Contactless Challenge Revisited: Final Thoughts

The Gemalto Contactless Challenge kicked off in the United States June 10th, with two bloggers from Austin, Texas and Salt Lake City, Utah, respectively, putting contactless payment infrastructure to the test.

The Isis Consortium of AT&T, T-Mobile and Verizon Wireless chose Austin and Salt Lake City to pilot its mobile wallet using near field communication (NFC) technology because both cities are innovative and tech savvy and have systems in place that accept NFC.

The Contactless Challenge was designed to show how anyone with basic tech skills can ditch his or her leather wallet and use a so-called digital wallet. One blogger used an Android phone that had NFC built in. But, like me, he owns an iPhone 5, which does not support NFC. My understanding is that there are plans to produce a snap-on case that supports the capabilities and features required to make NFC work on the iPhone—which would be essential for Contactless to work, as iPhones are almost 50 percent market share.

During the Challenge, one of the challenges was that contactless payments weren’t offered, or the payments failed at the point of sale, which frankly is a bit disappointing. As a society we are stuck on card technology, and the major card issuers haven’t really made it a priority to require merchants to accept contactless payments just yet. It will happen eventually; I just want it NOW!

As Josh Kerr, one of the bloggers in the Challenge, points out: “This technology is ready for mainstream. In fact, the only real thing holding it back is that not all merchants accept it. I see that changing over time as merchants upgrade their credit card terminals to ones that support wireless forms of payment. This will happen automatically, but it could take a while before it is ubiquitous.”

Agreed, Josh, agreed!

Robert Siciliano, is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! . Disclosures

Getting Cybersmart and Staying Dutifully Employed

Knowing what I know today, if a 15-year-old asked me what she should be when she grows up, I’d say cybersecurity professional. The unfortunate fact is that bad guys are everywhere—and if you are in the security industry, bad guys are good for business.

There are many ways and resources for people, especially young adults, to become cybersmart. It’s more than a trend; it’s an up-and-coming career area. USA Today reports, “For younger people, there are a growing number of cybereducational opportunities, starting even before the college level, which can make them particularly effective at thwarting cyberattacks and may spark their desire to pursue cybersecurity careers.”

Resources to become a cybersecurity professional.

CyberPatriot: This is the premier national high school cyberdefense competition. It was created by the Air Force Association to inspire high school students toward careers in cybersecurity or other science, technology, engineering and mathematics (STEM) disciplines critical to our nation’s future.

Maryland Cybersecurity Center (MC2): By targeting students as early as middle and high school, MC2 is stimulating early interest in the field of cybersecurity, providing students with the knowledge and preparation they need to be successful in their future post-secondary studies and eventual careers.

Center for Cybersecurity Education at the University of Dallas: This educational program has been designated by the National Security Agency (NSA) and Department of Homeland Security (DHS) as a National Center of Academic Excellence in Information Assurance.

Champlain College: This Vermont college provides a foundation for understanding how computers and networks communicate securely. It also builds on that foundation with courses designed to help students understand the nature and impact of cyberthreats, as well as how to prevent them.

Bellevue University Center for Cybersecurity: This Nebraska college’s center brings together the best cybersecurity education programs with highly qualified faculty who possess the kind of real-world experiences.

So do you have what it takes to be a chief security officer (CSO)? I believe CSOs are the future of technology, because without them, bad guys will take over technology and we will devolve into chaos.

Robert Siciliano, is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! . Disclosures

Making a Case for Mobile Payment

Mobile payment can transform your shopping experience, making it more convenient and easy—and it’s secure, too!

Forbes reports, “Shopping has become very impersonal. Few people have a relationship with a salesperson who knows their style and preferences and can direct them to the right items at the right prices as soon as they walk in the door. But wouldn’t that be nice? Preferable, certainly, to wandering cavernous stores, fending off pushy salespeople who don’t even bother to learn our names, much less our favorite colors and fabrics.”

Mobile payment will mean much more one-to-one marketing—meaning specific deals and promos could be specially targeted to individual consumers based on their buying habits. Sooner rather than later, based on the information on a mobile phone app that consumers carry while shopping, they will be “recognized” as being in the store and recommendations, discounts, coupons—all in the form of specific customized offers—will pop up.

And mobile is secure, too. There are various mobile payment delivery options. Near field communication is a contactless delivery system that involves a chip that is either built into the phone itself, into a card within the phone, or a sticker attached to the phone. There are also new applications that facilitate mobile payments, most of which involve a barcode that the user scans at a store register.

