networks.
– Systems made by rivals of Google Ads, such as The Trade Desk Inc’s (open source) Unified ID 2.0, where people can protect their privacy by logging on to websites using encrypted copies of their email addresses, i.e. the system creates an identifier for each person who logs in with their email address. Also, Criteo SA, an AdTech company, is reported to have developed a possible alternative.
What Does This Mean For Your Business?
The ad ecosystem, which ultimately provides huge amounts of revenue for companies like Google, also supports (and is very important in revenue terms for) ad customers, publishers, and owners of ad-supported websites. While new solutions must be found that provide acceptable levels of privacy (which is a task in itself), the search for alternatives to cookies has generated a number of different options, including the use of machine learning, proxy servers, and encrypted email logins, all of which are designed to provide smarter, more private and more acceptable ways of still supplying data for advertising. With Google being the most powerful of the big advertisers and cookie users, it appears likely that its modelled, first-party approach using its machine learning resources is going to be the most prominent replacement for cookie-reliance. It is relatively early days though, and the important aspect for many businesses that rely heavily upon Google Ads is that any new system is still able to provide the same or better results in terms of conversion.