Security

Security Flaw Discovered In NHS Anaesthetic Machines

Cybersecurity firm CyberMDX has reported the discovery of a security flaw in some Internet-connected GE Healthcare anaesthetic machines which could leave them vulnerable to hacks.

Security Flaw

The security flaw has been described as the exposure of the configuration of certain terminal server implementations that extend GE Healthcare anaesthesia device serial ports to TCP/IP networks. This could potentially mean that when the devices are connected to the Internet, they could be remotely targeted by hackers who could modify the parameters of the anaesthesia devices. According to CyberMDX, this could mean that hackers could silence device alarms and even adjust anaesthetic dosages or switch anaesthetic agents.

Johnson & Johnson

The threat discovered in GE Healthcare anaesthetic devices may not sound too unlikely when you consider that back in October a security vulnerability was discovered in one of Johnson & Johnson’s insulin pumps (the Animas OneTouch Ping insulin pump) that a hacker could exploit to overdose diabetic patients with insulin.  Even though the company described the risk as “extremely low”, it still led them to take the precaution of sending letters outlining the problem to 114,000 people, doctors and patients, who used the device in the US and Canada.

Affected Machines

The affected GE Healthcare anaesthetic machines are reported to include Aestiva and Aespire versions 7100 and 7900.  It has been reported that some are used in NHS hospitals.

Suggestions

Some of the suggestions offered by GE in response to reports of the possible vulnerability (which may not be exclusive to just GE machines) are for hospitals/users to use secure terminal servers with strong encryption, and to use a VPN and other features to protect against hacks.

Also, GE suggests that organisations should use industry best practices and secure deployment measures e.g. network segmentation, VLANs and device isolation.

What Does This Mean For Your Business?

Where any device has an Internet connection e.g. IoT devices, there is now a risk of a possible attack, but the fact that these are medical machines which could lead to serious human consequences if remote hackers were able to tamper with them makes this story all the more alarming.

If, as GE and the US Department of Homeland Security have pointed out, all equipment is correctly isolated wherever possible, unnecessary accounts protocols and services are disabled, and best practice is followed, the risk should be very low indeed.

This story does, however, highlight how all businesses and organisations should take the security of smart/IoT devices seriously, particularly where there could be a clear human risk.

Microsoft Criticised By UK’s Cyber Security Agency Over Dmarc

The UK’s National Cyber Security Centre (NCSC) has complained that it has been unable to compile meaningful statistics and draw meaningful conclusions about email security in its latest report because Microsoft stopped sending Dmarc reports two years ago.

What Is Dmarc?

Domain-based message authentication, reporting and conformance (Dmarc) is a protocol, developed by the Trusted Domain Project, to help provide greater assurance on the identity of the sender of a message, and it builds upon the email authentication technologies SPF and DKIM developed over a decade ago and the work on a collaborative system pioneered by PayPal Yahoo! Mail and later Gmail.

Dmarc allows email and service providers to share information about the validity of emails they send to each other, including giving instructions to mailbox providers about what to do if a domain’s emails aren’t protected and verified by SPF and/or DKIM e.g. moving a message directly to a spam folder or rejecting it outright. Information about messages that have passed or failed DMARC evaluation is then fed back to a DMARC register, thereby providing intelligence to the sender about messages being sent from their domain and enabling them to identify email systems being used by spammers.

Dmarc works on inbound email authentication by helping email receivers to determine if a message “aligns” with what the receiver knows about the sender and if not, Dmarc includes guidance on how to handle the “non-aligned” messages e.g. phishing and other fraudulent emails.

Why Were Microsoft’s Dmarc Reports So Important?

Microsoft’s email platforms form one of the biggest receivers of email, and data from Microsoft about the number of emails failing Dmarc gives a good indication of the number of suspicious emails being sent.  The lack of this data in the NCSC’s Mail Check service means that the NCSC’s ability to monitor and report on email security driven by Dmarc adoption has been hampered. This blind spot could have a knock-on negative impact on email security for everyone.

