Archive for Internet Security

Facial Recognition In The Classroom

A school in Hangzhou, capital of the eastern province of Zhejiang, is reportedly using facial recognition software to monitor pupils and teachers.

Intelligent Classroom Behaviour Management System

The facial recognition software is part of what has been dubbed The “intelligent classroom behaviour management system”. The reason for the use of the system is reported to be to supervise both the students’ learning, and the teachers’ teaching.

How?

The system uses cameras to scan classrooms every 30 seconds. These cameras are part of a facial recognition system that is reported to be able to record students’ facial expressions, and categorize them into happy, angry, fearful, confused, or upset.

The system, which acts as a kind of ‘virtual teaching assistant’, is also believed to be able to record students’ actions such as writing, reading, raising a hand, and even sleeping at a desk.

The system also measures levels of attendance by using a database of pupils’ faces and names to check who is in the classroom.

As well as providing the school with added value monitoring of pupils, it may also prove to be a motivator for pupils to modify their behaviour to suit the rules of the school and the expectations of staff.

Teachers Watched Too

In addition to monitoring pupils, the system has also been designed to monitor the performance of teachers in order to provide pointers on how they could improve their classroom technique.

Safety, Security and Privacy

One other reason why these systems are reported to be increasing in popularity in China is to provide greater safety for pupils by recording and deterring violence and questionable practices at Chinese kindergartens.

In terms of privacy and security, the vice principal of the Hangzhou No.11 High School is reported to have said that the privacy of students is protected because the technology doesn’t save images from the classroom, and stores data on a local server rather than on the cloud. Some critics have, however, said that storing images on a local server does not necessarily make them more secure.

Inaccurate?

If the experiences of the facial recognition software that has been used by UK police forces is anything to go by, there may be questions about the accuracy of what the Chinese system records. For example, an investigation by campaign group Big Brother Watch, the UK’s information Information Commissioner, Elizabeth Denham, has recently said that the Police could face legal action if concerns over accuracy and privacy with facial recognition systems are not addressed.

What Does This Mean For Your Business?

There are several important aspects to this story. Many UK businesses already use their own internal CCTV systems as a softer way of monitoring and recording staff behaviour, and as a way to modify their behaviour i.e. simply by knowing their being watched. Employees could argue that this is intrusive to an extent, and that a more positive way of getting the right kind of behaviour should (also) have a system that rewards positive / good behaviour and good results.

Using intelligent facial recognition software could clearly have a place in many businesses for monitoring customers / service users e.g. in shops and venues. It could be used to enhance security. It could also, as in the school example, be used to monitor staff in any number of situations, particularly those where concentration is required and where positive signals need to be displayed to customers. These systems could arguably increase productivity, improve behaviour and reduce hostility / violence in the workplace, and provide a whole new level of information to management that could be used to add value.

However, it could be argued that using these kinds of systems in the workplace could make people feel as though ‘big brother’ is watching them, could lead to underlying stress, and could have big implications where privacy and security rights are concerned. It remains to be seen how these systems are justified, regulated and deployed in future, and how concerns over accuracy, cost-effectiveness, and personal privacy and security are dealt with.

Data Breach Fine For UK University

The Information Commissioner (ICO) has imposed a fine of £120,000 on the University of Greenwich for a data breach that left the personal details of thousands of students exposed online.

What Happened?

The breach was discovered back in February 2016, but actually dates back to 2004 and concerns a microsite that was made for a training conference. In the incident that the University attributed to “unauthorised access to some data on the university’s systems”, the personal details of around 96,000 students were accidentally uploaded to the university’s website, as well as minutes from the university’s Faculty Research Degrees Committee. The microsite with the student details left on was not secured or closed down.

What was most shocking and distressing to many of those affected by the breach was the very personal nature of some of the data. For example, as well as the names, addresses, dates of birth, mobile phone numbers and even signatures of students, data concerning medical and other personal issues was also posted. Reports at the time indicated that in some cases, information concerning the mental health and other medical problems of some students were mentioned to explain why students had fallen behind with their work. Also, it was reported that comments about the students’ progress, and even emails between staff and students were revealed.

Made Without The University’s Knowledge

It has been reported that the main reason that the breach was not noticed earlier is that the training microsite was made by one of the University’s departments without the knowledge of the University, which is the data controller.

