- Email: [email protected]
UK fraud increases again as Action Fraud comes under fire
computer
FRAUD & SECURITY ISSN 1361-3723 November 2019
Featured in this issue: Password meters: inaccurate advice offered inconsistently?
A
lthough we are continually offered the promise of passwords being eradicated they continue to be used extensively. But they remain a significant point of weakness.
Many sites and services offer meters as a guide to the strength of user-chosen passwords. But these are often of dubious
quality and have come in for severe criticism. Steven Furnell of the University of Plymouth builds on previous work to see if password meters have improved in recent years, whether it makes sense to rely on them and what organisations can do to improve them. Full story on page 6…
The guide to ransomware: how businesses can manage the evolving threat
C
yber criminals are taking a more targeted approach and this has been seen recently in a number of ransomware attacks.
The latter part of 2018 saw ransomware figures hit an all-time high, along with the size of the ransoms demanded. The use of ransomware is evolving, with increasingly malicious threats being
spread through a growing range of vectors. As a result, businesses are beginning to place greater emphasis on implementing measures that help detect and prevent cyber security threats. Thorsten Kurpjuhn of Zyxel looks at the steps organisations can take to protect themselves. Full story on page 14…
Gateway to securing the cloud
F
or some years now, security professionals have been bemoaning the erosion – even disappearance – of the traditional network perimeter.
First mobile computing, then the cloud rendered many of their traditional and well-honed tools, such as firewalls, less
effective. Other solutions came along to take their place, but as Simon Eappariello and Craig Talbot of cloud security firm iboss explain in this interview, today’s IT and communications infrastructure is complex and requires a different mindset when it comes to security. Full story on page 16…
UK fraud increases again as Action Fraud comes under fire
T
he UK’s Office of National Statistics (ONS) has issued the latest annual figures for crime in England and Wales and, once again, the figures for fraud – most of which is technology-enabled – are up.
The figures come from the Crime Survey for England and Wales (CSEW), which is a large poll of the population, police-recorded crime and fraud offences collated by the National Fraud Continued on page 3...
www.computerfraudandsecurity.com
Contents NEWS
UK fraud increases again as Action Fraud comes under fire
1
UK Government funds security developments
3
Visit us @
www.biometrics-today.com
FEATURES
Password meters: inaccurate advice offered inconsistently?
6
Although we are continually offered the promise of passwords being eradicated, they continue to be used extensively on the majority of devices, sites and services. But they remain a significant point of weakness. Manywww.membrane-technology.com sites and services offer meters as a guide to the strength of user-chosen passwords. But these are often of dubious quality and have come in for severe criticism. Steven Furnell of the University of Plymouth builds on previous work to see if password meters have improved in recent years.
Visit us @
Visit us @
The guide to ransomware: how businesses can manage the evolving threat 14
Cyber criminals are taking a more targeted approach and this has been seen recently in a number of ransomware attacks. The latter part of 2018 saw ransomware figures hit an all-time high, along with the size of the ransoms demanded. The use of ransomware is evolving, with increasingly malicious threats being spread through a growing range of vectors. Organisations of all sizes can fall victim to ransomware attacks, with many business owners thinking their companies are too small to be targeted by hackers although smaller firms are, in fact, the most vulnerable. As a result, businesses are beginning to place greater emphasis on implementing measures that help detect and prevent cyber security threats. Thorsten Kurpjuhn of Zyxel looks at the steps organisations can take to protect themselves.
Visit us @
Visit us @
Gateway to securing the cloud
16
For some years now, security professionals have been www.networksecuritynewsletter.com bemoaning the erosion – even disappearance – of the traditional network perimeter. First mobile computing, then the cloud rendered many of their traditional and well-honed tools, such as firewalls, less effective and, in some conditions, irrelevant. Other solutions came along to take their place, but as Simon Eappariello and Craig Talbot of cloud security firm iboss explain in this interview, today’s IT and communications infrastructurewww.sealingtechnology.info is complex and requires a different mindset when it comes to security.
Visit us @
REGULARS
Editorial 2 Report analysis
4
News in brief
5
Visit us @
The Sandbox www.filtrationindustryanalyst.com 20 Calendar 20
Visit us @ www.computerfraudandsecurity.com
ISSN 1361-3723/19 © 2019 Elsevier Ltd. All rights reserved This publication and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use: Photocopying Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.