Public Sector Uptake – Good News

The NCSC’s latest report contains good news, however, about a significant uplift in the public sector adoption of email security protocols.  For example, public sector domains using Dmarc more than tripled from December 2017 to December 2018 to 1,369, and the number of domains with a Dmarc “quarantine” or “reject” policy (to prevent suspicious emails being delivered to inboxes) also tripled.

What Does This Mean For Your Business?

Having a collaborative intelligence sharing and effective protocol and process such as Dmarc that is being widely adopted by many organisations has significantly improved email security.  This is particularly valuable at a time when businesses face significant risks from malicious emails e.g. phishing and malware, and email is so often the way that hackers can gain access to business networks.

Sharing intelligence about the level and nature of email security threats and how they are changing over time e.g. in the trusted NCSC report, is an important tool to help businesses and security professionals understand more about how they tackle security threats going forward.  It is, therefore, disappointing that one of the world’s biggest receivers of email, which itself benefits from Dmarc, is not providing reports which could be of benefit to all businesses and organisations.

Facebook Launches Martin Lewis Anti-Scam Service

Facebook has launched a new anti-scam service using the £3m that it agreed to donate to the development of the programme in return for TV consumer money champion Martin Lewis dropping his legal action over scam ads.

What Legal Action?

Back in September 2018, MoneySavingExpert’s (MSE) founder Martin Lewis (OBE) took Facebook to the UK High Court to sue the tech giant for defamation over a series of fake adverts bearing his name.  Many of the approximately 1000 fake ads, bearing Mr Lewis’ name appeared on the Facebook social media platform over the space of a year, could and did (in some cases) direct consumers to scammer sites containing false information, which Mr Lewis argued may have caused serious damage to his reputation, and caused some people to lose money.

In January 2019, Mr Lewis Facebook came to an agreement with Facebook whereby he would drop his lawsuit if Facebook donated £3 million to Citizens Advice to create a new UK Scams Action project (launched in May 2019) and if Facebook agreed to launch a UK-focused scam ad reporting tool supported by a dedicated complaints-handling team.

How The New Anti-Scam Service Works

Facebook users in the UK will be able to access the service by clicking on the three dots (top right) of any advert to see ‘more options’ and “report ad”.  The list of reasons for reporting the ad now includes a “misleading or scam ad” option.

Also, the Citizens Advice charity has set up a phone line to help give advice to victims of online and offline scams.  The “Scams Action Service” advisers can be called on 0300 330 3003 Monday to Friday, and the advisers also offer help via live online chat.  In serious cases, face-to-face consultations can also be offered.

What To Do

If you’ve been scammed, the Citizens Advice charity recommends that you tell your bank immediately, reset your passwords, make sure that your anti-virus software has been updated, report the incident to Action Fraud, and contact the new Citizens Advice Scams Action service: https://www.citizensadvice.org.uk/scamsaction/

What Does This Mean For Your Business?

It is a shame that it has taken the threat of a lawsuit over damaging scam ads spread through its own platform to galvanize Facebook into putting some of its profits into setting up a service that can tackle the huge and growing problem of online Fraud.  Facebook and other ad platforms may also need to take more proactive steps with their advertising systems to make it more difficult for scammers to set up adverts in the first place.

Having a Scams Action service now in place using a trusted UK charity will also mean that awareness can be raised, and information given about known scams, and victims will have a place to go where they get clear advice and help.

£183 Million Fine (Biggest Ever) For BA Data Breach

The Information Commissioner’s Office (ICO) has imposed a £183 million fine on British Airways, the biggest fine to date under GDPR, for a data breach where the personal details of 500,000 customers were accessed by hackers.

The Breach

The breach, which involved criminals using what is known as a ‘supply chain hack’ took place between 21st August and 5th September 2018.  The attackers were able to insert a digital skimming file, made up of only 22 lines of JavaScript code, into the online payment forms of BA’s website and app. The malicious page in the app (identified by a RiskIQ researcher) was built using the same components as the real website, thereby giving a very close match to the design and functionality of the real thing. The skimming file meant that payment details entered into the malicious page by customers were intercepted live by the hackers who are believed to have been part of the Magecart group. Encryption was ineffective because the details were stolen before it reached company servers.

