Timesdelhi.com

January 18, 2019
Category archive

spokesperson

Flutterwave and Visa launch African consumer payment service GetBarter


Fintech startup Flutterwave has partnered with Visa to launch a consumer payment product for Africa called GetBarter.

The app-based offering is aimed at facilitating personal and small merchant payments within countries and across Africa’s national borders. Existing Visa card holders can send and receive funds at home or internationally on GetBarter.

The product also lets non-card holders (those with accounts or mobile wallets on other platforms) create a virtual Visa card to link to the app. A Visa spokesperson confirmed the product partnership.

GetBarter allows Flutterwave—which has scaled as a payment gateway for big companies through its Rave product—to pivot to African consumers and traders.

“Rave is B2B, this is more B2B2C since we’re reaching the consumers of our customers,” Flutterwave CEO Olugbenga Agboola—aka GB—told TechCrunch.

The app also creates a network for clients on multiple financial platforms, such as Kenyan mobile money service M-Pesa, to make transfers across payment products, national borders, and to shop online.

“The target market is pretty much everyone who has a payment need in Africa. That includes the entire customer base of M-Pesa, the entire bank customer base in Nigeria, mobile money and bank customers in Ghana—pretty much the entire continent,” Agboola said.

Flutterwave and Visa will focus on building a GetBarter user base across mobile money and bank clients in Kenya, Ghana, and South Africa, with plans to grow across the continent and reach those off the financial grid.

“In phase one we’ll pursue those who are banked. In phase two we’ll continue toward those who are unbanked who will be able to use agents to work with GetBarter,” Agboola said.

Flutterwave and Visa will generate revenue through fees from financial institutions on cards created and on fees per transaction. A GetBarter charge for a payment in Nigeria is roughly 40 Naira, or 11 cents, according to Agboola.

With this week’s launch users can download the app for Apple and Android devices and for use on WhatsApp and USSD.

Founded in 2016, Flutterwave has positioned itself as a global B2B payments solutions platform for companies in Africa to pay other companies on the continent and abroad. It allows clients to tap its APIs and work with Flutterwave developers to customize payments applications. Existing customers include Uber, Facebook, Booking.com, and African e-commerce unicorn Jumia.com.

Flutterwave has processed 100 million transactions worth $2.6 billion since inception, according to company data.

The company has raised $20 million from investors including Greycroft, Green Visor Capital, Mastercard, and Visa.

In 2018, Flutterwave was one of several African fintech companies to announce significant VC investment and cross-border expansion—see Paga, Yoco, Cellulant, Mines.ie, and Jumo.

Flutterwave added operations in Uganda in June and raised a $10 million Series A round in October that saw former Visa CEO Joe Saunders join its board of directors.

The company also plugged into ledger activity in 2018, becoming a payment processing partner to the Ripple and Stellar blockchain networks.

Flutterwave hasn’t yet released revenue or profitability info, according to CEO Olugbenga Agboola.

Headquartered in San Francisco, with its largest operations center in Nigeria, the startup plans to add operations centers to South Africa and Cameroon, which will also become new markets for GetBarter.

News Source = techcrunch.com

Fortnite bugs put accounts at risk of takeover


With one click, any semi-skilled hacker could have silently taken over a Fortnite account, according to a cybersecurity firm that says the bug is now fixed.

Researchers at Check Point say the three vulnerabilities chained together could have affected any of Fortnite’s 200 million players. The flaws, if exploited, would have stolen the account access token set on the gamer’s device once they’ve entered their password.

Once stolen, that token could be used to impersonate the gamer and log in as if they were the account holder, without needing their password.

The researchers say that the flaw lies in how Epic Games, the maker of Fortnite, handles login requests. Researchers said they could send any user a crafted link that appears to come from Epic Games’ own domain and steal an access token needed to break into an account.

Check Point’s Oded Vanunu explains how the bug works. (Image: supplied)

“It’s important to remember that the URL is coming from an Epic Games domain, so it’s transparent to the user and any security filter will not suspect anything,” said Oded Vanunu, Check Point’s head of products vulnerability research, in an email to TechCrunch.

Here’s how it works: the user clicks on a link that points to an epicgames.com subdomain, into which the hacker has embedded a link to malicious code on their own server by exploiting a cross-site weakness in the subdomain. Once the malicious script loads, unbeknownst to the Fortnite player, it steals their account token and sends it back to the hacker.

“If the victim user is not logged into the game, he or she would have to login first,” said Vanunu. “Once that person is logged in, the account can be stolen.”

Epic Games has since fixed the vulnerability.

“We were made aware of the vulnerabilities and they were soon addressed,” said Nick Chester, a spokesperson for Epic Games. “We thank Check Point for bringing this to our attention.”

“As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others,” he said.

When asked, Epic Games would not say if user data or accounts were compromised as a result of this vulnerability.

News Source = techcrunch.com

Flaws in Amadeus’ airline booking system made it easy for hackers to change passenger records


You might not know Amadeus by name, but hundreds of millions of travelers use it each year.

Whether you’re traveling for work or vacation, most consumers book their flights through one of a handful of bespoke reservation systems used across the commercial aviation industry. Amadeus is one of the largest reservation systems, serving customers of Air France, British Airways, Icelandair, Qantas and more. And the reservation systems have to be able to talk to each other through the global distribution system backchannel.

Without these interconnected systems, most governments have no idea who’s coming and going.

Even in this day and age of passwords for everything and facial recognition at the departure gate, all that sits between you and someone rebooking a flight is a passenger’s surname and the booking reference on your ticket, known as the passenger name record — or PNR.

But these outdated and archaic passenger records systems needed to share travelers’ data internationally never considered security on the scale that’s needed today, and are woefully inadequate in keeping passenger records safe.

Israeli security researcher Noam Rotem knows all too well.

He found that any airline using Amadeus made it easy to edit and change someone’s reservation with just their booking reference number. No surname needed. In some cases, he didn’t even need to obtain someone’s booking number.

Rotem explained in a write-up, shared with TechCrunch before his public disclosure, that he could plug in anyone’s booking reference in a buggy web address on Israeli airline El Al’s website — in spite of being required to enter a surname on the website’s check-in page.

That not only lowers the bar for someone wanting to manipulate a person’s booking, such as changing seats and rerouting frequent miler numbers, said Rotem, but it’s also easy to obtain a person’s personal information, such as their phone number, and email and home addresses, from the airline.

How secure is the six-digit booking reference itself? History says that it’s still far too easy to obtain.

If your six-digit booking reference isn’t already on your boarding pass, ticket or luggage tag, you’ll still find it embedded in the barcode. That barcode, decrypted several years ago, can be easily read by most mobile barcode apps, making it easy for criminals to walk around the check-in area or departure lounge and scan a photo of your ticket when you’re not looking.

Worse, the average hacker wouldn’t have to leave their house. Dozens of people post their boarding passes — and their barcodes — to Twitter and Instagram every day, under the hashtags #boardingpass and #planetickets.

Some of the many boarding passes posted to Twitter and Instagram in a single day. (Image: TechCrunch)

But Rotem said that inherent weaknesses in how reservation systems generate passenger name record numbers in the first place made it easy to brute-force any Amadeus-linked airline website with a hacker’s own generated booking references.

Because Amadeus’ system didn’t limit how many requests could be processed at any given time, Rotem could run a script generating booking references at random, which he says were “simply guessed,” then plugging them into the vulnerable web address and waiting for a positive response to return. In some cases, the script found booking references attached to real customers. Because parts of each Amadeus-generated booking reference are sequential, it is easy to continue the attack on passengers with similar or the same surname. And, there were no rate limits, allowing the researcher to run as many requests each minute as he wanted, speeding up the process. (TechCrunch saw a short video of the script generating booking reference numbers, but didn’t verify any as logging in with someone else’s booking reference would be unlawful.)

A skilled attacker could, for example, use this technique to book their own flights or siphon off accumulated air miles. A bored hacker, however, could wreak havoc on any number of passengers’ credit cards.

In all, Amadeus’ website claims it supports more than 200 airlines. We were curious how far the vulnerability went.

Using cookie data collected from El Al, TechCrunch was able to find dozens of other affected airlines using data collected by RiskIQ, a cyber threat intelligence firm, which scours the web for information. “During RiskIQ’s crawls, our crawlers act like the browser they are instructed to emulate, which means they will maintain cookies and other site-specific metadata,” said Yonathan Klijnsma, a threat researcher at RiskIQ.

We reached out to several of the larger airlines believed to be affected by the vulnerability, but nobody from Air France, British Airways, Icelandair, and Qantas commented when reached prior to publication.

When reached, Amadeus confirmed it was alerted to an issue and took “immediate action,” said a spokesperson. “We are working closely with our customers and we regret any disruption this situation may have caused.”

“We work with our customers and partners in the industry to address PNR security overall. The airline industry relies on IATA standards that were introduced to improve efficiency and customer service on a global scale. Because the industry works on common industry standards, including the PNR, further improvements should include reviewing and changing some of the industry standards themselves, which requires industry collaboration,” the statement added. “At Amadeus, we give security the highest priority and are constantly monitoring and updating all of our products and systems.”

Rotem suggested bot protection mechanisms and limits to how many requests can be submitted during a certain period of time could prevent automated attacks in the future, but that the underlying problems remain. That isn’t likely to change without an industry-wide effort to change how reservations are made.
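One way to implement the per-period request limit Rotem suggests, shown as an added example (it is not code from Amadeus, any airline or the researcher). The class name, thresholds, client addresses and log entries are all assumptions constructed for illustration; the guard refuses a client that either exceeds a lookup budget or misses on several different booking references inside one time window.

```python
from collections import defaultdict, deque


class LookupGuard:
    """Sliding-window guard for a booking-reference lookup endpoint (hypothetical)."""

    def __init__(self, max_lookups=10, max_distinct_misses=3, window_s=60.0):
        self.max_lookups = max_lookups                  # total lookups per window
        self.max_distinct_misses = max_distinct_misses  # different unknown refs per window
        self.window_s = window_s
        self._events = defaultdict(deque)               # client -> (ts, ref, hit)

    def _expire(self, q, now):
        # Drop events that have aged out of the window.
        while q and now - q[0][0] >= self.window_s:
            q.popleft()

    def allow(self, client, now):
        """Return True if this client may perform another lookup at time `now`."""
        q = self._events[client]
        self._expire(q, now)
        if len(q) >= self.max_lookups:
            return False
        # A traveller mistyping one reference repeats the same value; a script
        # guessing references produces many different unknown values.
        missed = {ref for _, ref, hit in q if not hit}
        return len(missed) < self.max_distinct_misses

    def record(self, client, ref, hit, now):
        """Store the outcome of a lookup that was actually served."""
        self._events[client].append((now, ref, hit))


# Constructed sample traffic: (timestamp_s, client, booking_ref, reference_exists)
SAMPLE_LOG = [
    (0.0, "198.51.100.20", "QK7RTZ", True),   # traveller checks own booking
    (1.0, "203.0.113.7", "AAAAA1", False),    # scripted guesses begin
    (1.2, "203.0.113.7", "AAAAA2", False),
    (1.4, "203.0.113.7", "AAAAA3", False),
    (1.6, "203.0.113.7", "AAAAA4", False),
    (1.8, "203.0.113.7", "AAAAA5", True),     # a real booking, never reached
    (30.0, "198.51.100.20", "QK7RTZ", True),
    (90.0, "203.0.113.7", "AAAAA6", False),   # window has expired by now
]


def replay(log, guard):
    """Run log entries through the guard; return (served, refused) counts per client."""
    served, refused = defaultdict(int), defaultdict(int)
    for ts, client, ref, exists in log:
        if guard.allow(client, ts):
            guard.record(client, ref, exists, ts)
            served[client] += 1
        else:
            refused[client] += 1
    return dict(served), dict(refused)


if __name__ == "__main__":
    print(replay(SAMPLE_LOG, LookupGuard()))
```

Refused requests are not recorded, so a blocked client is served again once its earlier misses age out of the window; a deployment that wants longer lockouts would record refusals as well.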

In reality, we’re stuck with PNR for a while — and it’s a problem that’s not going away any time soon.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

News Source = techcrunch.com

Scooter startup Bird tried to silence a journalist. It did not go well.


Cory Doctorow doesn’t like censorship. He especially doesn’t like his own work being censored.

Anyone who knows Doctorow knows his popular tech and culture blog Boing Boing, and anyone who reads Boing Boing knows Doctorow and his cohort of bloggers. The part-blogger, part special advisor at the online rights group Electronic Frontier Foundation, has written for years on topics of technology, hacking, security research, online digital rights, and censorship and its intersection with free speech and expression.

Yet, this week it looked like his own free speech and expression could have been under threat.

Doctorow revealed in a blog post on Friday that scooter startup Bird sent him a legal threat, accusing him of copyright infringement and that his blog post encourages “illegal conduct.”

In its letter to Doctorow, Bird demanded that he “immediately take[s] down this offensive blog.”

Doctorow declined, published the legal threat, and fired back with a rebuttal letter from the EFF accusing the scooter startup of making “baseless legal threats” in an attempt to “suppress coverage that it dislikes.”

The whole debacle started after Doctorow wrote about how Bird’s many abandoned scooters can be easily converted into a “personal scooter” by swapping out its innards with a plug-and-play converter kit. Citing an initial write-up by Hackaday, these scooters can have “all recovery and payment components permanently disabled” using the converter kit, available for purchase from China on eBay for about $30.

In fact, Doctorow’s blog post was only two paragraphs long and, though it didn’t link to the eBay listing directly, did cite the hacker who wrote about it in the first place — bringing interesting things to the masses in bitesize form in true Boing Boing fashion.

Bird didn’t like this much, and senior counsel Linda Kwak sent the letter — which the EFF published today — claiming that Doctorow’s blog post was “promoting the sale/use of an illegal product that is solely designed to circumvent the copyright protections of Bird’s proprietary technology, as described in greater detail below, as well as promoting illegal activity in general by encouraging the vandalism and misappropriation of Bird property.” The letter also falsely stated that Doctorow’s blog post “provides links to a website where such Infringing Product may be purchased,” given that the post at no point links to the purchasable eBay converter kit.

EFF senior attorney Kit Walsh fired back. “Our client has no obligation to, and will not, comply with your request to remove the article,” she wrote. “Bird may not be pleased that the technology exists to modify the scooters that it deploys, but it should not make baseless legal threats to silence reporting on that technology.”

The three-page rebuttal says Bird used incorrectly cited legal statutes to substantiate its demands for Boing Boing to pull down the blog post. The letter added that unplugging and discarding a motherboard containing unwanted code within the scooter isn’t an act of circumventing as it doesn’t bypass or modify Bird’s code — which copyright law says is illegal.

As Doctorow himself put it in his blog post Friday: “If motherboard swaps were circumvention, then selling someone a screwdriver could be an offense punishable by a five year prison sentence and a $500,000 fine.”

In an email to TechCrunch, Doctorow said that legal threats “are no fun.”

AUSTIN, TX – MARCH 10: Journalist Cory Doctorow speaks onstage at “Snowden 2.0: A Field Report from the NSA Archives” during the 2014 SXSW Music, Film + Interactive Festival at Austin Convention Center on March 10, 2014 in Austin, Texas. (Photo by Travis P Ball/Getty Images for SXSW)

“We’re a small, shoestring operation, and even though this particular threat is one that we have very deep expertise on, it’s still chilling when a company with millions in the bank sends a threat — even a bogus one like this — to you,” he said.

The EFF’s response also said that Doctorow’s freedom of speech “does not in fact impinge on any of Bird’s rights,” adding that Bird should not send takedown notices to journalists using “meritless legal claims.”

“So, in a sense, it doesn’t matter whether Bird is right or wrong when it claims that it’s illegal to convert a Bird scooter to a personal scooter,” said Walsh in a separate blog post. “Either way, Boing Boing was free to report on it,” she added.

What’s bizarre is why Bird targeted Doctorow and, apparently, nobody else — so far.

TechCrunch reached out to several people who wrote about and were involved with blog posts and write-ups about the Bird converter kit. Of those who responded, all said that they had not received a legal demand from Bird.

We asked Bird why it sent the letter, and if this was a one-off letter or if Bird had sent similar legal demands to others. When reached, a Bird spokesperson did not comment on the record.

All too often, companies send legal threats and demands to try to silence work or findings that they find critical, often using misinterpreted, incorrect or vague legal statutes to get things pulled off from the internet. Some companies have been more successful than others, despite an increase in awareness and bug bounties, and a general willingness to fix security issues before they inevitably become public.

Now Bird becomes the latest in a long list of companies that have threatened reporters or security researchers, alongside companies like drone maker DJI, which in 2017 threatened a security researcher trying to report a bug in good faith, and spam operator River City, which sued a security researcher who found the spammer’s exposed servers and a reporter who wrote about it. Most recently, password manager maker Keeper sued a security reporter claiming allegedly defamatory remarks over a security flaw in one of its products. The case was eventually dropped but not before over 50 experts, advocates, and journalists (including this reporter) signed onto a letter calling for companies to stop using legal threats to stifle — and silence security researchers.

That effort led several companies, notably LinkedIn and Tesla, to double down on their protection of security researchers by changing their vulnerability disclosure rules to promise that the companies will not seek to prosecute hackers acting in good faith.

But some companies have bucked that trend and have taken a more hostile, aggressive — and regressive — approach to security researchers and reporters.

“Bird Scooters and other dockless transport are hugely controversial right now, thanks in large part to a ‘move-fast, break-things’ approach to regulation, and it’s not surprising that they would want to control the debate,” said Doctorow.

“But to my mind, this kind of bullying speaks volumes about the overall character of the company,” he said.

News Source = techcrunch.com

Facebook and PayPal pull pages of far right British activist filmed intimidating public figures


Facebook has confirmed it has removed the pages and profiles of a far right political activist in the UK after concerns were raised in parliament about aggressive intimidation of politicians and journalists trying to go about their business in and around Westminster.

PayPal has also closed an account that was being used to solicit donations for “political activism”.

The intimidation is being conducted by a small group of extreme Brexit supporters who have — ironically enough — lifted the ‘yellow vest’ dress code from French anti-government protestors, and are also making use of mainstream social media and crowdfunding platforms to fund and amplify attacks on public figures in an attempt to squash debate and drive an extreme ‘no deal’ Brexit. (Context: The clock is ticking down to March 29; the date when the UK is due to leave the European Union, with or without a withdrawal deal.)

In incidents widely shared on social media this week, individuals from the group were filmed live streaming harassment of Remain supporting Conservative MP Anna Soubry who was mobbed and shouted at as she walked down the street to return to parliament after being interviewed live on TV in front of the Palace of Westminster where the group heckled her with repeat chants of “nazi”.

Members of the same group were also filmed with fisted smartphones, chasing and hurling abuse at left-wing commentator Owen Jones as he walked down a London street.

In another video one of the individuals leading the verbal attacks, who has been identified in the press and online as a man called James Goddard, can be seen swearing viciously at Met Police officers and threatening to bring “war”.

The speaker of the House of Commons said today that he had written to the head of the Met Police to urge action against the “aggressive, threatening and intimidating behaviour towards MPs and journalists” around Westminster.

The Guardian reports that at least 115 MPs have written to police requesting extra protection.

Contacted today about Goddard’s presence on its platform, Facebook later confirmed to us that it had pulled the plug. “We have removed James Goddard’s Facebook Pages and Groups for violating our policies on hate speech,” a spokesperson told us. “We will not tolerate hate speech on Facebook which creates an environment of intimidation and which may provoke real-world violence.”

Earlier today one of his pages was still live on Facebook, and in a post from December 14 Goddard can be seen soliciting donations via PayPal so he can continue “confronting” people.

We also asked PayPal about Goddard’s use of its tools, pointing to the company’s terms of use which prohibit the use of the platform for promoting “hate, violence, racial and other forms of intolerance that is discriminatory”.

PayPal declined to comment on “any specific customer’s account”, citing its privacy policy but a spokesperson told us: “We do review accounts that have been flagged to us for possible breaches of our policies, and we will take action if appropriate.”

A few hours later PayPal also appeared to have pulled the plug on Goddard’s account.

A Patreon page he had seemingly been using to solicit donations for “political content, activism” is also now listed as ‘under review’ at the time of writing.

But Goddard remains on Twitter, where he is (currently) complaining about being de-platformed by Facebook and PayPal to his ~4k followers, and calling other people “fascists”.

How should mainstream tech platforms respond to people who use their tools for targeted harassment? If you read companies’ terms and conditions most prohibit abusive and intimidating conduct. Though in practice plenty flows until flagged and reviewed. (And even then takedowns frequently fail to follow.)

For all the claims from platforms that they’re getting better about enforcing their claimed community standards there are countless examples of continued and very abject failure.

Facebook’s 2.2BN+ users especially make for an awful lot of content to wrangle. But none of these platforms is renowned for being proactive about weeding out violent types of speech they claim to forbid. And when intimidation is dressed up as political speech, and public figures are involved, they appear especially paralyzed.

Social media-savvy Far Right groups grokked this loophole long ago (see: Gamergate for a rough start date); and are continuing to exploit default inaction to get on with the violent business of megaphoning hate in the meanwhile.

You could say platforms are being gamed but the money they make off of accelerated outrage makes them rather more complicit in the problem.

The irony is it’s free speech that suffers in such a thuggish and febrile atmosphere. Yet platforms remain complicit in its undoing; doing nothing to stop hate mongers turning hugely powerful high tech soapboxes into abuse funnels.

They do this by choosing to allow groups with fascist ideologies to operate freely until enough reports are filed and/or high level political attention frowns down on particular individuals that they’ll step in and act.

Facebook’s community standards claim it aims to prevent “real-world harm”. But with such a narrow prescription it’s failing spectacularly to prevent deliberate, malicious and co-ordinated harassment campaigns that are designed to sow social division and upend constructive conversation, replacing the hard won social convention of robust political debate with mindless jeering and threats. This is not progress.

There’s nothing healthy for society or speech if mainstream platforms sit on their hands while abusive users bludgeon, bully and bend public debate into a peculiarly intolerant shape.

But we’re still waiting for the tech giants to have that revelation. And in the meanwhile they’re happy to let you watch a live streamed glimpse of mob rule.

News Source = techcrunch.com
