First Time Bank Transfers

Don’t make bank transfers for purchases if:

  • You don’t know the seller
  • You are making a first-time purchase
  • You have potential trust issues with the vendor

That said, there are cases when you want to pay for goods and services using bank transfers, and this article outlines a countermeasure to reduce loss from accidents or fraud.

Here are the steps:

  • Request bank details – during the purchase, the vendor will provide the bank details, including the Account Name, Sort Code and Account Number. No change here.
  • Set up as a payee – Add the recipient as a payee in the usual way
  • Send a random micropayment – make a tiny payment as a test to ensure you have the correct bank details set up as a payee.
  • Ask the recipient to confirm the amount received – notification of the exact amount received is confirmation that you have set up the payee correctly. The amount is essential, not just “yes, got it”.
  • Pay the outstanding balance

This process:

  • Avoids accidentally sending a large sum of money to the wrong account
  • Prevents a vendor from denying receipt of a large payment

Banks have improved security with Confirmation of Payee, which provides greater assurance that you are sending payments to the intended recipient. This extra layer of protection helps avoid misdirecting funds to the wrong account and reduces fraud, as you need to know the recipient’s name to make a payment to them. Without the name, or with an incorrect name, it will not be possible to confirm the payee, and the transaction will be flagged before payment. You should be suspicious if a vendor volunteers an explanation in advance as to why the Confirmation of Payee check will not show a match against bank records.

NHS Test & Trace: Genuine or Fake?

The ‘NHS Test and Trace’ system is up and running in England. I didn’t expect to receive a fake telephone call informing me that I needed to self-isolate for 14 days. Luckily, the countermeasures to protect oneself against such calls are straightforward.

During the daily press briefing over the weekend, Dr Jenny Harries, deputy chief medical officer for England, said “it will be very obvious” when asked how people would know if the call was genuine. However, I don’t believe this will be true for all fake telephone calls of this nature. The level of fear surrounding the coronavirus is off the scale, and people respond differently to fear. Fraudulent coronavirus telephone calls will exploit the anxiety people are experiencing.

  • The caller didn’t introduce themself by name, but rather brushed over the introduction quickly into wanting me to confirm my date of birth for identification purposes
  • The caller wanted to know who I had spent time with recently. The caller refused to tell me who I had been in contact with on the grounds of patient confidentiality
  • The caller wanted to know where I had been while outside my home. The caller refused to tell me where or when I had contact with a Covid-19 carrier
  • The caller evaded questions from me by asking more questions, all of which required me to provide personal details. It felt like an attempt to drown out my thinking on the matter so that I would respond from panic and fear rather than rational thought.
  • The call came through to my phone as an unknown number. Official information states that the incoming call should be from 0300 013 5000. It is worth noting that caller-IDs are easy to spoof, so the correct number could still be a fake call.
  • The tone of voice had more in common with professional sales staff working the streets to sign people up for monthly charity contribution or those that want you to change your Gas, Electricity or Broadband provider. Nothing said gave me the impression that the call was genuine, or that the caller had any health services experience.

These factors collectively supported my quickly formulated opinion that the call was fake. Initially, though, thoughts raced through my mind about who I had been in contact with over the last week, then on to who else I could have passed the virus on to, compounded by the death toll of over 38,000 people in the UK and 350,000+ globally. Then, within a few seconds, my thoughts changed from potential consequences to scepticism about the call itself. Instead of thinking about family and friends, I found myself wearing my information security hat again, and everything about the telephone call felt wrong.

Very quickly, it became apparent that it was a tactic to get me to provide the information, which they could confirm as the reason for me needing to self-isolate. The caller wanted information from me but failed to demonstrate any credibility that they were genuinely acting on behalf of our National Health Service. I ended the call. The caller has not yet called again. I can speculate as to the direction of the telephone call had I answered questions without thinking, but will reserve that for a follow-up article.

