Posts tagged Cyber Security
October is National Home Security Month, the last week of which is Smart Home Security Week. Writing once again for The Metro newspaper I revealed six app-connected cameras for your connected home that give you piece of mind and, if necessary, help to catch crooks red-handed.
Amongst those I reviewed were flyaway Kickstarter success story Canary, home security heavyweight Piper nv and the innovative app-only Manything, which helps you to put to old smartphones to good use.
“Hello, this is Mark, I’m calling from the Windows Technical Department. We have identified a problem with your computer…”
Have you ever received a phone call that begins like this? I have, too many times to count. The so-called ‘Microsoft Tech Support Scam’ is almost as old as the internet itself but, like a nasty virus, it refuses to go away. I’ve just filmed an investigation for the new series of BBC Watchdog to highlight the how the scam works and catch the fraudsters red-handed.
Despite being plagued by these calls, I am fortunate; I know that they are almost certainly from scammers intent on stealing my money, personal details or identity. However, thousands of people do fall victim to this fraud every year with many hundreds of thousands of pounds reported stolen in the UK alone.
According to the National Fraud Intelligence Bureau (NFIB) the average victim of ‘Computer Software Service Fraud’ will be 59 years old and £210 worse off as a result of the crime, although some report losses of up to £6,000. As with many nuisance calls these criminals work on volume, and for every one hundred calls they make, if only one is successful then it will have been worthwhile.
In the past legal action against the perpetrators has proved difficult (although there have been some successes) but by showing Watchdog viewers what to look out for we hoped to raise awareness and reduce the number of victims.
We decided the best way to do this was to capture the scam in action for the cameras — a first for UK television, we think, and no mean feat given how difficult it is to track down the fraudsters. What happened next was quite intense…
You can watch the full report here.
Watchdog Scams the Tech Support Scammers broadcasts on BBC1 at 7.30pm on Thursday 29th October 2015.
Of all the high-profile hacks and leaks of 2015 the TalkTalk Data Breach in October may prove to be one of the most significant yet, potentially impacting all four million of its UK customers.
While details of the breach are still emerging the leaked data appears to include unencrypted names, addresses, email addresses, bank account/credit card information, customer account numbers and more.
The ‘significant and sustained’ cyberattack, likely using a DDOS (distributed denial of service) attack as a smokescreen for their chosen method of entry and extraction, shows the hallmarks of highly-organised cybercrime.
Sadly, this isn’t the first time that the UK telco’s customers have had their personal details sneaked out of the back door. Data leaks in November 2014 and August 2015 exposed information that has been used to successfully defraud customers of thousands of pounds with phishing and vishing attacks.
- Treat incoming telephone calls purporting to be from a service provider – TalkTalk or otherwise – as potentially toxic. Regardless of any account number or information quoted, or the telephone number called from (Call Line IDs are easy to spoof), in my opinion phishing and vishing fraud is now so common that incoming calls are impossible to trust. A reputable/genuine caller will quite understand any concerns and give you an option to call back on a verified number found on your (for example) bank statement or the firm’s main website (not a link they send). However, make sure you call back from another number (maybe a mobile if you have one – but check call charges) or ensure your landline has been cleared first (wait 5 minutes or call a friend first).
- Check your bank statements, credit card bills and any online payment service accounts (eg Paypal). If there are any transactions you don’t recognise, no matter how small, query them. And then keep checking them – this is good practice anyway.
- Check and change your passwords, particularly if you use the same password as your TalkTalk account across any other accounts? Email, social network, PayPal, auction sites etc?
TalkTalk has a dedicated page to keep those concerned updated with the latest news and advice on the data breach: http://help2.talktalk.co.uk/oct22incident
BBC Rip Off Britain LIVE returns for a second year to The One Show studios in Central London, and once again I will be on-hand to answer more viewers’ consumer technology questions. Last year I spoke about contactless payments and passwords – this year it’s online gaming.
