Category: technology

Faster Payments – Will tech eat the banks?

pexels-photo-870902
Checks and Pony Express

At last the big, big tech companies are driving the US Federal Reserve to sponsor and get behind a faster payments initiative.

Amazon, Apple, Google, PayPal, Square, Stripe and Intuit, have all co-signed a letter supporting the the Fed being in charge of the development of a system that can connect all the banks and credit unions in the U.S. to speed up payments. I’ve long complained here that the US System is laughably out of date, and the system Automated Clearing House and its associated network is still loosely based on the delivery times of the Pony Express and definately around checks.

The ACH itself still describes itself as a using batch processing and a store-and-forward system. And that’s exactly the problem, the store-and-forward part and the regional centers deployed to support it are largely based on the old Pony Express delivery model. The ACH and it’s partners have pivoted since the push by the tech giants, to lauding their fraud and safety. Largely the only reason they can is because of the huge inefficiency and delays built into their system, rather that the inherent security qualities they’ve developed.

While a fast payments network should not be implemented over the public Internet, it’s simply both unbelievable, and unacceptable that my bank cannot not directly send money from my account to your account. This isn’t about Bitcoin and similar nonsense, it does require databases that have the attributes of a Blockchain, but it doesn’t require a Blockchain. This isn’t spin to invest in some imaginary new technology, it is merely a plea to move to a modern switching network, with updated apps.

I don’t transfer money around in Europe or the UK anymore, maybe once a year or so. However, I’ve been able to use the UK Fast Payments network via my UK Bank, FirstDirect, to instantly pay other banks/accounts in the UK, as well as transfer money from UK Pounds Sterling to Euro’s in a German bank in less than 2-hours, all at not cost to me, and using a single system, rather than a secondary system, branded app, or external service. Faster Payments isn’t just a year or two ahead of the US, it’s currently celebrating its 10th Anniversary, and will likely be on its 15th before the US has anything.

That’s mostly why services like PayPal, Stripe, Square, PopMoney exist. To allow the banks and credit unions offer a service they themselves can’t offer. Also, when originally launched it was a way of charging extra for a service that was faster and more flexible than their ACH system offered. Any institution currently charging for these services is charging for lipstick on a big now.

pronto

I first came to the USA in 1983 to work on the server-side of worlds first home banking system, Pronto, at Chemical Bank in New York; in 1987, I was hired by IBM UK in their London Banking Branch, to help London banks like Lloyds Bank, NatWest and TSB, as well as Abbey National, prepare their systems to start Year 2000 (Y2K) testing.

Finally, in 1998, was the Chief Architect for IBM in their NatWest (Business) Online implementation. The first at-scale version of Internet banking at National Westminster Bank, after failed projects by Sun Microsystems and Microsoft.

nwol

I have some idea of the complexity of updating and integrating batch, hub and spoke systems, it’s no cheap or easy. While it’s easy to assert the banks don’t want to change because as everyone believes, “they are making money out of the delays”. They are really not, in any meaningful way. What they are doing is simply avoiding making key investments and dressing it up under the guise of safety and security. Now they are blaming the “lack of a mandate“.

as everyone believes, “they are making money out of the delays”

And that’s what is likely to be their undoing. They’ll continue to push back and resist, until so much of their business has shifted to non-core systems. While the likes of Amazon and Google have to be in the ACH, and have Fed backing and security, they can increasingly provide a home run around the traditional banks.

An Apple a day keeps the Doctor Employed.

apple drCNBC has an interesting article about the number, and quality of Doctors they employ.  I’ve no idea what’s going on an Apple, for a number of reasons, I’ve never bought a single product of theirs.

However, given their deep pockets and ability to play a strategically long-game, I for one would be surprised if this isn’t significantly more than just about the watch and apps that can diagnose conditions based on data in collects.

Here are my thoughts, in the form tweets to @charlesarthur original tweet and link to his daily Startup link list overflow.

 

What’s a #blockchain?

I posted the above to twitter, but its not really a joke. #blockchain has become the emperor’s new clothes and to some degree, @AARP is right.  The original article may be a little more aimed at humour than technical depth, but it’s not wrong.

A few of my friends have already been cold called and offering blockchain backed securities and similar. We know that’s mostly just marketing BS, but they don’t know. So this is, whatever you think, a good way to get them thinking about it.

For 90+ percent of the AARP readers these are good enough descriptions. The people who are AARP members who need to know about Bitcoin and Blockchain, already do and won’t be influenced by @brucehorovitz full article.

