How to protect your data in free public WiFi hotspots
In an ‘ethical experiment’ conducted earlier this year, a primary school child hacked into a free public WiFi hub in just over ten minutes.
The young hacker, a seven-year-old called Betsy, followed instructions she had acquired through a Google search, under the supervision of professional hacker Marcus Dempsey. It took her just 10 minutes and 54 seconds to set up a rogue access point at a free public WiFi hotspot and start eavesdropping on Internet traffic. It takes little imagination to conclude how much damage a maliciously motivated adult hacker could achieve in similar circumstances.
Yet, a recent survey (Kaspersky) reveals that 70% of tablet owners and 53% of smartphone owners use public Wi-Fi hotspots. The security risk posed by hackers using the vulnerabilities of these connections is immense, affecting all types of personal data including bank details and passwords.
What precautions can be taken to minimise this risk? To begin with, and obvious though it may sound, avoid using free public Wi-Fi. One way of doing this is to use your smartphone’s network. It may cost a bit more – particularly if you are abroad – but it could save you in the long run.
If you can’t do that, then treat all WiFi with suspicion. Possibly the greatest risk is not, as is often feared, the encryption or data but lack of verification that a hotspot is genuine. If possible, try to verify that any wireless connections are legitimate. Sometimes malicious users set up a connection name that is similar to that of the café or hotel that provides free WiFi but it is advisable to speak to someone who works there to check the correct connection name and IP address.
Using a virtual private network (VPN) will effectively provide you with a means of encrypting your data as it passes through the network. It will usually cost a bit more and performance will be slower but is still less expensive than using mobile data roaming in most cases. Accessing websites using encrypted HTTPS SSL, which is now offered on many services that exchange e-commerce data or login, is also a wise precaution as is anti-malware and security software for your device.
Two-factor authentication is a good idea for any computer user but has added benefits for those using an open WiFi hotspot. For example, Google offers two-step verification on all user accounts which means that in the unlikely event that a password or username is intercepted, hackers will still need to go through an added step to break into the account.
At the risk of repetition, however, it is important to emphasise that the greatest risk in using free public WiFi is that a malicious or ‘evil twin’ hotspot can be set up to carry out spoofing attacks that manipulate DNS to feed the user authentic-looking login screens. Troels Oertig, head of Europol’s cybercrime centre, has said (in a BBC interview) that people should only send personal data across networks they trust. Authentication and trust are therefore key.
And if the ‘ethical experiment’ proves anything it is that you can’t even trust a seven-year-old.
Online Training to Support Local Businesses to Use Superfast Broadband
Local MP praises e-safety contract for iNorthumberland project
As superfast broadband is rolled out across the region the iNorthumberland Business Support service has appointed Northumberland-based firm Security Risk Management (SRM) Ltd to deliver cyber security Masterclasses that will complement their online learning initiative.
Anne-Marie Trevelyan, MP for the Berwick-upon-Tweed constituency says: “Superfast broadband for every home in Northumberland is one of my key campaigns and I am delighted that it is being rolled out to many villages across our county, though there is more to do. The iNorthumberland initiative will enable the county’s small and medium sized businesses make the most of the opportunities presented by superfast broadband by giving them the tools to stay safe online. I am pleased that Security Risk Management, a company with strong Northumberland roots, will be delivering a world-class training and support package for local businesses.”
The aim is to ensure that Northumberland’s Small and Medium Sized Enterprises (SMEs) and small businesses will reap maximum benefits from superfast broadband while being aware of how to protect themselves from cyber threats.
The iNorthumberland service has been established to provide an online cyber education programme, delivered via its online portal. SRM’s experienced cyber security consultants will be sharing their knowledge to help businesses operates safely and effectively in this exciting area.
Brian Fenwick, Director of SRM, says: “We are delighted to be involved with such a worthwhile programme which will benefit businesses within our home area”.
A key aspect of the iNorthumberland programme is an online learning portal, delivering a range of eLearning courses, specifically developed by industry experts. To date over 300 eligible users have signed up to the programme but it is expected ultimately that up to 350 SMEs and social enterprise business will receive 12 hours of intensive business support via the portal while up to 330 further businesses are expected to improve their capability and performance with spin off benefits to regional employment.
Notes to Editors
Security Risk Management (SRM)
SRM is a UK based Information Security and Training Consultancy headquartered in Gosforth, Newcastle upon Tyne with a dedicated Forensics Laboratory in Rugby, an office in London and a small base near Berwick upon Tweed. The company is a Payment Card Industry (PCI) Qualified Security Assessor with consultants who are Cyber Security Experts and ISO 27001 Lead Auditors. It is one of only 18 companies worldwide accredited by the Payment Card Industry to investigate breaches of credit card data and is also involved in delivering training at adult higher education level to Computer Forensic and Cyber Security students.
The iNorthumberland project is being delivered by Arch Digital, a private sector development company established by Northumberland County Council to further development and regeneration in the county. The project is funded jointly by Northumberland County Council and the European Regional Development Fund 2007-2013. The programme aims to provide ‘high quality business support to ambitious businesses in Northumberland, helping them to harness the opportunities of superfast broadband and associated technologies in order to effectively manage and grow a business online’.
FFA 2015 Annual Review Reveals UK Card fraud worth £479 million
by Brian Fenwick, Operations Director
Financial Fraud Action UK (FFA UK) has published its 2015 Annual Review. The organisation, which is ‘responsible for leading the collective fight against fraud in the UK payments industry’ and has banks, credit, debit and charge card issuers and card payment acquirers in its membership, reveals that fraud losses on UK cards reached £479 million in 2014.
This figure is up 6 per cent on 2013 (£450 million) and up 40 per cent on 2011 (£340 million). This must, however, be seen in context. According to the Dedicated Card and Payment Crime Unit (DCPCU) figures, there has been an overall fall in card fraud of 78 per cent since Chip & Pin was introduced in 2004. This equates to 7.5p for every £100 spent, compared to 12.4p in 2008.
The area that is now seen as being most at risk is those termed as “cardholder not present” transactions. These are online and telephone based transactions which, in 2014, accounted for £330.5m of UK card fraud. That is 69% of the total.
The solution is to take card data out of the IT environment by removing personal card data to a secure off-site store. Adhering to the data security standards laid down in the Data Protection Act and PCI DSS will ensure that compliance is achieved.
Taking these standards a step further by adopting the ISO 27001 framework is, however, the most effective way to ensure data security. More and more organisations are now asking for help in securing ISO 27001 certification because within its framework there is not only a comprehensive data security protocol but it also brings with it an inherently inbuilt flexibility. Used as a basis, it is possible to use its methodology to manage several compliance programmes and to build security into each layer of an online or telephone sales operation.
There are many potential pitfalls when dealing with data security compliance in general. The main one is selecting the wrong product; but others include not specifying correctly or misinterpreting the intent of the standards. Using a consultant experienced in all aspects of data protection and standards reduces these risks while improving the chances of a successful integrated and cost effective strategy.