In the first show of the week-long series I’m due to talk about how online gamers are increasingly being targeted by ‘bounty hunters’ eager to hijack their account to gain access to their games, achievements or even their credit card details (bear in mind that the show is live so anything could happen instead…!).
In a plot that quickly begins to sound like a video game in its own right, the fraudsters use a variety of tactics to trick high-value gamers into revealing their login details so that their gaming accounts and virtual identities can be stolen and sold on for real cash.
Earlier in the series Rip Off Britain spoke with two disgruntled gamers whose Sony Playstation accounts had apparently been hijacked, but other gaming platforms can be hot targets too. With over 4,500 games and 125 million gamers, PC gaming platform Steam is one of the largest gaming networks around and, inevitably, it is also a target for scammers.
Despite a well-publicised security flaw identified in July 2015 Steam generally has a sound reputation for security of its users’ data. However, this hasn’t stopped gamers from having their accounts compromised — in fact, the majority of fraud appears to be as a result of phishing and social engineering rather than any hacks of either Steam’s or its users’s systems.Posts like this on gamebanana go into some detail on the social engineering methods that scammers have successfully used to hijack accounts. It describes how scammers have used in-game instant messaging to pose as Steam administrators warning (ironically) that their account has been hacked and needs to be regenerated.
The post may be several years old, but sadly the same tactics are still in use. More recent scams may attempt to install malware onto your PC or into your browser, but they all involve convincing you to click a link or reveal your account information. Here’s another incredibly useful post that shows some scams in action, along with how to spot a Steam scam.
Steam Community: Avoiding Common Scams:
Vigilance, it seems, is the best defence, along with basic awareness of the tactics employed by the scammers.
But if you find yourself a victim of Steam account jacking then help is at hand – in fact, Steam has a special form to help recover stolen and hijacked accounts:
Recovering a Stolen or Hijacked Steam Account:
However, Valve bosses do acknowledge that Steam’s current customer service is far from good enough, with support tickets seemingly going unanswered or ignored, but it is working hard to remedy it.
Valve Explains Why Steam Customer Service Is Still Terrible:
Questions will inevitably be asked whether Valve, the parent company behind Steam, is active enough in trying to prevent this kind of fraud. In response Steam is currently introducing a two-factor authentication mechanism, Steam Guard Mobile Authenticator, which in theory should reduce some fraud.
Rip Off Britain LIVE airs on BBC1 from 9.15 until 10am from Monday 19th to Friday 23rd October 2015.
A new series of Rip Off Britain begins on BBC1 today, Monday 14th September, from 9.15 to 10.00am.
The popular consumer affairs show starring Angela Rippon, Gloria Hunniford and Julia Somerville is now in its seventh series of helping viewers tackle rip offs and scams. I’m delighted to have been involved for the last four as a digital consumer champion across everything from cybersecurity and nuisance calls to mobile roaming and online safety.
For one film this season I took a detailed look at how safe we are when using the Public Wi-Fi hotspots increasingly found in coffee shops, airports and hotels. Even I was staggered at just how much information hackers can see on wireless networks with relatively little equipment or, frankly, expertise. This information can include unencrypted usernames, passwords and other sensitive details that can easily be used to execute identity fraud or phishing attacks.
This ‘digital eavesdropping’ might be the perfect crime, with coffee shop surfers quite unaware of a fraudster syphoning off valuable personal data on an adjacent table. The first they might realise something is amiss is when they get locked out of their social networking accounts or their email inexplicably starts spamming their address book.
During research for the show I uncovered some shocking security holes from well-known online and high-street retailers who really should know better. I also discovered how I wasn’t immune to sharing sensitive and valuable data by accident too.
Rip Off Britain airs every weekday on BBC1 for four weeks from Monday 14th September at 9.15am; see here for episode information and iPlayer links to watch on demand.
September has been a busy month for television appearances. As well as new seasons of BBC1 Rip Off Britain and Planet of the Apps for Ginx TV, twice I’ve been up bright and early sitting on the ITV Good Morning Britain sofa.
