Month: August 2018

31 Aug 2018

Apple will require all apps to have a privacy policy as of October 3

Apple is cracking down on apps that don’t communicate to users how their personal data is used, secured or shared. In an announcement posted to developers through the App Store Connect portal, Apple says that all apps, including those still in testing, will be required to have a privacy policy as of October 3, 2018.

Allowing apps without privacy policies is something of an obvious hole that Apple should have already plugged, given its generally protective nature over user data. But the change is even more critical now that Europe’s GDPR regulations have gone into effect. Though the app makers themselves would be ultimately responsible for their customers’ data, Apple, as the platform where those apps are hosted, has some responsibility here, too.

Platforms today are being held accountable for the behavior of their apps, and the data misuse that may occur as a result of their own policies around those apps.

Facebook CEO Mark Zuckerberg, for example, was dragged before the U.S. Senate about the Cambridge Analytica scandal, where data from 87 million Facebook users was inappropriately obtained by way of Facebook apps.

Apple’s new requirement, therefore, provides the company with a layer of protection – any app that falls through the cracks going forward will be able to be held accountable by way of its own privacy policy and the statements it contains.

Apple also notes that the privacy policy’s link or text cannot be changed until the developer submits a new version of their app. It seems there’s still a bit of a loophole here, though – if developers add a link pointing to an external webpage, they can change what the webpage says at any time after their app is approved.

The new policy will be required for all apps and app updates across the App Store as well as through the TestFlight testing platform as of October 3, says Apple.

What’s not clear is whether Apple itself will be reviewing all the privacy policies as part of this change, in order to reject apps with questionable data use policies or user protections. If it does, App Store review times could increase, unless the company hires more staff.

Apple has already taken a stance on apps it finds questionable, like Facebook’s data-sucking VPN app Onavo, which it kicked out of the App Store earlier this month. The app had been live for years, however, and its App Store text did disclose the data it collected was shared with Facebook. The fact that Apple only booted it now seems to indicate it will take a tougher stance on apps which are designed to collect user data as one of their primary functions going forward.

31 Aug 2018

Google and Mastercard reportedly partner to track offline purchases

According to a report from Bloomberg, Google and Mastercard have signed a secret deal so that Google could track retail sales using Mastercard transaction data. This is yet more proof that Google’s true customers are its advertising partners.

Online advertising has now overtaken all other advertising methods. Companies spend more on online ads than TV ads, newspaper ads and more.

And the reason why online ads have become so popular is that it’s much easier to track the effectiveness of your ad campaign. If you spend money on Google or Facebook ads, you can directly track the number of customers who end up on your online store because of your campaign. You can even see what they end up buying.

And yet, what if you see an online ad for a TV and then you buy a TV in store? Tech companies have tried for years to bridge the gap between online ads and offline sales. That’s why Google tracks your location all the time, even if you turn off location history. And that’s also why Google and Mastercard may have signed a deal.

According to Bloomberg, all Mastercard transaction data in the U.S. is encrypted and transmitted to Google. Google is paying Mastercard, and potentially other card networks, to access this information.

Google can’t see individual transactions. But the company can extract relevant information from this pile of data. For instance, it could match offline purchases with user profiles. And the company knows if a user clicked on an ad.

Advertisers can upload an email database to match up offline sales with Google profiles and ad clicks. Google sends them reports with total offline sales. Advertisers then see how much money they generated thanks to their online ad campaign.

It’s a good way to convince advertising clients that their campaign was effective. When those companies are thinking about their advertising budget, chances are they will end up spending more money on Google if they see that it leads to a lot of sales.

This strategy shows once again that building an advertising business at scale requires some privacy concessions. It’s even more offensive that Google doesn’t talk about these deals more publicly. Users deserve to know what happens.

You can reportedly opt out of this Mastercard deal by turning off “Web and App Activity” in your Google account. But this setting is hard to find and encompasses a ton of stuff. Offline purchases are neither “web” nor “app” data for instance.

31 Aug 2018

Tesla’s drama, China-based companies are listing in the U.S., and SurveyMonkey is (finally) going public

Hello and welcome back to Equity, TechCrunch’s venture capital-focused podcast where we unpack the numbers behind the headlines.

