North Korean IT workers are hijacking genuine LinkedIn profiles to apply for remote jobs and infiltrate enterprises.

Security Alliance (SEAL) said the technique, which marks an escalation from previous fake worker schemes, is hard to spot initially as the profiles appear completely genuine - as, in a way, they are.

The fraudsters appropriate real identities, leverage verified workplace emails and identity badges, and construct credible employment histories to pass background checks.

Once settled into remote roles, they route corporate laptops through “laptop farms” to maintain the appearance of a regionally based workforce.

While salary diversion helps finance the regime, there's also a more strategic threat in the form of persistent access, including the installation of malware and the theft of intellectual property.

Darren Guccione, CEO and co-founder of Keeper Security, warned the news should be viewed as a structural shift and significant escalation in cyber risk.

"What we are seeing is not an isolated fraud campaign, but the industrialization of professional identity manipulation, where nation-state actors combine stolen personal data, AI-generated imagery and deepfake video interviews to embed themselves inside unwitting organizations."

There are relatively simple ways to spot the fraud, however, such as asking applicants to connect with you on LinkedIn to ensure they have ownership and control of the account.

Meanwhile, SEAL said users experiencing identity impersonation involving fraudulent job applications should consider posting a warning on other social media pages to protect their identity and the broader ecosystem.

This should include the date the fraud was detected and the tactics that were observed. Users should list the accounts they control - and the communication channels not used for job discussions. Elsewhere, they should provide a method of verification, for example, "contact via company email".

Identity security needs a rethink

Guccione said enterprise leaders need to face up to the fact that identity is now the primary attack surface - and that in a remote and hybrid hiring environment, perimeter security offers little protection when adversaries are granted legitimate credentials and endpoint access.

Organizations must respond by hardening identity governance, for example. That includes rigorous identity verification during onboarding, enforcing phishing-resistant multi-factor authentication, applying least-privilege access from day one, and continuously monitoring for anomalous behavior.

“Privileged access has to be tightly controlled and audited at all times," he said.

"This campaign is a stark reminder that trust in digital identity must be earned and continuously validated. Without strong identity and access management controls, companies now risk providing expansive internal access to the very threat actors they are trying to defend against."

North Korea has been using fake remote workers to raise money for the regime for years now, with fraudsters claiming to be based anywhere from Italy and Ukraine to Japan, Malaysia, or Singapore.

While the scam initially targeted US companies, it has spread into Europe over the last year or so, with Google warning last summer that workers in Europe were recruited through various online platforms, including Upwork, Telegram, and Freelancer.

Payment was managed via cryptocurrency, the TransferWise service, and Payoneer.

FOLLOW US ON SOCIAL MEDIA

Organizations are taking 11 person-hours on average to investigate a single identity-related security alert, according to new research.

Analysis from Enterprise Strategy Group found security teams are facing significant challenges managing the volume of alerts, especially since the rise of agentic AI.

In many organizations, meanwhile, its rapid adoption is outpacing organizational oversight and creating new attack vectors.

Identity is already fragmented across cloud services, developer platforms, identity providers, and infrastructure resources such as databases, servers, Kubernetes and workloads.

All told, this fragmented ecosystem of platforms, tools, and solutions, is hampering response times and placing enterprises at huge risk, the report noted.

“When it only takes minutes for threat actors to move laterally across your infrastructure, 11 hours to investigate an identity-related incident simply isn’t good enough,” warned Ev Kontsevoy, CEO of Teleport, a sponsor of the research.

“As we move deeper into the age of AI, we must remember that AI dramatically lowers the cost of identity attacks, and we must expect the frequency of them to increase.

"We must improve the trustworthiness of computing environments. We can only achieve this by eliminating anonymity and human error, and by unifying identity to simplify policy enforcement and enhance visibility of what each identity is doing.”

Credential theft is surging

Things are made all the harder by the ease with which criminals can obtain valid static credentials such as passwords or API keys to impersonate identities.

According to the study, credential theft now accounts for one-in-five data breaches, with the number of compromised credentials having surged 160% in 2025 so far.

This fragmentation of identities is also reflected in the tools that enterprises use to manage them, with security teams using an average of 11 tools to trace identity-related security issues.

The reason is a complex mixture of cloud adoption, cyber insurance requirements and the need for separate tools for different environments, such as on-premises, cloud or SaaS, as well as customer security requirements, legacy tools, and industry compliance requirements.

“Few organizations understand the scale of the threat, let alone how quickly malicious actors can move laterally and disrupt systems," said Todd Thiemann, principal analyst at Enterprise Strategy Group.

"Each application expands a company’s security and compliance surface area, often faster than they can govern it, and few are easily integrated with identity tools."

"This leaves blind spots, orphaned accounts, inconsistent access privileges, and gaps in auditability, which significantly raises the risk of breaches and regulatory penalties," Thiemann added.

Identity security is now a priority

For most organizations, modernizing workforce identity security is a priority, with 91% saying it's a top-five concern.

As a result, budgets are growing year over year, with 87% of organizations reporting plans to increase their spending on workforce identity security, and more than one-third anticipating a significant rise.

According to Kontsevoy, the most efficient strategy lies in combining unified, cryptographic identity with just-in-time access. That’s how teams can more effectively minimize the attack surface.

“The blind spots created by complex IT aren’t just a danger to security. They’re bottlenecking the productivity of engineers and security professionals. They need a way to quickly answer vital questions," he said.

"Who accessed database X and with what permissions? Is this behavior unusual for the identity in question? What’s the full summary of what an identity did in a single session across platforms? To answer these questions, we need a different approach to cybersecurity, one that isn't based on secrets and siloed identities."

Shoring up defenses

The study from Enterprise Strategy Group comes amid a sharpened industry focus on identity security in recent months.

With businesses across a range of industries adopting agentic AI solutions, this poses serious challenges with regard to managing machine identities.

A recent study from Okta, for example, found 85% of security leaders now view identity and access management (IAM) as a crucial part of their broader security posture, marking an increase compared to 79% in the year prior.

Similarly, 78% of respondents to the Okta survey said that controlling access and permissions for “non-human identities” now represents their main security concern, overtaking long-running focuses such as lifecycle management and network visibility.

Okta’s advice on this front centered largely around closer inter-departmental collaboration, urging enterprises to foster closer ties between AI project leaders with security practitioners.

In doing so, enterprises can still accelerate agentic AI projects, but mitigate future potential risks by accommodating security team concerns during the experimentation process.

MORE FROM ITPRO

• How to implement identity and access management effectively
• Enterprises are worried about agentic AI security risks
• Top identity management and security tips for beginners

Ten years ago, identity fraud typically meant people manually forging, but today’s threat actors work with purely-digital fakes with an increasingly-advanced toolset including ‘deepfakes’ that work even on live video feeds. At the same time, Twitter advertisers have seen billions wiped off their market caps as the platform struggles with its ID verification.

On top of the growing scale of digital fraudsters, a surprising amount of businesses are willing to let a small amount of fraud occur. Companies need to carefully plan how to avoid fraud, but more importantly learn from the experience of falling victim to scams.

This week, we spoke to Mike Tuchen, CEO of identity tech firm Onfido, to discuss the current threat landscape, how the tech sector can match threatening tech with detection systems, and best practice going forward.

Highlights

“It's currently neck and neck, but to your point, the quality of the deep fakes has gone way up. And so this is going to be an ongoing game of cat and mouse in the coming years, and so it's this combination of synthetic identities and deep fakes. That's really the cutting edge, that we'll see more and more fraudsters use.”

“You can't try to go back and say, "we'll shut down the dark net", that's not going to happen, right? We have to accept that that is out there. And it will always be out there, and so all we can really do is become increasingly sophisticated on the ‘ability to detect and protect’ side, as they're, as they ramp up their capabilities on that side.”

“Because of the so-called ‘blue check’, the verified thing, that was a complete fiasco and I'd say entirely preventable. But we've seen, you know, companies like Eli Lilly and Lockheed Martin get attacked and lose like $15 billion of market cap each. Because Twitter decided not to do, you know, any kind of verification aside from your willingness to pay eight bucks. I don't know if those were caused by people trying to manipulate the stock. But if they were, the trade off of making potentially millions of dollars by spending $8 on getting a blue check, it's a no brainer, right?”

Read the full transcript here.

Footnotes

• Identity theft: What it is, and how it can affect your business
• Onfido Fraud Report 2022
• Fraud detection and prevention market to hit $176 billion by 2030
• Deepfake attacks expected to be next major threat to businesses
• Real-time deepfakes are becoming a serious threat
• What are biometrics?
• What is the dark web?
• The rise of ransomware as a service
• UK gov unveils plan for nationwide digital identity scheme
• ID.me pushes for US-wide privacy legislation
• Data protection policies and procedures
• What is GDPR? Everything you need to know, from requirements to fines
• Review calls for urgent new laws over use of biometric technology
• Twitter's employee 'revolt' sparks survival concerns for a platform crumbling from within
• Businesses to receive unique Twitter verification badge in platform overhaul
• What are the pros and cons of AI?
• What is machine learning and why is it important?

Subscribe

• Subscribe to The IT Pro Podcast on Apple Podcasts
• Subscribe to The IT Pro Podcast on Google Podcasts
• Subscribe to The IT Pro Podcast on Spotify
• Subscribe to the IT Pro newsletter
• Subscribe to IT Pro 20/20

This automatically-generated transcript is taken from the IT Pro Podcast episode ‘The front line of fraud tech'. We apologise for any errors.

Rory Bathgate

Hi, I’m Rory Bathgate. And you’re listening to the IT Pro Podcast, where this week we’re asking ‘who goes there’ as we discuss identity fraud. A recent report by Onfido, a UK firm specialising in identity tech, states that since 2019, identity fraud has increased 44% since the start of the pandemic – reflective of the rise in such cyber crime as threat actors took advantage of the digital transformation that took place across the period. It’s clear that security teams have their work cut for them, but the same report states that 75% of businesses are now simply willing to accept small volumes of fraud. This week, we’re speaking to Mike Tuchen, CEO of Onfido, to discuss the current threat landscape and what can be done for the sector.

Mike Tuchen

Thanks for having me.

Rory

So I guess my first question is kind of a broad one. How long has this willingness to accept small amounts of fraud be ongoing?

Mike

It's been rising over time, and we think for a couple of reasons. Willingness to accept fraud is going to come from, I think, two different backgrounds. Number one: what's the cost of fraud to my business? And number two: how much flexibility and choice do I have, in looking at fraud as a rule, let's say a diallable decision. Because in the past, when when companies are onboarding their new customers, this is an area where fraud can creep in, they were at a choice of fairly blanket policies that were generally kind of all or nothing in, in nature, right? And so you had a set of compliance dictates a set of, you know, fraud dictates driven by your fraud team, if you're a traditional bank, and you know, paper driven process. And I heard just recently from someone who had been in banking back in that era, that 75% of the applications were turned down for a new bank account, ecause of the cumbersomeness of those processes. A couple of things have happened. Number one, banks are still very, very sensitive to fraud, the cost of fraud to them is very high. But they, and all companies now, can take a much more ROI driven approach and say, "fraud, on average, costs me this much; a lost onboarder, a lower onboarding rate if you will, costs me this much. What's my trade off point? How do I balance those two?" And they can make an economic decision to balance the two of them by doing AV tests and figuring it out. So that's a new capability that simply didn't exist you know, if you were to turn the clock back five years, and certainly 10 years that didn't exist at all. So that ability to think about fraud as an economic choice, as opposed to as a binary sort of compliance driven choice, is a new sort of modern take that that I think changes a little bit of that tolerance.

Rory

Do you think that's also behind, in the same report, it's stated that companies younger than 20 years have a higher figure of accepting fraud rate, do you think that then this is reflective of that kind of changing perspective on what's really acceptable?

Mike

I think, yes, that's one of two factors. I think, number one, yes, they tend to be more agile about, you know, trying out this thing about fraud as an economic choice and trying out this, finding the balance of trade off. I think, as well, a lot of the more traditional companies, the longer tenure companies, have a higher cost of fraud right? If you're, if you're a bank, the cost of fraud to you is quite a bit higher than other platforms. With banks, one of the main things that banks do is extend loans. Well, that means if they have fraud, they're out the cost of the entire loan. Something like a choosing like a digital currency trading platform, the customer is bringing their own money in and is trading on their own account, the cost of fraud of them is just simply lower than the cost of fraud to the bank. So I think you'll see part of that is just simply how much is fraud costing me, as well as a potentially different economic choice.

Rory

Right. So it's really to do with the maturity of the company and therefore how severe the attack is.

Mike

Yes, and what industry they're in, right? It's not, in some cases there's a maturity difference. But in other cases, it's just simply, the industry, I'm in cost of fraud is very high, therefore I have to take, even if I'm very sophisticated about taking the economic trade off approach, I'm simply going to dial that all the way to the very, very low fraud end of it, because that's how the trade off for me works. Whereas for other platforms, they can see that a little bit differently.

Rory

So when this calculation is happening, when a company is weighing up, what degree of fraud is acceptable for us to allow to happen? Do you think that there needs to be more public sector pressure to kind of balance this out? Or is this a conversation that needs to be had had throughout the private sector to kind of change this culture?

Mike

I don't think there's a, this is an area where the public sector pressure is really going to be that helpful. To me, areas where the the public sector mandates are helpful is solving, you know, kind of externalities, where the market pressures don't solve themselves. An externality would be things like privacy, right? Who's protecting my privacy as an individual, and there's no market pressure that solves for that. It's a, it's a very weak sort of pressure for companies to take a privacy-centric approach. But on the other hand, governments can look out for the privacy of their citizens and mandate, you know, certain requirements like GDPR in the EU, or in California, there's the CCPA, which is a very similar regulation. And so those are areas where you're solving an externality that the market doesn't solve for, but I would argue that the fraud tolerance and desire to solve for that, the market really does balance that quite well. Companies that get hit by fraud, and they're very sensitive to that, right, if you look at the fraud, increase the 44% increase during the pandemic, the rise of sophisticated fraud, the cost of fraud, in companies that are sensitive to that, these are things that they care a lot about, and they take very, very active steps to counter. So I see this much more as a game of cat and mouse between the industry and the fraudsters, and a constant game of one-upmanship that's, you know, solving itself, I think, in a fairly disciplined way.

Rory

Right. Okay. And then focusing specifically on the tech sector, how can businesses mitigate the risk currently, is the tech they're just a technique to be developed more? And could you go over some of the maybe some of the inadequacies that we're seeing?