Fine

Bearing in mind the seriousness and nature of the breach, and the number of people affected, the ICO have imposed a fine of £120,000 or £96,000 for early payment. It is understood that the University will not appeal against the decision.

Changes Made

The ICO saw no need for enforcement action in this case because the University of Greenwich is reported to have made a number of changes to upgrade security. These changes include investing in new security architecture, tools and technologies, hiring new dedicated internal security experts, conducting vulnerability testing across the entire organisation every day, making information security training mandatory for all staff; reforming the system of internal IT governance, and developing a rapid incident response to tackle threats as they arise and learn from incidents.

What Does This Mean For Your Business?

Even though this incident dates back many years to a time when online security was given less priority by many businesses and organisations, it is an illustration of how things can easily slip through the net with regards to security, particularly in larger organisations and / or where full checks / audits are not carried out and where there is clear no clear line of responsibility for data matters e.g. data controllers and DPOs.

This story is particularly poignant because of the introduction of GDPR on Friday, and should be another reminder to companies that as well as the distress caused to victims of breaches, the ICO will take breaches seriously and can impose stiff penalties.

In this case, the University (which had also suffered another high profile data breach after this one) took the opportunity to seriously upgrade its security, and this will no doubt go a long way to making it GDPR compliant, as all businesses now need to be in order to retain the trust of customers, maintain supplier relationships, protect the business reputation, avoid fines, and deter and protect against attacks by cyber-criminals.

TalkTalk Super Router Security Fears Persist

An advisory notice from software and VR Company IndigoFuzz has highlighted the continued potential security risk posed by a vulnerability in the WPS feature in TalkTalk’s Super Router.

What Vulnerability?

According to IndigoFuzz, the WPS connection is insecure and the WPS pairing option is always turned on i.e. the WPS feature in the router is always switched on, even if the WPS pairing button is not used.

This could mean that an attacker within range could potentially hack into the router and steal the router’s Wi-Fi password.

Tested

It has been reported that in tests involving consenting parties, IndigoFuzz found a method of probing the router to steal the passwords to be successful on multiple TalkTalk Super Routers.

The test involved using a Windows-based computer, wireless network adapter, a TalkTalk router within wireless network adapter range, and the software ‘Dumpper’ available on Sourceforge. Using this method, the Wi-Fi access key to a network could be uncovered in a matter of seconds.

Scale

The ease with which the Wi-Fi access key could be obtained in the IndigoFuzz tests has prompted speculation that the vulnerability could be on a larger scale than was first thought, and a large number of TalkTalk routers could potentially be affected.

No Courtesy Period Before Announcement

When a vulnerability has been discovered and reported to a vendor, it is normal protocol to allow the vendor 30 days to address the problem before the vulnerability is announced publicly by those who have discovered / reported the vulnerability.

In this case, the vulnerability was first reported to TalkTalk back in 2014, so IndigoFuzz chose to issue the advisory as soon as possible.

Looks Bad After Last October

News that a vulnerability has remained unpatched after it was reported 4 years ago to TalkTalk looks bad on top of major cyber attack and security breach there back in October 2017. You may remember that the much publicised cyber-attack on the company resulted in an estimated loss of 101,000 customers (some have suggested that the number of lost customers was twice as much as this figure). The attack saw the personal details of between 155,000 and 157,000 customers (reports vary) hacked, with approximately 10% of these customers having their bank account number and sort code stolen.

The trading impact of the security breach in monetary terms was estimated to be £15M with exceptional costs of £40-45M.

What Does This Mean For Your Business?

It seems inconceivable that a widely reported vulnerability that could potentially affect a large number of users may still not have been addressed after 4 years. Many commentators are calling for a patch to be issued immediately in order to protect TalkTalk customers. This could mean that many home and business customers are still facing an ongoing security risk, and TalkTalk could be leaving itself open to another potentially damaging security problem that could impact its reputation and profits.

Back in August last year, the Fortinet Global Threat Landscape Report highlighted the fact that 9 out of 10 businesses are being hacked through un-patched vulnerabilities, and that many of these vulnerabilities are 3 or more years old, and many even have patches available for them. This should remind businesses to stay up to date with their own patching routines as a basic security measure.