This week, we were a man down, with the excellent Alex Wilhelm of Crunchbase News on a vacation that someone seems to have sanctioned, though it was not us, as we don’t believe in vacations. (Wilhelm, get back here.) We did, happily, have the very knowledgeable Kirsten Korosec of TechCrunch join us on the line; we were also joined by this week’s personable in-studio guest: Lauren Kolodny, a partner at the San Francisco-based, early-stage venture firm Aspect Ventures.

It was the perfect mix to talk about car makers and more car makers, including Tesla and CEO Elon Musk’s seemingly ill-planned plans to take the publicly traded company private, then vacillating a bit before changing his mind again, much to the chagrin of his board, the company’s shareholders, and poor Kirsten, who was trying to enjoy her evening last Friday when Musk decided (for now) to leave well enough alone and drop the whole cockamamie idea of switching out Tesla’s investor base.

We also talked about Toyota’s announcement this week that it’s sinking $500 million into Uber and forming an intriguing if confusing driverless-car pact in the process. And we lingered on Nio, a four-year-old, Shanghai-based electric car maker that, if it has its way, will begin trading on the New York Stock Exchange in roughly two weeks — even though it only made $7 million in the first half of this year and reported a net loss of $503 million. Who’s counting, though? Not U.S. investors, it hopes.

Speaking of IPOs, we knew we’d be remiss not to talk about the IPO filing this week of SurveyMonkey, a now 19-year-old, San Mateo, Ca., company that’s beloved by both personal and business users of its analytical tools and surveys, but which is still not making money, owing in part to expensive debt that the company is currently servicing (and will pay down using its IPO proceeds). Will public shareholders embrace the company, which was last valued at $2 billion during its last private round in 2014 but whose value has subsequently been marked down by fully 25 percent by fund manager Fidelity? Stay tuned!

We did not get to our favorite topic of scooters, running out of time to chat about this major development and also this one. Knowing how much we love to toot about les scoots, rest assured that they will be back next week, as will we, so tune in again then!

Equity drops every Friday at 6:00 am PT, so subscribe to us on Apple Podcasts, Overcast, Pocket Casts, Downcast and all the casts.

31 Aug 2018

Chat app Line hopes its own crypto token can solve its user growth problem

Line, the Japanese messaging app firm that’s best known for its cutesy characters and stickers, is pushing deeper into crypto after it launched its own token to help grow its stagnant user base.

Line went public two years ago with 218 million monthly active users, but it hasn’t been able to kick on. The company no longer gives out its worldwide user number, but the number of active users in its four biggest markets has fallen from 169 million in Q2 2017 to 164 million in its recent Q2 2018 period.

Link — Line’s token — isn’t being minted through an ICO; instead, it’ll be given out to Line users as an incentive for using certain services. Line hasn’t said exactly how it can be earned yet, although it is likely that it’ll be tied to specific activities to promote engagement.

Line plans to use Link to incentivize user activity on its messaging app and other services

The token will be listed on Bitbox — Line’s crypto exchange — and it’ll be used to buy content like stickers and webcomics, as well as other Line services. It’ll also be possible to use Link to get a lower commission rate on trading in the same way that Binance, the world’s largest exchange, uses its BNB token.

Line currently has a virtual currency for its in-app content and services, and you’d imagine that Link will replace it in the future.

It’s worth noting, however, that Link hasn’t launched in Japan yet. That’s because Line is awaiting regulatory approval for its token and exchange, so, for now, those in Japan — which is Line’s largest market — will earn virtual tokens which can be traded for Link in the future.

Line is struggling to grow its user numbers

Link will launch next month, and it follows the announcement of BitBox in July and the launch of a dedicated crypto fund in early August.

Line has dodged the legal questions around token sales by not holding an ICO, and the fact it is using the currency to incentivize user engagement and activity isn’t a huge surprise. Line went public in a dual U.S-Japan IPO that raised over $1 billion in 2016 but, despite user numbers declining, it has grown its revenue through additional services.

