Cyber Bakery Chronicles

Your Weekly Cybersecurity Update (20 September 2024)

  • Millions of Devices at Risk as Microsoft and Google Disable Insecure Email Login Method
  • Cybersecurity Giant Fortinet Confirms Data Breach, Downplays Impact
  • New Laws Target Banks, Telcos and Tech Giants in Fight Against Scams
  • Online Voucher Scam Targets Sydney Restaurants Using Square POS
  • TfL Staff Face In-Person Password Resets After Cyberattack

Millions of Devices at Risk as Microsoft and Google Disable Insecure Email Login Method

A major change in email security is set to disrupt many businesses and individuals. Microsoft and Google are disabling Basic Authentication (SMTP AUTH), an outdated method used by millions of devices to send emails directly. This will affect everything from security cameras and printers to scanners and network firewalls.

Why the Change?

Basic Authentication transmits usernames and passwords in plain text, making them vulnerable to theft. Disabling it will improve email security by forcing users to switch to OAuth 2.0, a more secure method that generates unique tokens for each device.

What Devices are Affected?

Many older devices, especially those not regularly updated, may only support Basic Authentication. This includes printers, scanners, security cameras, and network equipment.

Potential Impact:

  • Disruptions to email alerts and notifications from security cameras and firewalls.
  • Inability to scan documents and send them directly to email using printers and scanners.
  • Unexpected issues for businesses that rely on these functionalities.

What to Do?

  • Check with your IT department to ensure all devices are compatible with OAuth 2.0.
  • Update device firmware if possible.
  • Consider alternative solutions for email alerts and notifications.

Businesses should proactively review their IT infrastructure to identify devices still using Basic Authentication, and individuals should be aware of potential disruptions and contact IT support if they experience issues.

By transitioning to a more secure authentication method, email providers aim to protect users from credential stuffing attacks and improve overall email security. However, the change may require some adjustments and updates for those still relying on Basic Authentication.
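As an added illustration (not part of the newsletter), the audit suggested above can start from mail-relay logs: the script below scans constructed Postfix-style submission log lines and lists the client devices that still authenticate with the password-based PLAIN or LOGIN mechanisms rather than XOAUTH2. The log format, hostnames and addresses are assumptions for the example.

```python
import re

# Constructed sample lines in Postfix smtpd format (not real logs).
SAMPLE_LOG = """\
Sep 18 08:01:12 relay postfix/smtpd[2231]: 4A1B2C: client=printer-3f.corp.example[192.168.10.50], sasl_method=LOGIN, sasl_username=scan@corp.example
Sep 18 08:01:40 relay postfix/smtpd[2231]: 4A1B2D: client=cam-lobby.corp.example[192.168.10.61], sasl_method=PLAIN, sasl_username=alerts@corp.example
Sep 18 08:02:05 relay postfix/smtpd[2240]: 4A1B2E: client=laptop-jane.corp.example[192.168.20.7], sasl_method=XOAUTH2, sasl_username=jane@corp.example
Sep 18 08:03:19 relay postfix/smtpd[2240]: 4A1B2F: client=fw-edge.corp.example[192.168.10.1], sasl_method=LOGIN, sasl_username=alerts@corp.example
Sep 18 08:04:00 relay postfix/smtpd[2251]: 4A1B30: client=unknown[203.0.113.9]
"""

# SASL mechanisms that send a reusable password (Basic Authentication).
BASIC_AUTH_METHODS = {"PLAIN", "LOGIN"}

# Matches the client host/IP and, when present, the SASL method and username.
AUTH_RE = re.compile(
    r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>\S+?),\s*sasl_username=(?P<user>\S+))?"
)


def find_basic_auth_clients(log_text):
    """Return {client_ip: {"host", "users", "methods"}} for every client that
    authenticated with a password-based mechanism; token-based (XOAUTH2) and
    unauthenticated connections are ignored."""
    found = {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m or not m.group("method"):
            continue
        method = m.group("method").upper()
        if method not in BASIC_AUTH_METHODS:
            continue
        entry = found.setdefault(
            m.group("ip"), {"host": m.group("host"), "users": set(), "methods": set()}
        )
        entry["users"].add(m.group("user"))
        entry["methods"].add(method)
    return found


if __name__ == "__main__":
    # Devices listed here need a firmware update, an OAuth-capable relay, or a
    # different alerting channel before Basic Authentication is switched off.
    for ip, info in sorted(find_basic_auth_clients(SAMPLE_LOG).items()):
        print(f"{ip:15} {info['host']:28} {','.join(sorted(info['methods']))} "
              f"as {', '.join(sorted(info['users']))}")
```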

Cybersecurity Giant Fortinet Confirms Data Breach, Downplays Impact

Fortinet, a leading cybersecurity company, has confirmed a data breach involving a limited number of customers in the Asia-Pacific region. The company maintains that the incident was confined to a third-party cloud storage service and did not affect its core operations or products.

Fortinet's Statement:
Fortinet acknowledges unauthorized access to a limited number of files on a third-party cloud drive. They claim this data breach only impacted a small percentage (less than 0.3%) of their customers and involved "limited data." Fortinet has contacted affected customers and assures them there's no evidence of malicious activity. The company emphasizes that no ransomware or encryption was involved, and no access to their core network was obtained.

Hacker's Claims:
A hacker using the alias "Fortibitch" contradicts Fortinet's statement. They claim to have stolen 440 GB of data from a Fortinet Azure SharePoint server and leaked it online. The hacker accuses Fortinet of ignoring ransom demands and questions why the company hasn't made a public SEC filing.

Uncertainties Remain:
While Fortinet downplays the incident, the validity of the hacker's claims regarding the size of the data breach remains unclear. Additionally, Fortinet hasn't addressed the potential involvement of Australian government data or critical infrastructure, as reported by Australian media.

Fortinet has engaged a forensics firm to investigate the incident and has implemented measures to prevent similar events. The Australian National Office of Cyber Security is reportedly aware of the situation.

This incident highlights the risks associated with data migration during acquisitions, as the hacker claims the breach occurred during Fortinet's recent acquisitions. It also raises concerns about the security of cloud storage services and the potential consequences of data breaches for cybersecurity companies themselves.

New Laws Target Banks, Telcos and Tech Giants in Fight Against Scams

Australians lost a staggering $2.74 billion to scams in 2023, a record high. The government emphasizes that current protections are inadequate and has announced sweeping changes aimed at combating the growing problem of scams. Under the new laws, banks, telecommunication companies, and tech giants like Google and Facebook will be held more accountable for preventing scams and compensating victims.

Key Changes:

  • Mandatory Codes: Tech giants, banks, and telcos will be subject to mandatory codes outlining clear obligations to prevent, detect, and respond to scams. Companies failing to comply face fines of up to $50 million.
  • Compensation for Victims: Victims can seek compensation from any party involved in the scam – banks, telcos, or digital platforms – through the Australian Financial Complaints Authority (AFCA). Maximum payouts at AFCA are expected to increase.
  • Shared Liability: Unlike the UK model, which places primary responsibility on banks, Australia adopts a shared liability approach.
  • Tech Giants Targeted: For the first time, Facebook, Google, and other tech companies will be held responsible for scams flourishing on their platforms. This may involve verifying advertisers and taking down scam content.
  • Confirmation of Payee: Banks will be required to implement confirmation of payee technology, alerting customers before sending money if the recipient account details differ from their expectations.
  • Focus on Money Mules: Banks must identify and shut down accounts used by scammers to receive and transfer stolen funds.
  • Phone Scam Measures: Telcos will be pressured to block a higher number of scam calls and texts.

Industry Reaction:

  • Tech Companies: The tech sector has previously opposed mandatory codes, arguing that it's impossible to prevent all scams.
  • Banking Industry: Banks lobbied for shared liability and welcomed the move away from the UK model.
  • Consumer Groups: While supportive, some consumer advocates believe the UK's system, which places primary liability on banks, would be more effective.

The article highlights the story of Ilya Fomin, who lost his life savings in a scam impersonating his law firm. Despite seeking help from his bank, the money was transferred and could not be recovered. Fomin believes the proposed confirmation of payee technology could have prevented the incident.

The government is working on the specific details of the mandatory codes. Consultation with industry stakeholders is planned. While the new laws are expected to deter scams and offer victims greater recourse, their effectiveness will depend on implementation and enforcement.

Online Voucher Scam Targets Sydney Restaurants Using Square POS

An online voucher scam targeting restaurants using Square, a popular point-of-sale platform, is causing concern among Sydney restaurants. The scam exploits weaknesses in Square's voucher system, leaving businesses out of pocket for fraudulent purchases.

How the Scam Works:

  1. Scammers purchase vouchers online, either with stolen credit cards (third-party fraud) or by fraudulently claiming their card was stolen after purchase (first-party fraud).
  2. Scammers use the vouchers to dine at restaurants, often choosing smaller businesses with limited customer records.
  3. Scammers then initiate chargebacks with their financial institutions, claiming the voucher purchases were unauthorized.
  4. Square automatically deducts the disputed amount from the restaurant's account, leaving them liable for the fraudulent transaction.

Impact on Restaurants:

  • Soul Dining, a Sydney Korean restaurant, lost over $2400 to the scam and has temporarily disabled online vouchers.
  • Lokha Viet Fusion, a Vietnamese restaurant, was hit with a $145 chargeback for fraudulent vouchers.
  • Lenny Briskets, a sandwich shop, identified and cancelled suspicious voucher transactions before incurring losses.

Industry Concerns:

  • Restaurants are concerned about the financial impact of these scams, especially during challenging economic times.
  • The scam highlights potential vulnerabilities in Square's online voucher system.
  • Businesses are hesitant to implement additional verification measures (e.g., checking ID) fearing it may disrupt customer experience.

Square's Response:
Square acknowledges the issue and recommends that businesses enable 3DS (3-D Secure) technology. This security feature requires buyers to verify their identity through their bank, potentially shifting liability for fraudulent chargebacks to the card issuer.

Businesses should be cautious of customers paying with online vouchers, especially those with large denominations, consider implementing 3DS technology if using Square for online vouchers, and report suspicious activity to Square and local authorities.

TfL Staff Face In-Person Password Resets After Cyberattack

Transport for London (TfL) is grappling with the aftermath of a cyberattack that compromised staff data. As a precaution, all 30,000 employees will be required to reset their passwords in person.

What Was Compromised?
The attack, first identified on September 1st, targeted TfL's directory system. While details like email addresses, job titles, and employee numbers were potentially stolen, TfL assures customers that sensitive data like bank details, home addresses, and birth dates remain secure.

In-Person Password Resets:
Citing expert advice, TfL has implemented a mandatory in-person password reset process for all employees. This measure, considered necessary due to the severity of the incident, requires staff to physically verify their identity to regain access to their accounts.

Business Continuity and Customer Reassurance:
While addressing the internal security breach, TfL has activated business continuity plans to minimize disruptions. Employees will receive updates through WhatsApp from line managers and people leaders. Recognizing potential customer concerns, TfL emphasized the security of their network and pledged further communication regarding customer data protection.

Arrest Made:
On September 5th, a 17-year-old from Walsall was arrested on suspicion of violating the Computer Misuse Act in connection with the cyberattack. The teenager was questioned and later released on bail.

The incident highlights the importance of robust cybersecurity measures for critical infrastructure. TfL's response, including employee password resets and customer communication, aims to mitigate the risks associated with the data breach. The ongoing investigation, which involves a juvenile suspect, still leaves some questions unanswered.