Eighty One Million Dollar Cyber Heist

I wrote recently about the Panama Papers, probably the largest and most significant data breach of our times. While the dust has settled for now, the breach cost the Icelandic Prime Minister his job and caused severe embarrassment to the British Prime Minister. Well, how about following that with the sobering tale of the world’s largest cyber heist to date? News is only now coming to light about the heist, which took place in February. Nearly $81 million was illegally transferred using the SWIFT interbank network from the Bangladesh Central Bank’s account with the Federal Reserve Bank of New York. The funds were transferred from New York to a Chinese businessman’s account in the Philippines. They were then transferred to local Filipino casinos for laundering, and the businessman in question – whose accounts have now been frozen – claims that his signatures on the fraudulent transactions had been forged. The fraudulent transfers took place on Friday February 5th, a day when the Bangladesh bank was closed, but the fraudulent transactions were not identified until the next day due to a ‘printer problem’. The Federal Reserve Bank was then closed over the weekend, meaning that a full response was not possible until the following Monday – which was, in turn, a public holiday in the Philippines. Details of the hack were kept from the Bangladesh government for ‘several weeks’. While the governor and two deputy governors of the Bangladesh Central Bank have been replaced following the breach and the Bangladesh banking system branded ‘incompetent’, it could have been much, much worse. The criminals requested a total of 35 transfers from...

The Panama Papers

Possibly the most significant data breach of our age. We’ve seen data breaches come and go; they make headlines for a couple of days, maybe a couple of weeks, and are largely forgotten, except by those whose data has been compromised and their subsequent victims. The ‘Panama Papers’ take data breach to a whole new level: they’ve already cost the Icelandic Prime Minister his job, and have made life very uncomfortable for David Cameron, the British Prime Minister, even if his sins would appear to be of lack of communication rather than financial impropriety. They’re not alone, though: 12 national leaders are listed among the 143 politicians. Well, Mossack Fonseca – the source of the data breach – is the world’s fourth biggest provider of offshore services; it has acted for more than 300,000 companies, more than half of which are registered in the UK or British administered tax havens. The scale of the breach in itself is mind boggling – 2.6 terabytes of data, comprising 11.5 million documents – extracted from Mossack Fonseca’s systems. That dwarfs the 1.7 gigabyte ‘Wikileak’ in 2010 or the 3.3 gigabyte leak of files from HSBC in 2015. The most recent breach is thought to have taken place in December 2015, but the papers are currently being analysed by 370 reporters from 100 media organisations. The documents take the form of 4.8m emails, 3m databases, 2m PDFs, 1m images and 320,000 image files. And the source of the breach? Well, the smart money currently suggests that Mossack Fonseca were using WordPress and Drupal plugins that stored database credentials in clear text. The Mossack Fonseca...

Don’t Stand So Close To Me!

Here at Compliance3 we major on Contact Centres and compliance. Our founders set up some of Britain’s first contact centres, or ‘call centres’ as they were called back in the day. We now work closely with major contact centres to help them improve and manage their compliance with regulations such as PCI DSS and the new EU General Data Protection Regulation (GDPR) that will replace Britain’s Data Protection Act. We are also, as you may have noticed, passionate about data security, and we were recently warned about a disturbing new means of electronic pick-pocketing that exploits contactless or NFC (Near Field Communication) technology. I love technology – call me ‘Inspector Gadget’ – and I confess there’s something slightly cool and ‘James Bond’ about paying one’s bar bill with a swipe of an Apple Watch or iPhone – that is, assuming your bar bill is under thirty quid. But a policeman friend recently sent me this photo of an electronic pick-pocket, purportedly taken on a London bus. The theft is simple: the thief simply has to register a ‘purchase’ on the NFC reader with a value of less than thirty pounds, then swipe the NFC reader past a trouser pocket that looks to have a wallet, and if there’s a contactless card in that wallet – kerching! Portable NFC readers (and copiers) are available on a well known auction site for under fifty pounds. Given that sometimes it’s impossible to avoid standing close to people, particularly on public transport, men might want to consider putting their payment cards in an inside jacket pocket, or investing in a wallet that offers NFC or RFID...