The fact that CVV codes were taken in the attack, which are not meant to be stored by companies, was a strong indicator of live skimming ‘supply chain’ attack.

Magecart is also believed to have used a similar digital skimmer hidden in a third-party element (chatbot) of the payment process to hack the Ticketmaster websites where 40,000 UK users were affected.

500,000 Affected In BA Breach

A staggering 500,000 personal and customer payment details were stolen in the BA Breach including names, email addresses, and credit card details including card numbers, expiry dates and the three-digit CVV codes.

Why Such A Big Fine?

The record-breaking £183 million fine was imposed because, under the General Data Protection Regulation (GDPR), a company can be fined 1.5% of its worldwide turnover and a maximum 4% of its worldwide turnover. In the case of BA, the £183 million equates to 1.5% of its worldwide turnover in 2017. 

The largest fine previous to this was imposed prior to GDPR under the old Data Protection Act where Facebook was fined £500,000 for its role in the sharing of customer data with Cambridge Analytica.

What Does This Mean For Your Business?

This enormous fine is a reminder of the powers granted to the ICO under GDPR and of just how seriously matters of data protection are now viewed, particularly where large companies which should have the protective measures in place are concerned. Even though BA has expressed surprise at the size of the fine it is worth remembering that 500,000 customer details were stolen including credit card numbers by what was actually a well-targeted and tailored but relatively simple method of attack.  This exposed vulnerabilities in the payment systems of a big company that should really have been picked up earlier.  

Despite the fine being £183 million at 1.5% of BA’s worldwide turnover, it could have been worse since the maximum fine is 4% of turnover. The fine for BA should send a powerful message to other corporations that they need to make the data protection of their customers a top priority.

1000+ Android Apps Harvest Our Data Without Our Permission

Researchers from the International Computer Science Institute have reported that up to 1,325 Android apps are gathering data from devices after people have denied them permission, and Google claims that it will address the problem with the introduction of the new Android “Q” Operating System.

Apps Finding Way Around Privacy Restrictions

According to the ICSI researchers, who presented their findings last month at the Federal Trade Commission’s PrivacyCon, 1000+ apps are finding their way around privacy restrictions and are able to gather geolocation data, phone identifiers, and other data from users who may be thinking that they have successfully denied apps access to such data.

For example, in the study of 88,000+ apps from the Google Play store, the researchers were able to identify 1,325 apps that violate permissions on Android by using workarounds hidden in their code that can enable personal data to be taken from multiple sources including Wi-Fi connections and metadata stored in photos.

Which Apps?

The researchers highlighted apps such as Shutterfly photo-editing app which gathers GPS coordinates from photos and sends the data to its own servers, even after users have declined to give permission to access location data, and Baidu’s Hong Kong Disneyland park app and Samsung’s Health and Browser apps were found (like 13 other apps) to be able to piggyback off other apps that had been granted permission in order to obtain data like phone identifiers and IMEI numbers.

Android Q Could Help

It is thought the introduction of the latest (17th) version of Android’s Operating system, Android Q, released as a beta on March 13th and due for wider release later this year may be able to address many of these privacy concerns thanks to more stringent security features.  For example, users will be able to definitively choose and control when apps have permission to see their location i.e. never, only when the app is in use and running, or all the time when in the background. With Android Q, background apps won’t be able to jump into the foreground, and there will also be new permissions relating to the accessing of background photos, video, and audio files.

What Does This Mean For Your Business?

With mobile and app use being a normal part of everyday life, and with most people unable and unlikely to spend the time checking permissions and T&Cs on everything, we have to take on trust that when we deny it permissions, an app will abide by our decisions.  It may be a surprise, therefore, at a time when GDPR is in force and data privacy and security is a topic that many users think about and actively try to protect that so many apps are able to find workarounds that enable them to keep gathering data about us. It appears that it may be much more difficult to stay private online than many of us believe.

