Weekly Threat Report - 6th March 2020
This week, with support from Which?, we published new consumer advice and guidance on how to secure internet connected cameras in the home.
We’re all becoming more reliant on ‘smart’ technology, and things like connected security cameras and baby monitors help make our lives easier. However, insecure default settings can leave devices vulnerable to cyber criminals.
In rare cases, live feeds or images from smart cameras can be accessed by unauthorised users, which is why we outlined three steps people can take to make their devices safer:
If your camera comes with a default password, change it to a secure one – connecting three random words which you’ll remember is a good way to do this. You can usually change your password using the app you use to manage the device.
Keep your camera secure by regularly updating security software. Not only does this keep your devices secure, but it often adds new features and other improvements.
If you do not use the feature that lets you remotely access the camera from the internet, it is recommended you disable it.
The NCSC is supporting the Department for Digital, Culture, Media & Sport (DCMS) in the development of future UK legislation, which will ensure consumer smart devices sold in the UK adhere to three rigorous security requirements. These are:
Device passwords must be unique and not resettable to any universal factory setting
Manufacturers must provide a public point of contact so anyone can report a vulnerability
Manufacturers & retailers must state the minimum length of time for which the device will receive security updates
Tesco Clubcard and Boots Advantage Card holders have been warned of potential security risks. Earlier this week, Tesco confirmed new Clubcards would be issued to 600,000 members following unauthorised attempts to access customer accounts. It’s understood criminals had used a database of stolen usernames and passwords, with some attempts reportedly proving successful. Elsewhere, Boots was forced to suspend payments using loyalty points built up on Advantage Cards, after a similar incident affecting its customer accounts. The act of using a breached list of usernames and passwords to access accounts is called ‘password-stuffing’. It’s a form of attack which preys upon those who use similar email and password combinations across several different online accounts.
Tesco says no financial data was accessed and they had taken steps quickly to address the issue. Boots also confirmed that no credit card information had been accessed, and they hoped regular service would be back to normal as soon as possible. The NCSC recommends that the public use strong and unique passwords across different accounts, especially key platforms such as email and online banking. The three random words approach is a great way of creating a strong password. The NCSC has published advice on how to stay secure online.