1535400878477-lost_and_foundIf you are really interested in the concept, and a non-tech example of #blockchain, Vice has one of the best examples I know of. It explains how, since 1995, how the theory of a blockchain and public ledger have been used in a non-technical solution. It covers and explains the use of a digital document store. The key to their store, was in fact to publish the unique hash for every document, and rather than use a technology solution as the public ledger, simply to publish the unique hash in the New York Times.

A more technical explanation is by Steve Wilson, on Constellation Research, called Blockchain Plain and Simple, covers the subject, and keeps on topic.

Your infrequent reminder, Facebook is evil

They figured out how do you tweak people’s vanities and their passions and their susceptibilities and their desires in order to keep them on the site.

Source: The Central Question Behind Facebook: ‘What Does Mark Zuckerberg Believe In?’ : NPR

If you have not heard it, the above NPR Fresh Air interview by Dave Davies with Evan Osnos, a New Yorker Staff writer is well worth the listen.

Since that interview, we’ve had two more announcements of significance from Facebook.

October 11th, the evil empire announced that they’d disabled some 66 accounts or what Facebook described as:

dozens of accounts and profiles belonging to Russian database provider SocialDataHub

SocialDataHub provides analytical services to the Russian government. Facebook said SocialDataHub were “scraping” peoples information. Who knows how much information, how they used it, or who they sold it too. Facebook don’t. It looks live another 50-million accounts at least. [Check here if your account was compromised.]

The October 8th, Facebook announced their “Portal”, basically a tablet and web cam that allows you to make video calls to other Portal-users, and follows you around the room. Facebook of course says Privacy is

‘Very, Very, Very Important’

But let’s be honest, are you really willing to stay on facebook? Who in their right mind would allow facebook to live video them and not screw up the privacy, and even if they don’t, they’ll be analysing the Sh*t out of everything in every frame to identify things to sell to advertisers about you.

Can facebook do this securely and respecting your privacy? You bet your life not.

#DELETEFACEBOOK Start doing it now. #DELETFACEBOOK, and the women you will wow. (With apologies to Cole Porter).

https://www.facebook.com/help/delete_account

My other facebook posts.

Delete your Google+ profile

Google+ is what happens when you try to take on an incumbent, don’t communicate your vision, and then leave the rotting carcass to fester and be eaten by the maggots. In this case the maggots were a

security vulnerability that exposed the private data of up to 500,000 users

It turns out Google knew about the vulnerability back in March 2018, but decided not to disclose it as, as far they know, it hadn’t been exploited. If your data was upto date and complete, there was enough there to perform a rudimentary phishing attack.

In my case, my phone number, location and a number of other items were out of date, so I didn’t wait to find out what Google were going to do, I just went ahead and deleted my Google+ account. Google has also announced they will kill Google+ although it’s not clear completely what will be removed.

In the post Google+ world, it’s been clear for a while that Google is moving much of the community and information sourcing features into Google Maps.

Here is a link if you want to go ahead and delete your Google+ profile instead of waiting for Google to clean up the mess.

Source: Delete your Google+ profile – Google+ Help

Why You Shouldn’t Use Facebook to Log In to Other Sites – The New York Times

This is a good explanation of why it is way past time to stop using your Facebook ID to login to other sites. Personally while I still occasionally wish I could login to facebook to check on relatives, otherwise I don’t miss it at all.

No matter what facebook do, there will continue to be security and privacy breaches like this. Facebook wanted to become “the web” and along with that aspiration, they also became a focal point for all the hackers, scammers, and those wishing to game the system.

#deletefacebook

 

Source: Why You Shouldn’t Use Facebook to Log In to Other Sites – The New York Times

Data Interchange and Interoperability in Healthcare

I recently had to go for x-rays on my hip. The imaging company called saying they’d received the “order” from my chiropractor for a knee arthrogram without contrast.

Apparently, this was both wrong and confusing. It’s wrong, because the “order” said hip, but they couldn’t read it; also it’s confusing because, well something to do with x-ray and contrast.

After a short discussion, it turned out the imaging company received the order by fax. Yes, real actual paper fax. The US medical profession still seems to run on faxes. My prior cardiology hospital sent my medical records to my new cardiology Dr via, yes, paper fax. Hospital-1 printed the records to a fax based printer driver, which sent them uing a fax protocol to Hospital-2. Apparently Hospital-2 receives as images in a variation of the TIFF file format.

In the case of my PT, no such luck. Handwritten, manually faxed, received by paper. Even if there had been no problem this created a HIPPA privacy and security cost. In this instance, the cost to clear up the confusion likely cost almost as much as the actual hip x-ray, as that was all that was needed.

