Friday, 21 March 2014

Information Careless Great Britain: All Aboard the non-Privacy Train

This week I experienced a rather concerning two hour journey from London aboard a Virgin Pendolino train.
Might be the Age of the Train, but it's not the Age of Privacy Awareness

I had just taken my seat on board, and the train had just cleared the tunnel just north of Euston station. As I was settling in to the journey I noticed something through the gap of the two seats in front, like a magpie drawn to a sparkling object, something had caught my eye. I have spent years conducting security assessments, checking system logs and databases for the presence of credit card data. During this time I have unwittingly developed the canny knack of quickly spotting a 16 digit primary account number of a credit card, along with a expiry date and the 3 digit security code. My eyes were drawn to the laptop screen of the passenger in front, which had a webpage fully on show, which displayed his typed in credit card details, including the 3 digit security code, which was not obfuscated. In my disbelief I considered taking a picture with my phone, but then thought better of this, as it crosses an ethical boundary in my view. But if a more unscrupulous person than I did take a picture, then they could use the captured credit card details to easily commit credit card fraud, namely use it to buy items online.

The passenger is at fault on so many levels, obviously having your credit card details on open display within a public environment is not the greatest idea, a cheap laptop privacy filter could help reduce this risk, but not completely, I think my viewing angle would still have been good enough to observe his laptop screen. Then the website itself didn't look too secure in my view, in that the webpage didn't obscure the credit card information he had typed in, especially the 3 digit security code, which is not a good sign. Then there was the method of the internet access, I was pretty certain the laptop was connected with the train’s public WiFi. These days (hopefully) most people understand you should never enter credit card details to purchase anything over a public WiFi, as there is no way of telling if you are connected with a fake WiFi hotspot operated by data thieves, or whether someone is listening into (sniffing) all your web traffic, or even performing a man-in-the-middle attack, which is a method of defeating the encryption (https SSL) used by ‘secure’ websites.

I was still shaking my head and tutting to myself when the three ladies sat around the table seats to my left piped up. All three of them worked within the HR department of a UK footsie 100 company which I won't name, I know this because for most of the journey all they talked about was their work. First they spoke in detail about an individual which their company had recently fired. Stating this individual’s full name several times with the reason for the dismissal. They discussed how they would prepare for his employment tribunal in the following week. Next they started a real bitching session against their boss, again I'm naming no names. One of their boss’s emails was read out from a Smartphone and then ridiculed, along with further gossip...she said this, he said that, I said this. Their department restructuring is apparently a complete joke and a waste of time. Finally there were further and rather personal remarks about their boss and another individual working within their department, the irony of their HR role and the tribunal case they had been initially talking about, was not lost on me.

How many phone calls do you hear on trains?

While still doing my best to mind my own business, an annoying ring tone sounded from the seat behind me, and Mike X announced his presence to the rest of the coach, with a booming “Hello Mike X”.  He wasn't a relation to Malcolm X, I am using X to protect his real surname. We all learnt that Mike was quite the slick salesman, and how he was key to his company winning a £450K contract with a well known construction company. We also heard how he and his colleagues were going to provide the right kind of answers the construction company wanted to hear in their tender documentation, and that his company should not worry too much about details at this stage, unless it was something that was going to be clearly stipulated in the contract. Finally he told us all about his plans for the weekend, dinner with his wife on the Saturday, and golf with his chums on the Sunday.

You couldn't make this stuff up, for a moment I thought it was part of some elaborate prank, but Ant & Dec were nowhere to be seen, so I decided save myself from further annoyance by the passengers around me, I put on my headphones, pulled out my laptop, stuck on my privacy filter and wrote it up for this blog post.

Conclusion – Information Careless
I can't help but wonder whether this train carriage represents an average cross section on the level of security awareness in the UK in 2014?  No wonder cyber criminals target the UK, they know its citizen's are information careless, and are a cash rich soft touch. Information Security awareness by the UK government and companies is either proving to be not be very effective, or people already understand it well enough and are choosing not to give a dam.

No comments: