News

Any Thumbprint Unlocks a Galaxy A10

Samsung’s so-called “revolutionary” fingerprint authentication system for the Galaxy A10 phone appears to be offering less than satisfactory results as it is discovered that any thumbprint can unlock one.

Biometric ‘Fail’

South Korean phone giant Samsung has received some unwanted bad publicity for its new Galaxy A10 phone after an article appeared in the Sun newspaper highlighting how a British couple discovered that, after putting a low-priced screen protector (purchased from eBay) on the phone, each other’s thumb print could unlock the phone.

The thumbprint scanner, which uses ultrasound to detect the 3D ridges in fingerprints and is only supposed to recognise the thumbprint registered by the user, is reported to have recognised both of user Lisa Neilson’s thumbprints and both of her husband’s.

Patch

Samsung is reported to have acknowledged the fault and to be in the process of preparing a software patch to fix it.

Google Pixel ‘Face Unlock’ Issue

It seems that Samsung isn’t the only company struggling to produce a biometric phone security system that works properly.

The BBC has recently reported that after testing Google’s Pixel 4 phone’s Face Unlock system, it was discovered that with normal default settings on, the phone could be unlocked even if the user’s eyes were closed. The problem with this is that the phone could potentially be unlocked by another unauthorised person while the user is asleep simply by holding the phone in front of the user’s face.

The phone does, however, offer a ‘lockdown’ mode which users can switch to in order to deactivate the facial recognition system altogether.

Biometrics – The Way Forward?

Even though multi-factor authentication is more secure than relying on just a password for authentication, a continued reliance on weak passwords and password sharing by users, coupled with more sophisticated cyber and phone crime techniques, means that there is a strong argument for biometric methods of authentication, and a move towards what Microsoft has recently described as a “passwordless future”.

What Does This Mean For Your Business?

Even though biometrics have been shown to make things much more difficult for cyber-criminals to crack, as the A10 and the Pixel 4 security systems illustrate, biometrics have not been 100% successful to date and still need some work. In fact, this is not the first time that a Samsung Galaxy has been in the news for a biometric issue. For example, a Reddit user recently claimed to have used a 3D printer to clone a fingerprint and then used that fake fingerprint to beat the in-display fingerprint reader on the Galaxy S10. Also, there was the report of the Twitter user who claimed to have fooled the Nokia 9 PureView’s fingerprint scanner by using somebody else’s finger, and then just a packet of chewing gum, and of the incident back in May 2017 where a BBC reporter said that he’d been able to fool HSBC’s biometric voice recognition system by passing his brother’s voice off as his own.

There is no doubt that the move away from passwords to biometrics is now underway, but we are still in the relatively early stages.

Equifax Hack Inevitable Says Lawsuit

A lawsuit against US Credit Rating Company Equifax relating to the massive 2017 hack alleges that the breaching of Equifax’s systems was “inevitable because of systemic organisational disregard for cybersecurity and cyber-hygiene best practices.”

What Happened

Back in September 2017, US Credit Rating Company Equifax was hacked and, in one of the largest recorded data breaches in history, an estimated 148 million customer details were stolen, 44 million of which are believed to have come from UK customers. Details stolen in the attack included names, US social security numbers, dates of birth, addresses, driver’s license details, and around 209,000 credit card numbers.

Hackers got in through a vulnerability in the website, and Equifax was reported to have known about the attack 40 days before informing the public that it had happened. Another aspect of the case that caused outrage at the time was the fact that three senior executives at the company were believed to have sold off shares worth almost £1.4m before the breach was publicly announced.

The Lawsuit

The lawsuit that was filed against Equifax with the Northern District Court of Georgia (Atlanta Division) in the US states that the breach was the “inevitable result of widespread shortcomings in Equifax’s data security systems”.

What Kind of Shortcomings?

The lawsuit alleges that Equifax’s data protection measures were “grossly inadequate,” and “failed to meet the most basic industry standards”.  The lawsuit paints a picture of a company with a shockingly simplistic and risky approach to the protection of personal data.  For example, it alleges that Equifax:

  • Failed to implement proper patching protocols and relied upon one individual to manually implement its patching process across its entire network.
  • Didn’t encrypt sensitive information and instead stored it in plain text, making it easy for unauthorised users to read and misuse.
  • Didn’t encrypt mobile applications, meaning that it failed to encrypt data being transmitted over the internet.
  • Stored sensitive data on public-facing servers and left the keys to unlocking the encryption on those same public-facing servers, making it easy to remove the encryption from any data.
  • Used inadequate network monitoring practices and obsolete software.
  • Failed to implement adequate authentication measures.  This allegedly included using weak passwords and security questions.

Simple Usernames and Passwords Including ‘Admin’

One of the shocking accusations in the lawsuit relates to passwords. It highlights how the New York Stock Exchange-listed firm responsible for protecting the sensitive personal data of millions of people used four-digit PINs (derived from Social Security numbers and birthdays) to guard personal information, even though these weak passwords had already been compromised in previous breaches.

Also, the lawsuit alleges that Equifax relied upon the username “admin” and the password “admin” to protect a portal used to manage credit disputes, thereby making it incredibly easy for any hackers to guess.  For example, many penetration testing companies will use more obvious passwords such as ‘admin’ as a basic part of their testing of company systems.

Simple Passwords Still Widely Used

One of the main ways that we can all leave the door open to security breaches and hacks is by using simple, easy to guess passwords, and by sharing the same password between multiple websites and platforms.

For example, a study by the UK’s National Cyber Security Centre (NCSC) into breached passwords (in April this year) revealed that 123456 featured 23 million times, making it the most widely used password on breached accounts.  The study, which analysed public databases of breached accounts, also found that the second-most popular string was 123456789, and that the words “qwerty” and “password”, and the string 1111111 all featured in the top five most popular breached passwords.

What Does This Mean For Your Business?

The allegations about the apparent organisational disregard for cyber-security at such a big company and the use of simple, default-style passwords such as ‘Admin’ and leaving one person in charge of patching for the whole company are truly shocking.  The case highlights how some organisations may be too casual about how they manage and protect sensitive data, which is a dangerous position to be in, particularly with the possible fines from GDPR. Since most companies still rely upon passwords for many important systems and tools, this case particularly highlights how IT departments may need to implement processes to make sure that default passwords are changed to more secure ones, and that commonly used passwords are blacklisted.  Introducing multifactor authentication (MFA) also adds another important extra layer of security to password-based systems, and many companies are now seeking biometric authentication methods as a way of getting completely away from the whole risky password area.
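As an added illustration (not from the newsletter or from Equifax’s own systems), the following Python check implements the kind of policy described above: it rejects the NCSC’s top breached passwords, default credentials such as admin/admin, and short PINs derived from a user’s date of birth or Social Security number. The User class, the default-credential list, the length limit and the sample records are assumptions made for the example.

```python
# Added example, not from the newsletter or from Equifax: a password-policy
# check that rejects the breached passwords named in the NCSC study, default
# vendor credentials such as admin/admin, and short numeric PINs derived
# from a user's date of birth or Social Security number.
# The class, the blocklist contents and the sample users are all constructed.
from dataclasses import dataclass
from typing import List, Set

# The five most common breached passwords reported by the NCSC study.
BREACHED_PASSWORDS = {"123456", "123456789", "qwerty", "password", "1111111"}
# Username/password pairs shipped as defaults (constructed list; includes the
# admin/admin pair the Equifax lawsuit describes).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
MIN_LENGTH = 12  # assumed minimum length for this example policy


@dataclass
class User:
    username: str
    date_of_birth: str      # ISO format, e.g. "1975-03-14"
    ssn_last4: str = ""     # last four digits of the SSN, if held


def normalise(password: str) -> str:
    """Lower-case and undo common letter-for-symbol swaps so that
    'P@ssw0rd' is matched against 'password'."""
    swaps = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})
    return password.lower().translate(swaps)


def in_blocklist(password: str) -> bool:
    """True if the password, raw or normalised, is (or contains) a blocklisted value."""
    for candidate in (password.lower(), normalise(password)):
        if candidate in BREACHED_PASSWORDS:
            return True
        # Longer blocklist words are also rejected as substrings ('password2019').
        if any(word in candidate for word in BREACHED_PASSWORDS if len(word) >= 6):
            return True
    return False


def personal_digit_runs(user: User) -> Set[str]:
    """Digit strings derivable from the user's own records: the DOB in the
    usual orderings (DDMM, MMDD, YYYY, DDMMYY, MMDDYY, DDMMYYYY, MMDDYYYY)
    and the SSN last four."""
    year, month, day = user.date_of_birth.split("-")
    runs = {day + month, month + day, year,
            day + month + year[2:], month + day + year[2:],
            day + month + year, month + day + year}
    if user.ssn_last4:
        runs.add(user.ssn_last4)
    return runs


def check_password(user: User, password: str) -> List[str]:
    """Return the policy violations found; an empty list means the password is accepted."""
    problems = []
    if (user.username.lower(), password.lower()) in DEFAULT_CREDENTIALS:
        problems.append("default vendor credential")
    if in_blocklist(password):
        problems.append("appears in breached-password blocklist")
    if password.isdigit() and len(password) <= 6:
        problems.append("short numeric PIN")
    digits = "".join(ch for ch in password if ch.isdigit())
    if digits and any(run in digits for run in personal_digit_runs(user)):
        problems.append("contains digits derived from the user's DOB or SSN")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


if __name__ == "__main__":
    # Constructed sample record, not a real person.
    sample = User("admin", "1975-03-14", "6789")
    for pw in ("admin", "123456", "Holiday1403!", "P@ssw0rd2019!", "correct-horse-battery-staple"):
        print(f"{pw!r}: {check_password(sample, pw) or 'accepted'}")
```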

The Equifax case also highlights how businesses shouldn’t treat database security any differently from other aspects of their cybersecurity, especially by not sharing admin passwords, and if sharing is necessary, by keeping track of who has those passwords and why. Using analytics on a database is also a way in which businesses can track when someone has got into a database using certain admin credentials.

Tech Tip – Create Calendar Events Directly From the Taskbar

One of the new features added to Windows 10 with the September (1909) update lets Calendar users create a Calendar event directly from the Calendar flyout on the Taskbar.

To quickly and easily add your Calendar event:

– Click on the date and time at the lower right corner of the Taskbar to open the Calendar flyout.

– Pick your desired date and type in the text box to name your event.

– Use the Inline options to set a time and location.

Ex-Employee Claims Your G Suite Data Is Not Encrypted

A report by a former Google employee on the ‘Freedom of the Press Foundation’ website warns organisations that any data stored on Google’s G Suite is not encrypted, can be accessed by administrators and can be shared with law enforcement on request.

G Suite

G Suite is Google’s set of cloud-based computing, productivity and collaboration tools including Gmail, Drive (for your company documents) and Calendar.

Privacy Risk

Former Google employee Martin Shelton alleges that files stored within Google’s G Suite have no end-to-end encryption as other Google services do, thereby potentially leaving business data vulnerable to being viewed by Google and by other persons such as Administrators.  Mr Shelton reports that:

  • While Google leverages your G Suite user data for e.g. filtering for spam, malware or targeted attack detection, it can also scan a user’s Google account for content that is illegal, or in violation of Google’s policies.
  • U.S. agencies can compel Google to hand over relevant user data from G Suite accounts to aid in investigations.
  • Business versions of G Suite, such as G Suite Enterprise, offer administrators the tools to monitor users and search device data within the G Suite domain, thereby giving them remarkable levels of visibility into users’ (employees’) Google activities. For example, administrators can search for Gmail and Google Drive content and metadata (e.g. dates, subject lines, recipients), and can log and retain this data.
  • Administrators can monitor Gmail, Calendar, Drive, Sheets, Slides, and more, from desktop and mobile devices and can receive push alerts for certain (suspicious) behaviours.
  • Administrators can use audit logs to see who has looked at or modified each document within the organisation.

Not The First Time

This is not the first time that Google has made the news over G Suite privacy.  Back in July 2018, The Wall Street Journal highlighted how third-party developers could view Gmail users’ messages.

What Does This Mean For Your Business?

This is clearly some unwanted publicity for Google, particularly when there is fierce competition in the business Cloud services market.

The advice for those worried about G Suite’s privacy and security suggested by former Google employee Martin Shelton is to use G Suite mindfully and give yourself a G Suite audit (Gmail, Drive, and Google-connected activity on mobile devices). This way, if you can see certain data you can assume that the administrator and Google are likely to be able to see it too.

Also, if you are concerned about unknown administrators seeing your G Suite data you could consider trying to identify who your G Suite administrators are, what G Suite version you have, whether your organisation is using G Suite Business or Enterprise, finding out what rules have been set in Google Vault and audit logs, and what policies exist for administrative data retention and access.

Mr Shelton also suggests that users may wish to find another cloud service provider that stores data in an end-to-end encrypted format for any particularly sensitive data, or to simply keep such data offline or off a computer entirely.

Food Writer Loses £5,000 in Phone ‘Simjacking’

Well known food writer, Jack Monroe, has reported falling victim to criminals who were able to steal £5,000 from her bank and payment accounts in a “Simjacking” attack.

What Is Simjacking?

Simjacking, simswapping or ‘phone hijacking’ involves criminals being able to port a person’s mobile phone number over onto another SIM card. This is often carried out by criminals who, armed with the necessary personal data of an intended victim, go to a phone shop and pose as a customer who wants to switch to a different mobile provider but keep their existing phone number.

In some cases it may involve mobile operator or phone shop staff members being paid to carry out the crime. One of the first clues that you may be a victim of Simjacking is when your phone suddenly stops working.

£5,000 Taken

In Jack Monroe’s case, the food writer said in a Tweet that her card details and PayPal information were taken from an online transaction which meant that when her phone number was ported onto a new SIM, the criminals were able to “access/bypass authentication” and therefore authorise payments from her account.  In another Tweet, Jack Monroe appears to imply that her date of birth may have been found by the criminals on Wikipedia.

With £5,000 being taken, Jack Monroe Tweeted that, despite being “absolutely absurdly paranoid about security”, not using publicly available email addresses on any financial accounts, using “gobbledegook” letter/number/special character passwords and having two-step authentication on all accounts, the criminals were still able to make purchases and withdraw cash using her account.

Jack Monroe Tweeted the amount taken, saying that the criminals had “HELPED THEMSELVES to around five thousand of them” (pounds). “Total figure not in yet. I’m so white-hot angry”.

Problem Not Addressed

The fact that the crime was committed against a celebrity and has been widely reported appears to have ignited discussion about an area that some feel the mobile industry may not have been addressing.

Mobile Connect – Alternative

The reports have also highlighted possible alternative mobile authentication systems that are available. One example is Mobile Connect, the GSMA’s secure universal log-in solution that matches a user to their mobile phone and is believed to represent a new standard in security.

What Does This Mean For Your Business?

The fact that simjacking is still quite a common crime, and not just in the UK, could highlight the fact that the mobile industry is not putting in enough effort and resources to eradicate the problem. In the UK, some commentators have called for an investigation by the Information Commissioner’s Office (ICO) to see if mobile operators are meeting their obligations to safeguard services and data under telecom privacy rules and GDPR.

The GSMA’s Mobile Connect secure login solution, if adopted and championed by mobile operators and banks, could be one way of beginning to tackle the security challenges that a lack of collaboration and standardisation has posed (such as the security problems and breaches that are at the heart of crimes like Simjacking/phone number hijacking).

Dyson Scraps “Not Commercially Viable” Electric Car

Dyson has scrapped its £2.5 billion ‘N526’ electric car project with Sir James Dyson announcing that it was “not commercially viable”.

So Close

The project, which could be traced back to 1993 with the development of a cyclonic vehicle exhaust that could cut 95 per cent of harmful emissions, evolved into the full-blown development of Dyson’s own electric car. The ‘N526’ project employed 500 UK workers, aimed to roll out the first vehicles for sale in 2021, had a driveable prototype, and was on the verge of kitting out its production factory in Singapore before the plug was pulled on what some saw as the founder’s expensive “vanity project”.

Battery Work To Continue

Despite the project to build a whole car being scrapped, Dyson has announced that work will continue on improving the battery technology that would have been used in the car.  Dyson had originally planned to invest £1 billion in development of the car and invest another £1 billion in developing the electric battery technology, something that was closer to its existing business.

Even though there was great sadness among Dyson employees, and a question mark hangs over the future of those employed in the UK electric car division, Sir James Dyson said that his company had successfully built a “fantastic electric car”.

What Went Wrong?

Producing vehicles and competing in a car market where there are already well-established and experienced car companies, such as Volkswagen, which is spending £50 billion on its own electric vehicles, requires massive amounts of money, capital investment, and the addition of different core skills and competencies to the ones that Dyson has. Also, Singapore (compared to China or Malaysia) looked likely to be an expensive place to manufacture the vehicles.

Even though Dyson’s team was able to relatively quickly produce a working prototype, and convince some media commentators that it would become a serious challenger with a high-risk, high level of difficulty ‘new product in a new market’, it looks likely that the numbers didn’t add up and Dyson chose to ‘stick to the knitting’ (its core business) and not to risk the whole company and its brand on the expensive venture.

Harley Davidson Too

Just as Dyson announced that it was scrapping its electric car project, U.S. motorcycle giant Harley-Davidson announced that it was halting production of its first electric motorbike.  In Harley Davidson’s case though, the stopping of production was down to an issue with its charging system.

What Does This Mean For Your Business?

Sir James Dyson’s positive view of this being more of a change of direction for a project (which is not likely to be the last change of direction) must mask some sadness that the company came so close to producing an electric car which may have been well received on the back of the company’s adventurous and innovative image. The numbers, however, simply wouldn’t stack up, and the announcement of Dyson pulling the plug is unlikely to have come as a major surprise to the long-established automotive players who know just what it takes to produce, supply and compete successfully in the car market. That said, a relatively new car market player and likely competitor of Dyson, Tesla, has established itself as a real contender in the electric car market with its Model 3.

New Law To Advance Fast Broadband Roll-Out Announced

Amendments to the UK’s Electronic Communications Code will give broadband operators compulsory rights to install their apparatus on another person’s property, thereby getting around the problem of landlords not responding to requests for access to blocks of flats and apartments.

The Challenge

The challenge that has prompted the government to seek changes to the current legislation has been a claim by broadband operators that 40% of their requests for access to blocks of flats and apartments have routinely received no response. This has been blamed for slowing down the UK government’s plans to deliver the target of national full-fibre coverage by 2025 and develop the kind of digital infrastructure that could boost growth and boost productivity.

The Law

Prior to 2017, the UK law that applied to relations between landlords and telecoms operators in respect of installing and maintaining electronic communications apparatus on land and buildings was the Telecommunications Code in the Telecommunications Act 1984 (amended by the Communications Act 2003). This Telecommunications Code has now been replaced by the new Electronic Communications Code (as part of the Digital Economy Act 2017). The new code means that a broadband operator can now apply for compulsory rights to install apparatus on another person’s property.

It is thought this change to the law will mean that an extra 3,000 (estimated) residential buildings (flats and apartments) per year can now have modern broadband installed.

Rural Challenge

The government still faces a considerable challenge in getting more rural areas connected in order to meet its broadband and mobile network roll-out targets, and there is currently a digital divide between urban and rural areas of the UK.  The government has recently announced, however, that £5bn new funding will be made available to bring gigabit-capable broadband to harder-to-reach, rural parts of the UK as well as a change in planning rules to help the roll-out of 5G.

What Does This Mean For Your Business?

Now that operators don’t have to wait for responses from landlords, this could make the chance of the government meeting its broadband targets a little more likely and could help boost the economy.

Broadband is an essential service for business and despite this positive change in the law, many UK business owners still know that broadband services in the UK can sometimes be patchy and often expensive, while ‘Which?’ research shows that the UK ranks only 31st in the world for average broadband speeds. Those businesses in rural areas are also finding themselves facing the challenge of a growing digital divide between rural and urban that is adversely affecting their competitiveness.

Even with this change in the law, being able to meet the target of national full-fibre coverage by 2025 is a big ask and it is estimated that the UK may only have 7% full-fibre coverage by 2020.

Digital ‘Pressure’ For Accountants

A report by IT company Prism Solutions has highlighted how traditional accountancy firms are having to change rapidly to meet challenges such as Cloud computing, GDPR and HMRC pressing quickly ahead with ‘Making Tax Digital’ (MTD).

MTD

According to the report, the whole accountancy profession is now on the verge of an evolutionary change and accountancy firms will need to develop into digital practices in order to compete and survive.

One of the key change drivers and challenges for accountancy firms is HMRC’s ongoing ‘Making Tax Digital’(MTD) initiative which has been designed to eradicate paper from the tax filing process and to make the UK tax system more effective, efficient and easier for taxpayers to use.

The fact that an estimated 1.2 million businesses are subject to the MTD VAT rules (for VAT periods starting on or after 1 April 2019, or 1 October 2019 for more complex organisations), must now keep VAT records in a digital format and submit their VAT returns to HMRC using MTD-compatible software (yet can’t do so using HMRC’s website) means that they are turning to accountancy firms to submit the returns on their behalf. This leaves accountancy firms with new challenges such as having to adapt quickly to a different type of interaction with their clients, who are looking for accountants to be experts on the digital process and to provide instant service and issue resolution. Accountancy firms are also facing possible problems if HMRC doesn’t do enough to communicate MTD to relevant businesses.

Always On

The Prism Solutions report highlights how accountancy clients now expect technology to be ‘always on’ 24/7, and that the ability of an accountancy firm to connect with its clients in real time, and to offer access to real-time data that’s always on, is an important way in which it can deliver an exceptional client experience.

Other Challenges

The Prism report also notes that, just as Cloud computing, GDPR, and MTD are already having an impact on accountancy, other emerging challenges to the profession include the development of AI technologies, blockchain and crypto-currencies.

What Does This Mean For Your Business?

Having to digitise accounts is providing challenges to both businesses and accountancy firms and looks set to change aspects of the relationship between the two.  Accountancy firms are realising that embracing all forms of ‘digital’ is a key enabler to enhancing productivity, and that becoming part of the digital revolution with their clients will enable them to not just offer a better service, but also to grow as they take advantage of new revenue-generating opportunities and position themselves as the go-to adviser for their clients.

As well as expecting ‘always-on’ service and digital expertise from accountancy firms, business customers will still want to use their accountants as a source of business advice for business planning, strategy, and market development (for example), and getting better at using digitisation to do this could be another way in which accountants could keep delivering value to businesses.

Tech Tip – Any.do

Any.do is an award-winning to-do list, calendar, planner and reminders app that can help you to increase your productivity and stay on top of things.

The app allows you to add tasks and manage shared projects, and to create a prioritised to-do list that you can actually stick to.

The app also gives you classic, location-based, recurring, missed call, and follow-up meeting reminders, while providing a calendar that can be turned into a powerful productivity tool. You can also add tasks hands-free and use voice commands to manage your to-do lists.

The Any.do app is available on the Google Play Store and on Apple’s App Store.

Thomas Cook Customers and Employees Targeted By Phishing Attacks

Security researchers at Skurio Ltd have warned employees and customers of Thomas Cook to be vigilant after it detected the registration of 53 Thomas Cook-related domains in the week after the travel operator went into receivership.

Phishing Risk

The risk is that cyber-criminals may be seeking to exploit a search for information from customers and staff affected by the company’s collapse to launch phishing attacks.  For example, Thomas Cook-related domains that have been registered but don’t have a holding page or landing-page on them could be used to create a legitimate-looking email address as part of phishing attempts.

German Site

One of the Skurio analysts, John Evans, reported finding a .de Thomas Cook-related domain that hosted a page that pretended to be a legitimate business, but was using the Thomas Cook likeness to make money from customer refund claims.

25% Just Piggybacking

The Skurio researchers found that 25% of the domains registered appeared to be simply piggybacking off the collapse of Thomas Cook, and were using their domains to redirect to other websites.

Holding Pages + Advert Clicks

The researchers discovered that 50% of the recently registered domains had holding pages for websites on platforms like Wix or WordPress (awaiting a full live site).  Some other domains were discovered to be used for ad clicks and ad revenue e.g. with adverts for booking a new holiday or finding jobs for Thomas Cook employees.

Thomas Cook Contracted Skurio

Skurio were monitoring the Thomas Cook-related domain situation because (as reported by Skurio) Thomas Cook had contracted Skurio, long before its collapse, to monitor surface, deep and Dark Web sources in order to provide early data breach detection services. It was as part of this service that Skurio was scanning for new domain registrations relating to Thomas Cook services. According to Skurio, this scanning involved looking for domains set up with subtle spelling errors or additional terms that a customer may expect to see, in order to send phishing emails, create fake social media accounts or capture customer details online.
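As an added example (not Skurio’s tool or any code from the original report), the following Python scanner implements the two checks just described: it flags newly registered domains that resemble a brand label through subtle misspellings or look-alike characters, and domains that combine the brand with terms a worried customer or employee might expect to see. The brand label, lure-term list, homoglyph table, public-suffix list and the sample registrations are all constructed for the example.

```python
# Added example, not Skurio's code: flag newly registered domains that
# resemble a brand through subtle misspellings (edit distance, look-alike
# characters) or by appending customer-facing terms such as 'refunds'.
# Brand, term list, homoglyph table, suffix list and samples are constructed.
from typing import List, Tuple

BRAND = "thomascook"
# Terms a customer or employee might expect to see; longest first so that
# 'refunds' is stripped before 'refund' is tried (constructed list).
LURE_TERMS = sorted(
    ("refund", "refunds", "claim", "claims", "jobs", "careers", "help",
     "support", "compensation"), key=len, reverse=True)
# Characters and digraphs commonly swapped in for letters (constructed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}
# Small stand-in for the public suffix list, enough for the sample data.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.nz"}

# Constructed sample of 'new registrations'; none of these are real findings.
SAMPLE_REGISTRATIONS = [
    "thomascook.com",
    "th0mascook.de",
    "thomascook-refunds.co.uk",
    "thomascok-jobs.com",
    "thornascook.com",
    "example.org",
]


def registrable_label(domain: str) -> str:
    """Return the registrable (second-level) label in lower case, ignoring
    any scheme, path, subdomains and a one- or two-level public suffix."""
    host = domain.lower().strip().split("/")[0]
    parts = [p for p in host.split(".") if p]
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LEVEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def fold_homoglyphs(label: str) -> str:
    """Map look-alike characters back to the letters they imitate."""
    for lookalike, letter in HOMOGLYPHS.items():
        label = label.replace(lookalike, letter)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str = BRAND) -> Tuple[str, str]:
    """Return (verdict, reason); verdicts are 'brand', 'lookalike',
    'brand-plus-term' or 'unrelated'."""
    label = registrable_label(domain)
    folded = fold_homoglyphs(label.replace("-", ""))
    if folded == brand:
        if label == brand:
            return "brand", "exact brand label"
        return "lookalike", "brand spelled with look-alike characters or punctuation"
    # Strip one lure term so 'thomascok-jobs' is compared to the brand as 'thomascok'.
    core, term = folded, None
    for candidate in LURE_TERMS:
        if candidate in folded:
            core, term = folded.replace(candidate, "", 1), candidate
            break
    if core == brand:
        return "brand-plus-term", f"brand combined with '{term}'"
    distance = levenshtein(core, brand)
    if distance <= 2:
        suffix = f" plus '{term}'" if term else ""
        return "lookalike", f"edit distance {distance} from brand{suffix}"
    if brand in folded:
        return "brand-plus-term", f"brand embedded in longer label '{folded}'"
    return "unrelated", "no resemblance to brand"


def scan(domains: List[str]) -> List[Tuple[str, str, str]]:
    """Return (domain, verdict, reason) for every domain that is not 'unrelated'."""
    flagged = []
    for domain in domains:
        verdict, reason = classify(domain)
        if verdict != "unrelated":
            flagged.append((domain, verdict, reason))
    return flagged


if __name__ == "__main__":
    for hit in scan(SAMPLE_REGISTRATIONS):
        print(hit)
```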

What Does This Mean For Your Business?

It is not uncommon for cyber-criminals to launch campaigns to take advantage of a popular information search by customers after events such as a high-profile security breach or company collapse.  This is because people may let their guard down and may simply not suspect such an underhand tactic, which is the kind of human error based on emotion that cyber-criminals are counting on.

Phishing attacks are all too common, and a recent APWG report showed that phishing attacks continued to rise in the summer of 2019, with cyber-criminals focusing on branded webmail and SaaS providers.

Companies can help guard against phishing attacks by educating and training all staff to be able to spot possible fraudulent tactics, and by encouraging and empowering them to question and refer any suspicious activity that could help to protect the business. Having clear systems for staff to follow, including carefully verifying any new payment requests before authorising them, and continuously promoting online vigilance can be well worth the effort in the fight against phishing, and the generally increasing number of social engineering attacks that companies are facing.