Data Security

Fraud Reported on Deliveroo and Just Eat App

Some Deliveroo and Just Eat customers have reported that their accounts have been used to buy food that they didn’t order, but both companies deny a data breach.

What Happened?

Several Deliveroo customers are reported to have been sent an email from the company stating that the email address linked to their account had been changed, after which it was found that food had been ordered through their account by using credit which an unknown person had obtained by claiming refunds for previous orders.

In the case of Just Eat, some customers also reported having their card details used to purchase food that they had not ordered.

Another Source

Both companies are reported to have denied that their systems had been breached and have said that the customer details used to fraudulently order the food were obtained from another, third-party source.

Password Sharing

Deliveroo is reported as saying that cyber-criminals know that people re-use passwords for multiple online services and that they can use login credentials obtained from breaches of other sites to try to access Deliveroo accounts.  This clearly indicates that Deliveroo believes that password sharing (using the same password across several services) may have been a key factor in this fraud.

Expect To Lose Money To Online Fraud

Online fraud is now so prevalent that it appears that many people are resigned to the fact that they will be directly affected, and the message about the dangers of password sharing is not getting through.

For example, the UK National Cyber Security Centre research from April shows that 42% of Brits expect to lose money to online fraud by 2021.

The UK Cyber Survey also found that 70% believe they will likely be a victim of at least one specific type of cyber-crime over the next two years, and that 37% of those surveyed agree that losing money or personal details over the internet is unavoidable these days. The survey also found that fewer than half of those questioned used a separate, hard-to-guess password for their main email account.

1234 Still Most Popular + Dark Net

It’s not just password sharing that’s the problem but also that many people still appear to be choosing obvious passwords.  For example, the NCSC’s recent study into breached passwords revealed that 123456 featured 23 million times, making it still the most widely used password on breached accounts.

Also, recent Surrey University research showed that cyber-criminals now have their own invisible Internet on the so-called ‘dark net’ to allow them to communicate and trade beyond the view of the authorities, and that login details obtained from previous breaches are relatively cheap and easy to buy there.

Not The First Time For Deliveroo

It should be noted that, even though Deliveroo appears to have put the burden of responsibility elsewhere for these recent attacks, some customers had their accounts hacked and unordered food purchases were made back in 2016.  At the time the company also blamed the problems on passwords that had been stolen from another service in a major data breach, although some security commentators have suggested that Deliveroo should now look at whether its security systems are secure enough.

What Does This Mean For Your Business?

If Deliveroo and Just Eat’s claims are to be believed, users of these and many other services may be leaving themselves open to fraud by making bad password choices and/or may be unaware that they are using login credentials that have already been stolen or can be obtained by methods such as credential stuffing. Making good password choices is a simple but important way that we can protect ourselves, and Action Fraud suggests that we should all use strong, unique passwords for online accounts and enable two-factor authentication where it is available.

Ideally, passwords should never be shared between accounts because if one breach has taken place on one site, login details can very quickly be tried on other sites by cyber-criminals.  For example, in January a collection of credential stuffing lists (login details taken from other site breaches) containing around 2.7 billion records, including 773 million unique email address and password combinations, was discovered being distributed on a hacking forum.

Websites such as https://haveibeenpwned.com/ enable you to check whether your email address and login details have already been stolen in data breaches from other websites and platforms.

Suspected Russian Disinformation Campaign Rumbled

An investigation by the Atlantic Council’s Digital Forensic Research Lab (DFRLab) claims to have unearthed a widespread disinformation campaign aimed at influencing online conversations about several topics, that appears to originate in Russia.

Facebook Accounts

Sixteen suspected Russian fake accounts that were closed by Facebook in early May 2019 led researchers to an apparent campaign which stretched across 30 social networks and blogging platforms and used nine languages. The campaign appeared to be focused away from the main platforms such as Facebook and Twitter and was played out instead on blogging sites, subreddits, and online forums.

Even though the scale of the apparent disinformation operation appears to be beyond the abilities of a small or ad hoc group (the scale has been described as “remarkable”), and the operation appears to have been working out of Russia, the DFRLab has pointed out that there is not enough real evidence to suggest that the Russian state / Kremlin is behind it and that the investigation is still ongoing.

What Kind Of Disinformation?

