BolehVPN

Make Your Online Shopping Safer With Single Use “Burner” Credit Cards

March 29th, 2016

privacy

Every time you make an online purchase, you have probably felt a moment of hesitancy and fear while typing in your credit card number to pay. You are not alone: there is naturally some uncertainty about the security of entering your credit card number on the wide open web.


Source: Randy Glasbergen

Privacy.com, a company that launched its free app on 24th March 2016, aims to ease that particular consumer fear with its “burner” digital Visa cards.

Privacy’s virtual burner Visa credit cards are randomly generated credit card numbers that can only be used once before the card number self-destructs. Because you get a brand-new virtual card for every transaction you want to make, your personal information is hidden when you make online purchases and your actual credit card number stays safe. Besides creating a one-time use credit card number, users can also create an unlimited number of single- or recurring-use cards, or even merchant-specific cards (such as a card specific to Spotify subscriptions, iTunes purchases or Kickstarter investments).

Privacy’s self-explanatory company name clearly outlines the value it hopes to bring to its users, a basic idea which has already attracted the interest of investors. The company announced in October that it had raised $1.2 million in seed funding from investors, including Jim Messina (former White House deputy chief of staff and main driver of President Obama’s 2012 re-election campaign) and Andy Roth (former Chief Privacy Officer of American Express).

And it is no wonder, given that the start-up is formed from a small line-up of security-conscious directors with notable credentials. CEO Boling Jiang studied math at the Massachusetts Institute of Technology and came from a cryptocurrency background, while Andy Roth (the former Chief Privacy Officer of American Express mentioned above) is also pro bono counsel to the Bitcoin Foundation and Human Rights Watch. Other team members include Jason Cruz (who worked at Expensify, a software company that develops a travel and expense web and mobile app) and David Nichols (who worked at Palantir, a software and services company specializing in data analysis).

Jiang believes that consumers have the right to not share personal information with a merchant if they are only going to buy something from them once. “It puts the control back in your hands as the consumer,” Jiang assures. “Our policy is we collect the minimum amount of information we need to operate and make your life easy and abide by the law…A lot of tech companies we’ve seen collect the maximum amount of information. That’s the ethos that separates us from others.”

 

The beauty of burner cards


Privacy icon on Google Chrome Extension

As long as your bank is one of the institutions Privacy works with, you will be able to use the company’s Google Chrome/Firefox extension to auto-generate new Privacy cards whenever you want (the service is also available in the iOS App Store, with support for Safari and Internet Explorer coming soon). You can keep using these cards or close them whenever you feel like it. The company presently works with a couple of major banks and institutions such as Bank of America, Citibank, Capital One 360, Wells Fargo, Chase, and a couple of others, but has since been receiving a ton of requests from regional banks and credit unions to link up. Privacy’s app quickly reached number one on Product Hunt and received much attention on Hacker News.

The main advantage of Privacy’s burner cards is that having multiple cards linked to your bank account and locked to specific merchants is a good way of reducing credit card fraud. A thief would be far less interested in stealing your card number if all they could do with it was pay for New York Times subscriptions, with maximum spending limits of $1,000 per day and $2,000 per month. The great thing is that if there was a leak, you could even track down which merchant was responsible, since there is a different card number for each purchase. The same goes for hidden charges, billing without consent, and merchants using the products you buy online to market to you.

Secondly, Privacy lets you stop subscriptions and guard against deceptive recurring billing when you forget to cancel your “30-day free trials”: disable the virtual card and those pesky companies cannot bill you again. Additionally, a Privacy burner card works with any billing address, so you can keep your personal details private if you choose to.

Finally, the service is free; you only need to create an account and link your bank to the site to sign up. The company makes its money by processing transactions every time a user spends using a Privacy card. The interchange fees that merchants or websites pay to Visa and issuing banks are shared with Privacy.

 

The sign-up process


Upon checking-out on a site, the Privacy icon appears in the card form

Privacy is all about simplicity for its users, and the sign-up process is no different. The steps involved are to download the software, register, and link a bank account, with optional two-factor authentication for extra security. After the Google Chrome/Firefox extension is installed, a Privacy icon will appear next to the credit card form when Privacy users wrap up their online shopping and go to the cart to check out their purchases. When users click the Privacy button, the service automatically generates a new virtual Visa debit card specifically for the website they are shopping on. Privacy will then connect to the user’s bank account so it can withdraw money from it.


Privacy withdraws money from the chosen funding account

However, to create an account and connect it to your bank, you first need to hand over your bank account’s username and password, which means users have to trust Privacy with all their bank information for the process to work.

The company states that login details are “passed to your bank over a secure TLS (SSL) connection.” The company also says it is Payment Card Industry (PCI) compliant and uses a 256-bit encryption key to secure all details.

After all the relevant accounts have been set up, there are two ways to create a new card: click the ‘Create Card’ button on the web app or select ‘Create a New Card’ in the browser extension. If two-factor authentication is enabled, the user will be asked to enter a TFA token.

There are several options when creating a single-merchant card. Clicking the dollar sign icon lets the user set a purchasing limit, which otherwise defaults to a maximum of $1,000 per day and $2,000 per month. Clicking the flame symbol creates a one-time use burner card, and selecting the text cursor lets you give your card a memorable name. The final step is to click ‘Create card’, and the new card comes complete with an expiry date and three-digit security code.


Source: PC World
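To see why a merchant-locked, limited or single-use number is worth so little to a thief, here is a small model of the authorization decision described above. It is an example added to this post, not Privacy's code: the `VirtualCard` fields, the `authorize` and `leak_source` functions, the merchant names and the `VCARD-` numbers are all assumptions made up for illustration; only the $1,000/$2,000 defaults come from the article.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class VirtualCard:
    number: str                      # constructed sample id, not a real card number
    merchant: Optional[str] = None   # merchant the card is locked to
    single_use: bool = False         # "burner": closes after one approved charge
    daily_limit: int = 1000          # dollars, default quoted in the article
    monthly_limit: int = 2000        # dollars, default quoted in the article
    closed: bool = False
    charges: list = field(default_factory=list)  # approved (date, amount) pairs


def authorize(card, merchant, amount, day):
    """Return (approved, reason) for one charge attempt."""
    if card.closed:
        return False, "card closed"
    if card.merchant is not None and merchant != card.merchant:
        return False, "merchant mismatch"
    spent_today = sum(a for d, a in card.charges if d == day)
    spent_month = sum(a for d, a in card.charges
                      if (d.year, d.month) == (day.year, day.month))
    if spent_today + amount > card.daily_limit:
        return False, "daily limit"
    if spent_month + amount > card.monthly_limit:
        return False, "monthly limit"
    card.charges.append((day, amount))
    if card.single_use:
        card.closed = True  # the number "self-destructs" after first use
    return True, "approved"


def leak_source(cards, leaked_number):
    """Map a card number seen in fraud back to the merchant that held it."""
    for card in cards:
        if card.number == leaked_number:
            return card.merchant
    return None


def sample_run():
    """Constructed scenario: one subscription card and one burner card."""
    day = date(2016, 3, 29)
    news = VirtualCard("VCARD-0001", merchant="nytimes.com")
    burner = VirtualCard("VCARD-0002", merchant="shop.example", single_use=True)
    results = [
        authorize(news, "nytimes.com", 15, day),           # normal charge
        authorize(news, "electronics.example", 900, day),  # stolen number used elsewhere
        authorize(news, "nytimes.com", 990, day),          # 15 + 990 exceeds $1,000/day
        authorize(burner, "shop.example", 40, day),        # first use of the burner
        authorize(burner, "shop.example", 40, day),        # repeat billing attempt
    ]
    reasons = [reason for _, reason in results]
    return reasons, leak_source([news, burner], "VCARD-0001")
```

Closing a card by hand (setting `closed` in this model) has the same effect as the burner's automatic shutdown, which is how a forgotten free trial stops being billable.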

Right now, Privacy is only available in the United States but if you would like to know more about the service, you can check out their official website.

 

Sources

[1] PC World

[2] Tech Times

[3] PC Mag

[4] Tech Crunch

[5] Inverse

 

Takeover of Free Public Wifi Kiosks All Over NYC Raises Privacy Concerns

March 26th, 2016

“Internet access is not a choice, it’s a modern-life necessity”.

Thirty-four million Americans, nearly 10%, do not have basic broadband access to the Internet. This is something the city of New York hopes to help change through its LinkNYC project. LinkNYC is a citywide Wifi system with plans for thousands of hotspot kiosks to be placed throughout all 5 boroughs of the city. How many exactly? The goal is to have more than 7,500 Wifi hotspot hubs replace old pay phones, with 500 LinkNYC stations expected to be set up across New York City by mid-July and each hotspot hub giving off a Wifi radius of 400 feet.

 

Out with the old, in with the new

The LinkNYC program is offered through a partnership between the city and CityBridge, a consortium of companies that takes care of the LinkNYC system. The free service will see New York City’s old pay phone booths replaced with LinkNYC hubs that act as wireless routers providing fiber Internet.


Source: LinkNYC

While still only in beta since its official launch last month, New York City’s municipal Wifi is already said to offer a blazing fast network through the nearly three dozen hubs already up and working. Internet speeds are registered to be 10 times faster than the city’s current public Internet speeds, and it is all free.

On top of that, at each station you can make free unlimited domestic phone calls, or charge your mobile with the USB charging ports for those running low on battery juice. Additional good news is that each station will also include built-in 911 emergency access, city maps and even Skype-calling capabilities.

The ability to provide these free services comes simply from advertising money, by means of ads on the kiosks’ sides. Each hub doubles as a large electronic advertising display whose ads could change multiple times throughout the day. The Verge estimates that the total ad revenue the city could potentially earn would be over $500 million by 2028.


Locality plans for LinkNYC hubs. (Source: LinkNYC)

 

Three main privacy concerns


Source: NYU Local

Sounding too good to be true? Well, the New York Civil Liberties Union (NYCLU) believes so too, and has expressed concerns about the privacy of people using these free Wifi hotspots to connect throughout the city. The privacy advocates sent a letter to Mayor Bill de Blasio’s office voicing their concerns about the vagueness of the privacy policy involved.

The letter, signed by NYCLU Staff Attorney Mariko Hirose and Advocacy Director Johanna Miller, lists three main concerns:

1) how long user data will be retained

2) unclear language about government requests for user data

3) whether the “environmental sensors and cameras” that sit on the new Wifi hubs will feed into the Domain Awareness System, a city-wide police surveillance network

NYCLU raised privacy concerns about the possibility that the email addresses users give when they sign in to the free service could be retained by CityBridge along with the users’ browsing history. Another great concern was that the new project could be open to unwarranted NYPD surveillance, as it potentially creates a massive database within the ready grasp of the NYPD.

They have written that they’re “concerned about the vast amount of private information retained” in the system, specifically worrying that the policy’s stipulation that personally identifiable information must be deleted “after 12 months of user inactivity” could be “effectively an indefinite retention period for people who use LinkNYC in their daily lives.”

Similarly, the NYCLU group feels CityBridge’s collection of user data such as “what websites they visit on their devices, where and how long they linger on certain information on a webpage, and what links they click” could prove just as invasive as gathering other personal information on a person. NYCLU emphasizes that CityBridge should rightly be notifying the users via email about any requests for data from the government, unless there’s a “lawful judicial order barring” them from doing so.

 

What LinkNYC & the Mayor’s office say

The Mayor and CityBridge responded quickly to the civil rights group’s letter. Facing criticism over the privacy issues, the city reiterated that law enforcement does not have direct access to information and environmental sensors and that getting LinkNYC data would still require a subpoena, and said that the system takes steps to protect data, including encryption services to protect against would-be hackers.

Jen Hensley, general manager of LinkNYC, told The Huffington Post that the company would never sell a user’s private information and that law enforcement does not have unfettered access to the data.

“CityBridge would require a subpoena or similar lawful request before sharing any data with the NYPD or law enforcement, and we will make every effort to communicate government requests to impacted users,” Hensley stated.

Hensley also went on to address NYCLU’s third concern regarding LinkNYC’s cameras, assuring that LinkNYC does not collect or store any data on users’ personal web browsing on their own devices. If a government request for a user’s information is received, a spokesperson for LinkNYC said that “reasonable attempts” would be made to contact the user via the email they provided to use the service.

Correspondingly, Natalie Grybauskas, the New York City mayoral spokesperson who spoke on behalf of Mayor Bill de Blasio, told Huffington Post there are privacy protections in place on the public Wifi system and said the “privacy policy is the best way to protect New Yorkers and LinkNYC users while they safely and securely enjoy free superfast Wi-Fi across the five boroughs.”

“New York City and CityBridge have created customer-first privacy protections to ensure our users’ personal information stays that way – personal. We believe our privacy policy is the best way to protect New Yorkers and LinkNYC users while they safely and securely enjoy free superfast Wi-Fi across the five boroughs. We will continue to work to ensure legitimate concerns are addressed.”

As to the NYCLU’s concerns regarding the Domain Awareness System, Grybauskas confirmed that LinkNYC’s cameras and environmental sensors do not feed into the Domain Awareness System and that the NYPD would have to subpoena to obtain any information from the LinkNYC system. She also echoed Jen Hensley’s statement that no personal information will be shared or sold for third-party use unless a subpoena or court order requires it.

Sources

[1] Tech Times

[2] Fast Company

[3] Huffington Post

[4] Gizmodo

[5] State Scoop

[6] CBS News

[7] Fusion

Payments By 2CO Ceased

March 23rd, 2016

Dear Bolehians,

We would like to apologise that unfortunately we are no longer able to support payments by 2CheckOut.

However, we do still support payments through Paypal, BitCoin (via Coinbase), Dash (via Coinpayments), XEM, & also manually process telegraphic transfers.

For Malaysian users, we accept direct bank-ins & ATM cash deposits.

Thank you for your continuous support & we apologise again for any inconveniences.

Sincerely,

The BolehVPN Team


 

Issues With 2CO Payments

March 23rd, 2016

Dear Bolehians,

We may be temporarily experiencing some issues with 2CheckOut payments.

To avoid encountering any disruptions, payments by Paypal would be preferred for the moment while we resolve the issue. Thanks guys!

Apple Just Realised There’s a Flaw in iMessage

March 22nd, 2016

Apple’s squeaky clean security image seems to be unravelling more and more these days, especially since news was released recently of their Apple Macs being victims of ransomware for the first time ever.

Yet another security hole has been uncovered by a group of Johns Hopkins University researchers in Baltimore, Maryland, led by cryptographer and computer science professor Matthew D. Green. Green spotted the potential weakness when he read an Apple security guide, and he and his team of graduate students found a bug in Apple’s iMessage encryption. After alerting the company to the issue, the team mounted a staged attack on iMessage, one which would enable an attacker to decrypt photos and videos sent over iMessage on iPhones and iPads running versions prior to iOS 9.

The research team: Gabe Kaptchuk, Mike Rushanan, Ian Miers, Christina Garman.

Apple’s encryption on iMessage serves to protect its users’ messages by scrambling them using advanced mathematics, so that they can only be read by the sender and recipient. When a user sends an iMessage, their device opens a secure connection with Apple’s servers. Messages are encrypted on the phone using a private key and sent to Apple’s servers, which then deliver them to the recipient. The recipient’s phone will then decrypt the message.

Thus, after reading a report on Apple’s encryption, Green guessed that he might be able to exploit iMessage by mimicking Apple’s servers and intercepting iMessages sent between devices running older versions of Apple’s iOS software, finding a link to a photo stored in iCloud. The Washington Post reported that the security researchers successfully targeted phones using pre-2011 versions of iMessage and were able to download a photo from Apple’s servers after a few months. However, Green warned that a modified version of the attack could also be used to target more recent versions of the operating system, given an attacker with nation-state level hacking skills and resources.

“Apple works hard to make our software more secure with every release,” the company said in a statement. “Security requires constant dedication and we’re grateful to have a community of developers and researchers who help us stay ahead.”

Green emphasizes that this is the exact reason why the government should not be forcing Apple to intentionally weaken the security of its own software, when the reality is that perfect encryption is incredibly hard if not impossible to achieve. As Green stated:

“Even Apple, with all their skills—and they have terrific cryptographers—wasn’t able to quite get this right… So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”

 

“The user never sees it, the phone never displays anything”


Source: CNN

According to RT, to intercept a file in an encrypted transmission, the team first wrote special software to emulate an Apple server. The researchers then chose the encrypted transmission they wanted to decrypt, which contained a link to the photo in iCloud as well as a 64-digit key to decrypt the photo or video. Although the key itself was not visible, the team discovered that they could take as many guesses as they wanted by changing a digit or a letter in the key and sending it back to the device they were targeting, because iMessage does not lock out an attacker after multiple attempts to decrypt. Each time a guess was correct, the targeted phone accepted the digit, so by brute force they only had to keep guessing a few thousand times before they had the key and were able to decrypt the media file (Wired says roughly 130,000 attempts). Additionally, because the server gives the phone an invalid download location for the target file, the phone ultimately ignores every request, so none of this interaction with the intended recipient’s phone shows up as a notification on his or her screen.
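The two weaknesses in that description, per-digit feedback and no lockout, are what make the guessing cheap. The toy model below is an example added to this post, not Apple's protocol or the researchers' code: the `LeakyReceiver` and `HardenedReceiver` classes and the sample key are assumptions constructed for illustration. It counts how many guesses each design lets through when the only answer the device gives is accept or reject.

```python
import hashlib
import hmac

HEX_DIGITS = "0123456789abcdef"
KEY_LEN = 64  # the article describes a 64-digit key


class LeakyReceiver:
    """Toy device: reveals whether the guessed digits are right so far and
    never limits attempts (the behaviour the article describes)."""

    def __init__(self, key):
        self._key = key
        self.queries = 0

    def accepts(self, guess):
        self.queries += 1
        return self._key.startswith(guess)


class HardenedReceiver:
    """Toy device: one constant-time check of the whole key, plus a lockout."""

    def __init__(self, key, max_failures=5):
        self._key = key
        self.max_failures = max_failures
        self.failures = 0
        self.queries = 0

    def accepts(self, guess):
        if self.failures >= self.max_failures:
            raise PermissionError("locked out after repeated failures")
        self.queries += 1
        ok = hmac.compare_digest(guess.encode(), self._key.encode())
        if not ok:
            self.failures += 1
        return ok


def guesses_needed(receiver):
    """Try to confirm the key one digit at a time.

    Returns (key or None, guesses the receiver processed)."""
    known = ""
    try:
        while len(known) < KEY_LEN:
            for digit in HEX_DIGITS:
                if receiver.accepts(known + digit):
                    known += digit
                    break
            else:
                return None, receiver.queries  # no digit confirmed: no signal
    except PermissionError:
        return None, receiver.queries
    return known, receiver.queries


# Constructed sample key (64 hex digits), not a real iMessage key.
SAMPLE_KEY = hashlib.sha256(b"constructed sample key").hexdigest()

if __name__ == "__main__":
    key, used = guesses_needed(LeakyReceiver(SAMPLE_KEY))
    print("leaky receiver: key recovered =", key == SAMPLE_KEY, "after", used, "guesses")
    key, used = guesses_needed(HardenedReceiver(SAMPLE_KEY))
    print("hardened receiver: key recovered =", key is not None, "after", used, "guesses")
    print("blind search space without feedback:", 16 ** KEY_LEN)
```

With per-digit feedback the key falls in at most 64 × 16 = 1,024 guesses, while the all-or-nothing check with a lockout gives no partial signal and stops after five.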

 

The fix

The controlled hack clearly shows how important it is to download and install patches for your devices, as encryption may not always be perfect. There will always be security holes and hackers to find them. While Apple said it partially fixed the problem when it released its iOS 9 operating system, it aims to fully address the problem through security improvements in its latest operating system (iOS 9.3), which users should install as soon as possible to fix the major flaw.

The good news is that iOS 9.3, released by Apple today along with a parallel update for the desktop version of iMessage, fixes the flaw which was allowing encrypted content to be unscrambled. The bad news is that those who have not installed the update on both their iPhone and their OS X iMessage client could still potentially have files that are sent to them decrypted using the technique.

FYI note: The recipient (not the sender), is the one whose devices must be patched to fully prevent the attack.

 

If you have yet to be notified of the new software, you can get the update now through the “Settings > General” menu, and read more on the Johns Hopkins research team’s blog detailing their attack on Apple’s iMessage.

 

Sources

[1] Washington Post

[2] RT

[3] Sky News

[4] Wired

[5] Tech Crunch