Article on IMSI Catchers and Stingrays

24 April 2015

I have been helping a proper journalist, Brady Dale, write an article on the use and abuse of Stingrays and other IMSI catchers. It turned out quite well. It is up on Motherboard.


Open Streetmap v Google smackdown

24 April 2015

While everybody seems to be using Google maps, the quality of the maps in Open Streetmaps has quietly surged ahead. Now the detail and useful information on OSM easily beats Google into the covers. Here is a simple example of a location in Reading that I know well.

Open Streetmap of an area in Reading UK

Google maps of the same location

The street names are there in the Google version, and one or two building outlines. Bus stops are in both, but in OSM these all have labels. Many more amenities are in OSM than in Google, and they probably score equally on businesses. I would have thought that Google would have many more businesses, but perhaps these are not all displayed in order to keep the map clean.

Try it yourself and see if you can find an area where Google is better!


Fridge lighting hack

14 April 2015

After: The fridge with the new LED lighting strip installed.

It took way longer than it should, but I have managed to complete my LED fridge lighting project. This was to replace the single bulb at the top of the fridge with a strip of LED lights around the top and sides of the fridge. I found an old power supply, I think it was a laptop brick, that would do 12 volts reasonably. I replaced the IEC connector with a screw connector, and presented the 12 V output on PCB mount screw connectors.

Before: The fridge with the original incandescent light at the top.

Next was a replacement cover, which I designed in OpenSCAD to cover over the power supply and replace the moulded lamp cover that was there before. Then a 10 hour 3D print run to create the cover. Although there were a few minor mistakes the cover worked pretty well first time so I didn’t have to do a reprint.

The LED lighting is a big improvement: the whole fridge is illuminated, and because the light comes from different angles there are no shadows and the illumination is even. The only downside is that the power supply can take a second to come up after opening the door. The fridge does have a temperature management system and an LCD display, so presumably there is some low voltage floating around in there that I could have used. But that would have meant much more disassembly and potential breakage of the fridge.


DRIP letter part 2

27 February 2015

I got a reply to my previous email to my MP Alok Sharma, with a note from James Brokenshire, basically reiterating the well publicised position of the government on the DRIP act. I won't type all of this in here, but here is my response to this.

Dear Alok Sharma

Thanks for the response to my letter from James Brokenshire of the Home Office. This appears to be a form letter reiterating the government position, rather than a response to any of my issues. It was also good to chat briefly to you when you called at my house a couple of weeks ago.

I get the impression you don’t fully grasp the importance of this. The internet at the moment is the preferred tool of communication for many in some circumstances, but it is rapidly becoming the only way of communication for many things. For the UK to prosper it is essential that individuals and businesses can operate here in a secure manner.

I noted that your response was a physical letter, and so not subject to electronic surveillance, or retention. Why should there be such a vast difference in the government and police powers depending on the medium of communication?

I and most people would agree that the Police need to have access to electronic data and that RIPA should be the basis of that access: that a warrant is required, and it has to be specific, relevant, and proportionate.

What we object to is the “Collect it all” attitude of turning the internet into the total surveillance tool. Firstly because it is amoral and repugnant in a free society, and secondly because it does not work in catching criminals.

The DRIP act extends the current powers in crucial areas, for the government to assert otherwise is misinforming the public. (see https://www.openrightsgroup.org/blog/2014/the-drip-myth-list )

What should we do about this? The best laws are those based on clear principles, not on specific technologies, like the Human Rights act. So when a court such as the CJEU rules that a domestic law breaches human rights the government should take note and adjust the domestic laws, not just pass another “emergency” law to reinstate the powers that the court has ruled on.

I hope that you will consider this carefully when the DRIP act comes up for renewal, and pledge in your election manifesto not to support this law.

Kind Regards

Stuart Ward

Mobile banking apps

29 January 2015

I have been getting slowly frustrated with my bank, First Direct, who I joined soon after they launched, because they were then offering the latest technology in telephone banking, removing the frustration of having to go physically to the bank to get anything done. Back then this was quite revolutionary. But they have not kept that zeal going and everyone else has caught up with them, and overtaken them. Time to find a new bank.

Well now we have moved on from that position through the internet to mobile banking. My idea was to evaluate the various banks that I could move to in terms of their mobile offerings, and choose the one with the best mobile presence.

Let's define what I am looking for here. The mobile app should be fast, and integrate well with the Android user experience. I have seen many apps transferred from iOS that don’t adapt to the way Android works. I don’t care about the Apple app as I will never use that. My bag is security so it needs to have good security. Preferably it should integrate with Lastpass so I can have a password that is too complicated to remember.

I have no interest in offers, cash-back, or other gimmicks, just a business like interface that presents clear information and allows simple actions.

Here is a list of the main contenders and their current rating on the Google store:

First direct   3.3

This one I know well, it works OK but is essentially an iOS app transported to Android. It is slow and clunky, every menu item or back button involves some spinning icon wait time. Getting to the login screen takes about 20 seconds. They do some funny stuff to stop me using Lastpass to log on. I cannot paste my password in, and the password for the mobile app is limited to 8 characters. If you change focus to another app it may log you out. The menu button just shows the about page, you have to use the iOS style menu button at the top of the screen to navigate, and the back button only works sometimes. I am sure that all the apps here have these sorts of problems, but many of these aspects I can’t evaluate without signing up for an account.

HSBC   3.8

This is clearly the same as the First Direct app, and this is to be expected as they are the same banking group. They have these offers and rewards on the front screen, this just says to me our service is so bad we have to offer you stuff to use it.

Lloyds Bank   4.2

This is clearly better, but why have an ATM finder in there? I can get that from my mapping app (I use osmand, which is based on the Open Street Map data, so better than Google). The login is through convoluted letter selection from a password, so I have to have a password that I can remember and can’t use Lastpass to store it in, thus reducing my security.

Nationwide  4.1

This feels like I am in kindergarten, and there is a login by the selection of digits from a pass number. Even harder to remember a complex number, and reduced entropy from only providing 3 digits. I have enough stupid PIN numbers to remember, I don’t want any more. This feels like the best so far though.

Metro Bank    3.9

Well what about the newcomers to the banking market, perhaps they can produce a decent mobile app. Looking through the comments it seems that setting this up is a pain, lots of PINs and pass-codes before you can start. Summarising the comments, they say it is a workable app, clunky, but functional.

Well at this point I came across a news item on the BBC http://www.bbc.co.uk/news/business-30849322 saying that two new banks offering internet only service were starting up. Atom bank have a website, and are recruiting people, but there is nothing to see in the way of a mobile app to look at yet. The other is a German bank, Fidor. So let us have a look at their German offering.

Fidor.de   4.6

This looks much more professional. They have widgets to show current status, so you can see these without opening the app. The app itself uses the Android 9 dot pattern for authentication, easy to remember and enter on a mobile, hard to guess. There are not many reviews there, only one describing issues. The news article says that this is launching in the UK in March, so not long to wait.

Letter to my MP on the DRIP act

20 January 2015

Here is a copy of the letter I have sent to my MP asking him not to renew the DRIP act.

Dear Alok Sharma,

Please reject the DRIP act renewal.

The DRIP Act was passed as emergency legislation but it seems that this was primarily to avoid any discussion of the issues rather than any real emergency.

The problem is that the extraordinary level of surveillance that we are subject to by Police, GCHQ, and external organisations such as the NSA is not subject to any reasonable level of oversight.

RIPA seems on the face of it to control interception, with procedures to raise a specific warrant, subject to oversight by the Interception Commissioner, and general rules on the scope and breadth of the request, so that it is proportionate to the investigation. Mostly that it is an investigation, not a fishing exercise.

I would however welcome a change as stated by David Cameron that the Home Secretary would personally sign all interception warrants rather than it being delegated down to Police Sergeants.

However, the Interception Commissioner only ever sees a fraction of the intercepts that actually happen. If any part of the communication travels outside of the UK, it can be intercepted without a warrant.

Terrorism and child molesters are always trotted out as the justification for giving up our rights in order to protect us. But then these powers are used to detain the partner of a journalist, to intimidate them against embarrassing revelations.

Having lived through the Irish troubles we know that all these methods of preventing terrorism do not work. Internment did not work, restrictions on broadcasting did not work. What does work is treating these acts as simple crimes and allowing the court process to move forward in a fair and transparent manner. And political negotiation between countries and organisations with grievances that fuel acts of terrorism.

The UK and US governments are doing much to promote terrorism where they are killing people with drone strikes without any due process of the law. How would we feel if other countries were sending drones in to kill people here based on political orders of a foreign government?

We will win only if we show that everyone has the same human rights and our democratic governments respect these.

David Cameron recently stated that he wanted to be able to intercept every communication in the UK. This is an extraordinarily stupid pronouncement. Firstly, just because a conversation is mediated by an electronic network does not mean that it is right that interception should be possible. And it shows a total lack of understanding of the good that encryption technologies do in keeping us safe. To ban encryption, which is the logical extension of his claim, would be to put the UK back into the stone age, and would not offer any protection in return.

The gunmen in Paris that this is predicated on were known to the authorities, and had been under surveillance. It was not a case that existing levels of interception were insufficient to know what these men were planning. The wife of one of the gunmen was not aware of what he was planning, to know this in advance the police would have had to know this man even more intimately than she did.

Irrespective of the fact that the levels of surveillance that the government is proposing will not make us safer, I do not want to live in a Panopticon society. Privacy is a basic human right and must be respected.

Yours sincerely,

Stuart Ward


Apple pay

31 October 2014

The recent announcement by Apple that it has incorporated an NFC chip into the latest iPhone (at last) and that this is supported by a payment service, Apple Pay, is good news. Mobile payment systems seemed to have stalled for a while until this happened. This, combined with the adoption of Chip & PIN by the US, means that US retailers are finally starting to upgrade their POS terminals, and support for NFC is mostly coming along with the adoption of Chip & PIN.

The main part of the Apple announcement is that the Apple Pay system will support Tokenisation. This is not well understood out there so I will attempt to explain what this actually is and how it works.

Registration process. The first step is to create a token and associate it with an account. On the Apple Pay system you send a photograph of your card. I presume this is then processed by OCR to read the PAN from the card, and then Apple servers submit this and request a token for the card. A token looks exactly like a normal card number: the first 6 digits are the Bank Identification Number (BIN), but this will be from a specific token range for that issuing bank. Apple then stores this token number on the phone.

When a transaction happens the normal NFC protocols are followed, but the token number is presented to the reader rather than the subscriber’s PAN. This is then processed in the normal way by the retailer, and sent via the acquiring bank to the Visa scheme systems for processing. The Visa systems recognise the BIN as a token range and pass the token number to a tokenisation system. This will then apply the special token rules to the transaction. In the case of Apple Pay the transaction will only be accepted if it came from an iPhone. It determines this from elements in the transaction record provided by the merchant.

If the transaction passes these tests then it is passed back into the normal processing, but with the customer’s actual PAN replacing the token. Normal processing then presents this to the issuing bank for authorisation and collection.

The consequence of this is that the retailer will not be able to correlate transactions that happen with the real card and those where a token is presented. Not so much of a problem at the moment when Apple Pay is the only service. But say you had 15 different tokens, and presented different ones, this is going to confuse retailer systems that analyse sales patterns. This is a very important part of large retail operations, and an increasing part of smaller operations.
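To make the registration, routing, domain-check and PAN substitution steps concrete, here is a toy model of that flow, written for this post as an added example (it is not Apple, Visa or EMVCo code). The BIN values, account numbers, merchant name and the "entry_mode" field standing in for the transaction-record elements the scheme inspects are all constructed assumptions. It also demonstrates the consequence described above: two tokens registered against the same card look to the merchant like two unrelated card numbers, while the issuer only ever sees the real PAN.

```python
"""Toy tokenisation flow: vault issues tokens in a dedicated token BIN range, the
scheme routes on the BIN, applies the token's domain rule, and forwards the real
PAN to the issuer. Constructed example; BINs, numbers and field names are made up."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISSUER_BIN = "453201"  # constructed BIN of the card-issuing bank
TOKEN_BIN = "499999"   # constructed token range that the scheme maps to that issuer


def luhn_check_digit(digits: str) -> str:
    """Check digit that makes digits + check pass the standard card checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:        # digits that are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class Transaction:
    card_number: str   # what the terminal read: a real PAN or a token
    amount: str
    entry_mode: str    # assumed stand-in for the terminal data the scheme inspects
    merchant: str


class TokenVault:
    """Tokenisation system: token -> (PAN, entry mode the token is allowed in)."""
    def __init__(self) -> None:
        self._tokens: Dict[str, Tuple[str, str]] = {}

    def issue_token(self, pan: str, allowed_entry_mode: str) -> str:
        while True:
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._tokens:
                self._tokens[token] = (pan, allowed_entry_mode)
                return token

    def detokenise(self, token: str, txn: Transaction) -> Optional[str]:
        entry = self._tokens.get(token)
        if entry is None:
            return None
        pan, allowed = entry
        # Domain rule: a token bound to contactless device presentment is refused
        # if the same number turns up typed into a web form or on another channel.
        return pan if txn.entry_mode == allowed else None


class Issuer:
    def __init__(self, pans: List[str]) -> None:
        self.accounts = set(pans)
        self.seen: List[str] = []   # every number the issuer was asked to authorise

    def authorise(self, pan: str) -> bool:
        self.seen.append(pan)
        return pan in self.accounts


class Scheme:
    def __init__(self, vault: TokenVault, issuer: Issuer) -> None:
        self.vault, self.issuer = vault, issuer

    def process(self, txn: Transaction) -> str:
        if txn.card_number.startswith(TOKEN_BIN):          # route on the BIN
            pan = self.vault.detokenise(txn.card_number, txn)
            if pan is None:
                return "declined: token outside its allowed domain"
        else:
            pan = txn.card_number
        return "approved" if self.issuer.authorise(pan) else "declined: unknown account"


def demo() -> dict:
    body = ISSUER_BIN + "000000001"            # constructed account number
    pan = body + luhn_check_digit(body)
    vault, issuer = TokenVault(), Issuer([pan])
    scheme = Scheme(vault, issuer)
    # Two devices registered against the same card get two unrelated tokens.
    token1 = vault.issue_token(pan, "contactless_device")
    token2 = vault.issue_token(pan, "contactless_device")
    txns = [
        Transaction(token1, "15.00", "contactless_device", "shop"),
        Transaction(token2, "8.50", "contactless_device", "shop"),
        Transaction(token1, "99.00", "ecommerce", "shop"),  # token reused on the web
        Transaction(pan, "12.00", "ecommerce", "shop"),     # the real card online
    ]
    merchant_log = [t.card_number for t in txns]   # all the merchant ever sees
    results = [scheme.process(t) for t in txns]
    return {"pan": pan, "token1": token1, "token2": token2,
            "merchant_log": merchant_log, "results": results, "issuer_seen": issuer.seen}


if __name__ == "__main__":
    r = demo()
    print(r["results"])
    print("distinct card numbers in merchant log:", len(set(r["merchant_log"])))
```

Running it shows the merchant log holding three distinct "card numbers" for one customer, the third transaction declined because the token was presented outside the channel it was issued for, and the issuer receiving the real PAN every time.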

Then we come to the competition a number of large retailers in the US are launching their own mobile payment system. CurrentC is the brand name of the service offered by Merchant Customer Exchange. This differs from all the above, in that it expressly tries to maximise the identity information that it retains so retailers can analyse the sales patterns. It also bypasses the Card schemes, to minimise transaction processing fees.

For retail operations one of the major expenses is their transaction processing fees. This is an extremely complex area. The fee structures charged by the card schemes run to thousands of pages of rules, exceptions, caveats and the like. But basically a retailer will need to spend a percentage of their revenue on these transaction fees. For a large retailer this could be as low as 0.1%, but more normally it would be more like 1% to 2% for POS transactions. These will vary depending on whether the card is a credit or debit card, and every nuance of the processing.

These fees are the main driver behind the CurrentC scheme, as this will connect direct to banks, transaction fees for the retailer owned MCX system will be much lower. But they will have to attract customers to their system. At the moment these retailers seem to be alienating their customers by refusing to accept Apple Pay transactions.

Many Issuers offer various reward schemes as part of their consumer offering. These are paid for largely out of the processing fees they charge. So a payment transaction for a product will be presented for, say, $15.00; this will be deducted from the customer’s account, but the issuing bank will only pay 99% of this to the acquiring bank, who will then take their cut before passing it on to the retailer's account.

references:
Apple Pay    https://www.apple.com/apple-pay/ https://en.wikipedia.org/wiki/Apple_Pay
CurrentC    http://www.mcx.com/ https://en.wikipedia.org/wiki/Merchant_Customer_Exchange
EMVCo        http://www.emvco.com/
– Tokenisation Standards    http://www.emvco.com/specifications.aspx?id=263
– EMV Contactless            http://www.emvco.com/specifications.aspx?id=21
Google HCE
– SDK        https://developer.android.com/guide/topics/connectivity/nfc/hce.html
– Wikipedia    https://en.wikipedia.org/wiki/Host_card_emulation

Transaction Fees
– Overview: http://www.cardfellow.com/blog/credit-card-processing-fees/
– POS 1%-2% Large retailers 0.5%  http://www.transfirst.com/processing-rates-fees/retail
– Mobile / eCommerce 2% – 3%
– Fraud 0.5% if well managed

Glossary:
Issuing Bank          the bank that gives the card to the customer
Acquiring Bank    the bank that processes the retail transaction
PAN                Primary Account Number, this is the credit card number
BIN                Bank Identification Number this is the first 6 digits of the PAN

News reports:

http://www.theverge.com/2014/10/25/7069863/retailers-are-disabling-nfc-readers-to-shut-out-apple-pay

Following Apple’s announcement last month, both Wal-Mart and Best Buy confirmed to The Wall Street Journal that customers would not be able to use the system in their stores. Earlier this week, a leaked internal memo from Rite Aid revealed that the drug store chain was modifying or disabling its NFC readers, preventing access to Apple Pay (and other systems, like Google Wallet and wireless carrier-backed SoftCard, which also depend on the contact-less technology). A representative later confirmed the news to iMore. Today, CVS followed suit and shut out Apple Pay, according to reports. Both will support CurrentC on launch next year. The companies have not immediately returned requests for comment.

http://www.businessweek.com/articles/2014-10-29/currencs-data-breach-adds-to-awful-week-for-apple-pay-rival

From a publicity standpoint, a data security issue is one of the worst things that could happen to CurrentC right now. The app exists only in a private testing mode, but its plans call for a public launch sometime next year. Since CurrentC bypasses credit cards, the system will ask millions of shoppers to upload sensitive banking information to its servers. Users will also be asked to embrace features that allow CurrentC to track their physical location, information about their transactions, and other data.

MCX’s privacy policy says it may make commercial deals to acquire personal data from third parties, combining that with data it is gathering on its own to build its service. Dekkers says that anyone wishing to remain completely anonymous while using the system will be able to do so.

Anonymity is the default setting for Apple Pay, which makes a selling point of its inability to collect information about transactions. It’s a limitation that irks even some of its supporters. Apple also uses a technique called tokenization: temporary codes, rather than credit card numbers, are used to process payments, which can’t go through unless a user also scans a thumb with an iPhone fingerprint reader.