It has been reported that the broad topic areas of the disinformation appear to reflect Moscow’s foreign policy goals e.g. Ukraine, Armenia, opposition to NATO, although conversations have been started and steered around subjects relating to Brexit, Northern Ireland, the recent EU elections, immigration, UK and US relations, the recent turmoil in Venezuela and other issues. Some of the disinformation is reported to have included:

  • Fake accounts in 2018 of an alleged plot, apparently discovered by Spanish intelligence, to assassinate Boris Johnson.
  • Shared screenshots of a false exchange between Democratic Unionist Party leader, Arlene Foster, and chief EU Brexit negotiator, Michel Barnier, which appeared to show a secret negotiation behind Theresa May’s back. Also, false information was spread about the Real IRA.
  • A fraudulent letter in French, German, and broken English, featuring a screenshot of a letter allegedly written by Italian-Swedish MEP Anna Maria Corazza, which was published on various platforms in an attempt to influence the European Parliament elections in May 2019.

Failed and Discovered

The main reasons why the disinformation essentially failed and was discovered were that:

  • Communications were generally not sent via the main, most popular social media platforms.
  • The campaign relied on many forged documents and falsehoods which were relatively easy to spot.
  • So much trouble was taken to hide the source of the campaign e.g. each post was made on a single-use account created the same day and not used again, that the messages themselves hardly saw the light of day and appeared to lack credibility.

What Does This Mean For Your Business?

The fact that someone / some power is going to the trouble to spread disinformation on such a scale with regard to influencing the politics and government of another country is worrying in itself, and the knowledge that it is happening may make people more sceptical about the messages they read online, which can help to muddy the waters on international relations even more.

If messages from a foreign power are used to influence votes in a particular way, this could have a serious knock-on effect on the economy and government policy decisions which is likely to affect the business environment and therefore the trading conditions domestically and globally for UK businesses.  Some have described the current time as being a ‘post-truth’ age where shared objective standards for truth are being replaced by repeated assertions of emotion that are disconnected from real details.  This kind of disinformation campaign can only feed into that and make things more complicated for businesses that need to be able to have reality, truth, clear rules, and more predictable environments to help them reduce risk in business decisions.

Florida Town Pays £475,000 To Hackers To Restart Municipal Computer Systems

Hackers who shut down the municipal computers of Riviera Beach (a suburb of Palm Beach) in a ransomware attack have just earned themselves $600,000 (£475,000) when the local council decided they had no choice but to pay them.

What Happened?

An email containing a virus was opened by an employee.  The result was that the ransomware (malware) shut down Riviera Beach’s computer systems and encrypted the files.  This meant that the email system, the system that allowed 911 dispatchers to be able to enter calls into the computer, water pump stations, and staff pay systems were all seriously disrupted.  Staff were forced to revert to a manual, paper-based admin system.

Vote

The local Council, which has since voted to spend $1 million on new computers and hardware to prevent further hacks, voted to pay the hackers their $600,000 (£475,000) ransom demand to unlock the computer systems and prevent file deletions.  The money was paid in the bitcoin crypto-currency and the payment has been covered by the town’s insurance policy.

No Guarantees

One of the problems of paying hackers who have acted dishonestly in the first place is that there is no guarantee that they will honour their agreement and turn systems back on, which is why many online security experts advocate never paying hacker demands.  Also, if, as in this case, a large ransom is reported to have been paid, this may embolden other hackers to keep using this method of attack e.g. on other council systems.

Fastest Growing Malware Threat

In the US, the Department of Homeland Security has reported that ransomware is the fastest growing malware threat, with city governments in Atlanta, Newark, N.J. and Sarasota all being hit by ransomware schemes. Ransomware attacks have caused major problems with baggage displays and email at Cleveland Hopkins International Airport, computers at the Port of San Diego, and (back in 2018) the 100-bed Hancock Regional Hospital in the suburbs of Indianapolis. Threats have even been made to entire towns and cities e.g. the city of Leeds, Alabama was attacked and a $55,000 ransom was demanded.

Other Examples of Ransomware Attacks

Back in 2017, guests at the Brandstaetter hotel at the Romantik Seehotel Jaegerwirt resort in Austria were locked out of their rooms and other areas of the hotel including the bar after the hotel was targeted by a ransomware attack.  The hotel paid the €1,500 demand.