As you increasingly use your phone for mobile payments, be aware that the phone correspondingly increases in value to thieves and hackers. So keep track of your cell phone. You wouldn’t leave your wallet on a bar and walk away, and you shouldn’t do that with your phone, either. And be cautious when visiting websites on your phone’s browser, clicking on links or responding to text messages.

So how do I conduct safe mobile payments?

  • Pay attention to your credit card statements to check that you are paying for what you actually purchased.
  • Only download mobile payment applications from a reputable app store. Check user reviews of the app and make sure to read the app’s privacy policy regarding what data of yours it is accessing and sharing.
  • Don’t conduct any mobile transactions over an unsecured WiFi connection. It’s much more secure to use your mobile data network.
  • Keep your mobile software current. This includes installing the latest updates for your operating system, mobile browser and mobile security software.

Robert Siciliano, is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! . Disclosures

5 No-brainers for Keeping Your Email Safe

It’s time to face the fact that for most of us, email is the single most important digital asset we own: more than anything else, it is our digital DNA. To some degree, email is connected to every online account we have; it contains the username, password reset, and an archive of most of our digital doings. It’s been said that if a criminal owns a person’s email, he owns the person.

With more and more people keeping tabs on their financial statements, contact information and other sensitive data via email, it’s time to double-check your email habits to see if you’re putting yourself at risk.

#1 Never use public PCs. A public computer can be likened to a public toilet. You don’t really know who’s used it before you and you don’t know what kind of virus you can catch from it. PCs in libraries, hotel business centers or internet cafés can easily have keyloggers or keycatchers installed that can steal your usernames and passwords. Checking email on an unsecured computer that you don’t have any control over is risky and, frankly, irresponsible.

#2 Use a VPN over wireless. Wireless was born to be convenient, not secure. Sniffers can read wireless communications over free public WiFi and get usernames and passwords. Always use a wireless VPN, such as Hotspot Shield, that encrypts your wireless access.

#3 Log out of your device when not in use. Staying logged in 24/7/365 is risky. Anyone that has access to your computer or mobile device at home or work can own your email. Contractors, cleaners, vendors, burglars and even a spouse can put you at risk.

#4 Delete phishing emails. Any emails you receive that request you to click links to updating accounts, shipped packages, problems with accounts or for special offers are suspect. Phishing leads to keyloggers or compromised username/passwords. If these emails end up in your spam folder, leave them there.

#5 Never click links. I only click links in emails when it’s a “confirmation” email from signing into a new account or when I’m communicating with a friend, family member, colleague or known contact who then sends me a link. Otherwise, I never click links in emails, including in online statements. I always use my favorites menu or a password manager to get where I need to go.

Robert Siciliano, is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! . Disclosures

Digital Security Improves Our Lives

Our lives depend on the convenience of digital and require the security behind the scenes. Take contactless payment for example. Contactless payments are a faster, more convenient alternative to cash when making small purchases at fast food restaurants, convenience stores, and transport terminals. They are also ideal for remote or unattended payment situations, such as vending machines, road tolls, or parking meters.

These transactions are protected by multiple layers of security, which protect both retailers and consumers.

Some of these security features are incorporated within a card’s microprocessor chip, while others are part of the same networks that protect traditional credit and debit card transactions.

Think about how much more “digital” our lives have become. Digital assets include: entertainment files (e.g., music downloads), personal memories (e.g., photographs), personal communications (e.g., emails), personal records (e.g., health, financial, insurance) and career information (e.g., resumes, portfolios, cover letters, contacts), as well as any creative projects or hobbies involving digital files.

Every bit of this adds up to “more and better.” By this, I offer an example. I have a seven-year-old daughter who has evolved into a smarter, more well-rounded and aware child than I ever was. And, with the comfort of digital security, the technology that we expose her to makes much of that possible.

And this exposure is ubiquitous. While many people protect their PCs and digital assets from malware by installing antivirus software, they leave the doors open to criminals when it comes to smartphones, tablets and Macs, however. Bad guys are now targeting these devices, as their users’ complacency has made breaking into these devices the path of least resistance. Now more than ever, a multi-device security strategy is necessary.

But don’t fret. Enjoy your technology, be smart about it and make sure to exercise your security muscles.

Robert Siciliano, is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! . Disclosures

What Does it Mean to Have a Connected Home?

The internet-connected TV, PC, mobile and tablet are all connected to the home in ways like never before. All of these appliances are talking to one another in various ways. For example, many of us share media, display photos on various devices, or use different devices remotely for home security, HVAC control, access control, and on/off administration of various devices.

