Bungled bank robberies


There’s nothing quite so entertaining as an incompetent bank robber. Alas, as digital banking marches forward, we may see fewer and fewer of them. Before the art all but disappears, here are some favorite tales of mishaps and ineptitude.

• Never underestimate a teller. In Dallas, a would-be robber demanded a teller hand over the money in her till. Fine, she said, but first she would need to see two forms of ID. Which—I’m not making this up—the man produced. She took her time copying down his information, giving police plenty of time to greet him as he exited the bank. AOL.

• The Royal Bank of Scotland in the town of Rothesay has two unique robbery prevention devices. One is a revolving door. A trio of men bent on robbing the branch entangled themselves in it and needed help from bank staff to free themselves. A bit embarrassed, they left to regroup. They successfully navigated the door on their second foray, although it took some doing to convince amused bank personnel that they were serious about committing robbery. It was then that the second prevention device, a counter, went to work. It dealt a broken ankle to the robber who tried to jump over it. His accomplices tried to flee, but in their haste forgot to beware the revolving door. They remained trapped until police came. Anvari.

• After dashing out of a Virginia Beach bank with stolen cash, a robber decided he’d better return and retrieve his robbery note. Whew, he must have thought, that was close. His next thought might have been, Crap! I left the car keys at the bank. Opting not to return for them, he ran home and told his roommate that someone had stolen the car. The roommate, who was the car’s owner, reported the alleged theft. Police found the car, matched it to the keys left at the bank, and arrested the robber. The roommate was no doubt relieved to be spared the uncomfortable “you’ll need to find someplace else to live” conversation. Dumb Criminals.

• The car keys thing may be going around. In January of this year in Taylorsville, Utah, a man left his car keys at the credit union he had just robbed. Taking off on foot, he snagged and tore his bagful of cash. He could only watch (and, possibly, swear a blue streak) as the wind carried some of his booty into the hands of eager passersby and the rest of it down a storm drain. To add to his ill luck, police promptly apprehended him. With this incident and his already-lengthy criminal history, I suspect he is in jail as I write. Miami Herald.

• The note seemed clear enough: “I have a gun. Gimme your money or else.” But to the robber’s bafflement, the teller handed back the note unread. This was Harbor Bank of Maryland, she explained, and she couldn’t accept a Maryland National transaction slip (on which he’d written the unread demand). The man took his note and left, leaving the teller unaware that she had just thwarted a robbery attempt. We’d be unaware, too, and the would-be robber might not have been apprehended if not for a woman who, waiting in line behind him, read the note over his shoulder. Baltimore Sun.

• Two of my favorites happened close to home in Salt Lake City. In one, a man handed a robbery note to a teller only to learn, the hard way, that two armed FBI agents were in line behind him. In the other, a man ordered a teller to empty her till into a paper sack. When she handed him back the sack, he shoved it down the front of his pants and fled the bank. Seconds later, he, too, learned something the hard way: Dye packs burn at about 400 degrees. Apprehending the man wasn’t difficult. Neither was identifying him. Personal conversations.

• Thieves who rely on robbery notes would do well to invest in blank paper. A man arrested in Englewood, Colorado, wrote the robbery note on one of his personalized checks. To his credit, first he blacked out his name. Not to his credit, he didn’t black it out very well. Neowin.

• Another fellow at least had the good sense to use a nameless starter check. But the thing about checks, even starter checks, is that they have account numbers. Tracing the check’s account number to the thief was an easy matter. Barstool Sports.

• A Pennsylvania robber was smart enough not to use a personalized document, but he managed to make up for it in other ways. Asking the teller for a blank deposit slip, he wrote, “Just give me the money and nothing else will happen”—and then signed his own name. Norfolk Daily News.

I hope you enjoyed reading these anecdotes as much as I enjoyed sharing them. Fair being fair, I’m going to wrap up with a story where ineptitude took place on the side of the law. It happened a while ago, so I won’t be embarrassing any of Idaho’s finest.

You have doubtless heard of Butch Cassidy, famous for making withdrawals at gunpoint. (His former hideout is a few hours’ drive from my home.) In 1896, Cassidy and two accomplices robbed the Bank of Montpelier, Idaho, making off on horseback with $13, worth roughly $352 today. Instead of chasing the robbers on horseback as any sane person would do, the first responding deputy hopped on one of them thar newfangled bicycles. He didn’t get far.

Every town is entitled to its claim to fame. Montpelier celebrates the robbery with an annual Butch Cassidy Cook Off and Reenactment. The town even has its own Butch Cassidy Museum, and, out front, a Hollywood-style sidewalk star pays tribute to the robbery.

Posted in Uncategorized by Matt. No Comments

The CLOUD Act or Look what rode in on the omnibus

You may have heard of the Fourth Amendment. It says, in essence, that if the cops want to search your home, they’d better convince a judge to issue a warrant.

In theory, anyhow. It’s another matter in practice, for things have changed since the Amendment’s ratification in 1792. For instance, we didn’t have trash collection back then. Madison might have been amused—or appalled—to see that, a year short of two centuries later, none other than the U.S. Supreme Court would have to weigh in on when cops can legally dig through your trash.[1]

There were other things besides trash collection that no one foresaw in 1792, such as hidden cameras and microphones, tracking devices, radar that detects motion through walls, and camera-carrying drones, to name a few. And we didn’t have cloud technology.

Warrants collided with the cloud in Microsoft Corporation v. United States of America.

It all began with a 2013 drug trafficking case in New York. The government jumped through the right hoops and obtained a warrant for documents stored on Microsoft servers. Microsoft said—I’m paraphrasing somewhat liberally here—“Sure, fine, you can search our servers located in the U.S., but some of the data you want resides on servers in Ireland, where you have no jurisdiction, so, no.”

A series of suits followed. A federal magistrate judge ordered Microsoft to furnish the data residing in Ireland. Microsoft appealed to a federal district judge, who agreed with the magistrate judge. Next Microsoft appealed to the Second Circuit Court of Appeals. This time, Ireland weighed in, saying they’d kind of like a say as to who accesses data stored on their soil. The district judge overturned the earlier decisions.

So, the government took the matter to the Supreme Court, which heard arguments in February.

A decision is due later this year. Or not.

Microsoft and the government have since filed a motion with the Supreme Court that says, and again I paraphrase, “Yeah, about that? Never mind.”

That’s because the situation appears resolved by the CLOUD Act, a bill quietly attached to the 2,232-page, $1.3 trillion omnibus spending bill that U.S. Congress passed last month. “CLOUD” is for “Clarifying Lawful Overseas Use of Data.”[2] The CLOUD Act lets “qualifying foreign governments” and the United States access information from servers on each other’s respective soil.

In what might at first blush seem a sudden turnabout, the government and Microsoft both support the CLOUD Act. So do Apple, Google, and others. But that would be curious only if Microsoft’s earlier resistance had been grounded on Fourth Amendment principles. It now appears that Microsoft et al. may have been less concerned about individual privacy rights and more concerned about being sued or prosecuted for handing over information. The CLOUD Act provides tech companies complete protection from civil and criminal actions for compliance with government requests.

There are a couple of wrinkles.

Under the CLOUD Act, a “qualifying foreign government” can demand and obtain access to your U.S.-based records without approval from the United States. And, as pointed out by the Electronic Frontier Foundation (EFF) on February 8, not all qualifying governments have privacy laws as stringent as ours.

And then, this question popped into my devious, loophole-seeking mind: Couldn’t a U.S. president skip the whole obtaining-a-warrant thing by asking a foreign country to obtain data—from servers in the U.S.? Apparently the same thing has popped into other devious, loophole-seeking minds. As EFF reported on March 22, this and other issues have more than a few people concerned.

But perhaps we are being unduly paranoid. Never in history have high-ranking U.S. officials abused their power. Right?


[1] Answer: The moment you leave it at the curb. See California v. Greenwood.

[2] Congress and their acronyms. So cute.


Welcome to the Facebook Follies

I needn’t tell readers of this blog what apparently came as news to a U.S. Senator: Advertising revenues keep the lights on at Facebook and account for Mark Zuckerberg’s $62.2 billion net worth.

Nor need I point out that the more targeted an advertising medium, the more valuable it is to advertisers, and that it is with targeting that Facebook shines. 

With every Facebook action, and with every personality test (Which Muppet are you?), users reveal a good deal more about themselves than their fondness for kitten videos. Facebook abounds with opportunities to disclose your age, location, interests, reading choices, product preferences, religion, sexual orientation, political leanings, eating habits, TV and movie favorites, clothing preferences, music choices, favorite activities, travel habits, marital status, and more. That data is compiled, and it is sortable. 

So, say your product is ideal for married vegan Trekkies who like reggae, drive a Prius, and own a dog. Facebook lets you select and show your ads only to people fitting that profile. (I’m not making that up.) That much seems to upset a lot of people, though it needn’t. Each Facebook user is a data point among billions. Advertisers aren’t interested in peering into your individual life. They’re interested in not wasting money trying to sell steaks to vegans.

Data-driven targeting benefits users, too. It cuts down the number of irrelevant ads showing up in your feed. (Yes, without it, you’d see even more irrelevant ads.) It lets you enjoy Facebook—and oodles of content that come with it—without having to shell out. If the thought of your data being amassed no matter how it’s used creeps you out on general principle, that’s one thing. Otherwise, Facebook data gathering is arguably helpful.

Then came Cambridge Analytica.

The seeds for trouble spilled onto rich soil shortly after academic psychologist and data scientist Aleksandr Kogan obtained a boatload of data from Facebook. He obtained it in accordance with Facebook policy, so that much wasn’t the problem. The problem was that then he turned around and gave the data, which wasn’t his to give, to British political consulting firm Cambridge Analytica.

There’s a reason Facebook is in hot water even though it was Kogan who broke the rules. “Unlike other recent privacy breakdowns,” wrote TIME’s Lisa Eadicicco earlier this month,

“… thieves or hackers did not steal information. [Facebook] actually just handed the data over, then didn’t watch where it went.” [Italics added.]

What puts Facebook in even hotter water is that Cambridge Analytica’s clients didn’t use the data to sell mac and cheese or hand soap, but to promote political causes and candidates—from Brexit, to Ted Cruz, to Donald Trump.

(Time to pause for a disclaimer: This isn’t about Brexit or Trump. It’s about data.)

The way Cambridge Analytica may have applied the data has people upset. The New York Times painted a scary picture:

One recent advertising product on Facebook is the so-called “dark post”: A newsfeed message seen by no one aside from the users being targeted. With the help of Cambridge Analytica, Mr. Trump’s digital team used dark posts to serve different ads to different potential voters, aiming to push the exact right buttons for the exact right people at the exact right times.

Imagine the full capability of this kind of “psychographic” advertising. In future Republican campaigns, a pro-gun voter whose Ocean score ranks him high on neuroticism could see storm clouds and a threat: The Democrat wants to take his guns away. A separate pro-gun voter deemed agreeable and introverted might see an ad emphasizing tradition and community values, a father and son hunting together.

In this election, dark posts were used to try to suppress the African-American vote. According to Bloomberg, the Trump campaign sent ads reminding certain selected black voters of Hillary Clinton’s infamous “super predator” line. It targeted Miami’s Little Haiti neighborhood with messages about the Clinton Foundation’s troubles in Haiti after the 2010 earthquake. Federal Election Commission rules are unclear when it comes to Facebook posts, but even if they do apply and the facts are skewed and the dog whistles loud, the already weakening power of social opprobrium is gone when no one else sees the ad you see—and no one else sees “I’m Donald Trump, and I approved this message.”

(Time for another disclaimer: This isn’t about the Republican Party, either. Examples focus on the GOP because in the U.S. Cambridge Analytica refuses to work for other parties.)

The fear is less that dark posts might change minds and more that they might push fence-sitting minds to the message-sender’s side. Cambridge Analytica reportedly knows how to identify and push the hot buttons of large numbers of people by sending them tailored messages. If they present misleading or even false information, there’s pretty much no one to call them on it, because those likely to object don’t see those messages.

This, as reported by Reuters, has not helped ease concerns:

The suspended chief executive of Cambridge Analytica said in a secretly recorded video broadcast on Tuesday that his UK-based political consultancy’s online campaign played a decisive role in U.S. President Donald Trump’s 2016 election victory.

Yet some voices are skeptical.

Vox quite bluntly states, “There’s nearly no evidence these ads could change your voting preferences or behavior.”

To be sure, advertising is oft accused of persuasion power it doesn’t have. And as yet no hard data support the claim that dark posts affected the outcome of the Brexit vote or the U.S. 2016 elections. Consider, for instance, that the first U.S. politician to retain Cambridge Analytica was Ted Cruz. As you may have heard, Cruz didn’t secure the nomination.

For that matter, targeted messaging is nothing new. The only difference is that technology can amass data faster, in greater volume, and in near real-time; has sharpened marketers’ aim; and facilitates matching messages to audiences in a way never before seen.

But it’s equally true that it’s premature to dismiss claims about dark data’s potential to influence undecideds. It may simply be that dark data is so new that there hasn’t been time to execute valid tests. We can assuredly expect those tests very soon.

On a lighter note

Shall we end on a lighter note? Here are three of my favorite questions put to Mark Zuckerberg by U.S. Senators in last week’s hearing:

Is Twitter the same as what you do? —Senator Lindsey Graham, R, South Carolina

I’m communicating with my friends on Facebook, and indicate that I love a certain kind of chocolate. And, all of a sudden, I start receiving advertisements for chocolate. What if I don’t want to receive those commercial advertisements? —Senator Bill Nelson, D, Florida

How do you sustain a business model in which users don’t pay for your service? —Senator Orrin Hatch, R, Utah (where I live). (Zuckerberg: Senator, we run ads.)

How reassuring it is to know that powerful people who don’t understand Facebook are investigating Facebook on our behalf.


Love blockchain? Thank a spammer.

These days blockchain technology shows up in the news with regularity. Deservedly so. It promises a new level of security for a host of online transactions,[1] and not just for cryptocurrency. Blockchain has proved useful for ensuring the security of stock trades, currency exchanges, retail sales, contracts, diamond and gold exchanges, health care data, and more.

Blockchain presents a rather daunting challenge to would-be hackers. It is, essentially, an online ledger with identical copies distributed around the world. Hacking one copy would instantly betray it as out of sync with its myriad copies; and hacking all copies at once is, as of this writing, beyond the technological reach of even the most adept hackers.

In an interview published by Harvard Business Review, Harvard Business School professor and co-founder of the HBS Digital Initiative Karim Lakhani explained blockchain technology this way:

When a transaction is posted on the network between two parties, other nodes on the network compete to solve a mathematical proof that locks that transaction into everybody else’s ledger as well. So if you wanted to go back and hack the Blockchain ledger, you would have to undo every single other prior transaction. And that proof of work and the chain aspect of the block—a block is a transaction—is chained to all prior blocks, is what makes this the interesting technological innovation that the Blockchain is.

Looking for someone to thank for blockchain? Try spammers.

In popular lore, breakthrough technologies are born overnight thanks to a lone visionary. It makes for inspiring storytelling, but it’s almost never true.

Take, for instance, iPhone. IBM explored touchscreen technology for phones 47 years before iPhone’s debut. And the idea for developing touch-screen tablets didn’t come from Jobs. A skunkworks at Apple pursued it in secret until they dared show it to their capricious and unpredictable boss—who at first dismissed it out of hand.[2]

Likewise, contrary to what many believe, blockchain technology didn’t pop into existence overnight, nor did bitcoin’s pseudonymous creator Satoshi Nakamoto invent it. On the contrary, the series of events that led to blockchain as we know it today were set in motion by none other than spam. But then, perhaps email deserves the credit, since spam was set in motion by email’s rapid popularity gains in the early 1990s. (Email was no overnight creation or sensation, either, its having been under development since 1965.)

In 1992, the growing spam problem prompted computer scientists Cynthia Dwork and Moni Naor to produce a paper entitled, “Pricing via Processing or Combatting Junk Mail.” In it, they proposed filtering out cyber attacks by posing problems human minds could readily solve but computers couldn’t. The idea proved useful. Soon dubbed a proof-of-work system, or POW for short, it found its way into a number of applications we now all encounter every day. When you must prove you’re not a robot—say, by correctly typing in CAPTCHA characters or identifying related photos on a grid—you’re dealing with a derivative of Dwork’s and Naor’s proposal.

In 1997, British cryptographer and crypto-hacker Adam Back proposed a proof-of-work-based spam filter he called Hashcash. It proved significant, for Microsoft improved on Hashcash’s technology to create proof-of-work-based spam filters for Exchange, Outlook, and Hotmail. And it was Hashcash’s technology that Satoshi Nakamoto adapted when he (she?) used blockchain as the underlying technology for an electronic P2P-based cash system, namely, bitcoin.
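
The chaining and proof of work described above, as an added sketch that is not code from this blog, from Hashcash, or from Bitcoin: a toy ledger in which each block stores the previous block's SHA-256 hash plus a nonce found by brute force. The 12-bit difficulty, the field names, and the sample entries are assumptions chosen so it runs in well under a second.

```python
import hashlib
import json

DIFFICULTY_BITS = 12      # assumed toy difficulty: hash must start with 12 zero bits
GENESIS_PREV = "0" * 64   # placeholder "previous hash" for the first block


def block_hash(block):
    """SHA-256 over a canonical JSON encoding of the block."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


def meets_target(digest_hex):
    """True when the top DIFFICULTY_BITS bits of the 256-bit digest are zero."""
    return int(digest_hex, 16) >> (256 - DIFFICULTY_BITS) == 0


def mine(prev_hash, data):
    """Proof of work: try nonces until the block's hash meets the target."""
    block = {"prev": prev_hash, "data": data, "nonce": 0}
    while not meets_target(block_hash(block)):
        block["nonce"] += 1
    return block


def build_chain(entries):
    chain, prev = [], GENESIS_PREV
    for data in entries:
        chain.append(mine(prev, data))
        prev = block_hash(chain[-1])
    return chain


def first_invalid(chain):
    """Index of the first block a verifying node would reject, or None if all pass."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        digest = block_hash(block)
        if block["prev"] != prev or not meets_target(digest):
            return i
        prev = digest
    return None


def rewrite(chain, index, new_data, remine_following=True):
    """Alter block `index` and redo its proof of work; optionally redo every later block.
    Returns (new_chain, number_of_blocks_mined)."""
    forged = [dict(b) for b in chain[:index]]
    prev, mined = chain[index]["prev"], 0
    for i in range(index, len(chain)):
        if i > index and not remine_following:
            forged.extend(dict(b) for b in chain[i:])   # later blocks left untouched
            break
        forged.append(mine(prev, new_data if i == index else chain[i]["data"]))
        prev = block_hash(forged[-1])
        mined += 1
    return forged, mined


# Constructed sample ledger entries.
ENTRIES = ["alice pays bob 5", "bob pays carol 2", "carol pays dave 1", "dave pays erin 1"]

if __name__ == "__main__":
    honest = build_chain(ENTRIES)
    print("honest copy verifies:", first_invalid(honest) is None)
    partial, n = rewrite(honest, 1, "bob pays mallory 2", remine_following=False)
    print(f"re-mined {n} block; verification fails at block", first_invalid(partial))
    full, n = rewrite(honest, 1, "bob pays mallory 2")
    print(f"re-mined {n} blocks; chain verifies:", first_invalid(full) is None)
    print("tip matches other copies:", block_hash(full[-1]) == block_hash(honest[-1]))
```

Even the fully re-mined chain ends in a different tip hash than the copies held elsewhere, which is the out-of-sync signal the post describes.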

Today, one industry after another has glommed on to blockchain. As Chief Technology Officer Marc West and I blogged last year for our employer, Fiserv:

Pick a service that involves moving assets, and it’s likely blockchain has the potential to play a role. It could transform person-to-person payments, data sharing, person-to-business money transfers, securities exchanges or even movement of frequent-flyer miles, to name a few …

… The security features work toward enhancing confidence in the network and driving cost benefits in areas such as exchanges. The real-time functionality may lead to shorter, and less costly, settlement cycles on trade day.

… blockchain has transformative potential for those who dig in and understand it. Top organizations are testing its use cases. Now is the time to take a long-term, purposeful approach to finding the most valuable areas and smart ways to leverage the value that blockchains create.

I couldn’t have said it better myself.


ComboJack: Never say never

Never trust an absolute. (Irony intended.)

The historical floor is littered with axioms once immune to challenge because, according to circular reasoning at the time, everyone knew they were true. Take, for instance: Running a mile in under four minutes is physiologically impossible, we’ll never put a human on the moon, only people use tools, guitar bands are on their way out, and there is no reason anyone would want a computer in their home.

Thanks to the ingenuity of the criminal mind, we now have a more recent absolute to discard: Blockchain technology is secure.

Blockchain technology’s roots stretch back to a 1992 idea for combatting junk email, later dubbed a Proof-of-Work system (POW). The original idea was to present challenges daunting to computer but not human processing. Everyone’s favorite annoyance, CAPTCHA, is an example. This in time led to Hashcash, a spam-stopper notably used by Microsoft in various applications. Full-fledged blockchain technology emerged when “Satoshi Nakamoto,” whose true identity remains a mystery, used Hashcash’s proof-of-work function as the mining core for Bitcoin. Medium’s Aleksandr Bulkin wrote:

… the way Satoshi combined [Hashcash’s POW] and other existing concepts — cryptographic signatures, merkle chains, and P2P networks — into a viable distributed consensus system, of which cryptocurrency is the first and basic application, was quite innovative.

Blockchain is “similar to an enormous ledger,” reports Fraedom, that “… stores transaction data across vast networks of computers that constantly check and verify information with each other.” To hack innumerable, identical copies of a transaction spread around the globe is a near impossibility at this time. That is the essence of the technology’s imperviousness to mischief.

It wasn’t long before industries with no interest in Bitcoin nonetheless showed an interest in blockchain. Since its essential features—distribution, transparency, and permission—made online counterfeiting and fraud pretty much impossible, blockchain seemed to promise an ideal way to conduct secure transactions online.

The problem with “pretty much impossible” is those words “pretty much.” Blockchain has not turned out to be invulnerable.

Enter ComboJack

ComboJack may sound like a cholesterol-laden breakfast offering on the menu at Denny’s, but in fact it’s a malware application designed to steal online currency—including Bitcoin, Ethereum, Litecoin and Monero. Self-described next-generation security company Palo Alto Networks discovered the app and named it ComboJack “… because of how it attempts to hijack a combination of digital currencies.”

According to Palo Alto, ComboJack targets cryptocurrencies and online wallets …

… by replacing clipboard addresses with an attacker-controlled address which sends funds into the attacker’s wallet. This technique relies on victims not checking the destination wallet prior to finalizing a transaction … ComboJack targets both a range of cryptocurrencies as well as digital currencies such as WebMoney and Yandex Money.

ComboJack finds its way into computers via an innocent-looking email and is unleashed by clicking on an attached PDF. The malware relies on the fact that humans aren’t fond of typing and retyping digital wallet addresses, preferring to copy and paste them. I wouldn’t call the preference laziness, but pragmatism. Just yesterday, as I moved some cryptocurrency from my Coinbase account to a hardware wallet, I saw for myself how cumbersome those strands of code are for anyone self-punishing enough not to use copy-and-paste.
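
A defender-side view of the swap described above, as an added example that is not code from Palo Alto Networks or this blog: it scans a series of clipboard snapshots for one wallet-shaped string being replaced by a different one of the same kind within seconds, then checks a pasted destination against a labelled address book. The address patterns are simplified assumptions, and the two-second window, function names, and sample addresses are constructed for illustration.

```python
import re

# Simplified address shapes: assumptions for illustration, with no checksum validation.
B58 = "[1-9A-HJ-NP-Za-km-z]"
ADDRESS_SHAPES = {
    "bitcoin": re.compile(rf"[13]{B58}{{25,34}}"),
    "litecoin": re.compile(rf"[LM]{B58}{{25,34}}"),
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "monero": re.compile(rf"4{B58}{{94}}"),
}


def classify(text):
    """Return the currency whose address shape `text` matches, else None."""
    candidate = text.strip()
    for currency, shape in ADDRESS_SHAPES.items():
        if shape.fullmatch(candidate):
            return currency
    return None


def find_swaps(snapshots, window=2.0):
    """Flag an address replaced by a different same-currency address within `window` seconds.

    `snapshots` is a time-ordered list of (seconds, clipboard_text) pairs.
    A person rarely copies two different addresses for one currency back to back,
    so a fast same-shape replacement is treated as suspicious (a heuristic)."""
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        kind = classify(before)
        changed = before.strip() != after.strip()
        if kind and kind == classify(after) and changed and t1 - t0 <= window:
            alerts.append((t1, kind, before, after))
    return alerts


def check_destination(pasted, label, address_book):
    """Compare the full pasted destination against the address saved under `label`."""
    expected = address_book.get(label)
    if expected is None:
        return "unknown-label"
    return "match" if pasted.strip() == expected else "mismatch"


# Constructed sample data: none of these strings is a real wallet address.
USER_BTC = "1" + "UserCopiedThisAddress".ljust(30, "x")
SWAP_BTC = "1" + "NotWhatTheUserCopied".ljust(30, "x")
ETH_A = "0x" + "ab" * 20
ETH_B = "0x" + "cd" * 20
SNAPSHOTS = [
    (0.0, "meeting notes"),
    (10.0, USER_BTC),   # user copies the destination address
    (10.3, SWAP_BTC),   # clipboard rewritten 0.3 s later with another address
    (60.0, ETH_A),
    (95.0, ETH_B),      # same shape, but 35 s apart: an ordinary second copy
    (120.0, "hello"),
]
ADDRESS_BOOK = {"hardware wallet": USER_BTC}

if __name__ == "__main__":
    for when, kind, before, after in find_swaps(SNAPSHOTS):
        print(f"t={when}s: {kind} address replaced: {before} -> {after}")
    print("paste check:", check_destination(SWAP_BTC, "hardware wallet", ADDRESS_BOOK))
```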

On the reassuring side, according to SC Magazine, ComboJack’s “… early results don’t appear impressive.” Still, there is prudence in looking at malware the likes of ComboJack as an initial foray. Nastier iterations are likely coming. For that matter, ComboJack is itself something of an iteration of CryptoShuffler, a trojan that, as also reported by SC Magazine last October, had by then absconded with $145,000 worth of Bitcoin.

As I have noted before, cyber security is an arms race. The moment the good guys come up with new levels of security, the bad guys rise to the challenge and look for ways to beat them. If I had to come up with something positive out of that, I suppose I could say that the perpetual nature of the arms race provides job insurance for both sides.

All of which spells an opportunity in the wallet software space. I’m betting that operating system manufacturers the likes of Microsoft, Apple, Google, and others will not be long in offering support for labeling, or at least simplifying, wallet address management.