This month the UK’s biggest private forensic company, Eurofins Forensic Services, which carries out DNA testing, toxicology, firearms testing and computer forensics for UK police forces, was hit with a ransomware attack which has caused disruption to its IT systems in several countries.

What Does This Mean For Your Business?

Ransomware is a popular attack tool because it is often relatively cheap to create and use, it can spread easily (like WannaCry), the attackers can remain anonymous, and it yields the main motivation for many attacks – financial gain. In the case of Riviera Beach, the attackers focused on local government networks as they were most likely to be easy to penetrate and attack, in this case using a phishing email and relying on human error of staff to open it.

UK businesses and other organisations should, therefore, be warned that all staff should be made aware of the threat of suspicious emails and updates, how to spot them, and what to do (and not do) if they identify one.  Keeping security software up to date and regularly backing up critical data is important, as is assessing the possible danger and false economy of staying with old operating systems as long as possible.

In order to provide maximum protection against prevalent and varied threats, businesses should adopt multi-layered security solutions and accept that there is a real likelihood that they will be targeted, thereby helping them to make better preparations.  Businesses should implement the most up to date security solutions, keep up to date with virtual patching, and educate employees in order to mitigate risks from as many angles (‘vectors’) as possible.

Having workable and well-communicated Disaster Recovery and Business Continuity Plans in place is also an important requirement.

UK National Surveillance Camera Day

In a world first, the UK played host to an awareness-raising National Surveillance Camera Day on 20 June as part of the National Surveillance Camera Strategy.

National Surveillance Camera Day

The National Surveillance Camera Day, which is part of the UK government’s National Surveillance Camera Strategy for England and Wales, consisted of events around the country that were designed to raise awareness, inform and lead to a debate about the many different aspects of CCTV camera use (and facial recognition use) in the UK. The Surveillance Camera Commissioner (SCC) wanted the public to take the day as an opportunity to have their say about the future of surveillance cameras with the regulators and service providers listening.

It is hoped that points raised in the debates triggered by the day could help inform policymakers and service providers about how the public feels about surveillance practices and how surveillance camera system use fits with society’s needs and expectations.

One of the key events to mark the day was the “doors open” initiative to allow the public to see first-hand how surveillance camera control centres are operated at the premises of signatories to the initiative e.g. local authorities, police forces, hospitals, and universities.

What / Who Is The SCC?

The Surveillance Camera Commissioner (SCC) for England and Wales is appointed by the Home Secretary as set out in the Protection of Freedoms Act 2012 (PoFA) and it is the Commissioner’s role to ensure surveillance camera systems in public places keep people safe and protect and support them. The current SCC is Tony Porter.

What Is The National Surveillance Camera Strategy?

The National Surveillance Camera Strategy is the government document, presented by the SCC, that outlines the plans for surveillance camera use going forward.  The 27-page document is available online here:  https://www.gov.uk/government/publications/national-surveillance-camera-strategy-for-england-and-wales

Two Related World Firsts

Another related world first that took place on the same day as National Surveillance Camera Day was the launch by the SCC of a “secure by default” list of minimum requirements for manufacturers of video surveillance systems, designed for manufacturers by manufacturers.  The hope is that where manufacturers meet the new “secure by default” minimum requirements, this should ensure that the default settings of a product are as secure as possible, and therefore less likely to be vulnerable to cyber-attacks that could lead to data breaches.

What Does This Mean For Your Business?

Most of us are used to (and often no longer notice) CCTV cameras in use in business premises and public spaces, and we accept that they have a value in protecting us and our businesses in terms of deterring criminals and playing an important role in identifying them, and in providing valuable evidence of crime.

Holding a National Surveillance Camera day highlights the fact that new and emerging technologies e.g. facial recognition and AI are currently causing concern in terms of possible infringements to civil liberties, privacy and security, and an ‘open-day’ style approach could have benefits both ways.  For example, it could serve to reassure the public and at least let them feel that their views and concerns will be listened to, while at the same time giving policy-makers an opportunity to gauge public opinion and gather information that could help guide their strategy and communications.

It is good news that manufacturers are setting themselves minimum security standards for their CCTV systems as part of “secure by default”, as this could have knock-on positive effects in protecting our personal data.

Samsung’s Advice To Virus-Check TVs Causes Customer Concern

Samsung’s recent release of a how-to virus check video coupled with the advice to complete the check “every few weeks” has caused confusion and concern among customers.