Visit us @
www.pumpindustryanalyst.com
NEWS ...Contined from front page Intelligence Bureau (NFIB) based on statistics from reporting bodies Action Fraud, Cifas and UK Finance. Of these sources, the CSEW is regarded as the most reliable. The CSEW estimates 3,863,000 fraud offences were committed in the year ending June 2019, a 15% increase over the previous year. The ‘bank and credit account fraud’ sub-category accounted for the majority of the cases, rising by 17% to 2.7 million offences. The rise in incidents is roughly equivalent to the 16% increase in the number of fraud offences reported to the NFIB, with 740,845 offences. The report notes: “The number of incidents estimated by the CSEW is substantially higher than the number of incidents referred to the NFIB. This is because the survey captures a large volume of lower-harm cases that are less likely to have been reported to the authorities. The CSEW estimated 3.9 million incidents of fraud for the year ending June 2019 compared with 0.7 million incidents referred to the NFIB.” It adds: “Incidents of fraud referred to the NFIB by Action Fraud, Cifas and UK Finance will include reports from businesses and other organisations, which are not generally included in the CSEW. They also tend to mostly be focused on the more serious cases.” However, that’s not necessarily the full story. Action Fraud – which is operated by US outsourcing company Concentrix – has recently been under fire. It is the primary point of contact for members of the public who believe they have been victims of fraud. However, an undercover report by The Times newspaper alleged severe shortcomings in the way Action Fraud handles incidents. The story alleged that phone lines were staffed by people – sometimes schoolleavers – with woefully inadequate training and that victims were deliberately misled about the likelihood of their cases being reported to the police, let alone any subsequent investigation taking place. No distinction was made between ‘informational reports’ and ‘crime reports’, with only the latter being referred on for police action – if
November 2019
any were taken. The threshold to qualify as a crime report is high, requiring that a victim’s bank details were stolen and any money lost was not reimbursed. The figures suggest that as few as 2% of incidents reported to Action Fraud are actually passed on to the police. The Times report is here: http://bit.ly/32H93eu. The City of London Police, which is responsible for Action Fraud, said it is investigating. There was more criticism from Her Majesty’s Inspectorate of Constabulary and Fire and Rescue Services (HMICFRS). Its report, ‘Cyber: Keep the light on – An inspection of the police response to cyberdependent crime’, found that around 9,000 reports sent by Action Fraud to the NFIB were treated as containing malware and subsequently quarantined. “In these quarantined cases, victims haven’t received confirmation that their report has been received,” says the report. “Nor have they been reviewed for viable lines of enquiry or forwarded to forces for either victim care or investigation.” It goes on to highlight a lack of public awareness about the existence of Action Fraud and confusion over its processes. Around 40% of calls into the Action Fraud hotline are abandoned because of excessive waiting times. The report is here: http://bit.ly/2MSpa3h. Overall, the ONS report says that ‘computer misuse’ crimes in the year ending June 2019 fell by 13% compared to the previous year, with 977,000 incidents. So-called ‘computer virus’ crimes dropped 27%, to 442,000 – figures that may surprise many information security professionals. The ONS report is here: http://bit. ly/2qwvJQe.
UK Government funds security developments
T
he UK Government is investing £54m in partnerships and programmes to enhance cyber security for businesses and individuals.
As the next phase of its Digital Security By Design initiative, which also has the backing of Microsoft and Google, the Government is providing chipmaker Arm with £36m to develop new processors that are more resilient to
cyber attacks. Arm-designed chips are the most numerous and ubiquitous of all processors, powering smartphones, tablets, laptops, servers, embedded systems and Internet of Things (IoT) devices. “Achieving truly robust security for a world of a trillion connected devices requires a radical shift in how technology companies approach cyberthreats. Research into new ways of building inherently more cyber-resilient chip platforms is critical,” explained Arm chief architect, Richard Grisenthwaite. “Our first step is to create prototype hardware, the Morello Board, as a real-world test platform for prototype architecture developed by Arm that uses the University of Cambridge’s CHERI protection model. It will enable industry and academic partners to assess the security benefits of foundational new technologies we’re making significant investments in.” The aim is to make it harder for attackers to take remote control of systems. The Government also believes the initiative will create additional business opportunities in the UK, by building more secure infrastructure. However, any benefits from new technologies developed by Arm, which is headquartered in the UK but owned by the Softbank Group in Japan, are likely to be felt worldwide. The Government is also putting an additional £18m into the Strategic Priorities Fund (SPF), an initiative that aims to combat online dangers such as fraud, phishing and malware. These goals were outlined in the recent Online Harms white paper that stated the Government’s ambition is to, “make the UK the safest place in the world to be online”. These funds come on top of the £1.9bn already committed to the National Cyber Security Strategy. The UK Government also announced that it is supporting a new ‘Prosperity Partnership’ between Toshiba Research Europe, the University of Bristol and GCHQ to develop more resilient wireless networks. This is one of six new projects funded with £40m from government, industry and university sources. There’s more information here: http://bit.ly/2pb3kz8.
