Posts tagged Consumer Champion
Watchdog Wednesdays continues on BBC Three and in this week’s film I investigate how easily a criminal can hack a public Wi-Fi hotspot and compromise its users’ personal information.
Coffee shops, high streets and hotels increasingly offer free public Wi-Fi so visitors can sync up while they eat, shop or stay. However, as I’ve reported on before, Wi-Fi hotspots are easy to spoof, are frequently unsecured, and even when there is a password there is still no guarantee of safety.
Hacking the Hotspot
So, in a controlled experiment at a central London coffee shop, I set out to see what the hackers see. What I saw when the Watchdog cameras began rolling surprised even me:
— BBC Three (@bbcthree) April 20, 2016
With very little investment in time or equipment I learnt how to intercept traffic sent between users’ devices laptops, smartphones, tablets and the internet.
Just to be clear – I am not a hacker, I’m a journalist, but picking up the basics was worryingly easy.
The Man in the Middle
My attack (known as a ‘Man in the Middle‘ attack by ARP poisoning) targeted only a single device operated by a member of the BBC crew. It could equally have targeted a number of devices, perhaps all logged in to the Wi-Fi hotspot.
I found unencrypted traffic easily visible, plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker — and webpage images appeared on my hacktop just as they did on the victim’s machine. I was even able to work around some (but not all) websites’ attempts to enforce HTTPS security.
plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker
I was shocked that supposedly secure websites such as John Lewis, ebay and Amazon were vulnerable to this basic attack on an iPad, along with email accounts that didn’t have SSL security enabled. Facebook and Twitter didn’t fall for the hack.
Are we really aware of how easy it is for data we send over the airwaves to be intercepted by a silent criminal? I suspect not. This is a perfect crime where victims are unaware that their details have been compromised until the criminal executes his hack hours, days or weeks later when emails get intercepted, accounts get hijacked and funds go missing.
There’s nothing here that’s difficult to get hold of:
- Sony Vaio laptop
- External USB antenna
- Kali Linux operating system
- Tools including Wireshark, sslstrip, ettercap, driftnet
I should add that none of the software used here was illegal; Kali Linux and its bundled utilities are open source, promoted as ‘penetration testing and ethical hacking’ software and is used by security professionals to ensure their corporate networks and public websites remain secure to hackers. Of course, the very same software may also be used by hackers for malicious means. And then, of course, there is YouTube – there’s any number of tutorials here to help you get to grips with the tools and utilities mentioned above.
Stay Safe on Public Wi-Fi Hotspots
So there’s the scare story. But what can you do stay safe when on public WiFi?
- For light browsing I prefer to bring my own network and tether from my smartphone or Mi-Fi, but my data plan is generous (and yes, expensive) to allow for that; if cellular reception is poor it’s painfully slow or impossible.
- A VPN, or Virtual Private Network, is my next security measure – this creates a secure ‘tunnel’ between my laptop, tablet or smartphone and a server elsewhere on the internet into which a fraudster cannot eavesdrop. These can be free, fairly cheap or you can even build your own.
- If all else fails I make sure that websites I exchange data with support safe browsing, denoted by HTTPS and the green padlock (but beware that tools like ‘sslstrip’ can subvert this). I do not ignore errors from the web browser which talk about invalid certificates, even if I don’t understand exactly what they mean – I can visit those websites later when I’m on a secure connection.
How secure are apps? How do you know whether they’re secure if there’s no green padlock or HTTPS visible in an address bar? In my testing I found some apps that are blatantly not secure broadcasting personal details, but I’ll be exploring this in more detail very soon.
Watchdog Wednesdays, a spin-off from the popular BBC1 investigative consumer affairs show, has launched on BBC Three and I’m excited to be fronting its films about online hacks and scams.
My first film, a re-version of an item which aired in Watchdog in October, sees me and LBC’s James O’Brien shed light on a scam known to many as the ‘Microsoft Support Scam’, eventually catching the crooks red-handed.
A three-minute short can only tell so much of the story, so for the many who’ve gotten in touch here’s the technical bit:
On an Apple MacBook running virtual machine software I performed a fresh install of Microsoft Windows 7, loaded anti-malware software, and seeded files in my Users folder and desktop to make it look like a well-used PC. On the host Mac I ran screen recording software, an X server and the Wireshark packet sniffing software to help identify where the scammers were connecting from (alas, we didn’t get to cover the last bit in the film). My final tool was a web browser with some simple who.is tools, and an hour or so raking through some ‘who called me’ forums to find some leads.
Make no mistake, hoverboards have been the hot technology of 2015.
Fuelled by Back to the Future fever and celebrity spots with Jamie Foxx, Justin Bieber et al, self-balancing scooters (to give them their proper name) have proven so popular with the public that online auction site eBay reported sales of one every twelve seconds earlier in December.
On Thursday I joined the ITV Good Morning Britain team to talk through the hoverboard phenomenon and the growing safety concerns that have led retailers around the world to stop selling and start refunding.
