Practical Electronics, March 2023 issue (preview).
The Fox Report
Barry Fox’s technology column
Keeping one step ahead of scammers is a full-time task
Few people now fall for the mail shots, flyers or emails that congratulate us on winning or inheriting a fortune, and which costs money or needs bank details to collect. More of us are now wise to the way scammers using VOIP can spoof their calling number to match publicly available official numbers – so that the recipient’s phone shows the scam caller as ‘Bank’, ‘Building Society’ or ‘Credit Card’.
One of the cleverer recent tricks is where a random cold caller to your mobile says he (or she) is from your cellphone service provider. While you are taking the call, the scammer uses the service provider’s website to send a ‘lost password’ text message with ‘verification code’ to your mobile ‘to prove it’s a genuine call’. If you then read out the code the scammer can take over your account, using stored credit card details to buy credit for another phone, start a new contract and cause much time-consuming grief.
And, however carefully we protect our own online life, we still remain at risk from others who exercise less care – even large companies with professional IT support.
Ally Pally refund
Such was the case recently after I had been in email correspondence with the Alexandra Palace charity in North London. Although the reason for the correspondence is interesting, it’s not essential to the scam which followed. Suffice to say that the restored old theatre in the Ally Pally building, under the old studios and transmitter tower which broadcast the UK’s first TV services, had staged a probably excellent part-musical play about Tom, Dick and Harry, the Great Escape tunnels dug out of Stalag Luft III during World War II.
I say ‘probably excellent’ because the AP theatre staged the show ‘in the round’, without radio-miking the actors. So, at any given time, the large audience ringed around the stage were hearing direct sound from roughly just a quarter of the cast, with the rest of the sound bouncing unintelligibly off the hard walls, floor and ceiling dome.
The AP management thanked me for my detailed acoustic-electronic suggestions, agreed that I was right to say the production should have been radio-miked and said they would be installing the necessary equipment later in the show’s run (but presumably, until then audiences would continue to strain their ears). I reckoned I was entitled to a refund for paying for a largely inaudible event, but management minions just sent me standard-form email refusals. So, since as much as anything, I don’t like being fobbed off with semi-automated responses to considered arguments, I pursued – and eventually – got my refund.

STOP! Always ask yourself by whom and why you are being asked to click on a link.
All was forgotten until, a few months later, I received an email from the Alexandra Palace Finance Department which – as often now happens with business or medical communications – came with a password-protected attachment. As I had no account and no password, I queried the request and got back an assurance that the attachment was safe to read. But I still had no Ally Pally account or password. So, I never read whatever I’d been sent.
Have I been scammed?
Fast forward a few months and I learned that the correspondence had been a scam.
Practical Electronics | March | 2023
I quote AP’s Director of Finance and Resources: ‘My email account was hacked and the email you received from me was malicious and from a hacker. The response you received to your query was from the hacker… I sent out a huge number of responses reassuring people that these were indeed malicious and should be deleted.’
But, I got no such legitimate email. Should I be worried about malware or ransomware?
The Director re-assured: ‘We have been advised by our third-party IT team that this was a relatively unsophisticated attack. They got access to my mailbox by me potentially using an unsecure public Wi-Fi… there has been no malware or ransomware detected… we have been advised that any recipient should delete the email and if not already done, passwords changed to prevent any subsequent malicious access attempts.’ (my italics)
Passwords
A BBC TV ‘expert’ recently gave similar general blanket change-password advice in response to a viewer’s unrelated question.
Setting up new email passwords is not a trivial matter; it means that all the user’s devices must be changed to the new password (phone, laptop, desktop, tablet). In the case of Google Gmail the address is tied to a wide range of services which must all be reset to the new password.
But what does changing passwords achieve if a hacker has simply stolen email addresses from a third party’s address list? The hacker has stolen the email address, not the password, because email passwords do not travel with email addresses.
A colleague of mine surmises that, ‘it’s not at all unlikely that your email password is already out there in some ‘dark web’ database containing millions of such addresses. As such, it’s of little value to anybody and may well just be being ignored. However, if a bad actor has obtained your email address together with a set of emails containing some interesting financial information, your email password may well have leapt in value and be worth purchasing on the dark web.’
Says Alexandra Palace, presumably on advice from its IT advisers: ‘We have been advised that the approach this attack has taken means that if you have clicked on the link contained within the email and entered your own email address and password (as advised by the hacker) they will have captured both bits of information.’
Most IT-savvy folk will not enter their email address and password if asked to log into a third-party secure online locker. They will recognise that there is no connection between email security and locker security. But someone less familiar with online risks and perhaps in a hurry or worried or both, may well give it a try. In this case, the hacker cleverly created ‘urgency’ by saying the link would expire in two days; and when recipients replied to the scam mail querying sign-in, the scammer replied with reassurance that the email and site were safe.
Later, of course, the scam site was blocked with dire public warnings. But blocking can only happen after early accessors have fallen foul; and the scammers have gone on to create fresh traps elsewhere.
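The credential-harvesting pattern described above, as an added example that is not part of the column or of Alexandra Palace’s IT guidance: a small Python checker that scores an incoming message against the three signs the article mentions (a link to a site outside the sender’s own domain that asks for your email address and password, an artificial deadline on that link, and ‘password-protected’ content from an organisation with which you hold no account). The sample messages, sender names and `.invalid` host names are constructed for the demonstration; the regular expressions are deliberately simple heuristics, not a complete phishing filter.

```python
"""Score an email against the hijacked-mailbox phishing indicators from the column.

Added example, not code from the column or from any organisation it names.
Sample messages and domains below are constructed (.invalid never resolves).
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# A time limit placed on an action ("this link will expire in 2 days").
URGENCY_RE = re.compile(
    r"\b(?:expires?|expired|within \d+ (?:hours?|days?)|immediately|urgent)\b", re.IGNORECASE)
# "email address ... password" in that order anywhere in the text.
CREDENTIAL_RE = re.compile(r"\be-?mail address\b.*?\bpassword\b", re.IGNORECASE | re.DOTALL)
# The "secure locker" / password-protected-attachment pretext.
PROTECTED_RE = re.compile(r"\b(?:password[- ]protected|secure (?:online )?locker)\b", re.IGNORECASE)


def sender_domain(msg: Message) -> str:
    """Domain part of the From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def message_text(msg: Message) -> str:
    """Subject line plus every text/plain part, joined into one string."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode("utf-8", "replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        body = "\n".join(parts)
    else:
        body = msg.get_payload()
    return msg.get("Subject", "") + "\n" + body


def link_hosts(text: str) -> list[str]:
    """Host names of every http(s) URL found in the text."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def score_message(raw: str, accounts_held: frozenset[str] = frozenset()) -> tuple[int, list[str]]:
    """Return (number of indicators hit, human-readable reasons).

    accounts_held: domains where the recipient genuinely has a login; a
    'password-protected' request from any other sender counts as an indicator.
    """
    msg = message_from_string(raw)
    text = message_text(msg)
    sender = sender_domain(msg)
    # Links that point somewhere other than the sender's own domain.
    foreign = [h for h in link_hosts(text) if not (h == sender or h.endswith("." + sender))]
    reasons: list[str] = []
    if foreign and CREDENTIAL_RE.search(text):
        reasons.append(f"link to third-party host {foreign[0]} while asking for email address and password")
    if foreign and URGENCY_RE.search(text):
        reasons.append("deadline placed on following the link")
    if PROTECTED_RE.search(text) and sender not in accounts_held:
        reasons.append(f"password-protected content from {sender or 'unknown sender'}, where you hold no account")
    return len(reasons), reasons


def is_suspicious(raw: str, accounts_held: frozenset[str] = frozenset(), threshold: int = 2) -> bool:
    """True when at least `threshold` indicators are present."""
    return score_message(raw, accounts_held)[0] >= threshold


# Constructed sample resembling the scam in the column (placeholder domains).
SCAM_EMAIL = """\
From: Finance Department <finance@example-palace.invalid>
To: reader@example.invalid
Subject: Refund documentation (secure)

Please find attached the refund statement as a password-protected document.
To open it, log in to our secure online locker using your own email address
and password at https://docs-locker.example-thirdparty.invalid/open?id=12345
This link will expire in 2 days.
"""

# Constructed benign sample from the same (placeholder) organisation.
BENIGN_EMAIL = """\
From: Box Office <boxoffice@example-palace.invalid>
To: reader@example.invalid
Subject: Your refund has been processed

Your refund of 25.00 GBP has been returned to the card used for the booking.
No action is needed. Questions? Reply to this email or call the box office.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_EMAIL), ("benign", BENIGN_EMAIL)):
        hits, why = score_message(raw)
        print(f"{label}: {hits} indicator(s)", *why, sep="\n  ")
```

Passing `accounts_held={"example-palace.invalid"}` drops the third indicator, which mirrors the column’s point: a password-protected document only makes sense from somewhere you already have an account and a password.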
In my case I gave no information away so felt confident in not changing my email passwords. But I did make the mistake of replying to the original email, thereby unwittingly confirming that my stolen email is ‘live’ and thus worth more for sale.
Use VPN
If you are out and about with a laptop, then linking to a third-party Wi-Fi source without VPN (Virtual Private Network) protection is really risky. I would hope that an IT specialist company employed by a large organisation would put staff VPN protection in place, or at least forcefully advise staff to use only public Wi-Fi access points with well-known service names, like those from O2, Virgin or a national rail line. It’s too easy for a scammer to create a phoney Wi-Fi access point and suck sensitive data out of victims’ mobiles.
Says Ally Pally: ‘We think we have now bottomed out the cyber breach and apologise once again for your data being exposed in this way. We have taken steps to raise awareness of this type of attack internally and put in place changes to our IT infrastructure to mitigate this happening again.’
But there will still be countless other employees of countless companies that haven’t even thought about the risks they are running with customers’ data by using unsecured laptops on any available Wi-Fi they find in a coffee shop.
Public education on the risks of using public Wi-Fi and practical advice on VPN is pitifully poor. Even the companies selling security solutions aren’t doing it.
A self-promoting cybersecurity company that specialises in VPN recently sent out a press release listing the best ways to avoid the theft of ‘account login credentials, personal information, or bank and credit card information’.
I asked why there was no warning on public Wi-Fi and no mention of VPN. I, for one, would have welcomed some expert advice to try, use and pass on.
The reply I received hardly inspired confidence. Simply: ‘This is a great tip … so feel free to include.’