Video

At the heart of Samsung’s virus-checking information release was a 19-second video guide that Samsung said had been posted simply to educate and inform customers. The video guide, which was watched more than 200,000 times, was presented to customers via a tweet which, it is reported, has since been deleted.

The video showed Samsung TV owners how to access the sub-menu and go to the System Manager to conduct their own “Smart Security Scan”.

Although this feature is already built into Samsung TVs, the tweeted video advised customers to carry out the scan themselves every few weeks to prevent malicious software attacks, and it was this advice that caused concern that there were known attack attempts or that their QLED TVs were vulnerable in some way.

Misunderstanding

Samsung has since been reported as saying that the video was simply for information and was a proactive way to remind and educate customers that the feature existed and how to operate it as a preventative measure, and that the video was not sent as a reaction to a specific current threat.

What Are The Risks?

A smart TV is essentially an IoT device, and as such, faces similar potential risks to other IoT devices, although Samsung TVs don’t appear to be at any more risk than other devices.  In fact, back in 2017, after claims that many zero-day vulnerabilities had been found in Samsung’s smart TV operating system, the company reminded users that its TVs already contained features that allowed them to detect malicious code at platform and application levels.

That said, Samsung’s Smart TVs are likely to have a built-in microphone, an Internet connection with streaming apps, and customers may enter credit card details for buying on-demand video content. All this means that potential privacy and security risks exist.

What Does This Mean For Your Business?

It appears that security and privacy are very sensitive subjects for consumers and that an attempt to remind customers about a security feature ended up highlighting one of the risks of owning a smart TV, leading to concern and an unnecessary PR gaffe.

In the light of the tweet and video, some security commentators have criticised Samsung for making security checks the responsibility of the customer rather than the company sending out automatic security updates.  Also, the company may be expecting too much of some of its customers to ask them to delve into the perhaps complicated sub-menu to find the virus scan feature, and to do so on a regular basis.

ICO’s Own Website Fails GDPR Compliance Test

Irony and embarrassment are the order of the day as the Information Commissioner’s Office, which is responsible for ensuring GDPR compliance in the websites of businesses and organisations, has been forced to admit that its own website is not GDPR compliant.

Cookie Consent Notice

The problem, as pointed out to the ICO by Adam Rose, a lawyer at Mishcon de Reya, is that the ICO’s website currently uses implied consent to place cookies on mobile devices, which is prohibited under the Electronic Communications Regulations (PECR) 2003.  These Regulations operate alongside GDPR, and as highlighted on the ICO’s own website, consent needs to be clearly given for cookies (e.g. by a tick box) and where they are set, the website needs to give users, mobile or otherwise, a clear explanation of what the cookies do and why.

Article 6

It has been reported that Mr Rose argued that the ICO’s own website’s cookie consent tools were at odds with Article 6 of PECR.

ICO’s Own Guide

For example, in the ICO’s own online guide, in terms of getting marketing consent, it states that “some form of very clear positive action” is needed, “for example, ticking a box, clicking an icon, or sending an email – and the person must fully understand that they are giving you consent”.

Cookies Admission

Under “Cookies” in the guide, and in admission of not being fully compliant itself at the moment, the ICO now states that “We use a cookies tool on our website which relies on implied consent of users.  In recognition of the fact that the implementation date for the revised e-Privacy Regulation remains unknown, we are taking reasonable steps now to align our use of cookies the standard of consent required by GDPR.  This means that we are in the process of updating the tool (Civic Cookie Tool) which, by default, requires explicit opt-in action by users of our website.”

This means that the ICO has yet to upgrade to the version of the Civic Cookie Tool which includes explicit opt-in, and therefore, the ICO isn’t currently compliant with the laws that it is supposed to help implement and uphold.

Why?

Even though the ICO announced back in May last year that it would be upgrading to the new version of the Civic Cookie Tool, this has not yet happened. This appears to indicate a possible failure on the ICO’s part in the planning and implementation aspects of this particular tool on its website.

Also, as some tech and security commentators have pointed out, there is still a lack of clear legal rules on cookie compliance, and this has even led to confusion on some points among data protection experts.

It could also be argued that a lack of regulatory enforcement against cookie compliance breaches may mean that most website operators can still put consent rules to the bottom of the list of business priorities with no fear of consequence.  It’s also unclear if the regulator would or would not be able to carry out some kind of enforcement of the law against itself.

What Does This Mean For Your Business?

Many businesses may be thinking that, aside from the obvious irony of the regulator not being totally compliant, what hope do the rest of us have of getting it right if the ICO can’t?

This story could also act as a reminder to businesses that consent is a complicated area in data protection, and that it may be worth revisiting what cookie consent tools are in place on their websites and whether they are up to date and compliant.  For example, as the ICO has discovered, if you’re responsible for implementing the updated version of tools relating to your GDPR compliance, the planning and implementation needs to be managed in order to avoid unwittingly leaving the organisation open to possible infringements of current regulations.

Facial Recognition Glasses For Covert Surveillance

The “iFalcon Face Control” AR glasses, which incorporate an 8-megapixel camera in the frame and NNTC facial recognition technology and are due to go on sale next year, are reported to have already been deployed into several security operations.

US / Dubai Manufactured

The facial recognition-enabled smart glasses are made by American company Vuzix and use facial recognition algorithms from Dubai-based company NNTC.  It has been reported that the NNTC facial recognition algorithms rank in the top three for accuracy in the US government’s Face Recognition Vendor Test and can detect up to 15 faces per frame per second, thereby enabling them to identify a specific individual in less than a second.

To date, only 50 pairs of the facial recognition-enabled glasses have been produced, all of which have been sold to security and law enforcement and are, according to NNTC, being used as part of security operations in the United Arab Emirates capital Abu Dhabi.

The iFalcon Glasses Won’t Need An Internet Connection

The iFalcon Face Control glasses that are due to go on sale next year will come with a portable base station.  This will mean that they will have a portable connection to a stored database of targets, thereby giving the user greater mobility as they won’t need an Internet connection for the software to function.

Similar Used In China

Facial recognition glasses were used by police forces in China last year in order to keep blacklisted people, e.g. certain journalists, political dissidents, and human rights activists, away from the annual gathering of China’s National People’s Congress.

Other Deployments

Known use of facial recognition for law enforcement already happens in the US through its incorporation with body cameras and CCTV cameras, and in the UK it has been used in deliberately overt trials and deployments e.g. a two-day trial in Romford, London by the Metropolitan Police in December 2018 using vehicle-mounted cameras, at the Champions League final at the Millennium Stadium in Cardiff 2017, and at the Notting Hill Carnival in 2016 and 2017.

Criticism and Problems

The use of facial recognition technology at events and trials in the UK has, however, come under fire over several issues including poor levels of accuracy, a lack of transparency in how it is used, the possible infringement of privacy and data security rights e.g. what happens to images, and value for money in terms of deployment costs versus arrests.

This led to ICO head Elizabeth Denham launching a formal investigation into how police forces use facial recognition technology (FRT) in the UK.

Data security and privacy are such thorny subjects for agencies, organisations and businesses alike that even though using facial recognition to help organise photos has been a standard feature across the social media industry, Microsoft is now issuing an update to its Windows 10 Photos app that prompts users to perform the almost impossible task of confirming that all appropriate consents from the people in the user’s photos and videos have been obtained in order to use facial recognition to find photos of friends and loved ones.  This move shifts the burden of responsibility away from Microsoft to the user.

What Does This Mean For Your Business?

The covert and mobile nature of these new glasses not only seems to be somewhat dystopian and ‘big brother’ but could, in theory, provide a way for users to simply get around existing data protection and privacy laws e.g. GDPR.

As a society, we are, to an extent, used to being under surveillance by CCTV systems, which most people recognise as having real value in helping to deter criminal activity, locate and catch perpetrators, and provide evidence for arrests and trials. The covert use of facial recognition glasses is, however, another step further on from this and from the deliberately overt and public trials of facial recognition in the UK to date.  As such, to be used in the UK, it will require faith to be put in the authorities that it is used responsibly, that its accuracy is proven, and that rights groups are able to access facts, figures, and information about the technology, where and how it is used, and the results.  Presumably, the ICO may also have questions about the use of such glasses.

If there is no public transparency about their use, this could also result in suspicion, campaigning against their use and a possible backlash.

