Weekly Threat Report - 26th January 2018
Report's are drawn from recent open source reporting, see the latest report here:.
Two-factor authentication usage
Open source reports quote remarks made by a Google software engineer who revealed at a recent security conference that fewer than 10 per cent of Gmail users enabled Two-Factor Authentication (2FA).
The benefit of 2FA is that it provides an extra layer of security. The user has to provide standard login details of a password and username and also something that only that user has access to. This might be a physical token, keyfob device, fingerprint, facial recognition or SMS confirmation via mobile phone.
When asked why 2FA is not mandatory, the Google software engineer raised the issue of usability and suggested users would potentially choose an alternative service if they were forced to use additional security.
2FA is also not mandatory for users of Uber but it is offered when suspicious activity is detected on an account. However, a security researcher is also reported to have found a bug in Uber’s 2FA system that allowed hackers to bypass the authentication system without entering a relevant code.
Increased attention in attacks against 2FA systems (e.g. SMS interception for high value bitcoin users) and its usability could degrade how it is perceived and trusted in the long term, which could result in a lower uptake of the service. As one of the core methods of securing online accounts it is important that users trust 2FA and find it relatively user-friendly.
Using 2FA makes the compromise of online accounts much more difficult than using just passwords and can be very effective against guessed or compromised passwords, which was behind the success of the recent targeting of the UK Parliament. The NCSC highly recommends the use of 2FA. See the NCSC Password Guidance for further information.
Cyber-enabled petrol scam uses industry insiders
Media reporting has highlighted an innovative cyber-enabled scam involving petrol pumps across Russia.
With the collusion of staff, criminals reportedly siphoned fuel off into empty tanks at the targeted petrol stations. Meanwhile, malware on the petrol stations’ computer systems was used to display false data on the amount of fuel dispensed to customers, with each customer unknowingly receiving between 3% and 7% less fuel than they paid for. The stolen fuel was then sold separately and off the books by the criminals who pocketed the profits.
The malware used was reportedly ‘nearly impossible to detect’, though Russian authorities recently disrupted the scam when they arrested the alleged creator of the malware, Denis Sayev.
It’s not clear if a scam like this would be feasible in the UK. The National Measurement and Regulation Office enforces regulation of devices used in UK industry for measuring volumes of purchased commodity, that would make this sort of crime difficult, but not impossible, to execute.
This attack represents an evolution of previously known attacks on payment systems, which have directly targeted the payment card data itself. With the global roll-out of improved protections (chip & pin), we expect to see continued innovation by criminal elements getting financial benefit from fraudulent access to payment systems.
Meanwhile, it is possible this type of cyber-enabled crime will constitute an emerging threat globally during 2018.