Posts tagged Hack
When I first spoke about Deliveroo scams for BBC Watchdog in 2016, I had hoped the fast food delivery service would have taken away some tips on how to keep its customers’ accounts safe from fraudsters.
Yet here we are in 2019 and once again I’m investigating – this time for The One Show – why Deliveroo can’t seem to be able to keep its customers’ accounts secure.
Three years on and it seems little has changed at Deliveroo HQ.
Desperate Deliveroo customers are still finding orders being placed without their consent and delivered to addresses they know nothing about. Victims are still discovering that their email address is being changed, passwords updated, payment details changed, refunds issued – and even their name changed – without any apparent verification or controls.
Deliveroo vehemently denies that its own systems have been hacked. Instead it deflects responsibility back to its customers, admonishing them for reusing passwords across multiple online services.
Deliveroo: You Get Stuffed
Deliveroo claims that criminals are using “credential stuffing” attacks to take over customer accounts. It says usernames and passwords leaked from other online services are used to try and log in to Deliveroo accounts. Because many of us use the same passwords for multiple services, this can be a fruitful method of attack for criminals looking to hijack others’ accounts.
In my opinion, this victim-blaming doesn’t let Deliveroo off the hook. Other online services also acknowledge that these kind of attacks take place – and take further sensible precautions to protect their users.
One method used by many online services to add an extra layer of security is two-factor authentication. With “2FA”, a text message containing a one-off security passcode is sent to the account owner’s smartphone. It works because even if a hacker has identified a potential victim’s username and password, it’s unlikely they will have access to their smartphone too.
Fixing Deliveroo’s Fraud Problem
At the time of writing, Deliveroo does not ask customers to validate updates made to their account. A change of email, new delivery address, payment details, even name – I mean, how often do you change your name? – go unchallenged by Deliveroo’s security systems. Yes, an email advising of a change is sent after the event, but by then it’s often too late for victims.
Adding an additional security step like this for significant or out-of-character account activities would, it seems to me, stem much of the fraud Deliveroo customers have been facing.
Deliveroo does say that it employs advanced machine learning technology to catch fraud. However, with its algorithms failing to identify seemingly bizarre patterns of behaviour, it appears that Deliveroo’s computer all too rarely says no.
During the investigation I discovered tutorials shared by hackers on how to break in to Deliveroo accounts – and other services such as Netflix, Spotify or Amazon Prime Video – many hidden online in plain sight. I saw the encrypted chat rooms where hijacked user accounts are bought, sold and requested in bulk.
I also found evidence of fraudulent Deliveroo shop-fronts that offer hefty discounts for ordering through them instead of directly with Deliveroo. These middle-men place orders on behalf of their clients using hijacked Deliveroo accounts, funded with victims’ details, stolen credit cards or refunded credit. They are paid a cut of the order value – typically 30 percent – using tough-to-trace cryptocurrencies.
On the surface, takeaway food crime may appear low-key – but there’s clearly more here than meets the eye.
My advice for Deliveroo customers is this:
- Use password manager software to create and store long, strong, unique passwords for your online accounts – including Deliveroo – that will be almost impossible for a hacker to guess. There is no such thing as infallible security, but in my opinion a password manager is the best choice you can make right now.
- For those accounts that support it – and there’s a long list of major online services do – enable two-factor authentication. Here’s hoping that, one day, Deliveroo joins that list.
Finally, and most important of all, if you don’t trust an online service to keep your account, your personal information or your payment details safe, then vote with your feet and use another service.
The new series of Rip Off Britain – series nine! – began on BBC1 this month and once I am on-hand as its resident technology expert.
Earlier this week, I spoke with Angela about how high-tech car criminals are able to hack their way past current keyless security systems. I also shared a few tips that may help concerned viewers prevent their cars being stolen. Here’s a quick taster:
Car crime has largely moved on from the coat hanger and hot-wire days of old, with crime rates decreasing by 80 percent since 1993 according to the Office for National Statistics. However, a new wave of tech-savvy car criminals is now making easy work of making off with many makes of car.
I’ve been following the high-tech car crime trend closely, trying to understand the ways in which criminals are able to bypass or subvert car keyless security systems – whether through signal amplification, wireless jamming or keyless code capture. Criminals often steal to order, targeting high-value vehicles that are driven to so-called ‘chop-shops’ and sold on for parts.
Next week I travel to Glasgow for BBC Rip Off Britain Live. I find the live shows particularly enjoyable because we are able to be responsive to news stories as they break. As such, I can’t say yet exactly which stories I’ll be covering, but I believe we’ll be discussing how the Internet of Things has made our homes vulnerable to hackers.
I turned the internet’s air blue as I guested on this week’s Smashing Security podcast.
I’ve been listening to and enjoying the Smashing Security podcast since it began late last year.