Last year, researchers revealed how the ‘Krack’ method could take advantage of the WPA2 standard used across almost all Wi-Fi devices to potentially read messages, banking information and intercept sensitive files (if a hacker was close to a wireless connection point and the website doesn’t properly encrypt user data). This prompted fears that hackers could turning their attention to what may be fundamentally insecure public Wi-Fi points in e.g. shopping centres / shops, airports, hotels, public transport and coffee shops. This could in turn generate problems for businesses offering WiFi.

BYODs Linked To Security Incidents

A study by SME card payment services firm Paymentsense has shown a positive correlation between bring your own device (BYOD) schemes and increased cyber -security risk in SMEs.

BYOD

Bring your own device (BYOD) schemes / policies have now become commonplace in many businesses, with the BYOD and enterprise mobility market size growing from USD $35.10 Billion in 2016 to USD $73.30 Billion by 2021 (marketsandmarkets.com).

BYOD policies allow employees to bring in their personally owned laptops, tablets, and smart-phones and use them to access company information and applications, and solve work problems. This type of policy has also fuelled a rise in ‘stealth IT’ where employees go outside of IT and set up their own infrastructure, without organizational approval or oversight, and can, therefore, unintentionally put corporate data and service continuity at risk.

Positive Correlation Between BYOD and Security Incidents

The Paymentsense study, involving more than 500 SMEs polled in the UK found a positive correlation between the introduction of a BYOD policy and cyber-security incidents. For example, 61% of the SME’s said that they had experienced a cyber-security incident since introducing a BYOD policy.

According to the study, although only 14% of micro-businesses (up to 10 staff) reported a cyber-security incident since implementing BYOD, the figure rises to 70% for businesses of 11 to 50 people, and to 94% for SMEs with 101 to 250 employees.

Most Popular Security Incidents

The study showed that the most popular types of security incidents in the last 12 months were malware, which affected two-thirds (65%) of SMEs, viruses (42%), DDoS distributed denial of service (26%), data theft (24%), and phishing (23%).

Positive Side

The focus of the report was essentially the security risks posed by BYOD. There are, however, some very positive reasons for introducing a BYOD policy in the workplace. These include convenience, cost saving (company devices and training), harnessing the skills of tech-savvy employees, perhaps finding new, better and faster ways of getting work done, improved morale and employee satisfaction, and productivity gains.

Many of these benefits are, however, inward-focused i.e. on the company and its staff, rather than the wider damage that could be caused to the lives of data breach victims or to the company’s reputation and profits if a serious security incident occurred.

What Does This Mean For Your Business?

This is a reminder that, as well as the benefits of BYOD to the business, if you allow employees or other users to connect their own devices to your network, you will be increasing the range of security risks that you face. This is particularly relevant with the introduction of GDPR on Friday.

For example, devices belonging to employees but containing personal data could be stolen in a break-in or lost while away from the office. This could lead to a costly and public data breach. Also, allowing untrusted personal devices to connect to SME networks or using work devices on untrusted networks outside the office can put personal data at risk.
Ideally, businesses should ensure that ensure that personal data is either not on the device in the first place, or has been appropriately secured so that it cannot be accessed in the event of loss or theft e.g. by using good access control systems and encryption.

Businesses owners could reduce the BYOD risk by creating and communicating clear guidelines to staff about best security practices in their daily activities, in and out of the office. Also, it is important to have regular communication with staff at all levels about security, and having an incident response plan / disaster recovery plan in place can help to clarify responsibilities and ensure that timely action is taken to deal with situations correctly if mistakes are made.

Police Face Recognition Software Flawed

Following an investigation by campaign group Big Brother Watch, the UK’s information Information Commissioner, Elizabeth Denham, has said that the Police could face legal action if concerns over accuracy and privacy with facial recognition systems are not addressed.

What Facial Recognition Systems?

A freedom of information request sent to every police force in the UK by Big Brother Watch shows that The Metropolitan Police used facial recognition at the Notting Hill carnival in 2016 and 2017, and at a Remembrance Sunday event, and South Wales Police used facial recognition technology between May 2017 and March 2018. Leicestershire Police also tested facial recognition in 2015.

