In the wake of the VTech hack I answer ITV Good Morning Britain viewers’ concerns on the safety of their kids’ personal details.
Another week, another high-profile online hack.
In August 2015 the Ashley Madison scandal climbed the mainstream news agenda based largely on how the outed data transcended the all-too-commonplace bank details and password leaks.
The breach of tech-toy manufacturer VTech’s data last week has achieved a similar degree of infamy: six million sets of children’s personal details – including photos and chat transcripts – were swiped with apparent ease.
It’s of scant consolation that the hacker chose to share the story (and data) with a journalist rather than the denizens of the dark web: the Hong Kong firm hadn’t a clue that its online defences had even been breached until the journalist contacted them, begging the question of whether VTech’s website has been breached before? Nobody, not even VTech, can be sure.
The very nature of the VTech hack is disappointing but, if there is a positive, also a cautionary tale for remainder of the online industry.
‘SQL injection’ attacks are the oldest in the book, literally child’s play to execute, with plug-and-play exploitation toolkits and tutorials freely available online.
Like TalkTalk before it, VTech should have known better. As well as poorly-secured passwords (hashed with fatally insecure MD5 but not salted, therefore crackable with little more than a Google search) were plain-text secret questions and non-existent SSL security, all of which indicates a business quite simply not taking seriously its duty of care with users’ most sensitive data.
That in 2015 high-profile online services are still open to rudimentary exploitation signifies – to me at least – a distinct immaturity of the web as a whole. If any good comes of this attack it will be the wake-up call to other service providers to get real with their online security.
While VTech might make it through the immediate blip in its seasonal sales, time will tell whether it can survive the longer reputational damage. I hope so: as a parent I’ve found VTech’s tech toys to be among the best in class. I just hope it now takes less of a toy-town approach to its online services and its users’ data.
In the same Good Morning Britain episode I also talked viewers through how to enable parental restrictions, controls and security measures for other Christmas gadgets – the full story is available on the ITV website.
October is National Home Security Month, the last week of which is Smart Home Security Week. Writing once again for The Metro newspaper I revealed six app-connected cameras for your connected home that give you piece of mind and, if necessary, help to catch crooks red-handed.
Amongst those I reviewed were flyaway Kickstarter success story Canary, home security heavyweight Piper nv and the innovative app-only Manything, which helps you to put to old smartphones to good use.
“Hello, this is Mark, I’m calling from the Windows Technical Department. We have identified a problem with your computer…”
Have you ever received a phone call that begins like this? I have, too many times to count. The so-called ‘Microsoft Tech Support Scam’ is almost as old as the internet itself but, like a nasty virus, it refuses to go away. I’ve just filmed an investigation for the new series of BBC Watchdog to highlight the how the scam works and catch the fraudsters red-handed.
Despite being plagued by these calls, I am fortunate; I know that they are almost certainly from scammers intent on stealing my money, personal details or identity. However, thousands of people do fall victim to this fraud every year with many hundreds of thousands of pounds reported stolen in the UK alone.
According to the National Fraud Intelligence Bureau (NFIB) the average victim of ‘Computer Software Service Fraud’ will be 59 years old and £210 worse off as a result of the crime, although some report losses of up to £6,000. As with many nuisance calls these criminals work on volume, and for every one hundred calls they make, if only one is successful then it will have been worthwhile.
In the past legal action against the perpetrators has proved difficult (although there have been some successes) but by showing Watchdog viewers what to look out for we hoped to raise awareness and reduce the number of victims.
We decided the best way to do this was to capture the scam in action for the cameras — a first for UK television, we think, and no mean feat given how difficult it is to track down the fraudsters. What happened next was quite intense…
You can watch the full report here.
Watchdog Scams the Tech Support Scammers broadcasts on BBC1 at 7.30pm on Thursday 29th October 2015.
Of all the high-profile hacks and leaks of 2015 the TalkTalk Data Breach in October may prove to be one of the most significant yet, potentially impacting all four million of its UK customers.
While details of the breach are still emerging the leaked data appears to include unencrypted names, addresses, email addresses, bank account/credit card information, customer account numbers and more.
The ‘significant and sustained’ cyberattack, likely using a DDOS (distributed denial of service) attack as a smokescreen for their chosen method of entry and extraction, shows the hallmarks of highly-organised cybercrime.
Sadly, this isn’t the first time that the UK telco’s customers have had their personal details sneaked out of the back door. Data leaks in November 2014 and August 2015 exposed information that has been used to successfully defraud customers of thousands of pounds with phishing and vishing attacks.
- Treat incoming telephone calls purporting to be from a service provider – TalkTalk or otherwise – as potentially toxic. Regardless of any account number or information quoted, or the telephone number called from (Call Line IDs are easy to spoof), in my opinion phishing and vishing fraud is now so common that incoming calls are impossible to trust. A reputable/genuine caller will quite understand any concerns and give you an option to call back on a verified number found on your (for example) bank statement or the firm’s main website (not a link they send). However, make sure you call back from another number (maybe a mobile if you have one – but check call charges) or ensure your landline has been cleared first (wait 5 minutes or call a friend first).
- Check your bank statements, credit card bills and any online payment service accounts (eg Paypal). If there are any transactions you don’t recognise, no matter how small, query them. And then keep checking them – this is good practice anyway.
- Check and change your passwords, particularly if you use the same password as your TalkTalk account across any other accounts? Email, social network, PayPal, auction sites etc?
TalkTalk has a dedicated page to keep those concerned updated with the latest news and advice on the data breach: http://help2.talktalk.co.uk/oct22incident
BBC Rip Off Britain LIVE returns for a second year to The One Show studios in Central London, and once again I will be on-hand to answer more viewers’ consumer technology questions. Last year I spoke about contactless payments and passwords – this year it’s online gaming.
