Have Hackers Hopped onto Deliveroo – or are its Customers Jumping to Conclusions?

Have Hackers Hopped onto Deliveroo – or are its Customers Jumping to Conclusions?

Hello, welcome to Sofa Time with Mirus. I’m Dan Sharp and I’m Paul Tomlinson. We’re going to do
some videos around different subjects that we see in the IT world, whether that’s
cyber incidents or about choosing an IT company, MSP, or just general tech things
that we see in the news, to help translate I guess some of the more
technical things we see into real-world understandable talk.
Yeah, try and take away the sort of technical jargon that we use in the
industry and just make it plain English. So, the first one we’re going to cover
today is around cyber security and actually isn’t so much a cyber security
incident, it’s Deliveroo’s perceived breach of their website. I guess do you want to tell us a
little bit more about it? Yeah so, what we saw with this one was Deliveroo had
a number of people contact them to say that they’d run up charges
which were too high in their account. And then what they realised is that somebody
else had gained access to that person’s account.
So, obviously Deliveroo were really worried thinking that they’ve got some sort of
breach within their systems and it transpires that the problem wasn’t Deliveroo, and actually the problem was related to the fact that people reused
the same passwords for the Deliveroo account that they use for other accounts,
and somehow the account had become compromised elsewhere and those same
credentials were then reused for the Deliveroo site to actually make those
different orders. I guess the difficulties you don’t know where that
data has been lost from in the first place.
No, I think that’s it that is the problem when we see a bucket of
data sometimes it’s really easy to tie it back to a specific location but, when
we actually see where data’s being reused it could come from so many
different sources and unless you understand every piece of data and you
can work it back then it makes it really difficult to understand where it’s come
from. It’s interesting that we’re seeing from our perspective less ransomware
type incidents which are quite a technical, quite a technically
difficult, challenge to overcome through firewalls and that kind of thing and
much more focus on really, strong, clever phishing type attacks in emails. Yeah, I
think it’s just much easier to orchestrate an attack when we’re looking
at using credentials and using that type of attack whereas, like you say, when you
look at a ransomware type of attack the tools are in place to
actually stop those type of things happening so, most people have
next-generation firewalls, most people have AV scanners, things like
that. So, it makes it a ransomware type incident much more complicated to
execute whereas, you know password reuse, or phishing credential, phishing people’s
credentials and reusing them for something else,
that seems to be a much easier way to do things really. I think password reuse is a
big issue and it’s a cross as a divider in your kind of personal life in your
work life, in terms of the different or the multiple numbers of SAS based
applications and just websites where you’re creating your own personal
account. Yes, so the Deliveroo, coming back to Deliveroo, obviously, that is password
reuse so, you know somebody’s used their credentials on one website and then
reused them for Deliveroo and then when one website has been compromised
they’ve been able to, the attacker, has been able to use those passwords in that way.
What we see though is that, like you say, that the crossover between work and
personal life you know we’re enforcing such a
complicated password policies and regular changes of passwords that it
makes it very difficult for people to remember unique passwords for every
system. And like you say (and people get lazy) yeah, people get lazy and there’s so many
systems as well. So, what we tend to find is that people use, you know, a base
password and they modify the base password or they use a password they use
every month and when they’re forced to change it, they just you know change it
to the correct month. There’s lots of different techniques that people do to
get around the fact of just using unique passwords because using unique passwords
can be seen as quite complicated and difficult to do. And when you think
about the volume of passwords and accounts that in each of individual
person creates and uses on a monthly basis, it’s actually probably quite a
significant number, isn’t it? Yeah, we were looking at one of the internal GDPR
exercises, so mapping out all the different business systems that we use.
We’ve got around 25 different systems that are used across the business. Some
only by a few people, but if you were a user of every system within this
business, you’d use 25 different systems. We’ve tried to integrate as many as
possible to use the same credentials through a single sign-on and multi-
factor authentication, but there’s also other systems that people need to
remember unique passwords for, and that’s where the password management tools come
in. So, you know and they work really well for both
in work life, but also in personal life. So they would store the passwords, they
would offer to create unique passwords when you’re registering for a site, and
they’ll also give you password score so they’ll tell you whether or not you’re
using the same password in multiple locations, the age of your passwords,
potentially, and whether or not a base password is being used with a
variation on top of it. So, it just tries to encourage unique passwords and makes
it simple to do that. That’s a reminder of good behavior in some
respects as well, isn’t it? Yeah absolutely, I think the password score
element really helps to kind of get it home that you know you’re not in a
healthy position if you’re using the same password for multiple sites. That’s
what we’ve already touched on is about multi-factor authentication I guess we
should probably explain what that is for that are not aware of that technical IT
term. Yeah, so obviously we’ve got user names, passwords, and then we’ve got
another factor of authentication so you know typically that would be a six digit
code that’s created. More commonly now what we’re seeing is it’s actually using
an app on your phone. So, you log in with you username, log in with your password,
and then it prompts you for a code and the codes change every 60 seconds
normally, and that code then is that extra barrier before you actually get
into the system. There are other ways of doing multi-factor authentication, you