So, I had no hesitation when Graham asked if I might appear as a guest on the show. I suspect he may hesitate before asking me again though…
Tasked with covering some of the week’s news, I quickly rounded on three sex stories:
- how the UK government plans to enforce age verification for sites serving adult content by April 2018
- how the owner of the Ashley Madison website has set aside $11 million to settle with disgruntled users following the 2015 data leak
- how one online adult service has introduced biometric authentication for male members
Needless to say, we covered the news with a professionalism befitting the material. Well, mostly. Hear for yourself:
To check out further episodes of the show, and to subscribe, visit the Smashing Security website.
In today’s Metro I investigate whether the CIA really can ‘hackcess all areas’. Plus, I ask if wearable tech has fallen from fashion. Hold on tight, it’s time to Connect…
Last week’s WikiLeaks document dump professes to reveal how the CIA has – with help from agencies including MI5 – been collecting and developing an arsenal of hacking tools, exploits and cyber skeleton keys to pick its way into the devices we use every day.
We shouldn’t be surprised. Covert surveillance is a tool widely used by intelligence agencies to maintain national security and counter terrorism.
But if the good guys can find a backdoor into our connected kit, surely the bad guys can too? Read on in the Metro e-edition…
The Apple Watch launched less than two years ago. I know this because on the day of the launch I confidently declared that ‘wearable tech is the next big thing’ on stage at the Gadget Show Live, enthusing about the upcoming Pebble Time smartwatch and the latest Jawbone and Fitbit gear.
How times change.
Less than two years on and the wearables phenomenon has failed to catch on, leading analysts to rein in their optimism.
Back to the Apple Watch.
Many – myself included – saw the launch of Apple’s highly-anticipated wearable as a watershed moment. Indeed it was, but rather than sparking a wearables revolution it had the opposite effect. ‘Oh, is that it?’, was the consensus.
However, as Bill Gates once quipped, we tend to over-estimate the impact of a technology in its first two years but underestimate its impact in ten. It might be in the depths of the trough of disillusionment but I can’t see anything other than wearable tech to playing a huge part in our future.
A lot of my work right now is around cyber crime and cyber safety. My Hackageddon feature this week’s Connect section in The Metro illustrates some ways in which our online data might be vulnerable.
While there are precautions we can all heed and best practices we can each adopt when online – good password hygiene among the most important – we are still at the mercy of the organisations we trust to safeguard our data. Sadly, too many of these have been found wanting, with poor security contributing to the estimated 500,000,000 personal records that were leaked or lost in 2015 alone (source: Symantec).
In the Metro feature I look at passwords and password managers, the rise of ransomware, and how to check if your data has already been leaked. We also see how Facebook boss Mark Zuckerberg may take care to keep his details safe now, but how his previous poor security choices recently came back to bite him.
Read the full feature in the Metro e-edition here.
As a side note, the feature coincides with season two of Golden Globe-winning cybercrime drama Mr Robot airing on Amazon Prime Video. I enjoyed the first series – it’s a good drama with plenty of technical authenticity – and can’t wait now to get stuck into the second.
Watchdog Wednesdays continues on BBC Three and in this week’s film I investigate how easily a criminal can hack a public Wi-Fi hotspot and compromise its users’ personal information.
Coffee shops, high streets and hotels increasingly offer free public Wi-Fi so visitors can sync up while they eat, shop or stay. However, as I’ve reported on before, Wi-Fi hotspots are easy to spoof, are frequently unsecured, and even when there is a password there is still no guarantee of safety.
Hacking the Hotspot
So, in a controlled experiment at a central London coffee shop, I set out to see what the hackers see. What I saw when the Watchdog cameras began rolling surprised even me:
— BBC Three (@bbcthree) April 20, 2016
With very little investment in time or equipment I learnt how to intercept traffic sent between users’ devices laptops, smartphones, tablets and the internet.
Just to be clear – I am not a hacker, I’m a journalist, but picking up the basics was worryingly easy.
The Man in the Middle
My attack (known as a ‘Man in the Middle‘ attack by ARP poisoning) targeted only a single device operated by a member of the BBC crew. It could equally have targeted a number of devices, perhaps all logged in to the Wi-Fi hotspot.
I found unencrypted traffic easily visible, plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker — and webpage images appeared on my hacktop just as they did on the victim’s machine. I was even able to work around some (but not all) websites’ attempts to enforce HTTPS security.
plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker
I was shocked that supposedly secure websites such as John Lewis, ebay and Amazon were vulnerable to this basic attack on an iPad, along with email accounts that didn’t have SSL security enabled. Facebook and Twitter didn’t fall for the hack.
Are we really aware of how easy it is for data we send over the airwaves to be intercepted by a silent criminal? I suspect not. This is a perfect crime where victims are unaware that their details have been compromised until the criminal executes his hack hours, days or weeks later when emails get intercepted, accounts get hijacked and funds go missing.
