
Keeping Safe Online During Covid-19

By | News | No Comments

It may feel as though our lives are on hold right now, but online fraud is as prevalent as ever. Whether it comes through emails, texts or calls, or through those exploiting people trying to buy hand sanitiser or face masks online, you need to be alert. By using the Take Five initiative from the Government (https://takefive-stopfraud.org.uk/) you can stay one step ahead of the fraudsters.

Online fraudsters will try anything and everything to get your personal details, your debit or credit card details, or access to your bank. Let’s look at the ways you may be exploited without knowing it.

Text scams are also known by the cute and cuddly term ‘smishing’. Smishing is fraud: texts claiming to be from the good guys, the reputable companies, when they are not. They ask you to click on a link or call a premium-rate telephone number, a prompt that gives the fraudsters the opportunity to take information or money from you. A good example is a recent text purporting to be from O2, claiming a bill hadn’t been paid. It looked 100% genuine; only by logging in to the account itself did we confirm that it was in fact fraudulent. The text contained a link, and had we entered bank details who knows what would have happened, so keep an eye out and think before clicking the link.

Whether it’s business or personal, email phishing affects everyone. Did you know over 3 billion phishing emails are sent every day? These are like smishing but longer and more elaborate, and if the fraudster has done their homework they will contain personal information or details you can relate to. They are designed to get you to click on a URL contained within that email or download an attached file, which can come in any form, including Word, Excel or PDF. As a business we receive several pertaining to unpaid invoices; some look genuine and appear to come from real companies, others are simply trying their luck. Clicking on links or downloading files can be a sure-fire way to hand fraudsters your details and open the door to being hacked. If it is an email you feel you need to follow up, use known websites or customer service contact details to confirm whether it is genuine.

You are eligible to get a tax refund of £1,234 GBP, click here to access your funds. Look familiar? HMRC scams come in phishing and smishing form, along with phone calls and WhatsApp messages. You may have received an email which looks very real: it has the banner, the official icons, the text looks right and it asks you to click on the link to claim your rebate or tax refund. Don’t. It will take you to what looks like a genuine web page to enter your details, but it isn’t real. Where you were hoping for some extra cash, it will end up costing you. There are currently two known SMS scam texts allegedly from HMRC: one offers a Goodwill payment (‘click here to apply’), and the £250 fine text claims you have left your house more than once during lockdown and provides an 0800 number to call. If you are unsure about any communication you have received from HMRC, visit their website for help (https://www.gov.uk/government/organisations/hm-revenue-customs).

Shopping online. During lockdown online grocery sales have increased by a quarter; it is no surprise that if we can’t go out, we shop online, whether it’s for food, clothes, electronics or face masks. There are millions of websites that want to sell to you, but how do you know if they are safe to shop with? If you are using Chrome, it provides some protection against dodgy websites: a big red warning page appears when you click on a link to a site flagged as ‘this website may contain malware’ or ‘deceptive site ahead’. Also look for the padlock symbol alongside the website’s URL in your browser; you can click on the padlock to see the site’s information, including its SSL certificate, cookies and site settings. Bear in mind that the padlock only tells you the connection is encrypted, not that the business behind the site is honest; scam sites can have valid certificates too. There are more obvious signs such as bad English, spelling mistakes or grammatical errors; try looking for a telephone number, company number or head office address. If they’ve passed those tests, Google the website name and see what comes up. This is usually a good indicator of whether they are worth spending your money with. Always be wary when purchasing medicine online, and always look at reviews, the good, bad and ugly, as many can be fake.

The promise of sun, sea and sangria. It is safe to say the pandemic has disrupted everyday life across the world. Weddings, festivals and holidays were all cancelled and the promise of some summer sun in a foreign country later in the year can be very tempting right now but is it legit? There are many online scams which offer the dream villa for a week or two, the price is unbelievably low and they warn you that this deal won’t be around for long, all you need to do is make the bank transfer and your booking will be secured. This is a scam. They will take your money and seemingly disappear, seeking their next victim. Always use reputable travel companies, those who are ABTA protected and those with a track record. This will ensure you are financially protected and your autumn/winter escape is secured.

How Scam-Savvy are you? Take the Take Five Stop Fraud online quiz https://quiz.takefive-stopfraud.org.uk/

Instagram Accounts Left Open To Hacking


In June 2018, Instagram had amassed one billion monthly active users worldwide with the USA being the largest user group and the UK 8th on the demographics chart with a total of 23 million users.

Facebook purchased Instagram in 2012 and combined they are the two most popular social media networks used worldwide.

What happened?

In July of this year a critical vulnerability was discovered in Instagram’s 2-step authentication password recovery feature, allowing hackers to compromise any Instagram account in only ten minutes without the account holder being aware.

2-step or two factor authentication is an additional layer of security added to websites, including Amazon, Google, Microsoft and Twitter, to mention a few, to make it harder for hackers and fraudsters to access your online accounts. There are various types of two factor authentication however mobile text verification is still the most widely used and it is the type of authentication used by Instagram.

How was the vulnerability identified?

The flaw in Instagram’s recovery system was found by Laxman Muthiyah, a bug bounty hunter.

He investigated the password recovery feature that allows users to regain access to their account after forgetting their password. This involves a user receiving a six-digit passcode to their smartphone for authentication.

He knew that the use of 6 digits meant there could be a total of 1 million possible codes that could be texted to account holders. To be able to access an account, all 1 million codes would need to be tried within the 10 minute window between the code being sent and the code expiring.

Although this seems impossible, it can be done with mass brute-force campaigns using an automated script and a cloud service account.

“In a real attack scenario, the attacker needs 5,000 IP [addresses] to hack an account,” he said. “It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes.”

Log-in attempts from one specific IP address are restricted by Instagram; however, Muthiyah discovered that they didn’t blacklist the IP addresses that had exceeded the number of allowed attempts for a certain time period, which meant he could switch between IP addresses in order to perform a continuous attack.

“I found two things that allowed me to bypass their rate-limiting mechanism: Race hazard and IP rotation,” he said. “Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited. The number of requests we can send is dependent on concurrency of requests and the number of IPs we use. Also, I realized that the code expires in 10 minutes, it makes the attack even harder, therefore we need thousands of IPs to perform the attack.”

He provided the evidence to Facebook, they verified the issue and congratulated him, awarding him with a $30,000 bounty, whilst swiftly resolving the glitch.

“The Facebook security team was convinced after providing the above video of sending 200K valid requests,” Muthiyah said. “They were also quick in addressing and fixing the issue.”
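The two weaknesses Muthiyah names, per-IP limiting that rotation defeats and a counter that concurrent requests can race, are both closed by counting wrong guesses per account under a lock and burning the code once the cap is hit. The following is an added illustration in Python, not Instagram’s code; the in-memory store, the attempt cap and the injectable clock are assumptions made for the example.

```python
import hmac
import secrets
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field

CODE_TTL = 600       # seconds: the 10-minute expiry window described above
MAX_ATTEMPTS = 5     # wrong guesses per issued code, counted per account, not per IP (assumed cap)


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0
    lock: threading.Lock = field(default_factory=threading.Lock)


class RecoveryCodes:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested without waiting
        self._active = {}        # account -> Challenge (in-memory store, assumed)

    def issue(self, account):
        # One live code per account; re-issuing replaces (and so invalidates) the old one.
        code = f"{secrets.randbelow(10**6):06d}"
        self._active[account] = Challenge(code, self._clock())
        return code  # in production this is what gets texted to the user

    def verify(self, account, guess):
        ch = self._active.get(account)
        if ch is None:
            return False
        with ch.lock:  # serialise concurrent guesses so the counter cannot be raced
            if self._clock() - ch.issued_at > CODE_TTL:
                self._active.pop(account, None)  # expired: discard regardless of guess
                return False
            if ch.attempts >= MAX_ATTEMPTS:
                return False
            ch.attempts += 1
            if hmac.compare_digest(ch.code.encode(), guess.encode()):
                self._active.pop(account, None)  # single use
                return True
            if ch.attempts >= MAX_ATTEMPTS:
                self._active.pop(account, None)  # burn the code; user must request a new one
            return False


def concurrent_guesses(rc, account, guesses, workers=16):
    """Submit guesses in parallel, as rotating-IP traffic would arrive, and count successes."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        return sum(ex.map(lambda g: rc.verify(account, g), guesses))
```

Because the cap is tied to the account rather than the caller’s address, adding more IPs buys the attacker nothing, and the lock means parallel requests cannot slip past the counter.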

Are other websites vulnerable to this threat?

There are many different forms of two-factor authentication, such as app-generated codes, physical security keys and email-based systems, but many 2FA schemes still use mobile text verification involving six-digit, one-time passcodes that expire within a few minutes. So how many services are vulnerable to the same kind of attack?

Almost all well-known websites use some form of two-factor authentication, and it is clearly more effective than just a username and password, but 2FA attacks are on the rise and many account recovery systems are susceptible to phishing. With the number of websites using 2FA increasing, it is important these flaws are found and eliminated quickly.

We have to bear in mind when online that although 2FA provides additional security it is not completely watertight.

Last year, an Android Trojan was exposed taking money from PayPal accounts even when 2FA was active. Posing as a battery optimisation tool, the app asked for excessive accessibility permissions, allowing it to observe activity in other apps and wait for someone to open PayPal and log in.

What you can do

Google and Microsoft both have Authenticator Apps you can use for an added layer of security, downloadable from the Microsoft Store and Google Play, however where there is an app or a website, there is always a hacker trying to break the code and access your details. Get tips on how to stay safe online at https://www.getsafeonline.org/

More Hacking Victims Revealed After Another BA Website Hack


Have you used the British Airways website recently?

Debit and credit card details may have been stolen from over 185,000 customers after the British Airways website was hacked yet again.

It is estimated 77,000 had their name, address, email address and detailed payment information taken and 108,000 people lost personal details.

This comes after a previous breach of its website earlier this year affecting 380,000 transactions, where passenger names and home addresses were compromised, as well as financial information, including debit and credit card numbers, expiry dates and CVV codes. In this instance, malicious code designed to ‘skim’ financial data was injected into the British Airways website without being detected.

All websites are based on code, which determines the functionality along with the overall design, but malicious code can be injected into it. It is common for websites to embed multiple pieces of code from other sources or third-party suppliers, and hackers can exploit that dependency: compromising or replacing one of those third-party scripts puts their code on every page that loads it.

Both attacks were carried out by the same perpetrators.

British Airways will be contacting the customers affected by this to inform them if their details have been stolen.

Unfortunately British Airways are not the only company to experience this type of cyber attack and they are on the rise.

Once cyber criminals have personal data it can be used to access bank and credit card accounts to make fraudulent purchases. Stolen data may also be sold using the Dark Web.

Some security experts suggest that it’s likely the data stolen by the British Airways hackers is already available for sale on the dark web.

There will be an investigation by the UK’s National Crime Agency and the Information Commissioner’s Office.

You can check if your personal data has been compromised by data breaches by using https://haveibeenpwned.com/

First Ever Apple Computer Reaches $375,000 At Auction


Designed and hand built by Steve Wozniak, the co-founder of Apple in 1976, the Apple 1 was a bare circuit board provided without power supply, monitor or keyboard. It could be used for playing games, running the BASIC operating system or developing programs.

As a Hewlett-Packard employee, Wozniak originally offered HP the rights to the Apple 1. It declined.

To fund the project Wozniak sold his HP-65 calculator for $500 (£318), while Jobs sold his VW Microbus. 200 units were created in total and 175 sold.

It went on sale in 1976 for $666.66 (around £545) and it was the world’s first low-cost, assembled computer.

With the release of the Apple 2, Jobs and Wozniak wanted to reclaim some of the original boards used in the Apple 1, so they offered trade-in discounts against the new model. The boards which were reclaimed were then destroyed explaining why this product is so rare.

There are approximately 60 Apple 1 computers remaining, with only eight working examples. The Apple Registry has a list of them all.

The auction took place in Boston, Massachusetts, on Tuesday, and the final bid was won by an anonymous businessman who placed his bid online.

The highest price ever paid for an Apple 1 was $905,000 (£575,900) by the Henry Ford museum complex in October 2014.

In May 2015 a box of electronic goods was dropped off at a tech recycling business in Silicon Valley. This box contained a 1976 Apple 1 which was subsequently sold at auction for $200,000. Before chucking out or recycling computers, laptops, mobile phones, software or hardware it’s worth doing a quick Google check to see if they are an older, rarer technology which may fetch you a pound or two.