Increased competition from the likes of Facebook Messenger and WhatsApp is likely its biggest threat, so incentivizing users is a logical strategy. Of course, that depends on how useful Link becomes. If users can exchange it for a decent amount of cash or credits inside Line’s platform it may gain appeal, but if they just pick up trivial amounts, it may be less interesting to them. The bigger picture will be when Link replaces Line’s virtual currency for all purchases but that alone isn’t likely to boost user engagement.

Despite declining user numbers, Line has grown revenue by pushing out services that connect to its messaging platform.

Line also plans to use Link — and the blockchain it has developed to power it — to host decentralized applications (dapps) that will connect to its messaging platform. The company already does a lot more than messaging — for example payments, ride-hailing, music and videos — and it plans to tap third-party developers to build dapps. Generally, though, dapps haven’t taken off. The collectibles game Cryptokitties did blow up late last year, but studies have suggested user activity is massively down this year as the fad has slowly worn off.

Crypto enthusiasts will no doubt take positives from Line’s latest move — it is arguably the largest company to embrace crypto, in terms of end-user audience reach — but it remains to be seen whether Link and its dapps platform can help it crack its user growth and retention issues.

“Over the last seven years, Line was able to grow into a global service because of our users, and now with Link, we wanted to build a user-friendly reward system that gives back to our users. With Link, we would like to continue developing as a user participation-based platform, one that rewards and shares added value through the introduction of easy-to-use dapps for people’s daily lives,” said Line CEO Takeshi Idezawa in a statement.

Unlike Bitcoin, which is mined, Line has minted a total of one billion Link tokens which it said will be “gradually issued according to how this ecosystem develops.” The company plans to keep 200 million tokens, with the remaining 800 million made available as user rewards.

Note: The author owns a small amount of cryptocurrency. Enough to gain an understanding, not enough to change a life.

31 Aug 2018

Scientists make a touch tablet that rolls and scrolls

Research scientists at Queen’s University’s Human Media Lab have built a prototype touchscreen device that’s neither smartphone nor tablet but kind of both — and more besides. The device, which they’ve christened the MagicScroll, is inspired by ancient (papyrus/paper/parchment) scrolls so it takes a rolled-up, cylindrical form factor — enabled by a flexible 7.5inch touchscreen housed in the casing.

This novel form factor, which they made using 3D printing, means the device can be used like an erstwhile rolodex (remember those?!) for flipping through on-screen contacts quickly by turning a physical rotary wheel built into the edge of the device. (They’ve actually added one on each end.)

Then, when more information or a deeper dive is required, the user is able to pop the screen out of the casing to expand the visible display real estate. The flexible screen on the prototype has a resolution of 2K. So more mid-tier mobile phone of yore than crisp iPhone Retina display at this nascent stage.

The scientists also reckon the scroll form factor offers a pleasingly ergonomic option for making actual phone calls too, given that a rolled up scroll can sit snugly against the face.

Though they admit their prototype is still rather large at this stage — albeit, that just adds to the delightfully retro feel of the thing, making it come over like a massive mobile phone of the 1980s. Like the classic Motorola 8000X Dynatac of 1984.

While still bulky at this R&D stage, the team argues the cylindrical, flexible screen form factor of their prototype offers advantages by being lightweight and easier to hold with one hand than a traditional tablet device, such as an iPad. And when rolled up they point out it can also fit in a pocket. (Albeit, a large one.)

They also imagine it being used as a dictation device or pointing device, as well as a voice phone. And the prototype includes a camera — which allows the device to be controlled using gestures, similar to Nintendo’s ‘Wiimote’ gesture system.

In another fun twist they’ve added robotic actuators to the rotary wheels so the scroll can physically move or spin in place in various scenarios, such as when it receives a notification. Clocky eat your heart out.

“We were inspired by the design of ancient scrolls because their form allows for a more natural, uninterrupted experience of long visual timelines,” said Roel Vertegaal, professor of human-computer interaction and director of the lab, in a statement.

“Another source of inspiration was the old rolodex filing systems that were used to store and browse contact cards. The MagicScroll’s scroll wheel allows for infinite scroll action for quick browsing through long lists. Unfolding the scroll is a tangible experience that gives a full screen view of the selected item. Picture browsing through your Instagram timeline, messages or LinkedIn contacts this way!”