Mike

So I'll talk about some of the hard problems there, and where the trade offs tend to be. The top level way to think about it is, it's a constant game of cat and mouse. And as the fraudsters get more sophisticated, then the industry players like us get better at catching that. And as we get better, and leapfrog, then they look for ways to find, you know, weaknesses in what we've just built and they, you know, go and attack and find the gap. And then we close the gap, and cover other things. And so it's a constant game of one-upmanship. So rather than think of it as a sort of static playing field, I think of it as an active adversary that you're, you know, constantly looking to outsmart on both sides. And so what that means is, if you were to turn the clock back 10 years ago, most identity fraud was people doing forgeries, so taking an existing document, a passport or a driver's licence, and with a magnifying glass and a pen literally changing the doc, forging the doc. Those are, those are much more rare now, that's like single digit percent, like low single digits, maybe 1% of the fraud that we see. What's much more common now is digital fraud of two types. First, digital fraud, again, starts with a standard identity doc, or an existing identity doc, and then changes i, applies a change to an existing valid doc. And much more common, or increasingly common now is a pure digital fake. Fraudsters are creating a template that's a say, a British driver's licence template or a UK passport, and then applying a whole bunch of different synthetic identities. So a pure digital fake, from the ground up, using a template that looks like a valid one. And so we're seeing much more of that. And coupled with that, we're seeing different types of biometrics fraud. So, you know, classically the the Mission Impossible remember those silicone masks they sort of put on? Those are actually real, right? There's actually people using them now. Yeah, it's amazing, used to be if you want to defeat an old style, online identity system, you would literally just hold up a picture of someone else in front of your face, right? And for an old style thing, that might be good enough, or submit a picture that was taken somewhere else, that's of someone else that's not of the person sitting in front of you. Well, nowadays, you actually we can detect, is there a live human being there? And is it the same one, indeed, that's on the doc. Neither of those two approaches will work anymore. And so the latest frontier is a purely, just like there's a purely digital fake, to create a document, people are creating so called deepfakes of a different face than yours, and mapping it onto your face. Again, our newest approach can detect that as well. But that's an example of, you know, what the old world looked like and some of the cat and mouse game that's going on right now.

Rory

So in terms of the deepfakes, I mean, I guess that's kind of cutting-edge, threat actor activity right now. You do hear stories, I don't know how overhyped they are, but you do hear tales of deepfaked LinkedIn job interviews, or things that are going on, very elaborate scams involving faked video, faked video interviews, being chief among them. But you're saying that the kind of protection tech currently is neck and neck, that maybe we're developing an antidote to those threats, as quickly as threat actors can develop the threats themselves.

Mike

It's currently neck and neck, but to your point, the the quality of the deepfakes has gone way up. And so this is going to be a an ongoing game of cat and mouse in the coming years. And so it's this combination of synthetic identities and deepfakes. That's really the cutting edge, that we'll see more and more fraudsters. This is the most sophisticated fraud, so we'll see more and more starting to do that. And we'll see companies like us doing more and more to prevent that, for sure.

Rory

And on a specific tech question, what kind of solutions are being implemented to detect things like deepfakes?

Mike

One example is a biometric solution that we just brought out over the last couple of months, called Motion. And what it does is, have the end user turn their head from side to side, similar if you have an Apple phone and you're enrolling with face ID, you have to turn your head from side to side. Similar concept to that, and what that does is, most of the current deepfakes that are mapping someone else's face onto yours in real time, they're taking a texture map and mapping onto your face. And as a result at the boundaries, there's, you know, a level of distortion is detectable when you turn your head. And so that's why, rather than just a purely static looking at your face approach, that approach allows us to capture current state of the art. As those deepfakes get better and better, that's gonna be harder to catch. But that's, that's the current state of the art, our approach is 10 times more accurate even on a normal static image then before, but now it also captures these advanced kind of capabilities

Rory

So I guess we've talked about one of the most cutting edge threats right now, but on a broader point, what are some of the most common methods through which identity fraud is currently carried out?

Mike

You know, very commonly what people are doing is taking a stolen ID and passing it off as their own. And so, for us, what we want to be able to do, and what we encourage customers to do, is a variety of different checks because a stolen identity can come in a couple of different flavours. If they have the actual identity card itself, someone actually stole your wallet, then the the the identity is valid, right? The card is a valid card. And it's truly a genuine identity. Now the question is, is that person the same one that's on the identity card? So we do a bunch of work to confirm that biometric, and all the stuff I just talked about, confirming that the actual picture on the card is the same person that's in front of the cameras, a live person there is the same one there. And the picture on whatever identity document you have hasn't been altered, right? Those are the ways that you can detect that scenario. So all of that is current state of play. The other thing that we encourage customers to do, is to add on secondary checks. So we have a configurable approach, where customers can say let me do exactly what I just talked about, check the validity of the document, let me check the biometrics and ensure there's the same person who's on the document, the document hasn't been altered. But now let's also go back and confirm that that driver's licence, for example, is still valid. Because the first thing that most people do when their driver's licence gets stolen is go and cancel it, and get a new one. And so when you do it a look up, it'll come back and say, aha this one has been cancelled. And so for all those, that'll be another way for customers to detect that. This is a case of valid document with fraudulent use case, and so checking is the document actually still valid or genuine, let's say genuine document, that's no longer valid. Other examples are, we talked about all the purely synthetic ID examples, with the way fraud is working right now is, it's a big business. Many billions of dollars a year are being created fraudulently. And the way that that works then is, fraud is no longer the realm of an individual hacker, that's working by themselves in their garage, right? It's a team of very technical people doing this at scale. And so they're, picture a software development team, that once they find an exploit, they're trying to exploit it hundreds or thousands of times. And so there's an army of people that they use for different biometrics, there's different variations on the theme of different identities, and subtle variations of those identities that they're plugging in. And so once they find one that you'll have a hundred different flavours of that, trying to sneak in the door. And so an example of a mitigation approach that we've created for that scenario, is something we call known faces, and something that we also call repeat attacks. And those two things cover that exact scenario. If we've seen someone before, who's been fraudulent, the odds of that person being fraudulent the next time around are very, very high right? It's unusual that you'd have, it's like almost vanishingly impossible to have someone do something fraudulently one time, and then be a valid genuine customer the next time around, right? They're either fraudster or not, by and large with kind of 99-100% probability. And so with that case, this concept of known faces is super powerful. Once you've detected fraud, through any mechanism, you say, "aha, that person is fraudulent". Similarly, it detects these variations on a theme. And then what we'll do is say, "aha, we've seen this variation before". And now here's one hundred, different, other slight variations on that theme. The odds are, these are all fraudulent, and so all of these are mitigation techniques for that type of attack.

Rory

So with this kind of, micro economy of fraudsters that you're talking about, is it in any way similar to the ransomware as a service model that we're seeing with ransomware threat actors, where they're licencing out their services to kind of wannabe threat actors, who now have access to tools much more powerful than they would be able to come up with on their own? Is there a similar black market for fraud happening currently in tech?

Mike

Absolutely. And so as a matter of fact, there's a fair amount of overlap between the various communities here. And so in the fraud world, things like buying stolen identities, you know, there's groups that sell stolen identities. You can buy identity document templates, you can buy identity document generators, where you can plug one into the other and create a synthetic ID. So all of these things, the level of simplification required is going way down. You can see there's a company that, not a company but there's this software out there, that will create a fake utility bill. And you ask yourself "why on Earth would someone want to create a fake utility bill, it doesn't seem like a very useful thing". Well, it turns out that many banks use things like utility bills to verify that your address is valid. And so all of these things are little pieces of the toolkit that are very readily available on the so called dark net. And so, yes, for sure there's a whole industry of tools providers and data providers that are behind this increasing sophistication of fraud.

Rory

That's, that's very worrying. I mean, I suppose it's very difficult to rip out those systems right now, all you can kind of do is add on the tools, like you were saying to detect them when they happen. I mean, I know that banks are forever being urged to move away from the paper utility bill system, but I guess it's slow to change.

Mike

It is, in the end it's, you know, the question you have to ask is, what's the best alternative? And yes, there are approaches where you log in live to your utility bill account, and confirm that there's actually a live account available. But that has limited geographic scope, and limited utilities. And so it's not, it's more secure, but it's not as broadly applicable, as a paper based fallback that a lot of companies end up using. And so ultimately, to your point, you can't try to go back and say, "we'll shut down the dark net", that's not going to happen, right? We have to accept that that is out there. And it will always be out there, and so all we can really do is become increasingly sophisticated on the ability to detect and protect side, as they're, as they ramp up their capabilities on that side.

Rory

In terms of blame, aside from fraudsters themselves, within an organisation, where do we lay, whose feet do we lay the blame at for fraud? Is this the C suite executives that are ignoring the signs? Or is it often a case of employees maybe being being lax with personal, like you're saying, they've lost some personal details, and that's had a knock on effect down the chain?

Mike

Yeah, I'd say inside of companies I don't think the sort of 'blame concept' is super helpful. I mean, if you're, if you haven't created a high quality, secure, and frictionless signup approach then you should make sure you get the right skills on your onboarding team. Because that's really all about your onboarding team and their capabilities. But by and large, if you've done that, if fraud creeps through, which it will because there's no system is perfect and there's this constant game of cat and mouse that I described, rather than looking for blame, I think a more appropriate approach is to stay, "let's get to the root cause". What happened here? How did it break through, and how do we mitigate that and ensure it doesn't happen again? And I'd say if you were talking to a senior exec, if you're getting good responsiveness to that question, and the team is able to get to the root cause, you're able to diagnose and say, and here's how we prevent that going forward. Great. You probably have a team that's approaching this the right way. If you're not getting clear answers there, and you're getting a defensive kind of reaction then maybe you should have a look at what's going on. But I'd say the most important thing is, are you using best practice approach, and best practice technology like our company? And, you know, do you have the sophistication to be able to measure how you're doing, and run AB tests, and course correct if your fraud rates are looking too high.

Rory

Right, okay. Yeah, it's cultivating an internal culture of, "you're never going to hit 0% fraud rate", just being able to bounce back from and learn when you are hit with these attacks.

Mike

It's very, very similar to the security world. And because the world the security world is exactly the same, where there's a group of increasingly sophisticated attacks that are coming in, and you as a security team is trying your best to create as resilient the posture you can, that also is usable by your internal employees. You don't want to make the system so airtight, that your own employees can't use it either. And so you're trying to balance that usability, and user experience, with fraud capabilities and constantly looking to detect, and adapt over time. This is exactly the same, you're balancing your end user experience, your onboarding rate, with your ability to detect fraud, and you're just trying to put the best combination of all that in play, but also be able to detect and react if there's something that you missed. And so you really want to take a very, very similar approach on both sides.

Rory

So something else I'd like to draw out from the report that I mentioned earlier, is that 84%, of executives surveyed said that they're less than completely confident in their company's ability to keep up with data legislation, or regulation. This seems to be a data sovereignty issue as much as, within a local region, an inability to keep up with the changing nature of privacy regulation. How much does this feed into inability to prevent fraud?

Mike

I think the two are somewhat orthogonal to each other. I think this is a, it's a real concern, because the data sovereignty and privacy regulations are continuing to evolve and change in every different country around the world. And so, if you're a company that's doing business across multiple countries, then trying to figure out "how do I stay compliant in this kind of evolving landscape?" is really difficult. And so for us, we see ourselves as in some cases, being a source of expertise and a trusted expert to help our customers understand some of those changes, and what are some of the things they need to do? You know for example, in the US, we've had some biometric privacy regulations that have emerged that many of our customers weren't aware of. And so we're needing to educate them, say "are you aware of this, you, here's what you need to do to become compliant". And so, it's something that we see ourselves increasingly needing to play a role to help our customers navigate, given how complex it's becoming.

Rory

And increasingly complex in America, if I understand correctly, there is a lack of central federal regulation. So it can vary state by state, right?

Mike

It does indeed, as a matter of fact there are a crazy number of states that have different — so the US is no longer in this sense, one country, we have, you know, 30 or so states have created different regulations. And even the current draft that hasn't passed the Congress yet, of a new nationwide privacy law still has carve outs for a couple of states. So even in the best case, where we're getting a national standard, that standard isn't going to be totally uniform. It's gonna be uniform for many states, but there's gonna be a carve out for at least two that had been in the latest draft. And so the US is going to be, it looks like, even in the best case, somewhat of a patchwork. And that's, you know, and then you start taking this to the rest of the world, think about how crazy that gets. That's why 84% of execs are saying they're not 100% confident they can do it, it's not because they're somehow falling asleep on the job, this is a very complex problem to solve. So if you want to a topical hook, you know, because this the so-called blue check the verified thing, that was a complete fiasco, and I'd say entirely preventable. But, you know, we've seen, you know, couples like Eli Lilly and unlucky Martin, get attacked and lose like 15 billion of market cap each. Because Twitter decided not to do you know, any kind of variable verification aside from your willingness to pay eight bucks, and just, you know, make a simple economic card. I don't know if those were caused by people trying to manipulate the stock. But if they were the trade off of making, you know, potentially millions of dollars by spending $8 on getting a blue check. It's a no brainer, right? Because there's no actual verification bar aside from your willingness to pay eight bucks. So those that's an example of just a poor trade off by a very, very influential player in the market. The solution for it is simple. If Twitter were to use the type of onboarding and verification techniques that we've been talking about, that every digital bank in the world, every traditional bank in the world, every financial company in the world is already using, so this is proven technology at very high scale. If Twitter were to use that, the risk of this type of market manipulation would be orders of magnitude less. And so, this is just an example of Twitter choosing not to take advantage of readily available technologies, and as a result, putting not just their customers and their advertisers, but the broader financial markets at at risk. And so we look at that and say, that's just not a good trade off right? They can clearly... for something, a service that costs $8 a month, $100 a year, the small, small, small fraction of that they could spend to get too strong verification, seems like a very, very obvious trade off to us that we think they were, you know, really not making the right choice.

Rory

And like you're saying, increasingly complex, here in the UK, we've got a constantly changing landscape, the government keeps promising to replace GDPR with something but they're not saying what that is specifically. So it's definitely a complex landscape. Would you say that this is holding back developments in identity tech, maybe preventing a more unified solution from being developed and agreed upon? Because, of course, you'd have to have it agreed upon in every various region?

Mike

Well, I'd say that identity is by its nature, historically, it's been a very sovereign concept. So every country sees themselves as the root of identity trust for their country. And I don't think that's ever going to change. And so, I think that you have to separate that out from this concept of privacy. So even if you were, in some best case world, to have a uniform worldwide privacy standard — this, by the way, doesn't exist and is unlikely to exist, as long as all of us are alive and for quite a bit longer than that — but in some ideal planet, if that were to, you know, actually happen, you still have this concept of each country wanting to certify and be the source of trust for identity. And I don't think that changes, right? You get your national identity card well, by its name, from the country. You get your driver's licence, in the US, we get it from the state, but in most places you get it from the country. You get your passport from the country. So it's the government, the federal government, that ultimately is the source of identity. And so everything else, you know, depends on that and devolves from that in some way. So I don't think that is ever going to change, governments are very, very proprietary about their, let's call it their identity sovereignty.