Criminal Secrets Of The Dark Net Revealed

Recent Surrey University research, ‘Web Of Profit’, commissioned by virtualisation-based security firm Bromium, has shown that cyber-criminals are moving to their own invisible Internet on the so-called ‘dark net’ to allow them to communicate and trade beyond the view of the authorities.

What Is The Dark Net?

The dark net describes parts of the Internet which are closed to public view or hidden networks and are associated with the encrypted part of the Internet called the ‘Tor’ network where illicit trading takes place.  The dark net is not accessible to search engines and requires special software installed or network configurations made to access it e.g. Tor, which can be accessed via a customised browser from Vidalia.

Deeper

Infiltration and closing down of some of the dark net marketplaces by the authorities are now believed to have led to cyber-criminals moving to a more secure, invisible part of the dark net in order to continue communicating and trading.

How?

Much of the communication about possible targets and tactics between cyber-criminals now takes place on secure apps, forums and chatrooms.  For example, cyber-criminals communicate using the encrypted app ‘Telegram’ because it offers security, anonymity, and encrypted channels for the sale of prohibited goods.

Diverse Dark Net Marketplace

Posing as customers and getting first-hand information from hackers about the costs of a range of cyber-attacks, the researchers were able to obtain shocking details such as:

  • Access to corporate networks is being sold openly, with 60% of the sellers offering access to more than 10 business networks at a time. Prices for remote logins for corporate networks ranged from only £1.50-£24, and targeted attacks on companies were offered at a price of £3,500.
  • Phishing kits are available for as little as $40, as are fake Amazon receipts and invoices for $52.
  • Targeted attacks on individuals can be purchased for $2,000, and even espionage and insider trading are up for sale from $1,000 to $15,000.

Corporations Targeted

One thing that was very clear from the research is that cyber-criminals are very much focusing on corporations as targets with listings for attacks on enterprises having grown by 20% since 2016. The kinds of things being sold include credentials for accessing business email accounts.

Specific Industries

The research also showed that cyber-criminals are moving away from commodity malware and now prefer to tailor tools such as bespoke versions of malware as a way of targeting specific industries or organisations.  For example, the researchers found that 40% of their attempts to request dark net hacking services targeting companies in the Fortune 500 or FTSE 100 received positive responses from sellers, and that the services on offer even come with service plans for conducting the hack, and price tags ranging from $150 to $10,000, depending on the company to be targeted.

The industries that are most frequently targeted using malware tools that are being traded on the dark net include banking (34%), e-commerce (20%), healthcare (15%) and even education (12%).

Researchers also uncovered evidence that vendors are now acting on behalf of clients to hack organisations, obtain IP and trade secrets and disrupt operations.

What Does This Mean For Your Business?

The dark net is not new, but some commentators believe that the heavy-handed nature of some of the police work to catch criminals on the dark net is responsible for pushing criminal communication and trading activity further underground into their own invisible areas.  End-to-end encrypted communications tools such as Telegram mean that cyber-criminals can carry on communicating beyond the reach of the authorities.

The research should show businesses that there is now real cause for concern about the sensitive, informed and finely tuned approach that cyber-criminals are taking in their targeting of organisations, right from the biggest companies down to SMEs.  This should be a reminder that cyber-security should be given priority, especially when it comes to defending against phishing campaigns, which are one of the most successful ways that criminals gain access to company networks.

Law enforcement agencies also need to do more now to infiltrate, gather intelligence, and try to deter and stop the use of different forums, channels and other areas of the dark net in order to at least prevent some of the more open trading of hacking services and tools.

Mastercard’s AI-Based Digital Wellness Could Make Online Purchasing Easier and Safer

Mastercard has announced the introduction of its Digital Wellness program which utilises AI-based click-to-pay technology and new standards in order to provide an easier and safer online shopping experience.

The Program

The Mastercard Digital Wellness program provides tips and resources that are designed to help businesses (especially small and independent businesses) protect themselves from cyber-attacks and data breaches. The program includes Secure Remote Commerce, Mastercard’s Cyber Readiness Institute (a collective of business leaders), and The Global Cyber Alliance which provides SMBs with free cyber-security tools.

New Click-To-Pay Checkout System

Coming out of the Digital Wellness Program is Mastercard’s new click-to-pay checkout system which is enabled by Mastercard’s deployment of EMVCo’s (Europay, Mastercard, Visa) specification. The standards that make up EMVCo’s specification provide a foundation that enables the processing of e-commerce transactions in a consistent, streamlined fashion over a variety of digital channels and devices, including smartphones, tablets, PCs and other connected devices.

