New York (CNN Business) Nintendo revealed on Friday that 160,000 accounts were breached since the beginning of April, by hackers using others’ Nintendo Network IDs without permission. The company announced users will no longer need to use these IDs to log into their accounts, and that passwords on accounts that may have been breached will be reset.
Security startups to the rescue.
As we continue to ride out the pandemic, security experts are closely monitoring the surge of coronavirus-related cyber threats. Just this week, Google’s Threat Analysis Group, its elite threat hunting unit, says that while the overall number of threats remains largely the same, opportunistic hackers are retooling their efforts to piggyback on coronavirus.
Some startups are downsizing and laying off staff, but several cybersecurity startups are faring better, thanks to an uptick in demand for security protections. As the world continues to pivot toward working from home, it has blown up key cybersecurity verticals in ways we never expected. To wit, identity startups are needed more than ever to make sure only remote employees are getting access to corporate systems.
Can the startups take on the giants at their own game?
THE BIG PICTURE
Another payments processor drops the security ball
For the third time this year, a payments processor has admitted to a security lapse. First it was Cornerstone, then it was nCourt. This time it’s Paay, a New York-based card payment processor startup that left a database on the internet unprotected and without a password. Worse, the data was storing full, plaintext credit card numbers.
Anyone who knew where to look could have accessed the data. Luckily, a security researcher found it and reported it to TechCrunch. We alerted the company; it quickly took the data offline, but Paay denied that the data stored full credit card numbers. We even sent the co-founder a portion of the data showing card numbers stored in plaintext, but he did not respond to our follow-up.
It was another week of social distancing or quarantine for most of the world, but Google published findings that it has seen 12 government-backed hacking groups undeterred by the pandemic and, in fact, trying to take advantage of those conditions for intelligence-gathering. Another report found that China, for one, has been busy during the pandemic hacking Uighurs’ iPhones in a recent months-long campaign.
We broke down how Apple and Google are using aggregate smartphone location data to visualize social distancing trends. And in an exclusive interview with WIRED, Federal Bureau of Investigation director Christopher Wray warned that domestic terrorism is a growing threat in the United States.
On top of all the other digital threats, researchers emphasized this week that so-called "zero-click" hacks that don't require any interaction from users to initiate may be more prevalent and varied than most people realize. Such attacks are difficult to detect with current tools.
And there's more. Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.
On Wednesday, the video conferencing service Zoom announced a number of small but needed security improvements. As Zoom usage has increased during the pandemic, so has scrutiny on the service's security and privacy offerings. This week's announcement of incremental improvements is part of a 90-day plan the company announced to overhaul its practices. One change is that Zoom will now offer AES 256 encryption on all meetings, meaning data will be encrypted with a 256-bit key. Zoom previously used AES 128, a reasonable option, but a controversial one in Zoom's case, because the company claimed in documentation and marketing materials that it used AES 256 all along.
Facebook data from more than 267 million profiles is being sold on criminal dark web forums for £500, or about $618. The information doesn't include passwords, but does include details like users' full names, phone numbers, and Facebook IDs. Though such information can't be used to break into the accounts directly, it can fuel digital scams like phishing. Most of the trove seems to be the same as data found by researcher Bob Diachenko in an exposed cloud repository last month. Even after that bucket was taken down, though, a copy of the information plus an additional 42 million records popped up in a different repository.
A growing number of Nintendo users over the past few weeks had watched fraudsters take control of their accounts, and in many cases use saved credit cards or linked PayPal accounts to buy Nintendo games or currency for the popular game Fortnite. At the beginning of April, Nintendo encouraged users to turn on two-factor authentication to protect their accounts, but it had been unclear how hackers were breaking in. On Friday, the company confirmed that hackers had gained unauthorized access to accounts and announced it was discontinuing users' ability to log into their Nintendo Accounts using Nintendo Network IDs, from older Wii U and 3DS systems. Nintendo also says it will contact affected users about resetting passwords. On its US customer support page, the company writes, "While we continue to investigate, we would like to reassure users that there is currently no evidence pointing toward a breach of Nintendo’s databases, servers or services."
At a time when more transactions than ever are happening online, payments behemoth Stripe is announcing three new features to continue expanding its reach.
The company today announced that it will now offer card issuing services directly to businesses to let them in turn make credit cards for customers tailored to specific purposes. Alongside that, it’s going to expand the number of accepted local, large card networks to cut down some of the steps it takes to make transactions in international markets. And finally, it’s launching a “revenue optimization” feature that essentially will use Stripe’s AI algorithms to reassess and approve more flagged transactions that might have otherwise been rejected in the past.