What’s The Problem?

The two main concerns with the system (as identified by Big Brother Watch and the ICO) are that the facial recognition systems are not accurate in identifying the real criminals or suspects, and that the images of innocent people are being stored on ‘watch’ lists for up to a month, and this could potentially lead to false accusations or arrests.

How Do Facial Recognition Systems Work?

Facial recognition software typically works by using a scanned image of a person’s face (from the existing stock of police photos of mug shots from previous arrests), and then uses algorithms to measure ‘landmarks’ on the face e.g. the position of features and the shape of the eyes, nose and cheekbones. This data is used to make a digital template of a person’s face, which is then converted into a unique code.

High-powered cameras are then used to scan crowds. The cameras link to specialist software that can compare the camera image data to data stored in the police database (the digital template) to find a potential ‘match’. Possible matches are then flagged to officers, and these lists of possible matches are stored in the system for up to 30 days.

A real-time automated facial recognition (AFR) system, like the one the police use at events, incorporates facial recognition and ‘slow time’ static face search.

Inaccuracies

The systems used by the police so far have been criticised for simply not being accurate. For example, of the 2,685 “matches” made by the system used by South Wales Police between May 2017 and March 2018, 2,451 were false alarms.

Keeping Photos of Innocent People On Watch Lists

Big Brother Watch has been critical of the police keeping photos of innocent people that have ended up on lists of (false) possible matches, as selected by the software. Big Brother Watch has expressed concern that this could affect an individual’s right to a private life and freedom of expression, and could result in damaging false accusations and / or arrests.
The police have said that they don’t consider the ‘possible’ face selections as false positive matches because additional checks and balances are applied to them to confirm identification following system alerts.

The police have also stated that all alerts against watch lists are deleted after 30 days, and faces in the video stream that do not generate an alert are deleted immediately.

Criticisms

As well as accusations of inaccuracy and possibly infringing the rights of innocent people, the use of facial recognition systems by the police has also attracted criticism for not appearing to have a clear legal basis, oversight or governmental strategy, and for not delivering value for money in terms of the number of arrests made vs the cost of the systems.

What Does This Mean For Your Business?

It is worrying that there are clearly substantial inaccuracies in facial recognition systems, and that the images of innocent people could be sitting on police watch lists for some time, and could potentially result in wrongful arrests. The argument that ‘if you’ve done nothing wrong, you have nothing to fear’ simply doesn’t stand up if police are being given cold, hard computer information to say that a person is a suspect and should be questioned / arrested, no matter what the circumstances. That argument is also an abdication from a shared responsibility, which could lead to the green light being given to the erosion of rights without questions being asked. As people in many other countries would testify, rights relating to freedom and privacy should be valued, and when these rights are gone, it’s very difficult to get them back again.

The storing of facial images on computer systems is also a matter for security, particularly since they are regarded as ‘personal data’ under the new GDPR which comes into force this month.

There is, of course, an upside to the police being able to use these systems if it leads to the faster arrest of genuine criminals, and makes the country safer for all.

Despite the findings of a study from YouGov / GMX (August 2016) that showed that UK people still have a number of trust concerns about the use of biometrics for security, biometrics represents a good opportunity for businesses to stay one step ahead of cyber-criminals. Biometric authentication / verification systems are thought to be far more secure than password-based systems, which is the reason why banks and credit companies are now using them.

Facial recognition systems have value-adding, real-life business applications too. For example, last year, a ride-hailing service called Careem (similar to Uber but operating in more than fifty cities in the Middle East and North Africa) announced that it was adding facial recognition software to its driver app to help with customer safety.

Efail – Encryption Flaw

A German newspaper has released details of a security vulnerability, discovered by researchers at Munster University of Applied Sciences, in PGP (Pretty Good Privacy) data encryption.

What Is PGP?

PGP (Pretty Good Privacy) is an encryption program that is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and disk partitions, and to increase the security of e-mail communications. As well as being used to encrypt and decrypt email, PGP is also used to sign messages so that the receiver can verify both the identity of the sender and the integrity of the content. PGP works using a private key that is kept secret, and a public key that the sender and receiver share.

The technology is also known by the name of GPG (Gnu Privacy Guard or GnuPG), and is a compatible GPL-licensed alternative.

