A Sky News investigation uncovered the shady dealings of some computer repair shops in London. An undercover reporter presented a laptop for repair at several computer repair shops, the only problem being an easy-to-detect loose memory chip. However, Sky had rigged the laptop to monitor how it was dealt with, using keylogger software, and they even had the laptop's camera record the dodgy goings-on on video.
One cheeky rogue trader charged the reporter £130, saying the laptop required a new motherboard, even though the original motherboard was absolutely fine. However, more sinister and worrying was the invasion of customer privacy. Computer repair shop engineers were recorded rifling through clearly marked private documents held on the laptop (the folder was titled "private"), and one scoundrel was captured actually stealing documents, transferring them onto a USB memory stick, including a text file labelled as holding passwords for Facebook, Hotmail, eBay and an online bank account. After lifting this information he went on to try to access the online bank account.
Unfortunately, knowing the IT repair industry as I do, this kind of abuse of trust is commonplace. IT repair staff, especially those with time on their hands, are always likely to have a snoop, and within this subset of snoopers there are those who will go a step further and actually do something devious with the information they find. I have even heard of computer shop chain employees doing the same type of snooping; just recall how Gary Glitter got caught for downloading illegal images.
Putting this Risk in Context
We all need to understand that sending your personal computer or laptop to a computer repair shop is on par with leaving a “stranger” alone in your home to carry out a domestic repair. If you aren’t happy trusting a stranger to do a domestic repair all alone in your home, why on earth would you trust a stranger to repair a problem with your personal computer all alone?
What should you do to Protect Yourself?
As with my "stranger in your home" analogy, you must insist on having your computer repaired while you are present: either have an engineer come to your home and repair it in front of you, or have it repaired in your presence at the shop. Remember it's not like having your car repaired at a garage, as we all have all kinds of personal and sensitive material digitally stored on our computers these days. You really wouldn't leave your car at the garage for repair if it contained your bank account books, your correspondence and all your photo albums.
If you must give your PC or laptop to a third party for repair and you are IT savvy, I would either remove the hard disk or fully encrypt the hard disk. For the non-technical, I would advise approaching that family member or friend who is computer literate; just like with good lawyers or indeed good handymen, everyone should make a point of knowing a computer techie they can trust.
Thursday, 23 July 2009
Friday, 17 July 2009
A History of Battling Payment Fraud
On Wednesday I popped into The Manchester Museum, and as I strolled into the "Money" collection of exhibits, I was greeted by a bunch of friendly guys sitting behind a desk. The desk had various old coins laid out and a sign stating "Please DO Touch". After a couple of minutes of weighing up and flipping various 2,000-plus-year-old Alexander the Great and Roman coins, naturally, me being me, I started chatting about the fraud aspects, at which point one of the guys produced a Chinese bank note from the 14th century, safely housed in a protective plastic cover. This particular note happens to be one of the oldest surviving bank notes in existence. Now, the Chinese invented and started using paper money around 960 following a metal shortage: without copper, silver and gold they couldn't meet the demand to make coins. There is evidence of cruder forms of paper money being made by the Chinese centuries earlier, but these weren't widely adopted. The construction of the Great Wall of China was financed by printing paper money, which has echoes of our approach to resolving the current financial crisis.
As you can see from the picture, the Chinese bank note depicts stacks of coins to show its value. However, what I thought was particularly fascinating is the warning on the bank note: it states that anyone attempting to produce a copy of the note will be executed. So we can see that with this ancient creation of a new payment method came the understanding that it must be protected against fraudulent exploitation. Without the death penalty as a deterrent, I doubt the first bank notes would ever have taken off.
I think Marco Polo describes the Chinese bank note invention best in his book The Travels of Marco Polo (Il Milione).
"All these pieces of paper are issued with as much solemnity and authority as if they were of pure gold or silver; and on every piece a variety of officials, whose duty it is, have to write their names, and to put their seals. And when all is duly prepared, the chief officer deputed by the Khan smears the Seal entrusted to him with vermilion, and impresses it on the paper, so that the form of the Seal remains printed upon it in red; the Money is then authentic. Anyone forging it would be punished with death."