Together the three features underscore how Stripe is continuing to scale up with more services around its core payment processing APIs, a significant step in the wake of last week announcing its biggest fundraise to date: $600 million at a $36 billion valuation.
The rollouts of the new products are specifically coming at a time when Stripe has seen a big boost in usage among some (but not all) of its customers, said John Collison, Stripe’s co-founder and president, in an interview. Instacart, which is providing grocery delivery at a time when many are living under stay-at-home orders, has seen transactions up by 300% in recent weeks. Another newer customer, Zoom, is also seeing business boom. Amazon, Stripe’s behemoth customer that Collison would not discuss in any specific terms except to confirm it’s a close partner, is also seeing extremely heavy usage.
But other Stripe users — for example, many of its sea of small business users — are seeing huge pressures, while still others, faced with no physical business, are just starting to approach e-commerce in earnest for the first time. Stripe’s idea is that the launches today can help it address all of these scenarios.
“What we’re seeing in the COVID-19 world is that the impact is not minor,” said Collison. “Online has always been steadily taking a share from offline, but now many [projected] years of that migration are happening in the space of a few weeks.”
Stripe is among those companies that have been very mum about when they might go public — a state of affairs that has only become more set in recent times, given how the IPO market has all but dried up in the midst of a health pandemic and economic slump. That has meant very little transparency about how Stripe is run, whether it’s profitable and how much revenue it makes.
But Stripe did note last week that it had some $2 billion in cash and cash reserves, which at least speaks to a level of financial stability. And another hint of efficiency might be gleaned from today’s product news.
While these three new services don’t necessarily sound like they are connected to each other, what they have underpinning them is that they are all building on top of tech and services that Stripe has previously rolled out. This speaks to how, even as the company now handles some 250 million API requests daily, it’s keeping some lean practices in place in terms of how it invests and maximises engineering and business development resources.
The card issuing service, for example, is built on a card service that Stripe launched last year. Originally aimed at businesses to provide their employees with credit cards — for example to better manage their own work-related expenses, or to make transactions on behalf of the business — now businesses can use the card issuing platform to build out aspects of their customer-facing services.
For example, Stripe noted that the first customer, Zipcar, will now be placing credit cards in each of its vehicles, which drivers can use to fuel up the vehicles (that is, the cards can only be used to buy gas). Another example Collison gave for how these could be implemented would be in a food delivery service, for example for a Postmates delivery person to use the card to pay for the meal that a customer has already paid Postmates to pick up and deliver to them.
Collison noted that while other startups like Marqeta have built big businesses around innovative card issuing services, “this is the first time it’s being issued on a self-serving basis,” meaning companies that want to use these cards can now set this up more quickly as a “programmatic card” experience, akin to self-serve, programmatic ads online.
It seems also to be good news for investors. “Stripe Issuing is a big step forward,” said Alex Rampell, general partner at Andreessen Horowitz, in a statement. “Not just for the millions of businesses running on Stripe, but for credit cards as a fundamental technology. Businesses can now use an API to create and issue cards exactly when and where they need them, and they can do it in a few clicks, not a few months. As investors, we’re excited by all the potential new companies and business models that will emerge as a result.”
Meanwhile, the revenue “optimization” engine that Stripe is rolling out is built on the same machine learning algorithms that it originally built for Radar, its fraud prevention tool that originally launched in 2016 and was extended to larger enterprises in 2018. This makes a lot of sense, since oftentimes the reason transactions get rejected is because of the suspicion of fraud. Why it’s taken four years to extend that to improve how transactions are approved or rejected is not entirely clear, but Stripe estimates that it could enable a further $2.5 billion in transactions annually.
One reason why the revenue optimization may have taken some time to roll out was because while Stripe offers a very seamless, simple API for users, it’s doing a lot of complex work behind the scenes knitting together a lot of very fragmented payment flows between card issuers, banks, businesses, customers and more in order to make transactions possible.
The third product announcement speaks to how Stripe is simplifying a bit more of that. Now, it’s able to provide direct links into six big card networks — Visa, Mastercard, American Express, Discover, JCB and China Union Pay, which effectively covers the major card networks in North and Latin America, Southeast Asia and Europe. Previously, Stripe would have had to work with third parties to integrate acceptance of all of these networks in different regions, which would have cut into Stripe’s own margins and also given it less flexibility in terms of how it could handle the transaction data.
