BA Security Fallout
Analysis of the file containing the code used in the recent hack of the British Airways website and app, which affected around 380,000 card transactions, has revealed that just 22 lines of JavaScript were enough to cause the breach.
Skimming
The hack, which began on 21st August and ran into September, is now attributed to the injection of a digital skimming script designed to steal payment-card data from the online payment forms of BA’s website and app. The small skimming script, discovered by the cyber-security firm RiskIQ, copied what the customer typed into BA’s online payment form and sent it to the attackers’ server when the customer pressed the ‘submit’ button. The theft therefore happened inside the customer’s browser, before the data ever reached BA’s systems.
Targeted
The researcher concluded that this was a highly targeted attack: the skimmer was tailored to the structure of BA’s own payment page, and because the payment page in the app was built from the same components as the real website, the same script worked against both, matching the design and functionality of the real thing closely.
The RiskIQ researcher described the 22-line digital skimming script implanted by the hackers as “simple but effective”.
Magecart Suspected
The finger of suspicion is now being pointed at a group of hacking operatives known as Magecart. The suspicion is based upon a close match with their modus operandi, as seen in a recent attack on the Ticketmaster websites where Magecart also used a similar digital skimmer hidden in a third-party element of the payment process.
More To Come
The attacks on Ticketmaster and BA are believed to be part of a larger campaign by the Magecart hacking group to target big brands, and it is therefore thought that more big names will be hitting the headlines soon for data breaches.
Vulnerable
According to some security commentators, the weakest link in a payment process is the obvious place for hackers to strike, and older systems and third-party code sitting in the payment chain are exactly that weak link.
The apparent ease of the attack, which led to the theft of names, email addresses and full credit card details, has led to obvious anger from those affected and criticism of BA by security commentators and professionals.
Big Fine Possible Under GDPR
There is now the real possibility that BA could face a fine of up to £500 million (4% of global annual turnover, based on 2017 figures) under GDPR, and this breach is believed to be one of the first really big tests of the new law.
What Does This Mean For Your Business?
Even though the hackers in this case went to great lengths to tailor their code closely to the BA site, and obtained a valid Secure Socket Layer (SSL) certificate for the server that received the stolen data so that the outbound traffic looked like ordinary encrypted web traffic, suggesting a serious level of planning and targeting, it remains a relatively simple method of attack that has exposed vulnerabilities in the payment systems of a big company. The dependable image of BA, the fact that it is such a big brand, and the scale and scope of the theft have caused shock and anger among customers, and there will undoubtedly be substantial costs to BA’s finances and reputation.
As some security commentators have pointed out, there are ways to prevent third-party code from taking data off sensitive web pages, such as Content Security Policy (restricting where a page is allowed to send data) and Subresource Integrity (pinning the exact contents of each script the page loads), and BA should really have been wise to this. In BA’s defence, encrypting the data in the payment system would not have helped, because the skimmer copied the card details from the form in the customer’s browser before they were sent to, and encrypted by, the company’s servers.
One positive thing to be taken from this case is that it has alerted more companies to the possibility of this kind of attack, thereby giving them time to build-in defences against it.
Tech Tip – Send Texts From Your Windows 10 PC With ‘Your Phone’ App
If you’d like to be able to send phone texts from your PC without having to unlock your phone, you can do it with the Your Phone app for Windows 10. Here’s how:
– Open the Your Phone app.
– Click on Messages.
– Click on the See Texts button.
– Click on the Send Notification button.
– On your phone, confirm the notification to allow Your Phone app to access your text messages.
– To send a new message, click the New Message button.
– Type the phone number or search for the contact you want to send a message to.
– Use the reply box at the bottom to send the text from your PC. That’s it!
Display System Drives First In File Explorer
In Windows by default, your File Explorer now opens the Quick Access screen when launched. If you’d rather go back to the old way of displaying your system drives first, here’s how:
– Right-click the Quick Access link on the left.
– Choose Options.
– Choose ‘This PC’ from the top drop-down menu.
– That’s it!
Superfast Broadband Boosts Business and Jobs
Among the findings of a recent government report about superfast broadband in the UK are claims that superfast broadband rollout so far has led to job creation and a £12.28 benefit for firms for every £1 invested by central and local authorities.
Measurable Benefits
The Evaluation of the Economic Impact and Public Value of the Superfast Broadband Programme report, by the Department for Culture, Media and Sport (DCMS), covering 2012 to 2016, claims that superfast broadband reaching almost five million homes and businesses (Openreach puts the figure at 10 million) has provided noticeable, measurable business and economic benefits.