In the first show of the week-long series I’m due to talk about how online gamers are increasingly being targeted by ‘bounty hunters’ eager to hijack their account to gain access to their games, achievements or even their credit card details (bear in mind that the show is live so anything could happen instead…!).
In a plot that quickly begins to sound like a video game in its own right, the fraudsters use a variety of tactics to trick high-value gamers into revealing their login details so that their gaming accounts and virtual identities can be stolen and sold on for real cash.
Earlier in the series Rip Off Britain spoke with two disgruntled gamers whose Sony Playstation accounts had apparently been hijacked, but other gaming platforms can be hot targets too. With over 4,500 games and 125 million gamers, PC gaming platform Steam is one of the largest gaming networks around and, inevitably, it is also a target for scammers.
Despite a well-publicised security flaw identified in July 2015 Steam generally has a sound reputation for security of its users’ data. However, this hasn’t stopped gamers from having their accounts compromised — in fact, the majority of fraud appears to be as a result of phishing and social engineering rather than any hacks of either Steam’s or its users’s systems.Posts like this on gamebanana go into some detail on the social engineering methods that scammers have successfully used to hijack accounts. It describes how scammers have used in-game instant messaging to pose as Steam administrators warning (ironically) that their account has been hacked and needs to be regenerated.
The post may be several years old, but sadly the same tactics are still in use. More recent scams may attempt to install malware onto your PC or into your browser, but they all involve convincing you to click a link or reveal your account information. Here’s another incredibly useful post that shows some scams in action, along with how to spot a Steam scam.
Steam Community: Avoiding Common Scams:
Vigilance, it seems, is the best defence, along with basic awareness of the tactics employed by the scammers.
But if you find yourself a victim of Steam account jacking then help is at hand – in fact, Steam has a special form to help recover stolen and hijacked accounts:
Recovering a Stolen or Hijacked Steam Account:
However, Valve bosses do acknowledge that Steam’s current customer service is far from good enough, with support tickets seemingly going unanswered or ignored, but it is working hard to remedy it.
Valve Explains Why Steam Customer Service Is Still Terrible:
Questions will inevitably be asked whether Valve, the parent company behind Steam, is active enough in trying to prevent this kind of fraud. In response Steam is currently introducing a two-factor authentication mechanism, Steam Guard Mobile Authenticator, which in theory should reduce some fraud.
Rip Off Britain LIVE airs on BBC1 from 9.15 until 10am from Monday 19th to Friday 23rd October 2015.
September is one of the busiest periods in the technology calendar as manufacturers race to announce and release the consumer products they hope will make their Christmas a happy one.
Not only a great time of year to be working in technology but a great time to be reporting on it too. Over the last few weeks I’ve joined the technology desk at International Business Times UK to report on breaking news from Apple, Samsung, Sony and more.
Alongside announcements of new smartphones, tablets and watches I wrote about topics as diverse as Virtual Reality video and fallen enterprise mobile player Blackberry and its attempts to remain relevant.
However, I want to share a couple of video stories here. First up is my bite-sized take on the major announcements at IFA 2015:
New smartphone announcements by Apple are a highlight for many tech-watchers but, frankly, they do go on a bit. I produced an extremely cut-down version of the Apple press conference revealing everything you need to know in roughly three minutes - saving you about an hour and forty minutes of your life.
A new series of Rip Off Britain begins on BBC1 today, Monday 14th September, from 9.15 to 10.00am.
The popular consumer affairs show starring Angela Rippon, Gloria Hunniford and Julia Somerville is now in its seventh series of helping viewers tackle rip offs and scams. I’m delighted to have been involved for the last four as a digital consumer champion across everything from cybersecurity and nuisance calls to mobile roaming and online safety.
For one film this season I took a detailed look at how safe we are when using the Public Wi-Fi hotspots increasingly found in coffee shops, airports and hotels. Even I was staggered at just how much information hackers can see on wireless networks with relatively little equipment or, frankly, expertise. This information can include unencrypted usernames, passwords and other sensitive details that can easily be used to execute identity fraud or phishing attacks.
This ‘digital eavesdropping’ might be the perfect crime, with coffee shop surfers quite unaware of a fraudster syphoning off valuable personal data on an adjacent table. The first they might realise something is amiss is when they get locked out of their social networking accounts or their email inexplicably starts spamming their address book.
During research for the show I uncovered some shocking security holes from well-known online and high-street retailers who really should know better. I also discovered how I wasn’t immune to sharing sensitive and valuable data by accident too.
Rip Off Britain airs every weekday on BBC1 for four weeks from Monday 14th September at 9.15am; see here for episode information and iPlayer links to watch on demand.
Yup, it’s official: dashcams are now a thing.
Famously popular in Russia, these windscreen-mounted cameras have enjoyed an impressive boost here in the UK too, with analysts GfK saying dashcam sales figures have skyrocketed by 918% in the last year alone.
What’s more, with so-called ‘crash for cash‘ and ‘flash for cash’ scams on the increase (not to mention malicious car-keying incidents) UK insurance companies are now beginning to offer substantial discounts to dashcam owners.
Writing a piece in The Metro newspaper last Friday I went hands-on and researched a glovebox full of dashcams from a variety of manufacturers. Eventually I whittled them down to my top three, highlighting a budget, mid-range and feature-packed high-end device.
I’m no sooth-sayer but I do predict dashcams will feature in many Christmas wishlists this year; I also expect to see dashcam features integrated into many new high-end and mid-range cars before too long; and that we will see dashcams being given out for free by insurance companies to entice new customers.