What’s The Flaw?

The flaw, which was first thought by some security experts to affected the core protocol of PGP (which would make all uses of the encryption method, including file encryption, vulnerable), is now believed to be related to any email programs that don’t check for decryption errors properly before following links in emails that include HTML code i.e. email programs that have been designed without appropriate safeguards.

‘Efail’ Attacks

The flaw leaves this system of encryption open to what have been called ‘efail’ attacks. This involves attackers trying to gain access to encrypted emails (for example by eavesdropping on network traffic), and compromising email accounts, email servers, backup systems or client computers. The idea is to reveal the plaintext of encrypted emails (in the OpenPGP and S/MIME standards).

This type of attack can be carried out by direct exfiltration, where vulnerabilities in Apple Mail, iOS Mail and Mozilla Thunderbird can be abused to directly exfiltrate the plaintext of encrypted emails, or by a CBC/CFB gadget. This is where vulnerabilities in the specification of OpenPGP and S/MIME are abused to exfiltrate the plaintext.

What Could Happen?

The main fear appears to be that the vulnerabilities could be used to decrypt stored, encrypted emails that have been sent in the past (if an attacker can gain access). It is thought that the vulnerabilities could also create a channel for sneaking personal data or commercial data and business secrets off devices as well as for decrypting messages.

What Does This Mean For Your Business?

It is frustrating for businesses to learn that the email programs they may be using, and a method of encryption, supposed to make things more secure, could actually be providin a route for criminals to steal data and secrets.

The advice from those familiar with the details of the flaw is that users of PGP email can disable HTML in their mail programs, thereby keeping them safe from attacks based on this particular vulnerability. Also, users can choose to decrypt emails with PGP decryption tools that are separate from email programs.

More detailed information and advice concerning the flaw can be found here: https://efail.de/#i-have

Twitter Says Change Your Password

Twitter has advised all users to change their passwords after a bug caused the passwords to be stored in easily readable, plain text on an internal computer log.

The Bug – Passwords Visible Before ‘Hashing’

Twitter reported on their own blog that the bug that stored passwords had been ‘unmasked’ in an internal log. The bug is reported to have written the passwords into that internal log before Twitter’s hashing process had been completed.

The hashing process disguises Twitter passwords, making them very difficult to read. Hashing uses the ‘bcrypt’ function which replaces actual passwords with a random set of numbers and letters. It is this set of replaced characters that should be stored in Twitter’s system, as these allow the systems to validate account credentials without revealing customer password.

Millions Affected?

The fact that the passwords were revealed on an internal server, albeit for what is estimated to be for several months, and that there appears to be no evidence of anyone outside the company seeing the passwords, and no evidence of a theft or passwords turning up for sale on hacker site, indicates that it is unlikely that many of the 330 million Twitter users have anything real to fear from the breach.

Big Breaches

In this case, Twitter appears to have behaved responsibly and acted quickly by reporting the bug to regulators, fixing the bug, and quickly and publicly advising all customers to change their passwords.

Twitter’s behaviour appears to be in stark contrast to the way other companies have handled big breaches. For example, back in November 2017 Uber was reported to have concealed a massive data breach from a hack involving the data of 57 million customers and drivers, and then paid the hackers $100,000 to delete the data and to keep quiet about it.

Breaches can happen for all kinds of reasons, and while Twitter’s breach was very much caused and fixed by Twitter internally, others have been less lucky. For example, an outsourcing provider of the Red Cross Blood Service in Australia accidentally published the Service’s entire database to a public web server, thereby resulting in Australia’s largest ever data breach.

What Does This Mean For Your Business?

If you have a Twitter account, personal or business, the advice from Twitter is quite simply to change your password, and change it on any other service where you may have used the same password. Twitter is also advising customers to make the new password a strong one that isn’t reused on other websites, and to enable two-factor authentication. You may also want to use a password manager to make sure you’re using strong, unique passwords everywhere.

In this case, Twitter has acted quickly, appropriately and transparently, thereby minimising risks to customers and risks to its own brand reputation. Twitter will want this message of responsibility to be received loud and clear, particularly at a time where GDPR (and its hefty fines) is just around the corner, and a time when other competing social networks i.e. Facebook have damaged customer trust by acting less responsibly with their data through the Cambridge Analytica scandal.