“Eventually, our hope is to design the device so that it can even roll into something as small as a pen that you could carry in your shirt pocket,” he added. “More broadly, the MagicScroll project is also allowing us to further examine notions that ‘screens don’t have to be flat’ and ‘anything can become a screen’. Whether it’s a reusable cup made of an interactive screen on which you can select your order before arriving at a coffee-filling kiosk, or a display on your clothes, we’re exploring how objects can become the apps.”

The team has made a video showing the prototype in action (embedded below), and will be presenting the project at the MobileHCI conference on Human-Computer Interaction in Barcelona next month.

While any kind of mobile device resembling the MagicScroll is clearly very, very far off even a sniff of commercialization (especially as these sorts of concept devices have long been teased by mobile device firms’ R&D labs — while the companies keep pumping out identikit rectangles of touch-sensitive glass… ), it’s worth noting that Samsung has been slated to be working on a smartphone with a foldable screen for some years now. And, according to the most recent chatter about this rumor, it might be released next year. Or, well, it still might not.

But whether Samsung’s definition of ‘foldable’ will translate into something as flexibly bendy as the MagicScroll prototype is highly, highly doubtful. A fused clamshell design — where two flat screens could be opened to seamlessly expand them and closed up again to shrink the device footprint for pocketability — seems a much more likely choice for Samsung designers to make, given the obvious commercial challenges of selling a device with a transforming form factor that’s also robust enough to withstand everyday consumer use and abuse.

Add to that, for all the visual fun of these things, it’s not clear that consumers would be inspired to adopt anything so different en masse. Sophisticated (and inevitably fiddly) devices are more likely to appeal to specific niche use cases and user scenarios.

For the mainstream, six inches of touch-sensitive (and flat) glass seems to do the trick.

31 Aug 2018

To boost Amazon Pay in India, Amazon reportedly acquired Tapzo, an ‘all-in-one’ aggregator app, for $40M

On the heels of Google rebranding Tez to Google Pay in India, and Walmart acquiring a majority stake in e-commerce marketplace Flipkart, Amazon is also making a run in India to home in on the country’s growing economy.

According to multiple reports, Amazon has paid around $40 million to acquire Tapzo, a startup that aggregates a number of app-based services — such as Uber, Ola, food delivery services Swiggy and Zomato, Book My Show, bill payment service BillDesk and more — into a single app. Amazon is reportedly paying between $30 million and $40 million, and its intention is to leverage Tapzo’s one-stop services app to help grow Amazon Pay usage in the country.

Amazon Pay has reportedly been seeing a wider global push to spur adoption of the service. But in India, the drive to get people to use Apple Pay may be particularly strong. Rival wallet services like Paytm, PhonePe, Google Pay, Mobikwik and others have swooped into a market where payment card usage is not that widespread, and consumers are conducting a growing number of transactions on their mobile devices. If you can get traction for your mobile wallet, that puts you into a strong position for dominating in all kinds of commerce and transactions in Asia’s second-largest economy.

We’d heard talks between Tapzo and Amazon have been in the works for a while, but now that a deal has been done, the two seem to be downplaying the details.

Messages sent to Tapzo founder and CEO, Ankur Singla, did not get responses. Another Tapzo executive we reached on the phone said he could not comment but also didn’t deny the report. And in a statement provided to TechCrunch, Amazon also did not explicitly confirm the deal, nor did Amazon deny it.

“Our commitment to the vision of a less-cash India remains the same,” a spokesperson said. “Our goal is to make it easier than ever before for customers to make digital payments by improving the customer experience, affordability and daily routines.”

An email to one of Tapzo’s investors, Sequoia, also did not get a response. Tapzo had in all raised about $23 million, with other investors including Ru-Net, American Express and RB Investments.

The deal pairs together a startup that has held a lot of promise but has also been through several rebrands and pivots in search of a viable business model, with an e-commerce leviathan that has already invested billions of dollars into India but is looking for a way of expanding its reach beyond its own marketplace.