Rory

That makes sense. It's as much a sociological and cultural problem maybe, as it as it is a technological problem. Just on that point of technology, just as my final question, I have to ask, when we're faced with kind of leading edge threats, like deepfakes, often leading edge solutions such as AI and machine learning, are pushed forward. How can these be be used in verifying identity? And is there a strong future for these technologies?

Mike

Absolutely, as a matter of fact, it's really the only way to solve this going forward. And so, everything that we do at Onfido, and everything I've talked about today it's been all about AI, machine learning. Because it think about the, you know, you talked about the LinkedIn job interview. And, you know, if you can fool a human being in an interview setting, which is a pretty demanding setting, then the odds of you being able to fool a human in an onboarding process, which lasts a fraction of time is sort of astronomically high. And so, really the only way you can do that is to train a computer to catch a computer. And then it becomes a software, machine learning arms race, which is kind of the current state of play that where we are. But it's, we're at the point now where the best models are better than human judgement. So historically, the the highest performing solutions were hybrid solutions that had an automated portion, and then a human in the loop to make trade-offs for corner cases that that computer couldn't figure out. Our newest technology. And so as a result, what customers were forced to do is choose between either a hybrid solution, which has the best accuracy, but has the trade-offs associated with that, which means slower turnaround time, because there's a human being who's actually looking at it. Worse scalability during peak times like Black Friday, or you know, Christmas rush, or whatever it is, Super Bowl if you're in that world, or the World Cup in Europe. Or, you know, have something fully automated but not as accurate. And so if you ask customers "well, which one do you want?" and they say, "I want both, I don't want to make that trade off". We're just at the point now, where our new fully automated solution is just rolling out. And that's about 25% more accurate than our hybrid solution, which is the most accurate in the market today, and has all the benefits of a fully automated solution, fast turnaround time, measured in seconds and, you know, infinite scalability during peak times and stuff like that. And so it's it's a win-win-win. But that's an example of just really applying ML and AI super deeply to solve this problem. And that clearly is the future direction. So your answer is: Is it promising? Yes, matter of fact, it's the only way.

Rory

Well, Mike, thank you so much for being on the show.

Mike

Rory, thanks for having me.

Rory

As always, You can find links to all of the topics we've spoken about today in the show notes and even more on our website at itpro.co.uk. You can also follow us on social media, as well as subscribe to our daily newsletter. Don't forget to subscribe to the IT Pro Podcast wherever you find podcasts. And if you're enjoying the show, leave us a rating and a review. We'll be back next week with more insight from the world of IT but until then, goodbye.

The Unique Identification Authority of India (UIDAI) withdrew advice yesterday advising citizens on how best to secure their Aadhaar national identity cards.

The Aadhaar system is used in India to provide a single source of identity verification across the country for its residents. Once enrolled, citizens can use their Aadhaar number to authenticate and establish their identity multiple times using electronic means or through offline verification, according to UIDAI. Linked to a citizen's biometric data, it's used for accessing social welfare schemes, opening bank accounts, dispersing pensions, passport applications, and more.

UIDAI’s Bengaluru office warned the general public last Friday to not share a photocopy of their Aadhaar with any organisations as it can be misused. Alternatively, a masked Aadhaar can be used instead, which displays only the last four digits of the card’s number, which can be downloaded from the UIDAI official website.

UIDAI also asked the public to avoid using a public computer at an internet cafe to download their e-Aadhaar. “However if one does so, it should be ensured that all the downloaded copies of e-Aadhaar are permanently deleted from that computer,” it advised.

The warning added that only those organisations that have obtained a user licence from the UIDAI can use Aadhaar for establishing the identity of a person. Unlicensed private entities like hotels or film halls aren’t permitted to collect or keep copies of the Aadhaar card, or seek a photocopy of the card, it said.

This provoked a response on social media, with one user saying that they have stayed in around 100 hotels which kept a copy of their Aadhaar.

Following the uproar, the UIDAI released a clarification two days later, on 29 May. It stated that its Bengalaru office issued the warning as there was an attempt to misuse a photoshopped Aadhaar card.

“The release advised the people to not to share photocopy of their Aadhaar with any organisation because it can be misused. Alternatively, a masked Aadhaar which displays only the last 4 digits of Aadhaar number, can be used,” it stated.

However, it added that given the possibility of the misinterpretation of the press release, the message is withdrawn with immediate effect. Card holders are only advised to exercise normal prudence in using and sharing their UIDAI Aadhaar numbers.

The system has been a cause for concern in the past, with critics worried about its security and surveillance capabilities. In 2018, India’s Supreme Court upheld the validity of the system, saying sufficient security measures were taken to protect data and it’s difficult to launch surveillance on citizens based on Aadhaar. However, the judges asked the government to provide more security measures as well as reduce the period of storage of data.

The LAPSUS$ hacking collective managed to breach T-Mobile systems using employee credentials and downloaded more than 30,000 of the company’s source code repositories.

This is according to evidence obtained by investigative reporter Brian Krebs, who detailed the data breach on his KrebsOnSecurity blog.

LAPSUS$ members accessed T-Mobile's internal company tools on several occasions in March, using T-Mobile VPN credentials purchased through the dark web, including a stolen data trading platform known as the Russian Market.

Conversation screenshots obtained by Krebs show how easy it was for the hackers to find new login credentials in the case that a targeted employee had changed their password, using SIM-swapping to bypass two-factor authentication. LAPSUS$ member ‘Amtrak’ had detailed to a member known as ‘White’, who has been using the Lapsus Jobs account, how they had found a new T-Mobile employee account to target, allowing them to access the company’s Slack communications.

‘White’, also known as ‘WhiteDoxbin’ and ‘Oklaqq’, is an Oxford-based teenager who was one of the LAPSUS$ members arrested and charged in late March. He is believed to be one of the leaders of the hacking group, despite his young age – estimated to be 16 or 17 years old at the time of the attacks.

Screenshots obtained by Krebs seem to hint that the hackers’ legal guardians are aware of criminal activity, with ‘Amtrak’ telling ‘White’: “Parents knkw [sic] I simswap [sic]”.

Apart from T-Mobile’s Slack channels and Bitbucket source code repository, LAPSUS$ also managed to gain access to the company’s customer account management platform Atlas.

Despite this, T-Mobile has stated that “the systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value”.

“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete,” the company told KrebsOnSecurity.

This is the third known data breach for T-Mobile in 15 months, following an incident affecting around 200,000 customers in January 2021 and 47.8 million customers in August 2021. The company also fell victim to three other breaches between 2018 and 2020.

Commenting on the news, Mike Newman, CEO of identity & access management (IAM) solution provider My1Login told IT Pro that “this latest breach on T-Mobile is yet another example of how attackers are relying on credential theft to carry out ransomware attacks”.

“Today all ransomware gangs, from BlackCat to LAPSUS$ to DarkSide have been relying on compromised user accounts to gain an initial foothold on an organisation’s network and then turn off security controls, steal data and deploy ransomware. This means to fight back against these attacks we need to focus on improving the security of user credentials and passwords, so they can’t be stolen or socially engineered out of victims in the first place,” he added.

Management at cosmetics firm Shiseido was allegedly aware of a data breach on company systems weeks before officially reporting the incident to the Information Commissioner’s Office (ICO), according to former employees.

The UK data regulator told IT Pro that the Japanese cosmetics giant first reported “an incident” on 11 April, as per reporting rules that require a company to report any incidents to the ICO no later than 72 hours after first discovery.

However, two former Shiseido employees have told IT Pro that the company had been made aware of the data breach as early as 17 March, following multiple reports of employees having their identities stolen.

One of the victims, former business manager for Shiseido subsidiary NARS Cosmetics, Faye Hopping, detailed how she became aware of her personal details, including a scan of her photo ID, being used to set up a fraudulent company in her name:

“My postman intercepted a letter from Companies House towards the end of March which went to my old property. Luckily he did, or I would have been completely unaware that a company had been established in my name as director! The company was set up from 14/3/22 so I’m not sure when my details would have been breached,” she told IT Pro.

After “emailing countless people within Shiseido”, Hopping was only formally contacted by the company on 19 April with an offer to provide a 12 month subscription to Experian credit and web monitoring services.

Hopping described the offer as “bit late considering most of us were advised to join Experian & Cifas when we reported the incident to the fraud crime [police]”.

In the same correspondence dated 19 April, the cosmetics giant denied responsibility for the data breach, stating that “there is no evidence that the information has come from Shiseido”.

This is despite the list of victims reportedly including “hundreds” of former and current employees of Shiseido and its subsidiary brands, according to employee reports.

The company has refused to accept liability "as [the breach] could have come from a third party or even HMRC", another former employee who had a fake company set up in their name told IT Pro.

Having received a letter from Companies House in the first week of March congratulating them on becoming a company director, the former employee, who wishes to remain anonymous, promptly notified Action Fraud. However, they didn't find out about the breach until 7 April, when a former co-worker mentioned that they had "attended a Teams Q&A that day about a possible data breach".

"She [the co-worker] was told the company are not accepting liability and therefore had no intention of contacting former colleagues. I also found out that they sent out an email on the 17th March so they were aware of the breach at this point," the former employee said in an email to IT Pro.

"I have since sent four emails to Shiseido HR and Legal [department] but have yet to have a response. They sent out a scripted email on Thursday, 14 April from a new email address they set up specifically for the data breach and I forwarded all emails I’d previously sent to this email address but I have still yet to hear back from them. I have sent a subject of access request and a formal complaint to them but they haven’t responded," she added.

Hopping told IT Pro that she was in contact with 23 former colleagues who had also been affected, adding that “it’s disgusting how this whole incident has been handled".

Shiseido didn’t reply to IT Pro’s multiple requests for comment.

Under GDPR, companies have up to 72 hours to inform the ICO of any data incident, provided its clear the breach poses a risk to the rights and freedoms of data subjects. If the incident is likely to create significant risk, companies are also required to inform employees without undue delay.

If a company is found to have breached this rule without justification for a delay, they can be liable for a fine of up to £10 million or 2% of global turnover, whichever is higher.

We’re all too familiar with phishing. Fraudulent emails purporting to be from a trusted source, and tricking the victim into revealing sensitive information, are rampant.

Banks and financial services, third-party vendors, and streaming services are among the popular targets for impersonation. By and large, phishing scams rely on social engineering and clever personalization to lure victims into transferring money to a fraudulent account or providing personally identifiable information (PII).

The year 2020 saw 6.95 million new phishing attempts. Not surprisingly, COVID-19 scams were common, as were gift cards and gaming hacks. There’s a lesser know variant of phishing, however, that’s equally perilous. SMS phishing, or smishing, employs text messages sent over mobile phones as bait. There’s often an air of urgency in these messages, which entices recipients to click on malicious links.

How common are smishing attacks?

Reports of smishing in the UK rose nearly 700% in the first half of 2021, according to a study by enterprise security provider Proofpoint. Additionally, parcel and package delivery scams made up 67.4% of all smishing attempts.

Other prevalent smishing scams include:

1. Urgent notifications regarding credit card payment
2. Act-now coupons with special discounts
3. Request for survey/feedback from customer support
4. Unusual account activity alerts
5. Unknown service charges
6. Flash sales and giveaways
7. Instant student loans

Over 9,000 reports have been filed to Which?’s Scam Sharer tool since it launched in March 2021. Most reports (65%) involved phone calls or text messages, with 31% of these scams originating as text messages.

Why are smishing rates so high?

The average SMS open rate is 98% compared to just 20% for emails, according to Gartner. Additionally, SMS marketing helps businesses offer 24/7 support to customers, boosting engagement. Given the high response rate, it’s less of a surprise why cyber criminals emulate brands.

That said, smishing attacks are particularly hard to tame for one particular reason: lack of authentication. Unlike emails, SMS messages cannot be blocked or flagged without third-party software. Unhindered by the law, perpetrators can automate SMS messages to millions of ten-digit phone number combinations.

For instance, Edward Smith, a UK customer of Santander bank, was conned out of £22,700 after providing a spoofed bank phone number with his one-time password in 2016.

Santander released a statement stating, “Whilst we are very sympathetic to Mr Smith's situation and the distress caused by being the victim of a scam, Mr Smith disclosed a OTP to validate and authorise the transfer, a security measure we put in place to protect customers against fraud. He also confirmed the payment as genuine when we called to check. Therefore we cannot accept any responsibility for the losses on this account.”

A subsequent investigation revealed there were at least ten other Santander SMS fraud cases under investigation, with one victim reportedly losing £40,000.

How to spot and stop smishing scams?

Social engineering and trickery make smishing scams extremely potent and persuasive. Listed below are a few tips to prevent smishing:

1. Do not click on links sent via text message

Expect the unexpected. Malware can also spread through secure messaging apps like WhatsApp and Signal. Hacking groups, including Dark Caracal, have successfully employed WhatsApp, Signal, and Messenger to distribute phishing links that trick users into installing phoney updates to their encrypted messaging applications. Updates typically include malware files that allow hackers to view user screens, record keystrokes, and even take control of devices remotely.

2. Look for misspelled words

Smishing attacks are often characterized by poorly crafted sentences, improper grammar, and misspelled words. Be sure to check for these tell-tale signs when you suspect smishing. Spam messages may also contain links that differ ever so slightly from the site's original URL. Navigate to the website manually instead of clicking on the link to avoid being scammed.

3. Verify the number before initiating contact

Smishing messages typically come from random or strangely formatted numbers. For example, the number 5000 indicates the message was sent via email and may be malicious. Calling the concerned organization and asking for confirmation is the most reliable way to determine whether the number/message is legitimate. In the event that the number is fraudulent, delete the message to prevent any risks.

4. Limit the size of your digital footprint

Publicly available information can help criminals improve the credibility of their phishing messages. A good case in point is social media accounts. Review your privacy settings to ensure hackers cannot retrieve personally identifiable information, including your mobile number.

Already responded? Here are your options

Timely action can prevent harm. Here are some steps to take if you've already replied to a suspicious message:

1. Contact your bank if you have been tricked into disclosing your financial information. Block or freeze your account to prevent further transactions.
2. Notify your IT department if you used your work phone to respond. Log out of all other connected devices and reset your password.
3. Run a full scan with antivirus software if you clicked on a suspicious link to install or update an application.

Report to curb the spread

It's still worthwhile to report your suspicion, even if it's only a hunch. Luckily, it only takes a few steps to report spam.