It is good news, therefore, that Android Q may provide a way to offer us greater protection and provide more of a challenge to companies and organisations that want access to our data e.g. to help target us with advertising, even though app developers may argue that they are simply using the gathered data to help enhance and personalise our experiences of their apps (to keep us using them).  App developers are in a highly competitive and crowded market and although gathering and using customer data to make their apps more indispensable may seem legitimate, most of us value our online privacy, would object to having our data permissions effectively ignored, and may feel frustrated that we still have so few tools and cues to help us effectively control our privacy.

Latest Windows 10 Update Causes Problems For VPN Enterprise Users

The latest update to Windows 10 could break the platform’s Remote Access Connection Manager (RASMAN) and, therefore, cause problems with VPN for Enterprise users with certain settings.

Potentially Millions

Given that the latest Windows update which contains the problem code accounts for 50 million users, it was initially thought that a problem may have been created on a massive scale. Microsoft has, however, said that the code problem will only impact Windows 10 Enterprise.

What’s The Problem?

With certain settings, the latest KB4501375 update for Windows 10 1903 contains code that appears to adversely affect the Remote Access Connection Manager (RASMAN), which manages how Windows 10 connects to the internet and, therefore, is affecting VPN services.  The interruption to VPN services happens for Windows 10 Enterprise and results from a non-default setting (the diagnostic data level being manually configured to the non-default setting of 0) when used in conjunction with a VPN profile being configured as ‘Always ON VPN’ (AOVPN).  This can result in an error “0xc0000005” being shown on devices as the RASMAN stops working, and reports indicate that users have also reported an error in the Application section of Windows Logs in the Event Viewer with Event ID 1000 listing “svchost.exe_RasMan” and “rasman.dll”.

VPN

A virtual private network (VPN) provides a secure, encrypted connection, between a user’s device and a server operated by the VPN service thereby meaning that apps running across a VPN benefit from the functionality, security, and management of the private network.

The VPN market has grown rapidly in recent years as users seek greater security, and the large number of mobile and wireless devices now used by businesses and organisations which need to access business applications from remote locations (employees securely accessing the corporate intranet while outside the office) has made VPN technology a crucial component across various business verticals.

What To Do

Microsoft is reported to be developing a fix for the problem with no timeframe as yet, but a workaround is shown near the bottom of the page on Microsoft’s support site here: https://support.microsoft.com/en-au/help/4501375/windows-10-update-kb4501375

What Does This Mean For Your Business?

Many businesses now have workers who need to access the company’s network securely from a variety of remote locations, and VPN has, therefore, become an important business tool.  Although there are many different VPN services, Microsoft is a big name, a trusted brand, and its Enterprise users (those with 500 or more computers and 250 for the public sector) may be those likely to be using Microsoft’s VPN.  The disruption to VPN caused by the update may, therefore, be significant and can’t help Microsoft in the highly competitive and growing VPN market. As well as being disruptive and potentially costly, having VPN problems could also pose a security and privacy risk to businesses. It may also be quite inconvenient having to wait for the fix to be developed, with no sign off it to date.

Visa Adopts Blockchain For Cross-Border, Bank To Bank B2B Payments

Visa is integrating blockchain technology with its core systems to enable participant businesses to make direct, cross-border, bank to bank payments to other corporate participants.

B2B Connect

The news system called Visa B2B Connect is being built using the Hyperledger Fabric framework from the Linux Foundation, and will mean that, rather than paying another corporate by cheque, automated clearing house or wire transfer, all of which require intermediary banks and exchanges, payments can be made directly and instantly from bank to bank of corporate customers.

This will mean cost and time savings, and the ability to pay and get paid 24-hours a day, regardless of location, local time differences, and other problematic traditional banking anomalies such as data truncation, payment delays and compliance issues.

