Tech News : Conservative Party Gets £10,000 Data Protection Fine

The ICO has fined the Conservative Party £10,000 for sending unlawful marketing emails to people who did not want to receive them.

Breach

The ICO has decided that after an investigation into emails sent from the Conservative Party, in the name of Rt Hon Boris Johnson MP, during the eight days in July 2019 after he was elected Prime Minister, the Conservative Party breached the Privacy and Electronic Communications Regulations (PECR) of 2003.

Unsolicited Emails

The breach of PECR occurred because, as the ICO concluded, the Conservative Party did not have the necessary valid consent in cases where marketing emails were received by complainants. Although 51 emails were found to be conclusively in breach of the regulations, the Conservative Party sent out 1,190,280 marketing emails between 24 July and 31 July 2019, and the ICO accepts it is likely that some of those emails would have been validly sent, but that it is not possible to identify what that proportion is. This is because, as stated by the ICO, “the Conservative Party failed to retain clear records of the basis upon which people had consented to receive marketing emails, as required by law.”

More Marketing Emails Sent During The Investigation

The ICO expressed concern that while the investigation into the initial breach was underway, and before the Conservative Party had addressed the original compliance issues, it “engaged in an industrial-scale marketing email exercise during the December 2019 General Election campaign, sending nearly 23 million emails” which “generated a further 95 complaints”.

Stephen Eckersley, ICO Director of Investigations, said “It’s really concerning that such large-scale processing occurred during the ICO’s ongoing investigation and before the Conservative Party had taken all the steps necessary to ensure that its processing, and database of people who would receive emails, was fully compliant with the data protection and electronic marketing regulations”.

The Fine

There has been criticism from some online commentators that the £10,000 fine may not be enough, when considering that according to newspaper reports, one luxury hamper of organic food delivered to 10 Downing Street recently cost £27,000.

What Does This Mean For Your Business?

It is disappointing and concerning that such a big political party (the party now in government) either did not check, did not know about, or failed to comply with well-publicised data protection laws. For those at the heart of UK law-making, this does not reflect well.

For businesses, this story is a reminder that there are clear laws pertaining to direct marketing (i.e. any communication of advertising or marketing material directed at particular individuals). It is a reminder that consent is vital, and it is important to keep clear records of the basis upon which people consent.  Ignoring the regulations can result in a hefty fine and could prove very damaging to the reputation of a business.

Tech Insight – What Is A VPN?

In this article, we take a brief look at what a VPN is, how it works, its advantages, plus its disadvantages.

What Is A VPN?

A Virtual Private Network (VPN) is a service that allows you to create a secure connection to another network over the Internet, thereby creating a secure, protected, encrypted ‘tunnel’. A VPN is a private, secure, way to send and receive data across shared or public networks as if your computing devices are directly connected to the private network.

How Does a VPN Work?

A VPN works by routing your device’s internet connection through your VPN provider’s private server rather than your internet service provider (ISP). This creates an encrypted virtual tunnel. Also, the fact that your traffic is exiting the VPN provider’s server means that your true IP address is hidden, thereby hiding your identity and location.

Why Use A VPN?

There are many reasons why people use VPNs including:

– A general wish to keep data secure, keep online activity private, and feel safer.

– Protection from the risks of using public Wi-Fi networks (e.g. while out and about).

– Maintaining security when working remotely/from home (as many have done during the pandemic).

– As a good way to protect all devices in one go (for example, most paid-for VPNs provide multiple simultaneous connections).

– To escape bandwidth throttling.

– For those living in countries where there are repressive regimes, VPNs can help users stay in touch with the outside without being detected. However, VPNs and proxies have been banned in Russia for several years now, and China has regulated Virtual Private Networks (VPNs) through the country’s Ministry of Industry and Information Technology, and required developers to seek a license from the government before creating VPNs. 

Choosing a VPN

Things to consider when choosing a VPN service include:

– A service with no logging (no keeping of logs) can provide greater privacy.

– Find out where the VPN operator is geographically based. For example, a VPN company in some countries may be subject to control and interference (enabling logging and adding tracking) by the state. Many VPN services, for example, are based in China.

– Google the VPN service to see if there has been any history of incidents and problems with the service.

– Read reviews about different VPN services (however, you should appreciate that some may be unreliable, paid-for reviews).

– Make sure that the VPN service you choose has enough ‘exit nodes’ in the location you want to connect from in order to get better speed and service.

– Check whether the service disallows certain protocols e.g., P2P traffic, thereby potentially negatively affecting the service levels at certain times.

Advantages

Some advantages of VPNs include:

– Getting around geo-locking of content.  For example, a VPN can make a user look like they are in a region where content is available, thereby giving the user access to their favourite content wherever they are.

– VPNs provide safety, security, and anonymity e.g., they hide details such as location.

– VPNs are a good way to provide a secure connection for remote workers.

– Convenience. Having a VPN that can easily be switched on (e.g., while using a device in a public place such as a café) offers a very convenient mobile security and privacy solution.

– If shopping online, using a VPN can help save money by getting around different prices for services based on region.

– VPNs can represent a very cost-effective security measure when compared to the costs of some security software (licensing fees) and firewalls. 

Disadvantages

Some of the disadvantages of VPNs include:

– Since a VPN is a virtual connection inside a physical network, slow connection speeds can sometimes be the result. VPN service providers are, however, working on ways to minimise this problem.

– VPN blockers can be used by companies looking to charge users based on their geographic location.

– Setting up some VPNs can be complicated, and poor configuration from poor setup could lead to information leaks.

– Dropped connections can be a problem with VPNs. This can mean that a user’s true network information is displayed and can also lead to problems with a user’s ISP if sites have been visited that violate the ISP’s terms of service.

– VPNs may make activities that require bandwidth (e.g. gaming) more challenging; however, a VPN can easily be enabled and disabled.

Popular VPNs

Popular VPN services promoted in the UK include ExpressVPN, NordVPN, Surfshark, IPVanish, CyberGhost, Hotspot Shield, ProtonVPN, and Private Internet Access.

What Does This Mean For Your Business?

A VPN is a convenient and effective security and privacy tool that has become particularly relevant for remote workers over the last year. Choosing a trusted, paid-for VPN solution with a good reputation is advisable for maximum peace of mind and VPNs offer benefits beyond just security (e.g. getting around geo-locking of content). It should always be remembered, however, that a VPN is one of many different tools and tactics that businesses can use as part of a much broader business and cyber security strategy.

Featured Article : How Secure Is Your Software/Digital Supply Chain?

It is easy to think that cyber-attacks are likely to come from outsiders unconnected to the business, but how much do you know about the security of your digital supply chain?

Software Supply Chain Risks

Businesses use many different third-party software tools as part of their day-to-day transactions and for organisations in the public sector, for example, the software, systems, and networks used may be closely tied to main suppliers with bespoke software solutions. Software supply chains are part of the wider information and communications technology (ICT) supply chain framework of an organisation which, in itself, is a network of retailers, distributors, and suppliers, all of whom are links in a chain of sale, delivery and production of software and managed services (and hardware), all of which are at risk.  As highlighted in a recent NIST (US) white paper, software is at risk of malicious or inadvertent introduction of vulnerabilities at each of the design, development and production, distribution, acquisition and deployment, maintenance, and disposal phases of the ICT Supply Chain Lifecycle.  Privileged access (such as accepting third-party software defaults without investigating further), allowing additional accessibility vectors, and third-party software that requires frequent communication with the vendor to update it can represent real threats to business/organisational security.

As defences have improved against the more common areas that are known to be susceptible to cyber-attacks (and therefore have become well-defended by organisations), cyber-criminals have turned their attention to more vulnerable areas with easier access – the software supply chain.  This is a difficult area for businesses to monitor and defend against as much of it appears to be based mostly on the trust of vendors and the more third-party software a business uses (from different sources) and the more links in the chain there are, the more risks there are.

How?

An example of how a supply chain could be exploited is that of hackers writing malicious code or introducing a malicious component into a company’s trusted software (or hardware), which in turn can enable them to hijack a whole system and turn any updates that the company sends out into trojan horses (malware).  This, in turn, can allow the criminals to have complete control over a supplier’s customer networks, which could ultimately affect thousands of victims.

Survey

Some of the challenges that companies face in tackling the issue are highlighted in a BlueVoyant survey from 2020 which showed that 80 percent of Chief Information Officers and Information Security Officers (CIOs and CISOs) said they had experienced a breach originating with a third-party vendor in the past year.  Also, the survey revealed that four out of five organisations had experienced a cyber-security breach precipitated by a third-party vendor, almost one-third of security professionals (29%) said they had no way of knowing if a cyber risk emerged in a third-party vendor, fewer than a quarter (22.5%) said they actively monitor their entire supply chain, and almost one third (32%) said they only typically reassess and report a vendor’s cybersecurity risk position twice a year or less frequently.

Examples

High profile examples of supply chain attacks include:

– SolarWinds. In 2020, US-based IT management company SolarWinds Corp was infiltrated by a foreign threat actor who compromised the company’s build servers and used its update process to infiltrate customer networks. The attacker added malicious code into the company’s software system. This led to SolarWinds unwittingly sending out software updates to its customers that included hacked code. This was one of the biggest and most sophisticated hacks ever, thought to have compromised up to 18,000 SolarWinds customers that used the company’s Orion network monitoring software.

– In 2017, there were suspicions that in the US, Kaspersky antivirus was being used by a foreign intelligence service for spying.  This led to U.S. government customers having to remove Kaspersky’s products from networks and them being disallowed from acquiring future products from that vendor.

– Also in 2017, the NotPetya (ransomware) attack saw a malicious data encryption tool inserted into a legitimate piece of software that was used by most of Ukraine’s financial and government institutions. This resulted in the malware spreading via trusted networks, rather than over the internet, thereby bypassing the processes put in place to prevent ransomware attacks.

Reducing The Risk of Software Supply Chain Attacks

Although the situation is a challenging one for many businesses and organisations, there are measures that can be taken to reduce the risk of attacks, breaches and other security and network issues caused via the software supply chain.  These include:

– Implementing a formal risk management program to assess all third-party suppliers against a set of criteria relating to whether third parties really need to access an organisation’s data or systems, and how business-critical they are to organisational processes. This can help CISOs and CIOs to identify and prioritise suppliers who pose the highest risk and need the most scrutiny and controls.

– Putting a patching policy and regime in place that ensures software updates are implemented as soon as possible to prevent criminals from exploiting old loopholes.  This could also involve testing (in a controlled environment) any updates related to security before rolling them out across the company network.

– Adopting a zero-trust approach and architecture means that rather than simply granting unrestricted access based on trust, verification is always required, thereby stopping the fast escalation of problems caused by a supply chain attack.

– Using more holistic, forward-thinking, and data-driven strategies can help businesses/organisations to be better informed about security readiness of any vendor partners.

– Sticking to proven security strategies such as investing in security programs, conducting regular risk assessments, and prioritising issues highlighted by the assessments, devising a plan, hiring the right staff, and using trusted, evidence-based tools can all help to mitigate the risks.

What Does This Mean For Your Business?

Previous high-profile attacks such as SolarWinds have highlighted the interconnected vulnerabilities of business software/digital supply chains. Businesses face the challenges of first getting an overall view of where the potential risks/threats could come from (an audit and regular risk assessments) and of implementing an approach (e.g. zero trust), tools and procedures that mitigate those risks in a cost-effective and operationally friendly way. Interference by criminals that can lead to successful supply chain attacks has been shown to occur at any point from the development of software, through distribution, right through to disposal. This means that all businesses and organisations, in both the private and public sectors, need to take a close interest in the security profile of their suppliers as well as their own organisations.

Tech News : Suspected Cannabis Farm Turns Out To Be A Bitcoin Mining Farm

Police in Sandwell in the West Midlands recently discovered a warehouse that had been converted to an operation to illegally supply large quantities of electricity for Bitcoin mining.

Same Heat & Electricity Profile as a Cannabis Farm

The warehouse was raided by police after the heat generated, which had been spotted by the heat camera on a police drone, and the excessive electricity consumption appeared to show all the hallmarks of a cannabis farm.

The find, the second of its kind in the area, showed that criminals have adapted an existing money-generating model to tap into a technological rather than a biological fast money-making scheme that essentially cuts out the middlemen and delivers direct profit with fewer risks.

Illegal Electricity Supply

The criminals were found to have made an illegal connection to the electricity supply from Western Power in order to power the 100 computer units that were discovered in the warehouse.

Bitcoin Mining

Bitcoin “mining” uses specialised Bitcoin computers that are constantly powered on and connected to the cryptocurrency network to verify transactions (sending and receiving of the Bitcoin cryptocurrency).  This verification is achieved by the computers solving puzzles to prevent fraud and to win small amounts of Bitcoin. The whole process is extremely energy hungry. In fact, researchers from Cambridge recently highlighted how Bitcoin mining consumes 21.36 terawatt-hours (TWh) a year, meaning that if Bitcoin were a country, its energy (electricity) consumption would be ranked above Argentina and the energy could power all the kettles in the UK for 27 years.

Three People Suspected

Three people, who were described by a witness (on the Birmingham Live website) as looking “a bit nerdy and dodgy” had apparently been noticed visiting the warehouse unit at the Great Bridge Industrial Estate, Tipton, at odd hours over the past 8 months.  The warehouse unit was reported to have suspicious-looking wiring and ventilation ducts visible from the outside.

Bitcoin Mining Not Illegal

Although Bitcoin mining is not illegal, the way the criminals obtained the electricity for the operation, which was estimated to have used thousands of pounds’ worth of power, does appear to have been illegal.  Also, damage to the unit through its conversion to a crypto-mining farm is yet to be assessed.

What Does This Mean For Your Business?

Criminals, particularly in the tech world, are always looking for scams and schemes that deliver maximum profit for minimum ongoing effort, whilst maintaining their anonymity and keeping their distance (often the other side of the world) from their crimes. This scheme shows how criminals have tried to be smart (in the technical sense) by using an existing idea (taking over a building and an electricity supply) to make a fast profit without middlemen from a currency that would be very difficult to trace back to them through the online technical route. Their mistake, however, appeared to be that they failed to take account of elements in the real world (i.e. the heat generated that could be spotted by police surveillance). Also, although they are likely to have made money by keeping their distance online, the wiring, setting up and monitoring of the warehouse meant that they had to remain physically too close to their crime, which in this case is the theft of electricity.

This story illustrates how tech-based criminals are finding ever-more creative and sophisticated ways to exploit opportunities and make money, and businesses should, therefore, focus on making their cyber-defences as robust as possible using tried and tested methods to stop any basic breaches, however creative the methodology.

Tech News : Guarding Against The Rise In Router and VoIP Attacks

After a recent high profile media story highlighted how poor router security led to a police raid of the home of an innocent family, we take a look at how Wi-Fi piggybacking attacks against home and domestic targets, and VoIP hacking of businesses worldwide are growing threats.

What Happened?

It has been reported that in January this year during the lockdown, the family home of a couple and their two young children was unexpectedly raided by police. The shocked and frightened family could only look on as their desktop computer, two laptops (and a borrowed laptop), current (in-use) mobile phones and old mobile phones retrieved from drawers around the house were taken away by officers. The family found themselves with just a landline for communications, and under suspicion for a crime which, as it later transpired, they did not commit, and knew nothing about.

Work Laptop

To make matters worse, the father of the family was forced to tell his boss that the police required the decryption key to unlock his work laptop, thereby making him fear for his job.

Wi-Fi Accessed Due To Poor Router Security

When the devices, which the family were told had been taken for ‘evidence’, were finally returned two months later, it became clear that a mistake had been made because the family’s Wi-Fi connection had been used without their knowledge, and by an unknown party to upload illegal images to a chat site. 

The evidence given to the police by the National Crime Agency, which led to the raid, had suggested that the illegal uploading had come from the family’s IP address. In reality, the family had simply fallen victim to criminals piggybacking on their insecure wireless connection. The weakness that had allowed the attack is believed to have been a weak/poor default password on their old router.

Router Danger

A recent Which? investigation looked at the security aspects of 13 models of (commonly used) old routers from companies such as Virgin, Sky, TalkTalk, EE, and Vodafone. It was discovered that 6 million users may have router models that have not been updated since 2018 at the latest, with some not being updated since as far back as 2016! The investigation discovered issues with more than half of all routers (of those surveyed).  This suggests that as many as 7.5 million users could have routers with security risks.

The main vulnerabilities threatening the security of business and home-user routers, which are often the same thing now with remote working, include weak default passwords that can be easily guessed by hackers, meaning that the router could be accessed remotely, from anywhere in the world. Local network vulnerabilities can also allow a cybercriminal to take control of a user’s device, see what a person is browsing, or even direct a user to malicious websites. A lack of recent updates to the firmware of a router could also negatively affect a device’s performance, thereby affecting productivity, and leave outstanding security issues.

VoIP Systems Hacks on the Increase

Recent ‘Check Point’ research has also shown that there has been a big rise in cyber-fraud operations targeting VoIP phone systems worldwide. For example, a Gaza-based hacking group was found to be responsible for targeting servers used by more than 1,200 organisations based across over 60 countries, with half of those targets being in the UK! What’s more, hackers worldwide are creating their own social media groups to share tips and know-how relating to VoIP phone system hacking and to organise and co-ordinate future attacks.

What To Do

Businesses can guard against router security threats by taking measures such as changing the username and password(s), ensuring that the router’s firmware is up to date, changing the network name/SSID, stopping the Wi-Fi network name/SSID from being broadcast, enabling the router’s firewall, or simply opting for a router upgrade / a new, more secure router.

To guard against the threat of VoIP phone system hacks, businesses need to make sure that their security patch installation management systems and procedures are up to date, call billings are regularly analysed, there is a clear and robust password policy in place, and that an intrusion prevention system is implemented.
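One way to carry out the regular call-billing analysis mentioned above, as an added example that is not part of the original article: it scans call detail records for bursts of out-of-hours calls to international or premium-rate numbers from a single extension. The CSV layout, the UK dial-plan prefixes (`00`, `09`), the business hours, the thresholds and the sample records are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call detail records (CDRs); numbers and costs are fictional.
SAMPLE_CDR = """\
start,extension,dialled,seconds,cost_gbp
2021-05-24 10:02:11,201,01214960123,312,0.18
2021-05-24 14:40:03,204,0033155501234,640,1.92
2021-05-25 02:11:40,207,0098765550101,1795,14.36
2021-05-25 02:12:05,207,0098765550102,1801,14.41
2021-05-25 02:13:31,207,0098765550103,1788,14.30
2021-05-25 02:41:17,207,09098790144,1790,53.70
2021-05-25 03:05:09,207,0098765550104,1802,14.42
2021-05-25 09:15:44,202,02079460999,95,0.06
2021-05-25 22:30:00,203,0014155550100,120,0.40
"""

# Assumptions for a UK dial plan: 00 = international access, 09 = premium rate.
RISKY_PREFIXES = ("00", "09")
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59, Monday to Friday (assumed)


def load_calls(text):
    """Parse CDR CSV text into a list of dicts with typed fields."""
    calls = []
    for row in csv.DictReader(io.StringIO(text)):
        calls.append({
            "start": datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S"),
            "extension": row["extension"],
            "dialled": row["dialled"],
            "seconds": int(row["seconds"]),
            "cost": float(row["cost_gbp"]),
        })
    return calls


def out_of_hours(moment):
    """True at weekends or outside the assumed business hours."""
    return moment.weekday() >= 5 or moment.hour not in BUSINESS_HOURS


def is_risky(call):
    """Out-of-hours call to an international or premium-rate destination."""
    return call["dialled"].startswith(RISKY_PREFIXES) and out_of_hours(call["start"])


def suspicious_extensions(cdr_text, window=timedelta(hours=1), min_calls=3):
    """Return extensions with at least min_calls risky calls inside one window."""
    by_ext = defaultdict(list)
    for call in load_calls(cdr_text):
        if is_risky(call):
            by_ext[call["extension"]].append(call)

    alerts = {}
    for ext, calls in by_ext.items():
        calls.sort(key=lambda c: c["start"])
        left = 0
        worst = 0
        # Sliding window over start times: count calls within `window` of each other.
        for right, call in enumerate(calls):
            while call["start"] - calls[left]["start"] > window:
                left += 1
            worst = max(worst, right - left + 1)
        if worst >= min_calls:
            alerts[ext] = {
                "calls_in_worst_window": worst,
                "risky_calls": len(calls),
                "cost_gbp": round(sum(c["cost"] for c in calls), 2),
            }
    return alerts


if __name__ == "__main__":
    for ext, detail in suspicious_extensions(SAMPLE_CDR).items():
        print(f"extension {ext}: {detail}")
```

In the sample, the daytime international call from extension 204 and the single late call from extension 203 stay below the alert threshold, so only the overnight burst is reported.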

Featured Article : Safely Moving Your Tech Hardware

With many of us now owning tech items such as laptops, desktops, and printers, we look at the best ways to prepare tech hardware for a safe journey to a new home.

Tech Owners

An Aviva survey from 2020 showed that the average UK home now has 10.3 internet-enabled devices (286 million in UK homes) and that having children in the home increases the average number of devices.  For example, a UK home with 3 children can now typically host 15.4 internet-enabled items.

Add to these statistics the fact that the number of people working from home in the UK almost doubled during the pandemic (ONS figures) to 25.9%, and it’s clear that our tech devices, such as laptops and PCs, have a value and importance well beyond their physical price tag as work tools, vital communications and home research tools, and entertainment gateways.

When it comes to moving home, therefore, it is especially important to ensure that these items are protected and that they can quickly resume their function safely at their new destination.

Preparation of Tech For The Removals Journey

Good preparation begins with good IT practice and extends to preparing for any possible risks to your tech items. Key preparation activities should be:

– Backing Up. Having a reliable, secure, cloud-based backup service for your work and vital data should be standard work practice anyway to preserve business continuity and to preserve valuable memories (photos and videos). Before moving, however, backing up PCs and laptops can ensure that in the event of any physical damage to an item, your data has been saved.

– Connection. Making sure in advance, where possible, that where you’re moving to has enough sockets, phone points, and a likely decent broadband provision (check with your provider if in doubt) can enable a fast tech setup at the other end.

– Security. Make sure that prior to removal, devices have password protection in place so that only you can access them, and that any sensitive data is not stored on the device itself (which should be part of normal backup procedures).

– Careful disassembly. It is easier for your removals company, and safer (for the device) to ensure that everything has been disassembled in an organised way (e.g. peripherals, leads, power adapters, your router, monitors, and computers). Arranging the items so that each device and its cables and adapters go in the same box can speed up re-assembly at the other end.

Packing Tech Devices For Removals

Tech devices and peripherals are high value and contain small components that can be easily damaged by knocks and bumps.  Also, some devices are rarely disassembled after their original assembly in the home, so users can be unfamiliar with which lead goes where, and belongs to which device.  With these concerns in mind, when preparing for your home removals:

– Ensure that you have boxes, bubble wrap, packing paper, tape, and enough soft materials to pack them with similar protection to when they were first shipped.

– Record what goes where. Taking a photo on your phone of where cables are plugged in, and/or using labelling (round cables) or colour-coded tape can help you to re-assemble your tech hardware quickly at its new home.

– Take portable storage devices with you.  If you still use storage devices such as USBs, or even external hard drives, you may decide that it’s better and safer to take these with you (e.g. in a bag/box in your car) so that you can minimise the chance of losing them or forgetting which box you put them in.  Cloud back-up storage can be a much safer way of keeping your personal data safe.

– Label your boxes.  Clearly labelling your tech device boxes will help you to quickly find and re-assemble them at the other end.

– Trust your removals company. Your removals company has experience in safely transporting tech devices and high-value, delicate home and office hardware. Their fully trained, trustworthy staff are able to assess your situation from the quote to the move itself. Your removals company should also be able to give advice wherever it’s needed.

Tech News : Get Notified By Google If Your Passwords Are Compromised

As part of Google’s latest security updates to Chrome and Android, users will not only be alerted if any of the passwords in their Password manager are compromised but will also be given the opportunity to make a quick fix.

Quick Fix – Change Password

In the ongoing competitive battle between Google’s Chrome browser (and its Android OS) and Apple’s equivalent, Google has released new security updates. Part of the updates to the Password Manager that’s built-in to Chrome and Android is the new quick-fix feature which will enable the Google Assistant to navigate to the compromised accounts and change passwords within seconds. 

Benefits

Firstly, the fact that users are alerted when a password has been compromised is valuable because if users are made aware of a problem, they can quickly take action before more damage is done, rather than simply finding out after the event (e.g. stolen data or money) and/or the password being used by other attackers after being passed on/sold on.

Secondly, having a fast-track route to a quick fix through being offered a one-click ‘Change Password’ button means that users can minimise the amount of time that they are exposed to risk, and can quickly and conveniently change a password without having to go back to the site where it has been compromised, click on the forgot password/change password link, and go through a longer process that way.

Setting Up The Feature

The feature, which is powered by Google’s AI technology (since 2018) ‘Duplex’, is available to users who have turned “Safe Browsing” on and who are signed-in and syncing to Chrome.

On Android, for example, to receive alerts if any passwords have been compromised (e.g. in a data leak on a third-party website or app) navigating to the ‘Settings’ in Chrome and selecting ‘Privacy and security’ > ‘Safe browsing’ and tapping on ‘Standard protection’ gives users the option to switch “Warn you if passwords are exposed in a data breach” to on or off.

Users can also choose to check saved passwords themselves to see if any have been exposed in a data breach. Again, this can be done via ‘Settings’ in the Chrome app, by tapping ‘Passwords’ > ‘Check Passwords’.

What Does This Mean For Your Business?

This is one of several new security features announced in answer to Apple’s recent iOS 14.5.1, and macOS 11.3.1 security updates, and specifically, is an answer to Apple introducing compromised password alerts with iOS 14. Clearly, being alerted and being able to check password compromises, and being able to change a password quickly and easily is likely to be very beneficial to users.  Google also recently announced that it will soon be automatically enrolling its users in Two-Step Verification ‘2SV’ to improve the security of its services, but the future of authentication and verification is most likely to be ‘passwordless’ and based on biometrics. For example, last year, Google announced that users could verify their identity by using their fingerprint or screen lock instead of a password when visiting certain Google services (e.g. Pixel devices and all Android 7+ devices) due to Google’s collaboration with many other organisations within the FIDO Alliance and the W3C that led to the development of the FIDO2 standards, W3C WebAuthn and FIDO CTAP that allows fingerprint verification.  Both Apple and Google may, therefore, be highlighting features based around more traditional security ideas now, but the direction of travel is away from passwords altogether.

Featured Article – The Issue of Push Payment Fraud Reimbursement

With Barclays Bank recently publishing the figures of refunds it made to customers who fell victim to authorised push payment (APP) fraud, there have been calls for greater transparency and reform to the current (voluntary) reimbursement code.

Authorised Push Payment (APP) Fraud

APP refers to situations where consumers have used a bank transfer to pay for goods or services that are fake/don’t exist and the money is stolen by fraudsters.

The Contingent Reimbursement Model (CRM)

Where money has been stolen in this way by fraudsters, banks can choose to use a voluntary code, introduced in May 2019, called the Contingent Reimbursement Model (CRM).  This code sets out how and by whom consumers who have suffered APP fraud losses are re-imbursed.  Banks that sign up to the code are often the ones to re-imburse victims where the conditions of the code are met.

Issues

There are, however, several issues relating to this code and the reimbursement to APP fraud victims that organisations such as consumer champion ‘Which?’ have been pushing to change.  For example:

– An apparent gap in fraud protection and redress for fraud via authorised push payments compared to other forms of payment such as debit and credit cards.

– A lack of transparency by banks and building societies about their reimbursement rates relating to APP fraud. There has been criticism that figures are not being published and/or are not being published on a regular basis.

– A feeling among banks (as outlined recently in a blog post by Starling) that other organisations used by criminals as part of their frauds (e.g. social media companies and telecoms networks) should be taking some responsibility and co-operating with banks to prevent fraud.  For example, social media may be used to advertise the fraud and also to find those who are willing to launder money (money mules) and to buy stolen identity and card data.

The Reality

One way to get a realistic view of what is happening as regards the behaviour towards consumers who are victims of fraud could be to look at the figures by the Lending Standards Board which oversees the CRM code. Their figures show that in the first year of the code’s introduction, banks ruled that 77 per cent of fraud victims were partially or fully to blame for their losses and that customers were fully at fault in 60 per cent of cases.

Which? Wades In

Consumer champion ‘Which?’ has also published concerns online about how banks and building societies have been behaving as regards reimbursement (or not) and has published its view of the issues that it hopes will “help inform the Lending Standards Board’s one-year review of the CRM Code”. According to ‘Which?’ these issues are:

– An over-reliance (by the banks) on victims having ignored warnings.

– Unreasonable expectations of how victims should have verified who they were paying.

– A failure to properly assess vulnerability.

– Poor communications (by banks) with victims.

‘Which?’ has called for urgent action to ensure that businesses adhere to the Code (CRM) and has called upon all those organisations signing up to the Code to test warnings to see if they are ‘effective’, make judgements based on what is reasonable on evidence of actual customer behaviour and to train staff in how to identify customers who could be vulnerable to APP fraud. Which? has also called for code signatories to properly explain specific reasons for reimbursement decisions to victims and has called on the Payment Systems Regulator to look at whether or not the voluntary industry code is effective in its current form.

Barclays The First To Publish Details

Barclays Bank recently became the first CRM code signatory to publish its APP fraud reimbursement rates online. According to Barclays, 74 per cent of its customers who suffered APP fraud losses in the first two months of 2021 have now been repaid. This appears to be a reversal of the trend identified by the Lending Standards Board.

Looking Ahead

We all make decisions about what offers seem legitimate to us and who/what to pay money to. However, not every web user is as experienced or informed with regard to cybercrime, and many web users could also, for many reasons, be described as more vulnerable to fraud. Fraudsters are also becoming more sophisticated and creative in their methods, which could, arguably, make more consumers more vulnerable to APP fraud.

The banks and building societies have argued, perhaps with some legitimacy, that some responsibility for preventing push payment fraud may lie with other organisations in the chain (e.g. social media companies). However, it appears that, based on Lending Standards Board figures, the apparent lack of transparency in banks and building societies publishing figures about how many customers have been reimbursed for their APP losses may be due to the fact that most consumers have not been reimbursed and often appear to be blamed for falling victim to fraud.

Looking ahead, it may be necessary, as suggested by ‘Which?’ and recommended by the Finance and the Treasury Select Committee, for the current voluntary CRM code to become mandatory with the hope that regulatory oversight could bring better reimbursement outcomes for consumers and greater transparency from banks and building societies. It may also be helpful for more of a collaborative approach to be taken among all links in the chain used by fraudsters to tackle the problem.

Tech Insight – What Are Firewalls?

In this article, we take a brief look at what a firewall is, what types there are, and the benefits and drawbacks of firewalls.

Firewall

A firewall is a network security system that can monitor and control incoming and outgoing network traffic based on predetermined security rules.  Based on these rules, it decides whether to allow or block specific traffic and as such, provides a valuable, controllable security barrier between inside network devices and potential threats from outside (the Internet).

Hardware firewalls protect the machines on a network and software firewalls protect the individual machines that they are installed upon.

How Do Firewalls Work and What Types Are There?

Firewalls use their set of configurable rules to decide which traffic is allowed through and which traffic must be blocked. The firewall is generally able to do this by scanning packets of data (e.g. for known malicious code or attack vectors which are regarded as threats according to the rules). The main ways in which firewalls work include:

– Packet filtering.  This involves using certain identified threats as filters for incoming data. The small ‘packets’ (from packet switching) that make up data being sent digitally across the Internet are scanned and are either allowed to enter the network or are blocked depending on whether they are within or outside of the configured firewall rules.

– Proxy service/proxy server firewalls. These firewalls are intermediary (application level) servers that separate end-user clients from the destinations that they browse. They create a mirror version of the computer behind the firewall but prevent direct connections between the customer device and incoming data packets. As well as being used as firewalls, proxy servers also work as web filters, provide shared network connections, and cache data to speed up common requests. Proxy service firewalls are very secure.

– Stateful inspection/dynamic packet filtering. Often found on non-commercial and business networks, a stateful firewall (using stateful inspection) works by individually tracking sessions of network connections traversing it (i.e. it monitors the full ‘state’ of active network connections). This method of firewall filtering therefore relies upon looking at the whole context of the traffic and data packets trying to access the network, rather than just looking at discrete traffic and data packets in isolation.
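To make the difference between packet filtering and stateful inspection concrete, the following added example (not from the original article) runs the same four constructed packets through a stateless filter and a session-tracking firewall. The rule set, port list and addresses are assumptions chosen for illustration.

```python
from collections import namedtuple

# One TCP packet as seen at the network edge; outbound=True means it is leaving the LAN.
Packet = namedtuple("Packet", "src sport dst dport flags outbound")

WEB_PORTS = (80, 443)  # assumed policy: inside hosts may browse the web

def stateless_filter(pkt):
    """Packet filtering: each packet is judged in isolation against fixed rules."""
    if pkt.outbound:
        return pkt.dport in WEB_PORTS
    # Inbound 'replies' are recognised only by how the packet looks.
    return "ACK" in pkt.flags and pkt.sport in WEB_PORTS

class StatefulFirewall:
    """Stateful inspection: inbound packets must belong to a tracked session."""
    def __init__(self):
        self.sessions = set()

    def check(self, pkt):
        if pkt.outbound:
            if pkt.dport not in WEB_PORTS:
                return False
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Reverse the tuple: an inbound reply's source is the session's destination.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return False
        if "RST" in pkt.flags or "FIN" in pkt.flags:
            self.sessions.discard(key)  # simplified teardown
        return True

# Constructed sample traffic (private and documentation address ranges).
TRAFFIC = [
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, {"SYN"}, True),
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, {"SYN", "ACK"}, False),
    Packet("198.51.100.7", 443, "10.0.0.5", 50001, {"ACK"}, False),  # no session
    Packet("198.51.100.7", 40000, "10.0.0.5", 22, {"SYN"}, False),
]

def compare(traffic=TRAFFIC):
    """Return (stateless_verdict, stateful_verdict) per packet; True = allowed."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.check(p)) for p in traffic]

if __name__ == "__main__":
    for pkt, verdicts in zip(TRAFFIC, compare()):
        print(pkt.src, "->", pkt.dst, pkt.dport, sorted(pkt.flags), verdicts)
```

The third packet is the one to watch: it looks like a web reply, so the stateless rule admits it, while the stateful firewall drops it because no inside host ever opened that session.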

Benefits and Disadvantages

The benefits of having firewalls in place include:

– Protecting business continuity and protecting the business from threats that could cause damage, disruption, and lead to fines (data protection), loss of customers, reputational damage and more. For example, firewalls monitor traffic, filter out malware and trojans, prevent hacking attempts, and maintain privacy as well as security.

Although firewalls are generally for the good of the business, they have some disadvantages: some firewall rules can be so strict that they restrict the legitimate work of employees, thereby affecting productivity; firewall maintenance for large organisations can be complex (unless handled by the MSP); some firewall costs can be high; and some malware attacks (e.g. through phishing) can get past firewalls.

What Does This Mean For Your Business?

Firewalls are a long-established (and now a relatively standard) element of cyber-defences that still provide a vital protective function. The fact that they can be applied to different parts of the IT system and infrastructure and can be configured with different rules and different levels as required and left to operate on their own gives them flexibility but at the same time, they provide businesses with a level of confidence that networks are being monitored automatically. Firewalls, however, are just one (important) tool in the overall defence of business networks and devices.  Today’s cybercriminals are finding ever-more inventive ways to breach defences and exploit human errors and social engineering opportunities, so businesses need to employ a large number of different security (and privacy) tools and strategies to ensure that they are protected day-to-day.

Tech News : AI Keystroke Spy Tools

With AI recently in the spotlight in Europe over the need to regulate some ‘unacceptable use’, some experts are warning of the threat of AI keystroke reading spy tools.

Possibilities

The fact that companies like TypingDNA were developing AI biometric verification (back in 2017), based on recognising the individual characteristics of how a person types, suggests that similar programs from other sources could be used for malicious intent as well as good.

The type of keystroke recognition used in the TypingDNA system (which is safe and secure and has not been used for nefarious purposes) uses timings and durations of key-press events and compares these against the normal typing pattern that each new enrolling customer gives a sample of when they sign up to the app. The same company has also managed to create a system called ‘Focus’ that can tell a user when they are most focused, tired, or stressed, purely based upon their typing.
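The comparison of key-press timings and durations against an enrolled typing pattern can be sketched as follows. This is an added example, not TypingDNA's algorithm: it assumes a scaled Manhattan distance over dwell and flight times, a hypothetical threshold of 2.0, and constructed timing samples in milliseconds.

```python
from statistics import mean

def features(events):
    """events: [(key, press_ms, release_ms), ...] -> dwell times, then flight times."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enrol(samples):
    """Build a profile: per-feature mean and mean absolute deviation (MAD)."""
    rows = [features(s) for s in samples]
    if len({len(r) for r in rows}) != 1:
        raise ValueError("enrolment samples must all be the same phrase")
    profile = []
    for column in zip(*rows):
        mu = mean(column)
        mad = mean(abs(x - mu) for x in column)
        profile.append((mu, max(mad, 1.0)))  # floor avoids division by zero
    return profile

def score(profile, events):
    """Scaled Manhattan distance: average deviation in units of the user's own MAD."""
    feats = features(events)
    if len(feats) != len(profile):
        raise ValueError("attempt does not match the enrolled phrase length")
    return mean(abs(x - mu) / mad for x, (mu, mad) in zip(feats, profile))

def verify(profile, events, threshold=2.0):  # threshold is an assumed value
    return score(profile, events) <= threshold

# Constructed enrolment samples: the same three-key phrase typed three times.
ENROLMENT = [
    [("a", 0, 100), ("b", 150, 250), ("c", 330, 420)],
    [("a", 0, 110), ("b", 170, 260), ("c", 350, 450)],
    [("a", 0, 90), ("b", 130, 240), ("c", 310, 390)],
]
GENUINE = [("a", 0, 105), ("b", 150, 245), ("c", 330, 415)]   # same rhythm
OTHER = [("a", 0, 60), ("b", 200, 270), ("c", 300, 340)]      # different typist

PROFILE = enrol(ENROLMENT)

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE), ("other", OTHER)):
        print(name, round(score(PROFILE, attempt), 2), verify(PROFILE, attempt))
```

Scaling each deviation by the user's own variability is what lets a naturally inconsistent typist pass while a consistent rhythm from someone else is rejected.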

Given this is already possible, the argument from some tech and security commentators is that it may only be a matter of time before AI keystroke analysis is used by cybercriminals to steal private, personal data.

Keystrokes Research

Keystroke dynamics/keyboard biometrics/typing biometrics research has been going on for over 20 years, and there have been several studies into how keystrokes can be analysed to extract data.

Back in 2017, for example, a study by Princeton University showed that keystrokes, mouse movements, scrolling behaviour, and the entire contents of web pages visited may already have been tracked and recorded by hundreds of companies. The study revealed that no fewer than 480 websites of the world’s top 50,000 sites were known to have used a technique known as ‘session replay’, which, although designed to allow companies to gain an understanding of how customers use websites, also records an alarming amount of potentially dangerous information. The researchers found that companies were now tracking users individually, sometimes by name.

Back in 2019, researchers from SMU’s (Southern Methodist University) Darwin Deason Institute for Cyber-security found that the sound waves produced when typing on a computer keyboard can be picked up by a smartphone and a skilled hacker could decipher which keys were struck. That particular research project tested whether ‘always-on’ sensors in devices such as smartphones could be used to eavesdrop on people who use laptops in public places and the researchers were able to pick up what people were typing at an amazing 41 percent word accuracy.

AI and Machine Learning Used For Bad

AI and Machine Learning have already been used for illicit purposes, such as deepfake videos and faked images. For example, social media analytics company Graphika reported identifying images of faces for social media profiles that had been faked using machine learning for the purpose of China-based anti-U.S. government campaigns. These campaigns, dubbed ‘Spamouflage Dragon’, involved the production and distribution of AI-generated photos (made using GAN) to create fake followers on Twitter and YouTube, and videos made in English, targeting US foreign policy, its handling of the coronavirus outbreak, its racial inequalities, and its moves against TikTok.

What Does This Mean For Your Business?

The rapid growth of AI and its incorporation into many systems and services across Europe has recently required new rules and regulation to keep up. Tech and security commentators have also been warning for many years about the possible uses of AI for dishonest purposes.  Although this has already happened with deepfake videos, there are real fears that AI can be manipulated to spot patterns that could be used in social engineering attacks, identify any new vulnerabilities in networks, devices, and applications and, of course, analyse keystrokes to steal valuable personal information from a user. Combining keystroke recognition, cameras, AI chips in phones and other AI-enabled spying methods could, if used in the right combination, pose a threat to the data protection defences of businesses. It is important to remember, however, that AI also points the way forward for protection (e.g. its incorporation into anti-virus and other cyber-security systems).