Do not open or reply to suspicious emails. Instead, forward them to phishing-repot@us-cert.gov, an inbox established by the US Cybersecurity & Infrastructure Security Agency (US-CERT) in collaboration with the Anti-Phishing Working Group (APWG). You can also forward report cases of identity theft through identitytheft.gov. UK readers can forward possible phishing attempts through the Suspicious Email Reporting Service (SERS) at report@phishing.gov.uk.

Additionally, you can report suspicious text messages to universal short-code 7726 at no charge. The service will help your phone provider track down the source of the text and take appropriate measures.

“Smishing attempts have risen dramatically – with fraudsters taking advantage of the pandemic to trick consumers into giving away personal details and transferring their hard-earned cash,” says Rocio Concha, director of policy and advocacy at Which?.

The firm also released a ten-point SMS guide, encouraging businesses “to do their part to protect consumers from scams”. The guide offers advice on how businesses can differentiate their texts from those sent by scammers impersonating them, to protect consumers from fraud.

Identity verification startup SentiLink has secured $70 million in a funding round led by Craft Ventures, bringing its valuation to $85 million.

The Series B funding round also saw participation from Felicis Ventures, Andreessen Horowitz, and NYCA. Per reports, Victoria Treyger and David Sacks from Felicis will serve as observers on SentiLink's board.

SentiLink will use the funds to combat identity fraud in the US by expanding its product line and workforce.

“SentiLink’s growth trajectory is one of the fastest I've ever seen and their traction with companies from new startups to major US banks is impressive,” said David Sacks, co-founder and general partner at Craft Ventures.

“All of this stems from the team’s deep understanding of fraud and identity. I learned about fraud attacks I didn't even think were possible from talking with Naftali and Max. We're excited to lead SentiLink's Series B and to support them as they transform how identity verification works in the US.”

SentiLink integrates disparate data sources to identify synthetic identities with unparalleled accuracy. Its ID Complete module matches the Social Security number (SSN) data across US identities to fill in incomplete or missing data. Synthetic Fraud and ID Theft Scores indicate the likelihood of application fraud.

What’s more, SentiLink’s Risk Operations team continuously monitors synthetic identities to develop consistent and accurate fraud labels.

“SentiLink is reinventing identity verification in the US. Despite businesses spending large amounts of time and money trying to figure out if people are who they say they are, identity fraud is rampant and real customers suffer from false positives and unnecessary friction,” said Naftali Harris, co-founder and CEO of SentiLink.

Commenting on prerequisites, SentiLink said its real-time fraud detection solutions only require name, address, DOB, SSN, email, and phone number for assessing identity fraud.

More than half of businesses across the UK, Germany, France, Spain, and Italy have seen a rise in fraud levels this year, according to new research commissioned by identity management provider GBG.

Some of the most frequent attacks were credit and debit card fraud (56% of respondents), followed by phishing (46%), and e-transfer fraud (37%).

However, respondents said that they are currently least prepared to defend themselves from synthetic identity fraud (26%), IP piracy (26%), and social engineering attempts (25%).

What's more, one in three consumers said they had become more worried about becoming a victim of fraud as a result of the COVID-19 pandemic. Unfortunately, their fears may be justified; according to GBG, fraud has become a prevalent issue in 2020, with one in five consumers affected by identity fraud only this year.

The rise in incidents can be attributed to the digital acceleration powered by government-imposed lockdown restrictions and social distancing. This year saw many consumers open online accounts, with the most popular being shopping (47%), social media (35%), and online banking (31%), using mobile numbers (50%), email addresses (48%), and biometric data (28%) to log in.

GM of Identity Fraud, Europe at GBG, Gus Tomlinson, said that the research “shows that not only is identity fraud already prolific, the ‘trust gap’ it creates poses a risk to industries which will depend on digital trust if they are to thrive in 2021 and beyond”.

“For some businesses and even entire sectors, we are nearing a tipping point: get this balance wrong, and lose trust – and therefore customers – for good.”

GBG also warned that each individual identity fraud attempt could cost an organisation between £1,000 and £4,999 on average.

At the height of the pandemic in April, it was reported that about £2 million was lost to coronavirus-related fraud in the UK, with the NCSC warning that “an increasing number of malicious cyber actors are exploiting the current COVID-19 pandemic for their own objectives".

"In the UK, the NCSC has detected more UK government branded scams relating to COVID-19 than any other subject," the report added.

The dark web is a nefarious place, where criminals lurk and communicate, buy, sell, plot and plunder. It’s the data black hole, a home to information stolen in data breaches. With information so easily accessible to fraudsters, it’s no surprise ID theft is booming.

This whitepaper explores the depths of the dark web, examining why it’s a threat to corporate data and why businesses need to take action.

Download it now for a comprehensive guide to the dark web, helping your business stay clear of the threat it poses.

More than 15,000 webcams in homes and offices can be accessed by members of the public and manipulated over just an internet connection.

Many security and conferencing cameras can be accessed remotely by anyone if users implement no additional security measures post-installation, according to findings by Avishai Efrat, a white hat hacker with Wizcase. In other cases, these cameras are set with predictable passwords or default user credentials.

Webcams susceptible to this include AXIS net cameras, the Cisco Linkys webcam (now owned by Belkin), and WebCamXP 5 software, among many others in countries all across the world.

Many may assume that only devices like routers can be exposed in this way, given they serve as gateways that connect other devices with each other. Webcams, however, can also be accessed remotely in a similar way via peer-to-peer (P2P) networking or port forwarding. It's through these mechanisms that Internet of Things (IoT) devices, too, can be hacked.

"Is it possible that the devices are intentionally broadcasting? We can only determine this for on certain webcams that we're able to access the admin panel for," said Wizcase's web security expert Chase Williams.

"They're not necessarily broadcasting, but some may be open in order to function properly with apps and GUIs (interfaces) for the users, for example.

"Also included with some measure of frequency are specifically designated security cameras at places of business, both open and closed to the public which begs the question, just how much privacy can we realistically expect, even inside an allegedly secure building."

While it's difficult to know who owns such devices from technical information alone, cyber criminals may be able to ascertain such details using context from videos. Potential attackers can also glean user information and estimate the geolocation of the device in cases where they have admin access.

With the information made available by the unsecure webcams, Wizcase suggests cyber criminals can change settings and admin credentials, obtain bank and payment information, or even give hostile government agencies a glimpse into people's private lives.

The vulnerabilities can be explained by the fact that manufacturers aim to make the installation process as seamless and user-friendly as possible. This, however, can sometimes result in open ports and no authentication mechanism being set-up.

In addition, many devices aren't put behind firewalls or virtual private networks (VPNs), which could otherwise offer a measure of protection.

"Standalone cams are notorious for not being secured properly," said Malwarebytes' lead malware intelligence analyst Chris Boyd.

"If you have a cheap IoT device in your home watching over your sleeping toddler, or a few handy cams serving as convenient CCTV when you head off to the shops, take heed. It may be that the price for accessing said device on your mobile or tablet is a total lack of security.

"Always read the manual and see what type of security the device is shipping with. It may well be that it has passwords and lockdown features galore, but they're all switched off by default. If the brand is obscure, you'll still almost certainly find someone, somewhere has already asked for help about it online."

Wizcase has suggested that whitelisting specific IP and Mac address to access the camera should filter those with authorised access, and prevent attackers from being able to infiltrate a user's network.

Adding password authentication, and configuring a home VPN network, too, can mean remotely connecting to the webcam is only possible within the VPN. UPnP should also be disabled if people are using P2P connections.

"The biometric data, unencrypted passwords, and personal data of over one million people have been discovered sitting on a publicly accessible database belonging to a company that serves the likes of the UK Metropolitan Police and banking groups."

Those were the familiar words I typed out as part of my coverage of the Biostar 2 data breach. It's the same narrative I've seen hundreds, if not thousands, of times since becoming a technology journalist in my numbness I even entertained the idea that one million wasn't too bad.

But the Biostar 2 incident is perhaps the most unique security lapse I've come across in my three years at IT Pro. Not because of how it was discovered, nor because of how many were affected. The security lapse itself is even quite common.

What's uniquely terrifying about this breach is the nature of the data that was stolen.

Data breaches and hacks have become so common now that they fail to spark the same outrage they once did. That's not to say people don't get angry when they see a national airline exposing data to the world, or a massively popular social network improperly sharing information to third parties. Yet, for all that initial vitriol, the story disappears soon after. The number of those affected is usually difficult to conceptualise and, by extension, relate to. The privacy impact on each customer also varies significantly.

The initial buzz around the headline is usually followed by the release of fixes, process improvements, and the occasional lawsuit, only for attention to eventually turn elsewhere. Only very rarely does a data incident reverberate in the minds of the public. Facebook's Cambridge Analytica scandal comes to mind. Yet for most, we forget.

And that's ok.

The reason we forget is that the data itself is mercurial. The likes of passwords, email addresses, ID numbers, web history, and user preferences, while unique to each of us, can all be changed relatively easily or at least can go out of date quickly. Financial data theft, of course, can be more damaging but, again, cards can be cancelled and security numbers scrapped. It's also true that data theft for the majority of us usually translates into the odd dodgy phishing scam; often hilarious, always dismissed.

There's also the derision that accompanies scams that exploit password reuse. Those of us that turn to password managers, mainly so that we can fire and forget whenever we sign up to a new service, can be safe in the knowledge that it's those who are uninformed or lazy in their approach to security that will feel the brunt of most hacks.

But the Biostar 2 data leak exposed us all to something a little more sinister and, I would argue, is one of the most serious vulnerabilities ever discovered. Here we had raw, non-hashed fingerprint data and facial scans sat on a vulnerable database, information that is entirely unique and (outside experimental surgery) can't be changed. We've all resigned ourselves to the fact that companies will slip up when it comes to data protection, but when that extends to the very data that makes us individuals, serious questions need to be addressed.

The incident will certainly have implications for the biometrics industry. The drive to go passwordless may improve user security and user experience, but there seems to be little consideration as to how much more sophisticated data collection and storage will need to be as a result. In fact, many companies, including previously respected household names, have demonstrated unprecedented incompetency when handling our data, and it's time we started taking that seriously.

We have to question whether we should allow software vendors to continue to digitise more and more of our immutable personal information in the pursuit of state of the art services, many of which are entirely unnecessary.

The UK government has called for evidence to help it create a new online identity verification tool that can be used across government services and the private sector too.

The consultation was opened on Friday to all businesses and individuals in order to ascertain what will be needed from the new tool. The government especially wants to hear from those who represent the interests of people who have the potential to be digitally excluded, such as vulnerable people.

The new tool will be created with a view to tackling a range of issues, from secure purchasing of age-restricted materials on and offline to filing tax returns and registering for a new GP.

Identity fraud is also a fast-growing issue in the UK with identity fraud prevention service Cifas releasing 2018 figures, which showed more than 189,000 people were victims of identity fraud - a figure up 41% from 2017.

With a reliable digital identity that can be used across various sectors, it could cut down the country's reliance on physical documents which can be more easily stolen, misplaced or even forged.

"These new proposals could make it easier for people to prove their identity without compromising their personal information and for businesses to conduct checks in a safe and secure way," said Jeremy Wright, digital secretary. "This will help make sure more and more people benefit from the huge potential of technology and can use it to shop, bank and access Government services."

The government believes the plans could help stimulate the UK's digital economy, adding 3% to the union's GDP by 2030 if implemented successfully.

Keen to dispel any speculative data protection issues surrounding a hybrid of private and public sector data access, the announcement made by the Cabinet Office and the Department of Media, Culture and Sport, said no private organisation would have access to government-held data under the proposal.

"Any new solutions will be compliant with recently strengthened data protection laws and set out requirements for the secure transfer of data," said the announcement. "There will be no central identity database and individuals will be in control of their personal data."

The Cabinet Office hasn't explicitly drawn parallels between this new proposal and its Verify programme which has been heavily scrutinised since its launch, but Oliver Dowden, minister for implementation alluded to it being a possible extension to it.

"Last October I announced that the GOV.UK Verify programme is mature enough to move to the next phase of its development, in which the private sector takes on responsibility for broadening the usage and application of digital identity in the UK," said Dowden. "Allowing organisations greater flexibility to reuse identities is an important step towards this goal."

Verify was launched in 2016 as a method of digital identity verification to be used across all online government services but has been "failing its users and struggling to meet key targets" according to a report by MPs.

The Government Digital Service, the body responsible for Verify, missed every single one of its performance targets for Verify and saved far less money than originally intended when making the business case for it in 2016.

The service was also shrouded in other failures from promises of 25 million users by April 2020 and only recording 3.6 million by February 2019, to technical issues relating to its success rate. When implemented, it promised a 90% success rate in verifying identities but was actually around 48% successful, according to a damning NAO report.

"In many ways the Verify programme is an example of how government has tried to tackle a unique and unusual problem, adapting over time in response to lessons learnt and the changing nature of the external market," the NAO report concluded. "Unfortunately, Verify is also an example of many of the failings in major programmes that we often see, including optimism bias and failure to set clear objectives."

After the consultancy on the latest proposal has ended, a pilot scheme will run to help iron out the issue with the new tool. The first to trial it will be companies which already provide digital identity services to the UK government.

The Samsung Galaxy S10's 'ultrasonic' in-display fingerprint reader can be easily unlocked with a 3D-printed fingerprint, allowing hackers to break through the device's biometric security.

The exploit was discovered by a Reddit user going by the names of 'darkshark9', who cloned his own fingerprint from a photograph of the print left on a wine glass. Using common software tools Adobe Photoshop and Autodesk 3ds Max, he created an accurate replica of the print using a home 3D printer costing less than 400.

In a proof-of-concept uploaded to Imgur, darkshark9 showed the device being unlocked by the fake print, stating that "the 3D print will unlock my phone...in some cases just as well as my actual finger does".

"If I steal someone's phone, their fingerprints are already on it," he explained. "I can do this entire process in less than three minutes and remotely start the 3D print so that it's done by the time I get to it. Most banking apps only require fingerprint authentication so I could have all of your info and spend your money in less than 15 minutes if your phone is secured by fingerprint alone."

The photo used in the exploit was taken with the S10+ itself, but he also theorised that by using a higher-quality DSLR camera, you could steal someone's digit "from across a room... or further".

The S10's in-display fingerprint reader was one of the main selling points of the new device, with Samsung saying its biometric security "provides a high level of protection for sensitive data". However, most security experts agree that using biometric security as a primary unlock method is less secure than a password or PIN.

Multiple tests have shown that the facial recognition technology used to unlock many smartphones is not foolproof, and Samsung itself advises during the setup of facial recognition that it is "considered less secure than other lock types".

However, when we reached out to Samsung, the company dismissed concerns about the hack, calling the phone's security "vault-like".

"The Galaxy S10's in-display Ultrasonic Fingerprint Scanner offers vault-like security that has been developed through rigorous testing to provide the level of accuracy and prevent against attempts to compromise its security, such as images of a person's fingerprint."

