Author Archive for Andy Wilkinson

Your Latest IT News Update

SIM Swap Scam Warning

A recent investigation by BBC TV’s Watchdog Live revealed evidence that some mobile phone shop staff are not conducting proper ID checks for replacement SIM requests, thereby enabling some customers to become victims of SIM swap scams.

<More>

70% Increase In DDoS Cyber Attacks On Black Friday Prompts Christmas Warning

Cybersecurity experts are warning companies with online shops to have adequate protection against DDoS attacks in place after a 70% increase in that kind of cyber-attack was recorded on Black Friday.

<More>

ICO Investigation Into Police Use of Facial Recognition Technology

ICO head Elizabeth Dunham is reported to have launched a formal investigation into how police forces use facial recognition technology (FRT) after high failure rates, misidentifications and worries about legality, bias, and privacy.

<More>

Liberty Wins Right To Judicial Review Into Investigatory Powers Act

The fact that Human rights group Liberty has won the right for a judicial review into the Investigatory Powers Act 2016 could mean a legal challenge in the high court as soon as next year.

<More>

Hard of Hearing? Skype Offers Live Captions And Subtitles

On 3rd December, Skype announced that it was celebrating United Nations International Day of Persons with Disabilities by launching its new call captioning with live captions and subtitles feature.

<More>

Tech Tip – Hands-Free Voice Control For Your Phone

Google’s Voice Access App (for Android 5 or later) lets you navigate your entire phone just by using your voice and Google’s voice assistant.

<More>

SIM Swap Scam Warning

A recent investigation by BBC TV’s Watchdog Live revealed evidence that some mobile phone shop staff are not conducting proper ID checks for replacement SIM requests, thereby enabling some customers to become victims of SIM swap scams.

What is a SIM Swap Scam?

SIM swap scams are believed to have been in existence for the last four years in one form or another.  In its current form, the SIM swap scan happens when a fraudster goes into a mobile operator’s shop and claims a false identity i.e. the identity of one of that operator’s customers.  The fraudster knows that the person they are claiming to be is a customer of that operator because of personal details that have been stolen in previous malware or cyber-attacks, and those details have been posted or sold on the dark web.

In the shop, while pretending to be that customer, the fraudster claims that their phone has been lost or stolen and asks to be issued with a replacement SIM. Once the fraudster has the replacement SIM, the victim’s SIM no longer works, and the fraudster can then access any online service that requires security codes to be sent to the phone, as well as being able to access any other of the victim’s personal details that are stored on the SIM.

In the past (London 2016), a similar version of the scam worked when fraudsters used an intercepted bank statement from the victim (or information found on social media) to call the person’s mobile operator, pass security checks, and get a blank SIM card.  The fraudsters were then able to access the unique codes sent by the victim’s bank to log into their account and transfer funds.

What Should Happen When Someone Requests a Replacement SIM?

At the moment, mobile operators should conduct i.d. checks for replacement SIMs, but it is not compulsory.  Also, the Watchdog Live investigation revealed that checks for contract customers and Pay As You Go customers may differ.  For example, O2 said that it only asks for photo ID when replacing SIMs on monthly contracts, and that Pay As You Go customers will be sent an authorisation code if someone is trying to access the number.

What Happened in Reality?

In the investigation, which involved the secret filming of Watchdog Live’s own ‘King Con’ former fraudster in multiple EE, O2, Three and Vodafone stores, EE and Three staff conducted all the necessary checks, but Vodafone blamed rogue employees for not doing so.  Also, replacement SIMs were obtained from O2 stores and the authorisation codes that the company says it sends out were not received.

What Does This Mean For Your Business?

It appears that this relatively old fraud is still very much alive and is a reminder of how valuable our personal details can be to criminals. Bearing in mind how serious this fraud can be to the victims, it is shocking that photo ID checks for replacement SIMs are not made to be compulsory for all operators in all situations.  Mobile operators could help themselves and customers by introducing compulsory measures and by making sure through training and in-built systems that all staff conduct satisfactory checks.