Whatever the payment form, be it gold bullion bars, coins, bank notes or payment cards, thousands of years of history show there has always been a non-stop game of cat and mouse between the payment method issuers and those who seek to take advantage, the fraudsters. I thought this game play was clearly evident when I observed a display of the various bank notes used within the UK over the past few decades, where gradually, over the course of time, bank notes were printed on different, harder-to-acquire types of paper, used more complex design patterns, then watermarks and then holograms.
Modern bank notes have plenty of anti-counterfeit protection
Now, payment cards have actually been around for many decades, but mainstream usage of plastic payment cards, on which we are continually becoming more reliant instead of cash, really started to take hold from the mid-1980s. As with the evolution of bank notes, which increasingly used anti-counterfeit measures, we see exactly the same principles in battling fraud with payment cards, and in their originally unintended usage in the Internet payment arena.
However, in recent times the lack of general public exposure of major card payment breaches, the lack of policing of the Internet (catching the fraudsters) and indeed the lack of a strong deterrent (remember the death penalty?) have resulted in an escalation of payment card fraud. So the question is: are the card issuers becoming lazy in playing the cat-and-mouse fraud game? The publicly known statistics on card fraud show payment card fraudsters are continuing to thrive and are getting away with payment card fraud in ever increasing numbers, and history clearly shows us there is no end game in combating payment fraud.
Friday, 10 July 2009
118800 Mobile Phone Directory Search Privacy Concerns
"118800" is a new commercial Mobile Phone Directory Search venture, which charges absolutely anyone at all £1 to obtain the mobile phone number of a UK citizen, searching by name and location. 118800 have amassed a database of around 15 million UK names, locations and mobile numbers for their directory, which was set to launch earlier in the week. I read a quote from a 118800 representative who stated the contact names and mobile phone numbers in their directory were harvested from the public domain, but what they really mean by "public domain" is that they probably purchased the information from market research companies, online businesses and information brokers.
EDIT 12/06/09: Since I originally posted, a representative from 118800 has been in contact and provided further clarity on the 118800 directory search method. It seems my brief description of the service was only partial, so it may be misleading. I was unable to fully test the service at the time of posting, as the service was (and still is) unavailable. I have decided to repost all of 118800's comments below within this post, both in the interest of fairness and to ensure the description of the service is correct and not misleading.
"I'm from 118 800 and would like to correct the description of our service. We DO NOT give out mobile phone numbers to enquirers. We put people in touch with each other without disclosing any personal information. So if someone is trying to get hold of you through our service, you'll be called by us, told who is on the line for you and you can choose whether to be connected or not. The online service texts you with the enquirer's contact details so you can decide whether to contact them or not.
And, just like any other directory enquiry service, the enquirer needs to know your name & address. So it's very likely the first person to try to contact you using our service will be a friend or acquaintance who has lost your number or not got it on them." - 118 800
Most market research companies and online websites which collect our personal information are pretty much forcing individuals to input their mobile number these days. A minority of the companies this information is collected from do a good job of warning their users that their information could be shared with a third party. However, some companies use small-print consent and opt-out boxes which are disabled by default, knowing a percentage of people will neglect to read them properly, and some companies don't even ask for consent, which is illegal under our regularly unenforced Data Protection Laws. So it is small wonder 118800 are able to go from zero to 15 million personal names, locations and mobile numbers in no time at all. Let's be clear on this: mobile service providers such as O2 and Vodafone are not providing your phone number to these guys; in fact I know they are just as annoyed at this practice.