My own home is connected in various ways. Using my iPhone or any computer, I can access a cloud-based server that allows me to watch live footage from each of the 16 cameras I have installed in and around my property. The cameras also begin recording automatically whenever motion is detected, and that footage is stored in the cloud and available to me anywhere, anytime. It’s amazing how often I access these cameras when I’m on the road.

With home automation, I can use the cloud to remotely switch lights on and off and adjust the temperature control system. I also get alerts in the event of an intrusion or even a broken water pipe!

Another great example is the “Nest” thermostat and corresponding app. Control your home’s temperature from your iPhone, iPad, or iPod touch with the Nest Mobile app. Last-minute trip? Change the temperature from the ski slopes. Coming home early to a cold house? Turn up the heat on your way. The Nest Mobile app allows you to adjust your Nest Learning Thermostat from anywhere. Having a cloud-based, internet-connected home certainly provides an excellent layer of comfort, not to mention peace of mind.

Robert Siciliano, is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! . Disclosures

Security Benefits of EMV for Consumers

Major banks and retailers are now pushing very hard to make EMV the new standard in the United States. Visa announced plans “to accelerate the migration to contact chip and contactless EMV chip technology in the U.S. The adoption of dual-interface chip technology will help prepare the U.S. payment infrastructure for the arrival of Near Field Communication (NFC)-based mobile payments by building the necessary infrastructure to accept and process chip transactions.”

EMV, which stands for Europay, MasterCard and Visa, refers to the chip-and-PIN credit card technology commonly used in Europe and elsewhere around the world. Credit cards that incorporate an embedded microprocessor chip are far more secure than any other form of credit card currently available, including the standard magnetic striped cards that are all too easy to skim at ATMs and point-of-sale terminals.

Gemalto reports, “As the U.S. continues its implementation of EMV chip cards, it’s lucky to be able to look to other countries that have adopted the technology for best practices, lessons learned and future benefits. As a Gemalto employee based in the U.S., I’ve been eagerly watching to see how our neighbor to the north, Canada, is benefiting from their EMV chip implementation, which started in earnest in 2007.”

“EMV” refers to Europay, MasterCard, and Visa, three financial service corporations that collaborated to establish a global standard for secure, reliable, and consistent credit and debit card transactions. These cards are also called “chip and PIN” cards because they incorporate an embedded microprocessor chip and require a personal identification number for authentication.

JPMorgan Chase began issuing cards with embedded microprocessor chips last year in response to requests from cardholders who are frequent international travelers. And more major card issuers have followed suit by incorporating EMV technology. American Express has announced plans to release chip-based cards in the United States, as part of a “roadmap to advance EMV chip-based contact, contactless and mobile payment for all merchants, processors, and issuers.”Not surprisingly, as the rest of the world has migrated to EMV chip technology, some fraud has shifted over to the United States because of the ease with which fraudsters can duplicate magnetic stripe cards. As a result, the U.S. has carried a disproportionate percentage of global fraud losses—until now. Through our adoption of EMV chips, we’re anticipating a reduction in fraud loss like in Canada, the UK and the 80 other countries in various phases of migration.

Robert Siciliano, is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! . Disclosures

I’ll Have an App with That

Cash may be king—but not if you like free coffee and sandwiches from Starbucks. Today, if you want rewards, points, discounts or anything free, mobile payment is the way to go. My dad is a perfect example of how and why this is. Here’s a guy who held out on using a smartphone until 2013. For years, he’d pay cash for his Starbucks coffee and religiously hand over his card to the barista for another credit toward that next free cup. Then, the baristas started to veer to clients to using their Starbucks app, with promises of more discounts and free stuff. My dad got his first iPhone 5 and wonders how he survived without it. Once he downloaded his first mobile payment app, he realized how much “free” he was missing out on.

USA Today reports:

Starbucks is producing more than three million mobile payments per week. That, says [Starbucks CEO] Schultz, exceeds the combined mobile payments of the next 10 companies closest to Starbucks. “This will result in a much deeper experience with our customers,” he says.”

That experience IS people like my dad, who plans his trip to Starbucks to get free stuff.

For consumers, that will mean much more one-to-one marketing, says Schultz. That is, specific deals and promos could be specially targeted to individual consumers based on their buying habits. Sooner than later, Schultz projects, regular customers might not even have to belly-up to the bar to order. Rather, based on the information on a mobile phone app that they’re carrying, they could be “recognized” as being in the store—and baristas will have the option to start preparing their usual favorites, without them ever having to actually order.

