Omega Owners Forum


Author Topic: Hacked For The First Time  (Read 879 times)


Gaffers

Re: Hacked For The First Time
« Reply #30 on: 07 February 2018, 13:17:44 »

Daughter had her bank card details used for payments for insurance by someone unknown. And at the same time someone phoned up her mobile supplier to say that her phone had been lost so it was blocked and she couldn't use it.
Apparently because the purchases looked suspicious the bank tried to phone her, but it was dead.
All sorted in about 2 hours.
It's quite common they will try and take your phone over; it's used for authentication for so many services and it potentially keeps you busy/diverted whilst they do other financial things.

That is apparently if they can get hold of your SIM after they have fooled your mobile phone provider to send you a new one.  This did not happen to me, and I believe the phone companies are now ahead of the fraud. ;)

Another way to thwart 2FA using a code sent to a phone is to crack the algorithm and gain access to any local SS7 infrastructure.  It's not that difficult if you know your stuff, but you will need to know a lot about how GSM networks work in order to pinpoint the SMS traffic for the particular phone.  You would also need to know that person's number or IMSI.  I believe that the hardware needed can also be difficult and expensive to come by.  As the networks are switched on to the vulnerabilities in SS7, I would suspect that many of them will be monitoring their networks for certain event markers which would give any miscreant's activity away.

Thanks Guffer, I think I understand what you are saying, but as with all this you have to be a specialist in the IT field to know all about it.  The consumer like me who pays the money, and gives them business, should not have to go into such detail as the organisation that you deal with should be protecting their customers, as I did in the retail trade by ensuring full H & S requirements, along with security buffers, were in place to protect those who gave us business/profit :)

Bear in mind also that you are one of many millions of customers.  You have already been included in a very general sweeping appreciation of risk across their client base.  It can be uneconomical for system owners to be 100% unhackable (if that is at all possible).  The law of diminishing returns applies a lot in security: the easy and cheap stuff can cover 80%, while covering the other 20% can cost you many times more.  How far you go will always depend on several factors including a company's appetite for risk to their financials and reputation.  So there is a trade-off where it becomes cost-ineffective to do more than X.  That point will have shifted slightly over recent months as preparations for GDPR are made and the extra regulatory risk is factored into the appetite for risk, with budgets shifted accordingly.  So the money they paid you back has already been budgeted for and frankly they don't care unless it generates significant negative media coverage.  However, I know of one organisation whose approach to the upcoming change in regulation was to just set aside money for the inevitable fines.  No point in doing the work! :o

I deal with such things in every organisation I work with; we cyber nerds would like to get as close as possible to 100%, but the bean-counters fight back and in the end the board will dictate how much you get.  As a case in point, I worked for a building society a short while back and their annual loss to fraud was extremely low, barely enough to cover a single low-level security expert FTE (because they didn't use Faster Payments, thus a good place to keep larger amounts of cash IMO).  However, the reputational risk, highlighted by the TalkTalk debacle, is what spurred them on to improve their posture and make a significant investment, many times their fraud loss value.  They were targeted quite often with social engineering attacks, yet the staff were very good at noticing and doing the right thing because they were forced to complete training every year (a very easy and relatively cheap security control).
Don't feed the troll.

Gaffers

Re: Hacked For The First Time
« Reply #31 on: 07 February 2018, 13:18:11 »

Nothing suspicious about what was ordered, except it's electronic stuff that's easy to move on.  I suspect they started at the lowest cost and kept trying, bumping up costs until it was spotted.  That's a fairly common MO.

laptops and mobiles are easier to shift, but the banks (any PP etc) are pretty switched onto this, so get closer scrutiny.


Guffers is the IT security/cybersecurity expert on here, so pay attention to what he says :y

Yes, obviously TB, but he and you talk a language that us mere mortals cannot fully follow! ;D ;D :y

I could try base 16 if that would help.....
Don't feed the troll.

Lizzie Zoom

Re: Hacked For The First Time
« Reply #32 on: 07 February 2018, 14:58:24 »


Bear in mind also that you are one of many millions of customers.  You have already been included in a very general sweeping appreciation of risk across their client base.  It can be uneconomical for system owners to be 100% unhackable (if that is at all possible).  The law of diminishing returns applies a lot in security: the easy and cheap stuff can cover 80%, while covering the other 20% can cost you many times more.  How far you go will always depend on several factors including a company's appetite for risk to their financials and reputation.  So there is a trade-off where it becomes cost-ineffective to do more than X.  That point will have shifted slightly over recent months as preparations for GDPR are made and the extra regulatory risk is factored into the appetite for risk, with budgets shifted accordingly.  So the money they paid you back has already been budgeted for and frankly they don't care unless it generates significant negative media coverage.  However, I know of one organisation whose approach to the upcoming change in regulation was to just set aside money for the inevitable fines.  No point in doing the work! :o

I deal with such things in every organisation I work with; we cyber nerds would like to get as close as possible to 100%, but the bean-counters fight back and in the end the board will dictate how much you get.  As a case in point, I worked for a building society a short while back and their annual loss to fraud was extremely low, barely enough to cover a single low-level security expert FTE (because they didn't use Faster Payments, thus a good place to keep larger amounts of cash IMO).  However, the reputational risk, highlighted by the TalkTalk debacle, is what spurred them on to improve their posture and make a significant investment, many times their fraud loss value.  They were targeted quite often with social engineering attacks, yet the staff were very good at noticing and doing the right thing because they were forced to complete training every year (a very easy and relatively cheap security control).

Thanks Guffer, that is a great and very interesting explanation which I do fully understand as a business manager used to dealing with multi-million pound budgets and being fully responsible for my Division's P&L account.  I used to factor in losses, or to use the other term, "wastage" with a remit to control them to maximise final bottom line profit (never a loss).

I think, as with any service industry, the "company" must take responsibility for looking after its customers, as you want their repeat business, and give them maximum security whilst you do that.  It is the online companies that have encouraged the development of their business into a boom, so they should go the extra mile to protect their customers, let alone their profits.  It strikes me, and it is really confirmed by you, that they have the attitude that "oh well, hacking is going to happen, no point in worrying too much about it apart from limiting its impact on profits, and sod the customers' security".  In the press we have seen instances of these hackings taking place when there should have been even the regular software to stop such attacks.  No, the online industry has got to do a lot more to encourage those potential customers who at the moment (wisely) refuse to use online services, and keep the customers that already do.  The companies who finally really do pull out all the stops will be the ones to survive with a healthy growing customer base.  It is dog eat dog out there in all variants of the retail industry, and only the strongest and best will survive. :y


« Last Edit: 07 February 2018, 15:01:11 by Lizzie Zoom »

Gaffers

Re: Hacked For The First Time
« Reply #33 on: 07 February 2018, 15:12:36 »

Agreed Lizzie, but in our business we always say that the weakest link is always Layer 8/CKI (i.e. the user) being suckered in by Social Engineering or employing poor password policy (not helped by the appalling minimum password levels enforced by many popular sites, some as low as 6 characters minimum but none higher than 8! :o)
Don't feed the troll.

Rods2

Re: Hacked For The First Time
« Reply #34 on: 07 February 2018, 16:02:46 »

The problem starts with lack of political will, as the legal framework could make things much more difficult for hackers; next is a farcical legal situation where little Johnny's solicitor says he can't help it due to Asperger's syndrome and he will probably get no more than a conditional discharge after causing millions in costs and losses for multiple people and businesses. >:( >:( >:( This makes the crimes highly profitable, with the criminals unlikely to be brought to justice and then the punishment for a 'white collar' crime minimal to nothing. >:( >:( >:(

The price is more expensive goods from online suppliers, higher credit card interest rates and bank account charges and inconvenience for the public at large. >:( >:( >:(

To show how profitable it is, the proceeds of crime of two former Scottish bank employees who went into the online fraud business have just been auctioned with a value of 2.8m. >:( >:( >:(

If the Government wanted to get tough they could, as all of the criminals' activities are traceable, but it has to be at the Government law enforcement or security services level and it is easier and cheaper to pass that buck to make it a business and Joe Public problem. >:( >:( >:(

 
US Fracking and Saudi Arabia defending its market share = The good news of an oil glut, lower and lower prices for us and squeaky bum time for Putin!

Lizzie Zoom

Re: Hacked For The First Time
« Reply #35 on: 07 February 2018, 16:04:27 »

Agreed Lizzie, but in our business we always say that the weakest link is always Layer 8/CKI (i.e. the user) being suckered in by Social Engineering or employing poor password policy (not helped by the appalling minimum password levels enforced by many popular sites, some as low as 6 characters minimum but none higher than 8! :o)

Oh yes, fully agree with that Guffer :y :y

One bank that I use does not accept symbols being used in the password.  Thank goodness other sites I use do allow my passwords of 12 characters, with combinations of letters, upper and lower case, numbers, and with some symbols.  Others I have tried, as you say, restrict you to silly lengths of password.  Why do the banks continue to use only 4-digit PIN numbers with their cards?  Far too small!  At least some credit card companies are pushing authorisation code lengths to 5 or even 6 numbers (not letters!!) :)

STEMO

Re: Hacked For The First Time
« Reply #36 on: 07 February 2018, 16:25:50 »

Agreed Lizzie, but in our business we always say that the weakest link is always Layer 8/CKI (i.e. the user) being suckered in by Social Engineering or employing poor password policy (not helped by the appalling minimum password levels enforced by many popular sites, some as low as 6 characters minimum but none higher than 8! :o)

Oh yes, fully agree with that Guffer :y :y

One bank that I use does not accept symbols being used in the password.  Thank goodness other sites I use do allow my passwords of 12 characters, with combinations of letters, upper and lower case, numbers, and with some symbols.  Others I have tried, as you say, restrict you to silly lengths of password.  Why do the banks continue to use only 4-digit PIN numbers with their cards?  Far too small!  At least some credit card companies are pushing authorisation code lengths to 5 or even 6 numbers (not letters!!) :)

Guffer has already explained about 8/CKI. Banks like people to be able to use their products, and I don't think they want to be employing people to remind folk of their forgotten details.
There was actually research into the optimum number of digits for a PIN......and four won.
If you are offended by anything I post, sorry. Just thought I'd get that in now.

Gaffers

Re: Hacked For The First Time
« Reply #37 on: 07 February 2018, 17:38:48 »

Passwords and codes are all about entropy, and where it isn't high enough additional controls are added.  So for PINs there are the 3 tries and you are locked out.  Passwords that are 8 characters or less can be reversed if you can intercept the hash.  At 9 and above it becomes more difficult, so my personal advice is do not have any passwords shorter than 10 complex characters for anything important.  If you have difficulty remembering them then look at something like Mooltipass, which is an offline password manager.  I got one for the wife because she is terrible for forgetting them.  Online password managers, use at your own risk.
Don't feed the troll.
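Gaffers' two points above, entropy and the "3 tries and you are locked out" control, as an added example that is not from the thread. The alphabet sizes are assumptions (10 digits for a PIN, 26 for lowercase-only, 95 for printable ASCII); the PIN verifier is a constructed illustration of how a try limit caps an online guesser regardless of how little entropy four digits carry.

```python
import math
import secrets

# Added example (not from the thread). Alphabet sizes are assumptions:
# 10 digits for a PIN, 26 for lowercase-only, 95 for printable ASCII.
PROFILES = {
    "4-digit PIN": (4, 10),
    "8 lowercase": (8, 26),
    "8 complex": (8, 95),
    "10 complex": (10, 95),
    "12 complex": (12, 95),
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random credential: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def compare_profiles() -> dict:
    """Entropy of each profile, rounded to one decimal place."""
    return {name: round(entropy_bits(n, a), 1) for name, (n, a) in PROFILES.items()}


def online_success_probability(max_tries: int, length: int, alphabet_size: int) -> float:
    """Chance a guesser succeeds before lockout when every credential is equally likely."""
    return max_tries / (alphabet_size ** length)


class PinVerifier:
    """PIN check with the '3 tries and you are locked out' control."""

    def __init__(self, pin: str, max_tries: int = 3):
        self._pin = pin
        self.max_tries = max_tries
        self.failures = 0
        self.locked = False

    def check(self, attempt: str) -> bool:
        if self.locked:
            return False  # locked: even the right PIN is refused until reset
        if secrets.compare_digest(attempt, self._pin):
            self.failures = 0  # a success resets the counter
            return True
        self.failures += 1
        if self.failures >= self.max_tries:
            self.locked = True
        return False


def tries_before_lockout(verifier: PinVerifier) -> int:
    """Count how many wrong attempts the control tolerates before refusing everything."""
    wrong = "0000" if verifier._pin != "0000" else "0001"  # constructed wrong guess
    n = 0
    while not verifier.locked:
        verifier.check(wrong)
        n += 1
    return n
```

With these assumptions a 4-digit PIN carries about 13.3 bits against roughly 65.7 bits for 10 printable characters, which is why the PIN needs the lockout and the password does not.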

Lizzie Zoom

Re: Hacked For The First Time
« Reply #38 on: 07 February 2018, 17:40:21 »

Passwords and codes are all about entropy, and where it isn't high enough additional controls are added.  So for PINs there are the 3 tries and you are locked out.  Passwords that are 8 characters or less can be reversed if you can intercept the hash.  At 9 and above it becomes more difficult, so my personal advice is do not have any passwords shorter than 10 complex characters for anything important.  If you have difficulty remembering them then look at something like Mooltipass, which is an offline password manager.  I got one for the wife because she is terrible for forgetting them.  Online password managers, use at your own risk.

 :y :y :y

Doctor Gollum

Re: Hacked For The First Time
« Reply #39 on: 07 February 2018, 18:15:28 »

Is Lastpass available here, and is it any good?
Onanists always think outside the box.

Gaffers

Re: Hacked For The First Time
« Reply #40 on: 07 February 2018, 18:45:47 »

Is Lastpass available here, and is it any good?

How do I put this?  If it were a crucial part of a boat's hull, it would be as effective as Swiss cheese.

How many times has LastPass been hacked?  I've lost count.

Any online password manager is going to be a target of malicious actors.  Plus it is only a matter of time before they breach data because some dumb, idiot, lazy admin leaves the credentials for each machine in their datacenter in an Excel file (look up the Sony Pictures hack).
Don't feed the troll.

Gaffers

Re: Hacked For The First Time
« Reply #41 on: 07 February 2018, 18:51:57 »

Agreed Lizzie, but in our business we always say that the weakest link is always Layer 8/CKI (i.e. the user) being suckered in by Social Engineering or employing poor password policy (not helped by the appalling minimum password levels enforced by many popular sites, some as low as 6 characters minimum but none higher than 8! :o)

Oh yes, fully agree with that Guffer :y :y

One bank that I use does not accept symbols being used in the password.  Thank goodness other sites I use do allow my passwords of 12 characters, with combinations of letters, upper and lower case, numbers, and with some symbols.  Others I have tried, as you say, restrict you to silly lengths of password.  Why do the banks continue to use only 4-digit PIN numbers with their cards?  Far too small!  At least some credit card companies are pushing authorisation code lengths to 5 or even 6 numbers (not letters!!) :)

Guffer has already explained about 8/CKI. Banks like people to be able to use their products, and I don't think they want to be employing people to remind folk of their forgotten details.
There was actually research into the optimum number of digits for a PIN......and four won.

The lack of special characters has probably more to do with being lazy about protecting against deliberate/accidental SQL Injection, i.e. whereby the input field has characters that the database backend uses to separate functions, lines of code or values.  Most do it properly by sanitising input or converting it to a format where it doesn't cause a problem.  Others are lazy and just ban special characters.
Don't feed the troll.
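Gaffers' contrast between banning special characters and handling input properly, as an added example that is not from the thread: a constructed SQLite login lookup written three ways, so the cost of the lazy fix (a legitimate password containing "!" is refused) sits beside the parameterised query that makes any character safe. The table, user and password are made up for the demonstration.

```python
import sqlite3

# Added example (not from the thread): one login lookup written the vulnerable
# way, the "ban special characters" way and the parameterised way.
# Constructed data; a real system stores a password hash, plaintext is kept
# here only so the injection point stays visible.
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'Corr3ct!H0rse')")
    conn.commit()
    return conn


def login_concat(conn, name: str, password: str) -> bool:
    """Vulnerable: input is spliced into the SQL text, so a quote ends the string literal."""
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_banlist(conn, name: str, password: str) -> bool:
    """The lazy fix: refuse any special character, then concatenate anyway."""
    if not (set(name) <= ALLOWED and set(password) <= ALLOWED):
        raise ValueError("special characters not allowed")
    return login_concat(conn, name, password)


def login_param(conn, name: str, password: str) -> bool:
    """Proper fix: values are bound as parameters and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run the three variants against the real password and the textbook quote payload."""
    conn = make_db()
    good, bad = "Corr3ct!H0rse", "' OR '1'='1"
    results = {}
    for label, fn in (("concat", login_concat), ("banlist", login_banlist), ("param", login_param)):
        for tag, pw in (("right", good), ("payload", bad)):
            try:
                results[f"{label}/{tag}"] = fn(conn, "alice", pw)
            except ValueError:
                results[f"{label}/{tag}"] = "rejected"
    return results
```

Only the parameterised version both accepts the genuine password and refuses the payload; the ban list blocks the attack at the price of also blocking the strong password.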