Launching the revenue optimization by being able to apply machine learning to the transaction data is one example of where and how it might be able to apply more innovative processes from now on.
While Stripe is mainly focused today on how to serve its wider customer base and to just help business continue to keep running, Collison noted that the COVID-19 pandemic has had a measurable impact on Stripe beyond just boosts in business for some of its customers.
The whole company has been working remotely for weeks, including its development team, making for challenging times in building and rolling out services.
And Stripe, along with others, is also in the early stages of piloting how it will play a role in issuing small business loans as part of the CARES Act, he said.
In addition to that, he noted that there has been an emergence of more medical and telehealth services using Stripe for payments.
Before now, many of those use cases had been blocked by the banks, he said, for reasons of the industries themselves being strictly regulated in terms of what kind of data could get passed across networks and the sensitive nature of the businesses themselves. He said that a lot of that has started to get unblocked in the current climate, and “the growth of telemedicine has been off the charts.”
Digits, a fintech startup hailing from the same team that built and sold Crashlytics to Twitter, is officially launching today after two years of development. It’s also announcing a $22 million Series B round of funding led by GV, as it makes its public debut.
While the company had been fairly quiet about product details while in stealth mode, it’s today unveiling its first product: a visual, machine learning-powered expense monitoring dashboard aimed at startups and small businesses.
The dashboard, called Digits for Expenses, helps business owners track how their company is spending money, by showing things like spend by category, by identifying vendors and recurring expenses and by offering real-time alerts, among other features.
Instead of requiring business owners to make a switch from their existing financial solutions, Digits connects with the accounting software, banks, payroll providers, financial packages, sources of revenue and credit cards the business already uses — like Xero, QuickBooks, NetSuite, Citi, Bank of America or Chase, for example.
At launch, the list includes more than 9,000 banks, with support for Xero and NetSuite coming soon.
After setup, Digits will then automatically analyze the company’s spend and visualize it, in real time.
While visualizations of data may be reminiscent of personal finance startup Mint, Digits’ web-based solution is more technical in nature and offers an expanded analysis of the data on hand. Plus, as a business solution, it has to offer features like security, permissioning and collaborative workflows, which results in a more sophisticated product.
Digits also uses machine learning technology to predictively categorize transactions as they happen and the software can alert users to anomalies — like suspicious activity or unexpectedly large transactions — in real time. Business owners can use the dashboard to find out things like how quickly expenses are growing, what the cash flow looks like, where costs can be trimmed, what services are being paid for on a recurring basis and more, and can search for transactions.
The software also supports the ability to comment on transactions, loop in a colleague to ask for clarification about a charge and upload missing receipts. Everything uses HTTPS along with TLS and certificates so data is encrypted between Digits’ services and at rest.
The original idea for Digits came from a problem that co-founders Wayne Chang and Jeff Seibert faced themselves when building Crashlytics. As they explained previously, their focus as entrepreneurs was on solving technical challenges, not on the operational side of running a business.
Many entrepreneurs also find themselves in this same space. They’re trying to solve a problem or crack a tough engineering puzzle, but instead have to redirect their time and resources to spreadsheets, financial reports, transaction records and other paperwork required to actually run the business.
“Startups and small businesses today simply don’t have the resources to manage their finances internally. Most of them still settle for spreadsheets, and the lucky ones work on an hourly basis with external accountants,” explains Seibert. “As a result, their accounting itself is seen as a cost-center, and they pay for little beyond the basic monthly financial statements — Profit & Loss, Balance Sheet, etc. By the time those statements are delivered — weeks after the end of each month — they’re already out of date,” he said.
That means things businesses need — like updates, one-off reports and new budgets — can require additional costs and longer wait times, so they get skipped.
The COVID-19 pandemic has put even more pressure on small businesses, many of which are now struggling to even survive. As a result, Digits has decided to launch the product for free to those who sign up — not a free trial, but actually free. It plans to later charge for additional products and paid upgrades to support its own business.
Digits is able to make this offer because of its now-expanded venture funding.
Already, the company had raised $10.5 million in Series A funding in a round led by Benchmark. That round had included a sizable 72 angel investors as well, including founders and CEOs from companies like Box, GitHub, Tinder, Twitch, StitchFix, SoFi and several others — entrepreneurs with an understanding of the problems Digits is aiming to solve.
Today, Digits is announcing an additional $22 million led by Jessica Verrilli at GV, who also now joins Digits’ board alongside Benchmark’s Peter Fenton. (Benchmark also participated in the new round).
