Blog of the website «TechCrunch»
Main article: Security


Popular Android phones can be tricked into snooping on their owners

21:00 | 8 November

Security researchers have found several popular Android phones can be tricked into snooping on their owners by exploiting a weakness that gives accessories access to the phone’s underlying baseband software.

Attackers can use that access to trick vulnerable phones into giving up their unique identifiers, such as their IMEI and IMSI numbers, downgrade a target’s connection in order to intercept phone calls, forward calls to another phone or block all phone calls and internet access altogether.

The research, shared exclusively with TechCrunch, affects at least 10 popular Android devices, including Google’s Pixel 2, Huawei’s Nexus 6P and Samsung’s Galaxy S8+.

The vulnerabilities are found in the baseband firmware, the software that lets the phone’s modem talk to the cell network, whether to make phone calls or to connect to the internet. Given its importance, the baseband is typically off-limits to the rest of the device, including its apps, and often comes with command blacklisting to prevent non-critical commands from running. But the researchers found that many Android phones inadvertently give Bluetooth and USB accessories, like headphones and headsets, access to the baseband. By exploiting a vulnerable accessory, an attacker can run commands on a connected Android phone.

“The impact of these attacks ranges from sensitive user information exposure to complete service disruption,” said Syed Rafiul Hussain, one of the co-authors of the paper, in an email to TechCrunch.

Hussain and his colleagues Imtiaz Karim, Fabrizio Cicala and Elisa Bertino at Purdue University and Omar Chowdhury at the University of Iowa are set to present their findings next month.


Baseband firmware accepts a command set known as AT commands, which controls the device’s cellular functions. These commands can be used, for example, to tell the modem which phone number to call. But the researchers found that these commands can be manipulated. The researchers developed a tool, dubbed ATFuzzer, which tries to find potentially problematic AT commands.

In their testing, the researchers discovered 14 commands that could be used to trick the vulnerable Android phones into leaking sensitive device data and into manipulating phone calls.

But not all devices are vulnerable to the same commands or can be manipulated in the same way. The researchers found, for example, that certain commands could trick a Galaxy S8+ phone into leaking its IMEI number, redirecting phone calls to another phone and downgrading its cellular connection, all of which can be used to snoop on and listen in to phone calls, for instance with the specialist cellular snooping hardware known as “stingrays.” Other devices were not vulnerable to call manipulation but were susceptible to commands that could be used to block internet connectivity and phone calls.
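The “command blacklisting” the article mentions is only as good as its matching. The Python below is an added illustration, not ATFuzzer or any vendor’s baseband code: an exact-match blocklist next to a strict parser backed by an allowlist, both run over constructed command lines. AT+CGSN and AT+CIMI are the standard 3GPP TS 27.007 commands that return the IMEI and IMSI; the allowlist contents, and the policy of denying identifier commands to accessories, are assumptions made for the example.

```python
"""Illustrative AT command gatekeeper: exact-match blocklist beside a strict
allowlist parser. Added example; not ATFuzzer or any vendor's baseband code."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Standard 3GPP TS 27.007 commands that return device identifiers (IMEI, IMSI).
# Assumption: the policy is to deny them to USB/Bluetooth accessories.
SENSITIVE = {"+CGSN", "+CIMI"}

# Hypothetical allowlist: extended command -> operations an accessory may use.
# exec = AT+NAME, read = AT+NAME?, test = AT+NAME=?, set = AT+NAME=<args>
ALLOWED: Dict[str, Set[str]] = {
    "+CSQ": {"exec"},            # signal quality
    "+COPS": {"read", "test"},   # operator selection, query forms only
    "+CMGS": {"set"},            # send SMS
}

_SEGMENT = re.compile(r"^(\+[A-Za-z0-9]+)(\?|=\?|=(.*))?$", re.DOTALL)


def naive_blocklist(line: str) -> bool:
    """Accept unless the whole line equals a known-bad command string.
    This is the weak 'command blacklisting' shape: trivially bypassed."""
    return line.strip() not in {"AT" + name for name in SENSITIVE}


def _strip_unquoted_spaces(body: str) -> Optional[str]:
    """V.250 lets a command line carry spaces outside quoted strings; drop them
    so 'AT +CGSN' and 'AT+CGSN' look identical to the policy."""
    out, in_quote = [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            continue
        out.append(ch)
    return None if in_quote else "".join(out)   # unbalanced quote = malformed


def parse_at(line: str) -> Optional[List[Tuple[str, str, str]]]:
    """Parse one AT line into (name, op, args) triples; None if malformed."""
    body = line.rstrip("\r\n")
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in body):
        return None                         # control bytes / non-ASCII: reject
    body = _strip_unquoted_spaces(body)
    if body is None or body[:2].upper() != "AT":
        return None
    body = body[2:]
    if body == "":
        return []                           # bare "AT" is a harmless no-op
    commands = []
    for segment in body.split(";"):         # ';' chains extended commands
        m = _SEGMENT.match(segment)
        if not m:
            return None                     # basic (non-'+') commands are rejected here
        name, suffix, args = m.group(1).upper(), m.group(2), m.group(3)
        if suffix is None:
            op = "exec"
        elif suffix == "?":
            op = "read"
        elif suffix == "=?":
            op = "test"
        else:
            op = "set"
        commands.append((name, op, args or ""))
    return commands


def allowlist_accept(line: str) -> bool:
    """Strict policy: every command on the line must be explicitly allowed."""
    commands = parse_at(line)
    if commands is None:
        return False
    return all(op in ALLOWED.get(name, set()) for name, op, _ in commands)


def evaluate(lines: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Run both policies over sample lines: line -> (blocklist, allowlist)."""
    return {ln: (naive_blocklist(ln), allowlist_accept(ln)) for ln in lines}


# Constructed samples: the blocklist lets every bypass variant through.
SAMPLES = [
    "AT+CGSN",                  # exact match: both policies deny
    "at+cgsn",                  # case variant
    "AT +CGSN",                 # spacing variant
    "AT+COPS?;+CGSN",           # chained behind an allowed command
    "AT+CSQ\x00+CGSN",          # control byte inside the line
    "AT+COPS?",                 # legitimate accessory query
    'AT+CMGS="+15551230000"',   # legitimate send, constructed number
]

if __name__ == "__main__":
    for ln, (block, allow) in evaluate(SAMPLES).items():
        print(f"{ln!r:32} blocklist={block!s:5} allowlist={allow}")
```

The blocklist denies the one literal it knows and passes the lowercase, spaced, chained and control-byte variants; the parser normalizes first and then rejects anything not explicitly allowed, which is the shape a fuzzer-found malformed command is far less likely to slip past. A real filter also has to deal with the basic V.250 commands such as ATD, which this example simply rejects.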

The vulnerabilities are not difficult to exploit, but require all of the right conditions to be met.

“The attacks can be easily carried out by an adversary with cheap Bluetooth connectors or by setting up a malicious USB charging station,” said Hussain. In other words, a phone can be manipulated if the accessory it is plugged into, such as a computer, can itself be reached over the internet. Or, if a phone is connected to a Bluetooth device, an attacker has to be in close proximity. (Bluetooth attacks are not difficult, given that vulnerabilities in how some devices implement Bluetooth have left some devices more exposed to attacks than others.)

“If your smartphone is connected with a headphone or any other Bluetooth device, the attacker can first exploit the inherent vulnerabilities of the Bluetooth connection and then inject those malformed AT commands,” said Hussain.

Samsung recognized the vulnerabilities in some of its devices and is rolling out patches. Neither Huawei nor Google provided comment at the time of writing.

Hussain said that iPhones were not affected by the vulnerabilities.

This research becomes the latest to examine vulnerabilities in baseband firmware. Over the years there have been several papers examining various phones and devices with baseband vulnerabilities. Although these reports are rare, security researchers have long warned that intelligence agencies and hackers alike could be using these flaws to launch silent attacks.


Google launches OpenTitan, an open-source secure chip design project

17:00 | 5 November

Google has partnered with several tech companies to develop and build OpenTitan, a new, collaborative open-source secure chip design project.

The aim of the new coalition is to build trustworthy chip designs for use in datacenters, storage, and computer peripherals, which are both open and transparent, allowing anyone to inspect the hardware for security vulnerabilities and backdoors.

It comes at a time where tech giants and governments alike are increasingly aware that hostile nation states are trying to infiltrate and compromise supply chains in an effort to carry out long-term surveillance or espionage.

OpenTitan builds on the success of Google’s own custom-built chip, Titan, which it uses in its multi-factor security keys and its own-brand Android phones. Critical to the chip’s role is its root-of-trust function, which cryptographically verifies that the firmware the device boots hasn’t been tampered with. That root of trust provides a trustworthy foundation for the operating system and applications that run on top of it.
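A root of trust earns that name by measuring each boot stage before handing it control and by being able to prove the result to a verifier. The Python below is an added, generic illustration of that flow, not OpenTitan or Titan code: a measurement register extended per stage, an event log the verifier replays, and a nonce-bound quote. The stage images, golden digests and device key are constructed, and an HMAC stands in for the asymmetric signature a real chip would produce.

```python
"""Generic measured boot with a hardware-held measurement register, an event
log a verifier can replay, and a nonce-bound attestation. Added illustration;
not OpenTitan or Titan code. Images and key are constructed; HMAC stands in
for the asymmetric signature a real root of trust would use."""
import hashlib
import hmac
from typing import List, Tuple

ZERO_REGISTER = bytes(32)   # register value at reset
EventLog = List[Tuple[str, str]]   # (stage name, hex digest of its image)


def extend(register: bytes, image: bytes) -> bytes:
    """Fold one boot stage into the register: new = H(old || H(image)).
    One-way and order-sensitive, so the final value commits to the whole chain."""
    return hashlib.sha256(register + hashlib.sha256(image).digest()).digest()


def boot(stages: List[Tuple[str, bytes]]) -> Tuple[bytes, EventLog]:
    """Device side: measure every stage before running it; keep an event log."""
    register, log = ZERO_REGISTER, []
    for name, image in stages:
        register = extend(register, image)
        log.append((name, hashlib.sha256(image).hexdigest()))
    return register, log


def replay(log: EventLog) -> bytes:
    """Verifier side: recompute the register from the event log alone."""
    register = ZERO_REGISTER
    for _, digest_hex in log:
        register = hashlib.sha256(register + bytes.fromhex(digest_hex)).digest()
    return register


def quote(device_key: bytes, nonce: bytes, register: bytes) -> bytes:
    """Attestation quote bound to the verifier's fresh nonce (HMAC as stand-in)."""
    return hmac.new(device_key, nonce + register, hashlib.sha256).digest()


def verify(device_key: bytes, nonce: bytes, register: bytes,
           log: EventLog, q: bytes, golden: EventLog) -> bool:
    """Accept only if the quote is fresh and genuine, the log reproduces the
    register, and the stages match the golden list in the same order."""
    if not hmac.compare_digest(quote(device_key, nonce, register), q):
        return False
    if replay(log) != register:
        return False
    return list(log) == list(golden)


# Constructed boot chain and the golden values provisioned to the verifier.
ROM_EXT = b"rom_ext v1 (constructed image)"
BOOTLOADER = b"bootloader v1 (constructed image)"
KERNEL = b"kernel v1 (constructed image)"
GOOD_CHAIN = [("rom_ext", ROM_EXT), ("bootloader", BOOTLOADER), ("kernel", KERNEL)]
GOLDEN: EventLog = [(n, hashlib.sha256(i).hexdigest()) for n, i in GOOD_CHAIN]
DEVICE_KEY = b"constructed-device-attestation-key"


def scenario(stages: List[Tuple[str, bytes]], nonce: bytes = b"nonce-0001") -> bool:
    """Boot the given chain on the device, then run the verifier's checks."""
    register, log = boot(stages)
    q = quote(DEVICE_KEY, nonce, register)
    return verify(DEVICE_KEY, nonce, register, log, q, GOLDEN)


if __name__ == "__main__":
    tampered = GOOD_CHAIN[:2] + [("kernel", KERNEL + b" +implant")]
    swapped = [GOOD_CHAIN[0], GOOD_CHAIN[2], GOOD_CHAIN[1]]
    print("good    :", scenario(GOOD_CHAIN))
    print("tampered:", scenario(tampered))
    print("swapped :", scenario(swapped))
```

The verifier never trusts the device's claimed register on its own: the quote ties it to the nonce, the replayed log must reproduce it, and the log must match the golden chain in order, so a swapped or modified stage fails even though every individual digest is one the verifier has seen.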

Google said OpenTitan will be run by lowRISC, a non-profit community, and will rely on partnerships with ETH Zurich, G+D Mobile Security, Nuvoton Technology, and Western Digital to support the project.

OpenTitan will also be platform agnostic and can be adapted to almost any device or software, Google said.

It’s not the first project dedicated to building secure chip designs. The Open Compute Project, supported by Facebook, Intel and Google, was created to open-source designs for its core infrastructure servers as part of an effort to gain better efficiencies from datacenter operations.

Apple also has its own secure — albeit proprietary — custom silicon, the Apple T2, found in its latest MacBooks, which it uses to control a device’s security functions and store the user’s passwords and encryption keys.


Disinformation ‘works better than censorship,’ warns internet freedom report

08:01 | 5 November

A rise in social media surveillance, warrantless searches of travelers’ devices at the border, and the continued spread of disinformation are among the reasons why the U.S. has declined in internet freedom rankings, according to a leading non-profit watchdog.

Although Freedom House said that the U.S. enjoys some of the greatest internet freedoms in the world, its placement in the worldwide rankings declined for the third year in a row. Last year’s single-point drop was blamed on the repeal of net neutrality.

Iceland and Estonia remained at the top of the charts, according to the rankings, with China and Iran ranking with the least free internet.

The report said that digital platforms, including social media, have emerged as the “new battleground” for democracy, where governments would traditionally use censorship and site-blocking technologies. State and partisan actors have used disinformation and propaganda to distort facts and opinions during elections in dozens of countries over the past year, including the 2018 U.S. midterm elections and the 2019 European Parliament elections.

“Many governments are finding that on social media, propaganda works better than censorship,” said Mike Abramowitz, president of Freedom House.

Freedom House’s 2019 internet freedom rankings. (Image: Freedom House)

Disinformation — or “fake news” as described by some — has become a major headache for both governments and private industry. As the spread of deliberately misleading and false information has become more prevalent, lawmakers have threatened to step in to legislate against the problem.

But as some governments — including the U.S. — have tried to stop the spread of disinformation, Freedom House accused some global leaders — including the U.S. — of “co-opting” social media platforms for their own benefit. Both the U.S. and China are among the 40 countries that have expanded their monitoring of social media platforms, the report said.

“Law enforcement and immigration agencies expanded their surveillance of the public, eschewing oversight, transparency, and accountability mechanisms that might restrain their actions,” the report said.

The encroachment on personal privacy, such as the searching of travelers’ phones without court-approved warrants, also contributed to the U.S.’ decline.

Several stories in the last year revealed how border authorities would deny entry to travelers for the content of social media posts made by other people, following changes to rules that compelled visa holders to disclose their social media handles at the border.

“The future of internet freedom rests on our ability to fix social media,” said Adrian Shahbaz, the non-profit’s research director for technology and democracy.

Given that most social media platforms are based in the U.S., Shahbaz said the U.S. has to be a “leader” in promoting transparency and accountability.

“This is the only way to stop the internet from becoming a Trojan horse for tyranny and oppression,” he said.


Twitter says government demands for user data continue to rise

18:45 | 31 October

Twitter has reported a rise in the number of government demands for customer data.

In its latest transparency report, covering the six months between January and June, the social media giant said it received 7,300 requests for user data, up 6% from a year earlier, but that the number of accounts affected was down by 25%.

The company turned over some data in just under half of all cases.

U.S. government agencies demanded the most data, filing 2,120 demands for 4,150 accounts — accounting for about one-third of all requests. Japan was trailing behind with 1,742 demands for 2,445 accounts.

The company also had 33 requests for data on 86 Periscope video-streaming accounts, disclosing some information in 60% of cases.

Twitter also disclosed it was previously served with three so-called national security letters (NSLs), which can compel companies to turn over non-content data at the request of the FBI. These letters are not approved by a judge, and often come with a gag order preventing their disclosure. But since the USA Freedom Act passed in 2015, companies have been allowed to request the lifting of their gag orders.

The report also said Twitter saw a rise across the board in the amount of private information, sensitive media, hateful content, and abuse, but that it was continuing to take action.

Twitter said it removed 124,339 accounts for impersonation, and 115,861 accounts for promoting terrorism, a decline of 30% on the previous reporting period.

The company also removed 244,188 accounts for violations relating to child sexual exploitation.


NHS pagers are leaking medical data

11:30 | 30 October

An amateur radio rig exposed to the internet and discovered by a security researcher was collecting real-time medical data and health information broadcast by hospitals and ambulances across U.K. towns and cities.

The rig, operated out of a house in North London, was picking up radio waves from over the air and translating them into readable text. The hobbyist’s computer display was filling up with messages about real-time medical emergencies from across the region. For some reason, the hobbyist had set up an internet-connected webcam pointed at the display. But because there was no password on the webcam, anyone who knew where to look could also see what was on the rig’s computer display.

Daley Borda, a security researcher and bug bounty hunter, was at home in Florida when he stumbled upon the exposed webcam. The live stream was grainy, and the quality of the images so poor that it was just possible to make out the text on the display.

“You can see details of calls coming in — their name, address, and injury,” he told TechCrunch.

TechCrunch verified his findings. Messages spilling across the screen appeared to direct nearby ambulances where to go following calls to the 999 emergency services.

One message said a 98-year-old man had fallen at his home address. A few moments later, another message said 49-year-old male was complaining of chest pains at a nearby residence. One after the other, messages were flooding in, describing accidents, incidents, medical emergencies, often including their home addresses.


Several screenshots of the amateur radio decoding software, revealing unencrypted pager messages from nearby NHS trusts. (Image: TechCrunch)

Borda spends much of his time scouring the internet for things that shouldn’t be online. He looks for exposed databases and devices and, like most other security researchers, privately reports them to their owners. If he’s lucky, the owner takes action. Better yet, they pay out a bug bounty for his efforts.

But he could not figure out who the rig belonged to. TechCrunch contacted the hobbyist’s internet provider to warn of the data exposure.

“Last night we contacted the customer to make them aware that there was a live webcam broadcasting on the open web from their household,” said a spokesperson from the internet provider. “The customer was unaware of the nature of the information being shown so has said that they will stop the feed on that particular camera.”

The hobbyist was picking up and decoding pager communications from a nearby regional National Health Service trust.

“With some cheap, relatively basic, software it is possible for hobbyists to access these frequencies and decode the information being sent, which appears is what has occurred here,” the spokesperson said.

Old but reliable

Pagers — or beepers — may be a relic of the past, but remain a fixture in U.K. hospitals.

These traditionally one-way communication devices allow anyone to send messages to one or many pagers at once by calling a dedicated phone number, often staffed by an operator; the messages are then broadcast as radio waves over the pager network. But pagers still offer benefits where newer technologies, like cell phones, fall down. Because they work at a low frequency, pager radio waves are able to travel further and deeper inside large buildings, particularly hospitals, which have thickened walls to protect others from X-rays and other radiation. Pagers also work across long distances, including in cell service dead-spots.

But few were thinking about message security when pager use was at its peak.

“They aren’t secure,” Andy Keck, an electronics and amateur radio hobbyist, told TechCrunch. Keck said messages sent over the pager network are encoded when they are converted into a burst of radio waves and broadcast over the air.

“But people don’t necessarily understand the difference between encryption and encoding,” he said.

Because the two widely used pager protocols — POCSAG and FLEX — are not encrypted, it’s easy to understand what messages are broadcast over the airwaves using free and open-source software.

For years one of the largest barriers to intercepting and decoding pager messages — or any other radio waves — was that hobbyists needed custom, often expensive hardware. But with the advent of software-defined radios, most hobbyists can get by with a $20 plug-in dongle and an antenna.

“It’s just enter the command to start the application, sit back, and start decoding in real time on the screen,” he said.
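Keck’s distinction between encoding and encryption is exactly what the decoder software relies on. The Python below is an added illustration, not code from any of the decoders the article mentions: it packs a constructed dispatch-style text into POCSAG alphanumeric codewords, protects each with the protocol’s BCH(31,21) check bits and parity, and unpacks it again. The check bits only catch transmission errors; anyone who knows the public packing rule reads the text.

```python
"""POCSAG alphanumeric codewords, packed and unpacked. Added illustration of
"encoded, not encrypted"; not code from any decoder named in the article. The
pager text below is constructed and is not one of the intercepted messages."""
from typing import List

BCH_POLY = 0x769            # BCH(31,21) generator x^10+x^9+x^8+x^6+x^5+x^3+1
MSG_FLAG = 1 << 20          # top bit of the 21-bit payload: 1 = message, 0 = address
IDLE_CODEWORD = 0x7A89C197  # standard filler word: address type, carries no text
EOT = 0x04                  # terminates an alphanumeric message


def bch_check_bits(payload21: int) -> int:
    """Ten check bits: remainder of payload * x^10 divided by the generator."""
    reg = payload21 << 10
    for i in range(30, 9, -1):
        if reg >> i & 1:
            reg ^= BCH_POLY << (i - 10)
    return reg & 0x3FF


def make_codeword(payload21: int) -> int:
    """21 payload bits, 10 BCH bits, then an even-parity bit in position 0."""
    cw = (payload21 << 11) | (bch_check_bits(payload21) << 1)
    return cw | (bin(cw).count("1") & 1)


def codeword_ok(cw: int) -> bool:
    """Integrity only: catches transmission errors, says nothing about secrecy."""
    return ((cw >> 1) & 0x3FF == bch_check_bits(cw >> 11)
            and bin(cw).count("1") % 2 == 0)


def encode_alpha(text: str) -> List[int]:
    """7-bit ASCII, each character least-significant bit first, packed 20 bits
    per message codeword, EOT-terminated and zero-padded."""
    bits = []
    for ch in text + chr(EOT):
        code = ord(ch) & 0x7F
        bits.extend((code >> k) & 1 for k in range(7))
    while len(bits) % 20:
        bits.append(0)
    codewords = []
    for i in range(0, len(bits), 20):
        data = 0
        for b in bits[i:i + 20]:
            data = (data << 1) | b      # first bit on air sits in the top data position
        codewords.append(make_codeword(MSG_FLAG | data))
    return codewords


def decode_alpha(codewords) -> str:
    """What any receiver does: check BCH, skip address/idle words, unpack text."""
    bits = []
    for cw in codewords:
        if not codeword_ok(cw):
            raise ValueError(f"corrupt codeword 0x{cw:08X}")
        if not cw >> 31 & 1:
            continue                    # address or idle codeword, no text
        data = (cw >> 11) & 0xFFFFF
        bits.extend((data >> k) & 1 for k in range(19, -1, -1))
    text = []
    for i in range(0, len(bits) - 6, 7):
        code = sum(bits[i + k] << k for k in range(7))
        if code == EOT:
            break
        text.append(chr(code))
    return "".join(text)


SAMPLE_PAGE = "AMB 07 RTA M45 J12 2 CAS"   # constructed dispatch-style text

if __name__ == "__main__":
    words = [IDLE_CODEWORD] + encode_alpha(SAMPLE_PAGE)
    print(" ".join(f"{w:08X}" for w in words))
    print(decode_alpha(words))
```

The generator polynomial and the idle codeword are the values from the POCSAG specification; the example stops at codeword level and leaves out the preamble, sync word and batch layout that a full decoder also handles. Nothing in the pipeline needs a key.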

130,000 NHS pagers

Although the number of pagers in use has fallen steeply from its peak in the 1980s, pagers still carry a considerable amount of information every day.

Pager messages can travel over a large distance, said Keck, depending on how high the transmitter is located. Most major cities are covered with some pager service. Given the geography of the U.K., amateur radio hobbyists can often pick up pager messages from different sources.

The NHS still uses about 130,000 pagers, according to the U.K. government’s latest count, or about 10 percent of the world’s current pagers in use. But the NHS has been told to stop using pagers altogether by 2021.

But it’s not clear how many trusts are exposing medical information, if any. According to NHS spokesperson Oliver Michelson, “each NHS organization is responsible for its own IT equipment and security.”


Pagers receive encoded, but not encrypted messages. (Image: Getty Images)

One NHS trust we spoke to said it had around 1,600 pagers, which are managed by the trust. (We are not naming the trust, as it would expose their communications.) When asked if the trust was aware that pager messages are not encrypted and can be intercepted by amateur radio hobbyists, the spokesperson responded: “Yes.”

Another trust we spoke to said they were “aware” that the handful of pagers it operates do not encrypt their messages. The trust said their pagers were managed by a third-party.

PageOne, the last remaining pager network in the U.K., says in a brochure that its pager service can deliver “real-time messaging cost effectively and securely to their staff.”

But a spokesperson told TechCrunch: “PageOne ensures customers are aware of the ability to intercept messages in its terms and conditions” and that encrypted services “are available if required.”

The company said the majority of NHS pagers are operated on private pager networks operated by the trusts themselves.

‘Trivially interceptable’

Amateur radio hobbyists know all too well the risks posed by unencrypted pagers.

Over the years there have been numerous headlines of hobbyists picking up signals from nearby hospitals, including patients’ names and medical information. Some have even turned eavesdropping on hospital pagers into an art project.

Last month, hospitals in Vancouver were found broadcasting unencrypted patient medical data across the city.

Sarah Jamie Lewis, executive director at Open Privacy, who first revealed the issue, said the hospital pager messages were “trivially interceptable” by anyone nearby.

“It tends to be pretty common knowledge in the amateur radio community that these kind of broadcasts are going on but it’s only recently that we started seeing a culture of disclosure,” said Lewis.

In the U.K., it’s legal for amateur radio hobbyists to scan the airwaves but unlawful to disclose the contents of messages. That’s put some security-focused hobbyists who disclose exposed sensitive messages in a tough legal spot.

“You get this horrible situation where not disclosing is bad, but people have a right to know that their health data is being breached,” said Lewis.

But the penalties could be far steeper for organizations that expose sensitive health data. Exposing personally identifiable and health information violates GDPR, the Europe-wide data protection laws that came into force last year. Organizations can be fined heavily for breaching the rules.

With more than a year on the clock before the NHS pager ban comes into effect, it’s not a problem that can be easily fixed.

The obvious solution would be not to send sensitive health or medical data over pager messages. Clearly, as seen by the amateur hobbyist’s radio rig, that message isn’t getting through.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.


WhatsApp blames — and sues — mobile spyware maker NSO Group over its zero-day calling exploit

22:21 | 29 October

WhatsApp has filed a suit in federal court accusing NSO Group, an Israeli mobile surveillance maker, of creating an exploit that allowed the spyware’s operator to hack into a target’s phone and remotely spy on them.

The lawsuit, filed in a California federal court, said the mobile surveillance outfit “developed their malware in order to access messages and other communications after they were decrypted” on target devices.

The attack worked by exploiting an audio-calling vulnerability in WhatsApp. Users would appear to get an ordinary call, but the malware would quietly infect the device with spyware, giving the attackers full access to the device.

Because WhatsApp is end-to-end encrypted, it’s near-impossible to access the messages as they traverse the internet. But in recent years, governments and mobile spyware companies have begun targeting the devices where the messages were sent or received. The logic goes that if you hack the device, you can obtain its data.

That’s what WhatsApp says happened.

WhatsApp, owned by Facebook, quickly patched the vulnerability. Although blame fell fast on NSO Group, WhatsApp did not publicly accuse the company at the time.

In an op-ed, WhatsApp head Will Cathcart said the messaging giant “learned that the attackers used servers and Internet-hosting services that were previously associated” with NSO Group, and that certain WhatsApp accounts used during the attacks were traced back to the company.

“While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful,” said Cathcart.

The attack involved disguising the malicious code as call settings, allowing the surveillance outfit to deliver the code as if it came from WhatsApp’s signaling servers. Once the malicious calls were delivered to the target’s phone, they “injected the malicious code into the memory of the target device — even when the target did not answer the call,” the complaint read. When the code was run, it sent a request to the surveillance company’s servers, and downloaded additional malware to the target’s device.

In total, some 1,400 targeted devices were affected by the exploit, the lawsuit said.

Most people were unaffected by the WhatsApp exploit. But WhatsApp said that over a hundred human rights defenders, journalists and “other members of civil society” were targeted by the attack. Other targets included government officials and diplomats.

WhatsApp is asking for a jury trial.

We’ve reached out to NSO Group for comment, but did not hear back.


FCC proposes rules requiring telcos remove Huawei, ZTE equipment

21:26 | 28 October

The Federal Communications Commission said it will move ahead with proposals to ban telecommunications giants from using Huawei and ZTE networking equipment, which the agency says poses a “national security threat.”

The two-part proposal revealed Monday would first bar telecoms giants from using funds they receive from the FCC’s Universal Service Fund, used by the agency to subsidize service to low-income households, to buy equipment from the Chinese telecom equipment makers.

The second proposal would mandate certain telecom giants remove any banned equipment they may have already installed.

In a statement, the FCC said it would offer a reimbursement program to help carriers transition to “more trusted” suppliers.

“We need to make sure our networks won’t harm our national security, threaten our economic security, or undermine our values,” said FCC chairman Ajit Pai in remarks. “The Chinese government has shown repeatedly that it is willing to go to extraordinary lengths to do just that.”

The FCC said Huawei and ZTE were already on the list of companies that pose a threat, but that the draft order would “establish a process for designating other suppliers that pose a national security threat,” potentially opening the door for new additions.

It’s the latest move by the government to crack down on technology providers seen as a potential homeland security threat. Chief among the fears are that Huawei and ZTE are subject to Chinese laws, and could be told to secretly comply with demands from Chinese intelligence services, which could put Americans’ data at risk of surveillance or espionage.

The claims first arose in 2012 following a House inquiry, which labeled the companies a national security threat.

Earlier this year, the Trump administration banned federal agencies from buying equipment from Huawei and ZTE, but also Hytera and Hikvision.

Both Huawei and ZTE have long denied the allegations.

Chairman Pai said in an op-ed in the Wall Street Journal: “When it comes to 5G and America’s security, we can’t afford to take a risk and hope for the best. We need to make sure our networks won’t harm our national security, threaten our economic security or undermine our values.”

The FCC’s proposals are expected to be voted on during a meeting on November 19.


Revisiting Jumia’s JForce scandal and Citron’s short-sell claims

20:30 | 28 October

In advance of Jumia’s November financial reporting, it’s worth revisiting the company’s second quarter results, the downside of which included some negative news beyond losses.

The Africa-focused e-commerce company, with online verticals in 14 countries, did post second-quarter revenue growth of 58% (≈$43 million) and increased its customer base to 4.8 million from 3.2 million over the same period a year ago.

But Jumia also posted greater losses for the period, €67.8 million, compared to €42.3 million in 2018.

What appears to have struck the market more than revenues or losses was Jumia offering greater detail on the fraud perpetrated by some employees and agents of its JForce sales program.

This was another knock for the firm on its up and down ride since becoming the first tech company operating in Africa to list on the NYSE in April. The online retailer gained investor confidence out of the gate, more than doubling its $14.95 opening share price after the IPO.

That lasted until May, when Jumia’s stock came under attack from short-seller Andrew Left, whose firm Citron Research issued a report accusing the company of fraud. That prompted several securities-related lawsuits against Jumia.

At quick glance, Citron’s primary claim — that Jumia’s SEC filing contained discrepancies in sales figures — shares some resemblance to Jumia’s own disclosures.

The company’s share-price has suffered due to both — falling to less than 50% of its opening in April.

This has all funneled into an ongoing debate on Jumia’s legitimacy as an African startup, given its (primarily) European senior management. Some of the most critical voices have gone so far as to support Left’s claims on Jumia’s fraud, and accept Jumia’s August admission as validation.

Sound messy and confusing? Well, yes, it is. But so go some IPOs.

Jumia’s info vs. Citron’s claims

Evaluating Jumia’s J-Force scandal vs. Citron’s short-sell claims is really Chartered Financial Analyst stuff. Citibank Research issued a brief rebutting Left’s claims in May and then another in August — though the firm has not made either public.

Judging by Jumia’s share-price fluctuation and chatter that continues in Africa’s tech ecosystem, there’s still confusion around both matters.

A simple exercise is to lay out the core of what Jumia has released vs. the crux of Citron Research’s claims.

On the J-Force/improper sales matter, here are excerpts of Jumia’s statement. Note that GMV is Gross Merchandise Value — the total amount of goods sold over the period: 

As disclosed in our prospectus dated April 11, 2019, we received information alleging that some of our independent sales consultants, members of our JForce program in Nigeria, may have engaged in improper sales practices. In response, we launched a review of sales practices covering all our countries of operation and data from January 1, 2017 to June 30, 2019.

Jumia did disclose this in its IPO prospectus on page 34

In the course of this review, we identified several JForce agents and sellers who collaborated with employees in order to benefit from differences between commissions charged to sellers and higher commissions paid to JForce agents. The transactions in question generated approximately 1% of our GMV in each of 2018 and the first quarter of 2019 and had virtually no impact on our 2018 or 2019 financial statements. We have terminated the employees and JForce agents involved, removed the sellers implicated and implemented measures designed to prevent similar instances in the future. The review of this matter is closed.

And finally, Jumia noted this:

More recently, we have also identified instances where improper orders were placed, including through the JForce program, and subsequently cancelled. Based on our findings to date, we believe that the transactions in question generated approximately 2% of our GMV in 2018, concentrated in the fourth quarter of 2018, approximately 4% in the first quarter of 2019 and approximately 0.1% in the second quarter of 2019. These 0.1% have already been adjusted for in the reported GMV figure for the second quarter of 2019. These transactions had no impact on our financial statements. We have suspended the employees involved pending the outcome of our review and are implementing measures designed to prevent similar instances in the future. We continue our review of this matter.

That’s the gist of Jumia’s disclosure: a small number of employees cooked some sales numbers and commissions, it was negligible to our financials, we flagged the investigation in our IPO prospectus, we took action, we ended it.

The Citron Research report Andrew Left issued to support his short-sell position made several critical claims regarding Jumia, but labeled “the smoking gun” as alleged material inconsistencies between an October 2018, Jumia investor presentation and Jumia’s April SEC Form F-1.

For the year 2017, there’s a difference of 600,000 active customers and 10,000 merchants in Jumia’s reporting between the fall 2018 investor presentation and the recent 2019 F-1, according to Citron Research. Citron also goes on to press concerns with GMV:

In order to raise more money from investors, Jumia inflated its active consumers and active merchants figures by 20-30% (FRAUD).

The most disturbing disclosure that Jumia removed from its F-1 filing was that 41% of orders were returned, not delivered, or cancelled.

This was previously disclosed in the Company’s October 2018 confidential investor presentation. This number is so alarming that it screams fraudulent activities. Instead, Jumia disclosed that “orders accounting for 14.4% of our GMV were either failed deliveries or returned by our consumers” in 2018.

TechCrunch connected with Jumia’s CEO Sacha Poignonnec and Citron Research’s Andrew Left since the August earnings reporting and disclosures.

On whether Jumia’s revelation of improper sales practices validated the fraud claims in Citron’s brief, “It’s not the same,” Poignonnec told me on a call last month.

“For every one of those allegations,” he said, referring to Left’s research, “there is a clear and simple answer for each of them and we have provided those.”

Where is Andrew Left on the matter? “I’m no longer short the stock,” he told TechCrunch in an email this week.

“But that does not mean the stock is a buy whatsoever,” he added — sticking to the fundamentals of his May brief.

What to make of it all?

It appears that what Jumia disclosed in its April prospectus (and added more detail to in August) does not provide one-to-one validation of the claims in Citron Research’s May report.

But then again, the entire matter — the data, the similar terminology, the multiple docs and disclosures — is still all a bit confusing.

That was evident in an exchange between Sacha Poignonnec and CNBC contributor John Fortt after Jumia’s second-quarter earnings call (see 1:19). Fortt pressed Poignonnec on Left’s claims vs. Jumia’s admissions and still came away a bit puzzled.

The market, too, appears to be impacted by the fuzziness around Jumia’s disclosure of improper sales practices and Andrew Left’s claims.

Jumia’s share price plummeted 43% the week Left released his short-sell claims, from $49 to $26.

The company’s stock price has continued to decline since Jumia’s August earnings call (and sales-fraud disclosure) to $6.52 at close Tuesday.

That’s 50% below the company’s opening in April and 80% below its high before Citron’s Research brief and Andrew Left’s short-sell position.

[Chart: Jumia stock snapshot to October 28, 2019]

Jumia’s core investors appeared to show continued confidence in the company this month, when there wasn’t a big selloff after the IPO lockup period expired.

Even so, Jumia’s third-quarter earnings call on November 12 could be a bit make or break for the company with investors, given all the volatility the e-commerce venture has faced since listing and its rapid loss in value.

As a public company now, the most direct way for Jumia to revive its share price (and investor confidence) would be demonstrating it has reduced losses while maintaining or boosting revenues.

Of course, that’s the prescription for just about any recently IPO’d tech venture.

What Jumia may want to evaluate pre-earnings call is the extent to which its own sales-fraud disclosure and Andrew Left’s allegations are still being mashed together and impacting brand-equity in Africa and investor confidence abroad.

From there it could be wise to address both head on and explain — in a way that is as easy as possible for people to understand — how the two are not the same and don’t have a bearing on Jumia’s brand or business model.


American Cancer Society’s online store infected with credit card stealing malware

18:00 | 28 October

The American Cancer Society’s online store has become the latest victim of credit card stealing malware.

Security researcher Willem de Groot found the malware on the organization’s store website, buried in obfuscated code designed to look like legitimate analytics code. The code was designed to scrape credit card payments from the page, like similar attacks targeting British Airways, Ticketmaster, AeroGarden, and Newegg.

The attackers, known as Magecart, sell the stolen card numbers on the dark web or use them to commit fraud.

In a blog post explaining the breach, shared exclusively with TechCrunch, de Groot said the code was designed to send collected credit card numbers to a third-party server operated by the attacker. The code was malformed, which led to it being inserted twice. When the malicious code was decoded, it revealed the web address of the hacker’s third-party server.

[Image: The card skimming malware on the American Cancer Society’s store website. (Image: TechCrunch)]

Trend Micro said the domain is known to be used by Magecart. The domain is registered in Moscow, but the website itself loads nothing more than a decoy page.

The code was injected into the online store at some point late last week. de Groot informed the organization of the incident as soon as he found the code on Thursday by calling its anti-fraud hotline, but the code was not immediately removed. After we reached out Friday, the code was no longer present.

American Cancer Society spokesperson Kathi Dinicola did not return requests for comment.

It’s not known how many users were affected, but anyone who entered payment information on the American Cancer Society’s store late last week should contact their card issuer or payment provider.


Lawmakers ask US intelligence chief to investigate if TikTok is a national security threat

21:13 | 24 October

Two lawmakers have asked the government’s most senior U.S. intelligence official to assess if video sharing app TikTok could pose “national security risks” to the United States.

In a letter by Sens. Charles Schumer (D-NY) and Tom Cotton (R-AR), the lawmakers asked the acting director of national intelligence Joseph Maguire if the app maker could be compelled to turn Americans’ data over to the Chinese authorities.

TikTok has some 110 million downloads to date and has spiked in popularity for its ability to record short, snappy and sharable videos across social media networks. But the lawmakers say because TikTok is owned by a Beijing-based company, it could be compelled by the Chinese government to turn over user data — such as location data, cookies, metadata and more — even if it’s stored on servers it owns in the United States.

Both Schumer and Cotton warn that TikTok’s parent company, ByteDance, is “still required to adhere” to Chinese law.

“Security experts have voiced concerns that China’s vague patchwork of intelligence, national security, and cybersecurity laws compel Chinese companies to support and cooperate with intelligence work controlled by the Chinese Communist Party,” the letter, dated Wednesday, said. “Without an independent judiciary to review requests made by the Chinese government for data or other actions, there is no legal mechanism for Chinese companies to appeal if they disagree with a request.”

That same legal principle works both ways. U.S. companies have been shut out, or had their access limited, in some nation states — including China — over fears that they could be compelled to spy on the behalf of the U.S. government.

In the aftermath of the Edward Snowden disclosures, which revealed the U.S. government’s vast surveillance operation, several major tech companies were dropped from China’s approved state purchases list amid fear of U.S. cooperation in surveillance.

The senators also said they are concerned that the app was censoring content “deemed politically sensitive” to Beijing. In September, The Guardian revealed that the app’s moderators actively censor content relating to Tibetan independence, the Tiananmen Square massacre, or the banned religious group Falun Gong.

They also said the app could pose a “counterintelligence” threat as it could be used as a foreign influence tool as seen in the 2016 U.S. presidential election.

When reached, a spokesperson for the Office of the Director of National Intelligence would not comment.

TikTok said it was “carefully reviewing” the letter.

“We will not be offering any further comment on it at this time other than to reaffirm that TikTok is committed to being a trusted and responsible corporate citizen in the U.S., which includes working with Congress and all relevant regulatory agencies,” said TikTok spokesperson Josh Gartner.