Starbucks has cracked the code in the evolving mobile payment market, and others are quickly joining in. Head to your favorite app store and search for “mobile payment,” or see what your favorite e-tailer or retailer has to offer.

Robert Siciliano, is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! . Disclosures

Why Your Employer Needs Social in the Workplace

Social media is the fifth form of mainstream media. It encompasses all media, making it the king of all media. At this point, most people know how to use social media and how to navigate the various websites. But many employers are still on the fence.

Hootsuites’ CEO says, “The world’s top brands—like Pepsi, Virgin, NHL and American Express—[are] now embracing [social media] company-wide.”

MarketingDonut reports, “One of the simplest ways to convince your boss that social media is the future is [by] showing how much profit [the company] can make. Show how your competitors are using social content to attract potential clients, showing the strengths and weaknesses of their campaigns. Use your website analytics to monitor the flow of visitors to your website from Facebook, Twitter or organically, and how many convert to leads or sales.”

And social isn’t just for business-to-consumer communications. It’s also great for connecting employees too. SHRM reports, “Social networking platforms may allow organizations to improve communication and productivity by disseminating information among different groups of employees in a more efficient manner, resulting in increased productivity.”

As you are setting up social media as an effective tool, you must consider the security implications.

  • Implement policies. Without some type of policy in place to regulate employee access and guidelines for appropriate behavior, social media could be problematic. Teach employees effective use by providing training on proper use—including, especially, what not do, too.
  • Limit social networks. In my own research, I’ve found 300-400 operable social networks serving numerous uses from music to movies, from friending to fornicating. Some are more or less appropriate and others even less secure.
  • Train IT personnel. Effective policies begin from the top down. Those responsible for managing technology need to be fully up to speed.
  • Maintain updated security. Whether you’re using hardware or software, anti-virus or critical security patches, make sure you are up to date.
  • Lock down settings. Most social networks have privacy settings that need to be administered to the highest level. Default settings generally leave the networks wide open for attack.
  • Register your company name and all your officers at every social media site. You can do this manually or by using a very cost-effective service called Knowem.com.

Robert Siciliano, is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! . Disclosures

4 Completely Different Ways to Share Photos

Back when dinosaurs roamed the earth, people took pictures of the Tyrannosaurus Rex with film-based cameras that required them to drop their pics off at a Fotomat for processing. Then, instant pics in the form of Polaroid cameras came along and the term “instant gratification” was born. Today, most of us snap pics on phones because cameras are just another device that we don’t want to carry.

Now, documenting a person’s day, week, month, year, vacation or any event consists of hundreds if not thousands of photos because digital is easy and free. So what’s the best way to share all your pics in a fun, friendly and secure way? Well, that all depends on your lifestyle.

  • Facebook: When taking pics from your phone, you can easily upload and instantly share your images with your connections. The beauty of Facebook photos is that all 3,000 of your friends can enjoy them and comment on them. Using your PC is even easier when you are uploading entire albums. The bad thing is, once you upload to Facebook, you can’t expect the photos to ever be private. Even though you might lock down your privacy settings so only your friends can see them, it’s still very possible that your pics can be leaked.
  • Flickr: Flickr is a photo sharing site that you can always have in your back pocket via apps for iPhone, Windows 7, Android and more. Or use m.flickr.com from any mobile device to upload and share photos on the go. Share photos only with the people you want to with Flickr’s easy privacy settings. Flickr’s backed storage system makes sure you never lose another photo again.
  • Instagram: Share your photos in a simple photo stream with friends to see – and follow your friends’ photos with the click of a single button. Every day you open up Instagram, you’ll see new photos from your closest friends, and creative people from around the world. Share to Facebook, Twitter, and Tumblr too – it’s as easy as pie. It’s photo sharing, reinvented.
  • Dropbox: Most people don’t think of photo sharing when they think about Dropbox because Dropbox isn’t explicitly a photo sharing site. Dropbox is a free service that lets you bring together all your photos, docs and videos from anywhere. This means that any file you save to your Dropbox will automatically save to all your computers, phones and even the Dropbox website.

All of these sites require usernames and passwords for access. And like all web-based portals, I suggest a different password for each. If you install an application on your mobile, make sure your device is password protected. Another layer of protection (albeit inconvenient) is to set up these apps to require a password every time you access them.

Robert Siciliano, is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! . Disclosures