know things like fingerprints you know people use this of a key ring type key
fob with again the sort of six digit character, but the mobile app seems to be
the most common way of doing it now. I think it probably where people would be
aware of that is their personal banking. A lot the time now you get the
square little thing, something to do with HSBC, for us directors you get your little key
fob which is two factor authentication, but people don’t actually know relate that’s the term for it. Yeah and I think that’s it’s it’s a great
example and I think or what we’d like to see is more use of that sort of
secondary factor of authentication in all applications so you know things like
LinkedIn and can you can enforce it there Instagram, Facebook all sorts of
social media accounts, but more and more business systems and particularly
SAS based applications also support it. It’s the legacy sort of on-premise
applications that we’re not seeing it or apps like Deliveroo and things like that
you know websites is you know those type of what would be considered low
value type transactions they don’t consider putting multi-factor
authentication on there, because actually it might make it more difficult to get a
sale. I think one of the key things
and you kind of see it because of the news is is that user education and
just general awareness, that reminder to think before you do something. Whether
that’s a phishing email, a website, an attachment in an email, it’s just that
education of our users. Yeah I mean we what we don’t know is whether or not the
Deliveroo perceive breach was related to phished credentials or whether it was a
relate to compromised credentials because of a problem with the website. We
can’t do much about the compromised website you know we all buy things
from websites and we need to trust in who were buying from you know and that’s
just hope that they’ve got the right controls in place to protect our data
once they’ve got it. In terms of phishing credentials obviously, if we get an email
it’s our decision whether or not we then follow the instructions in there,
and what we tend to find is there’s a lot of urgency placed in those emails
now. So, you know if you don’t do this in 24 hours (a certain time period) there’s a
consequence and the consequence is normally something you don’t want to
happen, like you lose access to an account. So, people have become really
clever at basically creating these phishing emails and convincing people to
do what they want them to do, which then allows them to gain access to the
credentials and potentially reuse them to attack the site. So, we’re looking more
and more around that sort of cyber security training and awareness to try
and improve people’s knowledge and try and get them to a point where they
understand what does a phishing email potentially look like or at least get to
a point where they pause and think should I really be doing this, is it
something I need to do right now? I think it’s one of the things you kind of
people might think it’s a one-off exercise but actually it’s almost a
process of continual reminder because, it just slips to the back of your head
again very quickly, and it’s that continual process of making people think.
Yeah I think you know what we do quarterly training here, some of our
clients do annual training, so it’s just trying to find the appropriate rhythm in
terms of training that applies to your business really. And one of the
things that we’re going to touch on now is the dark web. I guess people
think about the dark web and it’s this mysterious thing, but actually people’s
credentials are actually available on the dark web, and are actually available
to access to you, for reuse and we’ve got a good example. Yeah, so what
we’re seeing is obviously there’s lots of things available on the dark web;
people’s usernames, passwords, credit-card details, those type of things
are freely available there. So, you know the example we talked about is
my wife’s credentials, so what we did at home is I searched her private email
address and by searching that I found a common password that she uses, is freely
available in the dark web. Now that password she used for Tesco’s,
her Facebook account, lots and lots of different systems, and if somebody had
have taken that and tried to use that password, they would have been able to
gain access to all of those different systems, as her. So, when we sat down and
had that conversation at home, and I showed her the password, and explained
the sort of consequences of it, the entire evening was then spent logging
into different web sites and (fun evening) changing passwords. Yeah it was a fun
evening, and obviously it was completely my fault that she’d used the password
multiple times. Yeah, so, but we’re seeing, we’re actively monitoring more
and more customers domain names now, to look for this type of thing. You know,
some people we include their high profile individuals, we’ll include
their personal email address, as well as their work email address, but just
looking at the domains and when we do see the information that comes back and
we see about you know how common the passwords are or how simple the
passwords are and these are passwords that are used to protect their identity,
whether it’s in work or through third party systems, and you know it is it’s
becoming a real issue and you know we’re just trying to work with people to make
sure that they understand that complex passwords are required and you know
wherever possible do this sort of multi-factor authentication. I think
that’s the thing where the dark web scanning isn’t necessarily to to blame
somebody for their credentials being lost, it’s almost that re-education that
something’s happened, think about it, think about it, think about it, because
it’s not our kind of it’s not necessarily that they’ve given the details away
necessarily it’s they’ve been compromised somehow. Yeah absolutely, it’s
you know it’s not their fault that that third party sites potentially being
compromised, and by alerting people that it’s happened, then at least they know if
they haven’t if they haven’t followed the guidance around password reuse and
they have used that same password on multiple sites, then go and change those,
before they before somebody uses those to create an attack against them. So,
that’s the end of our video today. We’re going to do some more videos on various
subjects, as we said earlier. We hope you found it useful and we’ll
see you next time thanks a lot. Thanks everyone.

Be the first to comment

Leave a Reply

Your email address will not be published.