There’s nothing here that’s difficult to get hold of:
- Sony Vaio laptop
- External USB antenna
- Kali Linux operating system
- Tools including Wireshark, sslstrip, ettercap, driftnet
I should add that none of the software used here was illegal; Kali Linux and its bundled utilities are open source, promoted as ‘penetration testing and ethical hacking’ software and is used by security professionals to ensure their corporate networks and public websites remain secure to hackers. Of course, the very same software may also be used by hackers for malicious means. And then, of course, there is YouTube – there’s any number of tutorials here to help you get to grips with the tools and utilities mentioned above.
Stay Safe on Public Wi-Fi Hotspots
So there’s the scare story. But what can you do stay safe when on public WiFi?
- For light browsing I prefer to bring my own network and tether from my smartphone or Mi-Fi, but my data plan is generous (and yes, expensive) to allow for that; if cellular reception is poor it’s painfully slow or impossible.
- A VPN, or Virtual Private Network, is my next security measure – this creates a secure ‘tunnel’ between my laptop, tablet or smartphone and a server elsewhere on the internet into which a fraudster cannot eavesdrop. These can be free, fairly cheap or you can even build your own.
- If all else fails I make sure that websites I exchange data with support safe browsing, denoted by HTTPS and the green padlock (but beware that tools like ‘sslstrip’ can subvert this). I do not ignore errors from the web browser which talk about invalid certificates, even if I don’t understand exactly what they mean – I can visit those websites later when I’m on a secure connection.
How secure are apps? How do you know whether they’re secure if there’s no green padlock or HTTPS visible in an address bar? In my testing I found some apps that are blatantly not secure broadcasting personal details, but I’ll be exploring this in more detail very soon.
The leak of personal details from the Ashley Madison extramarital dating website is one of the significant breaches of sensitive information in the web’s history.
High-profile data leaks have outed private customer data from internet service providers, online retailers and high-tech toy manufacturers in the last few months alone. As a result, cyberattacks have been elevated from trade-press niche news to stop-the-press nine o’clock news.
Yet the Ashley Madison data-breach is different: it wasn’t just email addresses and credit card details that were liberated this time, it was data of the most personal nature. Changing your passwords after a cyberhack is a hassle; salvaging your family relationships after being publicly outed on an adulterous dating website is something infinitely more profound.
While the story was still developing in August 2015 the team from Mentorn Media got in touch to ask if I could add some context to the story for a quick-turnaround documentary they were making for Discovery Networks. Beyond the hack itself, the show sought to explore the wider impact that internet and connected technology is having on 21st century sex and relationships – it’s not often I get to talk about teledildonics and virtual reality sex on television…
The documentary aired in September 2015 in the UK and in January 2016 in Australia. Here’s a trailer:
In whichever direction your moral compass points, Ashley Madison has for a long time been a hugely popular online destination. The Ashley Madison Agency Limited launched in 2001 and, until the events of July and August 2015, welcomed almost 125 million visitors every month from over 50 countries around the world.
Of all the high-profile hacks and leaks of 2015 the TalkTalk Data Breach in October may prove to be one of the most significant yet, potentially impacting all four million of its UK customers.
While details of the breach are still emerging the leaked data appears to include unencrypted names, addresses, email addresses, bank account/credit card information, customer account numbers and more.
The ‘significant and sustained’ cyberattack, likely using a DDOS (distributed denial of service) attack as a smokescreen for their chosen method of entry and extraction, shows the hallmarks of highly-organised cybercrime.
Sadly, this isn’t the first time that the UK telco’s customers have had their personal details sneaked out of the back door. Data leaks in November 2014 and August 2015 exposed information that has been used to successfully defraud customers of thousands of pounds with phishing and vishing attacks.
- Treat incoming telephone calls purporting to be from a service provider – TalkTalk or otherwise – as potentially toxic. Regardless of any account number or information quoted, or the telephone number called from (Call Line IDs are easy to spoof), in my opinion phishing and vishing fraud is now so common that incoming calls are impossible to trust. A reputable/genuine caller will quite understand any concerns and give you an option to call back on a verified number found on your (for example) bank statement or the firm’s main website (not a link they send). However, make sure you call back from another number (maybe a mobile if you have one – but check call charges) or ensure your landline has been cleared first (wait 5 minutes or call a friend first).
- Check your bank statements, credit card bills and any online payment service accounts (eg Paypal). If there are any transactions you don’t recognise, no matter how small, query them. And then keep checking them – this is good practice anyway.
- Check and change your passwords, particularly if you use the same password as your TalkTalk account across any other accounts? Email, social network, PayPal, auction sites etc?
TalkTalk has a dedicated page to keep those concerned updated with the latest news and advice on the data breach: http://help2.talktalk.co.uk/oct22incident