It is also worrying that the investigation appears to have revealed a two-tiered security system, with Pay As You Go customers afforded less protection.

In the meantime, one way that we can help ourselves is to regularly check both our phone and bank statements, and if you have a contract with e.g. O2, contact them to confirm that no replacement SIMs have been issued in your name.

70% Increase In DDoS Cyber Attacks On Black Friday Prompts Christmas Warning

Cyber security experts are warning companies with online shops to have adequate protection against DDoS attacks in place after a 70% increase in that kind of cyber-attack was recorded on Black Friday.

What Is A DDoS Attack?

A denial-of-service attack is a cyber-attack on that is intended to make a computer or network unavailable to users, and a distributed denial-of-service attack (DDoS) is one that uses multiple compromised systems, sometimes thousands, that are often infected with a Trojan virus to launch a single attack on one system. The sheer number of requests that the target receives (called a ‘flood’) typically overload the resources and memory and render the targeted computer or network unavailable.

Black Friday – 70% Increase!

According to DDoS protection provider Link11, DDoS attacks on e-commerce providers showed an increase of more than 70% compared with other days in November, and Cyber Monday attacks showed a massive increase of 109% compared with the November average.

Up To 100 Gbps

Gbps, which stands for billions of bits per second, is a measure of bandwidth on a digital data transmission, and is the level used to gauge the intensity of DDoS attacks. When you consider that Link 11 have reported that attacks of around 6 Gbps are more than enough to exceed the capacity of most websites, the Black Friday and Cyber Monday recordings of levels of up to 100 Gbps in some attacks were extremely high.

The Cost of DDoS Attacks

Bitkom research found that cyber-attacks can cost retailers an average of €185,000.  This total includes costs of IT repair, loss of sales revenue and reputational damage to the business.

Research from Corero, in April this year, found that (DDoS) attacks typically cost enterprises up to £35,000 per attack in lost business and productivity, as well as mitigation costs. The research revealed that 69% of respondents said their organisation experiences anywhere between 20 and 50 DDoS attack attempts a month – about one attack per day!  78% of respondents in the Corero research said that the loss of customer trust and confidence was the most damaging effect on business of DDoS attacks.

Christmas Warning

Based on the huge increase in DDoS attacks on Black Friday and Cyber Monday, cyber security professionals are warning businesses to prepare now in order to protect themselves against an expected high level of DDoS attacks over the Christmas shopping period.

What Does This Mean For Your Business?

Businesses trying to simply expand their own infrastructure to absorb peak loads with their own resources may not have enough resources to stop determined attackers who may decide to deliver ever greater attacks to overwhelm services completely.

One of the best ways that businesses can prepare themselves for a possible increase in DDoS attacks is by investing in scalable, cloud-based protection solutions that can counteract the kind of targeted overloads caused by DDoS attacks.

Making sure that the business has an updated and workable Business Continuity Plan and Disaster Recovery Plan in place are also important elements of preparing for the possibility of the aftermath of a successful DDoS attack.

ICO Investigation Into Police Use of Facial Recognition Technology

ICO head Elizabeth Dunham is reported to have launched a formal investigation into how police forces use facial recognition technology (FRT) after high failure rates, misidentifications and worries about legality, bias, and privacy.

Concerns Expressed In Blog Post In May

In a blog post on the ICO website back in May, Elizabeth Dunham expressed several concerns about how FRT was being operated and managed. For example, although she acknowledged that there may be significant public safety benefits from using FRT, Elizabeth Dunham highlighted concerns about:

  • A possible lack of transparency in FRT’s use by police and how there is a real risk that the public safety benefits derived from the use of FRT will not be gained if public trust is not addressed.
  • The absence of national level co-ordination in assessing the privacy risks and a comprehensive governance framework to oversee FRT deployment.  This has since been addressed to an extent by an oversight panel, and by the appointment of a National Police Chiefs Council (NPCC) lead for the governance of the use of FRT technology in public spaces.
  • The use and retaining of images captured using FRT.
  • The need for clear evidence to demonstrate that the use of FRT in public spaces is effective in resolving the problem that it aims to address, and that it is no more intrusive than other methods.