Negotiating an obstacle course on a hoverboard in windy conditions while answering Ben Shephard’s questions live on national television? No sweat!
There are two powerful safety angles to this story:
First up, hoverboards are heavy, powerful vehicles requiring skill, balance and practice to master. Unlike a Segway – considered the hoverboard’s forebear by many – there are no handlebars here, it’s just a motorised sideways skateboard.
Like the Segway, however, it is illegal to ride hoverboards on public streets and pavements in the UK. When the Crown Prosecution Service issued a statement reinforcing this guidance in October some argued the law (derived from the Highway Act of 1835 in England and Wales) was overbearing and heavy-handed. Then, last week, a 15 year-old lost control and was killed, run over by a London bus after losing balance on a hoverboard.
The other safety angle is the construction of the boards themselves. Leaping aboard the lucrative coat-tails of the hoverboard craze far-east manufacturers have mass produced hoverboards to lower price points with inevitable corner-cutting. Sadly, these short-cuts have been potentially lethal, with basic safety standards and common sense all but ignored. The main flashpoint has been the electronics.
One problem is that lithium-ion batteries used are notoriously unstable unless properly shielded. Major airlines are refusing to carry hoverboards in hold or checked luggage for risk of the batteries catching fire mid-flight. The other problem is that to keep costs low manufacturers are choosing to ship hoverboards with inferior quality poorly-shielded batteries, without thermal cutout circuitry or fuses in their plugs. Outcomes have included spontaneous explosions and fires and have been well-documented in various social media and the mainstream press. National Trading Standards claims to have examined thousands of self-balancing scooters at UK borders since October, with 88% (15,000) assessed to be unsafe and detained.
Eager to avoid a PR horror story major retailers have been quick to ground hoverboards, pulling stock from shelves and issuing health and safety advisories faster than you can say Great Scott. Amazon has been issuing automated refunds to customers and advising to dispose of hoverboards in WEEE approved sites.
“Hello, this is Mark, I’m calling from the Windows Technical Department. We have identified a problem with your computer…”
Have you ever received a phone call that begins like this? I have, too many times to count. The so-called ‘Microsoft Tech Support Scam’ is almost as old as the internet itself but, like a nasty virus, it refuses to go away. I’ve just filmed an investigation for the new series of BBC Watchdog to highlight the how the scam works and catch the fraudsters red-handed.
Despite being plagued by these calls, I am fortunate; I know that they are almost certainly from scammers intent on stealing my money, personal details or identity. However, thousands of people do fall victim to this fraud every year with many hundreds of thousands of pounds reported stolen in the UK alone.
According to the National Fraud Intelligence Bureau (NFIB) the average victim of ‘Computer Software Service Fraud’ will be 59 years old and £210 worse off as a result of the crime, although some report losses of up to £6,000. As with many nuisance calls these criminals work on volume, and for every one hundred calls they make, if only one is successful then it will have been worthwhile.
In the past legal action against the perpetrators has proved difficult (although there have been some successes) but by showing Watchdog viewers what to look out for we hoped to raise awareness and reduce the number of victims.
We decided the best way to do this was to capture the scam in action for the cameras — a first for UK television, we think, and no mean feat given how difficult it is to track down the fraudsters. What happened next was quite intense…
You can watch the full report here.
Watchdog Scams the Tech Support Scammers broadcasts on BBC1 at 7.30pm on Thursday 29th October 2015.
Of all the high-profile hacks and leaks of 2015 the TalkTalk Data Breach in October may prove to be one of the most significant yet, potentially impacting all four million of its UK customers.
While details of the breach are still emerging the leaked data appears to include unencrypted names, addresses, email addresses, bank account/credit card information, customer account numbers and more.
The ‘significant and sustained’ cyberattack, likely using a DDOS (distributed denial of service) attack as a smokescreen for their chosen method of entry and extraction, shows the hallmarks of highly-organised cybercrime.
Sadly, this isn’t the first time that the UK telco’s customers have had their personal details sneaked out of the back door. Data leaks in November 2014 and August 2015 exposed information that has been used to successfully defraud customers of thousands of pounds with phishing and vishing attacks.
- Treat incoming telephone calls purporting to be from a service provider – TalkTalk or otherwise – as potentially toxic. Regardless of any account number or information quoted, or the telephone number called from (Call Line IDs are easy to spoof), in my opinion phishing and vishing fraud is now so common that incoming calls are impossible to trust. A reputable/genuine caller will quite understand any concerns and give you an option to call back on a verified number found on your (for example) bank statement or the firm’s main website (not a link they send). However, make sure you call back from another number (maybe a mobile if you have one – but check call charges) or ensure your landline has been cleared first (wait 5 minutes or call a friend first).
- Check your bank statements, credit card bills and any online payment service accounts (eg Paypal). If there are any transactions you don’t recognise, no matter how small, query them. And then keep checking them – this is good practice anyway.
- Check and change your passwords, particularly if you use the same password as your TalkTalk account across any other accounts? Email, social network, PayPal, auction sites etc?
