Monday, 31 October 2011
Spy Smartphone Software Tracks 'Every Move'
http://news.sky.com/home/technology/article/16099260
Tax rebates stolen by Revenue and Customs hackers – from today’s Sunday Times
Fraudsters have found a way to hack into government tax records and divert refunds meant for others into their own bank accounts.
An investigation by The Sunday Times has revealed that criminals are secretly examining HM Revenue & Customs’ records looking for anyone who has paid too much tax. They then change the details of the bank accounts into which the repayments are to be made.
Alternatively, the hackers file fictitious tax returns showing large overpayments directly into the HMRC computer in the names of genuine taxpayers, then ask for refunds.
Victims become aware of the scam only when they are officially contacted by HMRC and told an overpayment is being transferred into their account.
HMRC is now facing questions over its security procedures and how the hackers are able to infiltrate its records. Experts claim it has failed to react as promptly as the banks to the risk of online fraud.
Roger Symes, 53, a ship broker from Surbiton, in south-west London, received a letter last month from HMRC advising him of a refund. He said: “They gave details of a bank account into which they were paying the money, but it wasn’t my bank account.
“My accountant said he had the same problem with 18 other clients.” The refunds applied for were between £100 and £4,000.
The hackers are accessing the tax files using the sign-on and passcodes assigned to accountants who file clients’ tax returns online. How they are obtaining these security details is unclear. It is not known whether it is via computer attacks on individual accountancy firms or by breaching HMRC’s own systems.
One hacker who spoke to The Sunday Times this year said he had accessed HMRC’s systems and had been able to obtain details of agent sign-ons and passcodes. A security expert said the claim was credible but HMRC denied its systems had been compromised.
Once a hacker has an agent sign-in, he can read the tax records of all the accountant’s clients, amend them and change the bank account details. Accountants who have spoken to this newspaper said hackers have been accessing taxpayer records for at least two years.
Claire Savage, a chartered accountant in Milton Keynes, Buckinghamshire, spotted irregularities in one of her clients’ files in June last year.
She said: “I called him up to ask about his new bank account, which turned out not to be his at all. When I realised that security had been breached I went through all of my clients’ files. A fair chunk of them — around 10 — were affected, and repayments of up to £3,000 had been requested in each case.” None of Savage’s clients lost money to the fraudsters.
Ralph Hayden, a chartered accountant at GW Cox & Co in Frinton-on-Sea, Essex, said 41 of his clients had been affected by a similar scam, which was first noticed in November 2009.
He said: “HMRC said that it must be our systems that had been breached but we called in computer experts who confirmed that it definitely wasn’t.
“In most cases, a tax return had not yet been filed, so a false return was submitted. In others, their returns had been edited, so that a repayment was now due. HMRC were not advising their frontline staff in case it was an inside job.”
On hmrconline.com, a blog about the HMRC, one taxpayer reveals that his accountant was also targeted. The posting states: “We recently returned from holiday to the news that 91 of our accountant’s client accounts had been hacked at the HMRC government gateway website.
“Hackers had accessed information on 91 individuals or organisations and had entered false end-of-year accounts in order to claim self-assessment refunds.
“We then received a letter from HMRC to advise us that the refunds were on their way to what we knew were false accounts. They actually paid out. HMRC now apparently know what they have done but to add insult to injury they have now started to send demands for repayment to the people [whose] accounts had been hacked.”
Unlike HMRC, the big banks ask customers conducting transactions online to provide additional passcodes for each financial transaction. These are generated by inserting a bank card into a hand-held reader provided by the bank.
Jason Hart, managing director of Cryptocard, a computer security company, said: “If you just had a static passcode, then once it’s compromised, you’re going to be a massive target for the fraudsters. It’s an invisible threat because they can get into your system at any time and you don’t even realise.”
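The difference between a static passcode and a per-transaction code, as an added example that is not part of the article or of any HMRC or bank system. It uses HOTP (RFC 4226) as a stand-in for the card-reader scheme, which the article does not specify; the class names and the sample passcode are hypothetical.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time passcode for one counter value (HOTP, RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class StaticLogin:
    """Sign-on guarded only by a fixed passcode (hypothetical model)."""
    def __init__(self, passcode: str):
        self._passcode = passcode

    def verify(self, submitted: str) -> bool:
        return hmac.compare_digest(self._passcode, submitted)

class OneTimeLogin:
    """Verifier that accepts each code once, then moves the counter on."""
    def __init__(self, secret: bytes, window: int = 3):
        self._secret, self._next, self._window = secret, 0, window

    def verify(self, submitted: str) -> bool:
        for counter in range(self._next, self._next + self._window):
            if hmac.compare_digest(hotp(self._secret, counter), submitted):
                self._next = counter + 1  # this and earlier codes are now dead
                return True
        return False

def replay_outcomes():
    """Return (first use, replay) results as (static, one-time) pairs."""
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    static, one_time = StaticLogin("agent-passcode"), OneTimeLogin(secret)
    seen_static, seen_code = "agent-passcode", hotp(secret, 0)  # observed once
    first = (static.verify(seen_static), one_time.verify(seen_code))
    replay = (static.verify(seen_static), one_time.verify(seen_code))
    return first, replay

if __name__ == "__main__":
    print(replay_outcomes())
```

The static passcode is accepted both times it is presented; the one-time code is accepted once and rejected on replay.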
Sunday, 30 October 2011
Spy Smartphone Software Tracks 'Every Move'
11:14am UK, Sunday October 30, 2011
Sam Kiley, security editor
As marketing pitches you don't get much lower: "Track every text, every call and every move your spouse makes…"
Yes, software manufacturers have harnessed the green-eyed monster.
"A cell phone plays a role in almost every affair," said one producer of mobile phone spyware.
Another spelled it out: "When you begin to notice signs of a cheating spouse, the best way to catch that cheat is to spy on his or her cell phone using spy software.
"Such software is required because the cell phone has become the modern day keeper of secrets and its uses are as versatile and diverse as their makes and models."
But it is not just for jealous partners.
Software designed to completely mine every secret on a smartphone can track its users, record their calls, copy their emails, read their text messages and bug the rooms the phones are sitting in.
Jason Hart, a cyber security expert with Cryptocard, explained how easy it is to turn a mobile phone into a pocket spy.
It starts with a little 'social engineering'.
By hacking the phone of someone the victim might trust, and learning something about them from reading their Tweets and Facebook page, the attacker will send a personalised email from a known account.
The user opens an email and an attached document: a picture, letter or PDF file.
A programme can be embedded in the attached document which takes the hacked user's phone off to a secret website which covertly downloads spying software onto the smartphone.
Shortened weblinks are also a risk.
"Using Facebook and Twitter (and) getting an individual to click on a shortened link would actually take them to a website and automatically install malware," said Mr Hart.
"There is no way that a victim would know his phone had been comprehensively hacked."
Attacks on smartphones shot up by 46% last year, and this year the percentage is likely to be in the thousands.
We loaded the commercial software onto my phone and very quickly Mr Hart was watching my emails come through.
The vendors of the software promised that he would be able to intercept and listen to my calls - we could not get that to work. But, as a bug, my phone was close to perfect.
The software meant Mr Hart could dial into my phone and it would secretly answer - broadcasting any conversation I was having near the handset back to him.
"Once a criminal or spy has got hold of software like this and loaded it onto your phone, there is very little indeed that you will be able to do either to detect or defend yourself. This is a total compromise," Mr Hart said.
Spyware can covertly operate all of a smartphone's functions from afar, turning it on and off, and stealing its secret contents.
Almost 500,000 new smartphones will be sold this year around the world.
Malware developers are running ahead of the industry's ability to develop tools which, in any case, would inevitably restrict how useful smartphones can be to a customer.
But, as losses to intellectual property theft are estimated to cost the UK £17bn a year, it is clear companies will be demanding an air gap between smartphones used for business - and smartphones used for everything else.
So, for the skiving worker, the truant teenager and the faithless spouse, there can only be a few words of advice - that phone isn't smart, it's a sneak.
Monday, 17 October 2011
Password Risks - Smart Phones at risk
An estimated 480 million smartphones will be sold this year. They are indeed wonders of technology.
Henry Harrison, from UK cyber security experts Detica, said: "This is a fully fledged computer that's sitting in your pocket." It can, and probably will, betray you as a result.
The flaw in the smartphone is that it is too useful and too user friendly - for users who trade convenience for security.
They collect our emails, store our bank details, we tweet and use Facebook on them. They are our bank vault, our confidante, our guide.
But as Cryptocard's Jason Hart demonstrated - they are our new Achilles heel.
Mr Hart purchased a cheap item of equipment from a high street electrical store and downloaded free software from the internet - all he needed to set up an "evil twin" Wi-Fi connection.
Criminals use these to harvest passwords and other sensitive data from smartphones or computers - often giving their Wi-Fi hotspots fake names familiar to punters at cafes and in airports.
Full story: http://news.sky.com/home/technology/article/16090250
Monday, 10 October 2011
Facebook Passwords
Social media users are increasing their chances of identity fraud by providing clues to their online passwords.
A study by me, commissioned by life assistance company CPPGroup Plc (CPP), has revealed that one third (32%) of Facebook profiles contain at least two pieces of personal information such as their mother’s maiden name, date of birth, hobbies or children’s names. This information is often also used as a password or as an answer to a security question when users look to reset their online account log-in details.
In the study, details including the name of the user’s first school (64%), employer (46%), dates of birth (25%), children’s names (25%) and favourite football team (17%) were found to be visible on many people’s Facebook profiles.
As the most active social media users, those aged 18 to 24 with a Facebook account are the most likely to publicise their personal information – and often to complete strangers. This age group has on average more than 250 friends but 81%[i] say they do not trust all of their Facebook ‘friends’. Half (50%) have accepted a friend request from a total stranger and 9% would accept an invitation from someone they did not know if they were good looking or popular.
But it’s not just the 18 to 24 year olds who are making themselves vulnerable - users of all ages are putting themselves at risk. One third (33%) of all those with a Facebook account admit to accepting an invitation from people they had never met before, with 38%[ii] confessing they don’t know everyone they are friends with on the site.
Over half (52%) of the Facebook account holders questioned had received friendship requests from strangers. And despite recent media controversy around privacy and security on the site, one in twenty (6%) users allow anyone and everyone to see their entire profile.
Danny Harrison, CPP’s identity fraud specialist, is calling on individuals not to use personal information for online passwords or security questions.
“It isn’t a good idea to use personal information for passwords online. Sharing is the whole point of Facebook and other social media sites, so users are naturally going to promote their personal information online. The problem is this information could be used by fraudsters to reset passwords and access people’s online accounts. To compound the problem, there are tools available online that can capture keywords from a website, including a Facebook profile, and others which will trial variations of the identified keywords until a password match is found.
For this reason, we are advising people to not use personal information as a means to verify their online identity and facilitate access to their online accounts.”
Personal information most commonly used as passwords[iii]:
1. Interests
2. Hobby
3. Favourite football team
4. Favourite football player
5. Children’s names
6. First school
7. Pet’s name
8. Dates of Birth
9. The user’s name
10. Maiden name
For further details please refer to my white paper.
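One way a site could enforce this advice when a password is set, as an added example that is not from the study or the white paper: reject a new password that contains the user's own profile details, including simple character substitutions. The function names, profile fields and sample values are constructed for illustration.

```python
import re

# Undo common character substitutions before comparing (assumed mapping).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def _squash(text: str) -> str:
    """Lower-case and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def profile_tokens(profile: dict, min_len: int = 4) -> set:
    """Words and date forms from a profile that must not appear in a password."""
    tokens = set()
    for value in profile.values():
        for word in re.split(r"[^A-Za-z0-9]+", value):
            if len(word) >= min_len:
                tokens.add(word.lower())
        date = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", value)
        if date:  # common ways of writing a date of birth
            y, m, d = date.groups()
            tokens.update({y, d + m + y, d + m + y[2:], m + d + y[2:]})
    return tokens

def personal_info_in_password(password: str, profile: dict) -> list:
    """Return the profile tokens found in the password (empty list = none)."""
    forms = {_squash(password), _squash(password.translate(LEET))}
    return sorted(t for t in profile_tokens(profile)
                  if any(t in form for form in forms))

# Constructed sample profile, using the kinds of detail listed above.
SAMPLE_PROFILE = {
    "first_school": "Hillside Primary",
    "football_team": "Everton",
    "child_name": "Amelia",
    "date_of_birth": "1985-03-14",
}

if __name__ == "__main__":
    for candidate in ("Ev3rt0n!2011", "amelia140385",
                      "correct horse battery staple"):
        print(candidate, "->", personal_info_in_password(candidate, SAMPLE_PROFILE))
```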
Friday, 7 October 2011
Sky News Live Web Chat
Join Our Chat On Smartphone Security
Wifi can make smartphones potentially vulnerable to hackers
11:18am UK, Monday October 17, 2011
The growing number of iPhones, BlackBerrys and other smartphones provide an opportunity for cyber criminals to steal your data.
More than four million people in the UK have been the victims of identity fraud, with wifi access meaning secret passwords stored on your devices are vulnerable.
Ethical hacker Jason Hart answers your questions on how to keep your smartphone safe.