Samsung argued that the hack wasn't a threat, as it required using professional software and a 3D-printer, and that the copy "could only have been made under a very rare combination of circumstances". Both pieces of software used in the hack offer free trials, while the 3D printer used is available for less than 400, making it comparatively easy for even an amateur hacker to assemble the necessary toolkit.

"If at any time there is a potential vulnerability identified, we will act promptly to investigate and resolve the issue," Samsung said.

Researchers have established that more than 600GB of personal information is circulating online after finding a monster cache of four additional 'Collection' folders.

The Collection #1 leak discovered earlier this month was considered one of the largest leakages of personal data in history, with more than 773 million unique email addresses, and 22 million passwords, found circulating on hacking forums online.

But the scale of this leak has expanded dramatically after researchers with German firm Heise Security uncovered folders named 'Collections #2 to #5', containing swathes of personal data that were harvested from historic data beaches.

The full complement of Collection' data, folders #1 to #, now spans more than 2.2 billion unique email addresses and passwords.

Despite the data's historic nature, sourced from headline data breaches of the past such as the massive Yahoo hack, researchers with Heise Security believe cyber criminals will gamble on users' lax attitude towards password and try out the credentials anyway.

"The current leaks are a good opportunity to rethink your own password strategies," said Heise's Ronald Eikenberg.

"The most important rule is to use a different password for each service. And if you do not want to think up or remember a password for each service, it's best to use a password manager."

After the first batch of records were published online researcher Troy Hunt, who first unearthed Collection #1, suggested that cyber criminals may use the data for credential stuffing' attacks.

When publishing the details around the leak, Hunt also released an unverified list of past data breaches and compromised sites that made up the leak, totalling 2,890 files names, with the earliest breach occurring in 2008.

Just as with Hunt's site HaveIBeenPwned, the German Hasso Plattner Institute with ties to Heise Security runs a service called Identity Leak Checker which people can use to see if their usernames and passwords have been compromised in the Collection leaks.

After news around Collection #1 first broke, Malwarebytes' lead malware intelligence analyst Chris Boyd suggested the key for users and businesses who may be affected is to ensure passwords are limited to one per account.

"This is another good argument for making use of password managers, and especially those with built-in functionality to check current passwords against lists of data breaches," Boyd said.

"If you recognise any of your passwords in the haul, you should stop using it immediately and perform a little behind the scenes maintenance as soon as possible."

The scale of the leak, many times the scale of Collection #1 which was at the time thought to be the biggest single leak in history, is sure to prove staggering to the wider security community.

ESET UK's cyber security specialist Jake Moore believes this is the start of something "far more significant than anything we have ever seen before".

"Hackers are becoming even more sophisticated, and hopefully, this is a massive wake-up call to anyone with an email address," he said.

"The overarching statement here is that we need to adopt stronger layers of security, and this is the time to adopt a new way of managing passwords.

"Using your three rehashed passwords is no longer going to cut it."

Specifically focussing on fraud and counterfeiting of non-cash means of payment, the language of a new European Directive has been agreed upon to strengthen rules surrounding cyber crime.

The new Directive, supplementing the EU's scaled up response to cyber crime, will enhance member states' capacity to prosecute cyber criminals.

The rules which govern payments made with bank cards, mobile payments and payments via cryptocurrencies, aim to offer the penalties for fraud of this type more uniformity to deter cyber criminals from targeting those in states with more lenient punishments for cyber crime.

The Directive is also committed to offering victims of non-cash fraud better access to advice and support to limit the consequential damage against them following a cyber attack. Provisions for the exchanging of information between states will also be improved in an effort to close cross-border cases more quickly.

"We are building a safer Europe for our citizens - offline as well as online, and today we deliver on this commitment," said Dimitris Avramopoulos, Commissioner for Home Affairs, Migration and Citizenship. "These new rules will help us crack down on those who steal from our citizens through online fraud, and ensure that our citizens are better protected."

Current EU law governing non-cash payment fraud was drafted back in 2001 so the new law is required to adequately serve today's challenges and technological developments. Since 2001, mobile payments and virtual currencies have become commonplace and such, the law must reflect the criminal demands of today's society. It's also estimated that cyber criminals may be profiting as much as 1.8 billion every year, so the need for new laws has never been greater.

"Strengthening deterrence is crucial to tackling cybercrime -- malicious cyber actors need to know that they face serious consequences," said Julian King, Commissioner for the Security Union. "Today's agreement gives member states a stronger tool to effectively fight online fraud, and provides a forceful disincentive to would-be cyber-criminals."

The Directive will have to be formally approved and adopted by the European Parliament and the Council, and once it is, member states will have up to two years to draft domestic laws which enforce the Directive's rules.

The initial proposal for the updated Directive was featured in President Jean-Claude Juncker's 2017 State of the Union Address and the news follows Monday's agreement on the language of the new EU Cybersecurity Act.

The new Act aims to better support member states with tackling cyber threats and to establish an EU framework for cyber security certification. The framework will deliver technical guidelines for procedures and standards to ensure a high level of cyber security in IoT devices, smart cards and ICT infrastructure. Once approved by the European Parliament an Council, the Act will be drafted into the EU Official Journal and take effect immediately.

Nigerian cyber criminals have extended their reach into the UK as part of a wider campaign to target chief financial officers (CFOs) from businesses of all sizes and sectors.

The 'London Blue' hacking gang managed to generate a list of more than 50,000 high profile targets from a broad range of companies during a five-month period this year for future business email compromise (BEC) phishing campaigns.

Executives and financial leaders from several of the world's biggest banks are listed, according to researchers from cyber security firm Agari, while London Blue is predominately targeting mortgage companies. Such scams will focus on stealing real estate purchases or lease payments.

Moreover, the BEC attack emails London Blue launches typically contain no malware; the group instead sends fraudulent payment requests to finance teams. As a result, the emails are difficult to detect by the range of counter-measures firms typically employ to block harmful material.

"In our analysis of London Blue, we identified the working methods of a group that has taken the basic technique of spear-phishing - using specific knowledge about a target's relationships to send a fraudulent email - and turned it into massive BEC campaigns," the report said.

"Each attack email requesting a money transfer is customised to appear to be an order from a senior executive of the company.

It added: "Conventional spear-phishing requires time-consuming research to gather the info needed for the attack to be successful - identifying individuals with access to move funds, learning how to contact them, and learning their organisational hierarchies. However, commercial lead-generation services have allowed London Blue to shortcut gathering the necessary data for thousands of target victims at a time."

Of the 'London Blue' hit list, 71% of targets held the title CFO, while the remainder were senior members of finance teams including finance directors, controllers and members of accounting. The majority of targets are based in the US, with remaining targets based in a host of nations including Spain, the UK, Finland, and Egypt.

The group itself also operates through an organisational structure resembling that of a generic corporation, with members carrying out specialised functions. These include business intelligence, financial operations, human resources, sales management, email marketing and sales.

Firstly, London Blue members would generate leads for potential targets before engaging in open source reconnaissance to gather any missing information such as their email addresses or names.

Test emails will be sent to other London Blue members to make sure attack emails are sent before the BEC attack emails are sent, and mule accounts that are set up to receive funds share the spoils to the key players in the group.

According to Agari researchers, lead generation is also dependent on business with commercial data providers, with attackers most recently relying on one San Francisco-based firm to collect names, company, titles, work email and personal email addresses.

"This report demonstrates that cybercriminal groups continue to evolve and are using formal business strategies and structure to more effectively carry out their scams," the report continued.

"London Blue's use of legitimate commercial sales prospecting tools shows the out-of-box thinking these groups employ to identify new targets. The pure scale of the group's target repository is evidence that BEC attacks are a threat to all businesses, regardless of size or location."

The Marriott hotel chain has suffered a major data breach to its Starwood Hotel brand guest reservation database which potentially exposed the information of 500 million guests.

On 19 November, an investigation undertaken by Marriott discovered that there had been unauthorised access to its database on or before 10 September.

"On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. Marriott quickly engaged leading security experts to help determine what occurred," the company said in a statement.

"Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database."

The information accessed included the names, email addresses, phone numbers, and passport numbers of Starwood Hotel guests. For some guests, payment card numbers and expiration dates were also taken.

While the payment card data was encrypted using the AES-128 standard, Marriott noted that it cannot "rule out the possibility" that the two components needed to decrypt the numbers were not stolen.

Marriott said it has reported the data breach to law enforcement and will continue to work with said authorities to investigate the breach.

"We deeply regret this incident happened," said Arne Sorenson, Marriott's president and CEO. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."

The company has set up a website to provide customers who might have been affected with more information and a year-long subscription to a fraud-detection service.

An ICO spokesperson said: "We have received a data breach report from Marriott Hotels involving its Starwood Hotels and are making enquiries.

"We advise people who may have been affected to be vigilant and to follow advice from the ICO and National Cyber Security Centre websites about how they can protect themselves and their data online."

A new facial recognition tool has been released that could help automatically identify and harvest the social media profiles of thousands of targets with very little effort. The tool is primarily aimed at white hat hackers.

The tool - dubbed Social Mapper - was developed by security company Trustwave, who has released it on Github under an open source license. The company, which specialises in ethical hacking services, says that Social Mapper is intended for use by white-hat hackers, penetration testers and 'red teams' - internal security staff who are tasked with simulating cyber attacks on the organisation.

Social Mapper only needs a list of targets with the individuals' names and photographs. Users can also input the LinkedIn ID of a specific company, and it will automatically create a list of targets based on all the people who are registered as employees of said company on LinkedIn.

From there, Social Mapper logs into a range of social media sites - including Facebook, Twitter, LinkedIn, Google+ and Instagram, as well as regional platforms like VKontakte and Weibo - and searches the targets' names, using facial recognition to match their profile picture to the given photo.

The software will then output a report containing all of the available social media profiles for each target, available in a variety of formats. It can also generate the target's work email, if you tell the software what format to use.

Any security expert worth their salt will tell you that a complete list of a target's social media profiles is an incredibly useful tool when conducting a cyber attack, and gathering such data is often the first step when conducting reconnaissance before an attack.

"Once social mapper has finished running and you've collected the reports, what you do then is only limited by your imagination, but here are a few ideas:

• Create fake social media profiles to 'friend' the targets and send them links to credential capturing landing pages or downloadable malware. Recent statistics show social media users are more than twice as likely to click on links and open documents compared to those delivered via email.
• Trick users into disclosing their emails and phone numbers with vouchers and offers to make the pivot into phishing, vishing or smishing.
• Create custom phishing campaigns for each social media site, knowing that the target has an account. Make these more realistic by including their profile picture in the email. Capture the passwords for password reuse.
• View target photos looking for employee access card badges and familiarise yourself with building interiors."

However, Trustwave's Jacob Wilkin (who created the tool) noted that "While this is an easy task for a few, it can become incredibly tedious when done at scale". This, he said, is the primary idea behind Social Mapper: to speed up intelligence gathering that pen testers previously had to do manually.

"Its primary benefit comes from the automation of matching profiles and the report generation capabilities. As the security industry continues to struggle with talent shortages and rapidly evolving adversaries, it is imperative that a penetration tester's time is utilized in the most efficient means possible."

While Trustwave has stated that Social Mapper is intended to be used by ethical white hat hackers, concerns have been raised that because the tool can be freely downloaded and used by anyone, it could easily be deployed by criminals.

Tim Helming, director of product management at DomainTools said that threat actors using open source components for phishing attacks show that available tools on the internet have "enormous potential to be used for both helpful and nefarious purposes".

What happens when a company you trust to safeguard your identity actually ends up being the very organisation that leaves you vulnerable to attack?

That's what customers of identity theft protection company LifeLock appear to be discovering, after researchers learned that a flaw in the company's website could be leaving customers vulnerable to spearphishing attacks.

The flaw was first reported by security expert Brian Krebs, who was alerted to it by US researcher Nathan Reese. Reese discovered the flaw after clicking on an unsubscribe link in one of LifeLock's emails, which took him to a page where he could update his email marketing preferences.

The URL for this preference centre featured a unique subscriber key, a numerical identifier used by LifeLock to internally catalogue customers. By changing this value in the URL, Reese was able to access the preference centre for other LifeLock subscribers - which meant that he could also see their email addresses.

"It would be trivial to write a simple script that pulls down the email address of every LifeLock subscriber," Krebs said. "The design of the company's site suggests that whoever put it together lacked a basic understanding of website authentication and security."

"If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them," said Reese. "That they're a LifeLock customer and that I have those customers' email addresses. That's a pretty sharp spear for my spearphishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime."

Readers may remember LifeLock as the company whose former CEO Todd Davis was so confident in its services that he ran numerous ads featuring his genuine social security number. He had his identity stolen at least 13 times.

LifeLock is now owned by security firm Symantec following a $2.3 billion acquisition in 2016, and as of January 2017, the company had more than 4.5 million subscribers. IT Pro has approached Symantec for comment.

//

Cybercrime is arguably the biggest threat affecting modern businesses. Half of British companies have experienced a cybersecurity incident over the past year, with large (74%) and medium (70%) firms being the most affected.

That’s according to the 2024 Cyber Security Breaches Survey from the UK Government, which also found that phishing attacks, email and online impersonation, and malware are the biggest cybersecurity threats faced by UK firms.

Two-factor authentication (2FA) adds an extra barrier of entry for any third party attempting to access your account.

Requiring users to complete a second round of authentication after entering a password, whether by entering a code sent via text message or email or by using an authenticator app, adds a far more robust protective layer. While it may seem arduous to jump through these hoops, the benefits of having them in place are untold.

What is the difference between 2FA and MFA?

Two-factor authentication (2FA) is a form of multi-factor authentication (MFA) designed to add an additional layer of security to online accounts, services, and apps. It requires users to prove their identity using two forms of authentication, the first of which is a combination of a username and a password.

Passwords are often stolen by hackers and 2FA aims to solve this by forcing anyone attempting to access an online account or service to confirm their identity via a second form of authentication.

Common examples include one-time passwords, push notifications, biometrics, physical security keys, or codes generated by authentication apps. The premise is that only users will know or have access to this information, preventing unauthorized parties from accessing their accounts using breaches or leaked passwords.

Although 2FA falls under the MFA umbrella, it wouldn’t be accurate to use the former to describe the latter. The main difference between the two is that while 2FA only uses two forms of authentication, MFA relies on two or more methods for verifying user identities.

For instance, a user with MFA set up on their account could be asked to first complete a one-time password request after logging in with their username and password, then an additional form of authentication like a fingerprint. Only after passing these stages would they be able to access their account.

How does two-factor authentication work?

Two-factor authentication invariably uses a second, independent device that functions as a buffer between the service and the login attempt.