Tapzo has attempted to address a particular niche in the Indian market: Smartphone usage has taken off in India, with many using mobile handsets as their primary “computer” for getting online. That creates an opportunity for companies looking to connect with customers, but also a challenge: there is a lot of app churn, and an added pressure on publishers to provide lasting value to consumers whose devices might be space-constrained and wallets cash-constrained to use and pay for anything but the most top-priority data services.

“One of the worst-kept secrets of the mobile app industry is that almost all apps (except for the top 5-8 apps) see 60-80 percent uninstall rate within 90 days of users installing the app,” Singla wrote in a blog post when explaining the challenge in the market. “India probably has the highest uninstall rate in the world, so when an app says it has 20 million installs, you can do your math.”

Enter Tapzo: the idea is that by loading the Tapzo app with multiple services, it makes the whole app much more valuable to users, and having all the services existing within one app also means that users of Tapzo do not need to dedicate as much space to multiple apps that could be more likely to get uninstalled on their own.

That formula appears to have hit the right note in the market: Tapzo claims to have over 5 million users across some 100 cities in India turning to Tapzo to connect with more than 40 different services. It says that to date it’s enabled over 25 million transactions.

But Tapzo’s success has not come quickly nor smoothly. The company has been through a number of pivots and rebrands since 2010, starting first as Akosha, a platform for businesses to communicate with customers; then becoming Helpchat, a personal assistant and chatbot; and lastly its most recent pivot to Tapzo. (And the company owning all three of these has yet a different name, Coraza Technologies.) VC Circle earlier this year reported that Coraza’s last round in January this year was a down round, from a peak valuation of about $85 million in 2016.

Tapzo in its latest incarnation potentially plays directly into Amazon’s strategy to build out its presence in India by way of Amazon Pay, Amazon’s payment processing service that competes against the likes of Google Pay, PayPal and the rest.

Tapzo and Amazon Pay had already been working together on promotional efforts: to encourage more people to integrate and use Amazon Pay for transactions on Tapzo, the two have run multiple promotions where users could get money back and discounts on a wide range of services you can access through Tapzo.

A closer relationship by way of acquisition could not only see Amazon Pay becoming a (the only?) default payment option, but it could give Amazon the chance to use the app to promote its own network of services and merchants, whether it’s for restaurant delivery or for a deal on a new mixing bowl to cook it yourself — a twist on the company’s classic marketplace model.

Amazon could also use it as a loyalty and points service: book your next Ola car through Tapzo, pay for it with Amazon Pay, and get money towards your next purchase on Amazon.in. That could be one way of fulfilling Amazon’s goal “to make digital payments by improving the customer experience, affordability and daily routines,” with Amazon getting a cut on those payments.

We’ll update this post as we learn more.

31 Aug 2018

California lawmakers are one step closer to bringing back Obama-era net neutrality protections

California’s state Assembly voted 58-17 on Thursday to advance a bill, called S.B. 822, that would implement the strongest net neutrality provisions in the U.S.

The bill now heads back to the Senate for final approval. If a vote is not held by end of day tomorrow — the deadline for lawmakers to pass any legislation until 2019 — it won’t get the official green, or red, light until next year.

The bill, written by Democratic Senator Scott Wiener, would not only bring back Obama-era net neutrality rules ousted by the FCC in December, but go a step further, adding new protections for internet users. The bill prohibits internet service providers from blocking or throttling lawful content, apps, services or non-harmful devices. Plus, it bans paid prioritization, the practice of directly or indirectly favoring some traffic over other traffic in exchange for money, typically.

Here’s where it goes above and beyond the policy developed under the Obama administration: The bill also bans zero rating, which allows service providers to charge customers for data use on some websites but not on others. If you want to dive deeper into the nitty-gritty, take a look at the bill here.

The decision is a blow to Comcast and AT&T, for obvious reasons. They’ve been advocates for ending net neutrality and had lobbied aggressively against the bill. Net neutrality lobbying groups, on the other hand, are pleased with the results.

“No one wants their cable or phone company to control what they see and do on the internet,” said Evan Greer, deputy director of Fight for the Future, a nonprofit advocacy group for digital rights, in a statement. “California just took a huge step toward restoring protections that prevent companies like AT&T and Comcast from screwing us all over more than they already do.”

