Finextra: Banks urged to act on Net security fears
Banks must act "urgently" to tackle Net user security fears if they are to retain and attract customers to cheaper online channels says Forrester Research.
In a survey of more than 22,000 Europeans, Forrester found that just 30% of Internet users are confident of the security of personal financial information, like credit and debit card numbers, when used to make transactions online. Two-fifths of the European Net users who don't use online banking say they don't because they worry about security.
Benjamin Ensor, senior analyst, financial services at Forrester says: "Consumers' deep-seated security fears remain one of the biggest barriers to online banking use in Europe, particularly in countries like Italy, France, and the UK, where two-factor online banking authentication is rare or unknown. The more confidence Net users have in security, the more likely they are to bank online."
The analyst group says that banks should look to educate Net users about security precautions, not let usability fears compromise security, deploy or strengthen two-factor authentication "urgently", and collaborate rather than compete on security.
March 31, 2005 at 10:10 PM in Financial Services
http://www.economist.com/printedition/displaystory.cfm?story_id=3785166
Mar 31st 2005
From The Economist print edition
The claim that “the customer is king” has always rung hollow. But now the digital marketplace has made it come true, says Paul Markillie
IT IS the biggest advertising event of the year. On February 6th, half the households in America sat down in front of their televisions to watch the 2005 Super Bowl. Never mind the game: the Super Bowl is a showcase for television commercials, and more than a quarter of the viewers tune in just to watch the ads. For days before and after the event, these are discussed in the newspapers, on radio and on TV. At an average cost of $2.4m for a 30-second slot, a Super Bowl commercial is the most expensive pitch an advertiser can make. For some, such as Anheuser-Busch, it has become an institution. The brewer's decision to drop one of its ads from the ten slots it had booked made headlines. The commercial was a cheeky take on Janet Jackson's “wardrobe malfunction” (a slipping top) during the half-time show at the 2004 game. The resulting publicity prompted large numbers of people to visit Anheuser-Busch's website to look at the ad, which meant that probably as many saw it as if it had been screened.
The Super Bowl is a great excuse for a party, especially for the advertising industry. It shows that people still enjoy ads that are creative and entertaining. But it raises an awkward question: does it actually sell any more bottles of beer, cars or pills for erectile dysfunction? Although TV viewers tend to be able to recall a particularly good commercial, many cannot remember the product it featured. And for the most part they try to avoid the rising barrage of ads. Getting their attention is becoming increasingly difficult, because audiences are splintering as people use different kinds of media, such as cable television and the internet. The choice of products and services available is multiplying, but at the same time consumers have become more sceptical about claims made for products. In today's marketplace, consumers have the power to pick and choose as never before.
All-seeing, all-knowing
This new consumer power is changing the way the world shops. As this survey will show, the ability to get information about whatever you want, whenever you want, has given shoppers unprecedented strength. In markets with highly transparent prices, they are kings. The implications for business are enormous: threatening for some, welcome for others. For instance, the huge increase in choice makes certain brands more valuable, not less. And as old business divisions crumble, a strong brand in one sector can provide the credibility to enter another. Hence Apple has used its iPod to take away business for portable music players from Sony; Starbucks is aiming to become a big noise in the music business by installing CD-burners in its cafés; and Dell is moving from computers into consumer electronics.
“I am constantly amazed at the confidence level and sophistication of the average consumer,” says Mike George, Dell's chief marketing officer and general manager of its consumer business in the United States. Dell soared to the top of the personal-computer business by cutting out retailers and selling directly to consumers. If Dell changes prices on its website, its customers' buying patterns change literally within a minute. “That tells you people are well-researched and knowledgeable,” adds Mr George.
Even buying a car, long considered to be one of the worst retail experiences anyone can have, is being transformed. Over 80% of Ford's customers in America have already researched their prospective purchase on the internet before they arrive at a showroom, and most of them come with a specification sheet showing the precise car they want from the dealer's stock, together with the price they are prepared to pay. Similarly, more than three-quarters of mobile-phone buyers in America do their research on the web, even though only 5% buy online, says John Frelinghuysen of Booz Allen Hamilton, a firm of business consultants. They still want to go to a shop to hand over their money and get their phone, but first they want to see exactly what the service package covers, and to read what other users say about their proposed purchase.
Disintermediation seems to be in the air
With consumers becoming increasingly empowered, how can the marketing, advertising and communications firms that companies use to promote their products hope to get their messages across? And what does it mean for media businesses relying on advertising revenue, the traditional channels for reaching this increasingly elusive audience? Disintermediation—the process of middlemen being cut out—seems to be in the air. The three big TV networks in America have all hedged their bets by acquiring cable channels. The advertising business is reorganising itself, seeking safety in size. Many agencies are now clustered into four big global groups: America's Omnicom and Interpublic, France's Publicis and Britain's WPP. In some ways they are recreating the big, vertically integrated advertising giants of the past, but with separately run companies to deliver the range of specialist marketing services they think their clients will need in the future.
So what will that future hold? “For the first time the consumer is boss, which is fascinatingly frightening, scary and terrifying, because everything we used to do, everything we used to know, will no longer work,” says Kevin Roberts, chief executive of Saatchi & Saatchi, part of Publicis. Shelly Lazarus, head of Ogilvy & Mather, part of WPP, is more sanguine. “Advertising is as vibrant as it has ever been. It's just that the way you define it is so much broader now, with new ways to reach people,” she explains. “In the past you would keep pounding the creative message out into the market place and look at reach frequency,” says Howard Draft, a veteran direct-marketing expert and chief executive of his eponymous New York agency, part of Interpublic. “Well, basically that is dead. What you have today is an informed consumer who is taking control of the way he learns and hears about products.”
Companies with some of the world's biggest advertising budgets are beginning to look for new ways of attracting consumers' attention. Jim Stengel, global marketing officer for Procter & Gamble (P&G), is one of the advertising industry's harshest critics, awarding it a “C minus” for its ability to embrace new media. And Larry Light, who has been giving McDonald's a makeover as its chief marketing officer, says bluntly: “The days of mass marketing are over.”
Mass retailing, however, looks as healthy as ever. The supermarkets are taking an increasing proportion of consumer spending—and on a lot of things beside groceries. A growing part of Wal-Mart's business comes from people searching online for information on products such as consumer electronics, and then visiting a store to make a purchase. “I think it works to our advantage, because we are the price leader,” says Lee Scott, chief executive of the world's biggest retailer. “There's power for them and us.”
Consumers, of course, care not a jot about marketing machinations. They are delighted to have more choice, which makes it easier for them to turn their back on a company they do not like and buy elsewhere. For some this is sweet revenge. “Consumers have become jaded and cynical,” says Rob Markey, a partner at Bain & Company, a consultancy. “There is a pile of broken promises heaped on the floor.”
The ads we love to hate
In fact, consumers have been telling market-research companies for 50 years that they do not trust advertising. But they have become even more negative about it recently, says Eric Schmitt of Forrester, a research firm. Indeed, people are actively looking for ways to avoid ads, using tools such as pop-up blockers on web browsers and digital video recorders (DVRs) that allow them to skip the ads when they record TV programmes. Forrester found that 60% of the programmes watched by DVR users are recorded, and 92% of the ads on such programmes are skipped. The firm reckons that by the end of 2008, 36m households in the United States will be using DVRs. So what will happen to the $60 billion spent on TV advertising in America every year? Mr Schmitt thinks that if the TV industry can no longer guarantee its audiences, a lot of that money will move elsewhere.
For the moment, advertising expenditure gives no hint of trouble ahead. The business is bouncing back strongly from the slump that began in 2001, when the bursting of the technology bubble caused a sudden collapse in ad spending. Worldwide advertising expenditure on the mainstream media and the internet in 2004 grew by around 7% to $370 billion, estimates ZenithOptimedia (see chart 1). Universal McCann, a media-services firm, uses different measures but sees a similar recovery. It says that in America last year $264 billion was spent on national and local advertising and other marketing, such as direct mail (a $50 billion business), up 7.4% on the previous year. And it expects ad spending in the world's biggest market to grow by more than 6% this year.
But the way that money is spent is changing. In America, growth in ad spending is led by the internet, Spanish-language TV and cable networks, according to TNS Media Intelligence, a media-monitoring company (see chart 2). And as with P&G's $4 billion advertising budget, a growing proportion is shifting from mainstream media, such as television, radio and print, to new media and other forms of sales promotion, such as direct mail, public relations, promotions, sponsorship and product placement. Collectively this sort of spending, sometimes called “below-the-line” advertising, or marketing services, is already worth more than twice what is spent on traditional display advertising. Together, the two sorts of spending added up to more than $1 trillion last year, says WPP.
By comparison, the $10 billion or so spent on internet advertising in America last year looks tiny. But it was 32% up on 2003, according to a study by the Interactive Advertising Bureau and PricewaterhouseCoopers. And that growth is accelerating, leading some forecasters to suggest that the online ad market could double in value this year. The internet is also becoming a lot more sophisticated as an advertising medium, beyond banner ads and pop-ups. In search advertising, companies buy words that, if they appear in searches made on sites such as Google or Yahoo!, will bring up a link to the company's website, displayed alongside the search results. The advertiser pays only if someone clicks on his links. This makes the results of search advertising reassuringly measurable, because tracking how many people go on to make a purchase is relatively easy. Google is beginning to work like an advertising agency, placing small text-based ads on other people's websites on behalf of its clients and splitting the revenue with the website owners. Google's software scans the sites to match the ads it serves up to the site's content.
Local search could be the next big moneyspinner on the internet—for whoever comes up with a winning formula. Microsoft's MSN site, for instance, will provide details about a local shop, and a map to get you there. A9, a new search engine from Amazon, has a feature called “Block View” with pictures of streets and their shop fronts, so if you have forgotten the name of the restaurant you are looking for, you may be able to recognise it in the picture. The next step will be a feature that allows users to “click to call”. Initially this service is likely to be free, but in time it could be developed into another big source of online revenue.
Media from dawn to dusk
Some changes in consumer behaviour that were already under way have been speeded up by the growing use of the internet. For example, consumers are spending more time with media of all kinds: currently about ten hours per person per day in America. According to Veronis Suhler Stevenson (VSS), a New York-based media merchant bank, this is likely to grow to 11 hours by 2008. James Rutherfurd, the bank's managing director, thinks this is due to a relatively new phenomenon he calls “media multi-tasking”: using different media at the same time. “This has enormous implications for advertisers and programmers,” he says. “It used to be that they were competing to get you to turn on the television. Now the TV may be on, but they are competing to keep your attention on the TV as opposed to the computer screen, the magazine or the iPod.”
Fujio Nishida, chief marketing officer of Sony's electronics division, points out that this forces advertisers to think very carefully not only about which media to use for the market they want to reach, but what people are likely to be doing when their ad appears. In Japan, he says, in the past you could be fairly sure that 90% of your potential targets would be watching TV at some point between 8pm and 10pm; but now only 70% may be watching and 60% will be using the internet—many doing both at the same time. Advertisers can take advantage of this by putting on TV ads specially designed to encourage consumers to go straight to a website, as Sony has done.
“Who actually controls distribution in this type of world?” asks Bill Gossman. “The individual does. That's where the ultimate consumer power comes from.” His company, Revenue Science, is developing new ways of “behavioural targeting”. This involves analysing online consumer behaviour and then delivering ads that are likely to be relevant to groups with common interests. Mr Gossman thinks that as the world becomes more digital, his techniques will increasingly be used by all kinds of electronic media.
Amazon, which has long evolved from an online bookseller into a mass retailer, uses a form of behavioural targeting by suggesting products its customers might like, based on their past purchases. Jeff Bezos, Amazon's chief executive, was among the first to spot that the transparent pricing and product information the internet was able to provide would allow people to shop just about anywhere. The trick was to make it easier for them, so Amazon's website now operates as a shop front for lots of other companies too. And it gives customers the chance to read not only the sales blurb but also other customers' comments on the products.
For some companies this is scary stuff—the same as throwing open your customer-relations files and hoping that people have said enough nice things about you. Companies can, of course, try to control everything that is said and written about them through advertising and public relations. But nowadays a web search can turn up all sorts of skeletons in the cupboard, especially from news groups where people post comments, from online journals (called “web logs” or “blogs”) and more recently from “podcasting”, in which individuals produce their own audio programmes for others to download to their Apple iPods or other MP3 players. Video versions of this are sure to follow. Not all of this can be dismissed as amateurish twaddle. Microsoft, for instance, is taking blogs seriously enough to have hired its own celebrity blogger, Robert Scoble, even at the risk that he might be scathing about the company's products.
This is a clever move. The less control a company has over its marketing message, the greater its credibility, says Pamela Talbot, an expert in consumer-product marketing and chief executive of the American side of Edelman, a giant public-relations firm. Indeed, Saatchi & Saatchi's Mr Roberts thinks marketing departments must accept that brands no longer belong to them, but to the people who use them. The most valuable users of a company's brand are what he describes as “inspirational consumers”—people who are closely associated with a company and its products. It does not even have to be another company. Some of the most successful agents for generating a buzz—and plenty of free publicity—can be the people who run the business.
For example, the celebrity status of Sir Richard Branson has rubbed off on the Virgin brand, so his businesses, from music to airlines to space travel, get instant consumer recognition. Stelios Haji-Ioannou, a familiar face in Britain, founded easyJet, one of Europe's first cut-price airlines. Mr Haji-Ioannou, who describes himself on his business card as a “serial entrepreneur”, believes that a brand represents “a promise”. So whether he is attaching his name to a car-rental business, a new no-frills hotel chain or a new cruise line, the consumer knows what to expect from the person putting his reputation on the line. Donald Trump has also turned himself into a brand, but the New York businessman is especially well known for “The Apprentice”, a business reality show on TV. This is a huge hit in America (unlike Sir Richard's own show), and companies pay to be involved.
What is it worth to have the contestants on such a show design a new product for your business, as Burger King did? The fast-food chain then went on to mount a similar competition on its own website. Measuring the effectiveness of such marketing is not easy. The marketing profession has yet to catch up with new media, says Malcolm Hunter, chief strategy officer of Vizeum, a London agency set up to seek out opportunities from recent trends. “Consumers are real people, and companies that understand that can do well.” That might seem blindingly obvious, but he is right to remind the industry of it. Advertisers are still inclined to depict their activities as a form of warfare. Consumers are “targets” and ad “campaigns” are meant to “wear down resistance” and score “hits”.
The rise of consumer power can best be charted through three industries: packaged goods, consumer electronics and cars. In each of these three very different categories consumers carry increasing clout. As the cost of the product goes up, they spend more time and effort considering which make and model to buy. The battle for their attention and money begins at the supermarket.
March 31, 2005 at 08:42 PM in Web lifestyle
Economist.com | Consumer power
Mar 31st 2005
From The Economist print edition
Armed with the internet, the customer has finally got on top
“When a customer enters my store, forget me. He is king,” decreed John Wanamaker, who in 1876 turned an abandoned railway depot in Philadelphia into one of the world's first department stores. This revolutionary concept changed the face of retailing and led to the development of advertising and marketing as we know it today.
But compelling as that slogan was, in truth the shopper was cheated of the crown. Although manufacturing efficiency boosted the variety of goods and lowered prices, advertising provided most information about products. Through much of the past century, ads spoke to a captive audience confined to just a few radio or television channels or a limited number of publications. Now media choice has exploded too, and consumers select what they want from a far greater variety of sources—especially with a few clicks of a computer mouse. Thanks to the internet, the consumer is finally seizing power.
As our survey in this issue shows, consumer power has profound implications for companies, because it is changing the way the world shops. Many firms already claim to be “customer-driven” or “consumer-centric”. Now their claims will be tested as never before. Trading on shoppers' ignorance will no longer be possible: people will know—and soon tell others, even those without the internet—that prices in the next town are cheaper or that certain goods are inferior. The internet is working wonders in raising standards. Good and honest firms should benefit most.
But it is also intensifying competition. Today, window shopping takes place online. People can compare products, prices and reputations. They can read what companies say about products in far greater detail, but also how that tallies with the opinions of others, and—most importantly of all—discover what previous buyers have to say. Newsgroups and websites constantly review products and services.
This is changing the nature of consumer decisions. Until recently, consumers usually learned about a product and made their choice at the same time. People would often visit a department store or dealership to seek advice from a salesman, look at his recommendations and then buy. Now, for many, each of these steps is separate. For instance, Ford is finding that eight out of ten of its customers have already used the internet to decide what car they want to buy—and what they are willing to pay—even before they arrive at a showroom.
Know-alls
Of course, the amount of time people spend researching and checking prices tends to rise in proportion to the value of the product—and cars are expensive. But consumers are displaying similar behaviour when they purchase other things, such as digital cameras, mobile phones or fashionable clothes. And while supermarket shoppers may not research in this way all the individual items they drop into their trolley, many suppliers of the packaged goods sold in supermarkets are already acutely aware that their customers, too, are better informed than ever before about the value or health implications of the products they sell.
Reaching these better-informed consumers with a marketing message is not easy, and not only because they are more sceptical. Many people now spend as much time surfing the web as they do with television, magazines or newspapers. The audience for advertising is splintering and its attention is harder to attract. On top of that, many people are arming themselves with technology to avoid marketing messages, such as pop-up ad-blockers for the internet and personal video recorders that make it easy to skip TV commercials.
Despite the flood of product and price information suddenly available, consumers are unlikely ever to become wholly calculating. Tastes and fashion will differ. Brands are likely to remain popular. But brand loyalties are weakening. A slip or delay can cost a firm dearly and hand the advantage to an opportunistic rival. This is how Apple's iPod snatched from Sony the market leadership in portable-music devices.
Virtual shopping
Many firms do not yet seem aware of the revolutionary implications of newly empowered consumers. Too many companies relaxed after the bursting of the dotcom bubble, assuming that the online threat had faded. This was a mistake. It is true that the vast majority of people still go to shops for most purchases (though online sales continue to grow). Before doing that, however, most have used the internet. More than 90% of people aged between 18 and 54 told America's Online Publishers Association in a survey that they would turn to the internet first for product information. The differences between the virtual and the bricks-and-mortar worlds do not worry consumers. But they should worry companies. Many consumers first encounter a firm through its website, and yet for too many firms, their online presence remains a low priority.
By contrast, some businesses have embraced the internet wholeheartedly, and been rewarded for it. Dell has by-passed retailers and used direct sales to become the world's leading supplier of personal computers. The web is also transforming the travel business, giving consumers the power to book flights, hotels and cars directly. And it has allowed hundreds of thousands of small businesses, from mom-and-pop stores to traders of collectibles on eBay, to reach a global market.
The explosion of choice that followed the opening of Mr Wanamaker's store is minuscule compared with the cornucopia already provided by the internet. But the consumer's choice is about to become even greater. Internet search firms such as Google, Yahoo! and MSN are now falling over each other to offer more localised services. These promise to open up a new goldmine in search advertising. And soon this facility will be available not just on PCs at home or work, but on mobile phones. At a touch, consumers will be able to find a local store and then check the offers from nearby outlets even as they browse the aisles, or listen to a salesman. When that happens consumers will truly be kings, and only those firms ready and able to serve these new monarchs will survive.


March 31, 2005 at 08:40 PM in Web lifestyle
Comment: Jill Kerby: Internet offers banks window of opportunity - Sunday Times - Times Online
WHAT is it that good Christian bankers say? That the good Lord doesn’t close one branch without opening another? Last week Bank of Ireland announced that 10 of its branches would shut over the next few years. But hadn’t Bank of Scotland just announced that it was going to open 52 new branches in the old ESB shops in towns and cities around Ireland?
It wasn’t too long ago that the closure of Bank of Ireland and AIB branches was deeply resented by customers and the cause of much complaining on radio talk shows. However, as Bank of Scotland, Danske Bank and even Permanent TSB start taking up the slack in the big banks’ traditional rural strongholds, I expect the attitude to 10 more Bank of Ireland branch closures will be more “so what”, than “oh, no, not again”.
Anyone who is a confident internet user has an even greater choice of bank service, of course, since they can do their banking via their home or office computer or mobile phone. Which makes one wonder why the big banks are not doing more to encourage vulnerable customers — such as older people — to join the computer generation so they can also check their account balances, shift money between accounts and pay bills online.
I don’t accept for a second — and neither do the excellent people at Age Action Ireland — the patronising view that older people are incapable of becoming computer literate. They simply need encouragement and education. I keep in touch with older friends and relatives by e-mail who are quite comfortable on their laptops.
The minister for social welfare says he wants to break the cycle of isolation that affects social welfare beneficiaries such as the elderly and single parents. Providing them with subsidised access to the internet would be a good way to achieve that. Brian Goggin, the Bank of Ireland’s new chief executive, should be at the forefront of such an initiative too.
Jail the biggest tax transgressors
Michael Roche, a retired farmer, was probably a bit unlucky to find his name alongside fellow Limerick men such as Matthew Kavanagh, who recently settled with the Revenue Commissioners for €536,605, Brendan Nolan, who paid more than €309,959, or the late Dr Anne Teahan whose estate presumably ended up settling her €469,593 bill.
Roche owed €13,305, just €605 over the €12,700 limit which saw him end up on the Revenue’s published list of tax settlements. Since at least half that amount is made up of interest and penalties, it does seem to be a disproportionate punishment for what was probably an under-declaration of €5,000 or €6,000.
The farmer was doubly unlucky that his transgression wasn’t discovered a little later: from now on, only settlements of €30,000 or more will be listed.
I’ve no idea how Roche or the 181 other named parties feel about being on this list, but an automatic jail sentence for the biggest transgressors would be one way of cutting down the numbers. Why not introduce this penalty for anyone owing more than €500,000 after all the undeclared tax, interest and penalties are taken into account? Fourteen people fall into that category for the October to December 2004 period, with three owing more than €1m.
Double trouble over stamp duty
When I called one of the main banks last week on behalf of a Money reader who wanted to know how to switch her credit card without paying double stamp duty, I assumed the process was simple enough. Silly me. Nothing that involves tax, banks and a minister for finance is ever simple, as the answer provided by the bank in this week’s MoneyMatters column shows.
The fact that a credit card holder must get a signed and stamped certificate from the old bank to confirm that the €40 stamp duty on an existing credit card has been paid before another bank can issue a lower-cost, stamp-duty-exempt replacement, is positively Pythonesque.
The absurdity doesn’t end there. After much lobbying by the banks and consumer groups who argued that this duty was anti-competitive, the finance minister Brian Cowen corrected the anomaly in his December budget. Why then did he not extend the concession to the ATM and laser cards that each carry a €10 stamp duty and the combined ones with the €20 duty? Anyone who switches their current account following the introduction of the switching code designed to facilitate this change, is going to lose some of the advantage of lower charges by having to pay two sets of stamp duty for the year. Meanwhile, the Revenue website, www.revenue.ie, is expected to post a FAQ on the stamp duty on bank cards in the next few weeks.
March 31, 2005 at 06:08 AM in Financial Services
Yahoo ups free email storage to 1 gigabyte - Yahoo! UK & Ireland News
SAN FRANCISCO (Reuters) - Yahoo says it will soon begin giving users of its free Web e-mail service 1 gigabyte of storage, four times more than it now offers, amid intense competition.
Consumers are increasingly using their Web e-mail inboxes as a repository for e-mail as well as digital photos and documents. Web e-mail providers have been responding with offers of ever more free storage.
Yahoo said on Wednesday the global storage upgrade will begin in late April and take about two weeks to complete.
The Internet media company also said it is beefing up antivirus protection for free e-mail users, giving them the ability to remove viruses from attachments -- a feature that had only been available to paying users.
Yahoo Mail is available in 15 languages in almost two dozen countries around the world.
Google last spring was the first to offer 1 gigabyte of free storage to users of its invitation-only test Gmail service, setting off me-too moves from rivals.
Gmail is now available only as an English-language service.
Microsoft currently limits free storage on its free MSN Hotmail accounts to 250 megabytes.
Yahoo and Microsoft each offer 2 gigabytes of storage to users who pay about 10 pounds per year for the service.
March 29, 2005 at 08:38 AM in Portals
Yahoo! News - Stolen Laptop Exposes Data of 100,000
Mon Mar 28,10:55 PM ET
By MICHAEL LIEDTKE, AP Business Writer
SAN FRANCISCO - A thief recently walked into a University of California, Berkeley office and swiped a laptop computer containing personal information about nearly 100,000 alumni, graduate students and past applicants, highlighting a continued lack of security that has increased society's vulnerability to identity theft.
University officials waited until Monday to announce the March 11 crime, hoping that police would be able to catch the thief and reclaim the computer. When that didn't happen, the school publicized the theft to comply with a state law requiring that consumers be notified whenever their Social Security numbers or other sensitive information have been breached.
The law is meant to alert people their personal information could be used by scam artists to obtain loans or conduct other business under an assumed identity.
UC Berkeley plans to advise the 98,369 people affected by the laptop theft to check their credit reports, although there has been no indication that any of the personal information has been used illegally, university spokeswoman Maria Felde said.
"The campus really regrets this happened and is taking steps to strengthen security in the future," Felde said. The university has set up a hotline, 1-800-372-5110, and a Web site, http://newscenter.berkeley.edu/security/grad/ to answer questions about the laptop theft.
The UC Berkeley incident follows several other high profile instances in which businesses and schools have lost control of personal information that they kept in computer databases.
Recent breaches have occurred at: ChoicePoint Inc., a consumer data firm duped into distributing personal information about 145,000 people; Lexis-Nexis, a data storehouse where computer hackers obtained access to the personal information of 32,000 people; and Chico State University, where a computer hacking job exposed 59,000 people to potential identity theft.
Universities have accounted for 28 percent of the 50 security breaches of personal information recorded by California since 2003, said Joanne McNabb, the chief of the state's Office of Privacy Protection. That's more than any other group, including financial institutions, which have accounted for 26 percent of the breaches affecting Californians.
This is the second time in six months that UC Berkeley has been involved in a theft of personal information. Last September, a computer hacker gained access to UC Berkeley research being done for the state Department of Social Services. The files contained personal information of about 600,000 people. That security breach hasn't been linked to any cases of identity theft, Felde said.
The risks of identity theft have risen in recent years as technological advances make it easier for businesses, schools and other organizations to create vast databases containing Social Security numbers, credit card account numbers and other personal information.
All that valuable data has turned the computer storehouses into inviting targets for thieves who frequently don't have to work too hard to pull off their crimes.
Computer hackers create some of the mischief by circumventing high-tech firewalls, but 58 percent of the breaches recorded by California officials have occurred after a computer or other device containing personal information is lost or stolen, McNabb said.
The security risks of these incidents could be minimized if the caretakers of the personal information encrypted the sensitive data, a process that makes it unreadable without the decryption key.
The laptop stolen from UC Berkeley was supposed to be encrypted this month, Felde said. The computer, which required a password to operate, was left unattended for a few minutes in a restricted area of a campus office before someone walked in and stole it, Felde said. A campus employee witnessed the theft and reported it to university police.
Authorities suspect the thief was more interested in swiping a computer than people's identities. Felde said there has been no evidence so far to indicate the stolen information has been used for identity theft.
The stolen laptop contained the Social Security numbers of UC Berkeley students who received their doctorates from 1976 through 1999, graduate students enrolled at the university between fall 1989 and fall 2003 and graduate school applicants between fall 2001 and spring 2004. Some graduate students in other years also were affected.
The stolen computer files also included the birth dates and addresses of about one-third of the affected people.
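The article's practical lesson is the gap between "required a password to operate" and "encrypted": a logon password gates the operating system, but the files on an unencrypted disk can be read by pulling the drive or booting another system. The following is an added example, written for this page and not code from UC Berkeley or the AP, of what protecting such a record set actually looks like: each row (name, Social Security number, birth date, address, the field set the article lists) is sealed with AES-256-GCM under a key that is generated off the device, and a second function performs the check a reviewer would run on the resulting file, confirming that none of the sensitive values survive in the clear. The record layout, the record IDs and the sample values are constructed assumptions; where the key is kept (a key service, or derived from a passphrase at run time) is assumed and not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// AlumniRecord mirrors the kind of row the article describes. The layout is a
// constructed assumption, not the university's schema.
type AlumniRecord struct {
	Name    string `json:"name"`
	SSN     string `json:"ssn"`
	DOB     string `json:"dob"`
	Address string `json:"address"`
}

// NewDataKey returns a random 256-bit AES key. The key must never sit on the
// laptop next to the data; it is held in a key service or derived from a
// passphrase at run time (assumed here, not shown).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord serialises one record and encrypts it with AES-256-GCM. The
// record ID is bound as associated data, so a ciphertext copied into another
// row fails to authenticate. Output layout: nonce || ciphertext || GCM tag.
func SealRecord(key []byte, recordID string, rec AlumniRecord) ([]byte, error) {
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh 96-bit nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. Any change to the blob, the key or the
// record ID makes the tag check fail before any plaintext is returned.
func OpenRecord(key []byte, recordID string, sealed []byte) (AlumniRecord, error) {
	var rec AlumniRecord
	block, err := aes.NewCipher(key)
	if err != nil {
		return rec, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return rec, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return rec, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return rec, fmt.Errorf("record %s: authentication failed: %w", recordID, err)
	}
	return rec, json.Unmarshal(plaintext, &rec)
}

// LeaksPlaintext is the reviewer's check on a "protected" export: does the
// stored blob still contain any sensitive field value in the clear?
func LeaksPlaintext(sealed []byte, rec AlumniRecord) bool {
	blob := string(sealed)
	for _, v := range []string{rec.SSN, rec.DOB, rec.Address} {
		if v != "" && strings.Contains(blob, v) {
			return true
		}
	}
	return false
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample row; the values are not real.
	rec := AlumniRecord{Name: "A. Example", SSN: "123-45-6789", DOB: "1970-01-02", Address: "1 Example Way"}
	sealed, err := SealRecord(key, "alum-0001", rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes; sensitive values visible on disk: %v\n", len(sealed), LeaksPlaintext(sealed, rec))
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the GCM tag
	_, err = OpenRecord(key, "alum-0001", sealed)
	fmt.Println("tampered blob:", err)
}
```

Binding the record ID as associated data is what stops a cut-and-paste attack on the file (moving one person's sealed row under another's identifier), and the size check before `Open` keeps a truncated blob from producing a slice panic rather than a clean error.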
March 29, 2005 at 08:37 AM in Phishing & identity theft
Yahoo! News - Microsoft to Implement EU's Windows Changes
BRUSSELS (Reuters) - Microsoft has agreed to implement all the "main changes" to its new stripped-down version of Windows requested by the European Commission, the software giant said on Tuesday.
The European Union's executive had ordered Microsoft to sell a version of the dominant computer operating system without its Windows Media Player program after ruling that the company had abused the near-monopoly of Windows to crush competition, and fined it nearly 500 million euros ($650 million).
The two disagreed over technical issues, but on Monday Microsoft said it would adopt the Commission's suggested name for the operating system, "Windows XP Home Edition N," after the EU anti-trust authority rejected 10 options from Microsoft.
"Earlier today we contacted the Commission and informed them that we have accepted all the main changes they have requested we make to the version of Windows without Media Player," said Horacio Gutierrez, Microsoft's top lawyer in Europe.
The modifications include technical changes to "registry settings," and removing references in product documents and packaging warning that certain products won't work without Media Player, Gutierrez told Reuters by telephone.
Microsoft had also agreed to create a software package allowing consumers to replace the absent media files, he added.
Gutierrez said "a few technical issues" remained to be resolved but added: "This basically takes care of 99 percent of the things they asked for."
A Commission spokeswoman could not immediately confirm that Microsoft had notified it of the changes.
The Commission's order is meant to open the market for alternative software to play films and music, from RealNetworks, Apple and others.
Microsoft is appealing the Commission's landmark decision, and other disputes are still simmering about a second order to share information with rival makers of servers and the appointment of a trustee to monitor Microsoft's compliance.
Microsoft could ultimately face fines of up to $5 million a day if the Commission finds it is refusing to comply with its decision.
March 29, 2005 at 07:51 AM in Microsoft
Economist.com | Illegal file-sharers under attack
Mar 24th 2005
From The Economist Global Agenda
The entertainment industry is taking its battle against illegal downloading to America’s Supreme Court. But attacking the technology behind file-sharing could stifle innovation without tackling the industry’s long-term problems
THE music business should have stuck by Thomas Edison’s technology if it wanted to avoid the threat of piracy. His wax cylinders could record a performance but could not be reproduced; that became possible only with the invention of the flat-disc record some years later. On Tuesday March 29th, America’s Supreme Court will begin to hear testimony in a case brought by the big entertainment companies that is intended to stop the illegal downloading of copyright-protected music and film. The industry’s target is the peer-to-peer (P2P) technology that allows the swapping of files directly over the internet. The defendants in the case are two firms that make file-sharing software: StreamCast Networks and Grokster.
The entertainment business has long been susceptible to copyright infringement—and it has usually blamed the electronics industry. The music industry first cried foul at the introduction of the cassette-tape recorder in the late 1960s. More recently, the digitisation of music has allowed “burning” of music tracks on to CDs with the help of a computer. The latest threat to the record companies is a copying technique of even greater speed, ease and scope. Every day some 4m Americans swap music files over the internet, according to figures from Pew, an independent research organisation. And now the swapping of new films online is gaining ground too, to the chagrin of the movie industry.
This comes at a particularly bad time for the music industry, which is struggling to reverse a long-term decline. According to the IFPI, a recording-industry umbrella group, worldwide music sales plunged in value by 22% in the five years to 2003—a drop of over $6 billion. In 2004, sales fell by 1.3%, though that decline looks less bad when revenue from legal digital downloads is added in. The music industry largely blames illegal file-sharers for its ills, noting that CD sales are dipping steeply in countries where broadband internet access is growing fast.
Some suggest that the latest attempt to curb illicit file-swapping—legal action against the technology that drives P2P networks—threatens the future of innovation. P2P software allows computers to talk to others running the same software without having to use intermediaries. Grokster and StreamCast argue that they are not able to control the use to which their software is put, whether it be searching, downloading or sharing.
In court, the two software firms will no doubt cite the case of Sony’s Betamax technology as a precedent. The home video-recording system, which was eventually superseded by VHS, faced a suit by Disney and Universal, decided in 1984, that called for its ban. The entertainment firms feared that the ability to record on to video would allow considerable infringement of their copyright. America’s Supreme Court ruled that Sony was not liable because the equipment had “substantial” uses other than infringement, such as the recording of TV programmes for later viewing.
Similarly, the software produced by StreamCast and Grokster has significant non-infringing uses, such as sharing music that is not copyright-protected and internet-routed phone calls. In fact, some make the case that P2P technology could make the internet more robust and secure by avoiding the use of centralised servers, and that the entertainment companies’ lawsuit is thus harmful to the web as a whole.
Napster, the first and best-known of the file-sharing businesses, was killed off by the music industry in 2001. Because it used central servers and so had the ability to block users who broke copyright laws, a judge issued an injunction ordering Napster to shut its servers down. At the time, it boasted some 14m users. Since then, the industry has ramped up action against file-sharing and widened its attack by going after individual downloaders as well.
At present, some 8,000 individuals around the world face lawsuits for illegal file-sharing. The industry has backed up its legal moves with a publicity offensive aimed at convincing the public that unauthorised downloading is theft. As well as cinema- and TV-advertising campaigns, 45m instant messages have gone out to users of P2P services, warning them to stop putting copyrighted material on the internet. America’s Department of Justice has weighed in too, even suggesting that P2P services could be used to support terrorism. Others have muttered darkly that the technology is a conduit for illegal pornography.
There are some signs that these measures are working: surveys suggest that internet users are becoming more wary of illegal file-sharing, for instance. However, according to the IFPI’s own figures, the number of unauthorised music files on the web has grown in recent months after falling sharply in the first half of 2004 (see chart). The number of users is also up, with 8.6m offering illegal files compared with 6.2m a year ago.
The music business has employed other defensive measures. Apart from a round of mergers and cost-cutting over recent years, the industry has tried to embrace legal downloading. Napster itself was reborn as a legal downloading service. And in 2004, according to the IFPI, the number of legal download sites increased four-fold to 230 and the number of legal downloads to over 200m (a figure that could double in 2005, according to forecasts). Apple’s iTunes, the largest legal download catalogue, has over 1m songs available and handles over 1m downloads a day.
But even if the entertainment business manages to coax more users into paying for legal downloads and succeeds in court against Grokster and StreamCast, its problems are unlikely to go away. True, a Supreme Court ruling in the industry’s favour would put paid to other P2P services. But it is not clear that curbing illegal downloading will translate into extra sales for the music business. A rush into legal downloading would hardly be good for sales of CDs: some cannibalisation is inevitable. And perhaps the decline in global sales is indicative of a far greater problem for the music industry—consumers simply think that many of its products are just not worth paying for.
March 29, 2005 at 07:50 AM in Business Models
March 25, 2005 at 12:54 PM in Business Models
Photography by Roy Wright
Independence Savings Banks charged Landy Verderame Arianna Architects to redesign its branch offices to reflect the local culture and flavor of each neighborhood.
It has always been a challenge for financial institutions to find ways to create a distinct identity. As a result, they need to look beyond just their service offerings to find ways to distinguish themselves in the eyes of their customers.
That challenge is even greater if you're an institution that relies heavily on branch offices to attract customers and deposits. The cost of "bricks and mortar" branching is significant. Plus, often there are conflicting goals of propagating a singular corporate visual identity, while at the same time conveying a sense of community and commitment to the neighborhoods in which the branches reside.
Independence Savings Bank, based in Brooklyn, NY, faced all of these factors when it undertook a major overhaul of its branch banking system beginning in 1994. The bank, with assets exceeding $4 billion, is one of the fastest growing institutions in the northeastern United States. Through growth and, in part, acquisitions, the bank's branch network now stands at 34. Branches can be found in neighborhoods representing practically all socio-economic sectors within the New York City metropolitan area.
The ATM at the Roosevelt Ave. branch shows how Independence Savings Bank's logo and signage was incorporated into Vitricor surfaces.
A driving force behind the overhaul program was the desire to give Independence Savings Bank branches a distinctive appearance in order to differentiate them from other neighborhood branches. "We wanted our customers to feel comfortable banking with us," says Terence J. Mitchell, the bank's executive vice president and director of retail banking. "To accomplish this, each of our branches was redesigned to reflect the local culture and flavor of the neighborhood."
That approach is unusual. Typical branch offices of financial institutions adhere to a "corporate style" of mandated colors and materials that can rob them of a strong personality and tend to give them a "cookie cutter" appearance. Given the inner-urban environments of many of the branches, a common practice has been to redecorate them frequently, but to use only average materials in the belief that it is uneconomical to invest more.
The New York City architectural firm of Landy Verderame Arianna was selected to produce the designs for the branch overhaul project. Instead of establishing a rigid "design standard" to be adhered to across the system, a decision was made to use a surfacing material as the standard: Vitricor®. Vitricor is a methacrylate decorative surfacing that provides a reflective gloss appearance much like that achieved through hand-lacquering. It also is available in a matte finish known as Mist, as well as in woodgrains and stone patterns known as Impressions by Vitricor.
"Independence Savings Bank had actually used Vitricor in two of its branches back in the late 1980s," explains Deborah Verderame, RA, ASID, a principal at Landy Verderame Arianna. "It turned out that, in addition to its unique appearance, this material actually held up better than other surfacing materials used. As a result, we felt that the Vitricor would provide not only a distinctive design statement, it would also be the best choice for the long-term from a cost standpoint."
Since 1994, more than 20 Independence Savings Bank branches have been redone. In some instances the interior of the branch has been completely gutted and redesigned, while in others, existing fixtures and furnishings have been resurfaced. The Vitricor material has been the central unifying element in each project: it appears on wall surfaces, on teller stations and check-writing stands, as well as on the ATM surrounds located in the 24-hour banking areas.
At the Jackson Heights branch, strip lighting underneath the purse shelf at teller stations highlights the bank's logo and diamond inlay pattern displayed on the vertical surface.
Independence Savings Bank favors the use of red, white and blue colors in its branch interiors. Such a combination could have turned out to be problematic for designers, except that the bank's only directive was that "some aspect" of the colors appear in each branch design. Robert P. Braun, RA, one of the Landy Verderame Arianna architects working on the project, explains. "They wanted all of the branches to have some subtle reflection of the three colors. But that still gave us a lot of leeway.
"At the recently completed Prospect Park branch in Brooklyn, for instance, we have a blue matte Vitricor, exposed red brick walls, and plenty of white on the walls. At the Broadway branch in Queens, the floor tiles are blue, but they also incorporate white and red tones. That's completely different from many corporate design standards, which often require the same millwork, the same light fixtures, the same flooring, carpeting, wall covering and decorative surfaces," says Braun.
"The flexibility we were given made it much easier for us to give each branch an individual personality and tie it into the neighborhood," adds Verderame. "The Roosevelt Ave. branch in Queens is anchored in a Hispanic neighborhood. The color scheme we used there actually emanated from a colorful chair fabric that is reflective of the Latin American culture. We led with that color scheme and designed the rest of the elements around that," she notes.
Another striking element is the integration of signage and lettering into the Vitricor surfaces. Independence Savings Bank's name and logo are prominently incorporated into the ATM surrounds. In addition, the logo is displayed on the vertical surfaces of the teller stations. "Since we place strip lighting underneath the purse shelf, it is an ideal location to highlight the bank's logo," says Verderame. Some of the teller stations feature other artistic inlays or embossed-like elements to add interest and flair to the 40-foot-long teller station expanse. Others have incorporated the indicator lights in clear Vitricor material. The effect is rich and elegant.
Floor plan legend: A. Vestibule; B. Corridor; C. Travel agency; D. Work room; E. Conference room; F. Expediting area; G. Banking hall; H. Teller line; I. Office; J. Hallway; K. Stairway; L. Closet; M. Restrooms; N. Break room; O. Lockers; P. Community room; Q. Open to below; R. E-mail.
March 23, 2005 at 11:34 AM in Financial Services
The Banker: Inside the branches
Published: 02 July, 2004
Page 140
The bank branch is undergoing another transformation as the emphasis shifts further towards self-service offerings, using ATMs, smart ATMs and online kiosks. Rekha Menon looks at progress.
The role of the bank branch has undergone a number of transformations in recent times. Although the branch, as the oldest delivery channel, represents the bank and its value proposition in the customer’s mind, several industry pundits predicted its demise during the internet heyday, suggesting that new-age delivery channels such as online banking would replace it. When the internet bubble burst, such predictions came to nought and the branch has once again been identified as a critical delivery channel. But this time its role is being perceived differently.
Enduring delivery channel
Unlike other delivery channels, the branch is one place where most bank customers still go for complex transactions that are facilitated by human interaction. By providing face-to-face human contact, branches are in a unique position to help banks to develop invaluable personal relationships with customers. Banks are therefore migrating routine banking transactions, such as cash withdrawal and deposit, funds transfer and standing instructions, to the less expensive non-traditional delivery channels, such as ATMs, telephone banking and online banking. This gives bank staff more time and space to focus on higher-end activities, such as client relationship management and sales, which helps to drive down costs and increase revenues.
Inside a branch, the emphasis is on self-service, on enabling bank customers to complete routine banking transactions without any human intervention through self-service terminals like cash-dispensing ATMs, smart ATMs and online kiosks. For instance, leading UK high street bank Barclays has introduced more than 600 quick pay point machines across its branches that enable customers to make payments by cash, cheque or a combination of the two, without having to queue for a teller.
According to analyst firm Forrester Research, in an effort to enhance self-service terminals at their branches, more than four-fifths of European banks have enhanced their ATM networks with functionality beyond cash withdrawals, three-quarters plan deposit ATMs, and more than half are adding kiosks (self-service PCs for online banking). Two-thirds of these firms are enabling ATMs with bill payment or statement printing options, and one-third are ordering account management functionalities such as changing PINs. Product marketing through ATMs is also being considered by one-third of these banks.
Marketing via ATM
OCBC Bank, a leading Singapore-based financial services group, has introduced targeted marketing and a personalised experience at all its in-branch ATMs in Singapore. The bank is the first in Asia to target personalised product and service offerings, record potential customer needs based on individual transactions and provide frontline customer service staff with the information they need to respond better to customer needs and identify cross-selling opportunities.
Patrick Chew, head of delivery, consumer financial services at OCBC Bank Singapore, says that ATMs are an important link in the bank’s customer relationship management (CRM) strategy. “We launched our CRM strategy in 1999 and in due course linked up all other delivery channels: branch, call centre and internet. Linking the ATM was the next logical step in our effort to provide our customers with an enhanced banking experience,” he says.
Among the various features that the bank has introduced, the most popular has been a “usual transaction” feature that provides bank customers with the option to customise and pre-set their usual ATM transaction choices such as the dollar amount and receipt option. During the pilot period, OCBC found that more than 60% of customers who used the upgraded ATMs signed up for the new feature, which according to the bank reduces the transaction time by up to 30%.
Industry observers believe that such features, which positively enhance the banking experience, can lead to an increase in usage of the self-service terminal for the bank. Banks in general have found it quite difficult to increase the level of self-service in branches because customers who visit branches are usually those who want human contact and are usually not comfortable with the non-branch delivery channels like ATMs, telephone and the internet. To get them to use an ATM in a branch is not easy, a fact that was highlighted in a survey carried out by Forrester Research. The survey showed that nearly one-third of branch transactions are over-the-counter primarily because banks do not actively encourage migration to the automated branch platforms out of fear of annoying customers.
Encouragement needed
Banks that adopt a wait-and-see policy on customer migration to self-service at the branch will be disappointed: customers will stick to their habits and will not switch to self-service terminals, says Charlotte Hamilton Clark, analyst at Forrester Group and author of the survey report, Fostering Self Service at the Branch. Banks should also use branch staff to help branch users gain confidence in ATMs, says Ms Clark. She gives the example of UK building society Nationwide, 75% of whose customers use self-service ATMs once they are shown how, compared with only 5% of customers that migrate of their own accord.
There is a wide array of ATMs available from vendors such as NCR, Diebold and Wincor Nixdorf. There are plain vanilla cash machines, and there are new-age ATMs based on open architecture that can be included in a bank’s multi-channel integration exercise. OCBC Bank has deployed APTRA Relate from NCR, which enables it to design a tailored CRM solution for the ATM. APTRA Relate is one of the solutions in NCR’s APTRA suite of solutions that are designed for self-service banking.
According to Ms Clark, when a bank is deploying ATMs, it should clearly communicate the function of the self-service terminal to customers. This would allay a first-time user’s anxiety and confusion. Banks should also bear in mind other factors affecting customer psyche; for instance, Ms Clark says, banks should realise that customers only feel comfortable using new terminals like cheque-imaging and cheque-deposit ATMs inside the branch, where help is at hand. She also suggests that in the basic ATMs, which are plain cash dispensing machines, banks must avoid time-wasting financial product advertising or time-consuming additional third-party services like ticketing.
Bo Harald, vice-president and head of electronic banking at Nordea, the largest financial services group in the Nordic and Baltic regions, is also critical of direct marketing features on ATMs. “There is usually a long queue in front of ATMs and having such a feature will only increase transaction time, which is quite the opposite of what customers would like to experience. An ATM is a very expensive device and the shorter the transaction times, the better,” he says.
Direct marketing strategy
Although OCBC Bank has deployed enhanced ATMs and is using direct marketing on-screen messages, it is careful about not wasting customers’ time. “We don’t want to overwhelm our customers with unnecessary marketing messages. Instead what we have done here is to leverage on the capability of our CRM-powered ATMs to recognise the unique needs of each of our customers and then target relevant products and services according to what they need,” says Mr Chew. At OCBC’s ATMs questions like “Your fixed deposit is maturing soon. Would you like to find out how to earn more interest?” or “Would you like a reno loan with your recently approved housing loan?” pop up while a customer is awaiting a cash transaction to come through, requiring the customer to press a ‘yes’ or a ‘no’ button. The responses are channelled to the bank’s personal financial consultants, branches or call centre for future follow-up.
Industry experts suggest that marketing programmes that are designed to meet specific needs of customers are a powerful way to leverage the number of contacts that customers make with the bank through the ATM.
New-age technologies and open standards are coming together to include ATMs in the multi-channel integration strategy of banks. But banks need to realise that to enhance the branch self-service proposition, the solution needs to be implemented intelligently, keeping in view the customer psyche and requirements.

March 23, 2005 at 11:28 AM in Financial Services
By Kenneth Cline
Even as Wachovia's Ken Thompson forges a retail strategy based on service, sales and new customer acquisition, merger integration remains a key concern.
As 2004 draws to a close, retail banking strategy at Wachovia Corp. is dominated by a familiar theme: merger integration.
Never mind that in the last four years, chairman and CEO G. Kennedy "Ken" Thompson has also presided over a complex evolution of Wachovia's retail operations based on improved service quality, sales management and customer acquisition. The Charlotte-based company now has a multiple channel delivery system that is able to provide appropriate products and service levels to a wide array of targeted customer segments. And more refinement of that model is underway.
Yet for now, and for Wachovia's executives as well as for Wall Street, merger integration remains the front-burner issue.
In June, Wachovia announced a $14 billion purchase of Birmingham, Ala.-based SouthTrust Corp., which comes shortly after the completion of the company's landmark deal, the 2001 merger of First Union Corp. and the old Wachovia Corp. Last year, Wachovia also undertook a joint venture with Prudential Financial Corp.'s retail brokerage operation that created the third largest U.S. brokerage.
It's fair to say, then, that merger integration has been a top-of-mind issue at Wachovia since Thompson assumed command of the old First Union in April 2000. This makes it difficult for Thompson, 53, to keep analysts and investors focused on the more fundamental changes and improvements engineered by his retail operation, headed by senior vice president Benjamin Jenkins, 60. Jenkins manages the company's General Bank, which includes 1,637 retail branches and the small business banking and recreational dealer finance units.
Wachovia's "challenge, in the near term, is integrating the most recent deal," i.e., SouthTrust, says Denis Laplante, an analyst with Keefe, Bruyette & Woods Inc. in New York.
The SouthTrust integration occurs in the context of Wall Street's long-held concern that mergers take up too much of management's attention at Wachovia. "Any time you have a focus on a deal, it takes away resources from customer contact and customer marketing," Laplante says. This causes some frustration for Thompson, who likes to point out that deposit growth and service quality metrics improved steadily throughout the First Union/Wachovia integration process. "We ought to be applauded for doing two things at once, not criticized for it," he says.
One problem is that Wall Street still remembers the problems predecessor First Union encountered in its 1998 integration of CoreStates Financial Corp., when a rushed systems conversion caused massive customer defections.
This time, the concern has less to do with systems integration — which is expected to go smoothly, given the fairly straightforward systems architecture at SouthTrust — and more to do with SouthTrust employee morale as the combined bank adopts Wachovia's more robust sales culture. Will employees stay or leave? "Investors should not underestimate the challenges of bringing the SouthTrust retail system up to Wachovia's level," says Gerard Cassidy, managing director of bank equity research at RBC Capital Markets in Portland, Maine.
The merger integration is scheduled to be completed in the first quarter of 2006. In the meantime, Thompson and his team also are contending with the issues of running the bank, which includes managing in a rising rate environment.
Service Matters
The ramifications of rising rates are complex. In certain scenarios, such as when assets re-price faster than deposits, higher rates can help bank profitability. But retail bankers will certainly be challenged to grow deposits, since customers will be looking for higher yields in the broader market. This will at least partially reverse the trend of recent years, when customers had few attractive alternatives to low-rate bank accounts.
"We won't have the rising tide lifting all boats that we've had over the last several years," Thompson says.
The challenge for banks will be to keep this money in-house, whether that means in certificates of deposit, money market accounts or investment accounts, in order to preserve as much share of the customer wallet as possible. In this arena, Thompson argues, Wachovia is fully competitive, since it can offer a wide array of bank deposit and investment products through multiple delivery channels. "We are well balanced in that we can play in the bank deposit market or in the investment market at the same time," he says.
This balanced approach is at the heart of Wachovia's retail strategy, which stresses quick and efficient service in the branches and call centers for transactors and a full product array for investors. The investors can be served by licensed salespeople in the branches, or off-site brokers and financial experts who work closely with the branches.
This delivery system is backed up by a rigorous enforcement of service quality standards based on up-to-date feedback from customers using all the company's branches and call centers. To obtain this feedback data, Wachovia has hired the Gallup Organization to survey each week a sample of 6,500 Wachovia customers who recently visited a bank branch or phoned a call center. The data is compiled into weekly reports, which the managers use to either praise and reward employees who met customer service expectations or coach those who fell short. The scores for individual branches and call center units are also linked to the compensation system, so they become an important factor in how Wachovia employees get paid.
To measure itself against industry standards, Wachovia looks at the University of Michigan's American Customer Satisfaction Index (ACSI), which ranks the four major retail banks in the U.S.: Wachovia, Bank of America Corp., Bank One Corp. and Wells Fargo & Co. Both Gallup and ACSI data show a steady improvement in service quality at Wachovia in recent years. In the most recent ACSI ranking (fourth quarter of 2003), Wachovia beat its three peers.
Jenkins recently added customer loyalty to the mix as a metric to be analyzed and linked to incentives. The weekly Gallup survey of Wachovia customers now includes three questions that seek to determine whether the respondent is likely to stay with the bank, such as "Would you recommend Wachovia to a friend?" An affirmative answer to the question, Wachovia believes, shows the customer is likely to stay loyal.
"We want to go beyond customer service and achieve loyalty," Thompson says. "We think there's a big payoff in revenue."
Book of Business
As important as service quality and customer loyalty are, retail profitability also depends on sales — moving more product through existing delivery channels — as well as customer acquisition. Wachovia measures and incents all of these through a management system known as "book of business."
As Jenkins explains it, each branch maintains separate books of business — essentially names of its existing and potential customers — categorized by three strategic initiatives. The first is the retention book, which comprises a list of customers identified by Wachovia's customer integration group as highly valuable. The branch employees are asked to provide these customers with special attention and service so they remain loyal.
The second book contains names of people who are good customers, but who have purchased only a few products from the bank. Branch employees are asked to cross-sell to these customers and try to tie them more closely to the bank.
Finally, there's the third book, which is focused on new customer prospects. Employees are asked to contact these people and try to sell them a checking account or other product.
This approach by Wachovia differs from other banks that manage their branches through individual profit and loss statements. From Jenkins' perspective, separate P&Ls incorporate many elements outside the control of branch employees. By tying employee compensation to 1) service quality as measured by Gallup, 2) sales productivity as measured internally, and 3) what's happening with the balance sheet as measured by each branch's book of business, Wachovia is able to "measure totally what we can control," Jenkins says.
Since Wachovia has already made good progress on customer service and sales productivity in recent years, Jenkins says he and his team are working hardest right now on customer acquisition, an effort that includes advertising, new products and de novo branch openings, particularly in Texas and New York City.
Jenkins is specifically focusing on customer acquisition in the small business and affluent markets. Unlike many banks, which serve small business out of their wholesale or commercial units, Wachovia houses small business customers with up to $3 million in annual sales in the retail bank, with the branches functioning as the service nexus. Small business customers can take care of their basic needs, such as deposits, in the branches while small business bankers are available at nearby locations to handle more complicated issues.
For the affluent market, Wachovia recently introduced its private advisory banking program, which focuses on customers with investable assets in the $250,000 to $2 million range. Like the small business specialist, a private advisory banker typically services several branches from a central location to take care of retail customers with complex financial needs at a level below the wealth management group, which handles customers with $2 million and up in investable assets.
Below the level served by private advisory bankers, customers can receive help from branch platform employees licensed to sell mutual funds and annuities, known as "financial specialists." These financial specialists, in turn, work with and are coached by licensed brokers who work outside the branch and can handle more complex investments, like stocks and bonds.
Wachovia's system is designed to provide investment and insurance products for customers at all levels. One missing element is financial planning for the mass market, which is currently available only to wealth management clients. But Jenkins says plans are underway to introduce a simpler version of financial planning to the mass market by next year.
"For a company with a broad retail product line and a broad investment product line, the retirement market is very attractive," Jenkins says. "And as people think about retirement, they think about financial planning."
Network Optimization
This question of how to serve the mass market efficiently is a perennial issue in banking. Most institutions are generally aware that affluent customers are the most efficient to serve simply because they provide more business to the bank per employee time devoted to serving them. A Wachovia study has found that the typical affluent customer costs $554 per household to serve, but represents $1,837 in revenue per year, compared to a cost of $515 and revenue of $801 for the mass market customer. The "network efficiency" of serving affluent customers, then, is nearly double that of the mass market.
"That told us we need to be really attuned to acquiring affluent customers, and we're all over that," Jenkins says. "On the mass market side, there may be a way to do things more efficiently."
Jenkins intends to proceed gingerly on the latter front. Both he and Thompson are adamant about the need to retain current headcount and service quality levels in the branches. Earlier this year, Wachovia hired a former McKinsey & Co. consultant, Jonathan W. Witter, as its new head of distribution to look into the issues involved in network optimization. This means making sure the appropriate level of resources are allocated to each customer segment and delivery channel. "Like a grocery store, we have to make sure that shelf space in our distribution system is allocated properly between products," Thompson says.
Also like a grocery store, Wachovia needs to keep adding outlets to increase market share. One big plus to the SouthTrust acquisition, Thompson says, is that it jumpstarts Wachovia's entry into Texas by about two years. Prior to striking the deal, Wachovia had planned to open about 40 de novo branches in Texas this year. The addition of SouthTrust gives Wachovia an in-place network of 60 branches in Texas, to which the planned branches can be added. Jenkins says he then expects to build 150 to 175 more branches over the next four years in a state that's growing faster than the national average. Wachovia also believes its four targeted markets — Dallas, Houston, San Antonio and Austin — are on the cusp of a robust job recovery.
And Thompson sees another opportunity. Since SouthTrust's branch sales productivity is less than Wachovia's in several key areas such as core deposits and investments, he estimates that bringing SouthTrust's 665 branches up to Wachovia's standards will generate "a couple of hundred million dollars" in revenue opportunities not included in the financial estimates Wachovia presented when the deal was announced.
Wall Street will be watching this integration process closely, in part because bad memories from the CoreStates debacle of 1998 still linger. First Union had focused so much on headcount reduction during the integration in order to meet financial projections that the CoreStates branches were ill-equipped to handle service complaints generated by a rushed integration effort.
No problem of this magnitude showed up in the subsequent First Union/Wachovia merger, which helped the company regain credibility on the merger integration front. But Thompson concedes that a definitive judgment on the SouthTrust integration awaits the completion of the merger in the first quarter of 2006.
As for whether the new Wachovia has once again become the "merger machine" First Union was in the '90s, Thompson says, "We spend very little time focused on the next company we're going to buy. We're focused on execution, organic growth and customers."
Mr. Cline is senior editor of Banking Strategies.
Copyright © 2004 by Banking Strategies, published by BAI.
March 23, 2005 at 11:19 AM in Financial Services
IBM - Bank branch transformation: The new multi-channel reality
By: Patrick Brazel, CEO Eontec Limited and Mark Greene, General Manager, Global Banking Industry, IBM Corporation
"... the emergence of branch renewal within a broader integrated multi-channel delivery infrastructure for retail banking continues to be one of the most significant trends today." — Retail Banking Fact Sheet 2002, © 2002, The TowerGroup
Representing and protecting the brand of an organization, providing a physical presence and serving the full range of customer needs, the branch network has always been the heart of a bank's franchise and revenue generating potential.
Yet not all that long ago, many analysts and industry commentators were convinced that the bank branch was going the way of the dinosaur. And who could blame them? The evidence was clear for all to see. A combination of increased competition, especially from non-banks with trusted, proven brands, tougher economic conditions, and industry consolidation meant that achieving rapid cost savings was right at the top of the management agenda. The result was that some banks started closing branches, sometimes in great numbers and often with what seemed, at least to many of the banks' customers, undue haste.
Similarly, rapid changes to demographic and commuting patterns left increasingly time-poor customers looking for alternatives to having to visit their local branch. Advances in self-service banking, particularly by phone, through ATMs and over the Internet, seemed just what the customer needed and appeared to make branches totally redundant.
However, the bursting of the Internet bubble mirrored a marked transformation in the way banks now view their branch networks. As more and more customers access banking products and services through multiple channels, banks have come to realize that the distinctions between the channels are not nearly as clear and defined as once believed.
Customers are increasingly clear (not to mention vocal) about how they view their branches. While they like the convenience of Internet Banking, they also like the personal nature of branch banking. For example, research in the UK published by Deloitte & Touche, "Bring back the Branch: September 2002," underlines the importance of the branch as part of a multi-channel network and stresses the role of the branch as an engine for future growth. According to this research, the branch is used by more than 80% of all bank customers and is the preferred channel for 52% of consumers interviewed. The Deloitte & Touche research also directly contradicts the entrenched belief that young consumers prefer the Internet, finding that 78% of 16- to 24-year-old account holders use branches in preference to the Internet or phone.
Similarly in the United States, customers are reinforcing the multi-channel role of the branch in how they wish to do business with their bank. Research from Forrester, "Comparing Channel Usage At The Top US Banks: Forrester Techstrategy, June 2003," indicates that 47% of online U.S. households say they have used an electronic channel to manage their financial accounts in the past, but they plan to use human channels in the future. The same research shows that only one in three online financial services consumers intends to do routine transactions electronically in the future.
In addition to a blurring of distinctions between channels, revitalized branch networks have re-emerged as combined centers for advice-based product sales and service, as well as more traditional banking transactions. Customers want more than just a place to complete transactions. They want a full-service center for all their needs -- from banking products to brokerage services.
Under the trend towards multi-channel banking and the growth of full-product sales and service centers is the realization that whether a customer accesses a bank's products and services through a branch, the Internet or via a call center, the provision of real-time customer knowledge is the key to ensuring consistency of product and service. Ensuring consistency of product and service is the key to retaining profitable customers -- especially in today's competitive banking environment where customers are increasingly mobile and fickle. In fact, almost half of U.S. consumers have dumped their primary financial provider at least once. ("Winning The Changing Financial Consumer -- Forrester Techstrategy: July 2003.")
Branches -- A New Multi-Channel Reality
Any banker can easily prove that electronic transactions, like balance inquiries and account transfers, are exponentially cheaper than the same transaction conducted through a bank representative either in a branch or through a call center. Yet at the same time, face-to-face contact with a bank representative is still the most effective way of building revenue from high value sales and services. Optimizing the channel mix as part of a multi-channel strategy to service and sell to customers is the new reality -- and at the heart of this reality remains the branch.
Yet, today's transformed branches bear little resemblance to what preceded them. Rather than a banking hall with a limited range of mainly cash-focused functionality, transformed branches are destined to become collaborative, networked service centers that sell multiple product streams. Lightly staffed and highly adaptive to local market niches and conditions, transformed branches are differentiated by open standards, connectivity to internal or external service networks through integration hubs, and the ability to easily add additional customer-focused banking services to meet changing customer demands.
While branches may be transforming, some things will remain the same for banks: the need to reduce costs, decrease risk and increase sales.
* Reductions in development costs, time to market, implementation costs, maintenance costs and total cost of ownership (TCO) can be achieved by reusing and deploying applications built from proven banking services across multiple channels and disparate systems. Such banking services should of course operate independently of the channel that uses them. Thus, whether a balance check is performed in a branch, online or by telephone the same service is being used, resulting in a consistent outcome for the customer and the bank.
* Operational risk may be reduced by leveraging a bank’s existing systems, maintaining a rigorous and disciplined software development and delivery environment, and deploying proven software applications that are flexible and scalable enough to meet the most challenging of future demands. Further reductions in risk may be achieved by using a proven platform such as the IBM WebSphere software platform, which offers a comprehensive set of integrated e-business solutions based on industry standards such as eXtensible Markup Language (XML) and Java technologies.
* Increased sales can be delivered by boosting cross-selling and up-selling opportunities. To best achieve this, banks need to excel at two things -- the ability to quickly roll out new and enhanced products to meet specific customer needs and to leverage customer knowledge where it counts -- at the point of customer contact. Using Eontec component-based solutions allows a bank to rapidly address the origination and fulfillment of additional financial products by quickly extending Eontec Banking Services across more customer interaction points, thus achieving even greater ROI, increased operational efficiencies and shorter time to value.
Equally important is the need for tellers to leverage customer knowledge. Tellers and call center agents don't have time to assimilate and analyze exhaustive databases when dealing with customers - they need a simple, intuitive, informative view of the customer. That's why Eontec infuses every customer contact point with specific information relevant to that customer. Presented visually, with a single glance, and supported by more detailed information and contact history at the touch of a button -- the end result is increased conversion of customer contacts into closed sales and deepened relationships.
For banks, branch transformation is rapidly becoming one of the key drivers of competitive advantage allowing them to maximize revenue opportunities by delivering highly focused banking services to their customers while at the same time managing costs and improving productivity. Transforming branches -- especially as part of a multi-channel strategy -- means that an asset, which was once isolated and undervalued, is now a vital profit center.
March 23, 2005 at 11:08 AM in Financial Services
Internet News Article | Reuters.com
SAN FRANCISCO (Reuters) - Yahoo Inc. (YHOO.O) said on Wednesday it will soon begin giving users of its free Web e-mail service 1 gigabyte of storage, four times more than it now offers, amid intense competition.
Consumers are increasingly using their Web e-mail inboxes as a repository for e-mail as well as digital photos and documents. Web e-mail providers have been responding with offers of ever more free storage.
Yahoo said the global storage upgrade will begin in late April and take about two weeks to complete.
The Internet media company also said it is beefing up antivirus protection for free e-mail users, giving them the ability to remove viruses from attachments -- a feature that had only been available to paying users.
Yahoo Mail is available in 15 languages in almost two dozen countries around the world.
Google Inc. (GOOG.O) last spring was the first to offer 1 gigabyte of free storage to users of its invitation-only test Gmail service, setting off me-too moves from rivals.
Gmail is now available only as an English-language service.
Microsoft Corp. (MSFT.O) currently limits free storage on its free MSN Hotmail accounts to 250 megabytes.
Yahoo and Microsoft each offer 2 gigabytes of storage to users who pay about $20 per year for the service.
© Reuters 2005. All Rights Reserved.
March 23, 2005 at 09:01 AM in Portals
Managing IT as a business for the business
Nov. 2004 -- Let's start with this premise: Practically every large enterprise today is completely dependent on information technology. Whether it's a financial institution's online banking portal or a manufacturer's supply chain linked to key suppliers, the service quality that IT organizations provide is essential to business success.
Now, though, IT organizations are being asked to do more. They're being asked to become reliable, low-cost IT service providers. They're also being asked to align strategically with their internal line-of-business customers. Increasingly, the view from the top is that IT should focus on business as well as technology outcomes and should become an enabler of a company's success.
The challenge is that most IT organizations have evolved as IT-centric cost centres focused more on technology management than on service and on users instead of customers. One study says that nearly 70 percent of IT departments still function as tactical, reactive technology partners rather than as strategic service providers and business enablers.
How then does an IT organization transform itself into a service provider strategically aligned with the business? At HP, we have all the pieces — the systems, HP OpenView management software, and the consulting services — to help IT organizations make this transition. We also have a robust set of best practices based on our extensive experience working with IT departments around the globe.
The key, we have found, is to integrate process, people, and technology through a combination of management software and IT services best practices.
The Role of IT Service Management
Many IT organizations seeking a roadmap through this transformation have turned to IT Service Management for guidance. IT Service Management is based on the IT Infrastructure Library (ITIL), the most comprehensive and respected source of information about IT processes. To make these best practices even more accessible to our enterprise customers, we developed the HP ITSM Reference Model. This reference model covers such issues as service delivery assurance, continuity and security management, configuration and change management, and much more. Many customers have told us that they have found this reference model to be an invaluable tool for implementing changes to their processes, people, and technology.
Let's look first at the importance of process in IT transformation and the high cost of process problems. While technology management has been the traditional mainstay of IT, most IT organizations now realize that poor service delivery has little to do with technology and much to do with poorly designed or missing IT processes. According to our estimates, nearly 80 percent of unplanned downtime results from process and people issues. The best technology is not helpful if a service fails because of a process-related problem.
Clearly, improved processes are useless without people. But the people component of IT refers to more than a simple understanding of how process reengineering and process management affect IT staff. It also involves skill sets, attitudes, and the new roles and responsibilities that the staff must assume to be successful. Examples include viewing the consumers of their services as customers and expanding their focus on technology to include a focus on service delivery. Each of these human aspects must be transformed in order for IT organizations to evolve from technology to service providers.
Making new or improved IT processes function smoothly often requires significant changes to existing technologies as well as incorporating new technologies into the existing IT environment. An IT organization needs special tools to automate processes and the collection of information needed to manage IT services across the enterprise. This list can include tools that let companies view their Internet infrastructure and simulate and monitor business activity; track the performance of Web sites and improve the customer experience; and provide timely and accurate service reporting.
Stages of IT Evolution
Before an IT organization begins this kind of transformation, several key questions should be addressed. For example, where should an IT organization start? Should the team try to transform everything at once? What are the priorities? Do they need to cut costs? Improve service delivery? Or is the goal to comply with regulatory requirements like Sarbanes-Oxley or HIPAA in the U.S. or Basel 2 in Europe?
Some IT departments may know their goals and their desired end-state but are unsure how to get there. For example, one IT organization may need to lower its costs but doesn't know how to do that without compromising service levels. Another might need to comply with Sarbanes-Oxley requirements but isn't sure of the best approach to take. In these cases, a services-led assessment is a smart first step so that an IT organization gets a clear picture of its starting point and where it is today.
In addition, we have created a three-stage framework that describes how enterprise IT management evolves and that shows how IT organizations can create greater business value at each stage.
* Managing the infrastructure: Initially, IT organizations evolving from technology providers into service providers focus on improving the management of the enterprise infrastructure. This means maximizing return on computing assets and taking control of the infrastructure, the devices it contains, and the data it generates. Achieving this goal begins with an understanding of all computing elements. The desired outcome is a highly available enterprise IT infrastructure. Tactically, the emphasis during this stage is on implementing technology, such as HP OpenView, which plays a critical role in helping an IT organization become a reliable infrastructure provider. This technology discovers, monitors, and manages all computing elements that critical business applications depend on—regardless of where they are located—and displays linkages and topology. This comprehensive monitoring and management of computing elements is critical to IT Service Management success. For example, management software automatically detects status changes, such as a failure or subtle performance degradation that might lead to service failure. When problems arise, automated, corrective actions can repair routine problems.
* Managing the services: An IT organization that evolves through stage two is actively identifying the services its customers need and focusing on planning and delivering those services to meet availability, performance, and security requirements. In addition, IT is managing service-level agreements, both internally and externally, to meet agreed-upon quality and cost targets. These activities are central to running IT as a business. When a service is disrupted or performance degrades, the IT organization not only knows the devices involved but, more importantly, understands the business implications of the problem and takes effective action. Given its new, business-focused perspective, IT can base its actions on broader business priorities rather than on pressure from users. When implemented properly, an IT Service Management solution combining process, people, and technology will tightly associate every device with the services it supports. As a result, IT organizations can proactively manage that device as part of strategic business services. By measuring the results of these daily activities, an IT organization can manage IT services to meet its business customers' expectations for reliability, availability, and performance. It also positions the IT organization to deliver and support services that provide real business value.
* Managing the business value of IT: At this stage IT organizations have full infrastructure data and can provide services at agreed-upon cost and quality targets. But another crucial change has taken place: The IT organization is now looking for innovative ways to use its intellectual property for business advantage. At HP, for example, we have begun marketing security and supply chain tools that were created by internal IT teams to solve line-of-business challenges. At this point, IT moves from being a cost centre to a profit centre and becomes an enabler of the company's success. This is managing IT as a business for the business.
Summary
IT executives with a broader business-IT perspective realize that the measure of an IT organization's success is increasingly based on business outcomes as well as technology outcomes. This requires aligning the IT organization with the business' goals, transforming IT into a trusted service provider for internal customers, and becoming an enabler of the company's success.
We know that this will require a transformation for many IT organizations. We know this from what customers tell us and from our own experience transforming HP's internal IT organization. Yet help is available. At HP, we have invested for more than 10 years to develop the tools, methodologies, and best practices to make this transformation a reality for our customers. On November 30, we took another large step forward and introduced more than two dozen new management software solutions and services to make this transformation easier. This is the direction to go if you want to realize the benefits of managing IT as a business for the business.
© 2005 Hewlett-Packard Development Company, L.P.
March 23, 2005 at 07:38 AM in Financial Services
Physical security becoming an IT problem - Yahoo! UK & Ireland News
By Andrew Donoghue, ZDNet UK
Security experts from the Royal Mail, Procter & Gamble and Barclaycard agree that the systems used to secure company facilities and IT systems are merging
The proliferation of technologies such as identity management mean more IT managers are having to take responsibility for physical security, according to a panel of leading IT security managers.
Speaking at the Business Continuity Expo in London's Docklands, IT security experts from the Royal Mail Group, Procter & Gamble and Barclaycard acknowledged that their companies are increasingly merging systems used to authenticate employees' entry to physical facilities with those used to control access to computing resources.
"I have worked in a lot of different areas of our company and I have found that physical and IT security are coming together, especially around the area of identity management," said David Lacey, director of information security, Royal Mail Group.
David McCaskill, section manager for global security solutions at Procter & Gamble, explained that the pharmaceutical giant had also integrated its physical and IT authentication systems. "We are also seeing these authentication systems come together. Before, if you forgot your passcard to access the building that wasn't a major problem, but now it is."
Companies have generally treated physical security as the responsibility of the facilities department and computer security as that of IT. But employee information has increasingly become integrated, allowing businesses to link the two systems, Steve Hunt, an analyst with Forrester Research, said in a recent report.
"Locks, cameras, entry systems, and even guard desks will be upgraded to work with the same computing systems that control computer and network sign-on, identity management and security incident management," Hunt wrote. "Consequently, IT security vendors will rush to merge or find partnerships with their physical security brethren to respond to the new opportunities."
The link between physical security systems and network security is another ripple emanating from the terrorist attacks of September 11, 2001. Twice as much will be spent on such integration this year compared with 2004, reaching $1.1bn in Europe and the United States, according to Forrester.
Jamie Watters, business continuity manager at Barclaycard, agreed that IT and physical security were coming together, but said it was more important to unite the disparate groups in charge of IT security to create a single body with responsibility for protecting an organisation's infrastructure. "For me the most pressing issue is not the coming together of IT and physical security but more importantly the coming together of IT security groups. Companies I have worked for have two or three different IT security organisations."
Lacey agreed it was vital that companies had one single group with overarching responsibility otherwise decisions on IT security would be delayed by a "court of infinite appeals". He advocated creating one single business continuity group with cross-organisational responsibility for physical and IT security.
March 20, 2005 at 10:36 PM in Security
Agence France Presse sues over Google News - Yahoo! UK & Ireland News
SAN FRANCISCO (Reuters) - Agence France Presse has sued Google, alleging the Web search leader includes AFP's photos, news headlines and stories on its news site without permission.
The French news service is seeking damages of at least $17.5 million (9.1 million pounds) and an order barring Google News from displaying AFP photographs, news headlines or story leads, according to the suit filed on Thursday in the U.S. District Court for the District of Columbia.
"We allow publishers to opt out of Google News but most publishers want to be included because they believe it is a benefit to them and to their readers," Google spokesman Steve Langdon said of the AFP lawsuit. The attorney for AFP was not immediately available for comment.
AFP sells subscriptions to its content and does not provide it free. Google News gathers photos and news stories from around the Web and posts them on its news site, which is free to users.
"Without AFP's authorisation, defendant is continuously and willfully reproducing and publicly displaying AFP's photographs, headlines and story leads on its Google News web pages," AFP charged in its lawsuit.
AFP said it has informed Google that it is not authorised to use AFP's copyrighted material as it does and has asked Google to cease and desist from infringing its copyrighted work.
AFP alleged that Google has ignored such requests and as of the filing date of the lawsuit "continues in an unabated manner to violate AFP's copyrights."
The lawsuit comes a few months after Perfect 10, a publisher of nude photographs, sued Google in federal court in Los Angeles.
In that lawsuit, Perfect 10 charged that Google illegally allowed people to view hijacked versions of photos it owns and produced, violating copyrights and harming its ability to profit from the distribution of the photos via its magazine and Web site.
"I'm very happy that other people who are 'more respectable' than myself are suing," Norm Zada, president of Beverly Hills, California-based Perfect 10, told Reuters.
Zada added that other Web search providers display illegally obtained versions of copyrighted photos.
In 2002, a federal appeals court ruled that Web sites may reproduce and post "thumbnail" or down-sized versions of copyrighted photographs. But the court said displaying full-sized copies of photographs is a copyright violation.
Langdon declined comment on the Perfect 10 litigation.
March 19, 2005 at 01:08 PM in Portals
The New York Times > Technology > Growth of Wireless Internet Opens New Path for Thieves
By SETH SCHIESEL
Published: March 19, 2005
The spread of the wireless data technology known as Wi-Fi has reshaped the way millions of Americans go online, letting them tap into high-speed Internet connections effortlessly at home and in many public places.
But every convenience has its cost. Federal and state law enforcement officials say sophisticated criminals have begun to use the unsecured Wi-Fi networks of unsuspecting consumers and businesses to help cover their tracks in cyberspace.
In the wired world, it was often difficult for lawbreakers to make themselves untraceable on the Internet. In the wireless world, with scores of open Wi-Fi networks in some neighborhoods, it could hardly be easier.
Law enforcement officials warn that such connections are being commandeered for child pornography, fraud, death threats and identity and credit card theft.
"We have known for a long time that the criminal use of the Internet was progressing at a greater rate than law enforcement had the knowledge or ability to catch up," said Jan H. Gilhooly, who retired last month as special agent in charge of the Secret Service field office in Newark and now helps coordinate New Jersey operations for the Department of Homeland Security. "Now it's the same with the wireless technologies."
In 2003, the Secret Service office in Newark began an investigation that infiltrated the Web sites and computer networks of suspected professional data thieves. Since October, more than 30 people around the world have been arrested in connection with the operation and accused of trafficking in hundreds of thousands of stolen credit card numbers online.
Of those suspects, half regularly used the open Wi-Fi connections of unsuspecting neighbors. Four suspects, in Canada, California and Florida, were logged in to neighbors' Wi-Fi networks at the moment law enforcement agents, having tracked them by other means, entered their homes and arrested them, Secret Service agents involved in the case said.
More than 10 million homes in the United States now have a Wi-Fi base station providing a wireless Internet connection, according to ABI, a technology research firm in Oyster Bay, N.Y. There were essentially none as recently as 2000, the firm said. Those base stations, or routers, allow several computers to share a high-speed Internet connection and let users maintain that connection as they move about with laptops or other mobile devices. The routers are also used to connect computers with printers and other devices.
Experts say most of those households never turn on any of the features, available in almost all Wi-Fi routers, that change the system's default settings, conceal the connection from others and encrypt the data sent over it. Failure to secure the network in those ways can allow anyone with a Wi-Fi-enabled computer within about 200 feet to tap into the base station's Internet connection, typically a digital subscriber line or a cable modem.
Wi-Fi connections are also popping up in retail locations across the country. But while national chains like Starbucks take steps to protect their networks, independent coffee shops that offer Wi-Fi often leave their connections wide open, law enforcement officials say.
In addition, many universities are now blanketing campuses with open Wi-Fi networks, and dozens of cities and towns are creating wireless grids. While some locations charge a fee or otherwise force users to register, others leave the network open. All that is needed to tap in is a Wi-Fi card, typically costing $30 or less, for the user's PC or laptop. (Wi-Fi cards contain an identification code that is potentially traceable, but that information is not retained by most consumer routers, and the cards can in any case be readily removed and thrown away.)
When criminals operate online through a Wi-Fi network, law enforcement agents can track their activity to the numeric Internet Protocol address corresponding to that connection. But from there the trail may go cold, in the case of a public network, or lead to an innocent owner of a wireless home network.
"We had this whole network set up to identify these guys, but the one thing we had to take into consideration was Wi-Fi," Mr. Gilhooly said. "If I get to an Internet address and I send a subpoena to the Internet provider and it gets me a name and physical address, how do I know that that person isn't actually bouncing in from next door?"
Mr. Gilhooly said the possibility of crashing into an innocent person's home forced his team to spend additional time conducting in-person surveillance before making arrests. He said the suspects tracked in his investigation would regularly advise one another on the best ways to gain access to unsecured Wi-Fi systems.
"We intercepted their private conversations, and they would talk and brag about, 'Oh yeah, I just got a new amplifier and a new antenna and I can reach a quarter of a mile,' " he said. "Hotels are wide open. Universities, wide open."
Sometimes, suspected criminals using Wi-Fi do not get out of their car. At 5 a.m. one day in November 2003, the Toronto police spotted a wrong-way driver "with a laptop on the passenger seat showing a child pornography movie that he had downloaded using the wireless connection in a nearby house," said Detective Sgt. Paul Gillespie, an officer in the police sex crimes unit.
The suspect was charged with child pornography violations in addition to theft of telecommunications services; the case is pending. "The No. 1 challenge is that people are committing all sorts of criminal activity over the Internet using wireless, and it could trace back to somebody else," Sergeant Gillespie said.
Holly L. Hubert, the supervisory special agent in charge of the Cyber Task Force at the F.B.I. field office in Buffalo, said the use of Wi-Fi was making it much more difficult to track down online criminals.
"This happens all the time, and it's definitely a challenge for us," she said. "We'll track something to a particular Internet Protocol address and it could be an unsuspecting business or home network that's been invaded. Oftentimes these are a dead end for us."
Ms. Hubert says one group of hackers she has been tracking has regularly frequented a local chain of Wi-Fi-equipped tea and coffee shops to help cover its tracks.
Many times the suspects can find a choice of unsecured wireless networks right from home. Special Agent Bob Breeden, supervisor of the computer crime division for the Florida Department of Law Enforcement, said a fraud investigation led in December to the arrest of a Tallahassee man who had used two Wi-Fi networks set up by residents in his apartment complex.
Over those Internet connections, the suspect used the electronic routing information for a local college's bank account to pay for online pornography and to order sex-related products, Mr. Breeden said. The man was caught because he had the products delivered to his actual address, Mr. Breeden said. When officers went to arrest him, they found his computer set up to connect to a neighbor's wireless network. Mr. Breeden said the suspect, Abdul G. Wattley, pleaded guilty to charges of theft and unauthorized use of a communications network and was sentenced to two years' probation.
In another recent case, the principal of a Tallahassee high school had received death threats by e-mail, Mr. Breeden said. When authorities traced the messages to a certain Internet Protocol address and went to the household it corresponded to, Mr. Breeden said, "Dad has his laptop sitting on a table and Mom has another laptop, and of course they have Wi-Fi, and they clearly didn't know anything about the threats."
Cybercrime has been known to flourish even without Wi-Fi's cloak of anonymity; no such link has been found, for example, in recent data thefts from ChoicePoint, Lexis/Nexis and other database companies.
But unsecured wireless networks are nonetheless being looked at by the authorities as a potential tool for furtive activities of many sorts, including terrorism. Two federal law enforcement officials said on condition of anonymity that while they were not aware of specific cases, they believed that sophisticated terrorists might also be starting to exploit unsecured Wi-Fi connections.
In the end, prevention is largely in the hands of the buyers and sellers of Wi-Fi equipment. Michael Coe, a spokesman for SBC, the nation's No. 1 provider of digital subscriber line connections, said the company had provided about one million Wi-Fi routers to its customers with encryption turned on by default. But experts say most consumers who spend the $60 to $80 for a Wi-Fi router are just happy to make it work at all, and never turn on encryption.
"To some degree, most consumers are intimidated by the technology," said Roberta Wiggins, a wireless analyst at the Yankee Group, a technology research firm in Boston. "There is a behavior that they don't want to further complicate their options."
That attitude makes life easier for tech-savvy criminals and tougher for those who pursue them. "The public needs to realize that all they're doing is making it harder on me to go find the bad guys," said Mr. Gilhooly, the former Secret Service agent. "How would you feel if you're sitting at home and meanwhile someone is using your Wi-Fi to hack a bank or hack a company and downloads a million credit card numbers, which happens all the time? I come to you and knock on your door, and all you can say is, 'Oops.' "
March 19, 2005 at 10:06 AM in Wireless
Police foil £220m plot by cyber thieves to rob bank - Britain - Times Online
By Stewart Tendler and Sam Coates
A Japanese finance house in London was the international gang's target
POLICE have smashed an international hi-tech plot to steal £220 million from the London offices of a leading Japanese bank group in one of the world's biggest bank thefts.
The gang planned to hack their way into the computer systems at Sumitomo Mitsui, Japan’s third largest bank, and transfer money electronically to ten bank accounts around the world.
The plot would have dwarfed traditional robberies such as the £26 million raid on the Northern Bank in Belfast last year and sent shockwaves throughout the financial world.
As British detectives questioned an Israeli suspected of being a frontman for the gang yesterday, financial institutions across London’s banking and money markets were on their guard against other attempts.
The hackers infiltrated the bank’s system using “keystroking” equipment that enabled them to record and sift every key stroke made on computers. The gang could then learn account numbers, passwords and other sensitive information that they would use to order electronic transfers of cash round the world.
But last October the bank’s IT security staff realised that they were under attack, reported their suspicions to Britain’s National Hi-Tech Crime Unit and detectives began an international manhunt.
Takashi Morita, head of communications at Sumitomo in Tokyo, said the company had not suffered any financial loss and investigations were still under way. New security measures have been introduced.
In Israel a lawyer representing Yaron Bolondi, 31, an odd-job man accused of money laundering and trying to transfer £13.9 million from the bank, said his client knew nothing of any international conspiracy. Ilan Mizrahi said Mr Bolondi was approached by a stranger who asked if he would receive several million pounds through a dormant business account he controlled.
Mr Bolondi passed on details of a company called Varo Petrol Distribution. Mr Mizrahi said his client “met this guy he didn’t know some place. He just thought the whole thing was a joke and so in the spirit of a joke he gave the guy details of his bank account. When he was arrested he had no idea what it was about.”
But Israeli officers believe Mr Bolondi is a frontman for others in the plot and he was remanded in custody on Wednesday. Police claimed that Mr Bolondi had given a large number of false addresses to cover his tracks. The addresses given for both his company’s registered office and bank account proved to be fake.
In London investigators remain reluctant to say anything publicly but computer experts said the case highlighted the growing threat to financial institutions from organised gangs of cyber-criminals.
Another British-based bank discovered that 80 of its Swift banking machines, which are used to transfer money internationally, had been fitted with “keystroke monitoring” adaptors in December. They were forced to replace their keyboards with more secure equipment.
Steve Purdham, of SurfControl, an internet security company, said the Sumitomo plot “must act as a wake-up call for the banking and finance sector and business in general”.
Graham Cluley, an anti-virus specialist at the computer security firm Sophos, said this type of electronic attack was becoming increasingly popular with criminals.
Richard Archdeacon, of the internet security firm Symantec, said: “We have seen a meteoric rise in cyberfraud that specifically targets confidential data.”
Gangs are known to have breached security at several British banks in the past year but financial institutions are reluctant to disclose potentially damaging information to police. One in five financial institutions admitted it was a victim of fraud in a police survey last year but only 56 per cent of them contacted officers.
One British bank recently discovered a member of staff making two copies of data back-up tapes. He took one of them home, altered the information to give himself a bank account with “significant” funds from other accounts and then swapped it with the original back-up tape.
Another large multinational bank had "source code" computer programme data, which can be used by hackers, stolen using a £29 USB memory stick.
For Sumitomo Mitsui, a successful plot would have been a new disaster for the bank that has struggled with a history of bad luck. In the late 1990s, it lost £1.3 billion after auditors uncovered the world's biggest rogue trading fraud at the bank. Over the course of ten years, Yasuo Hamanaka hid losses after a huge bet on the future price of copper turned sour.
In 1998, Hamanaka was jailed for eight years after pleading guilty to charges of fraud and forgery but a legal battle between Sumitomo and some of the City firms with which Hamanaka dealt rumbled on until October last year, when the bank settled a £500 million law suit with a French broking firm.
In 1990, the bank’s chairman had to resign after police arrested a branch manager who allegedly helped to finance a share-price manipulation ring.
The bank was in trouble again a year later, when executives were heavily criticised for lending millions to Itoman, a Japanese trading house that subsequently became embroiled in allegedly illegal art deals worth £242 million.
In 1994, a senior Sumitomo manager was murdered, allegedly by the Japanese mafia. The banker had been responsible for dealing with sokaiya — criminals who threatened to disrupt annual general meetings unless they were paid off.
March 18, 2005 at 11:44 AM in Financial Services
(Image-only post: JPEG, 600x642 pixels)
March 18, 2005 at 11:41 AM in Financial Services
Web tools blaze trail to the past | CNET News.com
In the race to build the Web of the future, some developers are reaching back to the past.
Start-ups and industry giants such as Microsoft continue to devise newfangled systems for delivering desktop-like applications over the Web. But search giant Google has taken a different path, using older technology to build its newest applications such as Google Maps and Gmail.
That's prompted developers to take a second look at old-hat technologies that have been kicking around on the Web since the 1990s, such as JavaScript and Dynamic HTML.
"Suddenly you've got a company like Google that has shown to a mass audience that rich Internet applications have a tremendous benefit to the end user," said David Temkin, chief technology officer of Laszlo Systems, a start-up whose Web application system underlies EarthLink's new e-mail Web site. "The difference between Google Maps and any other map site is not subtle--it's almost a different product category. And the same is true of Gmail."
Those older technologies--such as the JavaScript scripting language, the Cascading Style Sheets recommendation by the World Wide Web Consortium (W3C) for applying styles to multiple Web pages, and other coding bells and whistles--are sometimes grouped under the marketing term Dynamic HTML, or DHTML.
The interest isn't driven by some dot-com nostalgia. Proponents argue that these older technologies are good enough to do the job and that support for them is already embedded in common Web browsers.
Developers have filled their blogs with debate over a recent Feb. 18 posting by Jesse Garrett, co-founder of San Francisco consultancy Adaptive Path, who coined the acronym AJAX to promote the idea of using "Asynchronous JavaScript + XML" as a way of building Web applications with freely available technologies.
Bloggers have nitpicked at the term, and Google engineers refer to their coding technique simply as JavaScript. But in just a month, "AJAX" has gained currency with the recent flurry of blog postings and a story about it in The Wall Street Journal.
"While I'm not usually a big fan of new acronyms, I'm happy to see this AJAX idea emerging," said Toni Schneider, product manager in Yahoo's platform engineering group and former CEO of Oddpost, which Yahoo acquired last year. "Someone's given a name to what we've been working on for years, to the idea of using JavaScript and moving it to the next level."
If technology that works in the current generation of Web browsers is indeed good enough for powerful, scalable Web-based applications, that could result in reduced demand for everything from Laszlo Systems' tools, Macromedia's Flash and Flex-based offerings, Sun Microsystems' Java-based applications, and for Microsoft's planned system based on XAML (Extensible Application Markup Language) and Avalon graphics.
The stakes are especially high for Microsoft, which for the past 10 years has had to contend with the Web as a potential threat to its core operating system and desktop applications businesses.
The software giant, which pioneered several of the technologies developers are now re-evaluating, dismissed any threat to its plans for XAML.
"It's a little depressing that developers are just now wrapping their heads around these things we shipped in the late 20th century," said Charles Fitzgerald, Microsoft's general manager for platform technologies. "But XAML is in a whole other class. This other stuff is very kludgy, very hard to debug. We've seen some pretty impressive hacks, but if you look at what XAML starts to solve, it's a major, major step up."
So which is easiest?
One area of debate is whether JavaScript and other DHTML technologies wind up making development easier or more complex than newer systems over the course of an application's lifetime.
Some purveyors of alternate methods point out that HTML was designed to build hypertext documents, and is now being jerry-rigged to create interactive applications. That, they claim, results in more development difficulties and compatibility issues, a harder quality assurance cycle, and the absence of prefabricated, higher-level building blocks.
"It is really, really, really hard to build something like Gmail and Google Maps," said David Mendels, general manager of platform products for Macromedia. "Google hired rocket scientists--they hired Adam Bosworth, who invented DHTML when he was at Microsoft. Most companies can't go and repeat what Google has done."
That level of difficulty might explain why it's taken until 2005 for some 1990s-era Web technologies to become more popular, said Peter O'Kelly, an analyst with the Burton Group. Renewed interest is "partly because of some clever approaches that have been recently exploited and partly because it has been exceptionally difficult to master the underlying technologies," he said.
It isn't just Google advocating the blast-from-the-past approach. Sentiment in favor of status quo methods erupted into a schism within the W3C, where a splinter group called the Web Hypertext Application Technology Working Group (WHAT-WG) rebelled against the W3C's XForms vision of Web forms--a crucial component of Web-based applications--and drafted its own specification to standardize currently widespread techniques.
That consortium of browser developers--including Apple Computer, Opera Software and the Mozilla Foundation, whose working group representative Brendan Eich invented JavaScript--is also developing a Web application specification geared toward stitching together JavaScript, HTML, CSS and the W3C's Document Object Model for letting scripts act on individual parts of a Web page.
The group formed last year in part to respond to the potential threat posed by Microsoft's plans for the proprietary XAML/Avalon Web and Windows application coding system that, if successful, could marginalize standard approaches.
"Microsoft published an outline of what they were trying to achieve, which is using markup languages to build applications," said Hakon Wium Lie, chief technology officer at Opera Software, that company's representative on W3C's advisory committee, and a WHAT-WG founder. "We thought we could do the same thing with existing Web languages. People were writing applications like Amazon and Hotmail and Google search, so why not have a specification for it?"
One benefit of working with JavaScript and HTML, say proponents, is the preponderance of experienced developers as compared with Flash developers or specialists in other systems. Flash, while widely distributed, isn't as universal as a Web browser, and some developers say their clients fret about Flash-incompatible firewalls.
Some developers mix and match. The popular online photo site Flickr, for example, uses Flash for some tasks and JavaScript for others on the same page.
Passing fad?
Technologists working on the next generation of Web application technologies scoff at the idea that a JavaScript renaissance is going to threaten their vision of the future. Instead, they insist Google's rising tide is lifting their boats.
"For a company serving that many people at that scale, Google is taking uncharacteristic risks on their front end to do things that other companies with old infrastructures in place don't know are even possible," said Laszlo's Temkin. "I'm incredibly happy that Google is taking this step, because it's forcing the market to realize what to us has been incredibly obvious about rich Internet applications. It's forcing the portals and others to notice the value here. That's tremendous for us."
By the same token, Google denies any ideological attachment to its standards-based approach. Instead, the company says it has evaluated all the options before it and will continue to do so as new technologies become available or existing ones get refined.
The JavaScript approach, Google acknowledges, leaves some things to be desired. For example, it's harder to integrate applications with third-party applications.
In the final analysis, however, Google has given JavaScript that crucial programming designation: good enough.
"We've considered these other things, and we've talked about some of the other options, but thus far the technologies haven't gotten to the point where we feel the need to switch to them," said Paul Buchheit, the Google engineer who spearheaded the Gmail project.
"If something like Avalon or Mozilla's XUL (Extensible User Interface Language) were to become powerful and common enough, that would be interesting to us," Buchheit said.
Ultimately, any push away from JavaScript and other DHTML technologies may stem less from the improvement of other options than from the demands of the applications.
"Google is a first step or second step, not an end point," Temkin said. "The successors to Word and Excel and Powerpoint are not going to be written this way. It's just not going to happen."
March 17, 2005 at 10:29 AM in Web/Tech | Permalink | TrackBack (18) | Top of page | Blog Home
Report of the UKERNA Computer Security – Protecting Computers conference held at the Royal Geographical Society, London on 22 November 2000
An audience derived from many academic institutions in the United Kingdom and Ireland attended the conference. In spite of the travel difficulties both on land and in the air (Heathrow being fogbound) over 100 attendees were present. This delayed the start, which meant the introductory welcomes were cut short, without affecting the timing of the actual talks.
What is the Threat by Darren Watts, DERA – an interesting talk, which at times more resembled a salesman at the Quayside Market on a Sunday than an exposition on security threats. His main thrust was to make sure that in looking at security issues we look at the whole picture, taking a holistic view of the threat. He advocated (being from DERA – Defence Evaluation and Research Agency) the need for an in-depth study of the issues whilst co-operating with other bodies in a common defence against attack. A network attack requires the handling of three distinct phases –
o Reconnaissance
o The actual attack
o Comprehending the effects of the attack
Ideally any attack should be detected as soon as possible. Co-operation allows the spotting of a given attack on a site as being part of a more global attack on an agency. The examples of the Solar Sunrise and Moonlight Maze attacks on the US defence network were cited. These had been preceded by attacks on various institutions to provide camouflaged launch pads for the main attack. He felt that the UK Academic Community was a primary source for such launch pads, with their open networks running a large number of systems, a number of which were not tightly screwed down with the latest security updates.
Security for Unix Systems by Andrew Cormack, UKERNA – This was an interesting presentation as the speaker showed how an off-the-shelf Linux system could be hardened in a relatively small number of steps to make the system less vulnerable to attack from a hostile source. He advocated the basic principles for configuring any system of –
o Run only what was needed
o Configure those services securely
o Restrict Access and privilege
o Only then should the system be connected to the network
An example of how to configure a Linux Web Server was shown – disabling unwanted start-up scripts, wrapping and enabling services, verifying that the relevant daemons are the latest version from the relevant supplier etc. This was a well thought out presentation and a similar exercise may well be useful on campus, showing system administrators a series of easily followed steps to make their systems more secure. This would be a move towards a preventative approach for campus security rather than the current largely curative measures.
Securing NT4 – by Alan Hood, DERA – The speaker tried to follow a similar approach to Andrew Cormack, using NT4 as a platform. Maybe he was trying to cover a wider set of problems, but the use of a poor visual display diluted the impact of his talk. There is clearly a need for a similar set of hardening steps for NT4 (along with other Microsoft Operating Systems). The talk covered the following dangers-
o Using bootable floppy drives to modify files on the hard disk
o SMB password vulnerabilities
o Registry weaknesses
o Port 139 information gleaning
o Dangerous utilities, including the NT resource kit tools
o Trojans and Backdoors
IP Filtering – George Ross, Edinburgh University – The speaker presented the benefits and disadvantages of the use of the TCP wrapper and the use of IP Filters/Chains in protecting networked systems. He outlined how filtering was used to improve system protection, with minimal (claimed) impact on system performance. The system was now in production use, having overcome initial sceptical user reaction. The speaker felt that wrappers and filters were largely exclusive tools, and that their combined use would increase a site’s security protection. Neither tool though gives any protection when access is gained to a vulnerable daemon on a given system.
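The access decision that TCP wrappers make, which George Ross weighed against IP filters above and which is one way of carrying out Andrew Cormack's "restrict access and privilege" step, can be made concrete. The following is an added example written for this page; it is not code from either talk nor from the tcp_wrappers package. It evaluates a (daemon, client) pair against sample hosts.allow and hosts.deny contents using the documented rule order (hosts.allow is consulted first, then hosts.deny, and with no match access is granted). The two sample files, the daemon names and the addresses are constructed, and only the common pattern forms (ALL, EXCEPT, domain suffix, address prefix, net/mask and a literal host) are handled.

```python
"""Evaluate TCP wrapper style access decisions (hosts.allow / hosts.deny)."""
import ipaddress

# Constructed sample files for the example, not taken from any real host.
HOSTS_ALLOW = """\
# sshd from the campus subnet and one admin workstation only
sshd : 192.0.2.0/255.255.255.0 198.51.100.7
# finger only from hosts whose name is under the campus domain
in.fingerd : .campus.example
"""

HOSTS_DENY = """\
# everything not explicitly allowed above is refused
ALL : ALL
"""


def parse_rules(text):
    """Return (daemon_patterns, client_patterns) pairs, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line: no client list
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def match_client(pattern, addr, host=None):
    """Match one client pattern against a peer address and (optional) hostname."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # domain suffix: ".campus.example"
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):              # address prefix: "192.0.2."
        return addr.startswith(pattern)
    if "/" in pattern:                     # net/mask: "192.0.2.0/255.255.255.0"
        try:
            network = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(addr) in network
        except ValueError:
            return False
    return pattern == addr or pattern == host  # literal address or hostname


def match_list(patterns, matcher):
    """Apply a wrapper list, honouring 'a b EXCEPT c d' semantics."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return match_list(patterns[:i], matcher) and not match_list(patterns[i + 1:], matcher)
    return any(matcher(p) for p in patterns)


def is_allowed(daemon, addr, host=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Wrapper order: hosts.allow match -> allow; hosts.deny match -> deny; otherwise allow."""
    def any_rule_matches(rules):
        for daemons, clients in rules:
            if (match_list(daemons, lambda p: p in ("ALL", daemon))
                    and match_list(clients, lambda p: match_client(p, addr, host))):
                return True
        return False

    if any_rule_matches(parse_rules(allow)):
        return True
    if any_rule_matches(parse_rules(deny)):
        return False
    return True  # the wrapper default: no matching entry means access is granted


if __name__ == "__main__":
    for daemon, addr, host in [("sshd", "192.0.2.44", None),
                               ("sshd", "203.0.113.9", None),
                               ("in.fingerd", "192.0.2.44", "lab1.campus.example")]:
        print(daemon, addr, "->", "allow" if is_allowed(daemon, addr, host) else "deny")
```

Two points the example makes visible: a host with a populated hosts.allow but an empty hosts.deny is wide open, because the wrapper default is to grant access, so the final "ALL : ALL" deny line is what turns the allow list into a real allowlist; and, as the report notes, the decision is taken before the daemon sees the connection, so a client that is permitted through still reaches whatever vulnerabilities the daemon has.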
Detecting intrusions – Andrew Blyth, Glamorgan – The final talk was perhaps surprisingly the most informative of the day. The speaker outlined how he was using the "snort" Intrusion Detection System to monitor network activity on both Unix and Microsoft OS platforms. The package is available for a number of operating systems and has an active user community, which is coming up with new signature files to detect newer types of probes as the hackers start using such probes. The package (which is freeware) can also handle logging to a number of different logging systems.
The speaker showed a log of the system running on his office PC, which highlighted the varied nature of campus-wide probes. His system is an office PC, which provides no services as such either on or off campus. He quoted a probe that snort had detected as sourcing from Estonia. He had contacted the Estonian CERT and received a response the next day indicating that the offending system had been taken off the network and that the operator was now in police custody!
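To show what a log like the one the speaker displayed looks like when it is summarised rather than read line by line, here is an added example that is not from the talk and is not part of snort. It parses a few constructed alert lines written in the layout of snort's one-line "fast" alert output, groups them by source address, and flags sources that touched several campus hosts, producing the sort of per-source summary (time span, targets, ports, rules fired) an administrator would want in hand before contacting the relevant CERT, as the speaker did. All addresses, rule ids and messages are invented.

```python
"""Summarise snort-style 'fast' alert lines by probing source."""
import re
from collections import defaultdict

# Constructed alert lines in snort's fast-alert layout; addresses, SIDs and
# messages are invented for this example and are not the speaker's real log.
SAMPLE_ALERTS = """\
11/22-09:01:12.104211  [**] [1:1000001:1] SCAN probe TCP/139 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.17:3412 -> 192.0.2.10:139
11/22-09:01:13.221004  [**] [1:1000001:1] SCAN probe TCP/139 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.17:3413 -> 192.0.2.11:139
11/22-09:03:40.000123  [**] [1:1000002:1] ICMP PING sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.5 -> 192.0.2.10
11/22-09:15:02.777001  [**] [1:1000003:1] SCAN probe TCP/111 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.17:3500 -> 192.0.2.10:111
11/22-10:42:09.515151  [**] [1:1000002:1] ICMP PING sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.5 -> 192.0.2.12
"""

# Ports are optional so that ICMP alerts (no ports) parse as well as TCP/UDP ones.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Parse fast-format lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            rec[key] = int(rec[key]) if rec[key] is not None else None
        alerts.append(rec)
    return alerts


def summarize_by_source(alerts):
    """Per source address: alert count, distinct targets, ports, rule messages, time span."""
    summary = defaultdict(lambda: {"count": 0, "targets": set(), "dports": set(),
                                   "messages": set(), "first": None, "last": None})
    for a in alerts:
        s = summary[a["src"]]
        s["count"] += 1
        s["targets"].add(a["dst"])
        if a["dport"] is not None:
            s["dports"].add(a["dport"])
        s["messages"].add(a["msg"])
        # Timestamps share one format, so string order is chronological within a day.
        s["first"] = a["ts"] if s["first"] is None else min(s["first"], a["ts"])
        s["last"] = a["ts"] if s["last"] is None else max(s["last"], a["ts"])
    return dict(summary)


def flag_scanners(alerts, min_targets=2):
    """Sources that probed at least min_targets distinct hosts, busiest first."""
    summary = summarize_by_source(alerts)
    hits = [src for src, s in summary.items() if len(s["targets"]) >= min_targets]
    return sorted(hits, key=lambda src: (-summary[src]["count"], src))


def incident_note(alerts, src):
    """Plain-text summary of one source, the kind of detail a CERT report needs."""
    s = summarize_by_source(alerts)[src]
    return (f"source {src}: {s['count']} alerts between {s['first']} and {s['last']}; "
            f"targets {', '.join(sorted(s['targets']))}; "
            f"ports {', '.join(str(p) for p in sorted(s['dports'])) or 'n/a'}; "
            f"rules: {'; '.join(sorted(s['messages']))}")


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for src in flag_scanners(parsed):
        print(incident_note(parsed, src))
```

Grouping by source is what turns a stream of single alerts into the "one host probing several of ours" picture that justifies a report to the remote site's CERT; a single alert from an address is rarely worth anyone's time, while the same address touching ports 139 and 111 on two machines in a quarter of an hour is.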
Michael Ellison
28th November 2000
March 17, 2005 at 08:07 AM in Online crime | Permalink | TrackBack (15) | Top of page | Blog Home
The Moonlight Maze of secret cyberwar gossip.
As we approach the end of 1999, dear reader, you cannot help but notice that secret cyberwars aimed at the Pentagon seem to be occurring every day. Although the average citizen sees no trace or serious bad effect from them, they are there, claim our national security mandarins.
Russian hackers, Chinese hackers, French hackers -- all are or could be in merciless combat against the electronic forces of the Pentagon, looting ill-defined precious national secrets from under the noses of our guardians.
And the loud trumpet of terror this month is Moonlight Maze.
But first, we'll go back a bit in time, to the first quarter of 1999, to see how it started.
In the first half of March, Deputy Secretary of Defense John Hamre claimed the United States was in a cyberwar -- under attack by hackers.
In a story in the March 1 issue of Defense Week, reporters John Donnelly and Vince Crawley wrote that John Hamre had revealed to Congressman Curt Weldon the "details" of an on-going cyberattack.
"We are at war right now. We are in a cyberwar," John Hamre was said to have claimed. The secret cyberwar was dubbed Moonlight Maze.
Although information was vague then, as it is now, the activity which caused the Pentagon reaction was a slow, extended series of probes seemingly aimed at an Air Force Information Warfare Center (AFIWC) server in San Antonio, Texas. AFIWC -- like most military sites -- is a high profile target for hackers, mostly because of the continuing publicity surrounding the agency's efforts in information warfare.
In addition, the alarms appeared very similar in nature to warning announcements made by SHADOW, a somewhat publicity hungry Navy computer security operation with a fancy acronym in Dahlgren, Virginia, in September of 1998. SHADOW's leader at the time, computer security administrator Stephen Northcutt, has since been associated with the private sector and appears from time to time to announce the approach of various Net menaces. (Most recently Northcutt has appeared as a pitchman for a computer security company's services in detecting boobytrapped software allegedly installed by programmers and the enemies of democracy under the cover of Y2K remediation. The cynics among the readership may notice four similar characteristics between Moonlight Maze and the dread menace of Y2K programmers sapping and impurifying our bodily fluids with software boobytraps: (1) unknown foreigners -- usually ex- or unreconstructed commies -- are involved; (2) more anonymous sources than you can shake a stick at; (3) Congressional hearings which say nothing; (4) shills for computer security vendors employing both as advertisements.)
All of this information on Moonlight Maze was in the public domain by the end of the first quarter of 1999.
Seeing potential enemies everywhere in cyberspace, Hamre also turned the glare of the professional paranoid on his own: "We are increasingly concerned about those who have legitimate access to our networks -- the trusted insider," he said for Defense Week.
And in a gesture that resembled the rumblings of the "Un-American Activities" hysteria of the Fifties, when citizens were asked to staunchly proclaim that were loyal to America, Hamre said he was now instituting "an oral attestation" in which DoD people who have access to Top Secret material or compartments affirm "they will conform to the conditions and responsibilities imposed by that access."
David Kennedy of the International Computer Security Association reflected in a memo to Crypt News, "[Some] details seem to be ignored in all the [current] 'Pentagon Hacks' reporting:"
"[Detection of an attack] is a function of one's ability to observe. [The Pentagon] has dramatically improved its ID capabilities and [it is] now able to observe what was in all likelihood, already there."
"Finally, for two years running Deputy Secretary Hamre has made dramatic announcements of the Pentagon being under attack just as budget submissions are going in," wrote Kennedy. "Last year it was Feb 25, 1998 -- three teenagers and 'the most organized and systematic' attack DoD had seen."
"So far, none of the [mainstream] reports I've seen have considered the possibility DoD is social engineering the Congress, media and public to bolster their Fiscal Year 2000 budget request."
(Note: Coincidentally, on October 8 the Pentagon ran a dog-and-pony show in Norfolk, Virginia, in which a number of DoD bigwigs including the chairman of the Joint Chiefs of Staff and Secretary of Defense William Cohen ballyhooed the opening of a new US military center for "cyberwar" to be headquartered at Colorado Springs. "To combat the expanding threat of cyberwarfare, the Pentagon established a new center on Thursday to defend the United States from hackers and to plot ways to attack an enemy's computer network," read one account of it which ran in the New York Times. "In future wars, U.S. cyberwarriors will try to disable air defense systems, upset logistics and infect software [with computer viruses] . . . according to [an anonymous] Pentagon official.")
After a spate of news stories piggybacking on the Defense Week revelations in March of this year, Moonlight Maze died away for a while.
Then, in a London Sunday Times piece published on July 25, Hamre's "we're in a cyberwar" quote was resurrected once again to ring the bell for "electronic Pearl Harbor" in a story that implied Russian hackers were stealing US information treasure via the Internet.
Entitled "Russian Hackers Steal US Weapons Secrets," the article breathlessly proclaimed: "The intelligence heist, that could cause damage to America in excess of that caused by Chinese espionage in nuclear laboratories, involved computer hacking over the past six months."
However, it was apparent even then that a significant part of the US military devoted to computer security operations was either ignorant of the Moonlight Maze secret "cyberwar" or not particularly interested in it.
In an article that ran in Defense Daily, a trade publication, two days after the London Sunday Times piece, Navy Captain Bob West, deputy commander of the Pentagon's Joint Task Force on Computer Network Defense said: "The odds of the U.S. being attacked on line by a foreign nation state in some kind of cyberwar in the near future are probably pretty low."
The Sunday Times story was pumped up by a great deal of anonymous government and military sources uttering baleful warnings. It maintained: "Besides military computer systems, private research and development institutes have been plundered in the same operation. Such institutes are reluctant to discuss losses, which experts claim may amount to hundreds of millions of dollars."
The London Sunday Times wrote that secret documents had been stolen but that the US military could not determine what was in them or which ones, precisely, had been stolen -- which would seem to constitute a somewhat ludicrous contradiction in terms.
Further, this information -- claimed the Times -- had been revealed at a private computer security conference by an employee of the Space and Naval Warfare Systems Command (SPAWAR).
The Times article speculated that either Russia or China could be behind the "cyberwar" that only the Pentagon can see because: ". . . Russia's relations with America have reached their lowest ebb since the cold war because of NATO's intervention in Yugoslavia. Relations with China have also suffered. An offensive in cyberspace may be their one way of retaliating without getting into a shooting war."
The London paper also speculated that Russian organized crime might be behind Moonlight Maze, and that: "China, Libya and Iraq are developing information warfare capabilities and, according to one White House official, 'we see well-funded terrorist groups that also have such capabilities'."
The London Sunday Times piece set a hallmark by which subsequent stories in the US media on Moonlight Maze could be judged:
That is -- Moonlight Maze stories are recognizable by their almost complete reliance upon gossip and speculation; their complete lack of definition in the who, what and where categories; and a stupefying preponderance of anonymous sources from the Pentagon, intelligence agencies, and/or the private computer security industry speculating or expostulating for journalists.
Throughout the latter part of the summer, reporters from the mainstream media contacted Crypt Newsletter about Moonlight Maze. The story had taken on a life of its own even though there was a complete lack of substantive evidence to go by. It was clear that Moonlight Maze was going to enjoy a second lifetime in the news and, indeed, a media cascade resulted in the second week of October, mostly built upon a wave of copycat reporting and inconclusive statements about the affair made in a Congressional hearing that week.
All of the reporters contacting Crypt Newsletter for comment had one thing in common.
They were all working from the exact same script. In addition to being inspired by the London Sunday Times piece, they all said or wrote that one "anonymous" source in "the Pentagon" was telling them that "Russian hackers" working off of the "Russian Academy of Sciences'" Internet domain were "involved."
This being the case, one could not totally rule out the possibility that someone within, connected to or formerly connected with the Pentagon or Department of Defense was attempting to pump this story into the mainstream U.S. media for the usual "cyber-scare" purposes.
On September 13, Newsweek's Gregory Vistica, in "We're In The Middle Of A Cyberwar," rolled out the old quote attributed to Hamre from the first quarter of the year.
Vistica's article reported nothing new from the London Sunday Times, but did republish, unattributed, much of its quote, tone and phraseology.
"Russian hackers may have pulled off what could be the most damaging breach ever of U.S. computer security . . ." writes Vistica.
"This was, Pentagon officials [anonymous, of course] say flatly, 'a state-sponsored Russian intelligence effort to get U.S. technology' -- as far as is known, the first such attempt ever by Russia," wrote Newsweek.
In response to the growing media hubbub created by Vistica's article, Michael Vatis, the head of the National Infrastructure Protection Center, was questioned about it in a Congressional subcommittee meeting on technology and terrorism on Wednesday, October 8.
Articles immediately resulted from the New York Times, the Los Angeles Times and Reuters. None reported anything that hadn't been written about from earlier in the year. All repeated the same nebulous quote. All, to varying degrees, attempted to make the case that Moonlight Maze had resulted in the loss of unspecified national security treasure to unspecified parties.
On October 6, "Cyber Blitz Traced To Russia, FBI Says," was a story issued by Reuters.
"A major effort to pierce U.S. government and private-sector computer networks seems to have originated in Russia, a top U.S. law-enforcement officer told Congress Wednesday," wrote Reuters.
In Moonlight Maze, Vatis said intruders had stolen "unclassified but still-sensitive information about essentially defense technical research matters."
This was a quote, the substance of which would be repeated in every subsequent story on Moonlight Maze.
"About the furthest I can go is to say the intrusions appear to originate in Russia," Vatis said.
A Pentagon public relations officer "said the Defense Department knew of no classified information that had been jeopardized in the Moonlight Maze intrusions."
On October 7, the New York Times checked in with a story entitled "Computer Intruders Apparently From Russia, Senate Panel Is Told."
"Intruders who stole sensitive information on Defense Department weapons during a widespread series of attacks on government and private computer networks are apparently based in Russia, an FBI official told a Congressional panel . . ." wrote the Times, referring to NIPC's Michael Vatis.
Lost in much of the overheated coverage on Moonlight Maze was Vatis's testimony before Congress that most computer security breakdowns can be traced to insiders.
"Senator Robert F. Bennett, a Utah Republican who is chairman of a special Senate committee that is overseeing Year 2000 efforts . . . [said] 'The challenge of information warfare will be the No. 1 security issue for the next administration,'" wrote the Times.
Bennett, wrote the Times, proposed an "electronic FEMA" to combat cyberterror.
This was completely unremarkable. Over the years, stories about secret cyberwars and hackers plundering our national treasure tend to be chock full of suggestions for creating new law enforcement or military agencies designed to protect us from them.
Also on October 7, the Los Angeles Times filed a front page story entitled "Yearlong Hacker Attack Nets Sensitive US Data."
The LA Times' story, while lengthy, was par for the course in that it produced no new information on Moonlight Maze.
It did state, however, that Wednesday marked "the first public confirmation of Moonlight Maze." This was, as we have read, flat-out wrong.
The Los Angeles Times article was, however, quite notable for its excessive reliance on anonymous sources passing on innuendo, speculation, hypotheses and half-baked theories on the matter.
Some excerpts:
" . . . circumstantial evidence points heavily toward a Russia-based intelligence gathering operation, officials said."
"'There are strong indications and it's our belief, that it's coming from Russia and that it may be a sponsored activity,' a senior Energy Department official said."
"Another computer security expert called Moonlight Maze 'the longest-running and most widespread attack we've seen. It's not been stopped . . . It's not even clear why. But the consequences are potentially huge."
"One US intelligence veteran, now a Senate staff member, said that the Internet has created huge new opportunities, as well as frightening vulnerabilities, for spy agencies around the world. 'Think of it . . . You can sit anywhere in the world now and run a spy operation.'"
"A senior White House official said that the evidence so clearly points to Russia that it almost seems like a deliberate diversion."
"Other intelligence experts argued that skilled hackers hired by Russian organized crime elements may be probing for commercially valuable information."
"Some experts suggested that France, a longtime proponent of economic espionage, may be the ultimate customer. That theory also remains unproved, however . . . "
Which would seem indisputable.
Crypt Newsletter asks the reader to pose these questions: Why are all the "sources" on Moonlight Maze anonymous? Why does the mainstream media persist in giving them a free ride? Why cannot anyone say what, precisely, has been stolen? Since when does a theory or hypothesis about unknown "hackers" constitute evidence of what is happening? Why can it not be said precisely what national security interests have been damaged, if this is so serious? And why has this news story been repeated from March in the year with no substantial addition of information?
There has been one doubting Thomas in the media with regard to Moonlight Maze.
On September 27, 1999, Federal Computer Week published a story on "Moonlight Maze" by reporter Dan Verton. Entitled "Russia hacking stories refuted," the piece stated flatly, "DOD sources say U.S. military secrets were not compromised."
Bias disclosure: Crypt Newsletter was a quoted source in this article.
". . . Pentagon officials and security experts refute claims that the Russian government officially took part in a computer break-in that reportedly resulted in the theft of sensitive naval codes and missile-guidance data," wrote FCW.
". . . a DOD spokesperson called recent media coverage of [Moonlight Maze] 'a combination of outright fabrications, distortions and incorrect quotations,' adding that military secrets were not compromised."
One of the anonymous sources peddling the story of Moonlight Maze through the summer, "who works for a major Internet domain registration firm, said he found copies of DOD duty rosters, network maps and photographs of DOD facilities residing on servers belonging to [the alleged attackers]," wrote FCW.
"As far as the pictures of DOD facilities and other materials that sources claim to have found on Russian systems, [Crypt Newsletter] said that type of material can be found in many places on the Internet."
" 'Portions of DOD are prone to yell cyberwar at just about any potential misuse of cyberspace,'" CN added.
A sampling of the incongruity in reporting on Moonlight Maze:
From Newsweek reporter Greg Vistica: "This was, Pentagon officials say flatly, 'a state-sponsored Russian intelligence effort to get U.S. technology' -- as far as is known, the first such attempt ever by Russia."
From Federal Computer Week: ". . . Pentagon officials and security experts refute claims that the Russian government officially took part in a computer break-in that reportedly resulted in the theft of sensitive naval codes and missile-guidance data."
From Federal Computer Week: ". . . a DOD spokesperson called recent media coverage of [Moonlight Maze] 'a combination of outright fabrications, distortions and incorrect quotations,' adding that military secrets were not compromised."
From the London Sunday Times:
"The intelligence heist . . . that could cause damage to America in excess of that caused by Chinese espionage in nuclear laboratories, involved computer hacking over the past six months."
From Reuters: ". . . the Defense Department knew of no classified information that had been jeopardized in the Moonlight Maze intrusions."
From The LA Times: "'There are strong indications and it's our belief, that it's coming from Russia and that it may be a sponsored activity,' a senior Energy Department official said."
Also from The LA Times: "Some experts suggested that France, a longtime proponent of economic espionage, may be the ultimate customer."
From the London Sunday Times: "The computer assaults have given fresh impetus to measures ordered by [President] Clinton more than a year ago to protect the country's electronic infrastructure. Alerted to the threat of Moonlight Maze, the president has called for an extra $600 [million] to help fund a variety of initiatives, including [boosted investment in the National Infrastructure Protection Center] . . ."
Other relevant links. No -- you are not seeing double when you read them. The previous analysis was excerpted from Crypt Newsletter reports over the last nine months. Caution: May be annoying to national security mandarins, Congressional fear-mongers and computer security industry marketing types.
The genesis of Moonlight Maze: Read about how Pentagon info-warriors claimed we were in the secret cyberwar earlier this year.
The big Kahuna of "electronic Pearl Harbor" reportage: Crypt Newsletter's archive of media excerpts on the topic.
NIPC analyst sees foreign programmers polluting our precious bodily fluids in assorted Y2K plots aimed at subverting computer software.
The men who started Moonlight Maze in the press: The Pentagon's John Hamre and politician Curt Weldon.
Solar Sunrise: Read about how Pentagon info-warriors claimed we were in yet another secret cyberwar last year, too.
Read about how the Army wishes to disconnect from the Internet because of the danger of secret cyberwar.
Or read about Eligible Receiver.
Other relevant links:
* About the Crypt Newsletter.
* Back to Crypt Newsletter
Send a comment: George Smith, Editor
copyright 1999 Crypt Newsletter. All rights reserved.
March 17, 2005 at 08:06 AM in Online crime | Permalink | TrackBack (33) | Top of page | Blog Home
BBC NEWS | UK | London police foil huge bank raid
Police in London say they have foiled one of the biggest attempted bank thefts in Britain.
The plan was to steal £220m ($423m) from the London offices of the Japanese bank Sumitomo Mitsui.
Computer experts are believed to have tried to transfer the money electronically after hacking into the bank's systems.
A man has been arrested by police in Israel after the plot was uncovered by the National Hi-Tech Crime Unit.
Unit members worked closely with Israeli police.
The investigation was started last October after it was discovered that computer hackers had gained access to Sumitomo Mitsui bank's computer system in London.
They managed to infiltrate the system with keylogging software that would have enabled them to track every button pressed on computer keyboards.
Cyber warning
From that they could learn account numbers, passwords and other sensitive information.
Yeron Bolondi, 32, was seized in Israel after an attempt to transfer £13.9m into an account there.
He has been charged with money laundering and deception, but police say their investigation is continuing. His relationship with the gang who tried to break into the network is unknown.
They have issued a warning for banks and businesses to watch out for cyber criminals.
The National Hi-Tech Crime Unit was launched in April 2001 with responsibility for tracking down the growing range of criminals who operate in cyberspace.
Takashi Morita, head of communications at Sumitomo Mitsui in Tokyo, said the company had not suffered any financial loss as a consequence of the robbery attempt.
He said: "The case is still in the middle of investigation so we cannot comment further.
"We have undertaken various measures in terms of security and we have not suffered any financial damage."
March 17, 2005 at 07:53 AM in Online crime | Permalink | TrackBack (15) | Top of page | Blog Home

1957: Born in Fort Worth, Texas, USA
1980: University of Houston, Bachelor of Architecture
1982: Harvard University, Master of Architecture
1988: Established COR-TEX, Los Angeles
1988-: Studio Professor, Southern California Institute of Architecture, Los Angeles
1993-: Adjunct Assistant Professor, University of Texas, Arlington: Fall Semester
1988: Westcoast Gateway Competition, Los Angeles: FINALIST
1989: Tokyo International Forum Competition: 3RD PRIZE SPECIAL MENTION
1993: Central Glass Competition, Tokyo: 3RD PRIZE
March 17, 2005 at 07:47 AM in Financial Services
Google Search: MTFG Plaza shibuya neil denari
March 17, 2005 at 07:45 AM in Financial Services
Japan: Bank Services With A Smile?
Japan's banks are focusing on a huge retail push -- a sign they're fit again
Pedestrians wandering into MTFG Plaza in Tokyo's hip Shibuya district could be forgiven for thinking they are about to enter a chic boutique. The building was designed by an American architect and features an ultramodern, snow-white exterior embedded with thin strips of multicolored lights. But instead of designer brands, what's for sale is an array of home loans, mutual funds, insurance, annuities, brokerage services, and plain old savings accounts. Just ask at the concierge desk. The banking supermarket is one of the first signs of a new strategic focus on retail customers by Mitsubishi Tokyo Financial Group Inc. (MTF). Since the remodeled branch reopened in December, it has kept its rank as the bank's busiest in Japan.
While financial one-stop shops are nothing new in much of the industrialized world, the concept is just now taking root in Japan, where the biggest banks have traditionally catered to the needs of corporate clients at the expense of individuals. Indeed, retail customers have long been subjected to unhelpful tellers, a poor selection of financial products at uncompetitive rates, and automated teller machines that shut down after 6 p.m. But after spending the 1990s digging themselves out of a pile of bad loans to Japan Inc., the major banks have suddenly seen the wisdom of emulating titans such as Citigroup (C) and HSBC Holdings PLC (HBC), which are world leaders in retail. "Our first goal is to be the most profitable retail bank in the world," says Tetsuya Wada, a director in charge of MTFG's retail banking business. "The second is to keep that No. 1 position for the next 50 years."
Wada's bravado is a result of MTFG's plan to execute a $29 billion friendly merger with UFJ Holdings Inc., Japan's fourth-largest bank and the big bank most focused on retail services. Although UFJ had to fight off a hostile counterbid from Sumitomo Mitsui Financial Group Inc. (SMFG), the merger is now scheduled to be completed in October. It would make the new Mitsubishi UFJ the world's largest bank, with $630 billion in assets.
The big new investment in retail is one sign Japan's major banks have put most of their troubles behind them. The long hangover from nonperforming loans is all but over. As of December, Merrill Lynch & Co. (MER) estimates the bad loan ratio at Japan's major banks dropped to 3.8%, down from a peak of 8.4% in 2002. And after some serious belt-tightening, Japanese banks now have the lowest cost ratios in the developed world, according to Goldman, Sachs & Co. (GS). Yet bankers can't revert to the old ways of doing business. Their best blue-chip clients are awash in cash and have less need for loans, while troubled borrowers have been cut off from fresh lines of easy credit. What's more, all-time-low interest rates in Japan translate into puny profit margins.
SAVINGS TO BE SNAGGED
So the big banks -- MTFG, UFJ, SMFG, and Mizuho Financial Group -- are in need of a new business model. "It's about margins," says John Sequeira, a partner at Bain & Co. in Tokyo. "Lending to corporates isn't a good business to be in right now, so Japan's banks are looking elsewhere." Where they are looking first is retail banking. The industry got some help in December from the government, which rescinded regulations that forbade direct sale of stocks and bonds to retail bank customers. That came on top of a decision three years ago to allow banks to market insurance products such as annuities. Those reforms, plus government plans to scale back bank deposit insurance guarantees starting on Apr. 1, are expected to free up some of the $13.5 trillion of personal assets in Japan, over half of which is locked up in low-yield, long-term deposits, much of it in the postal savings system.
Standard & Poor's (MHP) estimates that, on average, retail banking contributes no more than 30% of total profits at Japanese banks, compared with 70% at Bank of America Corp. (BAC). The proportion for Mitsubishi and UFJ is just 15%, which the managers of the combined group hope to raise to 35% in the next few years. A big step toward that is the MTFG Plaza in Tokyo, one of nearly 100 such branches -- out of a total of 712 slated to survive the merger with UFJ -- that the bank expects to open across Japan by 2007. Inside, each is split up into sections offering different services, usually including a comfy lounge for private bank clients and a satellite office of MTFG's house broker, Mitsubishi Securities.
Even before unveiling the remodeled branches, the bank had been turning its giant hull toward retail. In 2002 it formed Mitsubishi Securities, now Japan's fourth-largest broker, through the merger of four securities houses. The bank also has more than doubled the size of its home loan business since 2001, thanks in part to a high-profile "Meet MTFG" TV ad campaign. And the bank was the first in Japan to install biometric ATM machines that scan customer palms to provide account access. MTFG charges customers $95 to register for the palm-scanning ATMs, which are an extra security option in addition to PIN numbers. Last year its earnings in retail banking totaled a respectable $902 million. "While these services are very attractive to our clients, they are also very profitable," says Wada.
MTFG's rivals have been quick to respond to its retail push. Mizuho has opened Mizuho Investors Securities outlets at 31 of its 528 branches and plans to open 100. Mizuho also acquired a 4.92% stake in Nikko Cordial Securities Inc. in December, with which it may seek to market more financial products. Meanwhile, SMFG -- already the leading marketer of annuities, private pensions, and mortgages -- has begun selling foreign bonds at all its branches. And SMFG is in talks with Daiwa Securities Group Inc., Japan's No. 2 broker, about a merger.
NICENESS TRAINING
Of course, remaking corporate cultures that have long been largely indifferent to individual customers won't be easy. MTFG is transferring 300 employees from Mitsubishi Securities to help train bank employees in the brokerage business. And it has also set up an internal "retail academy" which, among other things, teaches staff to be nicer to customers. The academy, which has already graduated some 1,500 staffers, offers a range of courses from a single day to one day a week over three months.
Not all industry observers believe that blurring the line between banks and other financial companies is such a wise move. They say banks risk overreaching as they rush to be all things to all customers. And they may have trouble beating established brokerages such as Nomura Securities Co. at their own game. "It's hard to see the synergies from banking, the brokerage business, and insurance," says Yoshinobu Yamada, an analyst at Merrill Lynch Japan Securities Co. (MER) in Tokyo. "The one-stop shop isn't the answer."
Moreover, a real commitment to retail banking will require expensive new investment. Goldman Sachs estimates Mitsubishi UFJ would have to double its workforce, to 96,236, if it wants to provide the level of service to retail customers routinely provided by banks such as HSBC. "What the banks talk about sounds all good and well in theory, but serious implementation would require significant investment in branches and people," says David Atkinson, an analyst at Goldman Sachs in Tokyo.
Whether Japan's Big Three can reinvent themselves as profitable full-service financial supermarkets remains to be seen. Still, a shift toward more profit-driven growth, even if it is a bit awkward, signals the end of a long, painful period of retrenchment for Japan's banks.
By Ian Rowley in Tokyo
March 17, 2005 at 07:42 AM in Financial Services
Mitsubishi Tokyo Financial Group: News Releases > 2004

MTFG Plaza
March 17, 2005 at 07:37 AM in Financial Services
Finextra: Chip and PIN security flaw uncovered
An investigation by the UK's London Programme has uncovered a security flaw in Chip and PIN payment cards which allows fraudsters to disable and override chip security measures using information embedded in the magnetic strip.
The television programme, which aired last night, showed an anonymous "industry insider" cloning a chip-based payment card using software and a skimming device bought on the Internet.
The skimming device records data embedded in the magnetic strip on a smartcard, but information stating that the card contains a chip can be changed using the illegal software. The data is then copied onto a basic plastic card, such as those used for mobile top-ups. Programme makers were able to use the cloned card to withdraw cash from an ATM.
The findings of the investigation were presented to the UK's Association for Payment Clearing Services (Apacs). In a statement issued to the programme makers, Apacs says: "When fully in place, chip and PIN technology will identify chip and PIN cards that have been fraudulently tampered with in this way, and also fraudulent copies of those cards."
But in the programme, Sandra Quinn, director of corporate communications, Apacs, did admit that data embedded in the magnetic strip on a card can be accessed and copied by fraudsters but insisted that it cannot be changed: "That data will always say 'there is a chip on this card' therefore if there's no chip on the card the fraudster can't use it."
But research conducted by Ross Anderson, head of security engineering at Cambridge University, found that if a card with a damaged chip is presented at an ATM or POS terminal, then the device falls back to magnetic strip operation.
David Cooper, risk management, Lloyds TSB, told the programme that although banks in Europe were committed to using chip-based technology, financial firms in the US have not made much effort to move into chip and PIN yet, so the industry isn't able to drop magnetic strips from payment cards.
Despite the security risks uncovered, Quinn says cards containing both chips and magnetic strips will be around "for a very long time".
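One issuer-side check for the downgrade the programme demonstrated, as an added example (not Finextra's, Apacs's or any bank's code): it compares the track 2 data the terminal read against the issuer's own record of what was personalised on the card, and treats chip-card transactions that did not use the chip as needing review. The track 2 layout and service-code meaning follow ISO/IEC 7813; the card numbers, the issuer card file and the fallback threshold are constructed sample data.

```python
import re
from typing import Dict, Tuple

# ISO/IEC 7813 track 2 layout: PAN '=' expiry (YYMM) + 3-digit service code + discretionary data.
# The service code is the "information stating that the card contains a chip": a first digit of
# 2 or 6 tells a terminal to use the chip when it can, so a stripe copied from a chip card says so.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<expiry>\d{4})(?P<service>\d{3})(?P<extra>\d*)\??$"
)
CHIP_SERVICE_DIGITS = {"2", "6"}

APPROVE, REFER, DECLINE = "approve", "refer", "decline"

# Constructed issuer card file (sample PANs, not real cards): what the issuer encoded at issuance.
SAMPLE_ISSUED = {
    "4000123456789010": {"service": "201", "expiry": "0712"},  # chip card
    "4000123456789028": {"service": "101", "expiry": "0612"},  # stripe-only card
}


def parse_track2(raw: str) -> Dict[str, str]:
    """Split raw track 2 data into pan / expiry / service / extra; reject anything malformed."""
    m = TRACK2_RE.match(raw)
    if m is None:
        raise ValueError("malformed track 2 data")
    return m.groupdict()


def declares_chip(service_code: str) -> bool:
    """True when the service code tells terminals that this card carries a chip."""
    return service_code[:1] in CHIP_SERVICE_DIGITS


class IssuerAuthoriser:
    """Issuer rules for transactions in which the terminal read the stripe rather than the chip.

    A fraudster can copy and re-encode the stripe, but cannot alter the issuer's own record of
    what was written on the card, so the two are compared on every stripe read."""

    def __init__(self, issued_cards: Dict[str, Dict[str, str]], max_fallbacks: int = 2):
        self.issued_cards = issued_cards
        self.max_fallbacks = max_fallbacks
        self.fallback_count: Dict[str, int] = {}  # PAN -> fallback transactions seen so far

    def authorise(self, raw_track2: str, entry_mode: str) -> Tuple[str, str]:
        """entry_mode is 'magstripe' (terminal simply swiped the card) or 'fallback'
        (terminal tried the chip, the read failed, and it swiped the stripe instead)."""
        t = parse_track2(raw_track2)
        issued = self.issued_cards.get(t["pan"])
        if issued is None:
            return DECLINE, "unknown PAN"
        # 1. Track data differs from what the issuer wrote: the stripe was re-encoded, e.g. a
        #    chip card's service code altered so that terminals treat it as stripe-only.
        if t["service"] != issued["service"] or t["expiry"] != issued["expiry"]:
            return DECLINE, "track 2 differs from issuer record: re-encoded stripe"
        if not declares_chip(issued["service"]):
            # 2. Stripe-only card, swiped: consistent; the usual fraud rules still apply.
            return APPROVE, "stripe-only card, track data consistent"
        # 3. Genuine chip card, but the chip was not used.
        if entry_mode == "fallback":
            n = self.fallback_count.get(t["pan"], 0) + 1
            self.fallback_count[t["pan"]] = n
            if n > self.max_fallbacks:
                return DECLINE, "repeated chip-read failures on one card: suspected downgrade"
            return REFER, "chip card read via fallback; apply extra checks before approving"
        # A plain swipe of a chip card cannot simply be declined while terminals without chip
        # readers exist (the US point made above), but it deserves closer scrutiny.
        return REFER, "chip card swiped at a terminal that did not use the chip"
```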
March 16, 2005 at 11:06 PM in Smart Cards
Smart Cards at the Crossroads: Authenticator or Privacy Invader
By Ari Schwartz, The Center for Democracy and Technology
Published by the Direct Selling Education Foundation, in "At Home With Consumers," Volume 19/Number 3/December 1998
As our economy moves increasingly into a networked world, more information is collected and retained on the daily interactions of individuals. Every day, individuals unwittingly hand over personal information that quickly finds its way into a consumer profile or "digital dossier." In the supermarket we hand over our frequent shopper card and pay with a credit or ATM card. The information collected from this transaction is captured and stored and often combined with other information gleaned from "public records" and private sources. Concerns over these "digital footprints" are the basis for growing consumer concerns with privacy in the networked economy.
In the mind of a thoughtful consumer, smart cards escalate these concerns. Creating a single card that could merge their financial affairs with health information and even interactions with government raises unease and mistrust. Individuals fear that a single card will accelerate the centralization and sharing of personal information in ways that will erode privacy. While the increased use of smart cards poses challenges to protecting privacy, smart card designers and policy makers have the opportunity to devise privacy protections that many believe are crucial for gaining the trust of consumers in the digital economy.
Authentication and Smart Cards
Creating tools that will both protect privacy and provide the convenience of the networked world requires us to examine the nature and purpose behind each function of the card, or "application." Smart cards are diverse, ranging from simple single-function cards like credit cards to cards serving multiple functions, such as a student ID on a university campus which allows access into buildings, pays for meals and serves as a library card. While diverse, all share a common basic function: authentication. A driver's license, e-cash and even a door key are simply tools that authenticate or certify different things about the individual: a driver's license — their ability to drive and their identity; e-cash — their ability to pay for goods; a door key — their authority to enter a building. Simply put, authentication is different from identity. We can break authentication into three boxes:
* Identity — Birth certificates and state-issued identification cards prove that we are who we claim ourselves to be.
* Eligibility — Various keys allow us, or those with whom we share them, to enter our home, car or office. Documents such as frequent flyer numbers allow us to prove membership in an organization.
* Value — Currency acts as one form of certifier, performing the narrow function of proving that an individual is able to pay for a good or service.
While authentication mechanisms are necessary for a thriving and rich networked economy, their development and implementation raise important individual privacy, system security, and social concerns. These concerns multiply as we begin to use single cards — smart cards — to bundle different services, and with them the authentication systems created to support them. For example, when we pay cash we do not expect people to ask for our identity, but on a smart card it is quite possible that someone will be providing this information and more when paying with e-cash. The merging of services could have extreme social effects on consumers; some examples are:
* Centralization of personal information collection — A single card used for different purposes runs the risk of creating a centralized warehouse of data about an individual's activities. Today various record-keepers have information that reflects different aspects of an individual's life. The bank has banking records; doctors have medical records; and credit card companies have records of credit transactions. The walls between these records protect individual privacy in two ways. First, they limit, to some extent, the damage to individual privacy that occurs through either misuse by an authorized user or unauthorized access by an intruder. Second, they place checks on the surveillance and monitoring capacity of each system. If all of an individual's transactions occurred through, or were recorded at, the same source, we would create a powerful center of data on all citizens that would be ripe for misuse and abuse.
* Means for new social controls — The issuing, revoking, or withholding of such a card could be used to control social behavior, limit an individual's activities, or punish unrelated activities. Today, specific tokens enable specific activities. While losing a driver's license may limit a person's ability to drive, it does not impact her ability to purchase goods in the market, seek health care, or engage in other transactions. A single card does not provide the same flexibility.
* Greater collection and use of personal information — When a single card is used across all transactions, it could become a default personal identification or a national ID card. As mentioned above, many of our daily activities require far less "personal" means of certification. A single certifier will result in more data being collected than is needed for many interactions. In the most extreme case it could lead to every online interaction being fully identifiable and traceable to an individual. Utilizing a single card for all purposes could create an electronic trail of all personal interactions.
Keys on a Key Ring
Perhaps the best real world metaphor for the problems that smart cards pose to personal privacy is the key ring. Given the choice between a ring with multiple keys or a single key to open all doors, most consumers would stick with the key ring — despite the initial appeal of the single key. The single key could be easily lost or misused and its functions could not be isolated; the keys would have to remain connected at all times — by giving someone the key to your car you would be in effect giving them the key to your life. The popular conception of smart cards has been this single key with the related possibility of tying all data inexorably together, but this does not have to be the case. Cards with complex operating systems are already being devised, but questions remain as to how to maintain the walls between different kinds of personal information. How will the data be stored and who will have access to it?
Fortunately, at this nascent stage in the adoption of smart cards in the marketplace, smart card designers and policy makers still have the opportunity to heed the advice of consumer and privacy advocates and create a tool offering the convenience intended and protections for privacy. In order to accomplish this goal, smart card designers should be asking themselves questions about privacy, such as:
* What type of authentication is required for this application? Do we need to know "who" the individual is or not?
* How can the collection of information be limited to only what is necessary? Can any of the applications utilize and maintain anonymity (e.g. electronic cash)?
* Has the application changed (technologically or otherwise) since it was created, in a way that may warrant a rethinking of the authentication needed?
* Are there risks of placing this application onto a card with other applications?
* What safeguards are employed to limit the ability to combine and warehouse data elements collected by different applications?
* What protections can be utilized to prevent the disclosure of information across applications?
In short, designers should not be afraid to think about changing the way that old applications were used if the changes will help to protect the consumer on the new format of the smart card.
While technology can be implemented with an increased focus on protecting consumer privacy, there is still a role for policy makers. Policy makers will need to look into such issues as:
* the ability of government to use the card to track individuals;
* the information handling practices of the different applications on the card; and
* the ability of smart card companies to warehouse and package data for sale to third parties.
Conclusions
Ultimately, smart cards will not be able to succeed if consumers do not trust them. If the tracking ability of the cards weighs greater in the minds of consumers than convenience, the cards will not succeed in the market. Now is the opportune time for those who would like to see smart cards succeed to build in privacy enhancing features and eliminate the valid privacy concerns of consumers.
March 16, 2005 at 09:38 PM in Smart Cards
Report commissioned by:
Electronic Commerce Task Force
Industry Canada
Prepared by:
Angie Barrados, Researcher
Public Interest Advocacy Centre
1204 - 1 Nicholas Street
Ottawa, Ontario
K1N 7B7
barrados@web.net
www.piac.ca
April 2000
Table of Contents
INTRODUCTION
A. OVERVIEW OF DIGITAL AUTHENTICATION
B.SECURITY
B1. Securing Entire Systems
B2. Security Problems with Digital Signatures
B3. Use of Best Available Technology
B4. Social Systems
B5. Security: Conclusion
C. MANAGEMENT OF PERSONAL INFORMATION
C1. Centralization of Personal Information and Data Matching
C2. Certification Authorities
C3. Certificates and Names
C4. Management of Personal Information: Conclusion
D. INDIVIDUAL CONTROL OVER PERSONAL INFORMATION
D1. Choices and Ability to Evaluate Systems and Certification Authorities
D2. Key Rings
D3. De-linking Authentication from Identification
D4. Individual Control Over Personal Information: Conclusion
CONCLUSION
Digital Authentication and Consumers' Privacy
INTRODUCTION
This paper identifies and discusses the main implications of digital authentication to consumers' privacy based on two sessions of the Tenth Conference on Computers, Freedom and Privacy (CFP) held in Toronto from April 4-7, 2000: "Who Am I and Who Says So? Privacy and Consumer Issues in Authentication" and "Everything You Need to Know to Argue About Cryptography"(1). The material from the conference is supplemented by selected secondary sources.
The paper provides a brief explanation of what authentication is, and provides definitions of some key terms relating to digital authentication. The main potential problems and issues for protecting consumers' privacy in the context of systems that use digital authentication are then discussed under three headings: security, management of personal information and individual control of personal information. Experts' main recommendations on protecting consumer privacy in these three areas are also noted.
A. OVERVIEW OF DIGITAL AUTHENTICATION
Generally, authentication means "the process of establishing confidence in an assertion"(2) and is the basis of being able to conduct transactions of many kinds. Authentication is often related to establishing the identity of someone entering into a transaction, such as when consumers show their driver's license to have a cheque accepted. Methods of authentication can also be used to establish someone's authority, as in a diploma, or to establish someone's privileges, as in a membership card. Also, statements can be authenticated as being endorsed by a specific person by means of a signature or a seal.
Authentication methods currently in use for electronic transactions such as magnetic strips on cards, credit card numbers, PINs and passwords share some major flaws. They are not very secure, since they can be stolen relatively easily, either through low-tech methods (looking over someone's shoulder at an ATM) or higher-tech methods (breaking into someone's computer). Also, they cannot be tightly bound to one person. Consider buying something over the Internet with a credit card for instance; the credit card number alone does not tell the vendor that you are who you say you are. Added to these problems is the fact that much electronic communication is occurring over relatively insecure media such as the Internet that can easily be eavesdropped on.
Public key cryptography potentially offers a secure way of authenticating digital transactions over the Internet, and thus a great deal of attention is being paid to the development of systems that use public key technology, and the infrastructure needed to support such systems. In particular, digital signatures that use public key cryptography have great potential to facilitate electronic transactions. Generally, "digital signature" means a scheme using public key cryptography that functions much like a physical signature to authenticate the origin and integrity of documents.
Public key cryptography is distinct from traditional cryptography, because traditional cryptography uses the same key to encrypt and decrypt messages, while public key cryptography uses two keys to convey one message: one key to encrypt a message and another key to decrypt the message(3). One key cannot be derived from the other, so that one key can be made public, while the other can be kept secret. The way that public key encryption works is explained by the following example of how it can be used to send a message securely:
Say that Alice wants to send Bob a message. We assume they both own a key pair and they both know each other's public key. Alice encrypts the message using Bob's public key, and sends it over an insecure channel. Bob decrypts the message using his private (secret) key.
In this case, Alice can send a message to Bob over an insecure channel knowing that only Bob can read the message. But it does not authenticate the message (i.e. confirm that the message comes from Alice). In order to authenticate the message, Alice must use her private key as a digital signature to the message in the following way:
Alice computes the "hash" of the message using a "hash function"(4). She then encrypts the hash with her private key: this is the digital signature. She sends this signature to Bob along with the message.
When Bob receives the message, he computes the hash of the message. He then decrypts the signature with Alice's public key, and compares the resulting hash to the hash of the message he computed. If they are the same, he can be sure that the message was sent by Alice, and was not tampered with.
In this example, Bob can only rely on the digital signature if he can be sure that Alice's public key in fact belongs to Alice. Alice's public key must be tied in some way to Alice herself. This can be done through a certification authority that checks Alice's identification, and certifies that the "real" Alice owns the public key. The certification authority would issue a certificate that Alice could send with her signature to validate her public key. It would be important that the certification authority be trustworthy, so that a certificate signed by the authority could be relied upon.
The establishment of certification authorities is the main part of the infrastructure needed to support the use of digital signatures (known as "public key infrastructure" or PKI). By and large, PKI is still a conceptual notion and not a reality, but there is a great deal of interest in establishing certification authorities and standards for their operation. Creating PKI may seem like a primarily technical issue, but in fact, once PKI is in place, it could lead to the widespread use of digital signatures. This has quite important implications for consumers. Digital signatures will facilitate the further use of electronic communication and storage of personal information in many fields. The new systems that use digital signatures as authentication will introduce new ways of identifying people, change individuals' responsibilities and liabilities, and provide new ways to centralize information.
B. SECURITY
Digital signatures have a great deal of potential to increase the security of electronic transmissions, but the reliance on digital signatures in itself would create new security concerns (discussed below). Also, digital signatures will probably facilitate the development of new electronic systems through which to carry out transactions, and these systems in turn will have to be secure.
The importance of system security to the individuals who use these systems was made clear by the hypothetical example that was discussed by the CFP panel. The hypothetical system used public key technology to control access to a database of emergency medical profiles, and was accessible to doctors and insurance companies with certain certificates. Individuals could access their own files using a smart card containing a biometric identifier. An Orwellian scenario was given of an individual finding that her file had been altered without her knowledge. Her private key (the smart card) had in no obvious way been violated, so she had no way of proving that she did not make the changes to her file. If the culprit was not found, she could be held liable for the misuse of her card, and expenses to her insurance company.
B1. Securing Entire Systems
Computer security experts find that people are dazzled by public key cryptography, and that they tend to assume that it can be used to completely secure systems(5). However, most ordinary operating systems are vulnerable to attack by hackers. In many cases using digital signature technology will be "like putting a vault-door on a cardboard box". For instance, a security expert on the CFP panel explained that in sending a digital signature over the Internet, a user's browser may have access to the user's private key. In this case, the digital signature itself may be hard to attack, but it would not be hard to attack the user's browser and find the private key.
The layperson may assume that one cryptography function is all it takes to secure a computer system, but in actual fact, most security problems require many functions in different parts of the system (a cryptographic protocol)(6). Designing good cryptographic protocols is "amazingly hard", and applying them to software is even harder, according to cryptographers. However, many systems designers consider security at the last minute, and do not realize how hard it is to apply cryptography to security problems. In many cases, the use of cryptography may give a false sense of security.
In setting up systems using public key cryptography, it is important that the limitations of the technology be clearly understood by both system administrators and users(7). It can never be assumed that systems are completely secure.
B2. Security Problems with Digital Signatures
A digital signature can be less secure in some ways than a physical signature in authenticating a transaction. As discussed above, a digital signature relies on the use of a private key; the private key is actually a string of digits that would most likely be stored on a card accessible with a PIN. Proponents of digital signatures tend to assume that the private key and certificate are controlled by the certified keyholders, but if the private key is kept on a card, there is clearly a danger that the card and PIN could be copied or stolen. Critics feel that the problem with relying on digital signatures is that it would be as easy to steal a signature as it is to steal a credit card(8).
In the case of a forgery of a physical signature, an individual can try to prove that he was not the person who physically signed a document through a number of methods. He can show that the forged signature does not match his real signature, he can call on people who witnessed the signing of a document, and he can try to prove that he was in a different location at the time the document was signed. A digital signature cannot be related to a person in the same way, unless there is a video camera recording who is at the computer monitor conducting a particular transaction.
To tie private keys more strongly to individuals, private keys could be based on biometrics (such as fingerprints, or iris scans). If biometric data was downloaded to a card for use, there would be the same danger of the card being copied or stolen. However, if the public key was an actual scan of one's fingerprint, for instance, it would be harder to forge, although some computer security experts feel that even biometrics are not secure(9).
An investigation of a fraudulent use of a digital signature would depend on the audit trail of the suspicious transaction. It is, therefore, important that systems be designed to keep such audit trails(10).
B3. Use of the Best Available Technology
Designing secure systems is expensive, and the companies that build these systems may not always have the incentive to use the best available technology(11). The extent to which this incentive is present will be determined by the assignment of liability in the case of a security breach. Contracts between individuals and service providers will likely specify who is liable for misuse of the individual's private key. If providers bear liability for misuse of the private key, they will have a strong incentive to use the best available technology. This assignment of liability would be analogous to the liability banks have for misuse of ATM cards. Banks bear the liability for misuse of ATM cards provided customers take reasonable security precautions, so they use good security methods such as video cameras at ATM machines.
In the future, individuals may be able to choose among different service providers that have varying levels of system security. It will probably be hard for individuals to understand and evaluate security issues, since these issues are complex even for experts. Also, individuals may not understand the potential risks that security breaches pose for them. Therefore, consumer protection laws should clearly place responsibility for security on service providers.
B4. Social Systems
Even if technology can provide good security for a computer system, there may be serious security problems if the people using the system are not security conscious. The CFP panel on authentication discussed the difficulty of ensuring security of medical files in a hospital or clinic setting. Typically, security is based on a "firewall" concept that allows the insiders (say, hospital staff) to have access to all files(12). This means that a great many people have access to the files, which increases the possibility of abuse. Also, there are typically many low-tech ways of accessing personal information (such as reading files left in easily accessible places). Introducing an electronic system based on public key cryptography will not solve these problems and may indeed introduce greater potential for abuse because of increased centralization of personal information.
To provide data security, attention needs to be paid to the social system that uses the computer system, as well as the computer system itself. The panelists agreed that changing these social systems to ensure data security can be just as hard as designing technological solutions to security problems.
B5. Security: Conclusion
The application of public key cryptography is not enough to solve all security problems. In fact, the new systems that will be facilitated by public key cryptography create a whole set of complex security concerns that must be addressed to ensure the protection of personal information.
C. MANAGEMENT OF PERSONAL INFORMATION
Digital signatures could lead to the development of much larger, more complex electronic systems than have previously been used. These systems may raise significant concerns about how individuals' private information is collected and exchanged by private entities.
C1. Centralization of Personal Information and Data Matching
The systems that will be facilitated by the use of digital signatures will likely increase the centralization of personal information. For instance, it will soon be possible for all of an individual's medical information to be stored and updated in one electronic file. This may be advantageous to doctors and patients in many ways, but it also means that patients would have less control over their medical information. A patient would no longer be able to withhold parts of her medical history from a new doctor. Also, unauthorized access to the file would disclose the entire medical history and potentially create far more problems for an individual than disclosure of a partial file.
A major privacy concern will arise if one digital signature is used for multiple purposes. In this situation, the public key would become a de facto universal identifier, and allow for matching of diverse databases. This means that comprehensive files on individuals could be compiled by authorities with access to many different databases, or by hackers. Also, all of an individual's electronic transactions could be recorded, and traced back to the individual.
C2. Certification Authorities
Certification authorities will likely play an important role in PKI; they will issue digital certificates to individuals to certify that an individual is the rightful holder of a public key. Through the process of issuing certificates, a certification authority would keep records about individuals' identification, registries of public keys and certificates, as well as certificate revocation lists(13). The revocation lists in particular raise concerns because anyone relying on digital signatures would have to check the revocation list each time they accept a signature. In the process of checking the revocation list, a data trail would be created that would show every inquiry about a particular certificate. Therefore, everyone with whom an individual transacts could potentially be recorded by the certification authority.
Certification authorities could have a great deal of power over individuals by virtue of their function in issuing/withholding certificates, and revoking certificates. This power will be greater to the extent that the following factors are true:
* individuals need to obtain a certificate in order to engage in important or essential transactions;
* individuals do not have a choice as to which certificate authority they deal with, or all certification authorities offer the same service;
* eligibility requirements are not regulated;
* identification requirements and application criteria are not publicly disclosed.
Privacy advocates are concerned about the creation of authorities that could potentially exercise a great deal of power over individuals, and would hold significant amounts of information about them.
C3. Certificates and Names
Identification requirements to establish an individual's eligibility for a certificate will have to be established. Privacy advocates are concerned that these requirements may be too onerous, and thus privacy invading. This problem will be more pronounced with certificates that actually establish identity, compared to certificates that establish some type of eligibility without identifying the individual.
Another privacy concern involves the personal information that the certificates would potentially display. The subject's name and public key may not be enough information, because names are not always enough to unambiguously identify someone; other information such as an e-mail address or a driver's license number may be required. A subject's privacy could be compromised by having to disclose personal information in a certificate every time she uses her digital signature.
The identification and eligibility requirements used by certificate authorities will have very important privacy implications. Many companies have an interest in securely identifying their customers. In the context of digital signatures they may see an opportunity to improve identification by pushing for more onerous identification requirements for certificates than the identification that is currently used to verify physical signatures. Any such push towards identifying individuals more comprehensively needs to be counterbalanced by privacy considerations.
C4. Management of Personal Information: Conclusion
To protect individuals' privacy, personal information held by certification authorities and systems managers would need to be protected from misuse, and any authorized use of the information would have to be carefully evaluated to ensure that it is not privacy invasive. These privacy protections rely on good data management practices, which could be promoted by sound rules and oversight. However, it will be impossible to completely avoid misuse of information or security breaches. It is important, therefore, that PKI build in privacy protections apart from private-sector information management practices.
D. INDIVIDUAL CONTROL OVER PERSONAL INFORMATION
As digital signatures allow systems to be built that increase the centralization of information, it will become more and more important to ensure that individuals do not lose all control over their personal information, and thus any ability to protect their privacy. There are three main ways that individual control over personal information can be maintained in a digital environment: allowing people to choose privacy-enhancing services, allowing for the use of a "key ring" rather than one multipurpose key, and the de-linking of authentication and identification in many situations.
D1. Choices and Ability to Evaluate Systems and Certification Authorities
In the future, individuals may or may not have a choice about whether to acquire a digital signature, and which certification authority to use to validate it. It is important that individuals be able to choose options that maximize their privacy. As PKI is developed, it is important that individuals not be forced by mandated use of certain systems to acquire digital signatures. People should be free to acquire digital signatures when they are confident that their privacy is adequately protected.
If individuals are given choices about which systems and certification authorities to use, they must be able to evaluate the security and information management practices of a particular service. This will require the disclosure of key information about services, and some sort of independent evaluation of them, made available to consumers in understandable language.
D2. Key Rings
As mentioned above, there is a major concern with the public key becoming a de facto universal identifier. A public key would not become a universal identifier if an individual owned different key pairs (public and private keys) for different transactions, so that, for instance, an individual's public key for accessing her bank account would be different from that used for accessing her medical records. Ari Schwartz of the Center for Democracy and Technology suggests that individuals should possess a "key ring" of different keys. This would be preferable to a single key, according to Schwartz, because:
Given the choice between a ring with multiple keys or a single key to open all doors, most consumers would stick with the key ring - despite the initial appeal of the single key. The single key could be easily lost or misused and its functions couldn't be isolated; ... by giving someone the key to your car you would in effect be giving them the key to your life(14).
There are a number of factors that suggest that single keys may indeed become the norm. As mentioned above, powerful companies would like to have their customers identified conclusively, and will probably try to set up PKI so that one key will be the norm. Also, having multiple keys could mean additional expenses for individuals and the responsibility of managing multiple cards with multiple PINs. Nonetheless, the key ring concept should be promoted, as it could be the single most important way of maintaining individuals' control over their personal information.
D3. De-linking Authentication from Identification
The potential for systems managers and certification authorities to invade individual privacy would be greatly reduced in cases where digital signatures did not function as identifiers. It is important to remember that authentication also applies to credentials, eligibility and reputation in ways analogous to diplomas or membership cards. There are many potential applications for digital signatures in which identification is not disclosed, and "blinded" digital signatures in which identification is hidden. To protect individual privacy, individuals should only be identified in digital transactions when it is necessary to do so(15).
D4. Individual Control Over Personal Information: Conclusion
In envisioning PKI, it is important not to assume that individuals will use one type of identifying digital signature for all of their transactions. The extent to which individuals can use different keys for different purposes, and choose whether or not to identify themselves with a key, will determine how much control individuals will retain over their personal information. Also, the extent to which individuals can choose different types of certificates will determine how much individuals will be able to opt for privacy-enhancing options.
CONCLUSION
This overview of the privacy issues surrounding the development of digital authentication indicates three overall recommendations to maintain and protect individual privacy:
1) The limitations of public key cryptography in securing systems must be taken into account. Ensuring that information is secure throughout a system is a complex task that requires a number of methods, including providing incentives through assigning liability for misuse of information, and changing social systems. Systems must be auditable so that suspicious transactions can be investigated.
2) In the future, certification authorities and other service providers could possess a great deal of personal information. To protect individual privacy, information held by private entities would need to be protected from misuse, and any authorized use of the information would have to be carefully evaluated to ensure that it is not privacy invasive. These good information management practices should be promoted by sound rules and oversight, but this will not be enough to ensure individual privacy; PKI should also be designed so that individuals retain control over their personal information.
3) PKI should give individuals the choice to opt for privacy-enhancing services. People should have the option to own multiple keys, and to use keys that do not identify them. As PKI is developed, people should not be forced to acquire digital signatures, but should rather be allowed to acquire them when they have confidence that there are adequate consumer safeguards in place.
As PKI is being developed, there will be a need for much more investigation of how these general recommendations can be implemented in practice.
1. Appendix A gives a description of the sessions and who contributed to them.
2. Roger Clarke, Personal Notes on Computers, Freedom & Privacy 2000, Toronto, 5-7 April 2000, at http://www.anu.edu.au/people/Roger.Clarke/DV/NotesCFP2K.html, accessed on April 18, 2000.
3. The following discussion on public key cryptography relies upon Brian A. LaMacchia of Microsoft, "Everything You Need to Know to Argue About Cryptography", Cryptography Tutorial, CFP 2000, April 4, 2000.
4. A hash function reduces a message to a fixed size, and is a "one-way" (non-invertible) function. This means that knowing the hash function and the hash of the message does not allow someone to compute what the initial message was. Therefore, Alice can choose a well-known hash function; it does not need to be kept secret.
5. This paragraph is based on remarks by Carl Ellison of Intel at "Who Am I and Who Says So? Privacy and Consumer Issues in Authentication".
6. This paragraph is based on Brian A. LaMacchia, "Everything You Need to Know to Argue About Cryptography", Cryptography Tutorial, CFP 2000, April 4, 2000.
7. This point was made by Phil Hester of IBM at "Who Am I and Who Says So? Privacy and Consumer Issues in Authentication".
8. This point was made by Margot Freeman Saunders of the National Consumer Law Centre at "Who Am I and Who Says So? Privacy and Consumer Issues in Authentication".
9. This was suggested by Carl Ellison at "Who Am I and Who Says So? Privacy and Consumer Issues in Authentication". Roger Clarke reports that fingerprints are very easily forged, and that most biometrics will probably be "forged with ease", in Privacy Requirements of Public Key Infrastructure at www.anu.edu.au/people/Roger.Clarke/DV/PKI2000.html, accessed on 18/4/2000.
10. This point was made by Phil Hester at "Who Am I and Who Says So? Privacy and Consumer Issues in Authentication".
11. This paragraph is based on comments by Margot Freeman Saunders of the National Consumer Law Centre at "Who Am I and Who Says So? Privacy and Consumer Issues in Authentication".
12. This point was made by Carl Ellison at "Who Am I and Who Says So? Privacy and Consumer Issues in Authentication".
13. Certificate revocation lists would list certificates that have been revoked because they have been compromised, or have expired.
14. Ari Schwartz, "Smart Cards at the Crossroads: Authenticator or Privacy Invader?", Center for Democracy and Technology, at www.cdt.org/gigsig/idandsmartcards.shtml, accessed on 12/4/2000.
15. Roger Clarke, Personal Notes on Computers, Freedom & Privacy 2000.
March 16, 2005 at 09:34 PM in Financial Services
A nation of communicators - Connected Business - Times Online
Sara McConnell introduces a Times Online series that charts how communications technology is revolutionising our work and home lives
We have become a nation of communicators. Constantly plugged into laptops, mobile phones and computer networks, people now commonly work from home, cutting out the commute and logging into office IT systems from their spare bedrooms or living rooms. Even when mobiles or computers are off, voicemails and e-mails wait in message boxes.
More than half of all households in the United Kingdom now have access to the internet at home, up from 2.2 million six years ago. Nearly 60 per cent of adults surveyed this summer had used the internet either at work or at home in the previous three months, mostly for sending e-mails and buying goods and services online.
Over the next 10 weeks, Times Online will look at how communications technology and online connectivity are changing and shaping the way we live and work.
Growing numbers of people work from home using desktops and laptops linked up to fast broadband connections, which make downloading even complex documents with graphics quick and easy.
But new hardware and software has to work with existing equipment. Paul Magree, communications manager at Cable & Wireless, says: "You need to get the infrastructure right. It's more than just data. Technology needs to be an enabler."
The spread of broadband has made it much easier for employees working away from the office to work efficiently and for employers to keep track of what they are doing, says Mr Magree. An estimated 50,000 new subscribers are signing up for broadband every week. New figures from the Telecom Markets Broadband Subscriber Database show that there are now five million broadband subscribers in the UK.
In cities like London, Birmingham and Leeds, developers are responding to demand from buyers working from home some or all of the time for new apartments to be equipped with the latest wiring for broadband, sound systems and satellite connections. These are no longer just "boys' toys" – there is just as much demand for high tech homes from sophisticated women buyers.
Meanwhile employers are turning to smaller cities like Southampton, Aberdeen and Cardiff. According to research by Cable & Wireless, these cities have a winning combination of high levels of broadband access, good transport links and an educated workforce. Telecommunications companies have a key role to play in Government-backed efforts to entice businesses out of the overcrowded south-east.
Since the Disability Discrimination Act came into force on October 1, employers have had to make workplaces accessible for disabled workers, not only physically but technologically. E-mails which can be stored and heard as sound files for blind workers and voice mails which can be read as e-mails for deaf and hard of hearing employees are among the innovations being tested.
In the public sector, long criticised for bureaucracy and inefficiency, communications companies are developing new systems. In one case, police forces across the country are linking up through Cable & Wireless's Criminal Justice Extranet system, which allows e-mail and information sharing and access to the National Police Computer.
But computer hackers, online criminals and viruses are flourishing as more people get online. Companies selling goods and services online can be brought down by hackers accessing their databases and systems. Public confidence in buying and selling online can be destroyed by evidence of security lapses in holding data.
Businesses should be doing more to protect themselves from cybercrime and should see such risk management as a positive corporate selling point rather than a chore.
Those who see e-mails and text messaging as a great marketing tool should also think twice before firing off a stream of untargeted product announcements into the ether. Surveys show that people are irritated rather than interested when they receive unsolicited mailings. Even those who have signed up to be sent news or offers are turned off and companies which make no effort to tailor e-mails and texts risk alienating their customers permanently.
March 16, 2005 at 09:21 PM in Web lifestyle
Getting the message across - directly - Connected Business - Times Online
By Sara McConnell, Times Online
How do you reach the largest number of people in the shortest possible time with your latest new offer or promotion? Easy. Send them a text or an e-mail.
Direct marketing via text message or e-mail already accounts for an estimated 13 per cent of the direct mail market, and is growing rapidly, as anyone’s e-mail inbox will show.
Robert Dirskovski, the head of interactive media at the Direct Marketing Association, says that electronic marketing is set to get more sophisticated with the spread of the new 3G generation of mobile phones which can handle graphics and larger chunks of text.
At least one company is also experimenting with using wireless technology to download details of promotions to the mobiles of passers-by. These e-messages will be generated from microchips contained in special sashes worn by marketing teams in high streets around the country.
Hypertag, the Cambridge-based company behind this idea, has already introduced advertising billboards equipped with microchips which can download information on to the mobiles of passers-by.
The advantages for companies of using electronic marketing are obvious. They can fire off messages at any time, reaching potential customers instantly without having to rely on the post. They can see how many people have opened messages or followed links to specific web pages.
But companies which bombard customers with e-mail and text messages risk turning away the very people they are trying to attract. The latest figures from the Advertising Standards Authority show a big rise in numbers of complaints. In 2003, there were 455 complaints about e-mail marketing and 393 complaints about texts; in 2002, the figures were 17 and 65 respectively. Many of the complaints concerned firms which sent unsolicited messages telling consumers they had won a prize and giving them a premium phone number to call.
Research carried out last year by consultancy Teleconomy revealed that unsolicited text messages are twice as likely to irritate people as a phone call, particularly if they receive the text after working hours.
One London man told researchers: “I’m inundated by text messages from my mobile phone operator. It’s rubbish. I just delete them.” Another consumer in Yorkshire said: “I kept getting the same message twice a day, three times running. It was really annoying.”
Paul Hudson, the head of research at Teleconomy says: “Some companies have no understanding of the context in which a customer is receiving a message. They see the world in terms of cost calculations and formulae, processes and products. Companies need to think more deeply about the channels they are using. They have to understand more about customers’ lifestyles.”
Teleconomy found that e-marketing worked best when it came from online brands like Amazon or Lastminute.com, which have built up sophisticated databases of customers’ buying habits and can target messages efficiently and intelligently.
The direct marketing industry argues that reputable companies abide by rules requiring them to text or e-mail only those people who have asked to be contacted.
Under EU rules introduced in December 2003, members of the public now have to “opt in” to receive most types of e-mail or text marketing, usually by ticking a box when they register or buy goods online. They can then opt out at any time by unsubscribing.
Consumers approached in the street by marketing teams using Hypertag’s wireless technology will always have to consent to receiving information on their mobiles. Rachal Harker, Hypertag’s sales and marketing director, says: “You have got to decide you want to interact.”
Mr Dirskovski says: “You shouldn’t find yourself receiving unsolicited e-mail or text messages.” But many people are glad to receive email or text alerts, he adds. Customers who complain that they are receiving unsolicited e-marketing messages have sometimes forgotten they have given a company their details.
March 16, 2005 at 09:19 PM in Online Marketing
Online security: can you bank on it? - Connected Business - Times Online
Phishing and other financial scams carried out online can often deter customers from using financial websites. As Sara McConnell reports, providing proper security is a must for modern business
You are choosing between two online banking services. Both have similar rates, accounts and services, and both are major players on the high street.
But one has recently made the headlines because its online security has been breached and hackers have gained access to millions of customer account details. Its refusal to talk to the press or discuss the steps it will take to stop similar problems occurring in future (on the grounds of security, of course) has kept the story going longer. By contrast, its rival is happy to discuss its commitment to online security and keeping your personal and financial information safe.
Which of these two (fictional) banks would you choose, asks Richard Starnes, the director of incident response for managed security at Cable & Wireless. "If I was an internet bank, I would be happily promoting my bank as a secure place to do business."
With growing numbers of individuals and companies buying, selling, trading and banking online, a reputation for good security and tight risk management is becoming an increasingly important selling point. Customers who would have been reluctant to provide credit or debit card details to internet sites a few years ago now do so readily, but only if they trust the site to hold the information securely, with back-up systems in place so that the business can continue even if it is a victim of hi-tech crime.
Companies are starting to recognise that their brand and reputation can be severely damaged by online crimes such as hacking and data theft, especially when these become public knowledge. "If I was CEO of a bank and my website was hacked into and £500,000 stolen, that’s nothing to a financial institution. What is damaged is the brand," says Mr Starnes.
In a survey carried out last year by the National Hi-Tech Crime Unit, nearly 20 per cent of firms questioned said the impact on share price and reputation of computer crime was their greatest concern, with finance and IT firms most likely to put this top of the list.
Of the UK’s 42 million bank customers, 15 million now manage their accounts online. Banks are acutely aware of how quickly they can lose customers and damage their reputations if they do not act quickly when there is a problem. Sandra Quinn, of the Association for Payment Clearing Services (APACS), which speaks for the banking industry on fraud and risk management, says: "Customers don’t mind banks closing down a service temporarily but they’re worried about no one taking any action. Yes, there are threats, but yes, your money is safe. Banks need to keep this at the forefront of customers’ minds."
Tracy Goodyer, of Barclays, which has 4.2 million online customers, says: "We’re constantly reviewing our security. Risk is a game we’re into and we take security very seriously. Banking is part of people’s everyday lives and from a reputational point of view security breaches would be very serious."
But many companies still see security as a cost and a regulatory necessity rather than as good business, says Mr Starnes. Too few companies have IT security experts in senior positions and a formal written security policy. The National Hi-Tech Crime Unit discovered that nearly half of the 201 companies questioned have no formal procedures in place to deal with computer crime, and nearly a quarter did not carry out audits to check that security processes and spending were working properly.
"Companies are taking security more seriously but they haven’t really understood the business benefits. I don’t think they believe that having a good corporate asset protection programme is differentiation between one company and another for customers," says Mr Starnes.
March 16, 2005 at 09:18 PM in Phishing & identity theft
Tomorrow night Natasha Bedingfield will perform not only to 300 at the ICA but also to thousands by phone
By Ian Burrell
14 March 2005
When Natasha Bedingfield takes to the stage at the Institute of Contemporary Arts in London tomorrow night, it will not just be the 300-odd fans in the venue with their eyes on her.
The gig isn't being televised and nor is it being broadcast on radio, but some 2,200 viewers and listeners will be taking in the show by holding up their mobile phones.
Bedingfield is well used to having her fans holding their phones up to take pictures of her from the audience - but these ones will be as far away as Scotland and Wales, having paid £5 for a live feed of the gig.
This is the start of a form of broadcasting that could revolutionise the music industry, offering in effect gigs on demand, provided you have a phone with the means to pick up a signal.
Bedingfield, who has been selected by phone company 3 Mobile to pioneer the technology, seems suitably impressed. "Record companies should really keep their eyes on this because it could become much bigger," she says.
The singer, who has just come back from a tour of major venues, is excited by the prospect of playing a small auditorium such as the ICA and yet performing to a comparatively large audience. "Intimate gigs are special - there's nothing like them," she says.
It might not be everybody's idea of fun to pay for the privilege of watching an entire concert on a tiny screen, but 3 Mobile claims that the quality of sound and vision is exceptionally high.
Graeme Oxby, director of marketing at 3, says the gig will be filmed by a company with a proven track record in music television. "We have a number of cameras with different angles, as you would for any decent gig," he says.
The audience are all 3 Mobile customers who were told of the chance to view the gig through a daily video messaging service, "Today on 3". The first 2,200 to take up the offer will have £5 added to their regular phone bills. People from Manchester, Glasgow and Bristol are among those paying for the gig to be streamed to their phones.
Oxby says the audience is supposed to listen to the gig through their headphones (or "headset") but that use of speakerphone would allow more than one person in the room to hear the show (if not to see it).
"There is a lot of interest among artist management because there is a lot of potential here," he says. "Some of the more inventive record labels will start to push this whole thing."
Bedingfield was chosen to take part in the experiment because she is the most popular British artist among 3 Mobile customers for video downloads.
But whether your preference is for the mosh pit at the Roxy or a box at the Royal Albert Hall, you will have to wait a while before getting concerts on demand. Oxby admits that the potential for expanding the service to gigs nationwide is severely hampered by the lack of technology at most venues.
Very few can match the ICA when it comes to editing and video mixing desks and suitable connections to the phone networks. For the time being at least, most gig-goers will have to content themselves with getting off their backsides and actually going to the show.
March 16, 2005 at 08:22 AM in Web lifestyle
The day when two-factor authentication is mandatory for online banking access is drawing near.
In the US, the Federal Deposit Insurance Corporation (FDIC) is currently formulating guidance that will encourage US banks to abandon single password-based ID systems in favour of two-factor authentication following a sharp rise in 'account hijacking' ID theft. And in Australia, the national banking association is drawing up an agreed set of standards that would require all banks to use two methods of identifying Internet customers.
The Australian Bankers Association (ABA) and the FDIC are merely the first industry bodies to acknowledge that the current password-based system of online authentication is comprehensively broken.
Even discounting the threat from organized crime rings, password overload long ago rendered the current system unworkable. How many of us have dormant online accounts because we can no longer remember the codes we were given at the first time of sign-up?
All banks need to face up to the problem and begin exploring costings and techniques for upgrading security to encompass two-factor authentication. Interim measures based around the use of virtual keyboards to protect from keyloggers, or ever-more convoluted online Q&A sessions, will prove ineffective long-term as customers eventually tire of jumping through hoops to get online.
Private polling research by the ABA indicates that consumers are not yet ready to use biometric devices for authentication purposes because of privacy concerns.
Alternatives include SMS messaging, token-based random number generators, or personal smart card reader systems.
Although superficially appealing from a cost perspective, mobile messaging systems are likely to prove burdensome to administer as the phones themselves are prone to theft, loss and high customer churn.
Token-based systems, such as those available from RSA, Vasco and ActivCard, are proven in the field, but they are also bolt-on solutions with limited applicability beyond online banking.
In Finextra's opinion, pocket-sized EMV-compliant smart card readers incorporating a challenge/response capability offer the most promising long-term answer to online authentication problems. Not only do the readers leverage the considerable investment by the banking industry in chip card migration, but they can also be extended in scope to cover other forms of card not present fraud.
Recent statistics from Apacs show that the UK banking industry lost £12 million to online banking fraud in 2004. This sum was dwarfed by the £504.8 million losses attributable to card fraud. Of this, card-not-present fraud (CNP) was up 24% to £150.8m in 2004 and continues to be the biggest category of fraud.
With consumer trust in bank security crumbling, the industry would be advised to co-operate on the development of standards for online banking access. To encourage fast adoption, Finextra believes that banks should swallow the cost of token/reader development and deployment to customers.
The payback will be material, in encouraging more transactions and enquiries through low-cost automated channels, and in reinvigorating the trusted relationship between consumer and financial services provider.
March 16, 2005 at 07:51 AM in Security
Finextra: Barclays advances plans for online card authentication
Barclaycard is in talks with leading UK retailers about plans to roll out pocket-sized card authentication devices for customers to use when shopping online.
The UK bank has been testing the Vasco-based chip card readers with 5000 customers and staff over the past six months. Users of the system are prompted to insert their card into the reader and enter their four-digit PIN code when shopping online. The reader and the card then generate a unique dynamic password for entry on the Web form.
Barclays is initially planning to use the system to cut down on card not present fraud, the fastest growing category of card fraud, which cost UK banks £150.8 million in 2004. But the system also has the potential to eradicate phishing fraud by introducing two-factor authentication at the bank Web site when consumers log on to their accounts.
According to a report in the Times, Barclaycard has initiated discussions with leading retailers about introducing the system nationally. Other debit and credit card providers are expected to follow suit, although this would require a complex logistical operation masterminded by payments body Apacs.
Barclaycard suggested that the security devices would be given to its customers free. "We would not want to make it difficult for our customers to participate in the scheme," a spokesman told the Times.
The Barclaycard scheme is in line with proposals mooted by Finextra in a recent news analysis article: Web of deceit
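The card-and-reader flow described in the two Finextra pieces above (insert card, enter PIN, reader and card produce a one-time dynamic password that the site verifies) can be sketched as follows. This is an added illustration, not Barclaycard's, Vasco's or the EMV specification's actual algorithm: the per-card secret, the HMAC-based response and the 8-digit truncation are assumptions chosen to show the one-shot challenge, expiry, replay rejection and PIN/code lockout logic the bank side needs.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo material (not real card data): the per-card secret that the
# issuing bank shares with the chip, and the cardholder's PIN.
CARD_ID = "demo-card-0001"
CARD_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
PIN = "1234"
CODE_DIGITS = 8


def expected_code(secret: bytes, challenge: str) -> str:
    """Dynamic password = HMAC-SHA256(card secret, challenge), truncated to
    CODE_DIGITS decimal digits so it can be typed into a web form.
    Assumed construction: real EMV-based readers derive the code from the
    card's own cryptogram, not from this HMAC."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


class Card:
    """Simulated chip in a pocket reader: checks the PIN offline, blocks itself
    after too many wrong PINs, and otherwise signs the challenge."""
    def __init__(self, secret: bytes, pin: str, max_tries: int = 3):
        self._secret, self._pin, self._max = secret, pin, max_tries
        self.tries_left = max_tries

    def respond(self, pin: str, challenge: str):
        if self.tries_left == 0:
            raise PermissionError("card blocked: too many wrong PINs")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1
            return None                      # reader displays "wrong PIN"
        self.tries_left = self._max           # a correct PIN resets the counter
        return expected_code(self._secret, challenge)


class AuthServer:
    """Bank side: issues one-shot challenges and verifies the typed-in codes."""
    def __init__(self, cards: dict, ttl: int = 120, max_failures: int = 5):
        self.cards, self.ttl, self.max_failures = cards, ttl, max_failures
        self.issued = {}      # challenge -> (card id, expiry time)
        self.failures = {}    # card id -> consecutive wrong codes

    def issue_challenge(self, card_id: str, now=None) -> str:
        now = time.time() if now is None else now
        challenge = f"{secrets.randbelow(10**CODE_DIGITS):0{CODE_DIGITS}d}"
        self.issued[challenge] = (card_id, now + self.ttl)
        return challenge

    def verify(self, card_id: str, challenge: str, code, now=None) -> bool:
        now = time.time() if now is None else now
        # pop(): a challenge is accepted at most once, so a captured
        # (challenge, code) pair is useless if presented a second time.
        entry = self.issued.pop(challenge, None)
        if entry is None or entry[0] != card_id or now > entry[1]:
            return False
        if self.failures.get(card_id, 0) >= self.max_failures:
            return False                     # locked out on the server side
        expected = expected_code(self.cards[card_id], challenge)
        ok = hmac.compare_digest(expected, code or "")
        self.failures[card_id] = 0 if ok else self.failures.get(card_id, 0) + 1
        return ok


def demo_login() -> bool:
    """Full exchange: the site shows a challenge, the customer inserts the card
    and enters the PIN, the reader shows a code, the customer types it into the
    form, the site verifies it. Returns True if the first attempt is accepted
    and the replayed pair is rejected."""
    server = AuthServer({CARD_ID: CARD_SECRET})
    card = Card(CARD_SECRET, PIN)
    challenge = server.issue_challenge(CARD_ID)
    code = card.respond(PIN, challenge)
    first = server.verify(CARD_ID, challenge, code)
    replay = server.verify(CARD_ID, challenge, code)   # same pair again
    return first and not replay


if __name__ == "__main__":
    print("login accepted, replay rejected:", demo_login())
```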
March 16, 2005 at 07:51 AM in Financial Services
Mar 10th 2005
From The Economist print edition
Computing: Collaborative filtering software is changing the way people choose music, books and other things, by helping them find things they like, but did not know about
EACH year, thousands of films are released and tens of thousands of books published. A big city has thousands of restaurants. How does one deal with such abundance? Reading reviews of films, books and restaurants can provide a guide, but there are more reviews than one has the time to read, and you cannot be sure that the reviewer's taste matches your own. Word-of-mouth recommendations can help in that regard; friends, after all, are often friends because they share similar tastes.
For many people, technology now plays an increasing role in making such choices and navigating through large numbers of alternatives. But while this might sound like a job for an internet search engine, keyword-based search engines (such as Google) have a fundamental constraint: they can only help you find something if you already have an idea of what it is. Two people's idea of “good music” may differ substantially, but Google would return the same results to both of them. To find things you might like, but are not already familiar with, requires a different technology, known as “collaborative filtering”.
This increasingly pervasive technology looks for patterns in people's likes and dislikes, and uses those patterns to help people find things they did not know they were looking for. Computer scientists term this task, in a welcome respite from jargon, “find good things”. Collaborative filtering also has the power to do the converse, “keep bad things away”, for instance by filtering unsolicited commercial e-mail messages, or spam. Systems that use collaborative filters to keep spam away already exist, though there are many other ways to do the same thing. Finding unknown good things, however, can at present only be done using collaborative filtering.
The idea has been around for over 15 years. Early prototypes at Xerox PARC, a corporate research facility in Palo Alto, California, date back to the early 1990s. But the delay between the genesis of the idea and its widespread implementation turned out to be quite long, for two reasons. First, a successful collaborative-filtering system is computationally demanding and becomes rapidly more so as the number of users increases. A prototype system might have a few thousand users, which is manageable, but a real-world system will have millions—and the difference in scale introduces new challenges, which have been only recently overcome.
The second reason is that for collaborative filtering to reach its potential, it has to be seamless. Early incarnations of the technology required users to state their tastes explicitly, by going to special websites and filling in on-screen forms, before being presented with recommendations. But a system that is integrated into an online store, and recommends one product to you as you are buying another, is far superior because it requires no intervention by the user. The business challenge of collaborative filtering lies as much in creating a seamless interface as it does in generating the right suggestions—so the technology has had to await the widespread adoption of internet shopping, to which it makes a natural adjunct.
Now that both of these conditions have been met, however, collaborative filtering has started to pop up all over the place. Anyone who shops online is used to having books and music recommended to them as they browse and buy; the technology is also used on DVD-rental sites to recommend films. Having changed the way many people choose books, music and films, collaborative filtering is moving into new areas. It can help people to choose which programmes to watch on television, which restaurants to go to, even where to go on holiday. But how does it work? And should users be worried about collaborative filtering's impact on privacy, or the possibility that recommendation systems can be rigged?
Tell me what I want
Collaborative filtering starts off by collecting data on individuals' preferences. This can be an explicit process, by which a user ranks a book (or CD, or restaurant) on a numerical scale, typically on a scale of one to five. It can also be an implicit process—a purchase, for instance, is a clear indication that an individual is interested in the item in question. But implicit measures can also be more subtle; for instance, the amount of time spent viewing a web page, or even just the “clickstream”—the sequence of links clicked on by a person browsing on the web. These different methods can then either be aggregated into a single score, or stored separately to allow more detailed analysis. And sometimes, consumers will be asked to score the same item in different ways—for instance, what one thought of the food at a restaurant, and what one thought of the service.
The result is a mountain of data, the size of which is the main challenge when it comes to searching it for patterns. But things are helped slightly by the “sparseness” of the data. The vast majority of items do not have a ranking, implicit or explicit, from any given user. Even the busiest users have rarely ranked more than 1% of the items. Amazon, for instance, sells over 2m books through its online store. The sparseness of the data is a saving grace, because it allows various mathematical techniques to be brought into play which vastly speed up the process of generating recommendations.
There are two basic ways of doing this. The first idea was proposed in 1992 by Dave Goldberg and his colleagues at Xerox PARC, who also coined the term “collaborative filtering”. Their approach was to recommend items to a user based directly on that user's similarity to other users. If I liked a book and you liked the same book, then I am likely to like things you like. However, this so-called “user-user” collaborative filtering turns out to have very poor performance when scaled up to millions of users. The problem is that the relationships between users must be constantly recalculated, which is too computationally costly.
This is why Badrul Sarwar and his colleagues at the University of Minnesota, in Minneapolis, pioneered so-called “item-item” collaborative filtering systems in 2001. (Other groups, including Amazon, had similar ideas around the same time.) Item-based filtering works by periodically taking a snapshot of everybody's item rankings. It then computes the similarities between items as follows. For a given item, such as a book, it finds all the other items that were also ranked by people who ranked the original book. The filtering software then looks for other items that were given a similar rank to the original item by many people (see diagram).

The details of what it means to be “similar” vary from system to system. Indeed, one key aspect of getting a system to make good recommendations is having an appropriate mathematical definition of similarity. The simplest approach, which is to measure the average difference in rankings, works fairly well. And there are various tricks that can be used to increase performance, such as introducing a bias against very popular items: there is little value in recommending a bestseller such as “The Da Vinci Code” to people, because they have probably heard of it already.
The benefit of item-item filtering is that this elaborate similarity calculation need only be done infrequently. Then, when a user ranks a new item—by purchasing it, ranking it, visiting its web page, or whatever—the system can simply call up a pre-calculated list of items that are also likely to appeal to that user. This is what allows Amazon to handle over 30m customers and give instant recommendations, even as the list of items that have been ranked by a customer changes, since merely calling up the web page for a particular book counts as a ranking. All the calculations are done by Amazon's powerful server, which creates a list of recommended items and seamlessly stitches that list into the next page sent to the user's web browser, neatly excluding items they have already purchased.
The TiVo personal video recorder, on the other hand, which can recommend programs based on your (and other users') previous viewing habits, works in a different way: the recommendations are generated by each TiVo box, not by a central server. The server generates a matrix that relates the popularity of different shows to each other, akin to the pre-calculated item lists used by Amazon to generate recommendations. But the task of making recommendations is then left to the individual TiVo boxes, which use that matrix, combined with the data they have stored locally about the viewer's preferences, to suggest shows that might be of interest. As well as unloading much of the work on to the individual boxes, this has the added virtue of preserving privacy: the central server never stores data about individual users, just aggregated data about viewing trends.
“A search-engine user hunts alone; the user of a collaborative-filtering system is part of a crowd.”
That is just one way to address what is, for privacy advocates, a major concern about collaborative filtering: that to make recommendations, it is necessary to gather information about many people in a central repository. But there are other ways too. Indeed, a scheme proposed by John Canny, of the University of California at Berkeley, shows that it is, in fact, possible for a group of individuals to pool their opinions and generate recommendations without revealing their own personal preferences to others.
Each individual encrypts their data using what is called a one-way hash—a function that is very easy to compute in one direction, but virtually impossible in the other (without a key, at least). The computations are then performed using the encrypted data. This is possible because many modern encryption schemes have the helpful property that performing calculations on encrypted data produces the same answer as manipulating the unencrypted data and then encrypting the result. The resulting matrix of recommendations is then decrypted incrementally, since each user can only decrypt a small part of it. Eventually, the whole matrix is decrypted and made available to everyone. But, says Dr Canny, “at no stage does unencrypted information about a user's preferences leave their own machine.”
This sort of scheme has the advantage, he says, that users can store personal information themselves, without having to surrender it to a central authority (such as an online retailer), while still benefiting from the power of collaborative filtering. At the moment, users' personal information is sprinkled around on several different sites. Dr Canny worries that this favours retail monopolies, since they will have the most data from which to generate recommendations. His scheme demonstrates that personal data could, instead, be aggregated by users themselves. Your taste in books can then be used to generate recommendations, by aggregating your purchasing histories from several online bookstores.
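The property the article relies on, that a calculation on encrypted values yields the encryption of the same calculation on the plaintexts, is what lets preferences be totalled without being seen. The following added example is not Dr Canny's construction (his uses a different cipher and shares the decryption key among the users); it uses the Paillier cryptosystem, whose ciphertexts multiply to give the encrypted sum, with toy-sized keys and constructed rating vectors, so that an aggregator can compute per-item average ratings while each individual rating it handles stays encrypted.

```python
import secrets
from math import gcd


def is_probable_prime(n: int, rounds: int = 25) -> bool:
    """Miller-Rabin primality test (sufficient for a demo key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


class PaillierKey:
    """Paillier keypair. Enc(a) * Enc(b) mod n^2 decrypts to a + b, which is
    the additive homomorphism the aggregation below depends on.
    Toy key sizes: 128-bit n is far too small for real use."""
    def __init__(self, bits: int = 128):
        while True:
            p, q = random_prime(bits // 2), random_prime(bits // 2)
            if p != q and gcd(p * q, (p - 1) * (q - 1)) == 1:
                break
        self.n = p * q
        self.n2 = self.n * self.n
        self.g = self.n + 1
        self.lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
        # With g = n + 1, L(g^lam mod n^2) = lam mod n, so mu = lam^-1 mod n.
        self.mu = pow(self.lam, -1, self.n)

    def encrypt(self, m: int) -> int:
        while True:
            r = secrets.randbelow(self.n)          # fresh randomness per value
            if r > 0 and gcd(r, self.n) == 1:
                break
        return pow(self.g, m, self.n2) * pow(r, self.n, self.n2) % self.n2

    def decrypt(self, c: int) -> int:
        return (pow(c, self.lam, self.n2) - 1) // self.n * self.mu % self.n

    def add(self, c1: int, c2: int) -> int:
        """Homomorphic addition: product of ciphertexts = encryption of sum."""
        return c1 * c2 % self.n2


# Constructed rating vectors, one per user, over five items; 0 = not rated.
RATINGS = {
    "alice": [5, 0, 3, 0, 1],
    "bob":   [4, 2, 0, 0, 0],
    "carol": [0, 3, 4, 5, 0],
}


def encrypt_profile(key: PaillierKey, ratings):
    """Runs on the user's own machine: only ciphertexts leave it, one for the
    rating and one for the 'did I rate this' indicator used to count raters."""
    return ([key.encrypt(r) for r in ratings],
            [key.encrypt(1 if r else 0) for r in ratings])


def aggregate(key: PaillierKey, profiles):
    """Aggregator: multiplies ciphertexts item by item and never decrypts.
    The starting value 1 is a valid encryption of 0 (g^0 * 1^n)."""
    n_items = len(profiles[0][0])
    sums, counts = [1] * n_items, [1] * n_items
    for enc_ratings, enc_flags in profiles:
        for i in range(n_items):
            sums[i] = key.add(sums[i], enc_ratings[i])
            counts[i] = key.add(counts[i], enc_flags[i])
    return sums, counts


def private_average(key: PaillierKey, ratings) -> list:
    """Per-item mean rating computed from encrypted inputs only."""
    sums, counts = aggregate(key, [encrypt_profile(key, v) for v in ratings.values()])
    averages = []
    for s, c in zip(sums, counts):
        total, n = key.decrypt(s), key.decrypt(c)
        averages.append(total / n if n else None)
    return averages


def plain_average(ratings) -> list:
    """Same statistic computed directly on the plaintexts, for comparison."""
    n_items = len(next(iter(ratings.values())))
    averages = []
    for i in range(n_items):
        scores = [v[i] for v in ratings.values() if v[i]]
        averages.append(sum(scores) / len(scores) if scores else None)
    return averages
```

In Dr Canny's design no single party holds the decryption key as `PaillierKey` does here; that key-sharing step is the part this example leaves out.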
Fiddling the filters
A second concern about collaborative filtering is that as it grows in importance, people may increasingly try to manipulate it: publishers, for example, might start recommending their own books. Last November, Michael O'Mahony of University College, Dublin, published a paper demonstrating that even today's most advanced collaborative filtering systems are not all that robust when subjected to malicious users seeking to subvert their ranking systems. None of the existing systems is explicitly designed to combat malicious use. Can such “recommendation spam” be prevented?
Nolan Miller, of Harvard University's Kennedy School of Government, and his colleagues believe that it can, and have outlined a way to do it. Their scheme uses probabilistic techniques to determine whether a score is likely to be “honest”, by spotting unusual-looking patterns in scoring. Dozens of accounts created on the same day, all of which give high scores both to a bestseller and a new book, for example, might be an orchestrated attempt by a publisher to get fans of the former to buy the latter. Honest users are rewarded, and dishonest ones punished, through a points-based system akin to a loyalty scheme, so that honest users might earn discounts or store credit.
The scores used to compute recommendations are the ones corrected for honesty, not the original, potentially malicious scores. Dr Miller's system is not yet ready for commercial application; it makes assumptions about the statistical distribution of people's recommendations that may not correspond to their real-world behaviour, for example. But it points out a line of research that could preserve the integrity of collaborative-filtering systems under attack. If the rise of spam e-mail is any guide, it makes sense to think about such problems now, before they become widespread.
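The item-item similarity step described earlier and the coordinated-account pattern described in the last two paragraphs, as one added example that is not part of the article and not any named researcher's system: the accounts are constructed, similarity is the "average difference in rankings" measure the article mentions, and the detector simply looks for clusters of accounts created on the same day with identical rating profiles, whose scores are then excluded before recommendations are computed.

```python
from collections import defaultdict

# Constructed accounts: creation date plus ratings on a 1-5 scale.
ACCOUNTS = {
    "u1": {"created": "2005-01-10", "ratings": {"bestseller": 5, "A": 4, "B": 2}},
    "u2": {"created": "2005-01-15", "ratings": {"bestseller": 4, "A": 5, "C": 3}},
    "u3": {"created": "2005-02-02", "ratings": {"bestseller": 5, "B": 4, "C": 5}},
    "u4": {"created": "2005-02-20", "ratings": {"A": 4, "B": 3, "target": 2}},
    "u5": {"created": "2005-02-21", "ratings": {"bestseller": 3, "C": 4, "target": 1}},
    # An honest account that happens to share the shills' creation day.
    "u6": {"created": "2005-03-01", "ratings": {"bestseller": 4, "A": 3}},
}
# Six accounts created on one day, all giving top marks to the bestseller
# and to the new "target" book, and rating nothing else.
ACCOUNTS.update({
    f"shill{k}": {"created": "2005-03-01", "ratings": {"bestseller": 5, "target": 5}}
    for k in range(1, 7)
})


def ratings_of(accounts: dict, exclude=frozenset()) -> dict:
    """user -> {item: score}, leaving out any excluded accounts."""
    return {u: a["ratings"] for u, a in accounts.items() if u not in exclude}


def item_similarity(ratings: dict, i: str, j: str) -> float:
    """Similarity from the average absolute difference in scores given by
    users who rated both items: identical scores give 1.0, no co-raters 0.0."""
    diffs = [abs(r[i] - r[j]) for r in ratings.values() if i in r and j in r]
    if not diffs:
        return 0.0
    return 1.0 / (1.0 + sum(diffs) / len(diffs))


def neighbours(ratings: dict, item: str) -> list:
    """Pre-computable list of (other item, similarity), best first."""
    items = {k for r in ratings.values() for k in r} - {item}
    scored = [(k, item_similarity(ratings, item, k)) for k in items]
    return sorted(((k, s) for k, s in scored if s > 0), key=lambda t: (-t[1], t[0]))


def flag_coordinated(accounts: dict, min_cluster: int = 4) -> set:
    """Accounts created on the same day whose rating profiles are identical.
    Genuine users rarely agree item for item, so a large such cluster is
    treated as one orchestrated actor. Single accounts are never flagged."""
    clusters = defaultdict(set)
    for user, acct in accounts.items():
        signature = (acct["created"], frozenset(acct["ratings"].items()))
        clusters[signature].add(user)
    flagged = set()
    for members in clusters.values():
        if len(members) >= min_cluster:
            flagged |= members
    return flagged


def recommend_for(accounts: dict, item: str, filter_shills: bool = True) -> str:
    """Top neighbour of `item`, computed from corrected scores if requested."""
    excluded = flag_coordinated(accounts) if filter_shills else frozenset()
    return neighbours(ratings_of(accounts, excluded), item)[0][0]


if __name__ == "__main__":
    print("flagged:", sorted(flag_coordinated(ACCOUNTS)))
    print("unfiltered recommendation:", recommend_for(ACCOUNTS, "bestseller", False))
    print("filtered recommendation:  ", recommend_for(ACCOUNTS, "bestseller"))
```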
But even if the problems of privacy and dishonesty can be overcome, there may be a limit to how accurate the recommendations made by collaborative-filtering systems can be. This arises from the fact that people's opinions change. You may enjoy a new album at first, and give it a good score, but change your mind after a few weeks once the novelty has worn off. But your old score still stands.
A recent study by Jonathan Herlocker of Oregon State University and his colleagues evaluated several film-recommendation systems based on collaborative filtering. Using a five-point scale, it compared the scores users would be expected to give particular films, based on their known preferences, with the scores they actually gave. The predicted and actual scores differed by at least 0.73 points. Dr Herlocker speculates that this might be evidence for a fundamental limit to the accuracy of recommendation systems based on collaborative filtering. There is no point in making suggestions any more finely tuned than the variations in an individual's own opinions. Dr Herlocker may well be correct, or the technology may just have further to go.
But the value of collaborative filtering has, in any case, already been established. It helps people find things they might otherwise miss, and helps online retailers increase sales through cross-selling. Where the user of a search engine is on a solitary quest, the user of a collaborative-filtering system is part of a crowd. Search, and you search alone; ramble from one recommendation to another, and you may feel a curious kinship with the like-minded individuals whose opinions influence your own—and who are, in turn, influenced by your opinions.
March 15, 2005 at 09:35 PM in eCommerce
Mar 10th 2005
From The Economist print edition
Ray Kurzweil is an accomplished inventor, but he is best known for his wild prognostications about the future. Is he as crazy as he sounds?
BLAME it on Tom Swift. For it was Swift, the fictional teenage genius who repeatedly saved the world with his scientific savvy, who inspired Ray Kurzweil to become the inventor, engineer and prognosticator he is today. “I started reading those books when I was about nine years old, and couldn't put them down,” he says. It wasn't just the solartrons, diving seacopters and triphibian atomicars that mesmerised him; it was the way the irrepressible Swift applied his mind, and the technology it conceived, to solve human, often personal, problems. “I was smitten by the power of ideas to change the world,” says Mr Kurzweil.
It is as good a way as any to explain how a shy boy growing up in a financially pinched household in Queens, New York, managed to transform himself into a restless thinker who has since founded nine businesses, written five books (with a sixth on the way), won the American National Medal of Technology and the Lemelson-MIT prize for invention and innovation, and who relentlessly preaches the gospel of accelerating technological advance that will soon strain our ability to comprehend what lies ahead.
Like his boyhood hero, Mr Kurzweil cannot seem to keep his fingers out of the future. He keeps venturing on to the bleeding edge—his critics say the lunatic fringe—of science to imagine futures where computers are as intelligent as we are, millions live in virtual reality and immortality is not only possible, but likely. It will all unfold, he says, over the next 25 years as overlapping technological revolutions in genetics, nanotechnology and robotics render the world radically different from the place it is today.
The futuristic landscapes that Mr Kurzweil paints have often been derided as outlandish. Nevertheless, he says he stands by his record. In his first book, “The Age of Intelligent Machines”, published in 1990, he predicted that in just a few years a global computer network would emerge. In late 1993, the web hit the mainstream and never looked back. He also predicted that a computer would defeat a chess champion by 1999: sure enough, IBM's Deep Blue defeated Garry Kasparov in 1997. “Well,” shrugs Mr Kurzweil, “I was off by a couple of years.”
Making predictions, particularly about the future, is a dangerous business, of course: long-awaited technologies such as flying cars, space hotels and videophones have yet to materialise (or, in the case of videophones, they have arrived, but nobody wants to use them). But Mr Kurzweil insists he is not trying to oversell the future. He works with a team of ten people, researching big technological trends, examining them closely, and then methodically plotting where they will lead. “I'm an engineer,” he says. “I like to measure things.” And if those measurements lead somewhere improbable, so be it. He is just passing the news along. He is not outlandish; the future is.
His predictions may sound wide-eyed, but Mr Kurzweil himself is not. As he sips a cup of green tea, his calmness makes it easy to imagine the shy, solitary boy who grew up reading books and tinkering with electronic circuits. And while he relishes wandering into controversial areas where he can play the role of agent provocateur, he maintains he has arrived at his conclusions scientifically. Being an inveterate measurer, he says he has looked back not decades, but eons, and has found that the organisation of information has been accelerating at an exponential pace for millions of years.
We are just beginning to see the results of this effect now, he argues, because we have reached the “knee of the curve”, where a slowly rising trend line suddenly rockets upward. That is why many of his predictions seem so implausible, he says: the notion that “exponential change is subtle” is what most futurists and scientists miss. Mr Kurzweil calls it the Law of Accelerating Returns, and it underpins most of his predictions.
“Ray takes ideas everyone accepts, and follows them to logical conclusions that almost no one accepts,” says Neil Gershenfeld, a professor at the Massachusetts Institute of Technology. Admittedly, at times Mr Kurzweil goes “a bit far” for specialists versed in the limitations of a particular field, “but he does it with care, and he does his homework,” says Dr Gershenfeld. “He filters out the clutter and identifies important trends with remarkable accuracy,” says Ralph Merkle, director of the Georgia Tech Information Security Centre and an expert in nanotechnology. Yet while accuracy is important, Mr Kurzweil's supporters say that his most important role lies in driving home to as many people as possible the idea that radical change lies just around the corner. “He plays at a valuable boundary between working scientists and futurists, visionaries and science-fiction kooks,” says Dr Gershenfeld. “It's useful to have such ‘points of infinity’.”
From the age of five, Mr Kurzweil says he knew he wanted to be an inventor. By the age of 12 he was building and programming computers, and as a young teenager he appeared on “I've Got a Secret”, a popular American quiz show. Mr Kurzweil walked on to the stage, played a classical piano piece for the celebrity panel and then shared his secret with the host and audience: the piece he had just played was written by a computer, and he had programmed the computer that created it. By the time he was an undergraduate at the Massachusetts Institute of Technology, studying computer science under artificial-intelligence guru Marvin Minsky and creative writing with playwright Lillian Hellman, Mr Kurzweil was finding ways to profit from his programming prowess.
“Mr Kurzweil plays at the boundary between scientists, futurists, visionaries and sci-fi kooks.”
In 1967, he hatched an idea for computer software that would help high-school students find a college that matched their interests and skills. Students filled out a form with 200 questions, and Mr Kurzweil's program compared their answers with a database of 2m facts about 3,000 colleges, all compiled by five Harvard students he had hired as researchers. After selling the resulting company in 1968, Mr Kurzweil went on to found Kurzweil Computer Products, where he developed breakthrough optical character-recognition technology that led to the world's first reading machine. Mr Kurzweil sold that company to Xerox in 1980.
Spot the pattern
Then came Kurzweil Music Systems, the result of a collaboration with Stevie Wonder, a blind musician who was the first private customer to buy one of his reading machines. Mr Wonder contacted Mr Kurzweil after he heard about the machine in news reports, and asked if there might be some way to apply the power of computer technology to music. That led to the creation of electronic keyboards able to imitate the sound of a grand piano. Mr Kurzweil sold the company in 1990 to Young Chang of South Korea, the world's largest piano-maker.
The list goes on: Kurzweil CyberArt, Kurzweil Educational Systems, Kurzweil AI, the Medical Learning Company. All are run out of an unspectacular four-storey building in the picturesque town of Wellesley, Massachusetts, the products of Mr Kurzweil's Swift-like curiosity and enthusiasm. Mr Kurzweil's most active current venture is FatKat, which uses pattern-recognition software to spot trends and automate stockmarket transactions.
As wide-ranging as these enterprises appear, one common theme unites them: a fascination with pattern recognition, which Mr Kurzweil argues is at the heart of human intelligence. Many of his inventions—from optical character-recognition software to CyberArt's paintings to FatKat's transaction engine—attempt to imbue machines with something like human intelligence, and often blur the line between art and science. Perhaps the most unorthodox example is Ramona, a computer-generated female singer who is also Mr Kurzweil's virtual alter-ego.
Not even Tom Swift could have come up with this. At the TED (technology, entertainment, design) conference in 2001, Mr Kurzweil wanted to demonstrate how virtual reality can allow people to reinvent themselves. “That is one of the benefits of virtual reality,” he says. “You don't have to be the same boring person all the time.” Motion sensors tracked his movements and linked them to Ramona, whose image was projected on a large screen as Mr Kurzweil put on a show, complete with a rock band. “As I moved, Ramona moved in exactly the same way in real time, and my voice was transformed into Ramona's voice. We got a standing ovation,” he says. A team from Warner Brothers saw the performance and, says Mr Kurzweil, used it as the inspiration for “S1m0ne”, a movie about a Hollywood director who creates a virtual actress who takes on a life of her own.
The way Mr Kurzweil sees it, Ramona is a glimpse into the future. In ten years or so, he imagines that millions of people will spend large chunks of their time interacting in virtual worlds with other people masquerading as whoever they choose—a kind of elaborate masked ball in cyberspace that will eventually evolve into a full-blooded parallel universe. (Already, millions of people play online games, which are becoming ever more elaborate.) “We will have full-immersion virtual reality by 2010,” Mr Kurzweil predicts. “The images will be written directly to your retinas from your eyeglasses or contact lenses.” By the late 2020s, he expects virtual reality will be implemented using nanobots injected directly into the brain that will bypass the input from the outside world and generate the signals needed to create an alternative reality.
If all of this seems too outlandish to be believed, Mr Kurzweil doesn't care. As unnatural as these ideas may seem to others, he says they are just part of a natural evolutionary progression. Apes would have seemed impossible to the first lungfish. A civilisation of humans literally melding with their technology may seem impossible as well. But, he argues, that does not mean it will not happen.
All of which leads to the 57-year-old Mr Kurzweil's most outrageous prediction: immortality. In his new book, “Fantastic Voyage: Live Long Enough to Live Forever”, he and his co-author argue, in sometimes dense scientific detail, that death no longer need be a fact of life. Current advances in medicine, they say, will lead to major breakthroughs in genetics between 2015 and 2020 that will extend life spans. Then, by the late 2020s, advances in nanotechnology will make possible truly radical life extension and rejuvenation. So to achieve immortality, people alive today merely need to survive long enough to reach the first of these breakthroughs, which will in turn enable them to benefit from the second.
Mr Kurzweil has no time for sceptics who argue that human immortality is impossible, or that mortality is what makes life precious. “That's nonsense,” he says. “What makes the human species unique is that we insist upon going beyond our limitations. We are not staying within the limits of our biology. Life expectancy was 37 in 1800, 45 in 1900 and now it's over 80. Ageing is not a graceful process and death is a great tragedy, a profound loss of knowledge, skill, experience and relationships.” When asked if he expects to live forever, Mr Kurzweil answers without hesitation: “Yes. I expect I will.” After all, when you have as many ideas as Tom Swift, you need all the time you can get.
March 15, 2005 at 09:33 PM in Web lifestyle
Mar 10th 2005
From The Economist print edition
Forensic computing: As criminals and crime-fighters go digital, analysing clues from computers is a growing field
EVERY new technology leads to new forms of crime. As a Chicago policeman once put it: “No other section of the population avail themselves more readily and speedily of the latest triumphs of science than the criminal class.” He was speaking in 1888, about the electric telegraph. But he could just as easily have been speaking about computers and networks today. As criminals adopt new technologies, crime-fighters must follow suit, devising new ways to gather and analyse evidence. In the case of modern digital technology, the result is the growing field of “forensic computing”.
The scope for using technology in criminal ways, and the complexity of catching people who do so, are illustrated by the case of a 42-year-old Maryland man who pleaded guilty last October to attempted extortion after sending threats and demands by e-mail, and was sentenced to 63 months in prison. For more than two years the man had sent sexually explicit e-mails to the clients of a patent firm with a spoofed sender address, so that the messages appeared to come from the company's own executives. Analysis of the company's computers ruled out a malicious insider. Further analysis of the e-mails showed that they had in fact been sent from multiple homes in a suburban area just outside Washington, DC. The real culprit created this confusion by driving around with a laptop and an antenna that could detect unsecured Wi-Fi wireless networks. Having found one, he could use it to send e-mails from his car; any attempt to trace them led back to the unwitting owner of the network rather than to him.
The investigators used clinical psychologists to create a profile of the person behind the extortion attempts, and found that the home owners from whose networks the messages had originated did not match the profile. The man was also sending messages from several local university computer laboratories, using false or stolen accounts. The investigators responded to one of his messages, embedding tiny invisible graphics called “web bugs” in their replies: an image with a unique address is fetched from the investigators' server when the message is opened, and the server's log then records the network address from which it was fetched. But he spotted their ruse.
Finally, he issued a $17m extortion demand in an e-mail that contained personal details consistent with a primary suspect who had, by this time, been identified by the psychologists. The suspect was followed as he drove to one of the university computer laboratories from which incriminating e-mails had been sent. He was then arrested, and a search of his house produced evidence of his campaign against the patent firm, along with hand-grenade components and ingredients for the deadly toxin ricin.
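How a web bug of the kind the investigators used actually yields an address, as an added example that is not from the article or from the case file: the tracker host, the per-message tokens and the access-log lines below are all constructed for illustration. Each reply carries an invisible image whose URL is unique to that message; if the recipient's mail client loads remote images, the fetch lands in the server log, and parsing the log ties the token back to the address the request came from.

```python
import re

# Constructed for this example: the investigators' own web server and one
# token per outgoing reply. Nothing here is taken from the actual case.
PIXEL_HOST = "http://tracker.example.invalid"

def make_tracking_pixel(token):
    """HTML fragment for an invisible 1x1 image whose URL is unique to one message.
    Rendering the message fetches the image, and the fetch is logged server-side."""
    return (f'<img src="{PIXEL_HOST}/px/{token}.gif" width="1" height="1" '
            f'style="display:none" alt="">')

# Apache/NCSA combined-log line: client address, timestamp, request line,
# status, size, referrer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def resolve_opens(log_lines, tokens):
    """Map each issued token to the (address, time, user agent) of every fetch
    of its pixel. A token with no hits means the recipient's mail client never
    loaded the remote image: the bug was blocked or, as in the case above, spotted."""
    hits = {t: [] for t in tokens}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path_match = re.fullmatch(r'/px/([0-9a-f]+)\.gif', m.group('path'))
        if path_match and path_match.group(1) in hits and m.group('status') == '200':
            hits[path_match.group(1)].append(
                (m.group('ip'), m.group('time'), m.group('ua')))
    return hits

# Constructed access-log excerpt: one recipient rendered the message from an
# address we pretend belongs to a university lab; the other fetched nothing.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Feb/2004:14:03:22 -0500] "GET /px/9f1c2d5a7b3e4c10.gif HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.2 - - [04/Feb/2004:14:05:01 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
""".splitlines()

TOKENS = ["9f1c2d5a7b3e4c10", "0b7d3e9a44c1f208"]   # one token per reply sent

if __name__ == "__main__":
    print(make_tracking_pixel(TOKENS[0]))
    for token, fetches in resolve_opens(SAMPLE_LOG, TOKENS).items():
        print(token, fetches or "not fetched")
```

The address recovered is that of whatever network the recipient was on when the message was rendered, which in this case would have been a stranger's Wi-Fi network or a university laboratory rather than his home; and a mail client that does not fetch remote images leaves no log entry at all.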
This kind of computer-based investigative work, which involves tracing the digital footprints left by criminals on machines and networks, is becoming ever more important. In 1999, America's Federal Bureau of Investigation helped to launch the first Regional Computer Forensics Laboratory (RCFL) to support federal, state and local law-enforcement agencies. There are now six such labs across the country, and seven more will open by the end of this year. Last year the labs processed 107.9 terabytes of data, roughly equivalent to more than 4.5m boxes of paper filled with text. Douglas Schmidtknecht of the RCFL National Programme Office says the amount of data being analysed is growing exponentially.
While the public perception of computer crime is that it is carried out by malicious hackers and “script kiddies”, the greatest threat is often from within. “There's a huge rise in the number of cases of intellectual-property theft,” says Gordon Stevenson, managing director of Vogon International, a forensic-computing and data-recovery firm based in Bicester in England. Most of Vogon's forensic work involves conducting investigations for corporations that suspect employees of wrongdoing—and half of these cases concern intellectual-property theft. Mr Stevenson points out that employees can easily make copies of crucial data, from corporate databases to product blueprints. “They can e-mail it to themselves at home,” he says.
Tools of the trade
Forensic computing, like traditional forensic science, relies on a range of tools and techniques. Special software is used to gather evidence from storage devices and to compute cryptographic hashes of it, so that any later alteration, accidental or deliberate, can be detected by recomputing the hash. There are specialist search tools, e-mail scanning tools and disk-analysis tools; tools to gather information over a corporate network when investigating internal incidents; tools that monitor network traffic for suspicious behaviour; administrative tools to keep track of evidence from multiple cases, to plot events on timelines for analysis, and to generate reports. The leading vendor of forensic-computing tools is Guidance Software of Pasadena, California. Its EnCase software, which bundles together these sorts of features in various combinations, has 14,000 government and corporate users worldwide and is used by over 90% of America's law-enforcement agencies.
The first step in most investigations is to make a copy of the original evidence, typically by removing the hard disk from a computer and making an exact copy of its contents without altering the original. To do this, the source disk is attached through a “write blocker”, a device that passes read commands to the disk but refuses any write, and its contents are copied sector by sector to a target disk or image file. A cryptographic hash computed over the source is recorded and compared with the hash of the copy, so the examiner can show that the copy is exact and that neither has changed since. The resulting stream of data can then be reconstructed into its original files (which are usually sprinkled in chunks across the disk) by consulting the file system's directory and allocation tables, which list the locations of the constituent chunks of each file. Sectors that no current file claims can still hold leftover chunks of deleted files, or earlier versions of documents, and further analysis can recover them.
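The acquisition and reconstruction steps just described, as an added example in Python that is not from the article or from any forensic product: the disk contents, the directory table and the deleted-file remnant are constructed here, a “sector” is 16 bytes instead of 512, and the directory is a plain dictionary rather than a real FAT or NTFS structure. The sequence is the one an examiner follows: read through a write blocker, hash while imaging, verify the working copy against the recorded digest, rebuild live files from the directory, then carve unallocated sectors for the remains of deleted files.

```python
import hashlib

SECTOR = 16        # bytes per sector in this toy disk (real drives use 512 or 4096)
NUM_SECTORS = 16   # a 256-byte "disk"

class WriteBlockedDisk:
    """Models a drive attached through a write blocker: reads pass through,
    any write command is refused, so the original cannot be altered."""
    def __init__(self, raw):
        self._raw = bytes(raw)
    def read_sector(self, n):
        return self._raw[n * SECTOR:(n + 1) * SECTOR]
    def write_sector(self, n, data):
        raise PermissionError("write blocker: write command refused")

def build_sample_disk():
    """Construct (not capture) a disk: one live file split across two
    non-adjacent sectors, plus the remains of a deleted file whose directory
    entry is gone but whose sectors were never overwritten."""
    raw = bytearray(SECTOR * NUM_SECTORS)
    live_chunks = {2: b"Project Alpha is", 5: b" due on Friday. "}
    for sec, data in live_chunks.items():
        raw[sec * SECTOR:sec * SECTOR + len(data)] = data
    deleted = b"%PDF-1.4 blueprint draft v2"        # spans sectors 8 and 9
    raw[8 * SECTOR:8 * SECTOR + len(deleted)] = deleted
    directory = {"memo.txt": [2, 5]}   # file name -> ordered list of sectors
    return WriteBlockedDisk(raw), directory

def acquire_image(disk):
    """Copy the disk sector by sector through the write blocker, hashing as
    it goes. Returns the image and the digest the examiner records."""
    digest = hashlib.sha256()
    image = bytearray()
    for n in range(NUM_SECTORS):
        sector = disk.read_sector(n)
        digest.update(sector)
        image += sector
    return bytes(image), digest.hexdigest()

def verify_image(image, recorded_digest):
    """Re-hash the working copy (before analysis, before court) and compare
    with the digest recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == recorded_digest

def reconstruct_files(image, directory):
    """Rebuild live files by following each directory entry's sector list."""
    return {name: b"".join(image[s * SECTOR:(s + 1) * SECTOR] for s in sectors)
            for name, sectors in directory.items()}

SIGNATURES = {b"%PDF": "pdf", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip"}

def carve_unallocated(image, directory):
    """Scan sectors no directory entry claims for known file headers and read
    forward across the following unallocated sectors: the leftover chunks of
    deleted files the article mentions. Returns (sector, kind, data) triples.
    Real carvers use footers or length fields; this toy stops at a NUL byte."""
    allocated = {s for sectors in directory.values() for s in sectors}
    hits = []
    for n in range(NUM_SECTORS):
        if n in allocated:
            continue
        sector = image[n * SECTOR:(n + 1) * SECTOR]
        for magic, kind in SIGNATURES.items():
            if sector.startswith(magic):
                data = bytearray()
                m = n
                while m < NUM_SECTORS and m not in allocated:
                    data += image[m * SECTOR:(m + 1) * SECTOR]
                    m += 1
                hits.append((n, kind, bytes(data).split(b"\x00", 1)[0]))
    return hits

if __name__ == "__main__":
    disk, directory = build_sample_disk()
    image, digest = acquire_image(disk)
    print("image sha256:", digest, "verified:", verify_image(image, digest))
    print("live files:", reconstruct_files(image, directory))
    print("carved from unallocated space:", carve_unallocated(image, directory))
```

The digest recorded at acquisition is what later lets an examiner show in court that the copy analysed is the copy taken; the carving step finds the PDF remnant only because its sectors were never reused, which is exactly the leftover data the article describes.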
“Evidence can be gathered from hard disks, networks, and devices such as mobile phones.”
Similar tools are available to consumers to recover data from corrupted disks or “undelete” lost files. But forensic investigators can go one step further, using “spin stand testers”—devices normally used by disk-drive manufacturers to test their products. These rely on the fact that modern disks store information in narrow concentric tracks on each platter, each track about 400 nanometres (billionths of a metre) wide. Since the track is so narrow, new data are not always written exactly on top of old, slivers of which remain at the track's edges. By reading this residue, it is sometimes possible to reconstruct files that have been deleted or deliberately overwritten.
Network traffic can also be used as the basis of an investigation. Recording all the data flowing across a network is impractical, but it is possible to monitor patterns of traffic, types of traffic, attempts to access particular machines or parts of a network, and so on. So-called “intrusion-detection systems” do just that, sounding an alarm when something suspicious happens. The logs generated by such systems can therefore reveal telling details about network activity. Other network tools examine the contents of data packets zipping across the network, and record selected streams of data for subsequent playback and analysis. Such systems can capture e-mails to or from specified people, reconstruct instant-messaging conversations and even record and replay voice-over-internet phone calls.
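The kind of pattern an intrusion-detection system raises an alarm on, as an added example that is not from the article or from any IDS product: the flow records below are constructed, and the rule (one source touching many distinct ports on one host within a minute) is a standard port-sweep heuristic. The alert keeps the records that triggered it, because those are what an investigator later needs from the IDS log.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "ts src dst dport")

# Constructed flow records (timestamp, source, destination, destination port),
# not a real capture: one source walks through many ports on one host within
# a few seconds, amid ordinary web traffic.
SAMPLE_FLOWS = """\
2005-03-01T09:00:01 10.0.0.5 10.0.1.20 80
2005-03-01T09:00:02 10.0.0.5 10.0.1.20 443
2005-03-01T09:00:02 192.0.2.9 10.0.1.20 21
2005-03-01T09:00:03 192.0.2.9 10.0.1.20 22
2005-03-01T09:00:03 192.0.2.9 10.0.1.20 23
2005-03-01T09:00:04 192.0.2.9 10.0.1.20 25
2005-03-01T09:00:04 192.0.2.9 10.0.1.20 80
2005-03-01T09:00:05 192.0.2.9 10.0.1.20 110
2005-03-01T09:00:05 192.0.2.9 10.0.1.20 139
2005-03-01T09:00:06 192.0.2.9 10.0.1.20 445
2005-03-01T09:00:06 192.0.2.9 10.0.1.20 3389
2005-03-01T09:01:30 10.0.0.7 10.0.1.20 80
2005-03-01T09:15:00 192.0.2.9 10.0.1.20 22
"""

def parse_flows(text):
    """Parse the whitespace-separated records above into Flow tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows

def detect_port_sweeps(flows, threshold=8, window=timedelta(seconds=60)):
    """Flag any source that touches at least `threshold` distinct ports on one
    destination within `window`. Each alert carries the supporting records."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    alerts = []
    for (src, dst), recs in by_pair.items():
        recs.sort(key=lambda f: f.ts)
        best, best_recs, i = set(), [], 0
        for j in range(len(recs)):
            while recs[j].ts - recs[i].ts > window:   # slide the window forward
                i += 1
            ports = {r.dport for r in recs[i:j + 1]}
            if len(ports) > len(best):
                best, best_recs = ports, recs[i:j + 1]
        if len(best) >= threshold:
            alerts.append({"src": src, "dst": dst, "ports": sorted(best),
                           "start": best_recs[0].ts, "end": best_recs[-1].ts,
                           "evidence": best_recs})
    return alerts

if __name__ == "__main__":
    for a in detect_port_sweeps(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['src']} probed {len(a['ports'])} ports on {a['dst']} "
              f"between {a['start']} and {a['end']}: {a['ports']}")
```

The lone connection from the same source a quarter of an hour later falls outside the window and is not counted, which is the trade-off every such rule makes: a slow enough sweep evades it, and the threshold and window are the knobs an operator tunes.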
As well as gathering evidence from hard disks and network traffic, investigators must also stay abreast of the rapid evolution of portable devices. Data can be copied on to a music player or keychain flash drive, or hidden on the memory card of a digital camera. These devices provide new sources of evidence, but also create new challenges for investigators, says Eoghan Casey of Stroz Friedberg LLC, a computer-security and forensic consultancy that took part in the investigation that followed the collapse of Enron, an energy company, in 2001. “The fact that many handhelds are connected to networks increases the amount of data they generate,” says Mr Casey, who also edits Digital Investigation, a quarterly journal.
Making the case
When presenting digital evidence in court, investigators must be able to demonstrate its integrity and provenance. “You don't just walk into the court and say ‘Here's a hard drive',” says Mark Pollitt, the former head of the FBI's RCFL network who is now an independent security consultant. As with physical evidence, which must be stored and handled appropriately, this can involve procedures (such as hashing evidence as it is acquired, timestamping, and keeping a written chain-of-custody record) to ensure that digital evidence has not been tampered with or mixed up. The need to take these extra steps has not discouraged people from introducing digital evidence. Mr Pollitt notes that five years ago, a motion for electronic discovery in a civil lawsuit was the exception rather than the rule. Now, he says, virtually every lawsuit involves this type of request.
A decade ago, companies offering forensic-computing and data-recovery services dealt mostly with government requests. But these days they are often called on directly by businesses and lawyers investigating intellectual-property theft or inappropriate use of corporate systems by insiders. A common complaint from specialist investigators in such cases, however, is that investigations by incompetent staff can contaminate the evidence. “What they don't realise is that they've muddied the water,” laments Nouman Mir, a forensic-computing specialist at Data Recovery UK, a British firm.
That companies are unaware how to handle digital evidence is not surprising, since such cases are generally hushed up. That, in turn, causes the scale of the problem to be underestimated. But there are ways around this. Britain's National High-Tech Crime Unit (NHTCU) lets companies provide details about security breaches in confidence. This contributed to a five-fold increase in the number of firms participating in the NHTCU survey last year, compared with 2003. Better data, ever more elaborate tools and greater awareness will be needed if the crime-fighters are to keep up with the criminals.
March 15, 2005 at 09:31 PM in Online crime
Dec 2nd 2004
From The Economist print edition
Security technology: A new kind of door lock combines low-tech and high-tech approaches to enhancing security—but is it really safer?
IN THE security industry today, one part is decidedly sexier than the other. The sexy part deals with digital security, which includes everything from fighting computer viruses and fending off malicious hackers to controlling which employees have access to which systems. All of this has overshadowed the less glamorous part of the industry, which deals with physical security—in essence, door locks and that sort of thing. At parties, the digital guys come across as cutting-edge, whereas the door-lock guys soon have to admit that their last truly stunning innovation, the pin-tumbler lock, was devised in ancient Egypt but then got lost for 4,000 years until Linus Yale, an American inventor, rediscovered it. And even that was a century and a half ago.
Assa Abloy, a Swedish company that is the world's largest lockmaker, wants to change that. So it has teamed up with CoreStreet, a software company based in Cambridge, Massachusetts, to merge digital and physical security into a single system. The idea is that the same computer database that gives employees of a firm or government access privileges online also opens (or closes) doors for them. The twist, however, is that the doors need not have a permanent, hard-wired connection to the central computer.
Today, the only way to allow door locks to authenticate (“Are you who you claim to be?”) and validate (“Are you supposed to be entering at this hour?”) people in real time is to install electronic card-readers on doors, and then hook those readers up to a secure computer network. If an employee named Jane then gets fired, the central database will immediately inform all the connected card-readers, which will stop accepting Jane's key card.
The problem is that this sort of network is very expensive. An electronic lock costs between $3,000 and $5,000, 80% of which is the cost of network wiring, says Phil Libin of CoreStreet. Wiring up all the locks of, say, a nuclear power plant, university campus, airport, or military base therefore becomes extremely costly. Hard-wiring the doors of trucks, containers, aeroplanes and other moving things is out of the question. This is why, even in the most secure settings, at most 3% of locks tend to be connected.
CoreStreet's solution is “to make the cards themselves the network”, explains Mr Libin. There is still one central access list that says who is allowed to open what, and it is regularly sent out to the 3% of locks that are connected. The cunning part is how the list is propagated to other, unconnected locks: by the users themselves. Whenever an employee swipes his card through a connected lock, the list is copied, in encrypted form, on to the card. As he then walks through unconnected doors, the card transfers the latest copy of the list on to their locks, replacing their older versions. These locks in turn pass the new list on to any other cards passing through, and so on.
As long as people keep moving through doors, says Mr Libin, the freshest list of privileges spreads by “viral propagation”. The trick is to position the few connected locks carefully, to ensure that updates to the list spread within minutes to all the other doors. That way, Jane, having been fired, will find that her card no longer works. The new “intelligent” locks from Assa Abloy and CoreStreet that do all this cost about $1,000 each.
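A simulation of the propagation scheme described above, as an added example that is not CoreStreet's or Assa Abloy's code; the article does not describe their data format or cryptography. This toy assumes a single key provisioned into every lock, a keyed MAC over the list, and a version counter, so that an unconnected lock accepts a list from a card only if it is authentic and newer than the one it holds. The article's encryption of the list is not modelled, since authenticity and freshness are what stop a card from carrying in a forged or replayed list. The scenario has one wired door (A), two unwired doors (B and C) and two employees, one of whom is fired part way through.

```python
import copy
import hashlib
import hmac
import json

# Assumption for this toy (the article does not describe CoreStreet's actual
# format or cryptography): every lock is provisioned with the same key, and a
# list is accepted only if its MAC verifies and its version is newer than the
# copy the lock already holds.
LOCK_KEY = b"key-provisioned-into-every-lock-at-install"

def _canonical(version, allowed):
    return json.dumps({"version": version, "allowed": allowed}, sort_keys=True).encode()

def sign_list(version, allowed):
    """Produce the signed access list the central server hands to wired locks."""
    mac = hmac.new(LOCK_KEY, _canonical(version, allowed), hashlib.sha256).hexdigest()
    return {"version": version, "allowed": allowed, "mac": mac}

def verify_list(blob):
    if blob is None:
        return False
    expected = hmac.new(LOCK_KEY, _canonical(blob["version"], blob["allowed"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(blob["mac"], expected)

class Server:
    """The central database: card -> doors it may open, plus a version counter."""
    def __init__(self, allowed):
        self.version = 1
        self.allowed = {card: sorted(doors) for card, doors in allowed.items()}
    def revoke(self, card_id):
        self.allowed.pop(card_id, None)
        self.version += 1
    def current_list(self):
        return sign_list(self.version, copy.deepcopy(self.allowed))

class Card:
    def __init__(self, card_id):
        self.card_id = card_id
        self.blob = None              # newest signed list this card has picked up

class Lock:
    def __init__(self, door, server=None):
        self.door = door
        self.server = server          # set only on the few hard-wired locks
        self.blob = None
    def _adopt_if_newer(self, blob):
        if verify_list(blob) and (self.blob is None or blob["version"] > self.blob["version"]):
            self.blob = blob
    def present(self, card):
        """A swipe: pull from the network if wired, take any newer authentic list
        the card carries, give the card ours if ours is newer, then decide."""
        if self.server is not None:
            self._adopt_if_newer(self.server.current_list())
        self._adopt_if_newer(card.blob)
        if self.blob is not None and (card.blob is None
                                      or self.blob["version"] > card.blob["version"]):
            card.blob = self.blob
        if self.blob is None:         # a lock that has never seen a list fails closed
            return False
        return self.door in self.blob["allowed"].get(card.card_id, [])

def run_scenario():
    """Door A is wired; B and C are not. Jane is fired after her first round.
    Returns the decision at each step so propagation and its lag can be checked."""
    server = Server({"jane": ["A", "B", "C"], "bob": ["A", "B", "C"]})
    a, b, c = Lock("A", server), Lock("B"), Lock("C")
    jane, bob = Card("jane"), Card("bob")
    out = {}
    out["jane_first_pass"] = (a.present(jane), b.present(jane), c.present(jane))
    stale_copy = dict(jane.blob)                       # Jane keeps her version-1 list
    server.revoke("jane")                              # HQ is now at version 2
    out["jane_before_news_arrives"] = (b.present(jane), c.present(jane))
    out["bob_carries_v2"] = (a.present(bob), b.present(bob))
    out["jane_B_after_update"] = b.present(jane)       # refused; her card is handed v2
    out["jane_C_after_update"] = c.present(jane)       # her own card brings v2 to C
    out["lock_versions"] = (a.blob["version"], b.blob["version"], c.blob["version"])
    jane.blob = stale_copy                             # attack 1: replay the old list
    out["replay_rejected"] = (b.present(jane), b.blob["version"])
    jane.blob = {"version": 99, "allowed": {"jane": ["A", "B", "C"]}, "mac": "00"}
    out["forgery_rejected"] = (b.present(jane), b.blob["version"])   # attack 2: forge
    return out

if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

Running it shows the lag the article alludes to: until someone carries the new list in from the wired door, Jane's card still opens B and C. It also shows a useful side effect of the design: the card that is refused at B is handed the new list there and carries the revocation on to C itself. The replay and forgery steps are what the version counter and the MAC are for; without them any card could reinstate its holder at an unconnected lock.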
Not everyone is convinced, however. Marc Tobias, an expert on locks who has literally written the book on the subject—all two volumes and 1,400 pages of it—has heard grand claims being made about new kinds of lock before. He has been picking locks since he was 15, though he has not yet picked one of the new Assa Abloy locks (which have so far been supplied to ten trial customers). But, he says, “I'd be really paranoid about this until it has been thoroughly vetted.” As Bruce Schneier, a security expert, likes to point out, security is like a chain, and is only as strong as its weakest link. The new system's security depends on protecting both the access list (every unconnected lock must be able to tell a genuine, current copy from a forged or stale one carried in on a card) and the network that links up the connected doors. Making physical locks as secure as computer networks, in other words, means precisely that.
March 15, 2005 at 09:30 PM in Smart Cards
Yahoo! News - Data Under Siege
By Jonathan Krim and Robert O'Harrow Jr., Washington Post Staff Writers
Identity thieves have penetrated another company that collects and sells personal information on millions of U.S. consumers, the latest in a series of breaches that is throwing a spotlight on the practices and safeguards of a booming data-collection industry.
LexisNexis, a worldwide provider of legal and business data, announced yesterday that information about 32,000 consumers was fraudulently gathered in a series of incidents. The data include names, addresses and Social Security and driver's license numbers.
The breaches occurred at the company's recently acquired Seisint Inc. subsidiary, a Florida firm that sells data amassed from extensive public records searches to law enforcement agencies, businesses, private investigators and others.
Kurt Sanford, president and chief executive of the LexisNexis corporate and federal markets unit, said company investigators discovered that fraud artists had assumed the identities and used the passwords of legitimate customers to download the customer data.
"LexisNexis very much regrets this and will be notifying all the individuals concerned and providing them with ongoing credit monitoring and practical support to ensure that any identity theft is quickly detected and addressed," the company said in a news release.
The breaches occurred in January, and the company is continuing to investigate, working with the Secret Service.
The announcement comes just weeks after a LexisNexis competitor, ChoicePoint Inc., revealed an even larger security lapse that enabled fraud artists posing as legitimate businessmen in Los Angeles to access personal information about at least 145,000 people around the country.
Investigators are exploring whether the suspect in that case also compromised LexisNexis and other information services.
The ChoicePoint disclosure last month was followed by revelations that Bank of America Corp. had lost computer tapes containing financial data on 1.2 million federal workers, including U.S. senators.
Then late Tuesday, shoe retailer DSW Inc. revealed that credit card numbers of people who shopped at 103 of its 175 stores had been obtained by hackers.
The company is not saying how many consumers might be affected but is recommending that shoppers at any DSW store monitor their credit card activity closely. The company has several stores in the Washington area.
The breaches have spurred plans for several hearings on Capitol Hill that begin today. The relatively obscure information-broker business will get particular scrutiny, with its major companies maintaining and selling names, Social Security numbers, driver's license information, credit card data and other records on virtually every U.S. adult.
Seisint alone claims to have 20 billion records in its system.
"This is the latest window on security weaknesses that jeopardize the personal information that data brokers hold . . . and the view is a chilling one," said Sen. Patrick J. Leahy (Vt.), the top Democrat on the Senate Judiciary Committee. "Data brokers are also increasingly partners with the government in important law enforcement and homeland security efforts, and their performance in protecting data is one of the important criteria in evaluating those relationships."
Sen. Arlen Specter (R-Pa.), who heads the Judiciary Committee, said the breaches are "becoming an epidemic. It's very serious. Privacy is one of our most prized values."
Sanford, the LexisNexis executive, said the breach at his firm was discovered in January by a team of LexisNexis employees examining the security and authentication procedures used by Seisint.
The team was trying to figure out how to "sync everything up" between the LexisNexis and Seisint computer systems, Sanford said.
LexisNexis Group acquired Seisint last summer for $775 million in cash. At the time, Seisint was best known as the company behind a counter-terrorism supercomputer called the Matrix, which enabled law enforcement and intelligence authorities to blend investigative files with billions of public records.
In buying Seisint last summer, LexisNexis aimed to compete more aggressively with ChoicePoint for lucrative homeland security and law enforcement contracts. Seisint's main product is Accurint, a service that markets the possibility of giving police, private investigators, lawyers and others access into every corner of society.
"Instantly FIND people, their assets, their relatives, their associates, and more," the company's marketing material said. "Search the entire country for less than the cost of a phone call -- a quarter."
March 13, 2005 at 12:18 PM in Phishing & identity theft
Yahoo! News - Europe, U.S. Separated by Telephone Cultures
By David Lawsky
BRUSSELS (Reuters) - European and American culture differ in language, automobiles, sports and -- less obvious but no less important -- the way they use telephones.
Choices made by governments and companies can mean that teenagers in Athens, Georgia, talk on their fixed line phone for four hours a day while those in Athens, Greece, are sending four text messages on their mobile phones.
The European Commission in Brussels is proud of its role in helping promote a uniform telephone standard across the European Union. The Federal Communications Commission in Washington is proud of its role in letting the market decide.
Europe touts the broad use of the GSM standard as a measure of success. It is now used in more than 100 countries around the world and has ushered in sophisticated multimedia telephone service in many countries.
The GSM system exists in the United States but so do other, inconsistent systems, reflecting the U.S. policy of letting the market decide what technology to adopt.
"Wireless communications is by far the most competitive and innovative market in the Commission's purview," FCC Chairman Michael Powell said last year.
An FCC report said American mobile users talk more and pay less than Europeans, citing it as "evidence that the U.S. market is effectively competitive" compared to Europe and Japan.
But eight of 10 European Union residents have mobile phone numbers while only six of 10 Americans do.
And Western European mobile operators pulled in $142 billion of revenue in 2004, compared to only $104 billion in the United States, according to Marta Munoz of Ovum, a consulting firm in London.
But the United States is catching up. U.S. revenues grew at 11 percent, compared to only 9 percent for Western Europe, Munoz said.
SPUTTERING PHONES
Europe's single-standard GSM, which stands for 'Global System for Mobile Communications', reaches a broader audience than America's multiple-standard system.
"You can't use every phone everywhere in the United States, so that puts a limitation on the end user," Munoz observed of the three incompatible American systems.
U.S. cell phones sputter and fail in an apartment in the Maryland suburbs of Washington near the National Institute of Standards and Technology, the U.S. agency created to set consistent standards, and in ranch houses in the Los Angeles suburbs. A land line is a necessity.
Europeans can skip fixed lines altogether. Why bother? A GSM phone works nearly everywhere -- not just in houses, apartments and offices but at the bottom of a salt mine in Poland or on a wind-swept beach in County Donegal in northwest Ireland. The only real problem occurs on trains.
GSM includes the short messaging system (SMS), which works on every phone in Europe. Some Americans have SMS or BlackBerry Wireless, but not everyone.
Americans have made voicemail a way of life, where it often replaces the busy signal. A conversation can be supplanted by voice mail exchanges.
Europeans often skip voicemail, although they have sophisticated versions. Their mobiles automatically send a note saying "1 missed call," and tell them who called. People call back even without a message.
People often use SMS to leave messages, which have a "feel" different from voice mail, e-mail or snail mail.
MINUTE BY MINUTE
Telephone charges are primarily responsible for shaping the different telephone cultures in the U.S. and Europe.
"Price affects behavior with telephones, just as it does in every other aspect of life," said Dermot Glynn, chairman of Europe Economics, a consultancy based in London.
Europeans traditionally pay by the minute for both fixed lines and mobiles. Teenagers save money using cheap SMS messages instead of mobile calls, and pay nothing to receive. Those Americans who have SMS must pay to send and receive.
Americans traditionally paid a monthly flat rate for unlimited local calls on wireline. But now they can pay to extend that to the whole country, no matter how many calls or for how long.
As a result of the differing economics of the phone systems, there are different practices:
--Americans talk more. Flat-rate charges also helped get the Internet off the ground there because dial-up lines were not charged by the minute as in Europe.
--Europeans give out their cell phone numbers and put them on their business cards. They pay nothing to receive mobile phone calls in their home country.
--Americans traditionally have paid to receive mobile phone calls and tend to be less free about giving out cell phone numbers.
--American mobile subscribers get an allotment of minutes for a monthly fee and competition led to packages offering free nationwide calls nights and weekends.
--Europeans buy more limited packages -- especially geographically. Despite investigations by the European Commission, mobile phone companies in Europe charge as much as one euro per minute to send or receive calls abroad.
--Europeans buy their own phones and easily switch phone companies or numbers by swapping tiny SIM card chips. So travelers sometimes buy inexpensive SIM cards to use abroad, receiving calls for free on a new, local number.
But a sun-seeking Briton in Spain is more cautious about making mobile calls than a sun-seeking Minnesotan in Florida.
Now, the advent of 3G high-speed data phones will soon create its own cultural changes -- likely to be different in the United States than Europe.
(additional reporting by Jeremy Pelofsky in Washington and Kirstin Ridley in London)
March 13, 2005 at 12:14 PM in Web lifestyle
Economist.com | Identity theft
PLATO asked "What is man?" and St Augustine asked "Who am I?" A new breed of criminals has a novel answer: “I am you!” Although impostors have existed for ages, the growing frequency and cost of identity theft is worrisome. Around 10m Americans are victims annually, and it is the leading consumer-fraud complaint over the past five years. The cost to businesses was almost $50 billion, and to consumers $5 billion, in 2002, the most recent year that America's Federal Trade Commission collected figures.
After two recent, big privacy disasters, people and politicians are calling for action. In February, ChoicePoint, a large data-collection agency, began sending out letters warning 145,000 Americans that it had wrongly provided fraudsters with their personal details, including Social Security numbers. Around 750 people have already spotted fraudulent activity. And on February 25th, Bank of America revealed that it lost data tapes that contain personal information on over 1m government employees, including some Senators. Although accident and not illegality is suspected, all must take precautions against identity theft.
Faced with such incidents, state and national lawmakers are calling for new regulations, including over companies that collect and sell personal information. As an industry, the firms—such as ChoicePoint, Acxiom, LexisNexis and Westlaw—are largely unregulated. They have also grown enormous. For example, ChoicePoint was founded in 1997 and has acquired nearly 60 firms to amass databases with 19 billion records on people. It is used by insurance firms, landlords and even police agencies.
California is the only state with a law requiring companies to notify individuals when their personal information has been compromised—which made ChoicePoint reveal the fraud (albeit five months after it was noticed, and after its top two bosses exercised stock options). Legislation to make the requirement a federal law is under consideration. Moreover, lawmakers say they will propose that rules governing credit bureaus and medical companies are extended to data-collection firms. And alongside legislation, there is always litigation. Already, ChoicePoint has been sued for failing to safeguard individuals' data.
Yet the legal remedies would still be far looser than in Europe, where identity theft is also a menace, though less frequent and costly. The European Data Protection Directive, implemented in 1998, gives people the right to access their information, change inaccuracies, and deny permission for it to be shared. Moreover, it places the cost of mistakes on the companies that collect the data, not on individuals. When the law was put in force, American policymakers groaned that it was bad for business. But now they seem to be reconsidering it.
March 11, 2005 at 01:44 PM in Phishing & identity theft
Finextra: Australian banks to introduce two-factor authentication
Australian banks are set to introduce an industry standard for two-factor authentication for verifying online banking customers later this year.
David Bell, CEO of the Australian Bankers Association (ABA) told reporters that each bank will be free to choose its own method of secondary identification for Web banking customers.
He says research by the bankers group has found that customers do not want to use biometric devices for authentication. Instead, banks are likely to adopt mobile messaging systems or token-based random number generators.
The plans were revealed as ABA member banks and the Australian High Tech Crime Centre (AHTCC) launched an advertising campaign warning customers about protecting personal details online. According to ABA figures, Australia's banks lost A$10 million to online fraud last year.
Mick Keelty, commissioner, Australian Federal Police, says: "Figures show that around 40% of the Australian population bank online and there are simple steps they can take to protect themselves from becoming victims of Internet-based fraud."
Bell says that all users of the Internet have a responsibility to protect themselves against online crime.
"In the same way they buy cars with safety and security features to protect themselves, anti-virus and firewall protection should be installed on the home or business computer," he adds.
March 11, 2005 at 08:13 AM in Financial Services
Under my keyboard the desk shakes. The bloggers are on the march - Comment - Times Online
Simon Jenkins
SINCE THE DAYS of Caxton the tools of my trade have been familiar. Whatever I write is somehow transformed into letters incised in relief. This miracle — the printing craft was called “the mystery” — has not changed in essence since the Middle Ages. The surface is duly smeared with ink and pressed on to dead trees, to be carried out into the street and read. The gods of print served impartially Chaucer and Shakespeare, the Bible, The Times and Playboy magazine. Civilisation’s most glorious invention, I assumed, would see me out.
I am not so sure. When the internet arrived I thought it was like the non-stick pan or the self-lighting match, a novelty of uncertain necessity or future. The web, I wrote, would be of interest to law researchers and sex fiends. Who else would want the Library of Congress on their kitchen table and a club bore ranting on their desk? When the chat room and the web-log (blog) arrived, they were surely of use only to librarians, lonely hearts and those suffering rare tropical diseases.
This week I attended a seminar in Washington on the future of opinion journalism. Normally such seminars are places where underworked neophiliacs fry each other’s brains. This time I felt the earth shake. The talk was dominated by bloggers. They were everywhere, permanently online to each other through 3G handsets. The dedicated blogger updates his site two or three times a day, as if no gossip must go unpassed and no abuse go unanswered. It is manic.
These people claim to be the unofficial legislators of free opinion. They quake, rant, muckrake, scream like 17th-century Puritans. Most of the blog sites regurgitate and spin what the mainstream media (dismissively the “MSM”) has spent millions finding and checking. Most are fanatically conservative. All you need is a taste for exhibitionism and a fancy name: mediabistro, FishBowlDC, wonkette. One Yahoo blogger, Ted Rall, gives warning of the blogosphere: “A new sheriff’s in town. He’s drunk. He’s mean, and he works for the bad guys.” The web is the Bushites’ revenge on the liberal media establishment. A blog polarises or dies.
The web has undoubtedly honoured its claim to be the democracy of the air. Every columnist’s motto may be Milton’s “Opinion in good men is but knowledge in the making”. But to what end? On the web, opinion travels first class while facts go steerage. The opinion blogs that I occasionally read — one is formed every seven seconds — show scant respect for the disciplines of journalism. This is a game anyone can play. A case before a California court is seeking to establish if bloggers are “journalists” and can thus enjoy legal protection under the Constitution. The bloggers protest that they are merely doing what newspapers fail to do, “keeping the bad guys honest”, but that begs the question. The Apple corporation, beset by employees blogging its trade secrets, is desperate to defend itself.
What is clear is that the blogosphere has taken the press temporarily by storm. I have spent most of my life reading of the death of newspapers. I took comfort from the French portraitist, Delaroche, who declared on seeing the first photograph, “From this day painting is dead”. Newspapers have been upstaged successively by the teleprinter, radio, television and now the internet. Each barbarian wave arrives at the gates of Rome and claims to be “resetting the agenda”. Each assimilates into the local population.
Certainly the dead trees edition of The Times is bought by some 700,000 people while five times as many visit the Times Online worldwide. The e-mail response to what I and others write has soared. Producing a formal newspaper has become an electronic conversation between screens and keyboards. I can well see that buying a paper may come to be a luxury when it is available on screen everywhere for nothing. But then plays seemed a luxury with the coming of movies, concerts with the coming of records, cinemas with the coming of DVDs, books with the coming of everything. Somehow the old media survived, and prospered.
In large part the success of the blog in America is a function of the rapid decline in newspaper competition, a classic of monopoly capitalism in league with monopoly labour. An academic observer, Philip Meyer, has calculated that at the present rate of fall the last newspaper will be read in April, 2040 (and still looking as if it was designed in the 1930s). Small wonder media schools are teaching “convergence journalism”, much as chefs teach fusion cuisine. They are trying to instil the disciplines of journalism into the web. The problem is that the appeal of the blog is precisely that it can escape those disciplines. Many are just noise, the dial set to the frequency of a particular prejudice.
The problem for conventional journalism is to prove that such qualities as newsgathering and reliability are worth more than a scream of opinion, enough to get people to part with money. I notice how often blogs refer to items witnessed on television or read in The New York Times. Someone must gather this stuff, check it, source it, write and edit it. These are not professional trivia but the essence of open debate. The mainstream media have to make money or the blog’s professional resource will die. With newspaper sales declining and news bureaux shutting down across the world, the outlook is not good. It was never more true that opinion is free, facts are expensive.
British papers need not worry — as yet. Such much-cited blog triumphs as the toppling of Eason Jordan, the CNN executive, and the humiliation of CBS’s Dan Rather would not have needed the web to expose them in Britain. They would have been splashed across every tabloid. The American press remains timid. The Patriot Act suffered nothing like the press mauling given to Tony Blair’s control order legislation.
I have great respect for American journalism. Despite its frequent pomposity, it remains the central platform for “speaking truth to power”. In the madhouse of the American media, institutions such as The New York Times, The Wall Street Journal, The Washington Post and the news networks can seem the last fingertips by which American opinion grips a hold of external reality. But they are monolithic. When they ignore a story, they lay themselves open to the howling of the blog. British journalism howls in print, day and night.
Yet the ground did shake under me. Earlier threats to the press came from new conduits of news and information. Today’s goes to the heart of my trade. It peddles opinion. I can pretend to occupy a higher plane. I can try pleading factual accuracy, consistency, uncorruptibility and a quote or two from Shakespeare. But in truth I too am a blogger, snatching at some item of passing news to argue a case and persuade. And I charge for it. The blogger does it for nothing. I am on my mettle as never before.
So move over, Caxton, the mystery is no more. The whistle-blowers, e-babies, inside-outers, wonkettes, quacks and cranks have globalised Speakers’ Corner. They have rebuilt the Tower of Babel and put microphones on top of it. Amid the noise, a still small voice of reason will still be heard. But it may require the help of Microsoft, not dead trees.
simon.jenkins@thetimes.co.uk
March 10, 2005 at 08:17 PM in Blogging & feeds
Economist.com | Identity theft
Mar 3rd 2005
From The Economist print edition
Collecting, and stealing, personal information is big business
PLATO asked “What is man?” and St Augustine asked “Who am I?” A new breed of criminals has a novel answer: “I am you!” Although impostors have existed for ages, the growing frequency and cost of identity theft is worrisome. Around 10m Americans are victims annually, and it is the leading consumer-fraud complaint over the past five years. The cost to businesses was almost $50 billion, and to consumers $5 billion, in 2002, the most recent year that America's Federal Trade Commission collected figures.
After two recent, big privacy disasters, people and politicians are calling for action. In February, ChoicePoint, a large data-collection agency, began sending out letters warning 145,000 Americans that it had wrongly provided fraudsters with their personal details, including Social Security numbers. Around 750 people have already spotted fraudulent activity. And on February 25th, Bank of America revealed that it lost data tapes that contain personal information on over 1m government employees, including some Senators. Although accident and not illegality is suspected, all must take precautions against identity theft.
Faced with such incidents, state and national lawmakers are calling for new regulations, including over companies that collect and sell personal information. As an industry, the firms—such as ChoicePoint, Acxiom, LexisNexis and Westlaw—are largely unregulated. They have also grown enormous. For example, ChoicePoint was founded in 1997 and has acquired nearly 60 firms to amass databases with 19 billion records on people. It is used by insurance firms, landlords and even police agencies.
California is the only state with a law requiring companies to notify individuals when their personal information has been compromised—which made ChoicePoint reveal the fraud (albeit five months after it was noticed, and after its top two bosses exercised stock options). Legislation to make the requirement a federal law is under consideration. Moreover, lawmakers say they will propose that rules governing credit bureaus and medical companies are extended to data-collection firms. And alongside legislation, there is always litigation. Already, ChoicePoint has been sued for failing to safeguard individuals' data.
Yet the legal remedies would still be far looser than in Europe, where identity theft is also a menace, though less frequent and costly. The European Data Protection Directive, implemented in 1998, gives people the right to access their information, change inaccuracies, and deny permission for it to be shared. Moreover, it places the cost of mistakes on the companies that collect the data, not on individuals. When the law was put in force, American policymakers groaned that it was bad for business. But now they seem to be reconsidering it.
March 8, 2005 at 12:00 PM in Financial Services