Posts tagged Cyber Security
I was back in the BBC Watchdog studio last night for an item on how Nectar card fraud has been leaving some viewers with a decidedly sour taste in their mouths.
Reports of fraudsters targeting the Nectar loyalty scheme aren’t new, but a recent spate of activity has brought it back to the top of the Watchdog mailbag.
Nectar began rewarding shoppers in 2002, and now around 20 million members collect and spend points at a variety of high-street and online retailers. In February this year, Nectar was bought by supermarket chain Sainsbury’s, which now also owns catalogue chain Argos.
In the fraud, Nectar points are redeemed – often in high street stores – to buy goods. The first victims know of it is when they try to spend their Nectar balance and find instead that their account is empty. So prolific are the fraudsters that, in some cases, victims have even found they’ve been left with a negative balance.
There are some patterns to the fraud:
- Victims are adamant that their physical Nectar card – which is required to redeem points for goods in store – hasn’t been stolen or mislaid; in some cases the card wasn’t even in the same town as where the points were redeemed
- Argos appears to be a hot-spot for fraudsters redeeming Nectar points
How does Nectar card fraud work?
That is the million Nectar point question. On the surface, this is very straightforward:
- In order for Nectar points to be redeemed in-store, a card bearing the customer’s name must be produced (as per Argos T&Cs)
- Yet, victims report that their cards hadn’t been lost or stolen at the time of the fraud – some were even in different countries
So, a natural conclusion would be that the fraud involves card cloning, whereby fake copies of victims’ cards are being made by fraudsters which are then used in-store.
Whatever Nectar knows about the fraud, however, it remains tight-lipped. Its typical response is:
We take security extremely seriously at Nectar and have an active programme of monitoring and remediation.
We ask people to treat their Nectar cards like they do their bank cards, in that if they notice suspicious activity or if it goes missing, we ask that they report it, so that we can block their accounts, protect their points and conduct a thorough probe.
We encourage customers to help minimise exposure to suspicious activity by embracing good cyber hygiene such as using complex passwords for online accounts and changing these on a regular basis.
We have rigorous processes and procedures in place to constantly monitor for fraudulent activity and we regularly invest in new technologies to protect our customers’ accounts.
Two things occur to me here:
- Nectar suggests we exercise “good cyber hygiene”. While that’s always sound advice, reading between the lines here it suggests that Nectar is concerned that its online accounts are part of the fraud. This could be how criminals are able to identify Nectar accounts with large balances.
- Nectar also asks members to treat Nectar cards like bank cards. This makes me angry, as Nectar clearly isn’t meeting its side of the bargain: once Nectar implements chip and PIN, multi-factor authentication and more robust fraud detection on its own systems, only then does it have the right to talk about bank-like security.
How to keep your Nectar points safe
Nectar card fraud is a real cause for concern for its members, but Nectar’s security is not – in my opinion – doing a good enough job of preventing it. As we don’t know for sure exactly how it’s happening, it’s difficult to give specific advice, but here’s what I do recommend:
- Regularly login to your Nectar account online to check your balance for any unrecognised transactions; immediately flag up to Nectar if anything doesn’t look right
- Check your Nectar password is different to any you use for your other online accounts; I recommend using a password manager app to generate unique passwords and keep them safe
Watchdog airs on Wednesday nights, BBC One at 8pm and is available on-demand from BBC iPlayer.
The new series of Rip Off Britain – series nine! – began on BBC1 this month and once again I am on hand as its resident technology expert.
Earlier this week, I spoke with Angela about how high-tech car criminals are able to hack their way past current keyless security systems. I also shared a few tips that may help concerned viewers prevent their cars being stolen. Here’s a quick taster:
Car crime has largely moved on from the coat hanger and hot-wire days of old, with crime rates decreasing by 80 percent since 1993 according to the Office for National Statistics. However, a new wave of tech-savvy car criminals is now making easy work of stealing many makes of car.
I’ve been following the high-tech car crime trend closely, trying to understand the ways in which criminals are able to bypass or subvert car keyless security systems – whether through signal amplification, wireless jamming or keyless code capture. Criminals often steal to order, targeting high-value vehicles that are driven to so-called ‘chop-shops’ and sold on for parts.
Next week I travel to Glasgow for BBC Rip Off Britain Live. I find the live shows particularly enjoyable because we are able to be responsive to news stories as they break. As such, I can’t say yet exactly which stories I’ll be covering, but I believe we’ll be discussing how the Internet of Things has made our homes vulnerable to hackers.
I turned the internet’s air blue as I guested on this week’s Smashing Security podcast.
I’ve been listening to and enjoying the Smashing Security podcast since it began late last year.
So, I had no hesitation when Graham asked if I might appear as a guest on the show. I suspect he may hesitate before asking me again though…
Tasked with covering some of the week’s news, I quickly rounded on three sex stories:
- how the UK government plans to enforce age verification for sites serving adult content by April 2018
- how the owner of the Ashley Madison website has set aside $11 million to settle with disgruntled users following the 2015 data leak
- how one online adult service has introduced biometric authentication for male members
Needless to say, we covered the news with a professionalism befitting the material. Well, mostly. Hear for yourself:
To check out further episodes of the show, and to subscribe, visit the Smashing Security website.
In today’s Metro I investigate whether the CIA really can ‘hackcess all areas’. Plus, I ask if wearable tech has fallen from fashion. Hold on tight, it’s time to Connect…
Last week’s WikiLeaks document dump professes to reveal how the CIA has – with help from agencies including MI5 – been collecting and developing an arsenal of hacking tools, exploits and cyber skeleton keys to pick its way into the devices we use every day.
We shouldn’t be surprised. Covert surveillance is a tool widely used by intelligence agencies to maintain national security and counter terrorism.
But if the good guys can find a backdoor into our connected kit, surely the bad guys can too? Read on in the Metro e-edition…
The Apple Watch launched less than two years ago. I know this because on the day of the launch I confidently declared that ‘wearable tech is the next big thing’ on stage at the Gadget Show Live, enthusing about the upcoming Pebble Time smartwatch and the latest Jawbone and Fitbit gear.
How times change.
Less than two years on and the wearables phenomenon has failed to catch on, leading analysts to rein in their optimism.
Back to the Apple Watch.
Many – myself included – saw the launch of Apple’s highly-anticipated wearable as a watershed moment. Indeed it was, but rather than sparking a wearables revolution it had the opposite effect. ‘Oh, is that it?’, was the consensus.
However, as Bill Gates once quipped, we tend to over-estimate the impact of a technology in its first two years but underestimate its impact in ten. It might be in the depths of the trough of disillusionment, but I can’t see anything other than wearable tech playing a huge part in our future.
My feature on how to secure your Amazon Echo was published in TechRadar last week. Here is my take on why securing these intelligent home hubs is of vital importance.
Buttons are obsolete. Simply by conversing with my Alexa I can control my central heating and the lighting around my house and garden; I can buy products with my voice, check my personal calendar, set alarms or reminders, update my things to do list, read my favourite book or play any song, album or playlist on Spotify. With my voice.
Hear no Evil
The convenience this offers is staggering and, in a little over three months since I plugged it in and powered it on, my Amazon Echo has already changed many behaviours in our household. For the better? I think so. However…
With convenience comes compromise, especially when it comes to security. We should never be blinded by the utility of any new piece of technology.
I made one mistake in extolling the virtues of our Amazon Echo above. You see, all of these amazing things and more can be commanded not only with my voice, they can be asked by anybody’s voice.
Voice Recognition versus Speech Recognition
While Alexa has enviable speech recognition – the ability to understand and interpret natural language input by speech – she has yet to learn the skill of voice recognition. Often confused, voice recognition is the ability to uniquely distinguish between different people’s voices by analysing physical and behavioural characteristics.
With voice recognition Alexa would know whether it was me (ie authorised) ordering that Nintendo Switch console from Amazon Prime, or if it was my Mario Kart-loving daughter trying her luck (sorry, denied). Did I just ask Alexa for a 2am alarm call or was somebody outside my living room window attempting to play a prank?
Amazon has no plans to introduce voice recognition into the Amazon Echo just yet. Nevertheless, there are steps that Echo owners can take to make sure they enjoy the convenience of a virtual assistant without the worry of being woken up by a 2am prank alarm call.
Pop over to TechRadar to read my 8 top tips to lock down your Alexa.
On BBC Watchdog tonight I appear in an item highlighting gaping holes in home food delivery service Deliveroo’s security and fraud prevention systems.
Victims of so-called ‘Deliveroo fraud’ report having their credit and debit cards emptied of many hundreds of pounds on food and drink orders they never placed, to addresses many hundreds of miles from where they live.
Deliveroo’s standard response to claims of a security breach has left those affected with a bitter taste in their mouths, suggesting victims look to their own security failings instead.
The first a victim knows of the fraud is when they receive an email from Deliveroo confirming an order has been placed.
Deliveroo insists that its own systems have not been the subject of a hack or data breach; instead, the firm advises that customers should not reuse passwords and usernames across multiple online accounts.
Sound advice on its own, but a critical mass of Deliveroo victims all suffering the same fraud might suggest that Deliveroo should look again at its own security measures.
- Smart fraud prevention mechanisms, if present at all, appear to be ineffectual here. Purchases that are so out of character – such as those highlighted in the show – should easily be picked up by automated systems and subjected to additional verification.
- Similarly, a change of delivery address should also trigger additional verification – a PIN sent to the account holder’s smartphone, for example.
- Deliveroo chooses not to authenticate customer card payments with a CVV2 code.
The Card Verification Value is one of the names given to the additional security number printed on the signature strip or front of the card. Deliveroo is far from the only retailer to forgo ‘card not present’ security – Amazon, with its 1-click purchase, is another. However, this lack of verification allows fraudsters to place orders on credit cards that are not theirs with no challenge at all.
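As an added example (not Deliveroo’s code, nor anything from the programme), here is the kind of step-up rule set the three points above describe: a new or distant delivery address, an out-of-character spend, or a card-not-present order without a CVV2 each hold the order for extra verification. The account profile, the orders and the 3x spend threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Account:
    """Constructed customer profile: usual postcode, rolling average spend, addresses used before."""
    home_postcode: str
    typical_spend: float
    known_addresses: Set[str] = field(default_factory=set)


@dataclass
class Order:
    """Constructed order as seen at checkout."""
    amount: float
    delivery_postcode: str
    cvv_present: bool


def postcode_area(postcode: str) -> str:
    """UK postcode area is the leading letters: "SW" in "SW1A 1AA", "M" in "M1 1AA"."""
    p = postcode.strip().upper()
    i = 0
    while i < len(p) and p[i].isalpha():
        i += 1
    return p[:i]


def step_up_reasons(account: Account, order: Order) -> List[str]:
    """Reasons to hold the order for additional verification (e.g. a PIN to the
    account holder's phone). An empty list means the order can proceed."""
    reasons = []
    dest = order.delivery_postcode.strip().upper()
    if dest not in {a.strip().upper() for a in account.known_addresses}:
        reasons.append("new delivery address")
    if postcode_area(dest) != postcode_area(account.home_postcode):
        reasons.append("delivery outside usual postcode area")
    if order.amount > 3 * account.typical_spend:  # 3x threshold is an assumption
        reasons.append("amount out of character")
    if not order.cvv_present:
        reasons.append("card not present without CVV2")
    return reasons


def requires_step_up(account: Account, order: Order) -> bool:
    return bool(step_up_reasons(account, order))


if __name__ == "__main__":
    acct = Account("M1 1AA", 20.0, {"M1 1AA"})  # constructed: a Manchester customer
    for o in (Order(18.50, "M1 1AA", True), Order(240.0, "SW1A 1AA", False)):
        print(o.delivery_postcode, step_up_reasons(acct, o))
```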
Deliveroo’s light touch on security can be put down to one thing: sales. Here’s how skimping on security benefits Deliveroo’s bottom line:
- When we buy something, the more hoops we have to jump through to make that purchase, the more likely we’ll drop out and go somewhere else.
- Understandably Deliveroo wants to make placing an order with them as simple a process as possible by cutting out as many hoops as it can.
- However, some of those hoops are there for reasons of security; in removing those, Deliveroo is not only making it easier for its customers to place an order, it’s making it easier for them to be defrauded.
The new series of Rip Off Britain begins this Monday on BBC1 resuming its mission to expose shams, scams and poor customer service.
In this series I look at how failures in Vodafone’s billing systems and customer services have left subscribers out of pocket and with costly black marks on their credit history; also I investigate how freely available information might be used by identity thieves to build up detailed profiles of their victims.
One item that I hope to be covering more of is the future of passwords.
Like a stuck record, over the last four or so seasons on Rip Off Britain I’ve made the point again and again about the importance of good password hygiene to minimise the risk of hacks.
But recent developments in voice biometrics technology might be part of a move to make our lives online much safer. In fact, customers of some major UK banks and service providers are already using just their voices to securely log in to their online accounts.
The software claims to analyse around one hundred different behavioural and physical characteristics of our voices (for example accent or length of vocal folds) and is being used by customers of TalkTalk and HSBC among others. Its developer, Nuance, says the technology is so sophisticated that it can even distinguish between identical twins.
We took a special version of the voice recognition app to the BBC pop up shop at the Trafford Centre in Manchester to discover whether shoppers there felt secure using their voice as their password.
Rip Off Britain airs on BBC1 Monday to Friday from 12th September at 9.15am.
A lot of my work right now is around cyber crime and cyber safety. My Hackageddon feature in this week’s Connect section in The Metro illustrates some ways in which our online data might be vulnerable.
While there are precautions we can all heed and best practices we can each adopt when online – good password hygiene among the most important – we are still at the mercy of the organisations we trust to safeguard our data. Sadly, too many of these have been found wanting, with poor security contributing to the estimated 500,000,000 personal records that were leaked or lost in 2015 alone (source: Symantec).
In the Metro feature I look at passwords and password managers, the rise of ransomware, and how to check if your data has already been leaked. We also see how Facebook boss Mark Zuckerberg may take care to keep his details safe now, but how his previous poor security choices recently came back to bite him.
Read the full feature in the Metro e-edition here.
As a side note, the feature coincides with season two of Golden Globe-winning cybercrime drama Mr Robot airing on Amazon Prime Video. I enjoyed the first series – it’s a good drama with plenty of technical authenticity – and can’t wait now to get stuck into the second.