Computer Fraud & Security
3
FRAUD & SECURITY ISSN 1361-3723 November 2019
Featured in this issue: Password meters: inaccurate advice offered inconsistently?
A
lthough we are continually offered the promise of passwords being eradicated they continue to be used extensively. But they remain a significant point of weakness.
Many sites and services offer meters as a guide to the strength of user-chosen passwords. But these are often of dubious
quality and have come in for severe criticism. Steven Furnell of the University of Plymouth builds on previous work to see if password meters have improved in recent years, whether it makes sense to rely on them and what organisations can do to improve them. Full story on page 6…
The guide to ransomware: how businesses can manage the evolving threat
C
yber criminals are taking a more targeted approach and this has been seen recently in a number of ransomware attacks.
The latter part of 2018 saw ransomware figures hit an all-time high, along with the size of the ransoms demanded. The use of ransomware is evolving, with increasingly malicious threats being
spread through a growing range of vectors. As a result, businesses are beginning to place greater emphasis on implementing measures that help detect and prevent cyber security threats. Thorsten Kurpjuhn of Zyxel looks at the steps organisations can take to protect themselves. Full story on page 14…
Gateway to securing the cloud
F
or some years now, security professionals have been bemoaning the erosion – even disappearance – of the traditional network perimeter.
First mobile computing, then the cloud rendered many of their traditional and well-honed tools, such as firewalls, less
effective. Other solutions came along to take their place, but as Simon Eappariello and Craig Talbot of cloud security firm iboss explain in this interview, today’s IT and communications infrastructure is complex and requires a different mindset when it comes to security. Full story on page 16…
UK fraud increases again as Action Fraud comes under fire
T
he UK’s Office of National Statistics (ONS) has issued the latest annual figures for crime in England and Wales and, once again, the figures for fraud – most of which is technology-enabled – are up.
The figures come from the Crime Survey for England and Wales (CSEW), which is a large poll of the population, police-recorded crime and fraud offences collated by the National Fraud Continued on page 3...
www.computerfraudandsecurity.com
Contents NEWS
UK fraud increases again as Action Fraud comes under fire
1
UK Government funds security developments
3
Visit us @
www.biometrics-today.com
FEATURES
Password meters: inaccurate advice offered inconsistently?
6
Although we are continually offered the promise of passwords being eradicated, they continue to be used extensively on the majority of devices, sites and services. But they remain a significant point of weakness. Manywww.membrane-technology.com sites and services offer meters as a guide to the strength of user-chosen passwords. But these are often of dubious quality and have come in for severe criticism. Steven Furnell of the University of Plymouth builds on previous work to see if password meters have improved in recent years.
Visit us @
Visit us @
The guide to ransomware: how businesses can manage the evolving threat 14
Cyber criminals are taking a more targeted approach and this has been seen recently in a number of ransomware attacks. The latter part of 2018 saw ransomware figures hit an all-time high, along with the size of the ransoms demanded. The use of ransomware is evolving, with increasingly malicious threats being spread through a growing range of vectors. Organisations of all sizes can fall victim to ransomware attacks, with many business owners thinking their companies are too small to be targeted by hackers although smaller firms are, in fact, the most vulnerable. As a result, businesses are beginning to place greater emphasis on implementing measures that help detect and prevent cyber security threats. Thorsten Kurpjuhn of Zyxel looks at the steps organisations can take to protect themselves.
Visit us @
Visit us @
Gateway to securing the cloud
16
For some years now, security professionals have been www.networksecuritynewsletter.com bemoaning the erosion – even disappearance – of the traditional network perimeter. First mobile computing, then the cloud rendered many of their traditional and well-honed tools, such as firewalls, less effective and, in some conditions, irrelevant. Other solutions came along to take their place, but as Simon Eappariello and Craig Talbot of cloud security firm iboss explain in this interview, today’s IT and communications infrastructurewww.sealingtechnology.info is complex and requires a different mindset when it comes to security.
Visit us @
REGULARS
Editorial 2 Report analysis
4
News in brief
5
Visit us @
The Sandbox www.filtrationindustryanalyst.com 20 Calendar 20
Visit us @ www.computerfraudandsecurity.com
ISSN 1361-3723/19 © 2019 Elsevier Ltd. All rights reserved This publication and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use: Photocopying Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.