TalkTalk has a dedicated page to keep those concerned updated with the latest news and advice on the data breach: http://help2.talktalk.co.uk/oct22incident
BBC Rip Off Britain LIVE returns for a second year to The One Show studios in Central London, and once again I will be on-hand to answer more viewers’ consumer technology questions. Last year I spoke about contactless payments and passwords – this year it’s online gaming.
In the first show of the week-long series I’m due to talk about how online gamers are increasingly being targeted by ‘bounty hunters’ eager to hijack their account to gain access to their games, achievements or even their credit card details (bear in mind that the show is live so anything could happen instead…!).
In a plot that quickly begins to sound like a video game in its own right, the fraudsters use a variety of tactics to trick high-value gamers into revealing their login details so that their gaming accounts and virtual identities can be stolen and sold on for real cash.
Earlier in the series Rip Off Britain spoke with two disgruntled gamers whose Sony Playstation accounts had apparently been hijacked, but other gaming platforms can be hot targets too. With over 4,500 games and 125 million gamers, PC gaming platform Steam is one of the largest gaming networks around and, inevitably, it is also a target for scammers.
Despite a well-publicised security flaw identified in July 2015 Steam generally has a sound reputation for security of its users’ data. However, this hasn’t stopped gamers from having their accounts compromised — in fact, the majority of fraud appears to be as a result of phishing and social engineering rather than any hacks of either Steam’s or its users’s systems.Posts like this on gamebanana go into some detail on the social engineering methods that scammers have successfully used to hijack accounts. It describes how scammers have used in-game instant messaging to pose as Steam administrators warning (ironically) that their account has been hacked and needs to be regenerated.
The post may be several years old, but sadly the same tactics are still in use. More recent scams may attempt to install malware onto your PC or into your browser, but they all involve convincing you to click a link or reveal your account information. Here’s another incredibly useful post that shows some scams in action, along with how to spot a Steam scam.
Steam Community: Avoiding Common Scams:
Vigilance, it seems, is the best defence, along with basic awareness of the tactics employed by the scammers.
But if you find yourself a victim of Steam account jacking then help is at hand – in fact, Steam has a special form to help recover stolen and hijacked accounts:
Recovering a Stolen or Hijacked Steam Account:
However, Valve bosses do acknowledge that Steam’s current customer service is far from good enough, with support tickets seemingly going unanswered or ignored, but it is working hard to remedy it.
Valve Explains Why Steam Customer Service Is Still Terrible:
Questions will inevitably be asked whether Valve, the parent company behind Steam, is active enough in trying to prevent this kind of fraud. In response Steam is currently introducing a two-factor authentication mechanism, Steam Guard Mobile Authenticator, which in theory should reduce some fraud.
Rip Off Britain LIVE airs on BBC1 from 9.15 until 10am from Monday 19th to Friday 23rd October 2015.
A new series of Rip Off Britain begins on BBC1 today, Monday 14th September, from 9.15 to 10.00am.
The popular consumer affairs show starring Angela Rippon, Gloria Hunniford and Julia Somerville is now in its seventh series of helping viewers tackle rip offs and scams. I’m delighted to have been involved for the last four as a digital consumer champion across everything from cybersecurity and nuisance calls to mobile roaming and online safety.
For one film this season I took a detailed look at how safe we are when using the Public Wi-Fi hotspots increasingly found in coffee shops, airports and hotels. Even I was staggered at just how much information hackers can see on wireless networks with relatively little equipment or, frankly, expertise. This information can include unencrypted usernames, passwords and other sensitive details that can easily be used to execute identity fraud or phishing attacks.
This ‘digital eavesdropping’ might be the perfect crime, with coffee shop surfers quite unaware of a fraudster syphoning off valuable personal data on an adjacent table. The first they might realise something is amiss is when they get locked out of their social networking accounts or their email inexplicably starts spamming their address book.
During research for the show I uncovered some shocking security holes from well-known online and high-street retailers who really should know better. I also discovered how I wasn’t immune to sharing sensitive and valuable data by accident too.
Rip Off Britain airs every weekday on BBC1 for four weeks from Monday 14th September at 9.15am; see here for episode information and iPlayer links to watch on demand.
Yes, it’s official: dashcams are now a thing.
Famously popular in Russia, these windscreen-mounted cameras have enjoyed an impressive boost here in the UK too with analysts GfK saying dashcam sales figures have skyrocketed by 918% in the last year alone.
What’s more, with so-called ‘crash for cash‘ and ‘flash for cash’ scams on the increase (not to mention malicious car-keying incidents) UK insurance companies are now beginning to offer substantial discounts to dashcam owners.
Writing a piece in The Metro newspaper last Friday I went hands-on and researched a glovebox full of dashcams from a variety of manufacturers. Eventually I whittled them down to my top three, highlighting a budget, mid-range and feature-packed high-end device.
I’m no sooth-sayer but I do predict dashcams will feature in many Christmas wishlists this year; I also expect to see dashcam features integrated into many new high-end and mid-range cars before too long; and that we will see dashcams being given out for free by insurance companies to entice new customers.