Some services will supply their own keys, although this has become less common as companies have turned to developing their own smartphone apps or making use of SMS messages. Regardless of whether it's a number-generating key or a confirmation message, the idea is that only the owner of the device will have access to the key and the ability to authorize the login attempt.

The additional security check normally appears after the user has submitted their username and password. Once the system checks that the account exists, it will then ask the user to perform an additional action.

Two-factor authentication has become ubiquitous with most online services that involve sensitive data, whether it’s banking or financial services, e-commerce, or business applications – although many other companies are starting to offer 2FA to stand out from the competition.

How that additional layer appears can vary from service to service. For example, most banks now have their own security tokens for online banking, often in the form of random number generators and usually offered through a smartphone application, although some users may still be using a physical fob. Many online services have now forced users to set up 2FA as a minimum, including Google and Meta though the latter only has this requirement for 'high risk' accounts.

Getting through a second layer of security can be the slowest part of signing into a service but it's an effective way of sifting out those trying to brute force their way into an account.

What are the benefits of 2FA?

The biggest benefit of 2FA is preventing cyber criminals from breaching online accounts using passwords they've stolen or found in leaked databases on the dark web. But there are other reasons why you should use this security feature.

2FA can help tackle password fatigue, the feelings of tiredness associated with having to constantly remember and enter myriad passwords. It means you can choose an easy-to-remember password with the peace of mind that your account will be secured by a second authentication method.

Security leaders have less cause to worry about account breaches if they have a good 2FA policy in place, in the knowledge that cybercriminals have that extra barrier to entry. Adopting features like 2FA is also key to developing a security-first mindset — paramount as the threat landscape worsens.

Remote workers are still difficult for security teams to support, as their devices and corporate access need to be properly configured with 2FA or MFA, but this step is essential for protecting critical corporate accounts while supporting a hybrid work model. This is particularly critical for offices that take a bring your own device (BYOD) approach, as home devices can be more vulnerable to password-stealing malware and therefore need the extra line of defense.

Using 2FA methods like passkeys and authenticator apps provides users with “better and more secure protection”, says ESET global cybersecurity advisor Jake Moore.

“When threats are multi-layered themselves, accounts need the strongest multi-layered protection to stay secure,” he tells ITPro.

But as well as protecting against password breaches, 2FA could also bring about a passwordless future. Moore says this is possible thanks to “superior security options” that offer greater pxrotection against phishing and brute-force attacks than single passwords. He adds: “Passkeys, for example, offer ease of use, security as well as convenience and are already being rolled out smoothly across multiple accounts.”

Is two-factor authentication safe?

Despite the benefits it offers, it's worth noting that multi-factor authentication is not 100% secure. Microsoft has warned businesses against using systems that rely on voice and SMS due to security concerns, warning that these methods use no encryption and are therefore ripe for interception by hackers. With private details to hand, hackers can launch social engineering campaigns

For example, authentication via text message is vulnerable to interception and spoofing by hackers, particularly if they can hijack an account that supports a person's mobile number. Various account recovery processes for lost passwords can also be harnessed by hackers to work around two-factor authentication.

Sophisticated malware that has infected computers and mobile devices can redirect authentication messages and prompts to a device belonging to a hacker, rather than the legitimate account holder, thereby working within but also around two-factor authentication.

The most secure methods of 2FA use dedicated hardware tokens, such as a Google Titan Security Key or YubiKey, which are difficult for hackers to spoof unless they physically steal one. Google's offering, for example, uses cryptography to verify a user's identity and a separate URL to stop would-be attackers from accessing accounts even if they have the username and password.

Methods of 2FA reliant on codes sent via SMS are best avoided if you are running an enterprise with a treasure trove of data. This is because SMS is vulnerable to SIM swap attacks, in which attackers transfer a victim's number to a SIM card in their possession to intercept their messages. If they pull this off on a user they know uses SMS-based 2FA, they could gain access to their account without any alarms going off.

While 2FA may not be quite the security silver bullet it was once expected to be, it's still an important area of security and access control to keep in mind when procuring and setting up services for your business or personal life, because the more hurdles you can put in the hackers' way, the less likely they are to target you.

Twitter users are being warned to update their passwords after the company identified a flaw in its systems that could have allowed staff at the company to view them in plaintext form.

In an email sent to users, the social network explained that it had fixed the bug in question, and that its internal investigation "shows no indication of breach or misuse by anyone". However, in the interests of safety, Twitter is advising users to change their passwords just in case.

Twitter users' passwords are encrypted using the bcrypt hashing function, a widely-used encryption algorithm that is among the most secure options available. However, an error in Twitter's implementation of bcrypt could have potentially exposed users if left unchecked.

"Due to a bug, passwords were written to an internal log before completing the hashing process," the company wrote in an email to users. "We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again."

"We are very sorry this happened. We recognise and appreciate the trust you place in us, and are committed to earning that trust every day."

It's rare for large companies to be so pro-active about notifying customers of a potential security issue - particularly if it appears that no-one was affected. Most major hacks - including infamous incidents affecting Yahoo, TalkTalk and others - only come to light when evidence of the breach is discovered by a third party.

However, Twitter's behaviour is set to become the new norm. Once the new GDPR rules come into force later this month, companies will be bound by law to alert both customers and regulatory authorities in the event of a breach affecting customers' personal data, with stiff penalties for failing to do so.

Shh - what's that? If you listen very, very carefully, you'll hear it; it's the sound of countless security experts smashing their heads against their keyboards in frustration. The cause, as so often before, is the government's laughable attitude to data privacy and cyber security.

Where to begin with this latest shambles? You may recall that First Secretary of State Damian Green was allegedly found to have rude and naughty pictures of the pornographic variety on his government-issued computer, which Green denies.

Nadine Dorries, Conservative MP for Mid Beds, leapt to Green's defence over the weekend, pointing out that if porn was found on Green's computer, it may not have been him who was downloading and/or viewing it on taxpayer time. After all, she said, her staff use her login to access her official computer all the time. Even interns on exchange programmes!

Er, sorry... What?

Yes folks, you read that correctly - Dorries is so free and easy with her access credentials that she even hands them out to visiting exchange students. To make matters worse, several of her fellow MPs admitted they also share their login details with staff, including Nick Boles, Will Quince and Robert Syms.

Of course, Dorries was quick to downplay the seriousness of her actions, stating that all she has on her computer is a shared email account, with no access to government documents. Boles, similarly, said that only the four people he employs to deal with correspondence from constituents have access to the passwords, which are regularly changed.

For the avoidance of doubt, let's be crystal clear: this is a dangerous, insecure and irresponsible practice. Under no circumstances should anyone be sharing one login between multiple staff members. There are numerous ways to ensure staff members can access a shared computer, mailbox or file storage system without having one login that simply gets passed around, and the fact that government MPs are apparently not using any of them is extremely alarming.

Dorries and co claim that sharing their login with staff isn't an issue, but let's take the time to unpick some of the many, many problems with these arguments.

Firstly, there's the issue of lateral movement. Dorries says that the only thing on the computer is a shared email account. Even if that's true, the computer itself is 'Westminster-based', and is likely to be connected to some kind of internal network. This opens up the possibility for lateral movement, using Dorries' machine as a way to gain access to a more important target within the network.

Then there's the issue of data protection. The shared mailbox used by the staff of Dorries and Boles presumably contains at least a partial list of constituents' names and email addresses, along with who knows what additional information shared as part of their correspondence. Behaviour like this puts all of that information at risk.

Last but not least, accountability is the biggest problem with using a shared login - and one that is best illustrated, ironically, by the very issue that prompted Dorries' admission in the first place. She is quite right in stating that if Green's access credentials were shared by his staff, there's no way of proving that it was him that was allegedly looking at porn, but that's a huge problem.

Let's imagine that, instead of perusing some nudes, the First Secretary of State was instead accused of using his computer to leak classified intelligence data to Russian agents. With a single shared login, it's virtually impossible to trace the source of the leak back to the mole. If everyone has their own credentials, it's instantly obvious.

The concept of not sharing your username and password with anyone is a basic, fundamental tenet of cyber security best practice, and the tools to ensure that you shouldn't need to share your credentials have existed for years. Considering that the Tories are supposed to be the party of business, its own staff seem to be trailing laughably far behind the curve when it comes to keeping up with industry security standards - which would be funny if it wasn't so alarming.

The UK is set to lose access to the European Cybercrime Centre, after it was revealed the country will no longer be a member of Europol following its departure from the European Union in 2019.

The European Cybercrime Centre - also known as EC3 - was set up by the cross-border law enforcement group to provide support for EU police forces in tackling cyber crime. EC3 assists national police with intelligence, digital forensics and strategy support, collaborating on cases involving technological elements.

Cyber security experts have expressed dismay at the news. "This is hugely disappointing," McAfee's chief scientist Raj Samani told IT Pro. "Europol have a proven record of success and one would hope a degree of compromise can be reached since the safety of all citizens across the globe is our joint mission."

The government had stated earlier this year that it wished to continue its relationship with Europol following Brexit, but the EU's top negotiator Michel Barnier said that access to Europol would not be possible once the UK leaves the EU, stating that it was a "logical consequence".

Losing access to EC3 will mean that UK police units fighting cyber crime will no longer benefit from intelligence-sharing between EU member states, as well as from the extensive support network offered by Europol's cyber specialists.

"Since before the referendum, the NCA and its partners in policing and wider law enforcement have clearly stated our need to work closely and at speed with European countries to keep people in the UK safe from threats including organised crime, child sexual abuse, cyber attack, and terrorism," a spokesman for the UK's National Crime Agency told IT Pro.

"We are confident that these requirements are being taken into account, and that there is broad consensus on the need to retain our ability to share intelligence, biometrics and other data at speed. It is also vital to ensure we can continue to provide a quick, efficient and dynamic response to crime and criminals impacting the UK and its citizens, be it from serious and organised transnational crime or local level volume crime at the heart of UK communities."

Picture hosting site Imgur has confirmed that 1.7 million user credentials were stolen as part of a hack that took place in 2014.

The attackers made off with email addresses and passwords, but the company stated that no other data was included in the breach, as "Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information".

The company has already begun resetting the passwords of affected users and has released a public disclosure notice detailing the breach and Imgur's response to it.

"We are still investigating how the account information was compromised. We have always encrypted your password in our database," the company stated, "but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time. We updated our algorithm to the new bcrypt algorithm last year."

Imgur, which has around 150 million monthly users, is one of the web's most widely-used picture hosting services, hosting images that are posted to internet message boards and social networks such as Reddit.

Imgur was alerted to the breach by Troy Hunt, the security researcher behind data breach cataloguing website Have I Been Pwned. He praised the company for its swift response to the incident after he told them on Thursday.

"I disclosed this incident to Imgur late in the day in the midst of the US Thanksgiving holidays," Hunt told ZDNet. "That they could pick this up immediately, protect impacted accounts, notify individuals and prepare public statements in less than 24 hours is absolutely exemplary."

Hunt also said that more than half of the email addresses included in the incident had already appeared in Have I Been Pwned's database of previous breaches.

In addition to its users, the company said that it is planning to inform law enforcement agencies in its home state of California. "We take protection of your information very seriously and will be conducting an internal security review of our system and processes," Imgur said. "We apologize that this breach occurred and the inconvenience it has caused you."

Symantec has bought identify theft protection firm LifeLock in a deal worth $2.3 billion (1.85 billion).

The acquisition comes as Symantec looks to bolster its consumer market against falling anti-virus sales. It said this would "enable sustainable consumer segment revenue and profit growth".

Symantec said it expected to finance the transaction with cash on the balance sheet and $750 million of new debt. Symantec's board of directors has also increased the company's share repurchase authorisation from approximately $800 million to $1.3 billion, with up to $500 million in repurchases targeted by the end of Symantec's fiscal year in 2017.

LifeLock offers identity theft protection services for consumers and consumer risk management services for enterprises. It also offers threat detection, identity alerts, and remediation services.

Greg Clark, Symantec CEO, said the deal marks the transformation of the consumer security industry "from malware protection to the broader category of digital safety for consumers."

"As we all know, consumer cybercrime has reached crisis levels. LifeLock is a leading provider of identity and fraud protection services, with over 4.4 million highly-satisfied members and growing. With the combination of Norton and LifeLock, we will be able to deliver comprehensive cyber defense for consumers," he said.

LifeLock CEO Hilary Schneider added that having looked at alternatives, LifeLock's board of direcors concluded the deal with Symantec was "ideal" and offers shareholders "a significant premium for their investment, at closing".

"Together with Symantec we can deploy enhanced technology and analytics to provide our customers with unparalleled information and identity protection services. We are very pleased to have reached an outcome that serves the best interests of all LifeLock stakeholders," she said.

By offering each of the company's respective customer bases a broader digital safety solution, Symantec said it "expects to achieve additional revenue upside through higher ASPs and improved retention rates."

Six people have been arrested after a bogus email scam targeted students.

The Metropolitan Police Central e-Crime Unit (PCeU) said the compromised data had been used to illicitly acquire over 1 million.

The crooks sent out emails to students them asking them to visit a website and update their loan details. The site was bogus and tricked hundreds of students into handing over their bank accounts to the criminal network running the phishing operation.

The criminals were able to steal between 1,000 to 5,000 at a time, the Met said.

"A great deal of personal information was compromised and cleverly exploited for substantial profits," said Detective Inspector Mark Raymond from the PCeU.

"We have today disrupted a suspected organised group of cyber criminals and prevented further loss to individuals and institutions in the UK. Today's arrests demonstrate what can be achieved when a partnership approach is adopted to investigate internet-based crime."

The PCeU said it worked alongside the Students Loan Company, the banking sector and ISPs in tracking the suspects.

Search warrants were executed in London, Manchester and Bolton yesterday, where the suspects are currently being held. They were arrested on suspicion of conspiracy to defraud and Computer Misuse Act.

A number of computers and associated storage media have been apprehended by the police for forensic examination.

The arrests come towards the end of another positive year for the PCeU. Last month, the body shut down 2,000 fraudulent websites that were either flogging knock-off gear or selling nothing at all.

In October, the Met claimed the PCeU had saved the UK economy over 140 million in just six months.

The man who hacked Zynga, stealing the identities of two of the game developer's employees, has been jailed for two years.

Ashley Mitchell stole around 400 billion credits from the US firm and sold them on Facebook the same site the games were played on.

The 29-year-old from Devon used fake Facebook accounts and a front company to sell the credits for less than their face value in order to fund his gambling addiction, Exeter Crown Court heard.

The chips were believed to be worth over 7 million.

James Taghdissian, prosecuting, told Exeter crown court the figure was based on a Zynga estimate of what "they would have lost if all the chips were successfully sold on," the Guardian reported.

"It was clear there had been a systematic approach adopted in probing and accessing Zynga," Taghdissian said.