Visit us @
www.pumpindustryanalyst.com
NEWS ...Contined from front page Intelligence Bureau (NFIB) based on statistics from reporting bodies Action Fraud, Cifas and UK Finance. Of these sources, the CSEW is regarded as the most reliable. The CSEW estimates 3,863,000 fraud offences were committed in the year ending June 2019, a 15% increase over the previous year. The ‘bank and credit account fraud’ sub-category accounted for the majority of the cases, rising by 17% to 2.7 million offences. The rise in incidents is roughly equivalent to the 16% increase in the number of fraud offences reported to the NFIB, with 740,845 offences. The report notes: “The number of incidents estimated by the CSEW is substantially higher than the number of incidents referred to the NFIB. This is because the survey captures a large volume of lower-harm cases that are less likely to have been reported to the authorities. The CSEW estimated 3.9 million incidents of fraud for the year ending June 2019 compared with 0.7 million incidents referred to the NFIB.” It adds: “Incidents of fraud referred to the NFIB by Action Fraud, Cifas and UK Finance will include reports from businesses and other organisations, which are not generally included in the CSEW. They also tend to mostly be focused on the more serious cases.” However, that’s not necessarily the full story. Action Fraud – which is operated by US outsourcing company Concentrix – has recently been under fire. It is the primary point of contact for members of the public who believe they have been victims of fraud. However, an undercover report by The Times newspaper alleged severe shortcomings in the way Action Fraud handles incidents. The story alleged that phone lines were staffed by people – sometimes schoolleavers – with woefully inadequate training and that victims were deliberately misled about the likelihood of their cases being reported to the police, let alone any subsequent investigation taking place. No distinction was made between ‘informational reports’ and ‘crime reports’, with only the latter being referred on for police action – if
November 2019
any were taken. The threshold to qualify as a crime report is high, requiring that a victim’s bank details were stolen and any money lost was not reimbursed. The figures suggest that as few as 2% of incidents reported to Action Fraud are actually passed on to the police. The Times report is here: http://bit.ly/32H93eu. The City of London Police, which is responsible for Action Fraud, said it is investigating. There was more criticism from Her Majesty’s Inspectorate of Constabulary and Fire and Rescue Services (HMICFRS). Its report, ‘Cyber: Keep the light on – An inspection of the police response to cyberdependent crime’, found that around 9,000 reports sent by Action Fraud to the NFIB were treated as containing malware and subsequently quarantined. “In these quarantined cases, victims haven’t received confirmation that their report has been received,” says the report. “Nor have they been reviewed for viable lines of enquiry or forwarded to forces for either victim care or investigation.” It goes on to highlight a lack of public awareness about the existence of Action Fraud and confusion over its processes. Around 40% of calls into the Action Fraud hotline are abandoned because of excessive waiting times. The report is here: http://bit.ly/2MSpa3h. Overall, the ONS report says that ‘computer misuse’ crimes in the year ending June 2019 fell by 13% compared to the previous year, with 977,000 incidents. So-called ‘computer virus’ crimes dropped 27%, to 442,000 – figures that may surprise many information security professionals. The ONS report is here: http://bit. ly/2qwvJQe.
UK Government funds security developments
T
he UK Government is investing £54m in partnerships and programmes to enhance cyber security for businesses and individuals.
As the next phase of its Digital Security By Design initiative, which also has the backing of Microsoft and Google, the Government is providing chipmaker Arm with £36m to develop new processors that are more resilient to
cyber attacks. Arm-designed chips are the most numerous and ubiquitous of all processors, powering smartphones, tablets, laptops, servers, embedded systems and Internet of Things (IoT) devices. “Achieving truly robust security for a world of a trillion connected devices requires a radical shift in how technology companies approach cyberthreats. Research into new ways of building inherently more cyber-resilient chip platforms is critical,” explained Arm chief architect, Richard Grisenthwaite. “Our first step is to create prototype hardware, the Morello Board, as a real-world test platform for prototype architecture developed by Arm that uses the University of Cambridge’s CHERI protection model. It will enable industry and academic partners to assess the security benefits of foundational new technologies we’re making significant investments in.” The aim is to make it harder for attackers to take remote control of systems. The Government also believes the initiative will create additional business opportunities in the UK, by building more secure infrastructure. However, any benefits from new technologies developed by Arm, which is headquartered in the UK but owned by the Softbank Group in Japan, are likely to be felt worldwide. The Government is also putting an additional £18m into the Strategic Priorities Fund (SPF), an initiative that aims to combat online dangers such as fraud, phishing and malware. These goals were outlined in the recent Online Harms white paper that stated the Government’s ambition is to, “make the UK the safest place in the world to be online”. These funds come on top of the £1.9bn already committed to the National Cyber Security Strategy. The UK Government also announced that it is supporting a new ‘Prosperity Partnership’ between Toshiba Research Europe, the University of Bristol and GCHQ to develop more resilient wireless networks. This is one of six new projects funded with £40m from government, industry and university sources. There’s more information here: http://bit.ly/2pb3kz8.
Computer Fraud & Security
3