Card Details going cheap

We’ve written here, over the past twelve months, about some pretty significant data breaches. Some, like last October’s Talk Talk data breach, triggered an almost instant wave of spam and social engineering telephone calls. Elsewhere, the ‘dark web’ has long been the place for criminals to trade stolen data. The Daily Mail – last November – reported that a fraudster who called himself ‘The Martian’ was selling data stolen from Talk Talk for as little as £1.62 a time. Now, worryingly, stolen data has gone ‘mainstream’. The Times reported, on Saturday February 13th, that card data is now available for purchase on an openly available, if still illegal, website. The Times reports claims that details of 100,000 Brits were available on the site priced from just £1.67 per record, and that the site has been updated regularly, with over 400,000 new records made available in the six weeks since the start of the year. The MP Keith Vaz, chairman of the home affairs select committee, described it as “deeply disturbing”, suggesting that the site could be funding terrorism and organised crime. He added that “The National Crime Agency must get this site closed.” and “I will be writing to the NCA to bring this to their attention.” One might hope that somebody at the NCA takes The Times. That said, at the time of writing this, the site in question was still freely accessible, but even if it is taken down, the stolen data will doubtless be made available elsewhere. Update – a full week later the site was still publicly accessible. Stephen Orfei – the General Manager of the PCI...

Gone Phishing

Brits targeted by 96,000 Scams last year

The City of London Police, launching a new ‘Get Safe Online’ campaign (here), announced this week that the number of reported phishing scams has risen by over 20% (to 95,556) in the last 12 months. That’s reported scams, so it excludes potentially hundreds of thousands of Nigerian ‘inheritance’ scams or the seven ‘Scan results’ I received last week from my non-existent network scanner. Over three quarters (77%) of reported incidents were targeted emails, often using stolen data and increasingly sophisticated ‘social engineering’ techniques; a further 12% were telephone scams that we reported on last year. Text messages, mobile phone scams and postal scams provided the remaining ten per cent or so. Unsurprisingly, the peak day last year for scams was October 21st, the day the Carphone Warehouse data breach was announced. According to research from ‘Get Safe Online’, the most popular phishing scams include pretending to be from BT, iTunes/Apple ID, HMRC, a lottery organiser, PayPal, a bank or Amazon, with BT, iTunes and tax refunds topping the list. Tony Neate, CEO of Get Safe Online, said “If you do have suspicions regarding an approach, it’s always better to be safe than sorry, so trust your instincts and double-check the person is who they say they are before handing over any information. This way, we can stay one step ahead and stop more people from falling prey to an online criminal.” Raj Samani, CTO for Intel Security, added “It’s extremely worrying that the number of phishing victims has risen by 21 per cent. Yet, sadly, it isn’t all too surprising. Cyber criminals are becoming increasingly...

Cybercrime is a threat

and British businesses can’t afford to ignore it

As I wrote here at the beginning of last December, 2015 will surely be seen as the year of the big data breach: high profile data breaches at Ashley Madison, Carphone Warehouse, Talk Talk, Hilton Hotels and J D Wetherspoon made headlines. And rightly so, as the personal details of some thirteen million people were compromised in those few breaches. And while some of those breaches were conducted by sophisticated ‘cyber pirates’, others were accomplished by disaffected teenagers. Another data breach – the one suffered at Morrisons, which compromised the personal details of some 100,000 Morrisons staff – was a deliberate act by an employee ‘with a grudge’. While the board of Talk Talk put the cost of remediating their attack at ‘no more than £35 million’, the relatively small Morrisons breach cost around £2 million to resolve. Anthony Hilton, writing in the London Evening Standard (here), described cyber crime as a “threat that British businesses can’t afford to ignore”. Hilton cites a study by the Centre for Economic and Business Research that suggested that 60% of surveyed businesses were ‘confident that their security would keep an attacker at bay’ – brave words when you consider a survey by PwC suggesting that ‘90% of large companies and 74% of small companies had experienced some kind of breach in the previous 12 months, and most had experienced more than one – the average was four’. The CEBR survey also suggests that 14% of companies have never had a board briefing on cyber security, and 32% have never prepared a formal risk assessment....