Posts tagged Cyber Security
The weekly podcast takes a lighter look at the serious business of cyber security, and I appear to have been pigeon-holed as the show’s resident cyber-sex reporter. Oh well.
In last week’s episode I reported on AgeID, the latest attempt by a leading adult-content outlet to adhere to the UK’s upcoming age verification legislation which seeks to protect under-18s from accessing explicit online material.
We’ve never had so many people download an episode of the “Smashing Security” podcast as quickly as our latest one:
“Hijacked homes, porn passports, and ransomware regret”
— Graham Cluley (@gcluley) March 19, 2019
Clearly, there are a lot of challenges with this piece of law – practically, technically and morally – which is why the UK government has struggled with guidance and deadlines. At the time of writing, we’re still no clearer when the go-live date will be or how effective any block may prove.
Also in the episode we ask when it makes sense to pay off that ransomware fee, and uncover the ‘$150 million mansion hijack’.
Tap here to catch the full episode, or find it in your favourite podcast player.
I was back in the BBC Watchdog studio last night for an item on how Nectar card fraud has been leaving some viewers with a decidedly sour taste in their mouths.
Reports of fraudsters targeting the Nectar loyalty scheme aren’t new, but a recent spate of activity has brought it back to the top of the Watchdog mailbag.
Nectar began rewarding shoppers in 2002, and now around 20 million members collect and spend points at a variety of high-street and online retailers. In February this year, Nectar was bought by supermarket chain Sainsbury’s, which now also owns catalogue chain Argos.
In the fraud, Nectar points are redeemed – often in high street stores – to buy goods. The first victims know is when they try to spend their Nectar balance and find instead that their account is empty. So prolific are the fraudsters that, in some cases, victims have even found they‘be been left with a negative balance.
There are some patterns to the fraud:
- Victims are adamant that their physical Nectar card – which is required to redeem points for goods in store – hasn’t been stolen, mislaid or even in the same town as where the points were redeemed
- Argos appears to be a hot-spot for fraudsters redeeming Nectar points
How does Nectar card fraud work?
That is the million Nectar point question. On the surface, this is very straightforward:
Click to read on
The new series of Rip Off Britain – series nine! – began on BBC1 this month and once I am on-hand as its resident technology expert.
Earlier this week, I spoke with Angela about how high-tech car criminals are able to hack their way past current keyless security systems. I also shared a few tips that may help concerned viewers prevent their cars being stolen. Here’s a quick taster:
Car crime has largely moved on from the coat hanger and hot-wire days of old, with crime rates decreasing by 80 percent since 1993 according to the Office for National Statistics. However, a new wave of tech-savvy car criminals is now making easy work of making off with many makes of car.
I’ve been following the high-tech car crime trend closely, trying to understand the ways in which criminals are able to bypass or subvert car keyless security systems – whether through signal amplification, wireless jamming or keyless code capture. Criminals often steal to order, targeting high-value vehicles that are driven to so-called ‘chop-shops’ and sold on for parts.
Next week I travel to Glasgow for BBC Rip Off Britain Live. I find the live shows particularly enjoyable because we are able to be responsive to news stories as they break. As such, I can’t say yet exactly which stories I’ll be covering, but I believe we’ll be discussing how the Internet of Things has made our homes vulnerable to hackers.
I turned the internet’s air blue as I guested on this week’s Smashing Security podcast.
I’ve been listening to and enjoying the Smashing Security podcast since it began late last year.
So, I had no hesitation when Graham asked if I might appear as a guest on the show. I suspect he may hesitate before asking me again though…
Tasked with covering some of the week’s news, I quickly rounded on three sex stories:
- how the UK government plans to enforce age verification for sites serving adult content by April 2018
- how the owner of the Ashley Madison website has set aside $11 million to settle with disgruntled users following the 2015 data leak
- how one online adult service has introduced biometric authentication for male members
Needless to say, we covered the news with a professionalism befitting the material. Well, mostly. Hear for yourself:
To check out further episodes of the show, and to subscribe, visit the Smashing Security website.
In today’s Metro I investigate whether the CIA really can ‘hackcess all areas’. Plus, I ask if wearable tech has fallen from fashion. Hold on tight, it’s time to Connect…
Last week’s WikiLeaks document dump professes to reveal how the CIA has – with help from agencies including MI5 – been collecting and developing an arsenal of hacking tools, exploits and cyber skeleton keys to pick its way into the devices we use every day.
We shouldn’t be surprised. Covert surveillance is a tool widely used by intelligence agencies to maintain national security and counter terrorism.
But if the good guys can find a backdoor into our connected kit, surely the bad guys can too? Read on in the Metro e-edition…
The Apple Watch launched less than two years ago. I know this because on the day of the launch I confidently declared that ‘wearable tech is the next big thing’ on stage at the Gadget Show Live, enthusing about the upcoming Pebble Time smartwatch and the latest Jawbone and Fitbit gear.
How times change.
Less than two years on and the wearables phenomenon has failed to catch on, leading analysts to rein in their optimism.
Back to the Apple Watch.
Many – myself included – saw the launch of Apple’s highly-anticipated wearable as a watershed moment. Indeed it was, but rather than sparking a wearables revolution it had the opposite effect. ‘Oh, is that it?’, was the consensus.