“Jeff and Wayne are masterful at creating intuitive, high-utility products from complicated data,” said Verrilli about the GV investment. “I saw this up close with Crashlytics and Twitter, and I’m thrilled to partner with them on Digits as they reimagine financial software for startups,” she added.
The startup, now a team of 18 and hiring, was already offering its software solution to a group of customers ahead of today’s public launch, who effectively operated as beta testers allowing Digits to refine its product. Digits isn’t able to share its customer names, for the most part. However, it noted that Coda was one of the early adopters and provided valuable feedback.
It also has over 10,000 companies who joined its waitlist over the past two years who are now being let in.
At the time of its Series A, Digits saw more than $1.5 billion in transaction value flowing across its production systems. That number has since grown to $8 billion.
The software is free starting today for U.S.-based small businesses. The company plans to add support for international markets later this year.
London (CNN) The makeshift poster is displayed proudly in the window of a London home. “We love the NHS” is written in children’s handwriting above a picture of a rainbow. A few doors down the street, another colorful arch is daubed on a bed sheet hanging from a balcony.
The origin story
(CNN) The new normal will be anything but ordinary.
Staggered school days and smaller class sizes
Disposable menus and masked servers
Empty stadiums and concert halls
Tracking of location and other personal information
Changes at airports and limited travel
Face masks may become an everyday accessory
The student loan crisis has crescendoed to even worse heights. As universities shut down across the country due to the outbreak of COVID-19 and employment opportunities dim with the rapidly decelerating economy, today’s students and post-grads need better tools than ever to navigate their finances.
Unfortunately, student loans in the United States are extraordinarily complicated, with literally hundreds of variations on loan terms, repayment methods and public interest forgiveness options. For borrowers, what are the best ways to minimize their total burden while staying within the rules?
Washington, DC-based Savi wants to make student loan borrowers “savvy” to the best options available to them, and now it has even more capital to take on this pressing challenge. The company announced today that it has raised a $6 million Series A led by Nyca Partners, one of the most influential investing firms in the fintech space.
Finance startups often have misaligned incentives between users and their own revenue models — a financial health app may make quiet referral revenue by peddling new credit cards and loans, exactly what a user doesn’t need.
What makes Savi interesting is that the company was designed from the beginning to make sure that it always placed the interests of its users first. It’s organized as a public benefit corporation and founded by two idealistic founders who came together over improving the outcomes of the nation’s youth.
After graduating from Georgetown Law, Aaron Smith founded and spent four years running Young Invincibles, a youth-focused think tank and advocacy organization that was originally created to bring attention to youth issues during the healthcare reform discussions in the early years of the Obama administration. Meanwhile, Savi’s other co-founder, Tobin Van Ostern, worked on youth voter engagement for Obama’s first presidential campaign as the head of Students for Barack Obama before heading to the liberal Center for American Progress.
Together, they decided to found Savi to bring their progressive mission orientation to helping young people around student debt. The student loan world is “fairly complicated, and while obviously I think there needs to be continued improvement on the policy side, we needed solutions for student loan borrowers right now,” Smith explained. “And so that was sort of the impetus behind Savi — to use technology to create those kind of solutions.”
Savi ingests student loan data from users and then begins crunching the numbers to calculate the best options for repayment or forgiveness while taking into account the goals of its users.
While student lending is a trillion-dollar-plus market, Savi — owing to its progressive roots — has been particularly focused on offering its platform to users like social workers, teachers and service workers. One of their largest partners is NEA, the largest teachers union in the United States with around 3 million members, and Savi is offered as a benefit to its members.
Organizations offer Savi’s student loan assessment tool to their employees and members to help them understand their financial picture. That tool is free for users, but from there, Savi charges a subscription to actively manage a user’s student loans, such as automating the process for filling out paperwork. Users can calculate their savings using Savi before committing to paying a subscription, ensuring that no user pays if Savi can’t help them save money. The company says that the average borrower sees $140 in savings per month and pays a $5-a-month subscription fee.
Given the typical employment of its users, Savi has a particular specialty in loan forgiveness, an option that many student loans offer for people in public-interest careers. Such options often have byzantine rules for eligibility though, and so Savi works to ensure that borrowers seeking forgiveness stay within the rules of their loan programs. Currently, the company handles more than 150 forgiveness and repayment options.
New York (CNN Business) Meg Atteberry had been gearing up for her work’s busy season.