The problem is that too many organisations call their customers and expect people to identify themselves, so people are used to the idea of answering security questions whenever an organisation calls them. There is no way to know for sure if these types of calls are 100% genuine, and the only real defence is to politely inform the caller that you will call the NHS Test and Trace helpline to discuss the matter in detail. Using the official contact telephone number is something that I always recommend when financial institutions contact their customers. The same applies in this case. The contact telephone number, along with additional information, is available at:

Conclusion

Contact tracers should ask people to call the official contact telephone number to discuss the matter; this will allow proper dialogue to take place. As this is unlikely to happen, the security measure is as follows:

  1. Accept the call. The caller will identify themself as calling from the NHS Test & Trace team.
  2. Thank the caller for making contact.
  3. Inform the caller that you will contact the NHS Test & Trace team directly on the official contact telephone number.
  4. End the call and obtain the correct telephone number from an authoritative source.
  5. Contact the NHS Test & Trace team directly.

If we are going to self-isolate for 14 days, the least we should expect is to know and understand the conditions in which we potentially became infected with Covid-19.

This article is one that I wish I never needed to write. However, it was inevitable that with something so life-changing as coronavirus, widespread fear and anxiety would be open to exploitation for malicious purposes.

Updated – 2nd June 2020

Thirty hours have elapsed since I received this call, and I have not received any further contact on this matter. If this were genuine, someone would have attempted to contact me again by now given the importance of the test and trace programme.

Security Awareness as a first line of defence

Essential security awareness points include:

  • Evolve and establish a security-centric working culture. People are often your weakest link but become your greatest strength with an effective security awareness programme in place.
  • Empower employees to avoid, prevent and report security incidents. Human error is a leading cause of data breaches. Security awareness allows employees to feel confident about their involvement with data and compliance with corporate policies.
  • Write and implement security policies. Implementing policies, establishing working practices, and implementing software to support compliance will help mitigate identified risks. Security awareness training will reinforce the policies.
  • Protect corporate assets and reputation. Loss from security breaches can be far more than data and financial loss; reputational damage could quickly result in a significant loss of clientele, which in some cases could mean the end of the business.
  • Reduce and prevent service downtime and expended investigative and repair effort. Recovering from cyber attacks can be costly, such as needing all hands on deck to get back up and running, losing orders while services are offline, cost of external help and severe disruption to business as usual activities.
  • Implement proactive security practices. Learning about specific risks will help you evolve from a culture of reacting and recovering from attacks to preventing attacks through increased vigilance.
  • Encourage the reporting of observed security risks. With an increased awareness of risk, employees become a valuable source of intelligence and insight throughout the business.
  • Reduce threats and risks by continuously expanding security awareness. Continuous training as the threat landscape changes is essential for users to recognise and avoid attacks.

3rd Party Credentials

Storing login credentials within 3rd party apps can introduce significant security risks. I recently tested an application to determine its usefulness and fitness for purpose. As with several other applications experimented with over the years, this one included the option to integrate directly with other systems; in this case, one of the social media platforms. In the settings, a configuration option was available to add the user name and password so that the application could connect to access data directly. A couple of examples include:

  • Banking applications which allow connections to several bank accounts where data is collected from multiple sources to create a financial dashboard
  • Apps that connect to file storage systems, such as to catalogue songs and create playlists

These tools offer useful functionality, but there are security implications with this concept. Firstly, let’s not confuse this with single sign-on (SSO) capability. Many websites and applications integrate with Facebook and Google for login purposes, but when signing in with Facebook or Google, the apps don’t have direct access to the login credentials. The quantity of data shared through this process has been controversial and has drawn vast media attention. However, the focus here is on cases where applications ask for login credentials to be entered and stored for subsequent use, and where the application has direct access to the credentials. Essentially, this permits the application to access other systems and, by extension, potentially gives the people behind the application access to those systems.

How do you know what these applications are going to do with your login credentials? The logon credentials could be stored securely, but could just as easily find themselves held in plain text in a database with little or no security. Applications can easily be custom made to offer something useful to the target audience, with the hidden agenda of capturing user credentials given willingly by their users.

Banking organisations and social media platforms invest significant resources in improving security. It doesn’t make sense to use them with apps that may have been developed by a small business or one person with minimal resources and information security capability.

Here are some options to reduce the risks:

  • Don’t give 3rd party user credentials to apps, websites or other services
  • Exercise vendor and application due diligence before adding 3rd party user credentials
  • If 3rd party application integration is essential, consider creating a dedicated account to use. Depending on the purpose, this may or may not be a viable option.

It is best practice never to share your username and password with anyone. Sharing your usernames and passwords with 3rd party applications can have the same or worse consequences.