Commissioner Dunham said that that legal action would be taken if the Home Office did not address her concerns.

Notting Hill Carnival & Football Events in South Wales

Back in May 2017, South Wales and Gwent Police forces announced that it would be running a trial of ‘real-time’ facial recognition technology on Champions League final day in Cardiff. In June, the trial of FRT at the final was criticised for costing £177,000 and yet only resulted in one arrest of a local man whose arrest was unconnected.

Also, after trials of FRT at the 2016 and 2017 Notting Hill Carnivals, Police faced criticism that it was ineffective, racially discriminatory, and confused men with women.

Research

Recent research by the University of Cardiff, which examined the use of the technology across a number of sporting and entertainment events in Cardiff for over a year, including the UEFA Champion’s League Final and the Autumn Rugby Internationals found that for 68% of submissions made by police officers in the Identify mode, the image had too low a quality for the system to work. Also, the research found that the locate mode of the FRT system couldn’t correctly identify a person of interest for 76% of the time.

What Does This Mean For Your Business?

Businesses use CCTV for monitoring and security purposes, and most businesses are aware of the privacy and legal compliance aspects (GDPR) of using the system and how /where the images are managed and stored.

As a society, we are also used to being under surveillance by CCTV systems, which can have real value in helping to deter criminal activity, locate and catch perpetrators, and provide evidence for arrests and trials. It is also relatively common for CCTV systems to fail to provide good quality images and / or to be ineffective at clearly identifying persons and events.

With the much more advanced facial recognition technology used by police e.g. at public events, there does appear to be some evidence that it has not yet achieved the effectiveness that was hoped for, may not have justified the costs, and that concerns about public privacy may be valid to the point that the ICO deems it necessary to launch a formal and ongoing investigation.

Liberty Wins Right To Judicial Review Into Investigatory Powers Act

The fact that Human rights group Liberty has won the right for a judicial review into the Investigatory Powers Act 2016 could mean a legal challenge in the high court as soon as next year.

The Investigatory Powers Act

The Investigatory Powers Act 2016 (also known as the ‘Snooper’s Charter’) became law in the UK November 2016. It was designed to extend the reach of state surveillance and requires web and phone companies (by law) to store everyone’s web browsing histories for 12 months and to give the police, security services and official agencies unprecedented access to that data. The Charter also means that security services, government agencies and police can hack into computers and phones and collect communications data in bulk, and that judges can sign off police requests to view journalists’ call and web records.

Long Time Coming

Liberty was given the general go-ahead by the UK High Court to make a legal challenge against the Investigatory Powers Act in July 2017 and was enabled to do so with the help of £50,000 of crowdfunding raised via CrowdJustice.

Also, Liberty’s challenge is thought to have been helped by the European Court of Justice (in a separate case, represented by Liberty lawyers back in 2016) ruling that the same powers in the old the UK state surveillance law the ‘Data Retention and Investigatory Powers Act’ (DRIPA) were unlawful, and by a ruling by the court of appeal in January 2018 also finding the same thing.

The UK government was, therefore, given until July 2018 to amend or re-write powers to require phone and internet companies to retain data on the UK population.

Part 4 of the Act

The most recent High Court ruling on 29th November gives Liberty the right to a judicial review on part 4 of the Investigatory Powers Act.  This is the part which gives many government agencies powers to collect electronic communications and records of internet use, in bulk, without reason for suspicion.

Concerns About GCHQ’s Hacking

Human rights groups and even Parliament’s Intelligence and Security Committee have become particularly concerned about an apparent shift towards the use of hacking of computer systems, networks and mobile phones for information gathering by intelligence services such as GCHQ in projects such as the ‘Computer Network Scaling’ programme.

What Does This Mean For Your Business?

The UK’s ability to spot and foil potential plots is vital. Although the Investigatory Powers Act may include measures that could help with that, many people and businesses (communications companies, social media, web companies) are still uneasy with the extent of the legislation and what it forces companies to do, how necessary it is, and what effect it will have on businesses publicly known to be snooping on their customers on behalf of the state. The 200,000+ signatures on a petition calling for the repeal of the Investigatory Powers Act after it became law, and the £50,000 crowdfunding raised from the public in less than a week to challenge parts of the Act in the courts, both emphasise the fact that UK citizens value their privacy and take the issues of privacy and data security very seriously.