While I know there are data interchange standards in the USA for medical records, or as they are called PHRs, it seems there still nothing that is universally adopted. When I contacted my new cardiology hospital and offered my PHR in (Epic Systems) Lucy format, they declined and asked for them to be faxed.

There are a growing number of apps for both ios and android that support EHRs (electronic health records) however, for the most part these are tied to a specific hospital and/or medical group. A good example is the Epic Systems MyChart app. It can read the data from my former cardiology provider, including details of my ER/and cardio surgery and the prescriptions I was given. I can export the data using the Hospital groups website, and that’s it.

Unless you choose your medical providers not on their medical excellence, but their ability to import your lucy records, this is no use at all.

The Big Boys are doing data interchange

My interest was sparked by the recent announcement from Google, Microsoft, Twitter and Facebook introducing the open-source Data Transfer Project (DTP). For the more technically interested, you can read the DTP Overview here.

Ultimately it doesn’t look that different from the Enterprise Service Bus implementations we were working on 15-18 years ago. Same core concept, n-n interchange and interoperability. Same basic extensability through adapters and shared protocols.

I have to say, the use cases given for DTP are pretty weak. Conceptually, though there is much potential for this architected “Share…” facility. One of the key failings of DTP is that there is no ability to delete data, sure you can share your data to more sites/services but the DTP as specified doesn’t allow you to leave.

However, the most disappointing thing about this announcement is it’s aimed at allowing you to move your videos/photo’s, social media posts, and hopefully subscription platforms among the services supported.

To become a supported platform there are a few fairly simple architecture docs and then you have to build plugins or adapters to interface to the service to be able to send/receive data.

Ho hum. Boring. There is definitely space for big tech co’s to innovate around data interchange, but who cares about social media. I want to be able to pay for a PHR service, where I can store and control my medical record. Where I can grant access rights and authorise medical providers to retrieve my data, where I can see my medical records from across the providers etc.

I’m hoping that someone will point out this already exists, or that Nigel or Tom, who both now work in Helathcare will tell me why this isn’t a good idea. The USA is in desperate need for data interchange but it isn’t for social media.

FURTHER READING:

  1. Paper on moving from paper to electronic records and the associated problems.
  2. Review of numerous leading healthcare records mobile apps.

 

Why we can’t have nice things

Subtitle: How we get nice things and then they make them too expensive.

Recently contractors for Comcast/Xfinity have been all over Louisville drilling holes along the utility easement to lay conduit for fiber optic cabling for Internet and cable. The city has a brief here on the project which is supposed to be complete by the end of October 2018. Bad news if you are a customer in the service area, the city release says:

Comcast customers will experience an outage from 30 minutes to 6 hours with the typical outage being 2 ½ hours. Any outages for this kind of scheduled work is typically done between 7:00 AM and 4:00 PM.

The full Comcast Q&A/FAQ is here.

Once the conduit/piping was laid at my house along the outside of back fence, things went quiet. Then today there were literally 15 trucks outside and across the street while they had a team meeting.

If you are stuck with little more than dial-up modem Internet speed, either because of cost, or because a faster service is not available to you, no doubt you’d think this is great. I already have CenturyLink 1Gbps fiber service, and this will likely be very good in the short term as competition drives down prices.

In the long term, this isn’t good news. The only winners will be Comcast.

Legislating hacking/data exposure responses

I don’t know enough about the European Union General Data Protection Regulation (GDPR) but at least on basic reading it seems inadequate in meaningful individual action requirements and legislation that benefits the actual user/person whose information has been exposed.

I’ve been signed up for haveibeenpwned an excellent website by Troy Hunt. You enter your email, and it tells you what breaches your personal information has been found in.

I was going to say “if any”. But of course your data will be there, especially after breaches like the River City Media (RCM) “spammer gate” where 1.4 billion peoples’ email accounts, full names, IP addresses, and often physical address, were exposed. Suffice to say, my two primary email addresses have been exposed in more than 20-breaches.

haveibeenpwned was a great start. CapitalOne, at least among my financial providers, has stepped up the game significantly. Their creditwise arm has incorporated Credit & Identity Alerts in to the app and website. Numerous times recently I’ve received alerts, and while initially the alerts didn’t contain enough information to take action, the most recent alerts have had all the detail I needed.

Creditwise Email
Email alert from Creditwise
Creditwise Alert
via website or app

Among the websites my data has been exposed this year include:

  • linkedin.com
  • kickstarter.com
  • ticketfly.com
  • bitly.com
  • myspace.com
  • last.fm
  • zomato.com

Some of these websites did individually send emails disclosing the breach. Of these, only ticketfly had any form of financial data that might have been breached. I have all my emails from them going back to 2012. Not a single word about a data breach or other exposure of my personal data.

