Froud on Fraud – Cybersecurity Predictions for 2020

In 2016 I predicted that:

  1. Identity Management will begin to replace single-factor authentication;
  2. Identity Management will be decentralised onto consumer mobile devices;
  3. HOW you pay will become increasingly irrelevant;
  4. Value-Add Services and Customer Service will be the only differentiator;
  5. Loyalty Programs will begin to centralise;

Even three years later, only one of these (#1) is becoming [slightly] true.

In 2017 I predicted that:


Froud on Fraud: Cybersecurity Predictions for 2017

This time last year I wrote Froud on Fraud: Top 5 Predictions for 2016. Unsurprisingly, none of these things has transpired. At least not yet anyway [embarrassed silence].

So why do this again, when it’s fairly clear that any insight I have – if any – is aimed more towards potential long-term trends than to short-term results?

The reason I’m taking another stab is that I can’t help feeling 2017 is going to be something of a watershed year for cybersecurity. At least I hope so, because there is so much hype, scaremongering and dross out there that something needs to change. And it must change soon, before cybersecurity professionals get lumped into the same category as the better known examples of sleaze: used car salesmen, estate agents, and lawyers (no offence Sis).

The last few years have been bad for the cybersecurity/privacy profession. From Snowden to the Snooper’s Charter, from Target to Yahoo, there has been no good news. Forget that the press will not print good news if they can possibly help it; things actually are getting worse. State sponsored attacks, organised crime, numerous vulnerabilities in Android and iOS, irresponsible Internet of Things manufacturers: there is little to smile about.

But instead of coming to the rescue, the cybersecurity industry seems Hell-bent on making it worse by cashing in on the confusion. From biometrics vendors disgracefully overstating their worth, to consulting practices doing everything in their power to cross-sell and upsell their wares, it’s becoming increasingly difficult to know where to turn.

The only bright side? Legislation.

Yes, legislation. The revised Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR), for example, are both designed to start putting things right in payments and data privacy respectively. No one with a vested interest in keeping things the same was ever going to do anything themselves, so now they’ll have to. Banks, large retail, you name it: there will now be a price to pay for how you treat the consumer.

And let’s face it, it’s all about the consumer.

So with the above in mind, these are my predictions for 2017:


  1. ISO 27001 certification will be increasingly important: Unlike PCI, which is entirely prescriptive, no other regulation that I have ever seen requires anything other than ‘appropriate‘ or ‘reasonable‘ security measures. Appropriate and reasonable to whom is always the first question. ISO 27001, and other frameworks like it, perform one overarching function: to provide demonstrable evidence that an organisation is taking security seriously. Whether the organisation is actually taking security seriously is another matter, but it is hard to fake certification. Not impossible mind you, just difficult. ‘Compliance’ with GDPR, and with other data privacy regulations globally, will look to ISO for help.
  2. Biometrics vendors will keep pushing their wares, and fail: OK, so this one is more of a wish than a prediction, but I am so sick of the hype around biometrics that I need to vent. Yes, biometrics is very important, and yes, it’s better than a password in most scenarios, but it is NOT an answer by itself. Biometrics will not replace the password, nor will it ever be a solution all by itself. It will do what every other form of authentication should do: take its rightful place in the arsenal of identity management systems.
  3. Amazon GO will be the new model for brick & mortar: Any brick and mortar retailer not terrified by the opening of the Amazon GO store in Seattle is completely missing the point. The point is that consumers don’t care how they PAY, they care how they BUY. Cash, credit cards, even the Apple Pays and their ilk are just forms of payment, they are not relevant to how we choose the products and services we actually BUY. We demand a lot more from our merchants than a glorified cash register. In Invisible Payments, Are They Real? (Aug ’15) I went a little further than Amazon did, and will go even further in a week or so. And while I don’t expect 2017 to see a sharp increase in GO-esque stores, it’s definitely a glimpse of the near future.
  4. Containerised Security Services: Anyone who looks to Amazon Web Services or Azure for hosting their e-commerce systems often does so in order to outsource security as well. The fact that neither of these services provides much is often a nasty surprise. Yes, the merchants asked the wrong questions (or none at all), but it is incomprehensible to me that vendors like AWS DON’T provide comprehensive security wrappers. 2017 will see an increase in modular and full-service security programs (at least to PCI minimums) from all of the major providers. Hopefully these will be easily understandable and transparent to non-experts, because even the better service providers do a piss-poor job of getting their point across.
  5. Automated Governance, Risk & Compliance: GRC is a fantastic concept, implemented poorly. However, with the ever-increasing regulatory landscape, larger organisations simply can’t keep up with their audit commitments. GRC tools have traditionally been mostly manual in nature, which explains their lack of adoption. More and more GRC vendors are looking to automate compliance baseline input by providing APIs to end-point vendors (A/V, SIEM, vulnerability scanning etc.) for automated input of production system data. 2017 will see GRC vendors finally focusing on the only thing that makes sense: asset management and automated baseline comparisons against known-good profiles.
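The baseline comparison that item 5 describes, as an added example rather than anything from the original post or from any GRC vendor: a known-good profile for a host class is diffed against an inventory snapshot of the shape an endpoint API (A/V, SIEM, vulnerability scanner) would feed in, and the asset register is reconciled against what actually reported. The profile values, host names and snapshot contents are constructed for illustration.

```python
"""Automated baseline comparison for GRC: diff a production inventory snapshot
against a known-good profile and emit findings. Added example with constructed
data; it is not the code of any real GRC product."""

# Constructed known-good profile for a PCI-scope web tier (assumed policy values).
BASELINE = {
    "profile": "pci-web-tier",
    "expected_hosts": {"web-01", "web-02", "web-03"},   # the asset register
    "required_packages": {"openssl": "1.1.1", "nginx": "1.18"},  # minimum versions
    "allowed_listening_ports": {22, 443},
    "required_agents": {"av", "log-forwarder"},
    "max_critical_vulns": 0,
}

# Constructed snapshot, shaped like a pull from endpoint/scanner APIs.
# web-03 is in the asset register but absent here: an unmanaged or dead asset.
SNAPSHOT = [
    {"host": "web-01", "packages": {"openssl": "1.1.1", "nginx": "1.18"},
     "listening_ports": {22, 443}, "agents": {"av", "log-forwarder"},
     "critical_vulns": 0},
    {"host": "web-02", "packages": {"openssl": "1.0.2", "nginx": "1.18"},
     "listening_ports": {22, 80, 443}, "agents": {"log-forwarder"},
     "critical_vulns": 2},
]


def version_tuple(version):
    """'1.1.1' -> (1, 1, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def compare_host(host, baseline):
    """Return (host, finding_type, detail) tuples for every deviation from baseline."""
    name = host["host"]
    findings = []
    for pkg, minimum in baseline["required_packages"].items():
        installed = host["packages"].get(pkg)
        if installed is None:
            findings.append((name, "missing-package", pkg))
        elif version_tuple(installed) < version_tuple(minimum):
            findings.append((name, "outdated-package", f"{pkg} {installed} < {minimum}"))
    for port in sorted(host["listening_ports"] - baseline["allowed_listening_ports"]):
        findings.append((name, "unexpected-port", str(port)))
    for agent in sorted(baseline["required_agents"] - host["agents"]):
        findings.append((name, "missing-agent", agent))
    if host["critical_vulns"] > baseline["max_critical_vulns"]:
        findings.append((name, "critical-vulns", str(host["critical_vulns"])))
    return findings


def compare_inventory(snapshot, baseline):
    """Diff every host, then reconcile the asset register against what reported in."""
    findings = []
    seen = set()
    for host in snapshot:
        seen.add(host["host"])
        findings.extend(compare_host(host, baseline))
    # Assets that should exist but sent no data are a finding in their own right:
    # an audit cannot attest to a box nobody can see.
    for missing in sorted(baseline["expected_hosts"] - seen):
        findings.append((missing, "missing-host", "in asset register, no snapshot"))
    # Hosts reporting in that are not in the register are unmanaged assets.
    for unknown in sorted(seen - baseline["expected_hosts"]):
        findings.append((unknown, "unregistered-host", "not in asset register"))
    return findings


def compliant_hosts(snapshot, baseline):
    """Hosts with no findings; the number auditors actually ask for."""
    return sorted(h["host"] for h in snapshot if not compare_host(h, baseline))


if __name__ == "__main__":
    for finding in compare_inventory(SNAPSHOT, BASELINE):
        print("%-8s %-18s %s" % finding)
    print("compliant:", compliant_hosts(SNAPSHOT, BASELINE))
```

Two caveats for anyone turning this into a real control: the version comparison assumes purely numeric dotted versions, so real package strings (epochs, distro suffixes such as `1.1.1f-1ubuntu2`) need the distribution’s own comparison routine; and a snapshot is only as trustworthy as the agent that produced it, so the missing-host check matters at least as much as the per-host diffs.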

OK, so 5. is a bit of a stretch, but there’s no way my OCD would allow for only 4 predictions.

What are your predictions?



Of Course the Internet of Things Isn’t Perfect

Can you name one invention that changed the course of human history that was perfect out of the gate?

Farming? Domestication of animals? Transportation?

OK, what about something a little more fundamental like utilities? Water, electricity, telephone and so on. Things so taken for granted in developed countries that we barely give them a second’s thought.

How about something actually appropriate to my subject; The Internet itself?

Not only were none of these things perfect when first introduced, they still aren’t. Not by a long shot, and nor will they ever be. So why are we expecting more from the Internet of Things?

As a security expert, I cannot imagine anything more horrifying than billions of connected devices built almost entirely for function, where the race to market is the primary motivator because any competitive advantage is all but gone in a matter of days, and where security, if it was even considered during development, was considered only perfunctorily, and likely with a fair degree of annoyance.

However, as a tech geek and a lazy git, the Internet of Things also fills me with anticipation bordering on joy. With the things that are already possible, my life has become significantly easier. With what’s to come, I can see a positive impact on the only thing that has ever mattered to me:

Having more time. Or perhaps more to the point; making better use of the time I have left.

Everyone talks about the risks and the inevitable disasters related to IoT, because that’s what sells column inches (like this recent event). Or they talk about increased efficiency, convenience, and quality of life, because that’s what sells products. But what it all boils down to is this: What price do we have to pay for more time? How much of our privacy, or even our physical safety, are we prepared to put at risk for a better life? A life spent doing the things we want to do, not the things we have to do just to get by.

Unfortunately, in our society, we are being allowed to accept less and less responsibility for our actions. From ‘Caution, Contents Hot’ labels on our coffee cups, to political correctness, to affirmative action, we are completely devolving accountability for our own lives to external entities.

This must stop. When it comes to the Internet of Things, we must make our own choices, and we absolutely must accept the consequences. It does not matter how many regulations and standards the Government puts into place, the IoT will always be far from perfect. Bad people WILL make bad things happen. Should organisations be held liable for gross negligence? Of course. Does that help the person whose pacemaker was hacked through their iPhone? No, it doesn’t.

‘Educated consumer’ is right up there with ‘religious tolerance’ as a perfect oxymoron. But educated consumers is exactly what we all need to be. We now have a lot of control over how much of our identity is available online. Again, it’s not perfect, but with account insurance, regulatory compliance and such, the rewards from our online functionality far outweigh the risks.

But what happens when everything from the front door to the contents of our cupboards is available on the Internet? When every appliance, every utility, our location, health, finances, are all just a hack away? Will the amazing convenience that can be achieved by outsourcing ‘control’ of those things be worth the risk of total loss?

Only you can make that choice, and you cannot point fingers at anyone else if things go wrong. There is no recourse open to you, and the only defence you have is to educate yourself.

Start by assuming that everything you put online can be lost in its entirety. Are you prepared for that? Because it’s not an exaggeration.


The End of Household Food Waste?

How much food do you throw away each year because it’s past the expiration date, or worse, you find it in the back of your fridge supporting a new furry ecosystem?

In my ever extending string of blogs based entirely on speculation, I would say that I throw away in the region of £400 – £600 worth per year. And I’m not saying it’s my wife’s fault (certainly not to her face anyway), although she does all the grocery shopping and cooking (don’t worry, it’s not like that, I do pretty much all the cleaning and jar opening). 🙂

There’s actually no blame here, it’s just the way WE are. We are not planners when it comes to our weekly meals, which would alleviate much of this issue. But, like everyone else in our brave new it’s-not-my-fault,-someone-else-should-do-something-about-it society, I want this to take care of itself, automatically.

We can, and I believe we are not that far off; it just needs putting together.

First, the actual growers of the produce need to take the first step by ensuring that their shipments are labelled with enough information to begin the countdown process, i.e. from ripe to rotten. We should by now have a pretty good idea how long a lettuce (for example) is going to last. I don’t care if it’s organic (which will clearly shorten its shelf life); with refrigeration, preservatives, and whatever else happens to our food without our knowledge, from farm, to supermarket shelf, to your fridge, to your plate, the lettuce has only x days to live (plus or minus).

Let’s say this is done with a QR tag, and each step in the logistics chain is added to the embedded information. By the time you scan the code in the supermarket you will have at your fingertips all the information you need to make an informed decision about your purchase: these lettuces in this box are 2 days newer than those ones, but the older ones are half price, and so on. Instant coupons are a given.

I won’t go into the payment method, I’ve written enough on the future of payments, but you will not only have an instant receipt, you will also have automatically added these items to a database of all the food in your house, along with weight / quantity, expiration date, and so on.

Now everything edible in your house, from canned goods, to herbs & spices, to meats, to vegetables, is tracked in your database. All you need do now is set your alerts so that ANYTHING that is about to expire becomes an item in your next meal. Of course, you will need to tell this database whether you put something in the freezer, in the fridge, or left it on the counter, but the smart-fridges and smart-cupboards of the very near future will be able to track this for you by scanning your groceries as you put them away. This in turn will be added to the database, so you need never spend half an hour hunting for your Fingers of Fudge.

Not only that, because you have a complete record of everything, you can get immediate help on what to do with it. Every chef in the world will want to sign up to a service whereby they can apply their recipes to what you have available, or more importantly, what is about to expire. Yes, both the chefs and the providers of this service will try to get you to buy additional items to make an amazing meal, but you will always have a choice.

Also, if you DO choose a fancy menu, this can immediately alert your preferred supermarket, who can tell you whether or not the items are available, then maybe even deliver them to you.

And we’re still not done. Beyond the immediate benefit of saving a butt-load of money, there are other advantages for every player in the cycle (in no particular order):

  1. You can have your weekly menus designed for you based on your preferences in terms of likes/dislikes, calorific intake, budget and so on.
  2. Growers will eventually be able to track global trends on food purchase, and possibly be able to adjust their supply to the demand.
  3. Supermarkets can automatically alert their customers to deals on soon-to-expire produce and hopefully reduce their waste. Maybe provide free delivery if you purchase enough of these items.
  4. You’ll learn to cook far more meals than you could have ever conceived yourself.
  5. You’ll be able to track your calorie intake if you follow the menus explicitly. Good for dieters, and excellent for diabetics.
  6. By having the ingredients of everything you buy available to you, you can ensure you never buy anything, or accept a recipe, containing something to which you or a loved one are allergic.
  7. You will undoubtedly stop buying things that sit in your cupboards for years on end, like that can of string beans that seemed like a good idea at the time.
  8. You can make your food database available to your friends so that you can create a meal together without having to buy everything yourself. Dinner party anyone?

I could go on all day, and I’m sure that if you have read this far you have had several ideas of your own.

All we need now is the supermarket chains to buy in …and the growers …and the name brand goods ….and …


Can Identity Management and Privacy Co-Exist?

In the near future, most of us will want to:

  1. be able to walk into the supermarket, collect our stuff, and walk straight out with the payment already processed in the background
  2. receive instant coupons, or 2-for-1 offers, or other value add services WHILE shopping
  3. receive a warning if an item contains something to which we are allergic
  4. receive a reminder from your fridge / freezer / cabinets that you are low on certain products while you are walking down the relevant aisle
  5. …and so on.

However, you cannot have any of these things unless you have made the necessary information available to the supermarket chain you are in. And they will not make these things available TO you unless they have good assurance that you are, in fact, you.

To enable just the 4 things listed above, you have to release a significant amount of personal data, all of which can have privacy implications:

  1. requires a number of things – from biometrics (facial recognition for example) to financial account access
  2. requires a comprehensive and always growing record of your choices, preferences, and habits
  3. requires details of certain bits of medical data
  4. requires your entire kitchen / bathroom / bedroom to be enabled for the Internet of Things, as well as a highly detailed geolocation on your whereabouts
  5. …and so on.

Are you OK with that?

I am, but I know many who are not, and I also know that as the generations progress there will be less and less concern over these ‘conveniences’, as they will have become commonplace. I will go as far as to say that within the next 10 years, any supermarket NOT providing some or all of these services will not be able to compete, and will possibly become an Internet-free corner store where you’ll find the world’s ‘privacy paranoid’ shopping for their tin-foil helmets and electronic cloaking devices.

The bottom line is that the concept of privacy itself is changing. The generation of kids in secondary schools today has never known life without the Internet, and in most industrialised nations, every kid has a mobile phone. They are always plugged in, always connected, and, as never before, a vast majority of their lives is recorded somewhere online. They are active on social media, SMS, chat, email, and every other technology designed to stay in touch 24/7.

Our idea of privacy is not theirs, and everything from racial prejudice to the stigma attached to nudity will standardise and globalise, and I cannot help but think for the better. Your children’s education will no longer be tied entirely to the doctrines of the previous generations, and self-perpetuating ignorance has no place in a time when every piece of knowledge is at your fingertips. Not that this will stop those determined to be an arse.

I’m certainly not talking about some utopia here; ignorance in all its forms will never go away. But if the vast majority of your life is an open and available book, your complete identity becomes the ultimate form of authentication, and the security OF your identity only gets better as your life progresses.

The current ability to authenticate only against static data will no longer suffice (passwords, secret questions etc.), and the coming methods of identity management and authentication will completely change the face of privacy.

I see this as a good thing, but I’ll leave it to the folks hiding away in Faraday cages to make sure that Big Brother doesn’t get everything his way.