Liberty is essentially arguing for what it sees as a more proportionate surveillance regime that can better balance public safety with respect for privacy. The government initially believed that this level of surveillance was necessary to counter terrorist groups and threats posed to safety and democracy by other states, but successive legal challenges by Liberty have seen them give some ground. According to the Intelligence and Security Committee, GCHQ is running a project that aims to improve the way that it complies with the Act, and MI5 has also said that it trying to operate more compliantly.  As for any additional oversight of government orders to internet and phone companies, this is estimated to be running about a year behind schedule with IT problems being blamed for the delay.

Hard of Hearing? Skype Offers Live Captions And Subtitles

On 3rd December, Skype announced that it was celebrating United Nations International Day of Persons with Disabilities by launching its new call captioning with live captions and subtitles feature.

Inclusivity & Accessibility

Skype says that this latest feature, which uses AI-driven captions, is part of its on-going work to make Skype more inclusive and make Skype calls more accessible to all.

How Does It Work?

The new live captions and subtitles feature works on a call-by-call basis through the in-call screen or can be set to activate by default under Settings > Calling > Call Subtitles > then toggle ‘Show Subtitles’ for all voice and video calls.

The feature works on the latest version of Skype for one-on-one calls with friends or co-workers, or to any phone number, as well as in group calls with a work team or friend group.

Currently, the captions and subtitles auto-scroll in your call, but Skype says that it will soon enable additional viewing options, including the ability to scroll through them in their own side window.

Skype says that the captions and subtitles will be optimised to be fast, continuous, and contextually updated as people speak.

Translations Into 20 Languages

Skype also says that in the coming weeks, it will be augmenting the live captions and subtitles feature further by releasing translations that support over 20 languages and dialects.

Microsoft – Introducing Captions and Subtitles For PowerPoint Presentations

Microsoft, which owns Skype, announced that as part of the same celebration of the United Nations International Day of Persons with Disabilities, it is introducing AI-powered captions and subtitles for presentations in real-time for PowerPoint.

Many Languages Too

Microsoft also announced at the launch, that the live captions and subtitles for PowerPoint will support 12 spoken languages and display on-screen captions or subtitles in one of 60+ languages.

Features

Live captions and subtitles in PowerPoint will use AI, automatically adaptive speech recognition based on the presented content for more accurate recognition of names and specialised terminology, and the ability for presenters to easily customise the size, position, and appearance of subtitles.

What Does This Mean For Your Business?

AI is the technology at the heart of these new features, and Microsoft is finding ways to utilise the technology to create many different value-adding and differentiating benefits to its services.

Accessibility is an important consideration and point of compliance for businesses, and these new AI-powered features can help businesses to communicate and present information in a more inclusive, accessible and engaging way.

Microsoft has emphasised that the new captions and subtitles feature joins many other accessibility features that it has introduced to Office 365, such as automatic suggestions for alt-text in Word and PowerPoint, expanded availability of automatic closed captions and searchable transcripts for videos in Microsoft Stream, plus enhancements to the Office 365 Accessibility Checker.

Tech Tip – Hands-Free Voice Control For Your Phone

Google’s Voice Access App (for Android 5 or later) lets you navigate your entire phone just by using your voice and Google’s voice assistant.

If you’d like to make controlling your smartphone an easy, hands-free experience here’s how:

– Install the Google app and the Voice Access app (see Google Play).

– Set up ‘OK Google’ detection so that the service can be invoked from any screen on your phone.

– Follow these simple steps to turn on voice access:
– https://support.google.com/accessibility/android/answer/6151848
– For a list of commands, go to https://bit.ly/command463 or open the app and select ‘show all commands’.