Fewer Jobseekers, More Jobs
For example, according to the report, superfast broadband has driven a reduction of almost 9,000 jobseekers allowance claims, and the creation of 49,000 local jobs.
What Is Superfast Broadband?
Superfast broadband refers to connections with broadband speeds of 24 megabits per second and above.
Where?
Superfast broadband is more available in some parts of the UK than others. For example, the highest rate of superfast broadband availability is in North East England (97.19%). Also offering high rates of superfast broadband availability are South East England (97.07%) and the West Midlands (96.56%).
Unfortunately, those who live and work in Northern Ireland are currently treated to the lowest rates of availability in the UK at 87.74%.
Boost
The growth in the levels of superfast broadband availability has been given a boost by factors such as Openreach, the firm that runs the vast majority of the UK’s telecoms infrastructure, reducing the wholesale price of broadband.
This is thought to have helped take-up for superfast and fibre broadband services by homes and businesses, and given competitors e.g. Sky and TalkTalk the opportunity to reduce the cost of using the network, provided that they can get enough sign-ups.
Back in March last year, Ofcom (the telecoms regulator) announced that BT had agreed to legally separate from Openreach, which owns and operates the UK’s broadband infrastructure. This move was intended to enable greater competition among broadband providers and greater investment in the network infrastructure.
Fibre
Fibre has offered greater broadband speeds and reliability, but at the moment, most connections have fibre-optic lines up to the local street cabinet, but then copper phone lines from the cabinet to the house.
The government says that its aim is to give all of the UK full-fibre broadband (fibre all the way to the premises, rather than stopping at the cabinet and relying on copper for the last stretch) by 2033.
What Does This Mean For Your Business?
Broadband is now an essential service for business, and businesses would obviously welcome any improvement in broadband speeds in the UK as it would undoubtedly help UK companies to become more competitive, and would boost the economy.
Unfortunately, while those who are able to benefit from superfast and (full) fibre broadband are clearly reaping the benefits, this is not the case in many areas of the UK. For example, in April this year, a survey by consumer watchdog ‘Which?’ revealed that more than half of UK customers across 12 providers were having problems with their broadband service or price.
Although this latest government announcement paints a positive picture of superfast broadband in the UK, the UK is now only at 35th place in the global average broadband speed league tables. This is because it has been too late in embracing a full-fibre solution – FTTP (fibre to the premises). Many critics have pointed to UK infrastructure provider Openreach shying away from FTTP because of the perceived costs and level of difficulty of large-scale rollouts.
For the time being then, UK businesses have to rely on the slower FTTC (fibre to the cabinet), and this has put UK businesses at a competitive disadvantage with businesses in many other European countries.
Major improvements to broadband speeds for UK businesses in most areas are still a long way off as the UK may only actually have 7% full fibre coverage by 2020, with full coverage unlikely for another 15+ years.
New Australian Law Gets The Thumbs-Down From Tech Firms
In Australia, a new draft bill proposing ways for tech firms, software developers and others to assist security agencies and police has been given the thumbs-down by a major industry group over its ambiguity, and the potential security risks it could create.
What Bill?
The new “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018” is a Bill for an Act to amend the law relating to telecommunications, computer access warrants and search warrants, and for ‘other purposes’.
The bill proposes that a ‘technical assistance request’ may be given to a tech company, e.g. a social media or chat app company, asking that provider to offer ‘voluntary’ help in the form of ‘technical assistance’ to the Australian Secret Intelligence Service or an ‘interception agency’ with a view to enforcing / helping to enforce the criminal law, protecting the public revenue, and / or acting in the interests of Australia’s national security, foreign relations, or economic well-being.
What Kind of Technical Assistance?
In essence, those who have interpreted and reacted publicly to the contents of the bill have taken it to mean that as part of the Australian government’s fight against the criminal use of encrypted communications (end-to-end encryption), tech firms will be asked to build weaknesses / ‘back doors’ into their products/ services that will enable government monitoring.
For example, the UK government (under then Home Secretary Amber Rudd) were seeking ‘back door’ access to encrypted apps such as Facebook’s WhatsApp on the grounds that terror suspects were known to have used it for communication prior to the Westminster attack. At the time, WhatsApp refused to co-operate on the grounds that end-to-end encryption prevented even its own technicians from reading people’s messages.
WhatsApp has also been blocked three times in Brazil for failing to hand over information relating to criminal investigations.
Worked In Germany
Presumably, the kind of thing the new bill would be used for in Australia is the sort of case reported from Germany, where law enforcement agencies were said to have gained access to messages on the encrypted communications app ‘Telegram’, enabling them to foil a planned suicide attack on a Christmas market in 2016.