However, as Bill Gates once quipped, we tend to over-estimate the impact of a technology in its first two years but underestimate its impact in ten. It might be in the depths of the trough of disillusionment but I can’t see anything other than wearable tech to playing a huge part in our future.
My feature on how to secure your Amazon Echo was published in TechRadar last week. Here is my take on why securing these intelligent home hubs is of vital importance.
Buttons are obsolete. Simply by conversing with my Alexa I can control my central heating and the lighting around my house and garden; I can buy products with my voice, check my personal calendar, set alarms or reminders, update my things to do list, read my favourite book or play any song, album or playlist on Spotify. With my voice.
Hear no Evil
The convenience this offers is staggering and, in a little over three months since I plugged it in and powered it on, my Amazon Echo has already changed many behaviours in our household. For the better? I think so. However…
With convenience comes compromise, especially when it comes to security. We should never be blinded by the utility of any new piece of technology.
I made one mistake in extolling the virtues of our Amazon Echo above. You see, all of these amazing things and more can be commanded not only with my voice, they can be asked by anybody’s voice.
Voice Recognition versus Speech Recognition
While Alexa has enviable speech recognition – the ability to understand and interpret natural language input by speech – she has yet to learn the skill of voice recognition. Often confused, voice recognition is the ability to uniquely distinguish between different people’s voices by analysing physical and behavioural characteristics.
With voice recognition Alexa would know whether it was me (ie authorised) ordering that Nintendo Switch console from Amazon Prime, or if it was my Mario Kart-loving daughter trying her luck (sorry, denied). Did I just ask Alexa for a 2am alarm call or was somebody outside my living room window attempting to play a prank?
Amazon has no plans to introduce voice recognition into the Amazon Echo just yet. Nevertheless, there are steps that Echo owners can take to make sure they enjoy the convenience of a virtual assistant without the worry of being woken up by a 2am prank alarm call.
Pop over to TechRadar to read my 8 top tips to lock down your Alexa.
On BBC Watchdog tonight I appear in an item highlighting gaping holes in home food delivery service Deliveroo’s security and fraud prevention systems.
Victims of so-called ‘Deliveroo fraud’ report having their credit and debit cards emptied of many hundreds of pounds on food and drink orders they never placed, to addresses many hundreds of miles from where they live.
Deliveroo’s standard response to claims of a security breach has left those affected with a bitter taste in their mouths, suggesting victims look to their own security failings instead.
The first a victim knows of the fraud is when they receive an email from Deliveroo confirming an order has been placed.
Deliveroo insists that its own systems have not been the subject of a hack or data breach; instead, the firm advises that customers should not reuse passwords and usernames across multiple online accounts.
Sound advice on its own, but a critical mass of Deliveroo victims all suffering the same fraud might suggest that Deliveroo should look again at its own security measures.
- Smart fraud prevention mechanisms, if present at all, appear to be ineffectual here. Purchases that are so out of character – such as those highlighted in the show – should easily be picked up by automated systems and subjected to additional verification.
- Similarly, a change of delivery address should also trigger additional verification – a PIN sent to the account holder’s smartphone, for example.
- Deliveroo chooses not to authenticate customer card payments with a CVV2 code.
The Card Verification Value is one of the names given for the additional security numbers printed on the signature strip or front of the card. Deliveroo is far from the only retailer to forego ‘card not present’ security – Amazon, with its 1-click purchase, is another. However, this lack of verification allows fraudsters to place orders on credit cards that are not theirs with no challenge at all.
Deliveroo’s light touch on security can be put down to one thing: sales. Here’s how skimping on security benefits Deliveroo’s bottom line:
- When we buy something, the more hoops we have to jump through to make that purchase, the more likely we’ll drop out and go somewhere else.
- Understandably Deliveroo wants to make placing an order with them as simple a process as possible by cutting out as many hoops as it can.
- However, some of those hoops are there for reasons of security; in removing those, Deliveroo is not only making it easier for its customers to place an order, it’s making it easier for them to be defrauded.
The new series of Rip Off Britain begins this Monday on BBC1 resuming its mission to expose shams, scams and poor customer service.
In this series I look at how failures in Vodafone’s billing systems and customer services have left subscribers out of pocket and with costly black marks on their credit history; also I investigate how freely available information might be used by identity thieves to build up detailed profiles of their victims.
One item that I hope to be covering more of is the future of passwords.
Like a stuck record, over the last four or so seasons on Rip Off Britain I’ve made the point again and again about the importance of good password hygiene to minimise the risk of hacks.
But recent developments in voice biometrics technology might be part of a move to make our live online much safer. In fact, customers of some major UK banks and service providers are already using just their voices to securely log-in to their online accounts.
The software claims to analyse around one hundred different behavioural and physical characteristics of our voices (for example accent or length of vocal folds) and is being used by customers of TalkTalk and HSBC among others. Its developer, Nuance, says the technology is so sophisticated that it can even distinguish between identical twins.
We took a special version of the voice recognition app to the BBC pop up shop at the Trafford Centre in Manchester to discover whether shoppers there felt secure using their voice as their password.
Rip Off Britain airs on BBC1 Monday to Friday from 12th September at 9.15am.