Monday 13 August 2012

Passport? Money? Sun hat? Semi-skimmed milk?


Tesco's bold move into rolling out virtual shops as part of a two-week trial at Gatwick Airport is, in many ways, rather innovative. Not for the technology (this sort of thing is the backbone of Japanese vending machine culture and has already been successful for Tesco itself in Korea and Covent Garden, as well as for Ocado in London last summer and Birmingham this summer), but more for its boldness as an off-the-wall ad campaign for its multichannel (or should that now be omni-channel?) offering in general and its grocery app in particular.
As our story this week reveals, Tesco has installed ten interactive screens the size of vending machines in Gatwick's North Terminal, with the top-line mission of getting consumers who are about to jet off on their holidays to pre-order their victuals (bread, milk, cheese, olive oil and wine, to name but a few of the 80 items on offer) so that they can be delivered just after the happy holidaymakers step through the door of their house all tanned and relaxed. (WARNING: this assumes that French air traffic controllers don't unleash sudden industrial action as you wait to board your homeward-bound Airbus, leaving you sitting in Alicante knowing that your groceries are rotting on your doorstep or have been taken back to the warehouse.)
But joking aside, what these virtual shops really do is advertise, in a very large and shiny way, that if you download the Tesco app onto your smartphone you can do your shopping wherever you may roam. But is it such a great idea? For starters, if I had battled my way through security and was finally in the departure lounge waiting to jet off to the sun, the last thing I'd want to do is my shopping.
But I may be prompted to do it the day before I head home, using the app from the comfort of my sun lounger, hotel Wi-Fi permitting. I may also be reminded that I have the app and might just start doing my shopping from it again. So perhaps the mega-omni-retailer is on to something.
But what's in it for Tesco? The retailer is adamant that multichannel retailing (offering the consumer as many easy and convenient ways to shop at Tesco as possible, in the company's own parlance) is its future: not by pushing people from one channel to another, but by being so convenient that new people start to use its channels.
And this is really the driver behind the trial at Gatwick. It lets Tesco push new people to its app and get existing app users to reignite their usage (and perhaps this time stay sticky, which is crucial: as revealed in the news below, according to comScore only one in eight European smartphone users has bought anything through their smartphone). The services could also make loyal Tesco mobile and online shoppers feel even more warm and fuzzy toward their favourite supermarket.
But it also serves another, even more useful purpose for Tesco: it lets the company see whether consumers will shop using these virtual shop fronts as part of the shopping mix. If they do, then the company will no doubt roll them out elsewhere at travel hubs and all sorts of other places, including perhaps their own storefronts (for the gentleman shoppers amongst us, they may even think of putting them in pubs, at football grounds or even the bookies). It is in essence a proof of concept of something that could either cut Tesco's store costs or extend the reach of the company to many, many, many new locations and tap into a whole new way of shopping.
I went to the launch of the service at Gatwick and have no idea whether I had just seen a really expensive but cool ad campaign for an app, or the future of shopping. Even if it is the former, given that Webcredible has found that UK consumers only use an average of four apps regularly, and they are the four they consider most useful (as our story below shows), getting consumers to include Tesco's grocery app as one of these can't-live-without apps is probably worth this sort of elaborate marketing. And who knows, it may even actually fulfil a consumer demand; I just can't tell. Perhaps I need to jet off to a beach somewhere and think about it?

Thursday 9 August 2012

Lessons Learned from Mat Honan’s Epic Hacking


“Password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing.”
If you haven’t read Gizmodo writer Mat Honan’s gut-wrenching play-by-play of how his entire digital life evaporated in a matter of hours, do yourself a favor and Instapaper it. Or, if you’re too busy to read the whole article, I’ve created a quick-and-dirty summary that retraces the hacker’s steps and highlights some steps we can take to protect ourselves from similar attacks.
How It Happened
1.) Hacker targets @mat via Twitter
2.) Hacker browses to @mat’s personal website, which is linked from his Twitter profile
3.) Hacker sees @mat’s Gmail address on his website
4.) Hacker tries to log in to Gmail as @mat (knowing he won’t get in) and clicks the lost-password link
Hmm, if the hacker can’t break into @mat’s Gmail account, why is this important?
When you tell Gmail that you’ve lost your password, it responds by showing you the partially obscured alternate email address it has on file for account recovery.
This is a big hole. Why? Because m***n@me.com was enough information to know which service to attack next – iCloud, which, as you’ll see in a minute, is extremely vulnerable to social engineering.
It’s worth noting that, as @mat mentions in Wired, if Gmail’s two-factor authentication had been enabled, the nightmare ends here. Hopefully Google will figure out a better mechanism for securing your alternate email address than blanking out a few characters (a security question would be a good start!); as it stands, the masked hint still tells an attacker which provider to go after next.
Email is the skeleton key to your online identity since so many services reset your account via a confirmation link sent to your email address. Guard it well.
How can you protect your Gmail account?
Go enable two-factor authentication for your Gmail account…now! Jeff Atwood wrote an excellent tutorial for Gmail in his Make Your Email Hacker Proof post, and Matt Cutts posted a video today.
5.) Hacker obtains @mat’s billing address by doing a simple WHOIS lookup on his website’s domain name
I can’t really ding @mat here since, as he points out, most people’s billing addresses are obtainable via WhitePages or a similar service unless you’re unlisted (which isn’t a bad idea). If you own a domain name, think about paying the extra $20/year for private registration so that the WHOIS record shows the registrar’s proxy details instead of your own.
6.) Hacker obtains last 4 digits of @mat’s credit card
Why was the hacker after the last 4 digits? Because this was the last piece of the iCloud-cracking puzzle. In order to verify your identity, AppleCare phone support requires: 1) name, 2) email, 3) billing address, and 4) the last 4 digits of the credit card on file. The hacker already had 3 of the 4.
Where might someone’s credit card number be stored? Amazon!
The hacker (correctly) assumed that @mat had an Amazon account that used one of his two known email addresses as the account name. But how did the hacker gain access? Hint: he didn’t crack the password. He used social engineering.
The hacker placed a call to Amazon tech support claiming to be @mat. He provided @mat’s name, address, and email (yikes!), and then asked the tech support rep to add a new credit card number to the account. Then he hung up the phone and waited.
Later, the hacker placed a subsequent call to Amazon saying he had lost access to his account. Upon providing name, address, and the newly added fake credit card number, Amazon support let the hacker add a new email address to the account (e.g., hacker@danger.com).
Game over.
The hacker could now click “forgot password” on the Amazon login page, and the subsequent password reset email would go to hacker@danger.com instead of @mat’s real email address. Having reset the password, the hacker then logged into the Amazon account and nabbed the last 4 digits of the real credit card on file.
@mat notes:
“And it’s also worth noting that one wouldn’t have to call Amazon to pull this off. Your pizza guy could do the same thing, for example. If you have an AppleID, every time you call Pizza Hut, you’re giving the 16-year-old on the other end of the line all he needs to take over your entire digital life.”
How can you protect your Amazon account?
Until Amazon rethinks their identity verification process, the only way to protect against this social engineering hack is to delete any credit card data you have on file with Amazon. Yes, it’s painful to have to enter your credit card information every time you place an order, but is it as painful as having your digital identity stolen?
Let’s recap: the hacker grabs public information (name, Gmail address, billing address). Gmail’s password-recovery page reveals that @mat has an AppleID (m***n@me.com). The hacker knows that in order to own that AppleID the only missing piece is the last 4 digits of @mat’s credit card, which can be socially engineered out of Amazon support. Whew.
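The chain recapped above can be played through as code, which makes the structural flaw easier to see: the second Amazon call accepts as proof of identity a card number that the first call let an unauthenticated caller write. The following Python model is an added example written for this page; it is not code from the post, nor from Google, Amazon or Apple. All names, addresses, e-mail addresses and card digits in it are constructed, the masking rule for the recovery hint is an assumption stated in the code, and the verification rules are simplifications of what the post describes, not the vendors’ actual procedures. A `weak` flag switches the support desk between the behaviour in the post and a hardened rule in which a card only counts as an identity factor once it has cleared a real charge; a different `apple_card_last4` models the single-purpose card suggested later in the post.

```python
"""Model of the account-takeover chain the post describes.

Added example, written for this page: it is not code from the post, nor from
Google, Amazon or Apple. Names, addresses, e-mail addresses and card numbers
are constructed, and the verification rules are simplified from the post's
description of the phone-support checks, not the vendors' actual procedures.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    """A customer account as a support desk sees it."""
    name: str
    billing_address: str
    emails: set                                  # addresses that receive password resets
    cards: dict = field(default_factory=dict)    # last4 -> True once the card has cleared a real order


def recovery_hint(addr: str) -> str:
    """Masked recovery address in the style of the post's 'm***n@me.com'.
    Assumption: first and last character of the local part stay visible and
    the domain is shown in full."""
    local, domain = addr.split("@")
    if len(local) < 3:
        return "*" * len(local) + "@" + domain
    return local[0] + "*" * (len(local) - 2) + local[-1] + "@" + domain


def candidates_matching(hint: str, candidates: list) -> list:
    """The mask is deterministic, so an attacker can test guesses built from the
    target's name offline and keep the ones that produce the same hint."""
    return [c for c in candidates if recovery_hint(c) == hint]


class SupportDesk:
    """Phone-support identity checks. weak=True reproduces the flaw in the post:
    a card the caller added on the previous call counts as proof of identity."""

    def __init__(self, account: Account, weak: bool):
        self.account = account
        self.weak = weak

    def _basic_id(self, name, address):
        return name == self.account.name and address == self.account.billing_address

    def add_card(self, name, address, email, last4) -> bool:
        # First call: name + address + e-mail is enough to put a card on file.
        if not (self._basic_id(name, address) and email in self.account.emails):
            return False
        self.account.cards[last4] = False          # on file, never charged
        return True

    def add_email(self, name, address, last4, new_email) -> bool:
        # Second call: name + address + "a card on file" adds a reset address.
        if not self._basic_id(name, address) or last4 not in self.account.cards:
            return False
        if not self.weak and not self.account.cards[last4]:
            return False   # hardened: only a card that has cleared a real charge proves anything
        self.account.emails.add(new_email)
        return True

    def forgot_password(self, email):
        """The reset mail goes to any address on the account. Returns what the
        attacker sees after logging in with the new password, or None."""
        if email not in self.account.emails:
            return None
        return {"real_cards_last4": [c for c, charged in self.account.cards.items() if charged]}


def applecare_verify(apple: Account, name, email, address, last4) -> bool:
    """The four items the post says AppleCare asked for."""
    return (name == apple.name and email in apple.emails
            and address == apple.billing_address and last4 in apple.cards)


def run_attack(weak_desk: bool, apple_card_last4: str):
    """Plays the chain end to end. Returns (last4 stolen from the shop or None,
    whether the AppleCare check was passed)."""
    name, address = "Mat Example", "1 High Street, Example Town"      # website + WHOIS
    gmail, icloud = "mat.example@gmail.com", "m.example@me.com"       # constructed
    shop = Account(name, address, {gmail}, {"1234": True})
    apple = Account(name, address, {icloud}, {apple_card_last4: True})

    # Gmail's recovery page leaks the masked alternate address; guess it from the name.
    hint = recovery_hint(icloud)
    guesses = candidates_matching(hint, ["mat.example@me.com", "m.example@me.com", "mexample@me.com"])

    desk = SupportDesk(shop, weak=weak_desk)
    desk.add_card(name, address, gmail, "9999")          # attacker's own card
    if not desk.add_email(name, address, "9999", "hacker@danger.example"):
        return None, False
    view = desk.forgot_password("hacker@danger.example")
    stolen = view["real_cards_last4"][0]
    owned = any(applecare_verify(apple, name, g, address, stolen) for g in guesses)
    return stolen, owned


if __name__ == "__main__":
    print("weak desk, shared card:", run_attack(True, "1234"))
    print("hardened desk:         ", run_attack(False, "1234"))
    print("weak desk, Apple-only card:", run_attack(True, "5678"))
```

The point of the model is the `add_email` check: with `weak=True` the desk trusts any card on file, so the attacker’s own “9999” card, added one call earlier with nothing but public information, passes as identity and the real card’s last 4 digits fall out of the password reset. Requiring a card that has actually been charged (`weak=False`) stops the chain at the second call, and a separate card on the Apple account stops it at the AppleCare check even when Amazon falls.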
Still with me? Good. Here’s where it gets really ugly.
7.) Hacker calls AppleCare with the information required to infiltrate an iCloud account: name (public), email (public), billing address (public) and last 4 digits of a credit card (virtually public).
How can you protect your AppleID?
Apple requires you to have a credit card on file if you want to use iTunes and the App Store, so deleting your credit card data might not be a viable option. However, you could dedicate a single purpose credit card for Apple. If the card @mat stored with Amazon didn’t match the card stored with Apple, the attack would have stopped here. Regardless, Apple needs to seriously rethink their identity verification process.
8.) Hacker remote-wipes @mat’s iPhone, iPad and MacBook Pro
There are more security steps involved in opting into a MailChimp newsletter than in remotely decimating an entire laptop. The way iCloud’s remote wipe process was designed leads me to believe they didn’t even think through the possibility that an iCloud account could be hacked.
How can you protect your data?
Back up your data. No excuses. Have multiple backups and test your restores. You can get a 2TB external hard drive for $120 on (wait for it…) Amazon, and online backup services are a few bucks a month for unlimited data. (Anecdotally, the only hard drive failure I ever experienced was 1 day after my very first online backup completed. Most people aren’t so lucky.)
So many systems are interconnected in the cloud, making things more convenient than ever before, but we have to realize that this same interconnectedness makes security exponentially harder. Passwords are no longer good enough—not for the important stuff. If Apple, Amazon, and (to a much lesser extent) Google—companies with a combined market cap of 900B—can’t get security right, what are the lesser-known providers doing?