"He made determined and repeated efforts to attack Zynga's systems."

Judge Philip Wassall said Mitchell had used "a considerable degreee of expertise and persistence" to compromise Zynga's systems.

He said "people rely on the security of systems" and anyone who came before the courts who bypassed security controls for their own profit "can expect custody."

Zynga is the company behind a range of popular titles on Facebook, including FarmVille and Mafia Wars.

The case highlighted two forms of threat businesses faced: targeted attacks and social engineering scams.

The two were combined by hackers in recent attacks exploiting a vulnerability affecting Adobe Flash Player, Reader and Acrobat.

A small number of targeted organisations were sent emails containing a Microsoft Excel document with a corrupted Flash file embedded inside.

Almost two-thirds of people in the world have been hit by cyber crime in some capacity, be it from viruses, credit card fraud or identity theft, a report has shown.

The most serious threat by far is malware, which was responsible for 51 per cent of cyber crimes affecting victims surveyed by Norton.

Just 10 per cent of those hit by cyber crime said they had been duped by an online scam, while phishing hit nine per cent and social network profile hacking seven per cent.

As for resolving cyber crimes, the average time it took to wrap cases up was 28 days, although the UK performed better with 25 days.

It also cost less in the UK to resolve these crimes, the national average being $153.13 (99.40), compared to the global figure of $334.

"We all pay for cyber crime, either directly or through pass-along costs from our financial institutions," said Adam Palmer, Norton's lead cyber security advisor.

"Cyber criminals purposely steal small amounts to remain undetected, but all of these add up. If you fail to report a loss, you may actually be helping the criminal stay under the radar."

Almost a third of victims globally said they never resolved a cyber crime.

Getting emotional

Symantec claimed the Norton study was the first to ever explore the emotional impact of cyber crime.

The strongest reaction to being hit by such a crime was "anger" with 51 per cent admitting to getting irate when attacked. Next was "annoyed" on 51 per cent, followed by "cheated" on 40 per cent.

Despite this, just half of the 7,000 adults polled said they would change their behaviour if they became a victim.

"We accept cyber crime because of a learned helplessness'," said Joseph LaBrie, associate professor of psychology at Loyola Marymount University.

"It's like getting ripped off at a garage - if you don't know enough about cars, you don't argue with the mechanic. People just accept a situation, even if it feels bad."

Symantec has completed its acquisition of VeriSign's security arm a deal that was announced in May this year.

A range of VeriSign products will be handed over to Symantec, including the VeriSign Identity Protection (VIP) Authentication Service and the VIP Fraud Detection Service.

VeriSign's identity and authentication business will become part of Symantec's Enterprise Security Group and the companies' security solutions will be brought together to offer a broader protection offering to businesses.

"The combination of Symantec's leading security solutions with VeriSign's security products, services and recognition as the most trusted brand online, uniquely positions Symantec to drive the adoption of identity security and restore trust online unlike any other company," said Enrique Salem, president and chief executive (CEO) of Symantec.

Symantec has started creating a new corporate logo incorporating the VeriSign check mark a symbol that gets more than 250 million impressions every day.

Roll out of these logos will be initiated towards the end of 2010.

The deal announced earlier this year was signed for $1.28 billion (0.81 billion) and also includes a majority stake in VeriSign Japan.

A contractor who worked in the IT department of the Bank of New York has admitted to stealing more than $1.1 million from charities and nonprofits, among other organisations.

Adeniyi Adeyemi stole personal information from 2,000 bank employees and then used the information to carry out the thefts over eight years.

Adeyemi took the personal data to open more than 30 bank and brokerage accounts with a number of financial institutions, including E*Trade and Fidelity.

The 27-year-old former IT worker used the charities' banking details to set up wire transfers on the E*Trade and Fidelity sites to transfer money from the charities' account to his dummy accounts. He then withdrew the funds or moved them over to a second layer of dummy accounts.

Many charities opt to place their bank details available online to make donations simpler for online users. Of course, this leaves them more open to attacks such as this.

Adeyemi also used the personal data he stole to take money from the bank employees, again by moving money over to the dummy accounts. To avoid detection, he ensured that no transfer would be more than $10,000 the point at which all financial institutions are required to report transactions to the US Treasury.

However, the New York/New Jersey Electronic Crimes Task Force of the United States Secret Service became aware of some suspicious activity and traced it back to wireless internet connections in Adeyemi's apartment building.

Some of the organisations affected by the scam include Goodwill Industries of Greater New York and New Jersey, the Sudanese American Community Development Organisation and the American Association for Clinical Chemistry.

"This defendant invaded the privacy of thousands of employees by stealing their personal and private information," said Manhattan District Attorney Cyrus R Vance, Jr.

"He victimised his colleagues, charities, and nonprofits. Particularly because identity theft is such a serious problem in our city and nation, I thank the members of our Cybercrime and Identity Theft Bureau for their work on these difficult cases," he added in a statement.

Adeyemi is due to receive his sentencing on 21 July.

The Metropolitan Police has arrested two London teenagers suspected of being behind an 8,000-strong online cyber crime forum.

The Police Central e-Crime Unit (PCeU) made the arrests after an eight-month investigation into what it calls the "largest international English speaking online cyber criminal forum".

Police also recovered more than 65,000 compromised credit card numbers that could have led to the theft of an estimated 7.8 million.

The pair, aged 17 and 18, were brought in for questioning yesterday on suspicion of encouraging or assisting crime, conspiracy to commit fraud and contravening the Computer Misuse Act.

According to the e-Crime Unit, the forum was used by its 8,000 members to buy and sell credit card details, bank account numbers, PINs and passwords, as well as to run "crime tutorials" and promote the development of malicious software.

Based on an average potential loss per card of around 120, the PCeU estimates the total losses from the credit card numbers it recovered could be as high as 7.8 million.

Malware available over the forum included the password-stealing Zeus Trojan, while compromised data harvested by others using The trojan was also on sale.

"Today's arrests are an example of our increasing effort to combat online criminality and reduce national harm to the UK economy and public," detective chief inspector Terry Wilson said.

The two teenagers have been released on bail pending further investigation.

As many as one in five Android apps exposes users' private data to third parties, a new report claims.

With Android-based devices continuing to grow in number and popularity, the Android Market is flourishing, with almost 50,000 apps available to download.

But in its analysis of the security issues the operating system faces as it continues to grow, mobile security firm S Mobile Systems unearthed some disturbing facts.

Of the 48,000 apps it examined, some 20 per cent requested permission to access information that could be used maliciously by attackers.

A further five per cent granted unauthorised individuals permission to make a call, while three per cent could allow text messages to be sent without the user's knowledge.

And S Mobile revealed that a total of 29 Android apps were found to ask for the same kind of permissions seen in spyware applications.

"Just because it's coming from a known location like the Android market or the Apple App store (with the iPhone), it doesn't mean you can assume that the app isn't malicious or that there is a proper vetting process," S Mobile chief technology officer Dan Hoffman said.

The S Mobile report isn't the first time the Android Market's app-screening methods have been called into question. In January, an online banking app was found to instead be a link to a phishing site where users were asked to update their information.

All told, S Mobile says that in its tests, 20,000 apps nearly half of the entire Android Market requested user permissions that the firm would consider "suspicious". However, because developers generally use aliases and aren't linked to a specific company, getting a true sense of whether an app can be trusted is no easy task.

"The Android operating system and the Android Market are quickly becoming the most widely used mobile platform and app store in the world," said S Mobile's chief executive Neil Book.

"There are individuals and organisations out there right now, developing malicious code designed to capture your most personal information and use it to their advantage."

Nearly one in four Britons are held back from shopping online over Christmas due to security fears, according to a YouGov survey.

Almost a quarter (22 per cent) of UK shoppers are holding back from online shopping due to fears over online identity theft and fraud, while 14 per cent do not trust e-commerce sites, according to the study.

The research, commissioned by Verisign, also said that UK consumers were only willing to spend a third of their shopping budget online, or 32 pence in every pound.

One of the issues for a third of consumers was the fact that you couldn't try goods before you bought them.

Fears about postal strikes also meant that 27 per cent feared that goods bought online would not arrive in time for Christmas.

Andrew McClelland, director at IMRG, said in a statement: "The research shows that fears over online safety are still holding consumers back this Christmas."

He added: "More and more people are browsing online but not necessarily spending a lot. If people don't trust the site they are browsing, they simply won't buy from it."

"If there is even a slightest hesitation the total amount spend will be dramatically reduced."

Although UK shoppers still have fears, some 86 per cent of them will be shopping online this Christmas, which is a six per cent increase from last year.

IT PRO offers guidance from security experts about how you can keep safe shopping online this Christmas.

The Guardian's jobs website has been hacked, with half a million user accounts affected.

In a statement on its website, the Guardian said the site was now secure, and that the incident had been reported to the Police's central e-crime unit.

The half-million affected users were contacted over the weekend. The newspaper company said that no bank or financial details were lost, and that many of the accounts were two years out of date. The American side of the site was not attacked.

"This is apparently a deliberate and sophisticated crime, of which the Guardian is a victim in addition to some of our users," the statement said.

"It is clear that only a minority of Guardian Jobs users are at risk," the site said.

"The police remain anxious to keep information about the apparent theft to a minimum, in order not to compromise their investigations, but did agree with us that we could inform those users who may be affected," it added. "We stress our regret that this breach has occurred."

Security firm Finjan said data that can be used to assemble "identity theft kits" is seen as valuable to online criminals.

"Although top web sites have been - and continue to be - targeted by cybercriminals, those sites that store identity information will continue to a primary target, especially now that criminal hackers are being affected by the economic situation we all find ourselves in," said Yuval Ben Itzhak, chief technology officer, in a statement.

Click here to find out about the worst hacking attacks - and the punishments the hackers faced.

With more than 55,000 mobile phones lost in black cabs every year, Londoners are four times more likely to be victims of identity theft than anyone else in the UK, according to the British Computer Society (BCS).

A survey of 300 cab drivers revealed that London is the UK's "black spot" for information loss, and that young, single professionals are the most vulnerable demographic.

To help combat the issue, the BCS has launched a taxi cab advertising campaign urging Londoners to be aware of the risks associated with data loss and advising them on how to take measures against it.

"Poor information management hurts people and corporations," said the BCS' chief executive David Clarke, in a statement.

"Londoners must realise that losing their phones, laptops, handbags or briefcases is like giving a thief the keys to your home. It's time to take more care of your personal data," he added.

Londoners left an additional 6,193 devices, including laptops, in black cabs this year.

"It is important that people protect their own information," said deputy information commissioner David Smith, in a statement. "This initiative will help make sure that personal information does not end up in the wrong hands."

Identity theft hotbeds in London include Kensington, Victoria, Clapham Junction and Hammersmith.

One of the TJX hackers has pleaded guilty to all charges in a 19-count indictment accusing him of masterminding one of the largest identity thefts in history.

Miami resident Albert Gonzalez, known by the screen name "segvec," was the third suspect to admit a role in stealing 40 million credit and debit card numbers from several US retailers.

The 28-year-old hacker faces 25 years in prison and will surrender over $2.7 million cash and other ill-gotten gains - among them a BMW and a condominium in Miami. Additional charges are still pending in New Jersey.

Gonzalez and 10 other individuals were arrested in Miami in 2008 on charges relating to thefts at TJX, Dave & Busters, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. Another hacker in the gang was sentenced to 30 years in prison in Turkey.

The cyber gang reached from the US to the Ukraine and Southeast Asia, where the stolen credit and debit card numbers were used to withdraw cash from ATMs and to make purchases. It is not clear whether Gonzalez was at the centre of a worldwide criminal network or acting on behalf of more powerful gangs based in Russia and Eastern Europe.

Gonzalez's actions have cost victims millions of dollars in losses. TJX has estimated the data breach has cost the company nearly $200 million.

Gonzalez will remain in a federal facility in Rhode Island until sentencing on 8 December.

Click here for more on the prison sentences hackers face.

The number of computers infected by malware designed to steal confidential information has risen by 600 per cent compared to the first six months of 2008, according to research.

Security researcher PandaLabs said that it received 37,000 samples of malware such as viruses, worms and Trojans.

Of that number, some 71 per cent were Trojans that were generally aimed at stealing bank and card details, as well as passwords for online services.

"Maybe one of the reasons for this increase is the economic crisis along with the big business of selling this information on the black market," said technical director Luis Corrons in a statement.

"We have also seen an increase of the distribution and infection of this kind of malware through social networks."

PandaLabs said that malware was changing the ways in which in tried to steal info.

Whereas before attacks almost exclusively targeted users with spoof bank websites, now they may users to other types of fake site where bank details might have to be entered, according to the researchers.

Targets included pay platforms such as PayPal and online auctions such as eBay in addition to online stores such as Amazon.

And it isn't just email. There are other means by which users can be lead to fake ant-virus websites, including social networks like Twitter, SMS messages to mobile phones, and spyware.

PandaLabs estimated that three per cent of all users had fallen victim to these techniques, and that they were much more difficult to detect them than in the past as they were designed to be hidden.

British customers who visited Radisson hotels in the US between last November and this May have been warned that their credit or debit card numbers may have been at risk.

Radisson Hotels and Resorts informed guests that computer systems in the US and Canada were accessed illegally, and that law enforcement agencies were investigating.

Fredrik Korallus, chief operating officer for Radisson, said in a statement: "The data accessed may have included guest information such as the name printed on a guest's credit card or debit card, a credit or debit card number, and/ or a card expiration date."

He hastened to add that the number of potentially affected hotels involved in this incident was "limited".

Korallus recommended that past guests reviewed account statements and credit reports closely.

He advised that if they did see any unauthorised activity, they should report it to the bank that issued the card as well as the police.

He said: "Radisson values guest privacy and deeply regrets this incident occurred, Working with law enforcement and forensic investigators, Radisson is conducting a thorough review of the affected computer systems."

Korallus said that it had also implemented additional security measures so the attack would not happen again, and was working with major credit card suppliers to make sure the incident was addressed properly.

This week three were accused of carrying out the 'largest identity hack ever', while a security executive detailed how British retailers could learn lessons from the incident.

A senior security executive has said that British retailers can learn lessons from the biggest identity hack case ever' - where 130 million credit and debit card numbers were stolen.

Chris Young, vice president for products at RSA, told IT PRO that retailers should not simply plug holes that they've seen in previous attacks, but rather get in front of the problems by identifying risk and putting policies in place.

"It's dangerous to chase incidents, if you are a retailer or anything else," he said. "What retailers need to do is learn from the incidents that have happened, but it's really about taking a step back and figuring out where do you have you greatest sources of risk.

One technology that companies were already using to protect data was enterprise-wide key management', where the right information was encrypted and the keys to it managed centrally.