“This historic Assembly vote is a testament to the power of the internet. Big ISPs spent millions on campaign contributions, lobbyists and dark ads on social networks, but in the end, it was no match for the passion and dedication of net neutrality supporters using the internet to sound the alarm and mobilize.”

In December, the FCC voted to kill Obama-era net neutrality regulations developed in 2015 to keep the internet open and fair. The organization is led by Ajit Pai, a Republican appointed to the role by President Donald Trump.

The decision from California’s Assembly comes a day after Northern California congressional members asked that the FTC investigate Verizon’s throttling of the Santa Clara County Fire Department, which had reportedly exceeded their monthly allotment of 25 gigabytes when they were making calls and handling personnel issues amid fighting a massive wildfire.

30 Aug 2018

Enveritas’ technology lets small growers tap into the market for sustainable coffee

Demand for sustainable coffee is growing, a boon for socially conscious coffee lovers — but many small growers are missing out because they lack the ability to verify that their coffee beans are grown using fair labor and eco-friendly practices. In fact, verification is often accessible only to large coffee estates or cooperatives. Enveritas wants to change that. The nonprofit, which recently completed Y Combinator’s accelerator program, uses geospatial analysis to make the process more efficient, enabling it to offer free verification to small farms.

Enveritas’ goal is to end poverty in the coffee sector by 2030. Before founding Enveritas in 2016, CEO David Browning and head of operations Carl Cervone worked at TechnoServe, a nonprofit that serves businesses in developing economies. Browning led TechnoServe’s global coffee practice, while Cervone advised coffee growers in Africa, Asia and Latin America about sustainability trends.

Browning tells TechCrunch that TechnoServe’s coffee team spent a lot of time working with small farmers, many of whom don’t have access to sustainability verification because their farms are too remote or small. The typical coffee grower served by Enveritas has less than two hectares of land, lives on less than $2 a day and relies on cash crops for their family’s income.

“The existing solutions work well for large estates and it can also be effective for farmers organized into cooperatives, but many of the world’s coffee farmers are smaller farmers and not organized into estates,” Browning explains. “For those farmers, the existing solutions can be more difficult to access.”

Part of the reason is that many verification solutions rely on field workers who visit farms and track sustainability standards using pen and paper, a time-consuming and costly process.

To develop a more efficient and scalable system, Enveritas uses geospatial analysis and machine learning to identify coffee farms through satellite imagery and monitor for issues like deforestation. Though it still relies on local partners to visit farms and confirm that sustainability standards are being followed, its technology enables Enveritas to provide verification services for free.

Enveritas checks for 30 standards, which it divides into three categories: social, environmental and economic. “Social” includes no child labor and workers’ rights; “environmental” checks for problems like deforestation, pollution or banned pesticides; and “economic” covers fair wages, ethical business practices and transparent pricing, among other standards.

The organization currently operates in 10 countries, including Uganda, Indonesia, Ethiopia, Nicaragua and Costa Rica, with plans to expand into more markets.

Sustainable coffee isn’t just in demand by caffeine lovers with a penchant for social justice. Many of the world’s biggest coffee companies, including Illy and Starbucks, have launched sustainability initiatives as part of their corporate responsibility measures. Offering coffee grown using fair labor or environmentally friendly practices also helps differentiate their products in a crowded marketplace. Research by the National Coffee Association, an American trade group, recently found that many millennials prefer sustainable coffee, with up to two-thirds of 19 to 24-year-olds surveyed saying they pick their coffee based on whether it was grown using environmentally friendly practices and fair labor.

While coffee is currently its main focus, Browning says Enveritas’ system can be applied to other agricultural products that need more visibility in their supply chains. For example, it also can be used to verify the sustainability of cocoa, cotton and palm oil.

As a nonprofit, Enveritas faces different funding challenges from other tech startups. Browning says it is currently at the equivalent of being ready for a Series A. Much of its backing comes from coffee companies (Enveritas can’t disclose which ones) that hope to benefit from Enveritas’ solutions.

“One of the advantages of this system is that it reduces the cost for coffee companies relative to the traditional pen and paper system, but it’s also simultaneously free for farmers,” Browning says. “That’s one of the most compelling innovations, so it’s a win-win for both.”