Your Latest IT News Update

Data Protection Trust Levels Still Low After GDPR

A report by the Chartered Institute of Marketing (CIM) has shown that as 42% of consumers have received communications from businesses they had not given permission to contact them (since GDPR came into force), this could be a key reason why consumer trust in businesses is still at a low level.

<More>

£385,000 Data Protection Fine For Uber

Ride-hailing (and now bike and scooter-hiring) service Uber has been handed a £385,000 fine by the ICO for data protection failings during a cyber-attack back in 2016.

<More>

New Hashtags Feature For Google Maps

Google has begun the global rollout of its new ‘hashtags’ feature in Google Maps, which allows users to add hashtags to the end of the reviews they write, thereby helping others to find local attractions and businesses.

<More>

Mobile Networks Faster Than Wi-Fi

A report by OpenSignal has highlighted how the fact that smartphone users in 33 countries get faster average download speeds using a mobile network than Wi-Fi means that mobile operators and smartphone makers need to ensure that consumers’ smartphones aren’t simply pushed onto a Wi-Fi network, only to receive a worse experience than the mobile network.

<More>

Bitcoin and Other Crypto-Currencies Hit New Lows

After losing 74% of its value so far this year, Bitcoin’s value, and that of other crypto-currencies have continued to fall this month as a sell-off takes place in what some see as the natural course for the market, and as another opportunity to buy crypto-currencies at a low price.

<More>

Tech Tip – Access Your Phone’s Photos and Texts On Your Computer

The Windows 10 phone app means that you can get instant access to your Android phone’s photos and texts on your computer.  Here’s how to get it:

<More>

Data Protection Trust Levels Still Low After GDPR

A report by the Chartered Institute of Marketing (CIM) has shown that as 42% of consumers have received communications from businesses they had not given permission to contact them (since GDPR came into force), this could be a key reason why consumer trust in businesses is still at a low level.

Not Much Difference

The CIM report shows that only 24% of respondents believe that businesses treat people’s personal data in an honest and transparent way.  This is only slightly higher than the 18% who believed the same thing when GDPR took effect 6 months ago.

Young More Trusting

The report appears to indicate that although trust levels are generally low, younger people trust businesses more with their data.  For example, the report shows that 33% of 18-24 and 34% of 24-35 year olds trust businesses with their data, compared with only 17% of over 55s.

More Empowered But Lacking Knowledge About Rights

Consumers appear to feel more empowered by GDPR to act if they feel that organisations are not serving them with the right communications.  For example, the report showed that rather than just continuing to receive and ignoring communications from a company, 50% of those surveyed said that GDPR has motivated them to not consciously opt-in to begin with, or if opted in, make them more likely to subscribe.

This feeling of empowerment was also illustrated back in August in a report based on a study by business intelligence and data management firm SAS.  The SAS study showed that more than half of UK consumers (55%) looked likely to exercise their new GDPR rights within the first year of GDPR’s introduction.

Unfortunately, even though many people feel more empowered by GDPR, there still appears to be a lack of knowledge about exactly what rights GDPR has bestowed upon us. For example, the report shows that only 47% of respondents said they know their rights as a consumer in relation to data protection.  This figure has only increased by 5% (from 43%) since the run-up to GDPR.

What Does This Mean For Your Business?

The need to comply with the law and avoid stiff penalties, and the opportunity to put the data house in order meant that the vast majority of UK companies have taken their GDPR responsibilities seriously, and are likely to be well versed in the rights and responsibilities around it (and have an in-house ‘expert’). Unfortunately, there are always a few companies / organisations that ignore the law and continue contacting people.  The ICO has made clear examples e.g. back in October Manchester-based Oaklands Assist UK Ltd was fined £150,000 by the ICO for making approximately 64,000 nuisance direct marketing calls to people who had already opted out of automated marketing.  This is one example of a company being held accountable, but it is clear from the CIM’s research that many consumers still don’t trust businesses with their data, particularly when they hear about data breaches / data sharing on the news (e.g. Facebook), or continue to have their own experiences of unsolicited communications.

It may be, as identified by the CIM, that even though GDPR has empowered consumers to ask the right questions about their data use, marketers now need to answer these, and to prove to consumers how data collection can actually benefit them e.g. in helping to deliver relevant and personalised information.