8 More Security Flaws Found In Processors

Following on from the revelation in January that 2 major security flaws are present in nearly all modern processors, security researchers have now found 8 more potentially serious flaws.

Eight?

According to reports by German tech news magazine c’t, the 8 new security flaws in chips / processors were discovered by several different security teams. The magazine is reported to have been given the full technical details of the vulnerabilities by researchers and has been able to verify them.

The new ‘family’ of bugs have been dubbed Spectre Next Generation (Spectre NB), after the original Spectre bug that was made public along with the ‘Meltdown’ bug at the beginning of the year.

90 Days To Respond

The researchers who discovered the bugs have followed bug disclosure protocols, and have given chip-makers and others 90 days to respond and to prepare patches before they release details of the bugs. The 90 day time limit ran out on Monday 7th May.

Co-ordinated Disclosure

Intel is reported to have been reluctant to simply acknowledge the existence of the bugs, preferring to have what it calls a ‘co-ordinated disclosure’, presumably near the end of the protocol time limit, when there has been time to prepare patches and to mitigate any other issues.

It is not yet clear if AMD processors are also potentially vulnerable to the Spectre-NG problems.

How Serious Are The Flaws?

There have been no reports, as yet, of any of the 8 newly-discovered flaws being used by cyber-criminals to attack firms and extract data. According to the magazine C’t, however, Intel had classified half of the flaws as “high risk”, and the others as “medium risk”.

It is believed that one of the more serious flaws could provide a way for attackers access a vulnerable virtual computer, and thereby reach the server behind it, or reach other software programs running on that machine. It has been reported that Cloud services like Amazon’s AWS may be at risk from this flaw.

Meltdown and Spectre

The original Meltdown and Spectre flaws were found to have been present in nearly all modern processors / microchips, meaning that most computerised devices are potentially vulnerable to attack, including all iPhones, iPads and Macs.

Meltdown was found to leave passwords and personal data vulnerable to attacks, and could be applied to different cloud service providers as well as individual devices. It is believed that Meltdown could affect every processor since 1995, except for Intel Itanium and Intel Atom before 2013.

Spectre, which was found to affect Intel, AMD and ARM (mainly Cortex-A) processors, allows applications to be fooled into leaking confidential information. Spectre affects almost all systems including desktops, laptops, cloud servers, and smartphones.

What Does This Mean For Your Business?

The discovery of a family of 8 more flaws on top of the original 2 ‘Spectre’ and ‘Meltdown’ flaws is more bad news for businesses, particularly when they are trying to make things as secure as possible for the introduction of GDPR. Sadly, it is very likely that your devices are affected by the several or all of the flaws because they are hardware flaws at architectural level, more or less across the board for all devices that use processors. The best advice now is to install all available patches and make sure that you are receiving updates for all your systems, software and devices.

Although closing hardware flaws using software patches and updates is a big job for manufacturers and software companies, it is the only realistic and quick answer at this stage to a large-scale problem that has present for a long time, but has only recently been discovered.

Regular patching is a good basic security habit to get into anyway. Research from summer 2017 (Fortinet Global Threat Landscape Report) shows that 9 out of 10 impacted businesses are being hacked through un-patched vulnerabilities, and that many of these vulnerabilities are 3 or more years old, and there are already patches available for them.

Fake Online Reviews Investigation

A recent investigation as part of a BBC 5 Live programme has led to the underground trade in fake online reviews coming under the spotlight.

What Reviews and Why Does It Matter?

The kinds of reviews of products and services that can allegedly be purchased and displayed online in order to influence purchasing decisions are reported to be those on sites such as Trustpilot and Amazon.

Three quarters of UK adults use online review websites, and the government’s Competition and Markets Authority estimates that such reviews potentially influence £23 billion of UK customer spending every year.

Younger consumers are thought to be particularly influenced by the reviews of others / their peers when it comes to purchasing decisions.

The key motivator for businesses buying fake reviews is, orf course, to rank top for your product because this can lead to a lot of extra sales.

How Bad Is The Problem?

