Talking at cross purposes: Where credit union cybersecurity goes awry

by Robert McGarvey

For years I have pondered a puzzle: financial institutions spend heavily on cybersecurity and employ wonderfully smart and talented people, yet the results are not as good as one would hope.

Frequently financial institutions simply are whipped by their criminal opponents.

Just look back on how DDoS (distributed denial of service) attacks brought innumerable institutions to their knees a few years ago. It took months for credit unions to get it together and repel the attacks.

Then look at ATM jackpotting. New account opening fraud. ATM skimming. The list could go on and on but you get the message: criminals often outwit credit unions and banks and that is despite the money spent and the talent employed.

Why don’t credit unions gain the upper hand?

Hear the related podcast with Authentic8 CEO Scott Petry here.

A new report, sponsored by cybersecurity firm Authentic8 and based on a survey of 163 financial services professionals, tackles just that question: why do financial services firms so often fall victim to cyberattacks?

Here’s a hint at the reason: “Financial firms have some of the best-funded IT departments of any industry, that’s no secret,” said Scott Petry, CEO of Authentic8. “What’s perplexing to me, with data breaches and privacy violations at an all-time high, is how deep the divide still runs between IT, compliance and legal professionals in many firms.”

The report’s title spells out the problem: “Surprising Disconnect Over Compliance and Secure Web Use at Financial Firms.”

Keep reading at CUInsight

Why Hoteliers Suck at Tech

by Robert McGarvey

Just one quotation in a Hotel Management “think” piece on hotels and tech (“HM roundtable takes look at transformative technology“) tells us all we need to know about why hotels so often fumble tech innovation and play catch up, perhaps for decades.

I give you in-room phones, in-room TVs with content to sell us, lame and unsafe hotel WiFi, unreliable room key cards, resistance to voice controls, and the list goes on and on.

Why is the question.

Mike Mueller, president of Wyndham’s Super 8 brand, pithily tells us exactly why. In the article’s words: “Mike Mueller, president of franchised economy brand Super 8 by Wyndham, observed it’s often difficult to get buy-in from owners on new technology. ‘We have to prove out that the investment is going to have [a return on investment] before we ask somebody to make that investment. So, we spend a lot of time thinking about how do we introduce new opportunities at our hotels that guests are willing to pay more for? Because if they’re not willing to pay more for it then we shouldn’t really be doing it,’ said Mueller.”

That’s saying if we can’t monetize it we ain’t doing it.

I don’t mean to pick on Mueller. I’ve heard exactly the same from various senior hotel execs, generally off the record. Mueller is on the record so he gets the bullseye on his back. But know that he is just one of many singing the same sad song.

Here is how miserly hotels are regarding security: “Data from Statista presented to the Business Travel Association’s winter conference in London revealed food and hospitality companies had only invested an average £1,080 in internet security during 2019 – the least compared with 11 other sectors including construction and education.”

Dead last. How did the industry get to this woeful state?

Because most hotel groups are “asset light” – meaning they manage but don’t own their properties – they must persuade the owners to spend on upgrades, and owners, they say, don’t want to open their purses unless they are shown the ROI. No ROI, no spend.

So it’s our fault hotel technology sucks because we won’t pony up for better. So they seem to say.

Let me ask you: are you willing to pay more for secure hotel computer technology so that your personal information is not feasted on by hackers – and hackers have been pillaging hotel data for years, including that of Wyndham’s guests?

Of course you aren’t willing to pay more, because the safety and security of data entrusted to a third party such as a hotel should be accepted as an obligation on the part of that third party (a bank, a retailer, and of course a hotel).

Even giant Starwood suffered a breach of its guest reservations system that apparently began in 2014 and lasted at least into 2018.

And little operations too have been breached – the Trump hotels for instance suffered three breaches in as many years.

Let me ask you this: do you feel your data is safer today at a hotel than it was a half decade ago? I do not. Hotels simply do not have the appetite to aggressively spend on combating hackers – and we are the victims.

The hacks keep happening.

That’s not the only example. A few years ago I bluntly asked a very senior hotel executive – this was a personal conversation, not on the record – why his hotels’ WiFi sucked. It was so bad I couldn’t imagine anyone using it. He agreed. But he added there was nothing that could be done because the owners were not willing to spend on upgrades.

I hear the same about the key cards that fail – not our fault, owners won’t pay for mobile door locks.

I have to wonder if part of the popularity of Airbnb with many consumers is that some of those owners are investing in 21st century technology.

The reality is that most of the tech investments I personally make don’t have a significant ROI. But they do make my life a bit easier. Do I need an Alexa or Google device in every room in my home? Nope. But they are there because I like the convenience of asking for a light to be turned on or for a weather report.

I’d like same in my hotel rooms but, no, I’m not willing to pay extra for it.

I invested in Google mesh to upgrade my home/office WiFi because I wanted the speed. Is there an ROI? Maybe, maybe not. But I sure do like the speed.

The bottom line for hoteliers is that technology nowadays is a necessity. In 1970 would a guest pay more for a room with AC? I doubt it. In 1950, maybe. In 1970, nope. He/she just wouldn’t book a room in a hot place that didn’t have it.

That’s the real message for hoteliers to smack owners with: spend on technology or lose guests. Deliver fast WiFi, strong cellular signals, mobile door locks, voice controlled lights and drapes, and all the rest of the cool stuff I have in my home.

Or I will go elsewhere for it.

I won’t pay more for it. I just won’t pay anything when it’s absent. I’ll stay elsewhere – and I believe so will increasing numbers of guests.

Upgrade or perish.

CU 2.0 Podcast Episode 75 Milind Borkar Illuma Labs

Passwords are broken. You know that.

But do you know call centers are heading that way?

Call centers are under attack by criminals. Smart criminals. And they are targeting credit unions.

Credit unions are responding by asking members ever harder questions. Just one problem. As the questions get more obscure – what was the make of the second car you owned? – more members give wrong answers.

Fraudsters incidentally often can perform quite well on these tests because they have amassed data via the dark web.

They probably know the name of that kindergarten teacher whom you have forgotten.

Tough questions are no cure.

The better solution is to implement biometric authentication that eliminates the need to answer a series of obscure questions. Enter Illuma Labs, which is focused on helping small and mid-sized financial institutions – that means you, credit unions – implement passive voice recognition.

Passive recognition means it happens in the background; the member needs to do nothing special. In a matter of seconds he/she is authenticated and you can get down to business.

That means quicker call times, lower costs, happier members and happier call center staff.

This podcast is a guided tour into how voice rec works, how to implement it quickly and at low costs, and why this is the 21st century solution to a lot of the fraud credit union call centers are experiencing.

Listen here

Like what you are hearing? Find out how you can help sponsor this podcast here. Very affordable sponsorship packages are available. Email rjmcgarvey@gmail.com

Find out more about CU2.0 and the digital transformation of credit unions here. It’s a journey every credit union needs to take. Pronto.

Cybersecurity in 2020, Roadwarrior Edition

By Robert McGarvey

Now is the time to take stock of our defenses and I’m not talking about pickpockets and hotel safe thieves. What I mean is guarding against cybercriminals who, unfortunately, prey on business travelers particularly – everywhere from coffee shops to airports to hotels, even whole foreign countries.

A few steps will keep your data safe on the road, and that data is vastly more valuable than the devices themselves. At least that is true in my case, where I usually travel with a five-year-old Chromebook, sometimes an iPad Air 2, neither having much value. The Pixel 3 XL phone has a little value but not much. A suggestion: always travel with disposable tech gear that you won’t miss.

It’s the data that I am concerned about because a criminal could feast on my financial accounts and maybe find a way to monetize data gleaned from emails and documents, many thousands of both on my devices.

Here are my steps towards safe travels.

Countries That Spy on You

Whole countries? You bet. Visit China and you will hear that the “Great Firewall” means you cannot access Gmail and lots of other websites. You will also hear that, psst, use a VPN – only certain vendors pass muster and the list is a changing target – and you will be able to surf to Gmail, Facebook, you name it.

But you have to wonder: is the Chinese government monitoring that VPN traffic and do they have keys that decode it?

Know too that high-level security consultants – with clients inside the Beltway and on the highest floors of Fortune 100 office towers – urge their clients to bring a clean computer and a clean phone, no business data on either, and to never access sensitive information while in China because your devices will be copied on your travels.

Not might be. Will be.

Maybe not the gear of Bob Schub, average citizen, but if there is a reason to think you might have interesting info on your computer or phone, know it will be copied.

Do not bring your every day business computers or phones to China. Don’t.

China is not alone. Here’s a map of the world with nations that heavily monitor Internet traffic highlighted. There are places you might not go – Saudi Arabia – and there are places you might go that monitor at least some traffic (Russia, Turkey). Know before you go and, when in doubt, use clean devices when traveling overseas.

Password Protect Your Phone

At least once a month a friend or neighbor asks me, what do I do, I was traveling and I lost my phone?

Sometimes they say it was stolen.

It doesn’t matter.  You probably will never see it again.

Know this happens, take steps now to protect yourself.

Set up Find My Device (Android) or Find My iPhone in Settings. Now. When you lose a device it may help you find it and – crucially – it may let you wipe the device remotely, which means erasing all personal data.

Also, lock the phone with a PIN or biometric, in Security (Android) or Touch ID & Passcode, or Face ID & Passcode on newer iPhones (Apple). On current iPhones and Android phones the passcode also protects the keys for the device’s storage encryption, so a thief who cannot unlock the phone gets hardware, not data. That simple step will keep most criminals away from your data and, in most cases, they only want the phone hardware anyway.

The data is more valuable than the hardware but most criminals are grab and run small change crooks and that’s the good news.

Just take the two simple steps above and, yes, you can cry about losing a $1000 piece of hardware but at least your data and bank accounts will stay safe and that is what matters.

Never Use a Public Phone Recharging Station

You see them in airports, also at meeting venues. Don’t use them. A USB port carries data as well as power, so an unknown charging station is an unknown computer you are plugging your phone into. It’s tempting. Your phone is beeping for juice. Just let it die. Or always carry a plug, as I do (a battery pack or a charge-only cable with no data lines serves the same purpose). Often there are two in my bag. They do get forgotten in hotels, so a spare is a good idea. And if the phone asks whether to trust the connected device, the answer is no.

Don’t Use Public WiFi

Never, don’t.  That means no public WiFi at airports, coffee shops, and definitely not hotels.

You say you are protected because you use a VPN. Good luck with that (read about China above). Know that there are known vulnerabilities in consumer-facing VPNs and there also are vulnerabilities in enterprise-grade VPNs.

Personally I sometimes use Google’s VPN on a Google Fi phone when accessing the Internet but generally I am reading the news or checking a website and if that traffic is hijacked, so be it.

My preference is to create a cellphone hotspot and access the Internet via cellular data networks. A few clicks in settings and you are in business.

You may think public WiFi is faster, and of course it usually is cheaper. There is one way to use public WiFi with far less risk – read the next step.

Use a Secure Cloud Based Browser

When on the road and accessing sensitive data via public WiFi, I use Silo, a remote browser that processes all data remotely, in the cloud. (Here’s a paper on the technicalities.) It then transmits an encrypted display of the data to you so you “see” the web page, but any computing functions have occurred in the cloud, at a remove from your computer.

There are other remote browsers.

Whichever you use, know that when you look at a page with toxic code, no prob, the bad stuff happens in the cloud. Not on your computer.

And eavesdroppers – who often listen in on public WiFi sessions – will only see an encrypted data stream that won’t mean a thing to them.

That’s five steps. Take them and there is still no guarantee of data security on the road. But you can know you are taking steps to secure your phone, your computer, your Internet traffic. And that puts you in a safer place than 99% of travelers.

Immobile mobile banking: Stuck in the mud

by Robert McGarvey

How many of your members do most of their banking via a mobile app?

How many should?

Milestones to remember before answering:

  • iPhone introduced June 2007
  • SMS banking via phone debuted in Europe 1999
  • Mobile banking smartphone apps take off in 2010

We are 20 years into the banking-by-mobile revolution and 10 years into the banking-by-smart-app revolution, so tell me this: why do roughly half of us not use a mobile banking app, according to a 2018 Harland Clarke report?

About half plain never use the thing.  Never.

Continued at CUInsight

Meetings WiFi Sucks – So What?

by Robert McGarvey

The question isn’t does meetings and events wifi suck – of course it does – the real question is why and maybe, honestly, the realer question is so what?

Let’s unravel this. For at least a decade event attendees have kvetched about wifi – mainly its slowness, sometimes its plain unavailability. I still recall, with a crooked smile on my lips, a travel tech conference I attended around 10 years ago at a plush Scottsdale meetings hotel where even the press table lacked wifi. Picture a half dozen travel tech reporters cursing and, well, you have the picture. Personally I giggled because I knew what I was witnessing was a lot better story than what I would have filed had the press table been equipped with functioning wifi.

The venue simply had underestimated demand for wifi and the demand crushed the inadequate signal that was provided.

How funny is that at a tech conference? Of course even I started to curse when I discovered my cellphone hotspot had no signal in the hotel basement where this event was held.

Incidentally, I don’t think that hotel was doing anything nefarious to block my hotspot – I believe it was just the location. But know that in the past some hotels in fact have blocked hotspots and had their wrists slapped by the FCC. Marriott even paid a $600,000 fine for such misdeeds.

Flash forward to now and I believe the usual wifi problem remains too many devices accessing too anemic a signal. Why? Usually it’s an unwillingness to spend what would be required to provide an adequate signal. That was true in 2009 and it is true today. In fact not much has changed over the past decade. Ask event planners: some 58% of meeting planners say weak or unavailable wifi has negatively impacted their events, according to data via EventMB.

This is an occasion for much teeth gnashing – vide the recent Skift article, Why Is Wi-Fi at Events Still So Bad? Reported Skift: “Sluggish internet speeds, a network that suddenly cuts out, and odd corners of the room that somehow have adequate service as long as you hold your phone at a specific angle. These are the problems that nearly every conference attendee, trying in vain to use the provided Wi-Fi, has faced at least once, especially at a large event.

“In fact, providing good Wi-Fi is one of the top challenges meeting planners face, with over half reporting ongoing issues with it.”

But maybe it is for the better entirely.

How so? There’s a long history of fake and malicious event wifi, usually aimed at harvesting user login data, sometimes with loftier aims such as downloading malware to users’ computers. It’s easy enough. Under $1000 in gear, usually tucked in a cheap travel bag, will create the wifi network; then name it Free Event WiFi or [Hotel] Meetings WiFi.

If you build it, and say it is free, they will log in.

There’s also no real guarantee of safety when using genuine event wifi. Public wifi networks – especially at hotels (airports too) – have a long history of hacker eavesdropping. Public wifi just is not safe. Is it fine for checking scores on ESPN and the front page at WAPO? Probably. How about your checking account? Nope.

What about company email? Nope.

Here’s the deal: I don’t whine about feeble event wifi because, very probably, I won’t use it. I prefer to use a cellphone hotspot. Sure, I pay a few cents in data use – but to me that is a small price to pay for enhanced security.

When the cellphone hotspot isn’t powerful enough, lately I’ve used the built in VPN on my Google Fi phone to add protection to wifi access. Sure, I know VPN isn’t the security fix-all – but when public wifi is all I have on my cellphone I will use VPN to add at least a little security. And I will still mind what sites I access. My rule of thumb: if you don’t mind if a cyber criminal is looking over your shoulder as you surf, the sites are fine for access via public wifi with a VPN.

Bottomline: event wifi sucks. But that is okay by me. I don’t trust it, I urge you to similarly approach it with suspicion, and that is how to stay safe. If use it you must, use a VPN – even better use a secure browser such as Silo.

But stop complaining. Accept that wifi at your next event will suck, and be thankful. When you don’t use it, it can’t be used against you.

The Eyes Have It: Cameras Are Spying on Travelers

By Robert McGarvey

On a May 5th United flight from San Diego to Houston, an unnamed female passenger in first class entered the bathroom where she noticed a blinking blue light. She did not know what it was but she took the device to the flight crew. United Corporate Security subsequently determined it was a video recording device.

Then, per a document compiled by the FBI, “After viewing the information on the device, a male was caught on video installing the device in the first class lavatory of this particular flight.”  Apparently the man’s face wasn’t visible but – using his clothing and also jewelry – an ID was made. The arrest of Choon Ping Lee, who works for Halliburton, an oil field service company, followed.  

Creeped out? Justifiably. But here’s the grim reality: throughout your travels, very probably you are being spied on.  In some cases it’s by state sponsored security forces. In other cases it’s by miscellaneous creeps, perverts, and miscreants.

Does it really matter who?  Is it more comforting to know the Chinese government has eavesdropping devices in your Beijing hotel room – which it probably does and it also probably has your cellphone tapped – than it is to know that your Airbnb host is a perv who has cameras in rooms?

Guess what, it’s nothing new. In 1983 I co-wrote a book called The Complete Spy, which detailed the hundreds of legally available devices that let ordinary citizens spy on their spouses, children, neighbors, co-workers, bosses, you name it.  A theme of the book was that our privacy was evaporating and we seemed uninterested in fighting back.  

It is much, much worse today.

You don’t have to be Erin Andrews to have your privacy robbed. But a takeaway from the Andrews caper is that a determined eavesdropper can – with few roadblocks – easily spy on us in hotels. And spying in hotels is surprisingly common.

There’s even a claim that a hidden camera was found in a cruise ship cabin.

Why would anyone want to spy on me or you? Who the hell knows.  

Some nation states spy compulsively.  The Soviet Union and East Germany did it routinely (and if you visited either, you were eavesdropped upon. This is beyond question).  Today, Russia ranks high among nations that eavesdrop on foreign visitors. But China does likewise (maybe even more so).  The Saudis do too. Ditto the Israelis.  But you also hear about the French, Singapore, and many, many more nations. It’s not just nation states however.

As for who else eavesdrops in hotels, it can be anything from a business competitor to a jealous spouse or a just plain weirdo.  Remember Gay Talese’s The Voyeur’s Motel, where he documents a motel owner who systematically spied on guests.

Don’t say it can’t happen where you are staying. Especially not now that spying has gotten easier.

What’s new today is that eavesdropping has become very cheap and very low skill.

Around $40 will buy you a perfectly good spy camera.

For a few extra bucks, you can get a camera disguised as a clock or a bluetooth speaker.

Such cameras are usually wireless and battery powered. It takes essentially no skill to set up a camera.  

That’s a scary difference. A generation ago, cameras were expensive but also high maintenance.  Now cameras are installed by dropping them in place and, very probably, forgetting about them. Who needs to retrieve something so cheap?

How can you fight back?  The good news is that self-defense detection weaponry too is proliferating.

Now for Spy vs. Spy. There is plenty of technology that says it can find hidden eavesdropping technology, and that has a prima facie credibility in that these devices typically connect via WiFi and/or Bluetooth. A device, or app, that hunts for Bluetooth and WiFi in the immediate vicinity may well pinpoint a nearby camera. The caveat: a camera that records to a memory card and never transmits gives a radio scanner nothing to find.
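A worked illustration of the two radio-side checks raised here and in the Meetings WiFi piece above (the fake “Free Event WiFi” network, and the app that hunts for nearby WiFi radios), as an added example that is not from these articles or from any detector vendor: the Python below triages a WiFi scan. The scan text, its “SSID|BSSID|RSSI|SECURITY” layout, the -45 dBm “same room” threshold and every network name and MAC address are constructed for the example; real scanners (`nmcli dev wifi`, `iw dev wlan0 scan`) print different formats, so only the parser would change.

```python
"""Triage a WiFi scan for two travel risks: look-alike "evil twin" access
points and a strong, unfamiliar radio in the room (many cheap cameras join
or broadcast WiFi). Added example; the scan and all addresses are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample scan in "SSID|BSSID|RSSI_dBm|SECURITY" form: a hotel's
# legitimate network (three APs from one maker OUI, all WPA2), an open AP
# reusing the hotel's exact SSID, an open look-alike name, a very strong
# hidden-SSID radio with an OUI nobody else uses, and a distant neighbour.
SAMPLE_SCAN = """\
Hotel_Guest|00:11:22:aa:01:01|-62|WPA2
Hotel_Guest|00:11:22:aa:01:02|-71|WPA2
Hotel_Guest|00:11:22:aa:01:03|-80|WPA2
Hotel_Guest|de:ad:be:ef:00:01|-48|OPEN
Hotel Guest Free|de:ad:be:ef:00:02|-50|OPEN
<hidden>|02:ca:fe:12:34:56|-35|WPA2
Cafe_Corner|66:77:88:00:00:01|-85|WPA2
"""


def parse_scan(text):
    """Parse 'SSID|BSSID|RSSI|SECURITY' lines; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, rssi, security = (p.strip() for p in line.split("|"))
        bssid = bssid.lower()
        records.append({
            "ssid": ssid,
            "bssid": bssid,
            "oui": bssid[:8],          # first three octets identify the maker
            "rssi": int(rssi),
            "security": security.upper(),
        })
    return records


def _normalize(ssid):
    """Lower-case and strip punctuation so 'Hotel Guest Free' ~ 'hotelguestfree'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def find_evil_twins(records, expected_ssid):
    """Return human-readable findings for APs impersonating expected_ssid.

    Rule 1: one SSID served by a mix of OPEN and encrypted APs. Legitimate
    roaming networks use many BSSIDs, so BSSID count alone proves nothing;
    an encryption mismatch under one name does.
    Rule 2: a different SSID whose normalized form contains the expected
    name, e.g. 'Hotel Guest Free' next to 'Hotel_Guest'.
    """
    by_ssid = defaultdict(list)
    for r in records:
        by_ssid[r["ssid"]].append(r)

    findings = []
    want = _normalize(expected_ssid)
    for ssid, aps in by_ssid.items():
        securities = {a["security"] for a in aps}
        if "OPEN" in securities and len(securities) > 1:
            for a in aps:
                if a["security"] == "OPEN":
                    findings.append(
                        f"{a['bssid']} serves '{ssid}' OPEN while other APs "
                        f"use {sorted(securities - {'OPEN'})}")
        if ssid != expected_ssid and want and want in _normalize(ssid):
            for a in aps:
                findings.append(
                    f"{a['bssid']} uses look-alike name '{ssid}' ({a['security']})")
    return findings


def find_strong_unfamiliar(records, expected_ssid, rssi_threshold=-45):
    """Return radios that are both very close and not venue infrastructure.

    Assumption: RSSI at or above -45 dBm means roughly 'in the same room'.
    The venue's maker OUIs are learned from the APs carrying expected_ssid
    with that SSID's most common security setting (so a rogue OPEN AP
    reusing the name does not teach us its OUI).
    """
    venue = [r for r in records if r["ssid"] == expected_ssid]
    if not venue:
        return []
    common_sec = Counter(v["security"] for v in venue).most_common(1)[0][0]
    infra_ouis = {v["oui"] for v in venue if v["security"] == common_sec}
    return [r for r in records
            if r["rssi"] >= rssi_threshold and r["oui"] not in infra_ouis]


def triage(scan_text, expected_ssid):
    """Run both checks and return a report dict."""
    records = parse_scan(scan_text)
    return {
        "evil_twins": find_evil_twins(records, expected_ssid),
        "close_unfamiliar": [(r["bssid"], r["ssid"], r["rssi"])
                             for r in find_strong_unfamiliar(records, expected_ssid)],
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_SCAN, "Hotel_Guest").items():
        print(section)
        for item in items:
            print("   ", item)
```

Run against the constructed scan, the report lists the open AP reusing the hotel’s name and the “Hotel Guest Free” look-alike under evil_twins, and the hidden -35 dBm radio under close_unfamiliar. A legitimate network with many same-name, same-security access points produces nothing, which is why the check keys on an encryption mismatch rather than on how many BSSIDs share a name; and, as the text above notes, a camera that never transmits will not appear in any scan, so the physical look around the room remains the final check.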

Some also hunt for a glint from the lens of a hidden camera and they just may find them.

But they may not. The better, pricier eavesdropping tools are built to foil the cheap detectors.

Dial up the price of the detector to north of $50, or even better, north of $100 and your odds of finding spy gear escalate.

Experts also recommend an old-fashioned physical inspection. Look for what’s out of place – a blinking blue light in a United lavatory – and you’ll hit the bullseye without any tech.

But even with preventative steps, don’t count on having privacy wherever your travels take you.  For 40 years people have asked me what I do to avoid being spied upon. My answer has always been the same: nothing.  I assume I may be spied upon, I act accordingly, and if I am spied upon, so be it.

I really cannot think of any surer strategy. Especially not today.  

Sign Off That Hotel WiFi Right Now!

by Robert McGarvey

If you are reading this on hotel WiFi, sign off now. A new Bloomberg report underlines how porous hotel WiFi networks are. This is a long look at the problem and that’s good, because it is a grim reality that savvy travelers need to know about.

Do you care if hackers have your credit card numbers, maybe passport info, possibly driver’s license details, hotel loyalty program login and password, and probably more? Because they do. Because hotels do not care about your privacy. They just don’t.

Of course this week’s news is about airlines and breaches – specifically BA – and they have a sorry history of poor defense against hackers. Don’t get distracted however. Airlines are bad at this. But hotels are simply the worst.

Forgive me a Cassandra moment. I have been writing about how much hotel WiFi sucks for at least a decade. The stories are manifold and they always say the same: hackers long ago figured out that hotels have essentially no protections on their wifi networks so it is very much a wild west where an Internet caveat emptor prevails.

Except the odds are stacked against you: the hackers are very good at their work, which is stealing salable data. Hotels are very bad at protecting our data. Hotel group after hotel group has fallen victim to hackers. Trump. Hard Rock. Hilton. Marriott.

Information security blogger Brian Krebs has reported that the Marriott (Starwood) breach involved 500 million of us.  

In a mea culpa, Marriott said: “The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.  For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.  For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.  For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”

As for who hacked these hotels, nobody knows.  In many cases it doubtless is ordinary, common criminals.  In other cases, something else may be afoot. Noted Bloomberg: “Marriott hasn’t found any evidence of customer data showing up on dark-web marketplaces, CEO Arne Sorenson told a Senate committee hearing in March. That sounds like good news but may actually be bad. The lack of commercial intent indicated to security experts that the hack was carried out by a government, which might use the data to extrapolate information about politicians, intelligence assets, and business leaders.”

Yep. The Chinese are believed to be voluminous acquirers of data. But the Russians aren’t slouches. Several European governments are in the game too. And the US government increasingly is active. In that last case it is difficult to see a hack on a domestic company. But impossible? Not really.

Understand this: hotels are truly bad at protecting data. It’s an industrywide malady.  And hotels are lots worse than most other industries. Bloomberg posits a theory: “Hospitality companies long saw technology as antithetical to the human touch that represented good service. The industry’s admirable habit of promoting from the bottom up means it’s not uncommon to find IT executives who started their careers toting luggage. Former bellboys might understand how a hotel works better than a software engineer, but that doesn’t mean they understand network architecture.”

That rings true to me.

Bloomberg went on: “There’s also a structural issue. Companies such as Marriott and Hilton are responsible for securing brand-wide databases that store reservations and loyalty program information. But the task of protecting the electronic locks or guest Wi-Fi at an individual property falls on the investors who own the hotels. Many of them operate on thin margins and would rather spend money on things their customers actually see, such as new carpeting or state-of-the-art televisions.”

In the big chains the vast majority of hotels are owned by “asset holders” – everything from pension funds and big insurance companies to wealthy individuals.  They have to be persuaded to fund big ticket campaigns. And often they haven’t been.

The result in the hotel business is a patchwork of old, cruddy, unreliable technology.

But you do not have to be a victim. There is nothing we can do to strengthen the defenses around a hotel’s property management system, etc. But we can take steps to protect ourselves when it involves WiFi.

You have three options.  Definitely use them in hotels, but also in airports, coffee shops, and airport lounges. I don’t guarantee your safety but I promise you will be much, much safer than if you don’t take such steps.

  • Create a personal hotspot with your cellphone and log in via it. Cellular data is much, much more secure than is hotel network data. Not perfect. But good enough for most of us. This has been my go-to for some years.

  • Use a VPN, a virtual private network. There are known limitations to the security delivered by VPNs. I personally no longer use one. But I know many companies require their traveling execs to use a VPN and if that’s policy, it is much, much better than logging on naked to a hotel network.

  • Use Silo or a similar secure browser. The secure browser processes all web data inside a secure container, so even if a user accesses malware it’s no harm, because the data won’t reach the user’s computer. Silo also encrypts traffic to shield it from prying eyes. For web browsing, a tool such as Silo offers more robust protection than do VPNs; note, though, that it covers only the browser, so traffic from other apps on the device, a mail client for instance, still needs the hotspot or the VPN. (Note: I have been paid by Silo’s developer for past work. That company had no involvement in this column and did not pay me for this.)

That’s three choices. On your next hotel stay when you log into the Internet use one of the three and know that you will be a lot safer than the guests who log straight into the hotel’s network. There is no excuse for not protecting yourself. Not when you know just how perilous hotel networks are and will almost certainly remain.