The apparent lack of a major impact of GDPR on public trust could also indicate the need for an ongoing campaign to drive more awareness and understanding across all UK businesses.

£385,000 Data Protection Fine For Uber

Ride-hailing (and now bike and scooter-hiring) service Uber has been handed a £385,000 fine by the ICO for data protection failings during a cyber-attack back in 2016.

What Happened?

The original incident took place in October and November 2016 when hackers accessed a private GitHub coding site that was being used by Uber software engineers. Using the login details obtained via the GitHub, the attackers were able to go to the Amazon Web Services account that handled the company’s computing tasks and access an archive of rider and driver information. The result was the compromising (and theft) of data relating to 600,000 US drivers and 57 million user accounts.

The ICO’s investigation focuses on avoidable data security flaws, during the same hack, that led to the theft (using ‘credential stuffing’) of personal data, including full names, email addresses and phone numbers, of 2.7 million UK customers from the cloud-based storage system operated by Uber’s US parent company.

The ICO’s fine to Uber also relates to the record of nearly 82,000 UK-based drivers, including details of journeys made and how much they were paid.

Attackers Paid To Keep Breach Quiet

Another key failing of Uber was that not only did the company not inform affected drivers about the incident for more than a year, but Uber chose to pay the attackers $100,000 through its bug bounty programme (a deal offered by websites and software developers to offer recognition and payment to those who report software bugs), to delete the stolen data and keep quiet about the breach.

Before GDPR

Even though GDPR, which came into force on 25th May this year says that the ICO has the power to impose a fine on a data controller of up to £17m or 4% of global turnover, the Uber breach took place before GDPR.  This means that the ICO issued the £385,000 fine under the Data Protection Act 1998, which was in force before GDPR.

Other Payments and Fines

Uber also had to pay a $148m settlement agreement in a case in the US brought by 50 US states and the District of Columbia over the company’s attempt to cover up the data breach in 2016.

Also, for the same incident, Uber is facing a £533,000 fine from the data protection authority for the Netherlands, the Autoriteit Persoonsgegevens.

What Does This Mean For Your Business?

As noted by the ICO director of investigations, Steve Eckersley, as well as the data security failure, Uber’s behaviour in this case showed a total disregard for the customers and drivers whose personal information was stolen, as no steps were taken to inform anyone affected by the breach, or to offer help and support.

Sadly, Uber joins a line of well-known businesses that have made the news for all the wrong reasons where data handling is concerned e.g. Yahoo’s data breach of 500 million users’ accounts in 2014 followed by the discovery that it was the subject of the biggest data breach in history to that point back in 2013. Similar to the Uber episode is the Equifax hack where 143 million customer details were stolen (44 million possibly from UK customers), while the company waited 40 days before informing the public and three senior executives sold their shares worth almost £1.4m before the breach was publicly announced.

This story should remind businesses how important it is to invest in keeping security systems up to date and to maintain cyber resilience on all levels. This could involve keeping up to date with patching (9 out of 10 hacked businesses were compromised via un-patched vulnerabilities) and should extend to training employees in cyber-security practices, and adopting multi-layered defences that go beyond the traditional anti-virus and firewall perimeter.

Companies need to conduct security audits to make sure that no old, isolated data is stored on any old systems or platforms, thereby offering no easy access to cyber-criminals. Companies may now need to use tools that allow security devices to collect and share data and co-ordinate a unified response across the entire distributed network.

Even though the recent CIM study showed that less than one-quarter of consumers trust businesses with their data security, at least the ICO is currently sending some powerful messages to (mainly large) businesses about the consequences of not fulfilling their data protection responsibilities.  For example, as well as the big fine for Uber, back in October, the ICO fined a Manchester-based company £150,000 for making approximately 64,000 nuisance direct marketing calls to people who had opted out via the TPS, and earlier this month, a former employee of a vehicle accident repair centre who stole customer data passed it to a company that made nuisance phone calls was jailed for 6 months following an ICO investigation.