A Chartered Institute of Marketing (CIM) Study shows that almost half of UK adults believe they have seen fake reviews, and according to US analysts, as many as half of the reviews for some products posted on international websites like Amazon may be potentially unreliable

What’s Been Happening?

According to the recent BBC investigation of the problem, buyers are offered full refunds on products bought on Amazon in exchange for positive reviews. This practice is believed to be something that was driven underground back in 2016 after Amazon introduced measures designed to prohibit ‘incentivised reviews’ i.e. businesses offering customers free goods in exchange for positive reviews.

The BBC 5 Live team investigators have reported that they were offered deals for Amazon reviews, and were able to use eBay to purchase a false 5-star review on Trustpilot.
Denied

In response to the findings of the BBC investigation, Amazon has stated that it does not permit reviews in exchange for compensation of any kind and that customers and Marketplace sellers who don’t follow review guidelines are subject to action including potential termination of their account.

Trustpilot has said that it uses specialist software to screens reviews against 100’s of data points around the clock in order to automatically identify and remove fakes, and that it has a zero-tolerance policy towards any misuse.

E-bay has also stated that the sale of fake reviews is banned from its platform, and that any listings will be removed.

What Does This Mean For Your Business?

The potential rewards of more sales an profits, getting a competitive edge, and boosting brand awareness are powerful motivators for some businesses who may feel that when weighed up against the lack of any serious penalties, buying fake reviews may appear to be worth the risk. For the vast majority of review-reading customers, however, this is a deceptive practice that may cause them to purchase products that do not meet their needs or expectations.

The proliferation of fake reviews also undermines public trust in reviews, and this can be particularly unfair for those companies who have worked hard to get genuine positive reviews through simply providing superior products and service levels.

There is an argument that more preventative action needs to be taken by these platforms to stop fake reviews being published in the first place, and that stronger penalties are needed for those caught selling fake reviews.

Sadly, many commentators believe that we are currently in a ‘post-truth era’ where many people get their news from social media and where we are becoming conditioned to put less emphasis on the need for objective facts. It is with this backdrop that the trade in fake reviews has been allowed to grow.

There is still a strong argument, however, that there is no substitute for striving to provide quality products and great customer service as these strengthen a business anyway, ensure that reviews are positive, and should ultimately win over short-term deceptive practices.

Google Chrome Leads Digital Certificate Clean Up

The Google Chrome Browser is being equipped with transparency logs that are designed to prevent potentially costly digital certificate errors by Certificate Authorities (CAs) and to guard against cyber-criminals issuing their own certificates.

Stopping Misuse

The move has been designed to improve all-round transparency, and to better protect both users and companies from becoming victims of certificate misuse.

Triggers A Warning Message If Not Logged

The change means that all CAs must now log every digital certificate they issue in certificate transparency logs so that any website with a secure socket layer (SSL) or transport layer security (TLS) certificate that isn’t logged will trigger a browser warning. The warning will tell users the website’s certificate doesn’t comply with Google Chrome’s transparency policy, and therefore, may not be safe.

In fact, any part of a website that’s served over an https connection that doesn’t comply with Google’s policy will not load and will display an error in Chrome DevTools.

The change applies to all TLS server certificates issued after 30 April, 2018.

Driving Positive Change

With Google Chrome reportedly being used by 60% of web users, this move is being seen by some as Google using its market dominance to drive better practices. It is expected, therefore, that most other major browsers will follow Google’s example.

What Does This Mean For Your Business?

This is really just an industry change that primarily affects parties issuing the certificates e.g. a Certificate Authority. The change isn’t retroactive and so isn’t going to affect SSL certificates that were issued but not logged before April 30, 2018. This change will not (immediately) directly affect end users, although the clean-up effect that it may have on the whole business around certificates, and in thwarting some of the activities of cyber criminals could contribute towards a more secure internet generally. For example, cyber-criminals have been able to target internet users by finding ways to issue their own certificates.

The change should also give businesses a way to take action to protect themselves and their customers against any potential damage done to their business by mis-issuance of certificates.

This story should also be a reminder that from June, if your website doesn’t have a secure certificate i.e. if it doesn’t have https in the URL, Chrome will post a security warning to visitors which could mean that you lose enquiries and sales. Not having a secure certificate could also potentially mean that your website could suffer in the search engine rankings.