PayPal accounts integrated with Google Pay are hacked

Earlier this year, users of PayPal accounts linked to Google Pay reported unauthorised transactions on their PayPal accounts.

According to a number of victims, the illegal transactions have taken place at shops in the US with purchases particularly prolific at Target stores in New York.

Most of the victims appear to be from Germany and the costs of the transactions run as high as €1,000 in some cases.

PayPal has created a virtual payment card with a number, expiration date, and CVC number. When a Google Pay user makes a payment using PayPal funds, the transaction is done via the virtual card.

Researchers believe hackers could have found a way to discover the details of the virtual cards, though this is by no means certain.

PayPal said it has now resolved the issue without giving further details.

PayPal flaw

Two security researchers said last year they discovered a flaw in PayPal that allowed hackers to read the card details of a virtual credit card from a mobile phone if the mobile device is enabled.

This could likely happen via a near field communications (NFC) reader app. NFC is used when you tap your card on a payment device. For security purposes, the signal range is meant to be no more than about 20 centimetres. However, if a mobile device is being used to make a payment, it has been proven that attackers can read the signal from up to 10 metres away with special equipment.

The fact that only users from Germany, some of whom have never even visited the US, are affected suggests that their virtual card details are being picked up at contactless payment facilities in Germany and then brute-forced to reveal the full payment numbers.

For instance, in Germany the first eight digits of the virtual card are always the same, leaving 7 digits to guess. The researchers who first discovered the flaw said attackers would only need 170 guesses to establish a valid credit card number and card expiry date.

With automated software, this could be discovered in seconds and online accounts could be filled up with funds from hacked PayPal accounts within minutes.

What to do?

  • Google has reportedly said that fraudulent payments need to be cancelled through PayPal.
  • PayPal advises reporting fraudulent transactions immediately so they can be cancelled.
  • PayPal users can also avoid using contactless features and remove Google Pay from their PayPal accounts.

Be vigilant everyone.

The MPMIT Team, offering local IT support in byte sized chunks to Micro businesses and Sole Traders in the Ipswich, Bury St Edmunds, Stowmarket and the surrounding areas.

Keeping Your Online Gadgets Safe

A wide range of household gadgets are being targeted by hackers, now that a gap in their security has been revealed. For your own safety and security, it is vital that you know how easy it is to keep your gadgets free from hacking by burglars and other criminals, so I shall outline some very easy ways to do this.

Gadgets that are being targeted include televisions, kids’ toys, smart thermostats, smart speakers, baby monitors and smart cameras. Most experts within this field have stated that the security of these devices is very good, but devices that use wireless technology are a criminal’s path straight into your own home, as they can easily be hacked. Similarly, Bluetooth connections between gadgets are another way into your private life within your home. These weaknesses have all come about because the passwords attached to the gadgets are easily predicted and not changed by house owners, leaving them vulnerable to hacking by burglars. Below, we look at the gadgets listed above and give you some very easy steps to make them much safer and more resilient to hackers.

Televisions

Televisions come with cameras, microphones and a web connection, all of which are accessible to hackers, who could potentially use them to broadcast inappropriate videos directly onto your TV. To prevent this, put some black tape over the camera on your TV and tighten your security settings (reset the password, etc.) to make it harder for hackers to get through.

Kids’ Toys

Your children could be contacted by perverts through their gadgets, where offensive images, videos or voices could be broadcast to them. Which? has stated that karaoke machines, robots and walkie talkies all had security flaws, and 3 of the 7 toys tested could allow strangers to be in contact with the user. To improve the security of these gadgets, change the PINs and passwords, and turn the gadgets off when not in use by the children.

Smart Thermostats

Changes to the heating in your house could give hackers and burglars clues as to whether or not you are home: if the heating is off for a long period, it suggests that you are not in your house, leaving it vulnerable to burglary. To avoid your thermostat being hacked, again change your password to something strong and, where possible, enable two-step authentication, making your gadget more resilient and less likely to be hacked.

Smart Speakers

One of the best speakers on the market is Amazon’s Alexa, a gadget found in most families nowadays. However, there are some security fears that hackers are listening to or even watching your daily activities through the cameras that some of the products are equipped with. Look for cameras on the product and cover them up. There is also an option to opt out of being listened to and to enter instructions for Alexa manually through a tablet, which is more secure if strong passwords are set up between the two devices.

Baby Monitors and Smart Cameras

Some video cameras that can be bought cheaply on online shopping markets such as Amazon have been found in testing to have security flaws, making it easier for hackers to access your gadgets. Weak passwords and remote access for strangers were noted as key factors that meant hackers could easily use the cameras to look inside your home. When buying a product such as this, choose well-known products such as Arlo and Nest, which all have a high level of security.

If you require any help or advice whilst setting up your gadgets, please get in touch with us here: https://www.mpmit.co.uk/contact-mpm-it-computer-support-services/


Home Workers – This is for you

The interests and cyber security needs of our customers are at the heart of everything we do. This is particularly important during these unprecedented and challenging times.

Millions of people the world over have made a sudden shift to working from home due to the current global circumstances. With our customers in mind we are developing material to help you stay safe and secure when you are online.

Protect those around you by staying connected, private and by sharing valid information.

Unfortunately, as you may be aware, cyber criminals are taking advantage of the anxieties and concerns around the coronavirus, Covid-19.

This has led to a flood of phishing mails that either attempt to steal log-in details belonging to remote workers or install malware on to a victim’s computer. Other infection methods are also being used such as websites that harbour malicious code and apps that are actually fronts for ransomware among other things.

To protect yourself, here are a few useful tips:

Emails
Whenever you receive an e-mail that asks you to click or open a link, take a GOOD look at the sender’s actual email address, not just the displayed name (which could be a trick). You can usually see this by hovering your mouse over the sender’s name.

Websites
If opening links from within an e-mail, look in the URL address bar to see the domain hosting the web page, is it what you would expect – or is it a website you have never heard of? Again, you can hover your mouse over the link without clicking to see the destination website.

Your Systems
Keep your operating system and apps updated – this ensures you have the latest patches against any known exploits.

Lock or close your laptop when you’re taking a break; this will ensure that others in your home don’t accidentally click on malware links or otherwise mess up your work.

With these tips in mind, please take an extra moment to review incoming emails, and the websites you visit to avoid becoming a victim of these attacks. Be extra careful around your online banking and financial investments and don’t be fooled by easy money. If it’s too good to be true, it usually is.

We express our gratitude to those of you who are working on the frontline to combat this virus and offer our sympathies and best wishes to those who have been impacted.

We’re in this together! Stay safe both online and offline!  If you need any help with anything mentioned in this blog please get in touch.


Watch Out For Malicious PDF Attachments

Malicious PDFs are another hacker’s favourite. Over the past few weeks, we’ve been looking at ways you can be vigilant in the fight against hackers. So far, we’ve looked at two-factor authentication, encryption, and avoiding public WiFi.

This time we’re going to look at PDFs attached to emails.

Why PDF attachments can be bad news

Hackers are sneaky by nature.

On the face of it, a PDF looks quite an innocuous document. After all, you open them every day during your regular working practices. However, there is a darker side to the humble PDF.

It’s called steganography – derived from the Greek for ‘covered writing’ – where a data file or malicious code can be hidden within another file.

A PDF file is a perfect vessel for hackers because they’re generally thought to be safe. However, if you receive one that contains malicious code, opening it will drop the code on to your device in a similar manner to clicking on a malicious link on a website.

How to stay safe from malicious PDFs

They are challenging to catch and check. That’s why it’s best that whatever PDF reader you use, your anti-virus or endpoint protection is up to date and that your email servers are running current and updated filters.

Software is also available that can test the PDF file before allowing it through to the intended user.
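As an added illustration (not part of the original post and not any particular product's logic), this Python sketch shows one kind of test such software can apply: flagging PDFs whose structure declares active content such as scripts or auto-run actions. The key list, function names and sample bytes are assumptions made for this example.

```python
import re

# PDF name keys that signal active content: scripts, auto-run actions,
# program launch and embedded attachments.
RISKY = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")
NAME = re.compile(rb"/[^\s\x00/<>\[\]()%{}]+")  # a name token, up to the next delimiter

def decode_name(token):
    """Undo #xx hex escapes, so /J#61vaScript is read as /JavaScript."""
    raw = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), token)
    return raw.decode("latin-1")

def triage(pdf_bytes):
    """Return {risky name: count} found in raw (uncompressed) PDF bytes."""
    counts = {}
    for match in NAME.finditer(pdf_bytes):
        name = decode_name(match.group(0))
        if name in RISKY:
            counts[name] = counts.get(name, 0) + 1
    return counts

def verdict(pdf_bytes):
    """'hold' for manual review if any risky key is present, else 'deliver'."""
    return "hold" if triage(pdf_bytes) else "deliver"

# Constructed samples (not real documents); the script body is a placeholder.
PLAIN = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
ACTIVE = (b"%PDF-1.7\n"
          b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
          b"4 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n%%EOF\n")

if __name__ == "__main__":
    print(verdict(PLAIN), triage(PLAIN))
    print(verdict(ACTIVE), triage(ACTIVE))
```

Keys stored inside compressed object streams are not visible to a raw byte scan, so a "deliver" result here is not proof that a file is safe.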

Be vigilant. Stay safe.

MPM Computer Consultancy provides IT Services, Support and Training to sole traders and small businesses in Ipswich, Bury St Edmunds, and surrounding villages.  

The Marriott Hotel Chain Falls Foul To Hackers

A big company experiencing a data hack is becoming commonplace. This time around it’s the turn of the Marriott Hotel chain.

Back in 2014, details of 500 million hotel guests were stolen although it only came to light at the end of 2018.

The hackers copied and encrypted information and then removed it from a guest reservation database.

How big a data hack was it?

According to investigators, the data hack affected 327 million guests who had stayed at the Marriott-owned Starwood chain of hotels. The following information was stolen:

  • Names, mailing address, phone number, email address
  • Passport number, date of birth and gender
  • Arrival and departure information, reservation date, and communication preferences
  • Starwood Preferred Guest account information

Basically, if you stayed at any of these hotels, you may have been affected: W Hotels, St. Regis, Sheraton Hotels & Resorts; Westin Hotels & Resorts, Element Hotels, Aloft Hotels; The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts; Four Points by Sheraton and Design Hotels.

For some of these guests (Marriott didn’t say how many), payment card data was also stolen. However, according to the hotel, payment data was encrypted but it couldn’t confirm that the data had been completely protected.

What about the remaining 173 million guests? Their stolen data only included a name, and sometimes other information such as mailing address, email address, or other data.

Personal identity protection

Once again, this brings the importance of protecting your data to the forefront. Even if you do take steps to ensure the security of your data on a daily basis, third parties may not be so vigilant.

All companies, to whom we entrust our valuable data, must take steps to ensure that our data is safe. Corporates must understand this can’t continue.


Source: BullGuard

UK Police Are Cutting Back on Cyber Crime Investigations

Fraud, especially cybercrime, is always hitting the headlines. However, five UK police forces are cutting back their investigations in this area.

This story first broke in The Times. Here’s what BullGuard had to say about it:

Police forces in the UK are cutting the number of fraud and cybercrime investigators as they face a £37 million black hole in law enforcement budgets, according to The Times.

Five police forces, West Yorkshire, West Midlands, Sussex, South Yorkshire and Cheshire, have cut the number of specialist investigators over the past two years, according to data obtained via a freedom of information request.

Apparently a secret presentation to police and crime commissioners by the National Crime Agency (NCA), also warns of glaring “operational gaps” in budgets for inquiries into serious and organised crime, including no specialist funding at all for cybercrime after March 2019.

  • A record £500 million in the UK was lost to fraud in the first six months of this year as criminals find ever more sophisticated ways to outsmart an already overstretched police force.
  • About £145 million of the loss was a result of so-called “authorised” scams, where the victim sends funds to a criminal’s account believing they are following instructions from a bank, police or some other trustworthy source.
  • Most cyber fraud crimes referred to Action Fraud, the central fraud reporting agency, are not investigated as they are dismissed by a computer algorithm, usually, because they are under £10,000 and are not linked to known hacker groups.

Cybercrime investigators cut

It’s been apparent for some time that the police rarely investigate what they consider to be ‘small amount’ frauds because they are overstretched.

However, the fact that some forces are now cutting the number of cyber-crime investigators sends out a signal to victims that they may as well not bother reporting losses and to fraudsters that it’s open season.

  • Victims of “authorised” banking fraud are typically denied a refund unless the fraud is detected in time for the recipient bank to freeze funds before they are transferred elsewhere.
  • However, Vocalink, a payments services firm that is part of Mastercard, said fraudulent funds are typically moved into 10 different accounts within 10 minutes of a transfer.

Lloyds Bank said some scammers’ accounts it has detected were opened with valid identification and address documents.

However, there are already technologies available that can quickly identify whether documents are suspicious by tying them to other forms of ID. Why aren’t the banks using them?

If there’s a moral to this tale it’s that we all need to be extremely wary of requests to send money, even if they appear to be legitimate, for instance, from your bank, solicitor or other trusted source.

If the request for a money transfer includes new bank details the first thing to be done is contact the organisation in question, either by phone or even better in person, and verify whether the account details are indeed accurate or part of an elaborate scam.