Suite of APIs

The Visa B2B Connect system essentially provides a suite of Application Programming Interfaces (APIs) which allow participating banks to automate B2B, cross-border and cross-currency payments, by developing an end-to-end B2B payments solution to onboard customers, set up their suppliers, check Visa B2B Connect foreign exchange rates and submit payments. Alternatively, banks can choose to integrate just a subset of the APIs to address more specific needs e.g. checking on the status of certain payments through the Visa B2B Connect site.

Expansion Plans

Although the new system will only work for those corporates signed-up as participants to Visa’s pilot scheme, there are already plans to expand it so that it will cover more than 30 global trade corridors and 90 markets by the end of this year.

Benefits

The benefits that the blockchain-based B2B Connect system offers include cryptographically secured B2B transactions, transaction transparency and predictability, and the peace of mind and security of operating within a trusted network where all parties are known participants on a permissioned blockchain operated by Visa.

Blockchain Lacking Functionality

Recent research by Gartner showed that Only 11% of CIOs have deployed or are in short-term planning with blockchain, partly because of the fact that, at the moment, blockchain is a technology and not a complete, ready to use application, and therefore, lacks business-friendly features like a user interface, business logic, data persistence and interoperability mechanisms.

What Does This Mean For Your Business?

For corporates, Visa’s B2B Connect system appears to unlock some of the long-promised benefits of blockchain in terms of fast and easy cross-border payments, security, transparency, and the reassurance of a trusted name in the payments world.  Also, the fact that a suite of APIs are available to participants means that the system can be set up relatively easily, thereby tackling the issue (as highlighted by the Gartner research) of confusion among corporate tech heads about how best to incorporate blockchain and worries about there being few ready to use, complete applications available.

For smaller businesses the hope of being able to use blockchain to add value, reduce costs and gain competitive advantages is being boosted by a growing Blockchain as a Service (BaaS) market which offers the chance to deploy distributed ledgers without the cost or risk of deploying it in-house, and without needing to find in-house developers.  The cloud-based CRM platform ‘Salesforce’ for example, is adding a low code, blockchain-powered service that will allow enterprise users to share data with third parties in a secure, transparent, and auditable way.

Google’s reCAPTCHA v3 System Prompts Privacy Criticism

The widely used Google  reCaptcha V3 bot-detecting login system has come in for some criticism after two security researchers claimed that one of the ways that Google determines whether you’re a malicious user depends on whether you have a Google cookie installed on your browser, which could also mean that the privacy of your browsing habits may also be at risk in using the system.

What Is reCaptcha V3?

Google’s reCaptcha V3 is the latest version of Google’s bot-detecting login system, introduced last autumn, that can detect abusive traffic/malicious user-behaviour on your website without user friction i.e. without the need to tick an ‘I am not a robot’ box, or identify items in pictures.  With this version of the reCaptcha system, background monitoring assigns a risk score to a user, which then enables the system to decide how to handle that user e.g. if a user with a high-risk score tries to log in, they may then be required to use two-factor authentication. From Google’s point of view, the idea is to give users a better experience and avoid the kinds of interactions that can inhibit users from intuitively and painlessly reaching their goals within a digital interface. With reCaptcha V3, Google may be happy with the trade-off between the possibility of some inconvenience for legitimate users versus greater protection for websites.

Widely Used

It has been reported that 650,000 websites already use reCaptcha v3, including 25% of the top 10,000 sites.  This makes any concerns about the system a potentially serious issue.

What’s The Problem?

The concern suggested by the two researchers, Marcos Perona and Mohamed Akrout, who have studied reCaptcha V3 is that, being a Google product, not only does it appear likely to deem a user less of a risk if they have a Google cookie on their browser i.e. they have a Google account and are signed in, but that cookies like these can also pass on data which is unnecessary for login, about a person’s browsing habits, thereby posing a possible threat to privacy.