The stories I covered were both Apple-focused but, it’s fair to say, at different ends of the good news spectrum.
The ‘iCloud Celebrity Photo Hack’ (or “The Fappening”, as it has also come to be known) is an altogether different news item, made more difficult because there’s a lot that’s still unknown about how private photos of celebrities came to be leaked in the first place – not least, whether Apple’s iCloud is even culpable.
I’ve uploaded my notes on the iCloud Celeb-gate story (do keep in mind that’s exactly what they are, just notes), and I’ll be sure to update them as regularly as I can while the story develops.
The new series of Rip Off Britain is well underway, airing on BBC1 throughout September and October.
It’s been a busy series for me: as well as appearing in the Popup Shop in the West Midlands I’ve been covering a variety of topics including online password security, nuisance call blockers, how online advertising works, and taking care when connecting to public Wi-Fi hotspots.
One item that has generated a lot of interest is online password security.
On average we have 26 online logins each in the UK, with 25-34 years old managing up to 40. Most worrying of all is that Experian, who conducted the research, found that despite the number of accounts we manage, we each use an average of just 5 different passwords!
When researching the item I tried to count how many online accounts I owned: I stopped when I reached 90. I know I’ve many more, and it’s a number that’s only going to grow. I also realised that it’s very rare that I go back to delete an account that I no longer use, particularly if it’s with an online retailer I’ve used just the once to buy a gift.
In the show I ran a workshop in a shopping centre to highlight the challenges of safely managing our online accounts. Of course, it’s a big subject with too much to share in a short item on television, so to help further I put together a leaflet.
My “How to manage and remember your online passwords” leaflet contains tips on how to make your online accounts as safe as possible, including choosing passwords and passphrases that are difficult for fraudsters to guess or crack, and an introduction to password management software. You can download the leaflet from the BBC website.
Watch Rip Off Britain on BBC iPlayer or to see clips of the show and further tips visit the BBC Rip Off Britain website. Also, look out for details of the Rip Off Britain Live show on BBC1 from 20th-24th October 2014.
Here’s what we know about Heartbleed (as of today – it’s a developing story) plus some pointers about what you need to do to protect yourself:
What is the Heartbleed Bug? The Heartbleed Bug (or CVE–2014-0160 to give it its official name) is a vulnerability in OpenSSL, the fundamental bit of code used by as many as 500,000 websites to encrypt the data we send online. The upshot is that sensitive data such as our usernames, passwords and credit card details could potentially have been exposed to hackers. It doesn’t matter what device you’re using to connect to the web – a laptop, Mac, Windows, iPhone or Android – the vulnerability is on the web server that you’re connecting to.
Is it serious? Heartbleed is a serious enough vulnerability that it’s forced website owners all over the world to update, to patch their web servers. And we’re talking about the big players, like Yahoo and its services such as Flickr and Tumblr; some banks and even the FBI’s website are impacted too, an estimated half a million sites in total. Some sites such as Google and Facebook managed to patch their services early on or before the vulnerability was made public, but that doesn’t mean they weren’t vulnerable beforehand. And it’s not just websites that use OpenSSL, it’s email and instant messaging services too.
Who has exploited it? Concerningly, even though the Heartbleed Bug has only just been made public (by researchers at Google and Codenomicon) this vulnerability has been around for a couple of years. Perhaps nobody knew it was there until the last week. Perhaps (and this is speculation) some people did know but, having free access to privileged and sensitive data, chose to keep quiet about it. As it’s difficult to trace if and when the vulnerability has been exploited, we may never know.
What can we do? Some of the knee-jerk advice online has been ‘don’t go to work until you’ve changed all of your passwords’, but that might actually put you at more risk until the affected servers get patched with the fixed version of the OpenSSL code. Good advice is to check whether your service was impacted by the bug – this link on Mashable is pretty comprehensive – and as per the advice change your password only when safe to do so. Whatever you don, don’t use the same password for multiple accounts – consider using a secure password manager to keep track of them all. And, as always, keep a close eye on your bank statements for suspicious transactions.