Digi Objects
The loudest critic of the new Bill in Australia has been the Digital Industry Group (known as ‘Digi’) whose members include Facebook, Google and Twitter. Their main arguments against the bill are that it is ambiguous and lacks judicial oversight, and building any back-doors for government agencies into encrypted services will also be creating access for criminals to exploit. Big social media tech firms say, for example, that building such potential vulnerabilities into their services could not only leave the majority of their customers vulnerable to attack for the sake of catching a minority, but could also undermine the essential trust in their services.
What Does This Mean For Your Business?
Privacy, security, and freedom from unnecessary surveillance are concerns valued by individuals and businesses, but national security is also an issue, and is something that affects the wider economy. The bill from the Australian government is the latest in a long line of similar requests that the big tech companies are facing from governments around the world. The conundrum, however, is the same. Tech companies are private businesses whose services allow users to share personal data, and they need the trust of their users that privacy and security will be preserved, and yet governments would like access to the private conversations, hopefully just for national security purposes. Also, once a back-door is built into an encrypted service (e.g. an end-to-end encrypted service), it is no longer really secure, and all users could potentially be at risk. Bills suggesting that help by tech firms would be ‘voluntary’ are also likely to mean that failure to comply voluntarily would have negative consequences for tech firms (e.g. fines).
As freedom and privacy groups would point out, there is also some mistrust over government motives for accessing more of our private conversations and details, and in the wake of the Facebook / Cambridge Analytica scandal for example, there are questions about just who else our details and private conversations and opinions could be shared with and how that could be used. It is also a fact that governments tend not to like communications tools and currencies (e.g. Bitcoin) that they can’t access, control, or regulate.
The ‘big brother’ element to bills like these worries citizens in all countries, and some tech companies, which are certainly not blameless (e.g. on user tracking and data sharing activities) are likely to try and hold out as long as possible from publicly being seen to be co-operating with any wide-scale government surveillance.
Facebook Uses Scoring System To Manage Misinformation
It has been reported that Facebook allocates a trustworthiness score to some members to help it manage misinformation issues such as some members continually flagging / reporting stories as fake if they don’t agree with the content.
Score?
It is not publicly known exactly how the score is arrived at, but it has been reported recently in the Washington Post that Facebook’s ‘Misinformation Team’ will be making use of the metric, a system that has taken a year to develop.
Why?
It is understood that the system, which Facebook denies amounts to a reputation score, is part of an initiative announced 2 years ago to find a way to deal with issues around fake news and fighting misinformation.
These include both making news with dubious / fake content appear lower in users’ news feeds, and stopping people from indiscriminately flagging news as fake in order to control and influence news and opinions.
Repeat Flaggers In The Spotlight
The scoring system will have a focus on stopping some Facebook members from simply flagging / reporting stories they don’t agree with.
Some commentators have speculated that this part of the scoring system works by correlating any false news reports with the decisions of independent fact-checkers, and by giving higher scores (and presumably higher news feed positions) to a user who makes a single complaint that is substantiated, than to a user who makes lots of complaints, only some of which are substantiated.
Not The First Time
Facebook is not the first and only platform to use such scoring systems for members. For example, Uber rates customers on scores they’ve been given by drivers, Twitter has been reported as having used a reputation score to help recommend which members to follow, and a pilot scheme in China is allocating a social credit score to citizens based on their online behaviour.
Criticism
The Facebook scoring system has been criticised by some people who say that Facebook’s own trustworthiness is unregulated, that the scoring system is automated and not transparent, and that it could amount to another way of Facebook using people’s data in a way they may not expect or want (bearing in mind the Facebook / Cambridge Analytica scandal).
What Does This Mean For Your Business?
We are used to the idea that decisions that affect businesses are made using algorithms and automatic scoring systems, e.g. search engine rankings. If the new Facebook scoring system works as it should and for the purpose that Facebook has stated, then it may contribute to better management of misinformation, which can only benefit the economy and businesses.
Unfortunately, how Facebook can be trusted to use our data behind the scenes is a sore subject at the moment, and it could be said that mistrust of Facebook and its motives with this move is expected and healthy. Since the Cambridge Analytica revelations, and findings that Facebook was used to distribute dubious, politically influential posts of Russian origin in the run-up to the US election, Facebook has to at least be seen / reported to be doing more to manage misinformation on its platform.
Unfortunately for Facebook, the scoring system is unlikely to appeal to President Trump, who has warned that it is dangerous for tech / social media companies such as Facebook to regulate themselves. Some commentators have suggested that this concern is partly based on a fear that conservative voices may be silenced by such measures.