The research found, for example, that those who went to a website with reCaptcha v3 while logged into their Google account were given a low-risk score by the system, whilst those who visited using private browsers such as Tor or a VPN were scored as high risk. Also, the research found that to make the risk-score system work properly, web admins need to embed reCaptcha v3 code on all pages on the website.  This will enable reCaptcha to learn about how website users act on the site over time, thereby assisting the machine learning algorithm to generate more accurate risk scores. Unfortunately, installing reCaptcha v3 every page of a website could mean that those signed into their Google account are unwittingly passing on data about every web page they go to that has embedded reCaptcha v3, thereby potentially having their privacy compromised to an extent.

What Does This Mean For Your Business?

It should be remembered that these are the conclusions of pieces of research which may or may not have valid points, but it certainly wouldn’t be the first time that Google has been accused of potentially causing concern in matters of user privacy. For example, a microphone was discovered in Google’s Nest Guard product that was not listed in tech spec (which was put down to an erroneous omission by Google), and in December last year, research by Internet Privacy Company DuckDuckGo reported evidence that could show that even in Incognito mode, users of Google Chrome can still be tracked, and searches are still personalised accordingly.

Users and businesses appreciate the value of frictionless interactions and positive experiences with websites, as well as both appreciating the need to keep introducing new versions of products with improved security to stay one step ahead of attackers.  Privacy, however, is also an important issue, both legally and personally, and the heightened concerns about it may mean that Google gets a little bad publicity where users feel that data may be unnecessarily gathered, or is collected in a way that doesn’t appear to be made entirely obvious.

Is CCTV Surveillance By Amazon Drones The Future?

An Amazon patent from 2015 appears to indicate that Amazon may consider ‘surveillance as a service’ using a swarm of its delivery drones armed with CCTV, as a monetising opportunity in the future.

Patent

The details in the patent foresee customers paying for a tiered service that employs the onboard cameras of Amazon’s delivery drones visiting users’ homes in-between delivery routes and filming irregularities and potentially suspicious activities.  For example, the cameras could potentially be programmed to detect evidence of break-ins and lurkers on/near a property, and the onboard microphones could even be programmed to detect suspicious noises such as breaking glass.

Tiered Service

It is thought that such a service could offer different tiers of service (reflected by different pricing) based upon factors such as frequency of visits e.g. daily or weekly, monitoring type e.g. video or still, and alert type e.g. SMS, email, a call or via app ‘push’ notifications.

Privacy

There are likely to be some obvious privacy concerns with a private company using its drones to film an area where it has a customer. However in doing so, avoiding filming an area where it does not have permission to film would present a challenge.

The Amazon patent suggests a possible remedy in the form defining a “geo-fence” around the area that does have permission to be filmed so that the drone’s surveillance activities can be focused (to an extent).  The patent appears to accept, however, that some filming of the outside area of the fence could occur.

National Surveillance Camera Day

In a world first, last week the UK played host to an awareness-raising National Surveillance Camera Day on 20th June as part of the National Surveillance Camera Strategy. As part of the day’s events, an “doors open” initiative allowed the public to see first-hand how surveillance camera control centres are operated at the premises of signatories to the initiative in the UK e.g. local authorities, police forces, hospitals, and universities.

Drone Research Reveals Negative Perceptions Among The Public

For the most part, people accept that the presence of CCTV surveillance cameras in public areas, operated by local authorities, and the presence of CCTV on business premises are generally for the greater good as a crime-reduction tool.

The same cannot be said for drone-based surveillance.  For example, new research from the PwC has shown that public perception remains a barrier to drone uptake in the UK.  The results of the research showed that less than a third of the public (31%) feel positive about drones, and more than two-thirds are concerned about the use of drones for crime.  In contrast, businesses appear to have a much more positive perception of drone use with 35% of business leaders saying that drones aren’t being adopted in their industry because of negative public perceptions despite the fact 43% of those business people who were surveyed believed that their industry would benefit from drone use.

What Does This Mean For Your Business?

Amazon is a company that has continued to grow and diversify into many different areas in recent years, embracing and pioneering many different technologies along the way, such as parcel delivery drones. It is not unusual for companies, particularly big tech companies to introduce many patents with many new ideas. In that sense, it’s difficult to criticise Amazon for wanting to get maximum (monetising) leverage from its delivery drones from a business perspective.