This means that the click-to-pay checkout system can be used for all kinds of online shopping, across multiple devices, and across cards, and can replace old key-entry checkout systems.

Tokenization and NuData

The click-to-pay checkout system incorporates tokenization and NuData, which represent Mastercard’s AI and machine learning tech. NuData can prevent fraud by (for example) monitoring website traffic changes, analysing changes in browsers and web surfing speeds, and verifying all the user data that makes a user unique (such as an individual’s scroll speed on their device).

The inclusion of AI technology means greater security and no need for customers to enter passwords when they pay.

The Advantages

The key advantages of the click-to-pay checkout system from the Digital Wellness Program are that:

  • Because of the added security, it tackles the unease that customers feel when it comes to paying for things online.
  • It’s fast and easy – the instant click-to-pay with no need for passwords tackles the reluctance of online shoppers to create a new user account.
  • Merchants who adopt the system have a system from a known and trusted provider that could give them a better chance of preventing fraud.

These factors mean that the system could make customers more likely to feel comfortable shopping for things on smaller websites or with unknown retailers.

What Does This Mean For Your Business?

For Mastercard, this is a way of selling its services to the huge market of smaller and independent businesses.

For merchants, it’s a way to leverage the latest AI tech to protect themselves and their customers from fraud, and to tackle well-known barriers to purchases from smaller retailers online i.e. customers’ worries about security and their unwillingness to take the time to set up a new user account when they want to buy something.

For customers, the system should provide a safe and fast purchasing experience which can only reflect well on the merchant.  It remains to be seen, however, how many merchants take up the new system and what the cost versus benefit implications will be.

Premium, Paid For Version Of Mozilla’s Firefox Planned

It has been reported that Mozilla will be introducing a (paid for) premium subscription-based Firefox service this October to run alongside the free, open-source Firefox browser.

Why?

Mozilla’s share of the (free) browser market has been squeezed by some heavy competition from Google’s Chrome browser and although the Firefox browser is present on many computers and is used to sell people services, it isn’t actually making Mozilla any money.  Also, Mozilla relies heavily on revenue that it receives from search companies that pay to be featured in the Firefox browser, with much of that money coming from its competitor Google. Mozilla, therefore, is looking to diversify and find a way to build its own additional independent revenue stream from the bundling of value-adding services that it already has.

What?

Reports indicate that the new paid for bundled service could include:

  • VPN bandwidth that exceeds what’s available (free) via Mozilla’s ProtonMail VPN partnership i.e. giving paying customers of its new service access to premium-level VPN bandwidth.
  • An as-yet unspecified allotment of secure cloud storage.

Other possible parts of the bundled subscription service could include (although this has not been confirmed):

  • Mozilla’s free file transfer service “Firefox Send”.
  • Mozilla’s password manager “Lockwise”.
  • Firefox Monitor, Mozilla’s service, similar to HaveIBeenPwned.com, which allows you to check whether your personal information has been compromised by any of the numerous data breaches.
  • The “Pocket” application, also known as “Read It Later” which helps with managing a reading list of articles from the Internet by letting you save web pages and videos to Pocket in just one click. Mozilla acquired this service in 2017, and it already has a Premium version available for $45 per year.
  • Tools from ‘Scroll’ (a start-up working with Mozilla) that could result in users of the new premium service getting access to certain news sites.

How Much?

Current reports indicate that the premium Firefox service could cost users around the $10 per month mark.

Still Free Firefox

Mozilla has announced that it won’t charge for existing Firefox features as part of its shift to offering subscription services and that the free Firefox browser will continue to run as normal.

What Does This Mean For Your Business?

For Mozilla, this offers a way to diversify and generate a stream of revenue that isn’t connected to Google and monetises the synergies that it can get from a bundle of some of the products and services that it already owns. It’s also another way to compete in a tough browser market where there is one very strong and dominant market leader that already monetises popular advertising services that display across other browsers and platforms.

For users, access to premium-level VPN bandwidth and secure cloud storage from a known and trusted brand may justify a monthly subscription, particularly with some of the other value-adding services that could be bundled in and may not have been tried by businesses to date.