He said that in many cases he was seeing retailers going a step further, such as with data-masking', where sensitive information was replaced with realistic false information.

Technology like this is used more in the UK and US, which Young said was due to the "size of the economies" that made retailers located there bigger targets. Also, the use of credit was much more pervasive there than around the world.

Research has revealed that 83 per cent of the UK population still use either their date of birth, pet name, street name or maiden name as a password.

More worrying still, the survey by people search website Yasni said that we're using these unsecure details for most of our private email or bank accounts.

Not surprisingly, only 37 per cent of users are aware of the dangers of disclosing this information online, such as on social networking sites like Facebook.

"With social networking sites and forums, in particular, people trust their friends and are at ease with the intended recipient of the message; therefore forgetting this very private information has been made public," said Yasni's chief executive Steffen Ruehl in a statement.

Michael Callahan, vice president of data protection security vendor Credant Technologies, suggested that this human habit of using simple and easy to remember passwords strengthened the case for encryption.

"The fact that so many people are using data that can be easily extracted from public records or even the internet is extremely worrying, as, if that approach is tranposed to a business environment, it makes company security very weak indeed," he said in a statement.

He claimed that this made the case for encryption more necessary on data in the workplace as well as laptops used outside of the office environment.

Callahan added that workers often developed close ties, and could easily be sharing password sensitive information to each other as well as the outside world.

"If the data from the survey is extrapolated to the workplace, then it's a fair bet that your work colleagues are using similar low levels of password security on their office systems," he said. "If ever there was a case for encryption of company data, this is it."

US-based payments processor Heartland Payment Systems was the victim of a massive security breach, which could have exposed customer information associated with the 100 million transactions it handles each month.

Heartland found evidence of the intrusion last week, and notified law enforcement officials as well as the card brands involved. It said that the incident could have been the result of a widespread global fraud operation.

The only data compromised was names, card numbers and expiration dates as well as the information on the card's magnetic strip which could be used to duplicate cards.

Heartland was alerted by Visa and MasterCard of suspicious activity surrounding processed card transactions. An investigation uncovered malicious software compromising data across Heartland's network.

Avivah Litan, analyst at Gartner, told the Wall Street Journal that this was the largest card-data breach ever, even beating the TJX credit card data theft last year.

Richard Wang, of SophosLabs US, said that it appeared the information stolen was enough to create fake cards.

He said on his company's blog: "Although addresses were not compromised by this breach, making card not present' fraud more difficult, this provides one more piece in the puzzle for anyone trying to assemble stolen identities."

"A name and card number from one breach could be used along with name and address from another source to build a more complete identity."

For anyone affected by the breach, more information is available on a specially-created website run by Heartland.

Destroying your hard drive with a hammer was the best way to avoid your data falling into the wrong hands when throwing away your computer, a study has advised.

Which? Computing issued the advice after it learned that identity thieves were looking through council tips and internet auction sites like eBay to find discarded PCs and laptops.

The magazine claimed thieves would use specialised software to recover the data deleted by the original owner, letting the thieves commit acts like credit card fraud.

Which? Computing editor Sarah Kidner said: "It sounds extreme, but the only way to be 100 per cent safe is to smash your hard drive into smithereens."

However, some experts and vendors have suggested that smashing hard drives to destroy data was expensive, environmentally damaging and completely unnecessary.

Data backup and software recovery vendor Acronis said that the study completely ignored the fact that there were "ultra-effective" disk cleansing solutions available, which had been used by government agencies and big corporate companies.

"In the current economic climate, individuals and businesses across the UK are choosing to re-use, re-cycle or donate older laptops. Wiping hard drives securely is a simple process and costs just a few pounds," it said in a statement.

"Laptops or PCs can now be safely passed onto a new colleague, sold to a third party, or donated to a charity such as Computers for Africa."

Graham Cluley, security expert at Sophos, agreed that smashing your hard drive wasn't necessary. He claimed that it was very easy to think that you had destroyed a hard drive when in fact you hadn't, as it was possible to extract data from severely damaged hard drives.

He said: "You are probably going to do more damage to yourself taking a sledgehammer to a hard drive than the chances perhaps, of your data being stolen, with bits lying here there and everywhere."

Researchers recovered over 10,700 stolen online bank account credentials and 149,000 stolen emails during a seven-month study on the underground economy'.

The study by the University of Mannheim also finished with researchers harvesting 33GB of keylogger data, resulting in information about stolen credentials from more than 173,000 compromised machines.

Researchers managed to collect this data from dropzones', a public writable directory on a server residing on the web acting as an exchange point for keylogger data.

Malware running on compromised machines would send all credentials to the dropzone, where an attacker could pick them up and use them.

Researchers Thorsten Holz, Markus Engelberth and Felix Freiling said that the data was worth potentially millions of dollars on the underground market, and that cybercrime was profitable enough to earn attackers hundreds of pounds per day.

They said in the report: "The result of this study is that internet-based crime is now largely profit driven and that the nature of this activity has expanded and evolved. Digital and classical crime are merging."

The two keyloggers the researchers analysed were Limbo and Zeus with the researchers observing some 164,000 infections stemming from the former.

Stolen data included that from banking websites and credit cards, as well as social networks, email passwords and online trading platforms. Statistics showed that 12 per cent of the data was traced back to the UK.

However, the analysis method used in the report was not restricted to keylogger-based attacks.

The researchers said: "It can be applied to all attacks in which an attacker steals authentication credentials of a victim after some form of contact. We call these types of attacks impersonation attacks.

"This class covers a range of real-world attacks including many different forms of phishing, certain forms of sending spam, or online fraud based on identity theft."

The study is available here.

Facebook profiles are being sold on the "online black market" for 89p, according to Trend Micro research.

Other deals online thieves are making include 35 for stolen bank details, 25 for stolen credit card details, and a pop-up Trojan used unseen on a computer to steal information for 60.

Spamming was still popular and incredibly cheap, with 30,000 UK based email addresses for 5, and one million international email addresses for 4.

Trend Micro noted that cyber attacks increased by 500 per cent in the shopping period between September and December in 2007, and expected that figure to rise by even more this year, as the barriers to becoming an online thief lower and the economic climate takes its toll.

Rik Ferguson of Trend Micro said that users were giving a huge amount of information away on social networks, with criminals drawn to these sites as they had email addresses, names and birthdays readily available.

He said: "Whether you're going online to use Facebook, doing your banking or Christmas shopping you should be aware that hacking activity and identity theft tend to increase during certain times of the year.

"As we approach Christmas we urge users to apply a certain sense of caution when it comes to the sites they visit and giving away personal information."

His tips for users to stay safe were to look for the padlock on browsers, vary passwords, use social networking sites carefully, clean your machine regularly and to use protective software.

An innovative software application that helps hospitals plan and provide care for cancer patients needing chemotherapy headed an impressive list of award winners at the 2008 BCS IT Industry Awards.

The awards ceremony, which took place last night at the Grosvenor House Hotel on London's Park Lane, saw 23 awards handed out in three categories: Individual Excellence, Organisational Excellence and Project Excellence.

"The BCS IT Industry awards are regarded as the hallmark of excellence, best practice and professionalism in the industry," said David Clarke, chief executive of the BCS.

Concentra claimed two awards for its pioneering C-Port software application. Produced for the NHS, C-Port applies advanced modelling and simulation techniques to tackle the problem of chemotherapy capacity planning, which has never been done before.

The application can forecast how each individual patient will experience care, how long they wait, who they see, and when. It creates in simulated form real life events that influence treatment such as equipment breakdowns, phone calls, meetings and absenteeism.

The judging panel - which included IT PRO Editor Chris Green - praised C-Port for its innovation, its contribution to the healthcare industry and for the benefit it delivered for patients and their families by improving the efficiency of care.

Other high-profile winners included Garlik for its DataPatrol identity theft prevention technology and CSC's Emergency Care Solution for NHS Ambulance Services, which enables paramedics, using a rugged touch screen tablet, to access a summary of the patient's notes to help them determine the best course of treatment and avoid unnecessary hospital admission.

Full details of the winning projects, companies and individuals can be found here.

Project Excellence Awards winners

Environment Project

SPIRE by Fivium

Web-based Technology

DataPatrol by Garlik

Business-to-Business Project

C-PORT by Concentra

Mobile Technology Project

Emergency Care Solution for NHS Ambulance Services by CSC

Research & Development Project

The Simul Weather SDK by Simul Software

Information Security & Data Management Project

Policy Based Encryption Service by MessageLabs

Social Contribution Project

C-PORT by Concentra

Flagship for Innovation

DataPatrol by Garlik

Organisational Excellence Awards winners

Public Sector

Fife Council

Commercial & Financial Sector

Norwich & Peterborough Building Society

IT Consultancy of the Year

Xantus Consulting

Green Organisation

gm2 Logistics

Large Technology Supplier

Neural Technologies

SME Supplier

Portal Technology Systems Limited

GCS Women

Goldman Sachs International

Individual Excellence Awards winners

IT Trainer of the Year

David Brown from U Can Do IT

Business Analyst of the Year

Leigh Taylor from Skandia

Service Manager of the Year

Claire Adams from NHS Connecting for Health

Systems Developer of the Year

Simon Adams from Parallel

Consultant of the Year

Nandakumar Balasubramaniyan from Portal Technology Systems

Project Manager of the Year

Tina Sands from National Grid

Young IT Practitioner

Sarah Christie from Procter & Gamble

IT Leader of the Year

Richard Earland from National Policing Improvement Agency

With a little effort, a bit of technical know-how and dubious morality, it's a cinch to become a successful online fraudster.

Here is a step-by-step guide to how people set themselves on the career path to be a wanted criminal - the secrets of the identity thieves.

One - Choose your career path

There are two different career paths that you can take as you begin your life as an identity thief.

The harvesting fraudster

These are the guys who steal credentials usernames and passwords from online banking, credit cards and other types of ID theft. They use technical infrastructure such as phishing keys, trojans and other types of malware which are hosted over the internet and sent to the consumer.

The cash-out fraudster

These are the fraudsters who cash-out' or make money from the credentials. For example, if one of these fraudsters was given credit card details on a disk, or online banking passwords, they would be able to empty the accounts.

Whereas the harvesting fraudsters are all about the malware technology, the cash-out fraudsters will have an operation - for example, having physical drops' where money can be dumped. They will also be able to monetise selling goods on the black market for cold hard cash.

With online banking fraud, the cash-out fraudsters will have accounts which they will be able to launder money into. With this, they will usually recruit collaborators with bank accounts, take the funds and send it to the supply chain.

How to decide

The cash-out fraudster will never have contact with the consumer they are after the credit card details or bank accounts. It depends on you point of view: do you want to deal with the technical side harvesting, phishing etc or do you want to recruit mules and end up cashing the account?

Being a cash-out fraudster is more risky. You'll be doing the actual fraud by emptying accounts and transferring money to your mules but the reward is greater.

Two - What to defraud

The world is your oyster. It's not just financial institutions that you can defraud, but internet services, social networks, online games, and virtual worlds.

Social engineering is one of your best tools, so understand how it works. It's easy to get people out there to perform actions or divulge confidential information with some simple trickery with malware, such as phishing attacks or trojans.

Take advantage of an employee. Often this is the easiest way to get hold of information which could be left open due to negligence or even rogue ones who are willing to sell information. Poorly protected back-end servers? You can probably find many other ways to find data.

Three - Malware and trojans

Trojan technology

This is for the harvester fraudsters out there those who want to get their hands dirty with the tech and steal personal information direct from the consumer.

Trojans are invisible, and you can get these on anybody's computer without them being aware of it. They'll collect information everything that you do online, and deliver it to the trojan operator.

One of the more common ways to get a trojan on a computer at present is a blend of phishing and trojan attack. Users will often receive an email which takes you to a fake website which is playing a video which freezes.

It will then ask you to run an application which will enable you to run the video. Once you click on the application hey presto! You've got a trojan on somebody's machine. In some cases you won't have to get the user to click on the application prompt they'll be automatically infected.

Crimeware

Cash-out fraudsters will be interested in buying a ready-made trojan because instead of fiddling around with the technology, all you need is to purchase one, leave it running, and collect data at your leisure.

The price of malware and trojans is dropping. A good example is Zeus, a dangerous and effective trojan which has the ability to do many nasty things and is available for about $700 to $1000.

There are infection kits, building your own botnet kits, as well as beginner' trojans which you can practice with for less money.

If you are going to go for the technical route then you will have to deal with several factors you'll need to find hosting servers, install the botnet on machines, install SQL databases, encryption packages as well as other components.

You'll also have to deal with anti-virus companies sending out signatures against your trojans which means additional builds and upgrades. You'll need to make new patches as well. You'll also need knowledge of how to do the actual infection of all the computers.

This is probably the best way to go if you're just starting out, because rather than dealing with kits and installation you can get it done as a service, with somebody else sending out the trojan for you.

Buy a package which contains the latest version of the trojan, already installed in bulletproof hosting, it will be live for years. It will be updated with all the latest anti anti-virus patches as well as have a command control centre.

Subscribe, and it will also be hooked into an infection service where you sit back and relax while you watch computers being infected and credentials being collected. Within a few minutes after being supplied with a username and password, you'll be able to carry out your attack.

It's Fraud as a Service' at its best. In fact it's now it's possible to cut out the harvesting fraudster and do it all yourself. Prices all available on the internet...

Four - Communicating and making your reputation

Once you've decided on your career path and understood the technology, the next step is to build your reputation in the underground community as a fraudster with a nickname.

This is necessary because you'll need to make people trust you and believe that you will be able to do a good job in harvesting or cashing out, rather than messing up or god forbid be law enforcement in disguise.

There are different types of communication channels which you can use, such as an IRC channel. Usually these places will be like marketplaces where you will be able to see what your fellow fraudsters are doing, as well as communicate with them.

Here you are free to haggle as well as wheel and deal, and whether you are a cash-out or harvesting fraudster, you're sure here to make arrangements to suit you exactly.

It's even possible to talk with your fellow fraudsters about the banks which are easier to commit fraud against and ask for pointers about how to perform successful illegal money transfers.

Fraud discussion forums are different in that they are less of a free for all and a place to advertise what you can offer. You can communicate and let others know what you are interested in such as services, partners, what you are selling, and what kind of tools you are looking for.

If you are a harvesting fraudster and working with tools such as trojans and malware, fraud forums will have reviews on different products, so you can be up to date with the latest technology, features and what you can buy on the black market.

To make your reputation you could get other fraudsters to test your wares, rate you and rank you, just like eBay's e-commerce system. If you get good remarks, you'll be able to get a better reputation which will allow you to make better deals. It's even possible to get other fraudsters to vouch for you.

This is important if you don't build your reputation, others won't do business with you...