Now, it is true our government happily places our personal details on online searchable electoral rolls, which can be fully searched for a charge, and BT publish our names and home phone numbers in phone books which make them a profit by way of advertising as well, but that doesn't make it right. We are now in the information age; information, especially personal information, has value, and companies handling our personal information are entrusted with it. They must protect it, not sell it or exploit it for profit. With the BT phone book you can opt out and go ex-directory, and in fact over a third of UK citizens concerned about this have already done so, but try searching the BT website for information about going "ex-directory" and you won't find it. Just as Sky won't let you cancel TV package subscriptions without phoning their call centre, BT use the same "round the houses" tactic. Incidentally, Sky happily let you add TV packages via the web and via the TV. Online audio book company Audible uses the same tactic: sign up for a free trial and enter your payment details online to subscribe, but to cancel you have to phone them up, and this from an Internet-based company too.
So, coming back to the subject of the day, I don't think it's right that companies profit from our personal information, but at the same time they are providing a useful tool for identity thieves. An ID thief would be happy to pay £1 to obtain a victim's mobile phone number, while we are all aware of the issues of voicemail hacking by private detectives, which is hitting the
Interestingly, the 118800 website is currently down, perhaps due to complaints and negative media coverage, and they are going to the trouble of clearly describing the mobile directory search as a "Beta". I suspect they are waiting until the heat dies down before re-launching the service. PhonepayPlus (http://www.phonepayplus.org.uk/) regulates premium rate and directory enquiry services. And if this sort of privacy exploitation really annoys you, send a letter to your MP. Remember, complaining worked with the web tracking advertising venture Phorm: such was the public outcry that this week, after a year of evaluating, BT and TalkTalk finally dropped their plans to use Phorm.
The Information Commissioner's Office (ICO), charged with protecting our personal information in this information age, again shows its complete lack of teeth by basically giving this service, and the similar services that will inevitably follow, the green light.
So what can we do?
1. Complain -
Some might say you will be wasting your time complaining to the ICO, but it is still well worth a shot; however, I recommend complaining to PhonepayPlus.
2. Remove your Mobile Number from the 118800 Directory
Now, if everyone did this their service would crumble, but either way it is well worth ensuring the removal of your mobile number from the directory (it really shouldn't have to be this way), and here's how.
When the 118800 website comes back, click on the ex-directory button on the website, or text the letter 'E' to 118800 (which is also currently down) from the mobile phone you want to be made ex-directory. 118800 will send you an SMS message confirming you've been taken off. I have to give some kudos to 118800 for offering this clearly; certainly BT could learn a lesson here.
Sunday, 5 July 2009
Secret Service tells UK Government not to Publicly Disclose Data Breaches
Are you wondering why there haven't been any UK Government Department information breaches making the news headlines in recent months? Have our government departments resolved their poor Information Security Management and poor security cultures? Have other topics such as swine flu and dodgy MP expenses claims kept government data breach headlines out of the press? I would love to think UK Government Departments have cleaned up their Information Security act, as I know serious efforts are being made. However, we can't really be sure government has stemmed its poor information management tide, as I heard another reason which goes some way to explain why the once steady drip of media coverage of government department data breaches has come to a halt.
I don't want to name any names, but I heard a member of a government committee working on the Digital Britain report say that government departments had been advised by a UK security service department to stop publicising data breaches, because it is letting our enemies know our weaknesses. If this is indeed true, I have to say I really don't agree with this sweeping-under-the-carpet approach. For one, the cat is already out of the bag regarding our government's track record on security: tens of millions of records have been lost that we know about, so I think our enemies already know about our weaknesses!
I am a supporter of the public disclosure of data breaches where the public's personal information is involved, to the extent that I would like to see UK laws passed to ensure all organisations, both within the private and the public sectors, disclose any data breaches where citizens' personal information has been actually or potentially compromised. The reason we need such laws is that I feel it is the only real way entire industries and individual organisations will be bothered enough to raise their information security to the required standards, and better secure all our personal information. I believe it should be a fundamental right that we are informed if (more like when) our government, or indeed a private company, loses our personal information, placing us at increased risk of serious cybercrimes like identity theft, which is the UK's fastest growing crime. Only by holding government department heads and business senior directors to account for such breaches will organisations truly recognise the importance of properly securing our personal information, which after all we have entrusted to their care.