The same is true for more sites than not. No notification. When you login to the site to at the very least, change your password to a new unique one, they more often than not also give you no indication. For many of them it’s also nearly impossible to find out how to delete your account. In the case of ticketfly, I submitted a trouble ticket asking how to delete my account but retain tickets for future events, so far nothing but a generic ‘we’ll get back to you’ response.

It’s time for legislation about what websites/businesses are required to do when they find a data breach. They must be held accountable, and not just through financial penalties that mostly just go into government coffers.

I’d like to see at a minimum:

  1. Mandatory requirement to notify by email, and if the business has a real mail address, by mail.
  2. A default opt-out and deletion period. At discovery, if data breached includes significant personal and/or financial data, the account must be deactivated. After notification, if the business has not heard from the user whose data is breached within 14-days, and the account is not already deactivated, it should be deactivated.
  3. Recovery of a deactivated account should NOT depend on any data exposed in the breach.
  4. When the user whose data is breached logs-in to their account following notification or during account recovery, they must be presented with clear information on what data was exposed. Two, they must be given a simple option at this point to permanently delete their account.
  5. If the user opts to delete their account, any consequences of the deletion must be made obvious at that time. For example, in the case of ticketfly, where I’ve already paid for tickets to future events, those tickets must still be available to me, even after my account is deleted.

In the era of “big data” and “everything online” the only way these businesses/websites will really put privacy and security first is not fines. It’s the actual loss of the customer/user and their data. These companies are often over valued, and paying government fines is just moving magic money from one bucket to another. It has a short term impact on their profitability, their quarterly results, not much else.

Google and Voice

You’d think given the proliferation of voice activated home technology like Alexa, Siri, Google Voice Assistant, Cortana etc. we’d be on the home stretch for voice activation in cars, where distraction is a real life threatening problem.

I don’t travel much now, I don’t drive more than 6k miles per year, which is a good thing based on today’s experience with Google. I’ll admit, I didn’t do any scientific research, I’ve no idea what other brands do, but I got stuck in traffic today heading into Boulder. I asked Google Assistant to read a web article from Vox.

My Google Pixel 2 phone is running android pie 9, I’m a Google ProjectFi cellphone network subscriber, and the phone is paired via Bluetooth to my 2013 Mercedes Benz. I switched the car audio via a car hardware button to Bluetooth. And asked Google Assistant to read what was on my screen.

It soon started to read out loud over bluetooth, HTML and CCS. This got pretty pointless, pretty quick. I switched back to FM Radio.

I called my wife using nothing but voice activation on the Mercedes with the paired bluetooth phone. While we were talking another call came in. I ignored it, it went to voicemail. When I’d finished talk to my wife, I pressed a button on the car to end the call.

I asked the Mercedes to “call voicemail” it did. The first thing the Project Fi voicemail system asked was for my voicemail PIN. There is no way around this, I sat there trying to get Fi to recognize the PIN by saying
nine, seven, nine, six, nine, five(*1)
It was pointless… it wasn’t enabled for voice prompts. I pulled over, pressed the phone buttons for the PIN followed by the # key. I went straight to the options key-4, and there was no voice activation option.

Next-up, I tried the Google Assistant to try.

OK Google, call my voicemail

I said in my best English accent, with my best annunciation and trying not to sound “mockney“.

Google Assistant: calling

Project Fi: to access your voicemail, please enter your PIN. followed by the # key

ME: nine, seven, nine, six, nine, five

Suffice to say, it didn’t work.

Even if it had, worryingly, even when you use the keypad to logon and navigate your voicemail, after hearing individual voicemails, the only options are:

mark this message as read press 7
keep this message as new press 9

There is a more options, it’s just message details, and play message again.

If you press 7, you go back to the main menu, where the only option is 4, change your settings. No ability to re-hear messages marked as read.

All in all a pretty disappointing experience. Especially true given it’s a 100% Google experience, add in the heightened requirement to reduce distracted driving and the fact that touching your phone while driving is illegal in my cities, States and Countries.

I know for sure that 10-15 years ago, voicemail could be voice driven.
To listen to your voicemail, press or say 1.

To delete the voicemail, press or say 3

etc.
Android phone app voicemail screenYes, I do know that I can press the voicemail button on the phone app in Android, and that would bring up a screen like this with a voice to text translation of the voicemail, the ability to play the voicemail, and the ability to delete it… but that all requires physical interaction with the phone.

*1 PIN isn’t really this…