There remain, however, some serious challenges to the ideas in the drone surveillance patent including privacy concerns, and problems with current negative public perceptions of drones.  This will require education around case-use for drones, and re-assurance around regulation and accountability – this is a public company and could be one of many using the skies to offer the same service once the floodgates are opened.

For some businesses, however, as identified by the PwC and by Amazon’s patent, drones potentially offer some great new business opportunities.  It should also be noted that drones can offer some potentially life-saving opportunities, such as the human kidney for transplant that was delivered by drone, in the first flight of its kind, to a Medical Centre in Baltimore in May this year, thereby getting the organ to the surgeons much faster than by road.

For Drones it seems, there remains many opportunities and challenges to come.

Fraud Reported on Deliveroo and Just Eat App

Some Deliveroo and Just Eat customers have reported that their accounts have been used to buy food that they didn’t order, but both companies deny a data breach.

What Happened?

Several Deliveroo customers are reported to have been sent an email from the company stating that the email address linked to their account had been changed, after which it was found that food had been ordered through their account by using credit which an unknown person had obtained by claiming refunds for previous orders.

In the case of Just Eat, some customers also reported having their card details used to purchase food that they had not ordered.

Another Source

Both companies are reported to have denied that their systems had been breached and have said that the customer details used to fraudulently order the food were obtained from another, third-party source.

Password Sharing

Deliveroo is reported as saying that cyber-criminals know that people re-use passwords for multiple online services and that they can obtain login credentials gained from other breaches on other sites to try to access Deliveroo accounts.  This clearly indicates that Deliveroo believes that password sharing may have been a key factor in this fraud.

Expect To Lose Money To Online Fraud

Online fraud is now so prevalent that it appears that many people are resigned to the fact that they will be directly affected, and the message about the dangers of password sharing is not getting through.

For example, the UK National Cyber Security Centre research from April shows that 42% of Brits expect to lose money to online fraud by 2021.

The UK Cyber Survey found also that 70% believe they will likely be a victim of at least one specific type of cyber-crime over the next two years, and that 37% of those surveyed agree that losing money or personal details over the internet is unavoidable these days. The survey also found that fewer than half of those questioned used a separate, hard-to-guess password for their main email account.

1234 Still Most Popular + Dark Net

It’s not just password sharing that’s the problem but also that many people still appear to be choosing obvious passwords.  For example, the NCSC’s recent study into breached passwords revealed that 123456 featured 23 million times, making it still the most widely used password on breached accounts.

Also, recent Surrey University research showed that cyber-criminals now have their own invisible Internet on the so-called ‘dark net’ to allow them to communicate and trade beyond the view of the authorities, and that login details obtained from previous breaches are relatively cheap and easy to buy there.

Not The First Time For Deliveroo

It should be noted that, even though Deliveroo appears to have put the burden of responsibility elsewhere for these recent attacks, some customers had their accounts hacked and unordered food purchases were made back in 2016.  At the time the company also blamed the problems on passwords that had been stolen from another service in a major data breach, although some security commentators have suggested that Deliveroo should now look at whether its security systems are secure enough.

What Does This Mean For Your Business?

If Deliveroo and Just Eat’s claims are to be believed, users of these and many other services may be leaving themselves open to fraud by making bad password choices and/or may be unaware that they are using login credentials that have already been stolen or can be obtained by methods such as credential stuffing. Making good password choices is a simple but important way that we can protect ourselves, and Action Fraud suggests that we should all use strong, unique passwords for online accounts and enable two-factor authentication where it is available.

Ideally, passwords should never be shared between accounts because if one breach has taken place on one site, login details can very quickly be tried on other sites by cyber-criminals.  For example, in January a collection of credential stuffing lists (login details taken from other site breaches) containing around 2.7 billion records, including 773 million unique email address and password combinations was discovered being distributed on a hacking forum.

Websites such as https://haveibeenpwned.com/ enable you to check whether your email address and login details have already been stolen in data breaches from other websites and platforms.