GDPR

SurveyMonkey Goes to Ireland

California-based online survey software company SurveyMonkey has opened a datacentre in Dublin with a view to attracting enterprise customers in the EMEA region.

SurveyMonkey

SurveyMonkey, which was established in Portland by Ryan and Chris Finley, has more than 750 employees globally and is estimated to have more than 600,000 paying users across more than 300,000 organisational domains. The SurveyMonkey platform, a cloud-based online survey tool offered free of charge or as a paid SaaS subscription, is used in 190 countries and territories.

The company now has offices in San Mateo, Portland, Seattle, Dublin, Ottawa, and Sydney.  The Irish office was opened in 2014 and currently has around 50 employees.  SurveyMonkey went public in 2018.

Why A Datacentre In Dublin?

There are several good reasons for the move to Dublin coupled with a focus on wooing EMEA enterprise customers, such as:

  • 16% of SurveyMonkey’s revenue during the first quarter of 2019 came from sales to the enterprise sector.
  • More than one-third of SurveyMonkey’s business revenue comes from outside the US, with the majority in Europe.
  • There is a huge opportunity for growth that’s offered by companies where SurveyMonkey has been adopted (as the free version) through back-door ‘shadow IT’, and where those enterprises can be encouraged to legitimately adopt the use of the software as company-wide deployments by being reassured that the data they collect is stored in a European data centre (Dublin). This has been termed a ‘land and expand’ strategy.
  • Dublin is ranked as one of the best places to work in Ireland and offers many benefits to tech companies and start-ups.

Phased Approach

SurveyMonkey’s strategy, of which the Dublin datacentre is a part, is a phased one with the first phase being to acquire new customers, and phase two focusing on migrating customers who already have a lot of data stored in their SurveyMonkey accounts.

In addition to expanding across Europe, SurveyMonkey will also be looking at making customers aware of the other services that it offers.

What Does This Mean For Your Business?

SurveyMonkey knows that the Europe / EMEA region already delivers plenty of revenue and that there’s a great opportunity to expand further. Placing a datacentre in Europe may be very attractive to (and reduce risk for) enterprise customers who must be very careful about where their data is stored (see GDPR) and who always want to reduce complexity around data storage.

This story also shows how the ‘shadow IT’ use of software has provided a way in and can be part of a successful strategy for growth and expansion.

Survey Shows Half Of UK Firms Have No Cyber Resilience Plan

A survey commissioned by email security firm Mimecast and conducted by Vanson Bourne has revealed that even after GDPR’s introduction, more than half of UK firms have no Cyber Resilience Plan.

What Is A Cyber Resilience Plan?

An organisation’s cyber resilience is its ability to prepare for, respond to and recover from cyber-attacks, and a Cyber Resilience Plan details how an organisation intends to do this.  Most organisations now accept that the evolving nature of cyber-crime means that it’s no longer a case of ‘if’ but ‘when’ they will suffer a cyber-attack.  It is with this perspective in mind that a strategy should be developed to minimise the impact of any cyber-attack (financial, brand and reputational), meet legal and regulatory requirements (NIS and GDPR), improve the organisation’s culture and processes, protect customers and stakeholders, and enable the organisation to survive beyond an attack and its fallout.

More Than Half Without

Mimecast’s survey shows that even though 51% of IT decision-makers polled in the UK say they believe it is likely or inevitable they’ll suffer a negative business impact from an email-borne cyber-attack in the next 12 months, 52% still don’t have a cyber resilience plan in place.

Email Focus

Email is a critical part of the infrastructure of most organisations and yet it is the most common point of attack. It is with this in mind that the Mimecast survey has focused on the challenges that managing the security aspects of email present in terms of cyber resilience and in achieving compliance with GDPR.

E-Mail Archiving

One potential weakness that the survey revealed is that only 37% of UK IT decision-makers said that email archiving and e-discovery are included in their organisation’s cyber resilience strategy. When you consider that email contains a great deal of personal and sensitive company data, its protection should really be at the core of any cyber resilience strategy.

Also, for example, in relation to GDPR, not having powerful archiving systems to enable emails to be found and deleted quickly upon a user’s request could pose a compliance challenge.

Human Error

Human error in terms of not being able to spot or know how to deal with suspicious emails is a common weakness that is exploited by cyber-criminals.

What Does This Mean For Your Business?

If the results of this survey reflect a true picture of what’s happening in many businesses, then it indicates that cyber resilience urgently needs to be given greater priority, particularly since it is now a case of ‘when’ rather than ‘if’ a cyber-attack will occur. The cost of not addressing the situation could also be huge, in terms of the risks to customers and stakeholders and to the survival of the business itself, particularly given the potential size of GDPR fines for breaches.

Email, and particularly email archiving (what’s stored, where, and how well and quickly it can be searched), poses a serious challenge. Businesses should reassess whether their email archiving strategy is effective and safe enough, and security should go beyond archive encryption to guard against impersonation attacks and malicious links.

Bearing in mind the role that human error so regularly plays in enabling attacks via email, education and training in this area alongside having clearly communicated company policy and best practice in managing email safely should form an important part of a company’s cyber resilience.

GDPR Says HMRC Must Delete Five Million Voice Records

The Information Commissioner’s Office (ICO) has concluded that HMRC has breached GDPR in the way that it collected the biometric voice records of users and now must delete five million biometric voice files.

What Voice Files?

Back in January 2017, HMRC introduced a system whereby customers calling the tax credits and Self-Assessment helpline could enrol for voice identification (Voice ID) as a means of speeding up the security steps. The system uses 100 different characteristics to recognise the voice of an individual and can create a voiceprint that is unique to that individual.

When customers call HMRC for the first time, they are asked to repeat the vocal passphrase “my voice is my password” up to five times to register before speaking to a human adviser. The recorded passphrase is stored in an HMRC database and can be used as a means of verification/authentication in future calls.

It was reported that in the 18 months following the introduction of the system, HMRC acquired five million people’s voiceprints this way.

What’s The Problem?

Privacy campaigners questioned the lawfulness of the system and in June 2018, privacy campaigning group ‘Big Brother Watch’ reported that its own investigation had revealed that HMRC had (allegedly) taken the five million taxpayers’ biometric voiceprints without their consent.

Big Brother Watch alleged that the automated system offered callers no choice but to do as instructed and create a biometric voice ID for a Government database.  The only way to avoid creating the voice ID on calling, as identified by Big Brother Watch, was to say “no” three times to the automated questions, whereupon the system still resolved to offer a voice ID next time.

Big Brother Watch highlighted the fact that GDPR prohibits the processing of biometric data for the purpose of uniquely identifying a person, unless there is a lawful basis under Article 6, and that because voiceprints are sensitive data but are not strictly necessary for dealing with tax issues, HMRC should request the explicit consent of each taxpayer to enrol them in the scheme (Article 9 of GDPR).

This led to Big Brother Watch registering a formal complaint with the ICO.

Decision

The ICO has now concluded that HMRC’s voice system was not adhering to the data protection rules and effectively pushed people into the system without explicit consent.

The decision from the ICO is that HMRC now must delete the five million records taken prior to October 2018, the date when the system was changed to make it compliant with GDPR.  HMRC has until 5th June to delete the five million voice records, which the state’s tax authority says it is confident it can do long before that deadline.

What Does This Mean For Your Business?

Big Brother Watch believes this to be the biggest ever deletion of biometric IDs from a state database, and privacy campaigners have hailed the ICO’s decision as setting an important precedent that restores data rights for millions of ordinary people.

Many businesses and organisations are now switching, or planning to switch, to biometric identification/verification systems instead of password-based systems, and this story is an important reminder that these are subject to GDPR. For example, images and unique voiceprint IDs are personal data that require explicit consent to be given, and people should have the right to opt out as well as to opt in.

123456 Still A Popular Password

A study by the UK’s National Cyber Security Centre (NCSC) into breached passwords has revealed that 123456 featured 23 million times, making it the most widely-used password on breached accounts.

Top Five Easy-To-Guess Passwords

The study, which analysed public databases of breached accounts to discover which words, phrases and strings were most popularly used, also found that the second-most popular string was 123456789, and that the words “qwerty” and “password”, and the string 1111111 all featured in the top five most popular breached passwords.

Names & Football Teams

The study revealed that people routinely use Christian names and the names of their favourite football teams as passwords, thereby making them relatively easy to crack.  For example, the most popular breached-password names were Ashley, Michael, Daniel, Jessica and Charlie. The most popular football team passwords noted by the study were ‘Liverpool are champions’, followed by Chelsea.

Not Confident

The NCSC study also found that 42% of those surveyed expected to lose money to online fraud, and that only 15% said that they were confident that they knew enough to be able to protect themselves online.

Big Risk – Password Sharing

The study also found that fewer than half of those surveyed used a separate, strong password for their main email account.  The risk of using the same password for multiple accounts and platforms is that if one of those accounts is compromised, cyber-criminals will sell your login details on and/or use ‘credential stuffing’ tools to try stolen passwords on multiple websites.

Stolen credentials are also routinely used in phishing attacks e.g. to send malicious emails to a victim’s list of contacts, and in targeted digital identity attacks, where the breached credentials are used to steal a victim’s entire digital identity, steal their money, or even to compromise their social media network data.

Passwords on Hacking Forums

As revealed back in January by security researcher Troy Hunt of the ‘Have I Been Pwned’ service, 772,904,991 unique email addresses and 21,222,975 unique passwords are already being shared on hacking forums as part of a collection of credentials stolen from multiple sites, dubbed Collection #1.

This highlights the importance of not sharing passwords between websites, and of changing passwords regularly.

What Does This Mean For Your Business?

This story highlights the importance of always using strong passwords that you change on a regular basis. Also, it highlights the importance of not using the same usernames and passwords on multiple websites as this can provide an easy route to your data for criminals using credential stuffing.

Managing multiple passwords in a way that is secure, effective, and doesn’t have to rely on memory is difficult, particularly for businesses where there are multiple sites to manage. One easy-to-use tool that can help is a password manager. Typically, these can be installed as browser plug-ins that handle password capture and replay: when you log in to a secure site, they offer to save your credentials, and on returning to that site they can automatically fill those credentials in. Password managers can also generate new passwords when you need them and automatically paste them into the right places, as well as syncing your passwords across all your devices. Examples of popular password managers include Dashlane, LastPass, Sticky Password, and Password Boss, and password vaults built into other programs and CRMs include Zoho Vault and Keeper Password Manager & Digital Vault.

The new version of the Chrome browser (69) also has an improved password manager, which could help those who still appear to rely on very weak passwords, e.g. 123456, password, 12345678 and qwerty. The Chrome 69 password manager suggests passwords incorporating at least one lowercase character, one uppercase character and at least one number, and where websites require symbols in passwords it can add these. Users can also manually edit the Chrome-generated password, and every time a user clicks away from Google’s suggestion, a new one is generated. Chrome 69 can store the password on a laptop or phone so that users don’t have to write it down or try to remember it (if they are using the same device).

If you’re worried that people in your business may currently be using passwords that have already been stolen, you can find a list of them (from Troy Hunt of ‘Have I Been Pwned’) here: https://www.troyhunt.com/pwned-passwords-now-as-ntlm-hashes/ and Mr Hunt provides some answers to popular questions about the stolen passwords in the ‘FAQs’ section of his blog post here: https://www.troyhunt.com/the-773-million-record-collection-1-data-breach/.
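As an added example (not from the article or from the Have I Been Pwned service), the check below tests candidate passwords against a breached-password corpus the way the Pwned Passwords range model does: only the first five hex characters of the SHA-1 hash are sent to the lookup, the 35-character remainder is compared locally. The corpus and the business accounts are constructed stand-ins; only the 23 million figure for 123456 comes from the article.

```python
import hashlib
from typing import Callable, Dict, List, Tuple


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the Pwned Passwords corpus is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """5-char prefix that is sent to the service, and the 35-char suffix that never leaves the machine."""
    return digest[:5], digest[5:]


# Constructed stand-in for the breached-password corpus (password -> breach count).
# Only the 123456 count is from the article (NCSC: 23 million); the others are made up.
CONSTRUCTED_CORPUS: Dict[str, int] = {
    "123456": 23_000_000,
    "123456789": 7_000_000,
    "qwerty": 3_000_000,
    "password": 3_000_000,
    "1111111": 2_000_000,
    "ashley": 400_000,
    "liverpool": 250_000,
}


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Group every breached hash by its 5-char prefix as 'SUFFIX:COUNT' lines, the shape of a range response."""
    index: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_CORPUS)


def local_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>; returns the response body."""
    return "\n".join(RANGE_INDEX.get(prefix, []))


def pwned_count(password: str, fetch_range: Callable[[str], str] = local_fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 if absent), sending only the prefix."""
    prefix, suffix = split_hash(sha1_hex(password))
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit_accounts(accounts: Dict[str, str],
                   fetch_range: Callable[[str], str] = local_fetch_range) -> Dict[str, List[str]]:
    """Flag accounts whose password is breached, and accounts that share a password with another account."""
    breached = sorted(name for name, pw in accounts.items() if pwned_count(pw, fetch_range) > 0)
    by_password: Dict[str, List[str]] = {}
    for name, pw in accounts.items():
        by_password.setdefault(pw, []).append(name)
    reused = sorted(name for names in by_password.values() if len(names) > 1 for name in names)
    return {"breached": breached, "reused": reused}


# Constructed set of business logins to audit: two reuse a breached password, one is unique.
SAMPLE_ACCOUNTS = {
    "email": "123456",
    "crm": "123456",
    "bank": "constructed-unique-passphrase-9f2k",  # not in the corpus
}

if __name__ == "__main__":
    print(audit_accounts(SAMPLE_ACCOUNTS))
```

Swapping `local_fetch_range` for a function that performs the real HTTPS GET keeps the same privacy property, since the caller still only ever hands over the five-character prefix.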

Experts Recommend Security Update For Magento E-commerce Sites

Security experts are warning companies with a Magento e-commerce site to make sure that it has the latest security patch and updates in order to avoid the risk of card skimming attacks.

Magento

Magento, originally developed by Varien Inc (now owned by Adobe) is a leading open-source, enterprise-class e-commerce platform written in PHP.

Security concerns about unpatched Magento e-commerce stores have been raised in the past, e.g. in 2015 and 2016 over their possible susceptibility to cross-site scripting attacks, and in 2017 over Magento CE web stores possibly being susceptible to Remote Code Execution attacks enabling card skimming and, potentially, takeover of the database and server.

Latest Vulnerability

The SQL injection vulnerability in Magento code prior to 2.3.1 can be exploited without being authenticated on the site, giving attackers enough privilege to, for example, carry out a card skimming attack; because no authentication is needed, it also lends itself to automated attacks at scale.

For example, security expert Marc-Alexandre Montpas, a researcher at security firm Sucuri, has warned that this vulnerability is potentially so dangerous because of the number of active installs, the ease of exploitation, and the effects of a successful attack.

This kind of (SQL) injection vulnerability could even enable attackers to steal an entire database and take control of the website and web server.

Which Sites Are At Risk?

According to (Adobe) Magento’s own advisory notice, this vulnerability affects sites using the open source or commercial version of the software, and the affected versions are 2.1 prior to 2.1.17, 2.2 prior to 2.2.8, and 2.3 prior to 2.3.1.

It is still unknown exactly how many of Magento’s 300,000 customer sites are at risk from this vulnerability.

Fix

Magento has already released a new security update / patch fixing multiple types of vulnerabilities including Cross-Site Request Forgery, Cross-Site Scripting, SQL Injection, and Remote Code Execution.

What Does This Mean For Your Business?

This story illustrates how important it is to make sure that all software is kept up to date with the latest patches and fixes, particularly, for example, a company e-commerce website where hackers could gain access to customer payment and other private data.

If you have a Magento e-commerce website the advice is to install patch PRODSECBUG-2198. Also, to protect against this vulnerability and others, customers should upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. Magento recommends that customers install the patches as soon as possible.

Magento says that Cloud customers can upgrade ECE-Tools to version 2002.0.17 so that the vulnerability in the core application is patched automatically, and that even though it has blocked all known ways to exploit the vulnerability, it strongly recommends customers either upgrade ECE-Tools or apply the patch through m2-hotfixes.

The full official advisory from Magento can be found here: https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update

Businesses Delayed Security Breach Disclosure

An FoI request to the Information Commissioner’s Office (ICO) has revealed cause for concern over whether businesses, in the run-up to the implementation of GDPR, were preventing, detecting and responding to security threats and breaches in a good and compliant way.

Delay In Identifying and Reporting

An FoI request to the ICO by threat detection and response firm Redscan found that, in the year leading up to the implementation of GDPR on 25th of May, many UK businesses appeared to be routinely delaying data breach disclosure to the ICO.

The data revealed in the request indicated that companies took an average of 60 days to identify that they’d been the victim of a data breach, and an average of three weeks after discovery to report a breach to the ICO. The worst offending business (in the data revealed) took a massive 44 months to identify a breach, and some organisations took an average of 142 days to report their breaches to the ICO.

Financial and Legal Quicker at Identifying & Reporting Breaches

The FoI data did, however, show that financial and legal sector organisations were better at identifying and reporting breaches.  For example, financial services firms took 37 days to identify a breach and legal firms took 25 days.  These figures compare favourably to the general business category where companies took 138 days to identify breaches.

Also, when it came to reporting the breaches, financial services companies took an average of 16 days and legal firms an average of 20 days.  These figures, again, compare favourably to ‘general business’ category organisations which took 27 days on average to report breaches to the ICO.

Full Impact Not Reported

The requested data also showed that 9 out of 10 businesses did not fully specify the nature and impact of the breach to the ICO.

Dates Not Reported

The same figures showed that 21% of businesses did not report the breach incident date, and 25% did not report the breach discovery date to the ICO. It may be fair to assume that these figures could indicate that businesses may have either lacked awareness about the breaches or perhaps made a conscious decision to withhold important information due to fear of the consequences.

Most Hacks Happen At Weekends

The FoI data also showed that hackers tend to prefer attacking at the weekends as this is most likely to be the time when many Monday to Friday businesses are not monitoring for threats and essentially have their guard down, and attackers have two days to break into systems.  For example, the requested data showed that more than three-quarters of incidents happen on a Saturday.

What Does This Mean For Your Business?

This data relates to behaviour before the introduction of GDPR, but with GDPR now in place, and with the legal risks (big fines) and reputational stakes now escalated, businesses need to make sure that they can be compliant going forward.

Attacks are getting more diverse in nature, are occurring across a wider front, and are becoming more sophisticated. Businesses must, therefore, make sure that they have the appropriate skills, technology, controls and procedures in place to identify a breach in the first place.

Also, businesses now need to make sure that they report identified breaches in enough detail, and within 72 hours of becoming aware of the breach, where feasible.  These things are now vitally important as reporting requirements are much stricter under GDPR.

The fact that most businesses are hit by hackers at weekends indicates that businesses need to ensure that they have 24/7 controls, defences and procedures in place to protect their systems and the data they hold.

Nest Locking Customers Out Over Suspected Security Breach

Nest Labs, the US manufacturer of smart home products is reported to have been locking some customers out of their accounts over possible password breaches.

Nest

Nest Labs (founded by iPod inventor Tony Fadell and purchased by Google back in 2014) is a manufacturer of smart home gadgets, including thermostats, cameras, a video doorbell, a smoke and CO2 alarm, and the Nest Aware system where customers can monitor all activity at their home via an app.

What’s Happened?

Nest has recently been the subject of several hacks, e.g. there have been reports of Nest cameras being hacked, such as the family in Northern California who reported their camera playing a message (from hackers) warning them of a fictional North Korean missile attack. Also, more recently in the US, on Super Bowl Sunday, a mother reported an unknown male hacker talking to her 5-year-old son through the Nest security camera in his bedroom.

Advice From Google

In the light of the increase in hacks, in early February Google emailed a warning to owners, urging them to secure their login credentials with measures such as two-factor authentication and stronger passwords. In the email, Google said that there hadn’t been a breach, but that it was simply reminding users that breaches are possible and that there are measures they can take to help protect themselves and get the most out of Nest products.

Google says that the recent reports of hacks are based on customers continuing to use compromised passwords i.e. passwords that have been exposed through breaches on other websites, and probably shared and sold-on among the hacking fraternity.

Locked Out

The lock-outs that some customers are now experiencing appear to be strong reminders, from what is essentially a security product, to those who are known to still be using compromised passwords and who haven’t yet set up 2-factor authentication that now is the time to address these issues.

One added bit of motivation to do so could be the relatively high monthly fees for Nest products and services that customers will be paying for nothing if they don’t act now.

Other Troubles

Nest has also found itself in hot water recently after it was discovered that a “secret” microphone is incorporated in Google’s Nest Guard product that has not been listed in the product’s tech spec. This has led to a serious backlash, and calls from a Senator for action to be taken to help protect users from the privacy and security threat that some smart products can pose.

What Does This Mean For Your Business?

Even though these are security related products, their basic protection has been through the use of passwords.  Due to the number of hacks of other sites, and the fact that people often use the same password for multiple sites, and due to the bizarre and terrifying nature of some of the hacks of Nest speakers, it is not a surprise that the company is taking strong action to try and force users to set up a secure, new password, and the extra security layer of 2FA.

This story is a reminder that it is not a good idea to use the same passwords on multiple websites, as hackers now have software to enable them to quickly try the same password details in multiple websites (credential stuffing).

Although 2FA does add another relatively solid layer of security to online accounts, Google (Nest) has said that it is also considering new security measures to prevent this kind of hacking of Nest’s products from happening again.

New York’s Governor Orders Investigation Into Facebook Over App Concerns

The Governor of New York, Andrew Cuomo, has ordered an investigation into reports that Facebook Inc may be using apps on users’ smartphones to collect personal information about them.

Alerted By Wall Street Journal

The Wall Street Journal prompted the Governor to order New York’s Department of State and Department of Financial Services (DFS) to investigate Facebook when the paper reported that Facebook may have more access than it should to data from certain apps, sometimes even when a person isn’t even signed in to Facebook.

Health Data

It has been reported that the kind of data that some apps allegedly share with Facebook includes health-related information such as weight, blood pressure and ovulation status.

The alleged sharing of this kind of sensitive and personal data, whether or not a person is logged in to Facebook, prompted Governor Cuomo to call the practice an “outrageous abuse of privacy.”

Defence

Facebook’s defence against these allegations, which appears to have prompted a short-lived but noticeable fall in Facebook’s share value, was to point out that WSJ’s report focused on how other apps use people’s data to create ads.

Facebook added that it requires other app developers to be clear with their users about the information they are sharing with Facebook and that it prohibits app developers from sending sensitive data to Facebook.

The social media giant also stressed that it tries to detect and remove any data that should not be shared with it.

Lawsuits Pending

This appears to be just one of several legal fronts where Facebook will need to defend itself.  For example, Facebook is still facing a U.S. Federal Trade Commission investigation into the alleged inappropriate sharing of information belonging to 87 million Facebook users with now-defunct political consulting firm Cambridge Analytica.

Apple Also Accused By Governor Over FaceTime Bug

New York’s Governor Cuomo and New York Attorney General Letitia James have also announced an investigation into Apple Inc’s alleged failure to warn customers about a bug in its FaceTime app that could inadvertently allow eavesdropping, as iPhone users were able to listen to the conversations of others who had not yet accepted a video call.

DFS Involvement

The Department of Financial Services (DFS), which is one of the two agencies that have been ordered to investigate this latest Facebook app sharing matter has only recently begun to get more involved in digital matters, particularly by producing the country’s first cybersecurity rules governing state-regulated financial institutions such as banks, insurers and credit monitors.

Some commentators have expressed concern, however, about the DFS having said last month that the life insurers it regulates could use social media posts in underwriting their policies, on the condition that they did not discriminate based on race, colour, national origin, sexual orientation or other protected classes.

What Does This Mean For Your Business?

You could be forgiven for thinking that, after the scandal over Facebook’s unauthorised sharing of the personal details of 87 million users with Cambridge Analytica, Facebook might have learned its lesson about the sharing of personal data and tried harder to uncover and plug any loopholes that could allow this to happen. The tech giant still has several lawsuits and regulatory inquiries over privacy issues pending, and this latest revelation about the sharing of very personal health information certainly won’t help its cause. Clearly, as the involvement of the DFS shows, there needs to be more oversight of (and investigation into) apps that share their data with Facebook, and possibly more legislation and regulation of the smart app / smart tech ecosystem.

There are ways to stop Facebook from sharing your data with other apps via your phone settings and by disabling Facebook’s data sharing platform.  You can find instructions here: https://www.techbout.com/stop-facebook-from-sharing-your-personal-data-with-other-apps-37307/

Discovery of Microphone in Google’s Nest Guard Prompts Backlash

The discovery of a microphone in Google’s Nest Guard product that was not listed in the tech spec has been put down to an erroneous omission by Google, but it has also caused a backlash that escalated to the US Congress.

What Happened?

One of Google’s products is the Nest Secure product which is a home security system that operates using a phone app, alarm, keypad, and motion sensor with Google Assistant built in (which is the main hub), Nest Detect Sensors for doors and windows, and a tag which the homeowner taps on the main hub when they enter the house to disarm the system. Earlier this month, the addition of Google’s digital assistant to the product led to the surprise discovery that the main hub unit has always had a microphone installed in it, but the microphone was not mentioned on the technical specifications for the product.

The discovery of what appeared to be a “secret” microphone has, therefore, prompted anger and discussion among privacy and security advocates and commentators, concern from consumers, bad publicity for Google, and calls for action by a Senator, a Congressman, and many others.

Google Says

Google’s response to the discovery was simply to apologise for what was an “error” and oversight on its part for not listing the microphone in the tech spec for the system, and to stress that the microphone was not intended to be ‘secret’ and had not been used until the addition of the Google Assistant.

It has also been reported that Google has said that one of the reasons for the microphone’s inclusion had originally been to allow future functionality, for example, to detect breaking glass in the home.

Criticism

Google has faced anger and criticism from many different angles over the discovery of the microphone including:

  • Maryland Congressman John Delaney calling for privacy legislation to now be applied to a broad range of tech products.  Mr Delaney also proposed that electronic tech products should have labelling on them like that on food products, so consumers can be quickly and easily alerted to any privacy and security implications.
  • Virginia Senator Mark Warner, chairman of the Senate Intelligence Committee, calling for hearings with federal agencies and the U.S. Congress about the digital economy, and the smart home ecosystem.
  • The Electronic Privacy Information Center (EPIC) calling on the Federal Trade Commission (FTC) to request via an enforcement action, that Google divests of its Nest hardware products, and that Google disgorges any data that it may wrongfully have obtained from Nest customers.

What Does This Mean For Your Business?

Smart electronic products and devices are now in homes and businesses everywhere, but consumers and business owners should have the right to be clearly informed about the security and privacy implications of those products so that they can make an informed choice about whether to buy and operate them.

As some commentators have noted, the arguments that it’s easier to ask for forgiveness than to seek permission, or that ‘it’s in the fine print’, shouldn’t be acceptable privacy policies from tech companies.  The idea of food packaging-style labelling on smart tech products to help inform consumers about security and privacy implications may not be a bad one, and if the tech industry can’t regulate itself on this matter then more legislation to protect consumers and businesses seems likely.

This is a damaging story in terms of trust and reputation for Google, particularly in the US where the story has been given greater prominence and may cause consumers to think twice about the kinds of smart products that they let into their homes and businesses.

Form-Jacking Attacks Hit High Profile Companies

Research by security company Symantec has revealed that high profile companies such as BA and Ticketmaster are among the many thousands of businesses whose websites are being targeted with “form-jacking” attacks every month.

What Is Form-Jacking?

Form-jacking involves inserting a small amount of malicious JavaScript code into the checkout web pages of e-commerce sites, thereby allowing attackers to monitor payment card information being entered and to then syphon that information off.

When a user hits the submit button on a checkout page that contains the malicious code, the user’s payment and personal details are sent to an attacker’s servers where the attacker can use this information to perform payment card fraud or sell these details on to other criminals on the dark web.

Pages that have been compromised in this way aren’t easy to spot, and to the naked eye, the checkout process looks normal.

How Big Is The Problem?

Symantec claims to have stopped more than 3.7 million form-jacking attacks in 2017, and between August and September 2018, the company says that it blocked 248,000 attempts at form-jacking.  The fact that 36% of these blocks took place from September 13th to September 20th was an indicator that form-jacking attempts were escalating towards the end of last year.

Symantec reports that 4,800 websites are being hit by form-jacking attacks every month.

Examples

High profile examples of form-jacking victims given by Symantec include British Airways and Ticketmaster, which were both targeted by the ‘Magecart’ hacking group.

The attack on British Airways saw the Magecart attackers set up a spoof web domain designed to look like that of the legitimate company, and even purchase paid SSL certificates from Comodo to make it look more legitimate. Magecart was present on British Airways’ website from August 21 to September 5, and the 22 lines of digital skimming JavaScript code that it took to operate the form-jacking attack affected 380,000 transactions.  In the BA attack, the vital customer data was skimmed and stolen in a fraction of a second, between the moment the customer moved the mouse over the submit button and clicked it, and before the data had a chance to reach BA’s servers.

In the case of the Ticketmaster attack, which took place in June, attackers first compromised a chatbot from tech firm Inbenta that was used for customer support on Ticketmaster websites.  This chatbot then provided the way in for the Magecart attackers, enabling them to alter the JavaScript code on Ticketmaster’s websites so that payment card data from customers could be captured and sent to their servers.  It is thought that the form-jacking code remained undetected on Ticketmaster’s website from September 2017 to June 2018.

What Does This Mean For Your Business?

Cybercriminals have found that better back-up practices by businesses and home users have made attacks like ransomware less likely to pay, so they may have moved into form-jacking. The fact that it requires only the insertion of a relatively small amount of JavaScript, and that it can be very difficult to detect, makes it an attractive new way for many criminals to get paid.

Companies can use network-based and file-based protection against form-jacking.  Ways to stop attackers getting in to inject the code include:

  • using firewalls to block all incoming connections from the internet to services that should not be publicly available;
  • enforcing a (complex) password policy;
  • turning off file sharing if it is not needed;
  • turning off and removing unnecessary services;
  • keeping patching up to date; and
  • configuring email servers to block or remove emails that contain file attachments commonly used to spread threats, e.g. .vbs, .bat, .exe, .pif and .scr files.

Also, companies should guard against software supply chain attacks by testing new updates, even seemingly legitimate ones, in small test/sandbox environments, and by monitoring the behaviour of all activity on a system to help identify any unwanted patterns.