30 Aug 2018

Weebly brings more e-commerce features to mobile

Weebly is part of Square now, but it continues to update as a standalone product. This week, for example, the company announced a number of new e-commerce features for the Weebly mobile app.

Those features include the ability to ship and print labels, to respond to customer questions (via Facebook Messenger, which can be embedded on Weebly sites), to approve customer reviews, to create branded coupon codes and to edit every aspect of your store, including product listing and pricing — all from the app.

Much of this functionality already existed on desktop, so the announcement is about moving these capabilities onto smartphones. In a blog post, the company outlined a vision for the mobile phone to become “the new back office.”

Weebly CEO David Rusenko told me that as his team has been adding more features for merchants, he wants people to think of Weebly “increasingly as an e-commerce platform,” not just a simple website builder. And support for mobile was an important part of that.

“This is what our customers were requesting,” Rusenko said. “Basically, people are taking their entrepreneurial lifestyle and having the freedom to work on things wherever you are.”

And apparently mobile usage is already up significantly, with a 75 percent increase over the past year in customers using the Weebly mobile app to manage orders, as well as a 120 percent increase in mobile usage to manage product listings.

30 Aug 2018

John McAfee’s ‘unhackable’ Bitfi wallet got hacked — again

If the security community could tell you just one thing, it’s that “nothing is unhackable.” Except John McAfee’s cryptocurrency wallet, which was only unhackable until it wasn’t — twice.

Security researchers have now developed a second attack, which they say can obtain all the stored funds from an unmodified Bitfi wallet. The Android-powered $120 wallet relies on a user-generated secret phrase and a “salt” value — like a phone number — to cryptographically scramble the secret phrase. The idea is that the two unique values ensure that your funds remain secure.

But the researchers say that the secret phrase and salt can be extracted, allowing private keys to be generated and the funds stolen.

Using this “cold boot attack,” it’s possible to steal funds even when a Bitfi wallet is switched off. There’s a video below.

The researchers, Saleem Rashid and Ryan Castellucci, uncovered and built the exploits as part of a team of several security researchers calling themselves “THCMKACGASSCO” (after their initials). The two researchers shared them with TechCrunch prior to its release. In the video, Rashid is shown setting a secret phrase and salt, and running a local exploit to extract the keys from the device.

Rashid told TechCrunch that the keys are stored in the memory longer than Bitfi claims, allowing their combined exploits to run code on the hardware without erasing the memory. From there, an attacker can extract the memory and find the keys. The exploit takes less than two minutes to run, Rashid said.

“This attack is both reliable and practical, requiring no specialist hardware,” said Andrew Tierney, a security researcher with Pen Test Partners, who verified the attack.

Tierney was one of the hackers behind the first Bitfi attack. The McAfee-backed company offered a $250,000 bounty for anyone who could carry out what its makers consider a “successful attack.” But Bitfi declined to pay out, arguing that the hack was outside the scope of the bounty, and instead resorted to posting threats on Twitter.

This new attack, Tierney says, “meets the requirements of the bounty in spirit, even if it does not meet the specific terms that Bitfi have set.”

McAfee earlier this month said, “the wallet is hacked when someone gets the coins.”

Bill Powel, vice president of operations at Bitfi, told TechCrunch in an email that the company defines a hack “as anything that would allow an attacker to access funds held by the wallet.”

“Because the device does not store private keys, that is what prompted the unhackable claim,” he said.

When pressed, Powel did not address the specific claims of the cold boot attack. McAfee, who was copied on the email to Bitfi, did not respond.

Within an hour of the researchers posting the video, Bitfi said in a tweeted statement that it has “hired an experienced security manager, who is confirming vulnerabilities that have been identified by researchers.”

“Effective immediately, we are closing the current bounty programs which have caused understandable anger and frustration among researchers,” it added.

The statement also said it will no longer use the “unhackable” claim on its website.

Rashid said he has no immediate plans to release the exploit code so as to prevent the estimated few thousand Bitfi users from being put at risk.

Just last month, Bitfi won the Pwnie Award for Lamest Vendor Response, a traditional award given out at the Black Hat conference for companies that react the worst in response to security issues.