Hackers are exploiting the pandemic to launch cyber-attacks on some of the UK’s biggest companies.
Firms distracted by the crisis are more vulnerable than ever. In May, easyJet revealed that it had been the victim of a cyber-attack, which had compromised the details of 9.8 million customers.
It said 2,200 credit card details were accessed, while the rest was limited to names, emails and travel details. But it might not be obvious what damage can be done with just names and emails.
So I asked ethical hackers CyberNews to see if they could break into the personal accounts of Money Mail staff, armed with only our names and email addresses — with their permission!
Unaware it was linked to the CyberNews challenge, Money Mail editor Victoria Bischoff revealed how she nearly fell victim to a cold-call scam (Last Word, August 26).
She received a call from a man posing as a PayPal representative, who told her there had been some unusual activity on her account.
He could refund the money but required some details. Fortunately, she was wise to it and ended the call.
It was one of a number of clandestine tricks they used in their attempts to steal our online identities. Others were more successful.
They fooled Google’s initial security checks and my mobile phone provider in order to intercept my calls and text messages via another device.
The hackers took advantage of nuggets of publicly available information and the worryingly lax security of tech giants.
Senior researcher Edvardas Mikalauskas says the first step was to gather information online. The most potent weapon was our mobile phone numbers.
They obtained these by pretending they had forgotten the password to our social media accounts.
In this instance, Facebook will verify your identity by sending a code to your mobile phone. Before it does so, it asks you to check it has the right number by showing you the last two digits.
In Victoria’s case, the hackers then did the same with PayPal, which provided the first two and last four digits of her number.
And by doing this across multiple accounts they were able to piece together the full number. Once they had this, they could attempt a so-called Sim-swap attack.
This is when fraudsters call your mobile phone company to request a secondary Sim card to install on a new device.
This means they will be able to intercept calls and text messages, and lock the victim out of their account by deactivating the original Sim card.
Six tips to stay safe online
- Use a password manager such as 1Password or LastPass. This allows you to store all your passwords in encrypted format, and you only need one password to access them all.
- Set up so-called multi-factor authentication whenever possible. This stops someone from accessing your account even if they know your password as you will also need to provide a fingerprint or special code sent to your mobile phone, for example.
- Don’t reuse passwords because old ones might have been leaked on the dark web. Check whether the email account you use has been leaked by entering the address into the website haveibeenpwned.com. If it has, change your password immediately and check for suspicious activity.
- Set your social media accounts to private and don’t overshare information.
- Change the default passwords of your wi-fi and router because these are well known to cyber criminals.
- Never do any financial transactions while connected to public wi-fi.
If successful, it gives hackers free rein to break into other accounts, including online banking.
When CyberNews did so, it exposed shocking flaws in customer security.
The hackers called my mobile phone provider 13 times until they found an agent who failed to carry out proper checks.
Edvardas says all he had to do was strike up a conversation.
‘The approach was to engage in a long talk about how I was interested in getting a smart watch, and using it with another Sim card,’ he adds. ‘Then, I confirmed the details, which was pretty much just the phone number. For answers I didn’t know, I tried to mumble.’
The Sim card was then shipped.
An attempt to hack our Google email accounts also revealed alarming gaps in security. The hackers asked for a password reset link to be sent to one of their email addresses.
To pass the initial verification stage, all they needed to know was my phone number and Victoria’s mother’s maiden name, which they found on an online blog.
Normally, password reset links are automatically sent to a registered device, such as the account holder’s home computer.
When requests are made from an unfamiliar source, Google asks the recipient to wait a couple of days so it can carry out a manual review before sending the link.
This is then used to set a new password, locking the victim out of their account and granting the hackers access to their emails.
Ironically, a customer service backlog caused by the pandemic means CyberNews is yet to receive this. Edvardas says he has spoken to cyber criminals who have temporarily given up on this method due to sluggish response times.
CyberNews was limited by their adherence to ethical methods. For example, they did not pay for information on the so-called dark web. Real scammers face no such constraints.
My Facebook account is private, I only Tweet about work, football and cricket, and I don’t have an active Instagram account.
But a team of cyber experts from Eastern Europe was still able to garner enough information about me to fool some of the world’s biggest tech firms. Only my colleague Fiona Parker was deemed secure.
My mobile phone provider says all customer service agents are trained to follow strict security and data protection protocols.
Google says CyberNews did not ‘hijack’ accounts or ‘access the information they contain’.
A spokesman says it uses a variety of checks ‘to ensure people’s attempts to regain access to their accounts are legitimate and safe’.
Google believes its security checks would likely have blocked the hackers during its manual review.