Safe and secure online, on holiday – Kaspersky Lab official blog

Hopefully, you’ve read our advice on researching and booking holidays and other travel safely and securely. But have you thought about how to keep yourself protected online while you’re away, whether it’s the annual family holiday or a short break?

Whether you’re basking in the sunshine or enjoying the snowy slopes, it can be easy to forget that your online safety is as important as your sunscreen or goggles. So we’d like to offer some simple advice to help ensure that when it comes to being online, you’re as safe when away as when you’re at home.

Look after your mobile devices

The great thing about smartphones and tablets is that they’re small and portable. The downside to this is that they’re easy to lose, and easy for someone to steal. The consequences of this happening in your own country are bad enough, but if you’re abroad, you face additional inconvenience, expense and, often, upset.

When you’re out and about – especially in city centres – keep your phone or tablet close to you and get it out only when you have to, in a safe place, to answer a message or check the map. Don’t leave it unattended in cafes, bars or on public transport, and if there isn’t a safe in your hotel room, we recommend you take it with you.

And remember that apartments, villas, ski lodges or caravans all make attractive targets for thieves, so take care here as well.

Wi-Fi hotspots

When you’re on holiday – just like when you’re at home – there’s nothing easier and more convenient than being able to connect to Wi-Fi in your hotel room, the café or a bar. You can keep up with your friends, check the news, catch up on your email (uh oh, you’re meant to be relaxing!) and check your bank account.

But have you considered if that hotspot is secure, and what information you might be revealing inadvertently?

If you’re doing anything private online such as banking, paying for something, logging into a shopping site or confidential email – our advice is: don’t do it using a Wi-Fi hotspot, but use your data (remember, roaming is cheaper these days) or a mobile dongle.

This is because with hotspots, you have no guarantee that the connection is secure, so there’s a chance that it could be eavesdropped on or hijacked. Even if you need a code or your email to log on, it’s not worth the risk.

Social media

When you’re having a great time on holiday, there’s nothing quite like sharing it with posts and photos on your favourite social media platform, right?

Right, but the problem is, you can never be sure who’s going to end up seeing what you’ve posted, and these days social media has become the best friend of both burglars and fraudsters.

Advertise the fact that your home is unoccupied – even if it’s only for a weekend break – and you’re risking having it broken into. This isn’t uncommon, and even high-profile celebs have fallen victim. Insurance companies are now refusing to pay out if they find you’ve posted that you’re away, so surely this, combined with the thought that somebody could be going through all your belongings while you’re away, would make you think twice.

We mentioned fraudsters using social media too, and this one affects your workplace. It’s become commonplace for fraudsters to combine the fact that you’re away on holiday with other snippets gained on LinkedIn or a sly phone call to defraud your business. They’ll impersonate a supplier, the bank, HMRC or – if you’re a senior exec, you – to extract money out of an unwitting colleague. You can only begin to imagine the consequences.

In conclusion

We want you to relax and enjoy your break, and be able to enjoy your online experience seamlessly and safely while you’re away too. Following this practical holiday advice and the other online safety basics on our website, that shouldn’t be a problem.

Have a great time!

Source: Safe and secure online, on holiday – Kaspersky Lab official blog

Hunt for gang of travellers scamming elderly and vulnerable out of millions | Metro News

Whatever you do, don’t open your door to this gang of travellers. They are suspected of conning the elderly and vulnerable out of £3million and have been named as some of the UK’s most wanted fraudsters. The gang of five men and one woman are wanted after disappearing while out on bail.

The leaders of the gang have been identified as husband and wife Kathleen McCarthy, 29, pictured, and Oliver Boswell, 30 (Picture: City of London Police)
Oliver Boswell is part of the gang of fraudsters who are pretending to be judges, police and trading standards officers to make their victims transfer large sums of money (Picture: City of London Police).
Police have now launched an appeal for any information related to the rogue traders and conmen, who have been tricking residents into agreeing to unnecessary work on their homes which was never carried out. In some instances, the fraudsters pretended to be judges, police and trading standards officers to make their victims transfer large sums of money.

The pair have already been convicted of money laundering, with McCarthy stealing more than £220,000 from 14 elderly victims in just one year.

John McCarthy, 33, is wanted for five fraud and money laundering offences after posing as a trading standards officer (Picture: City of London Police)

But they are now on the run after failing to turn up for their trial at Lewes Crown Court in December. Other members of the gang include James Flynn, 42, who duped a man in west London into transferring £64,400, John McCarthy, 33, who is wanted for five fraud and money laundering offences after posing as a trading standards officer, John O’Brien, 49, from Cambridge, and Daniel Sheridan, 48, from Wolverhampton. O’Brien allegedly made a victim hand over £75,000 in an advance fee scam where they are convinced to make an up-front payment in the promise of getting a share of a larger sum later. Sheridan is accused of posing as a judge during a phone call and threatening a victim with jail for contempt of court unless he handed over £79,000.

Denis Marku, from London, is suspected of using his role as a cashier at a Chelsea bank to steal more than £3million from customer accounts (Picture: City of London Police)
Nathan Scott Hudson, from East Yorkshire, is suspected of stealing £110,000 from people who invested in several fake businesses (Picture: City of London Police)

The Joint Fraud Taskforce, made up of police, banks and other industry bodies, issued the appeal. They are also appealing for information about two other suspected fraudsters: Nathan Hudson, 34, and Denis Marku, 21. Hudson is suspected of stealing £110,000 from people who invested in several fake businesses. Marku, from London, is suspected of using his role as a cashier at a Chelsea bank to steal more than £3million from customer accounts.

Commissioner Ian Dyson, from City of London Police, added: ‘I would urge anyone who has information on the wanted fraudsters to call officers as these people will continue to commit fraud across the globe that cause misery to so many worldwide.’

Source: Hunt for gang of travellers scamming elderly and vulnerable out of millions | Metro News

Joint Fraud Taskforce calls on public’s help to catch eight wanted fraudsters responsible for more than £1 million in losses

The Joint Fraud Taskforce is asking for the public’s help to catch eight wanted fraudsters. The City of London Police is today (Thursday 26 July) urging members of the public to help locate the fraudsters who are collectively responsible for more than a million pounds in fraud losses across the UK.

All eight have been identified through the work of the Joint Fraud Taskforce, an initiative that brings together law enforcement agencies, the financial sector and Government to fight criminals who prey on the public and UK businesses.

They include Nathan Hudson who defrauded people across London, Hull, Leeds, Liverpool, Plymouth, Cornwall and Poole; Denis Marku from south London who carried out frauds while working as a bank cashier; and six people including a husband and wife, who took part in ‘rogue trader’ scams throughout the country.

The wanted fraudsters have been identified as serious offenders by members of the Joint Fraud Taskforce, with submissions from UK police forces and other agencies, with the campaign to locate and bring them to justice led by the City of London Police, in its role as the national lead police force for fraud.

The eight suspects show the scale of the fight against fraud, including how criminals use the internet to commit their crimes and launder the proceeds. This appeal also follows the recent publication of the Office for National Statistics (ONS) Crime Survey of England and Wales, which once again showed that fraud is one of the most prevalent crimes in the UK.

City of London Police Commissioner Ian Dyson QPM said:

“Law enforcement, Government, businesses, and the public working together is one of the keys to combating fraud and bringing criminals to justice.

“The Joint Fraud Taskforce is key to this and brings an urgency and clarity to the UK’s response to fraud, and enhances our efforts to protect the public and businesses across the UK.

“I would urge anyone who has information on the wanted fraudsters to call officers as these people will continue to commit fraud across the globe that cause misery to so many worldwide.”

National Crime Agency Director of Prosperity Donald Toon said: “The eight wanted fraudsters that feature in this campaign have each caused significant harm to people in the UK. We in the NCA are working in close partnership, through groups such as the Joint Fraud Taskforce, with organisations across the public and private sectors to apprehend criminals who have so far managed to evade justice. Members of the public have a key role to play in helping to locate these criminals to ensure that they are brought to justice. I appeal to anyone who may have relevant information to contact Crimestoppers and help ensure that these fraudsters can no longer cause financial harm and emotional distress to their victims.”

Katy Worobec, Managing Director of Economic Crime at UK Finance, said:
“Fraud affects the whole of society, so eradicating it requires action from all corners. Through the Joint Fraud Taskforce the finance industry is combining with law enforcement and the government to make the UK the most hostile environment in the world for fraudsters.

“The industry also fully sponsors a specialist police unit, the Dedicated Card and Payment Crime Unit, which targets the organised criminal groups responsible for these crimes.”

Mike Haley, Chief Executive of Cifas, the UK’s fraud prevention service, said: “The launch of the Joint Fraud Taskforce two years ago was an important step towards creating a new era of collaboration amongst government, police and industry partners, resulting in shared intelligence, a unified response and greater awareness of the risk of fraud among consumers. Fraud is the volume crime of the 21st Century and with this more focused approach fraudsters should expect to be caught and brought to justice.”

Today’s release follows the first Joint Fraud Taskforce (JFT) wanted fraudsters appeal, which was issued in July 2016. Two years ago we highlighted ten wanted fraudsters who were linked to over £20 million in fraud losses in the UK and abroad. Of these, five still remain outstanding. We would urge anyone who has information on the five outstanding wanted fraudsters from the 2016 appeal to contact the relevant agency, or Crimestoppers immediately with any information which could assist these investigations.

If you do not want to speak directly to the police you can contact the independent charity Crimestoppers anonymously on 0800 555 111.


Timeshare Scams Haven’t Gone Away Warn Trading Standards

Timeshare scams haven’t gone away! That’s the warning from Warwickshire County Council Trading Standards as millions of sun-worshipers take to the skies for their annual holiday.

Trading Standards Officers professional body, the Chartered Trading Standards Institute (CTSI) is warning holidaymakers not to let their guard down.

Warwickshire County Councillor Andy Crump, Portfolio Holder for Community Safety said: “Trading Standards are concerned that holidaymakers are still being approached whilst abroad and enticed by offers of further holiday accommodation opportunities to encourage them to attend ‘presentations’ selling timeshare, holiday ownership or discount holiday clubs.”

Trading Standards and CTSI advise consumers to be wary about attending such presentations, where they may be subjected to pressure sales, which could lead to them parting with large sums of money.

Consumers need to be aware that the cost of timeshare is not just a one-off payment, but there are additional monthly maintenance fees on top, and these may increase significantly over time.

The European Union has specific legislation covering the sale of timeshare and other holiday products, and there are strict rules about the way in which the sales can be carried out. These include the requirement to give consumers key information and cancellation rights, and the prohibition of any upfront deposits being taken.

CTSI Lead Officer for Fair Trading, Sylvia Rook, added: “It is easy to get caught up in the dream of potentially ‘owning’ part of a beautiful resort, or accessing cheap holidays, but if you are asked to part with a large sum of money, it is always important to check the details of the offer carefully and seek legal advice before signing anything. Sleep on it before making any important financial decisions, which may tie you in to monthly, or annual, fees for many years to come.”

Although consumers are becoming more aware of timeshare ‘scams’, there is a growing area of concern over businesses offering assistance on how to get out of timeshare contracts. Timeshare is far less popular than it used to be, and many people who bought timeshare in the 1980s now wish to exit their agreement, either because they are no longer in a position to travel abroad, can no longer afford the maintenance fees because of their advancing years, or because they do not want to burden their family with the potential problem of disposal in the future. As a consequence, there is now very little demand by consumers to buy timeshare on the resale market, which is why such companies have sprung up to ‘assist’ consumers wishing to exit their agreements.

Many businesses who used to sell timeshare have now rebranded themselves as businesses that will help consumers exit their timeshare, often at a very high cost, and CTSI would advise consumers to be very wary about using any such company without first carrying out their own research fully. In particular, consumers should check the terms for exit with their timeshare company first, as many timeshare companies will allow the consumer to walk away from their agreement after paying a number of maintenance payments, and this will often cost substantially less than the fees the exit companies charge. Watch out for businesses who offer to sell you additional products, such as discount clubs, alongside the service they are offering, and certainly do not agree to enter into a new timeshare agreement to offset the old one.

Don’t be misled into believing that all firms who use the term ‘lawyers’ in their name are actually solicitors, as the term has no legal definition; you can check if a business is in the official directory of solicitors by looking on the Law Society website. Finally, always make sure you know exactly what you are agreeing to, and paying for, before you enter into a contract.

Trading standards are aware of a growing number of complaints regarding timeshare, particularly in relation to holiday clubs, timeshare resale, and exit companies, with over 800 complaints received nationally in the last 12 months, often with substantial sums of money being involved.

CTSI Director of Operations, Andy Allen, says, “Despite the falling popularity of traditional timeshare products the UK European Consumer Centre service continues to be contacted by large numbers of consumers who have lost significant amounts of money to timeshare related scams. Rogue companies have continually evolved their products in an attempt to evade the protection offered by consumer protection legislation, and they have also been very clever at developing a variety of guises, the specialist claims ‘lawyer’ being one of them, in order to further target timeshare owners.”

Even whilst you are in the UK you may be approached by someone offering an ‘investment opportunity’ in relation to so-called UK based timeshare ‘lodges’. The same timeshare laws apply in the UK, but always remember to carry out your own research, and certainly do not make a substantial investment for a percentage share in such a property without taking independent legal advice.

Anyone with concerns about timeshare or resale companies is advised to contact Citizens Advice Consumer Helpline on 03454 04 05 06 or Action Fraud on 0300 123 2050.

Tobacco crime – not to be sniffed at

Over 7 million illegal cigarettes and 478 kg of hand rolling tobacco have been seized by local Trading Standards within the Central England Trading Standards Authorities (CEnTSA), Warwickshire County Council’s Trading Standards Service can report.

The cigarettes and tobacco were seized in the last financial year (2017/2018), with a loss to the taxpayer of nearly £2million. The total retail value of the illegal goods is estimated to be worth in excess of £3million. The amount of illegal product seized has increased year on year in recent years, with the amount of illegal cigarettes seized last year being almost 30% higher than the record seizure figure of the previous year.

The seizures were often well hidden, in sophisticated concealments using electronic magnets controlled by a switch, hydraulic compartments in floors, a false back to a fridge, and cavity wall compartments. Such hiding places are difficult to detect without the aid of specialist tobacco sniffer dogs.

All offending businesses are subject to criminal investigation, with some traders already being successfully prosecuted. Some have received financial penalties, others, suspended prison sentences and community orders.

In addition, some shops have had their alcohol licences suspended or revoked for dealing with illegal tobacco products.

Warwickshire County Councillor Andy Crump, Portfolio Holder for Community Safety said: “Far from being a victimless crime, the illegal tobacco trade creates a cheap source for children and young people. Whilst all tobacco is harmful, the illegal tobacco market, and in particular the availability of cheap cigarettes, undermines government health policies aimed at reducing the cost to the NHS of treating diseases caused by smoking. The loss to the taxpayer means less money being spent on local communities, schools and the NHS.”

Bob Charnley, Chairman of CEnTSA said: “More and more people over the past few years have decided enough is enough and are providing information to Trading Standards, to stop local criminals selling and distributing illegal tobacco. Combating illegal tobacco has become an increasing priority for Trading Standards. The illegal tobacco trade has strong links with crime and criminal gangs, including drug dealing, money laundering, people trafficking and even terrorism. Selling illegal tobacco is a crime.”

Mr Charnley added: “Retailers are becoming increasingly sophisticated in their approach, adapting their methods in order to avoid detection. Some businesses had gone to great lengths to conceal the illegal tobacco in secret compartments, including hydraulic lifts in floors, false walls and fridges. You may hide it, but we will find it.”

Illegal tobacco products can usually be easily recognised. They will be very cheap, often less than half the price of legitimate packets and often have foreign writing on them.

Anyone being offered cheap tobacco or any other types of illicit goods should report it to Trading Standards by calling the CEnTSA’s confidential fakes hotline on 0300 303 2636.

Household appliances recalled due to fire risk – GOV.UK

List of household appliances recalled due to fire risk since 2010.



Manufacturers notify the Department for Business, Energy and Industrial Strategy of a product that has been recalled because of a safety risk.

Each document provides information on the:

  • type of product
  • manufacturer
  • reason for its recall
  • what you need to do if you own this product

You can also find guidance on how to check the latest recalls, register your appliance, and who to contact for more information on product safety on the government’s Acting on product safety website.

Source: Household appliances recalled due to fire risk – GOV.UK

Two-factor authentication: Everything you need to know! | iMore

How do you protect your photos, messages, and more from being hacked or stolen online? With two-factor authentication!

Two-factor authentication: Everything you need to know!

Hackers are too good, and security systems flawed. Longer complicated passwords created by generators like Safari’s iCloud Keychain or third party apps like LastPass or 1Password can help, but the best way to lock down your accounts is to add extra security options for two-step or two-factor (2FA) authentication. Here’s how to go about it.

What is two-factor authentication?

Two-factor authentication is the most prevalent way to secure your accounts: It asks you to authenticate that you are who you say you are by supplying not only your password, but a unique code supplied from your phone or an external app. It ensures that those accessing your accounts have access to your physical devices as well as your virtual passwords, so a simple password crack or social engineering hack on its own is no longer enough to reach your personal data.

What’s the difference between two-factor authentication and two-step verification?

They’re commonly used interchangeably, but two-factor traditionally requires two different types of authentication. That can include something you know (password), something you are (fingerprint), or something you have (Bluetooth dongle). Two-step verification, on the other hand, can use the same type of information delivered by different sources. For example, a code you remember (password) plus a code you’re sent over SMS (token).

Two (or more) factors can be more secure, but two steps are typically enough for most online accounts. It’s a better version of the old “security questions”. It not only helps you avoid needing to remember your random answers, but it also removes the risk of relying on potentially easy-to-find information.
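To make the “password plus a code from your phone” mechanism concrete, here is an added example (written for this page; it is not iMore’s code or any vendor’s implementation) of the time-based one-time password that authenticator apps generate (TOTP, RFC 6238, built on HOTP, RFC 4226), plus the server-side check that requires both the password and the code to pass. The secret, the user record and the timestamps are constructed for the demo; a real service would additionally store the secret encrypted and rate-limit attempts.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def generate_secret(nbytes=20):
    """Random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def hotp(secret_b32, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """Time-based code (RFC 6238): HOTP over the current 30-second window."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step), digits)


def verify_totp(secret_b32, submitted, at=None, step=30, digits=6, window=1):
    """Accept the code for the current window and +/- `window` neighbours
    (tolerates clock skew). Every candidate is compared in constant time."""
    at = time.time() if at is None else at
    counter = int(at // step)
    submitted = str(submitted).strip().encode()
    ok = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        expected = hotp(secret_b32, counter + delta, digits).encode()
        ok |= hmac.compare_digest(expected, submitted)    # no early exit
    return ok


def make_user(password, totp_secret):
    """Constructed user record: salted PBKDF2 password hash plus TOTP secret."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def authenticate(user, password, code, at=None):
    """Both factors must pass: something you know AND something you have."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at=at)   # always evaluated
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed demo: enrol a user, then log in with password + current code.
    secret = generate_secret()
    user = make_user("correct horse battery", secret)
    print("accepted:", authenticate(user, "correct horse battery", totp(secret)))
    print("wrong code:", authenticate(user, "correct horse battery", "000000"))
```

The `window` parameter is the usual trade-off: a value of 1 lets a phone whose clock is 30 seconds off still log in, while each extra step doubles the number of codes an attacker could guess, which is why the check must also be rate-limited. Note that a stolen password alone yields nothing here; `authenticate` only succeeds when the code derived from the device-held secret also matches.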

Why is two-factor authentication so important?

Passwords are weak, broken, and by all accounts, outdated: Having to remember a random assortment of numbers, letters, and possibly (but not always) other characters can be tough on your memory and easy for attackers to compromise, especially when technology like Touch ID exists. Apps like 1Password or LastPass can help with organizing and memorizing your passwords and even help you create super-long strings, but you’re still reliant on a single password to keep you safe. Two-step/two-factor authentication requires two different keys to log you into your account, significantly amping up the level of difficulty for any would-be hackers to access your personal information.

What accounts can I set up with two-step verification or two-factor authentication?

Over the past few years, lots of web services and banks have hopped aboard the multiple authentication methods bandwagon — more than we can properly list. The folks over at Two Factor Auth, however, have kindly put together a master list of services that support two-step verification or two-factor authentication, along with links to how-to documents, what methods of two-factor authentication they support, and how to contact a service you use to request that they implement two-factor authentication.

Here at iMore, we’ve put together a bunch of articles on some of the most popular services that support two-step/two-factor authentication — as well as the easiest ways to set it up — to help you keep your accounts safe and away from prying eyes.

What if I lose my phone (or have it stolen)?

One of the big fears with SMS or code-based two-factor authentication is the potential loss of your primary authentication device: If you don’t have your phone, you can’t get SMS messages, et cetera. Thankfully, most services offer recovery keys or special passcodes that can unlock your account in case you don’t have access to your cell phone at the present moment. Make sure to write these down in a safe place; I use 1Password’s secure notes feature for this, and also store a hard copy in my office.

Need more help with two-step verification or two-factor authentication?

Running into trouble setting up two-step verification or two-factor authentication? Have a question about turning two-step or two-factor on for your favorite service? The iMore Forums are a great place to get advice and help from other members of our community; you can also ask a question in our Q&A forum and we’ll get back to you as soon as we can.

Source: Two-factor authentication: Everything you need to know! | iMore

What does the NCSC think of password managers? – NCSC Site

Android password screen

People keep asking the NCSC if it’s OK for them to use password managers (sometimes called password vaults). If so, which ones? Who should use them – private citizens, small businesses, massive enterprises? And how should people use them? Is it safe to put all your crucial passwords into a password manager, and forget trying to remember any at all?

This is a big topic, so we’re chunking it up. This blog explains what I think about password managers in general, and how I use them myself. This might be helpful if you’re an individual deciding whether and how to use a password manager for your personal use. If you’re looking for business use, this blog post won’t hold all the answers you need (look out for more from the NCSC on this soon).

Should I use a password manager?

Yes. Password managers are a good thing.

They give you huge advantages in a world where there’s far too many passwords for anyone to remember. For example:

  • they make it easy for you to use long, complex, unique passwords across different sites and services, with no memory burden
  • they are better than humans at spotting fake websites, so they can help prevent you falling for phishing attacks
  • they can generate new passwords when you need them and automatically paste them into the right places
  • they can sync your passwords across all your devices, so you’ll have them with you whether you’re on your laptop, phone or tablet

All these things are full of win. They reduce security friction – making security easier and more convenient. If security is difficult, tedious, appears to add no value or gets in the way of the main task we’re trying to do, then we tend to find (insecure) ways around it. And then we end up less protected.
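The phishing point above rests on one simple rule: a password manager only offers a saved credential when the page’s origin exactly matches the origin it was saved for, whereas a human reads the address bar and is fooled by look-alikes. The following added example (written for this blog page; it is not the NCSC’s code or any real password manager’s logic) shows that rule as a small autofill decision over a constructed vault, with the cases that trip people up: a subdomain of an attacker’s site, a user-info trick, a hyphenated look-alike, and a scheme downgrade.

```python
from urllib.parse import urlsplit

# Constructed vault: the exact origin a credential was saved for -> username.
VAULT = {
    "https://bank.example": "alice",
    "https://mail.example": "alice@mail.example",
}


def origin_of(url):
    """Return scheme://host[:port] for an http(s) URL, or None if the URL has
    no usable origin. Default ports are dropped so https://x/ and https://x:443/
    are treated as the same origin, while https://x:8443/ is a different one."""
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    host = parts.hostname            # lower-cased; userinfo and port stripped
    if parts.scheme not in ("http", "https") or not host:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def credential_for(vault, url):
    """Autofill decision: only an exact origin match returns a credential.
    There is deliberately no substring, prefix or 'looks similar' matching,
    so a host that fools a human gets nothing from the vault."""
    origin = origin_of(url)
    if origin is None:
        return None
    return vault.get(origin)


if __name__ == "__main__":
    # Constructed page URLs a user might land on after clicking a link.
    for url in [
        "https://bank.example/login",
        "https://bank.example.evil.example/login",   # attacker-controlled subdomain
        "https://bank.example@evil.example/login",   # userinfo before the real host
        "https://bank-example.example/login",        # hyphenated look-alike
        "http://bank.example/login",                 # scheme downgrade
    ]:
        print(f"{url:45} -> {credential_for(VAULT, url)}")
```

The mechanism is the same reason browser-based managers and standalone ones that integrate with the browser are better than people at spotting fakes: they never compare what the page looks like, only where it is served from.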

Well, that all sounds great. Where’s the catch?

You might be thinking “If password managers are this good, why haven’t you recommended them before now?”

Well, they do have some drawbacks:

  • Password managers are attractive targets in themselves. They’ve been successfully attacked in the past, and realistically they will be again. So all your passwords could get stolen in one go.
  • If you forget the master password for your password manager, you will not be able to get back in. You will have to try and access all your accounts individually, or recreate/reset them from scratch. This will hurt.
  • You can’t use them for everything. Some service providers (such as certain banks) don’t support the use of password managers. If you tell them you’ve put your banking passwords into one (or written them down in any way at all) they might not give you your money back if you are the victim of cyber crime. If your bank is one that takes this stance, you’ll need to think about how you’re going to manage critical passwords without writing them down. On the brighter side, this is much easier to do once you’ve got most of your passwords out of your head and into the password manager.

Should I use a browser-based password manager?

Many web browsers now come with password managers built in, and they can be a very good choice. They are very convenient to use, as they are fully integrated with the web browser – so they know when you’re on a website that needs a password, and they just pop up and do their thing. You don’t even have to remember a separate master password. So feel free to use the built-in password manager, provided that:

  1. You keep your web browser up-to-date.
  2. You have some kind of access control on your device such as a PIN/password/biometric – two things you should be doing anyway!

One drawback with browser-based password managers is that your passwords may not automatically sync between all your devices if these use different operating systems. So, if you have a Windows laptop, an iPad and an Android smartphone, your passwords may not follow you around everywhere – unless you use the same web-browser on all your devices and log into it. Also, if more than one person uses a device on the same user profile, they would all have access to the same password-protected content. You may not want that.

Should I use a standalone password manager?

Compared to browser-based managers, standalone password managers tend to do a better job of keeping your passwords available to you on all your different devices, no matter what platform they’re on. They give you a little more control over when and where you use your passwords, as you get to press a button to say ‘I want to use the password please’, rather than the web page in the browser requesting one when it feels like it.

Importantly, with a standalone password manager you do have to create and remember a long master passphrase (unlike with a browser-based one). Standalone password managers may also include more advanced features, such as:

  • notifications about compromised websites
  • flagging up reused or weak passwords
  • prompting you to change old passwords*
  • helping you change passwords for some websites, by integrating with your browser
  • multi-factor authentication

How do I do this, then?

As with many things, there are lots of different ways of going about this. This is what I do myself:

  1. First, try and cut down the number of passwords in your life, and reduce how much you rely on those passwords to prove who you are. Use multi-factor authentication or single sign-on where available. For infrequently-used passwords, use a password reset mechanism when you need to log in (instead of making any attempt to recall or store the password). But take really good care of the email account that the password reset emails are sent to.
  2. Consider biometrics. Fingerprint readers on smartphones are generally good enough to protect your phone and the data on it, and they are very usable. So feel free to use them. Turn on encryption (if it’s not already on) for extra protection.
  3. Decide whether to use a browser-based or a standalone password manager. Personally, I use both, for different things.
  4. If you use a standalone password manager, make its master passphrase the best you possibly can. We suggest a passphrase rather than a password as it’s much easier to make it really long, and adding length gives much more protection than adding complexity. Make it hard for someone who knows you to guess in 20 attempts, and make it totally different from any password or passphrase you’ve ever used anywhere else.
  5. Memorise your passphrase. Yes, you really do have to, sorry! If it helps, write it on a piece of paper until it’s firmly lodged in your memory. Keep the piece of paper very safe, and destroy it when you’ve memorised the password.
  6. Don’t put any work passwords into your personal password manager unless you’ve got permission from your employer.
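The checks a standalone manager runs (reused, weak and old passwords, breach notifications, from the feature list above) together with step 4's point that length beats complexity, as an added Python example that is not from the NCSC article; the vault, the breach list, the fixed date and the thresholds are all constructed.

```python
import math
from collections import defaultdict
from datetime import date

# Constructed sample vault: (site, username, password, last changed). Not real data.
VAULT = [
    ("bank.example",  "alice", "correct horse battery staple", date(2024, 1, 10)),
    ("shop.example",  "alice", "Summer2019!",                   date(2019, 6, 1)),
    ("forum.example", "alice", "Summer2019!",                   date(2019, 6, 1)),
    ("mail.example",  "alice", "P@ss1",                         date(2023, 11, 5)),
]
# Constructed stand-in for a breach-notification feed (sites known to have leaked logins).
BREACHED_SITES = {"forum.example"}
TODAY = date(2024, 6, 1)  # fixed "today" so the results are reproducible

def estimated_bits(password):
    """Rough search-space estimate: length * log2(size of the character classes used).
    Length dominates the result, which is why a long all-lowercase passphrase scores
    far above a short but 'complex' password."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33)]  # last class: punctuation and space
    alphabet = sum(size for test, size in classes if any(test(c) for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def audit(vault, breached, today, weak_bits=60, max_age_days=3 * 365):
    """Return (site, finding, detail) tuples mirroring a standalone manager's checks:
    reused, weak (below weak_bits), old (unchanged for > max_age_days) and breached."""
    sites_by_password = defaultdict(list)
    for site, _user, pw, _changed in vault:
        sites_by_password[pw].append(site)
    findings = []
    for site, _user, pw, changed in vault:
        others = sorted(set(sites_by_password[pw]) - {site})
        if others:
            findings.append((site, "reused", others))
        bits = estimated_bits(pw)
        if bits < weak_bits:
            findings.append((site, "weak", round(bits)))
        age = (today - changed).days
        if age > max_age_days:
            findings.append((site, "old", age))
        if site in breached:
            findings.append((site, "breached", None))
    return findings

if __name__ == "__main__":
    for site, kind, detail in audit(VAULT, BREACHED_SITES, TODAY):
        print(f"{site:14} {kind:8} {detail if detail is not None else ''}")
```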

Finally, think about how important each password is to you for each account. If someone discovered this password, would it result in

  • your life being ruined?
  • your bank refusing to refund any losses?

If the answer to either is ‘yes’, then I wouldn’t put it in a password manager. For these cases, a password shouldn’t be the only thing that the security of your account rests on. So look at extra defences such as multi-factor authentication.

For other, less important accounts, having the password stolen might be massively inconvenient, but there would be no real permanent damage done. Passwords for these accounts should be OK to go into your password manager.

Some accounts have very low value. For instance, an online forum that requires a password, but doesn’t actually hold any personal information you care about. These passwords can be stored in a password manager without a second thought.

A future without passwords?

Long-term, I think the success of password managers shows – yet again – that password-based authentication has outstayed its welcome. Passwords are supposed to be ‘something you know’, but now we’re saying the best way to manage them is not to know them (because your password manager knows them all for you). Passwords have taken us a long way, but now it’s really time to move on.

The NCSC is working to help us all reduce our reliance on passwords, and to move towards a future where we make greater use of better, more secure, more usable authentication mechanisms instead. In the meantime, we’re also working on some guidance on how best to use password managers in organisations – look out for this soon.

Password managers are a good thing – for now. But we hope not forever.

Source: What does the NCSC think of password managers? – NCSC Site

Cyber Safe Warwickshire – Cyber Criminals are Sending Victims Passwords In New Sextortion Scam

Cyber criminals are sending victims their own passwords in an attempt to trick them into believing they have been filmed on their computer watching porn and demanding payment. Action Fraud has provided the following information and advice. 

There have been over 110 reports made to Action Fraud from concerned victims who have received these scary emails.

In a new twist not seen before by Action Fraud, the emails contain the victim’s own password in the subject line. Action Fraud has contacted several victims to verify this information, who have confirmed that these passwords are genuine and recent. The emails demand payment in Bitcoin and claim that the victim has been filmed on their computer watching porn.

An example email reads:

“I’m aware, XXXXXX is your password. You don’t know me and you’re probably thinking why you are getting this mail, right?

Well, I actually placed a malware on the adult video clips (porno) web site and guess what, you visited this website to experience fun (you know what I mean). While you were watching video clips, your internet browser started out working as a RDP (Remote Desktop) with a key logger which gave me access to your display screen as well as web camera. Just after that, my software program gathered every one of your contacts from your Messenger, Facebook, and email.

What did I do?

I made a double-screen video. First part shows the video you were watching (you have a nice taste omg), and 2nd part displays the recording of your webcam.

Exactly what should you do?

Well, I believe, $2900 is a fair price tag for our little secret. You’ll make the payment by Bitcoin (if you do not know this, search “how to buy bitcoin” in Google).


(It is cAsE sensitive, so copy and paste it)


You now have one day to make the payment. (I have a special pixel within this email message, and now I know that you have read this email). If I do not receive the BitCoins, I will definitely send out your video recording to all of your contacts including close relatives, co-workers, and many others. Nevertheless, if I receive the payment, I’ll destroy the video immediately. If you need evidence, reply with “Yes!” and I will send your video to your 10 friends. It is a non-negotiable offer, therefore do not waste my time and yours by responding to this message.”

Suspected data breach

Action Fraud suspects that the fraudsters may have obtained victims’ passwords from an old data breach.

After running some of the victims’ email addresses through ‘Have I Been Pwned?’, a website that allows people to check whether their account has been compromised in a data breach, Action Fraud found that almost all of the accounts were at risk.

Last month, fraudsters were also sending emails demanding payment in Bitcoin, using WannaCry as a hook.

How to protect yourself

  • If you receive one of these emails, delete it and report it to Action Fraud.
  • Don’t be rushed or pressured into making a decision: paying only highlights that you’re vulnerable and that you may be targeted again. The police advise that you do not pay criminals.
  • Secure it: Change your password immediately and reset it on any other accounts you’ve used the same one for. Always use a strong and separate password. Whenever possible, enable two-factor authentication.
  • Do not email the fraudsters or make the payment in Bitcoin.
  • Always update your anti-virus software and operating systems regularly.
  • Cover your webcam when not in use.
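The indicator-based triage that the advice above implies, as an added Python example that is not Action Fraud's code: it scores a message for the hallmarks of the scam email quoted above, treating the recipient's own breached password in the subject line as one more indicator. The sample messages, the indicator patterns and the known-password set are constructed.

```python
import re

# Indicator patterns modelled on the scam template quoted above. Constructed here as an
# illustration; these are not Action Fraud's or any vendor's detection rules.
INDICATORS = {
    "bitcoin_demand":   re.compile(r"\b(bitcoin|btc)\b", re.I),
    "webcam_claim":     re.compile(r"web ?cam|recording of your", re.I),
    "adult_site_claim": re.compile(r"\b(adult|porn)", re.I),
    "malware_claim":    re.compile(r"\b(malware|key ?logger|rdp)\b", re.I),
    "deadline":         re.compile(r"\b(one|1|24|48) ?(day|days|hours?)\b", re.I),
    "contacts_threat":  re.compile(r"send (out )?(your|the) video", re.I),
}

# Constructed: passwords the recipient already knows were exposed in old breaches
# (for instance after checking their address on Have I Been Pwned).
KNOWN_OLD_PASSWORDS = {"hunter2-2016"}

# Constructed sample messages: one modelled on the scam template, one ordinary.
SCAM = {
    "subject": "hunter2-2016 is your password",
    "body": ("I placed a malware on an adult video site. Your browser started working as a RDP "
             "with a key logger which gave me access to your web camera. I made a double-screen "
             "video. $2900 in Bitcoin is a fair price. You have one day to make the payment, "
             "or I will send out your video recording to all of your contacts."),
}
LEGIT = {
    "subject": "Your monthly statement is ready",
    "body": "Your May statement is available in the app. Bitcoin and other crypto assets are not covered.",
}

def own_password_in_subject(subject, known_passwords):
    """True if the subject line contains one of the recipient's own (leaked) passwords."""
    return any(p in subject for p in known_passwords if p)

def triage(msg, known_passwords, min_hits=3):
    """Score a message against the indicator set; the password-in-subject trick is one more hit."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(msg["body"])]
    if own_password_in_subject(msg["subject"], known_passwords):
        hits.append("own_password_in_subject")
    verdict = "likely sextortion scam" if len(hits) >= min_hits else "no strong indicators"
    return verdict, hits

if __name__ == "__main__":
    for label, msg in (("scam", SCAM), ("legit", LEGIT)):
        verdict, hits = triage(msg, KNOWN_OLD_PASSWORDS)
        print(f"{label}: {verdict} ({', '.join(hits) or 'none'})")
```

A single hit (a legitimate message that merely mentions Bitcoin) stays below the threshold; the scam template trips every indicator.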

You can also find out more information about Sextortion on our advice page here

Source: Cyber Safe Warwickshire – Cyber Criminals are Sending Victims Passwords In New Sextortion Scam

Contactless payment security, concerns and considerations

Contactless payments offer a fast and easy way to pay for goods in-store, but are they really as safe as claimed, and how can you keep yourself safe when using contactless?

The big contactless payment fraud myth

Many banks and consumers assume that contactless fraud is where money is stolen from your contactless card directly. It’s a theory seemingly backed up on social media every few months by images (as below, from Tumblr) and warnings of supposed fraudsters carrying Chip & PIN machines and stealing from seemingly oblivious members of the public. While this sounds, in principle, like a valid concern, it would be incredibly difficult for criminals to operate such a machine without being noticed almost immediately.

There are myths about how easily contactless card fraud can be carried out (Image: Tumblr)

Chip & PIN machines need to be registered with a payment vendor and linked to a bank account before they can be used to charge cards – like how you need to register your mobile phone’s SIM card with a network before you can make a call. Since every transaction is monitored for fraudulent activity, and applying for such a device is a lengthy process with many safeguards to stop fraudulent uses, it’d be incredibly risky for any criminal to do this without drawing an incredible amount of attention to themselves.

Contactless “skimming” is a fraud risk

Contactless payment fraud image (Image: Shutterstock)

While there may be no hard evidence of contactless-based fraud, this doesn’t take into account card details being stolen via contactless for later use – better known as “skimming”. Using widely available technology, or even a smartphone app, criminals can wirelessly read data from your contactless card without charging you a penny. In most cases, the data includes the full 16-digit card number, the card type (Visa, MasterCard, or similar), the issuing bank, the expiry date, the card owner’s name, and in some cases (worryingly) a mini bank statement. With this data, it’s possible for criminals to create a cloned card with the original card details for use at older ATMs, shops, or even websites with poor security checks. Alternatively, they could simply collect thousands of card details with the intention of selling them on to the highest bidder. As there’s no financial transaction taking place, there’s no record of how many times the card has been read wirelessly, where it was read, by whom, or with what motive.

Lost and stolen cards can still work months after cancelling

Contactless card fraud: hackers can use cancelled cards (Image: Shutterstock)

When contactless payments were first rolled out, concerns were raised about pickpockets and thieves being able to use a stolen card, without verification, to make high-value purchases. Reporting a card lost or stolen, and reporting any suspicious activity on your bank statement immediately, should in theory block that card from being used fraudulently. However, there have been mixed reports from members of the public that their cards continued to work long after being reported as lost or stolen. Banks have complex security controls in place to detect fraudulent contactless transactions, but consumers should keep an eye on their bank statements and flag transactions they don’t recognise immediately – even if the card has been cancelled. You should also keep an eye on your credit report for suspicious activity.

What about Apple Pay and Google Wallet?

Apple Pay and Google Wallet: how safe are they? (Image: Apple, Google, loveMONEY)

When contactless payments first made their debut on smartphones, concerns were raised about the security of card details being stored on, and transmitted from, a smartphone. The initial fear was that instead of a malicious person reading card details wirelessly from a wallet – which tends to reside in a limited number of secluded places, such as a pocket or a bag – they could read them from a phone – an item we tend to carry more publicly. Fears surrounding this potential threat quickly subsided, however, as the technology was shown to work only in the specific context of paying for goods. In the case of Apple Pay, for example, card details are only transmitted when the phone detects a Chip & PIN machine that is requesting payment; it requires either a passcode or a thumbprint to complete the transaction, and the 16-digit card number transmitted is semi-randomised per transaction. These features give contactless payments via a phone another level of security in cases where the phone is stolen, or a receipt displaying the full card number is dropped at the point-of-sale terminal.

Keep yourself safe from contactless fraud

Contactless payments offer a convenient way for consumers to pay for goods but, like most technology, come with a handful of security concerns that everyone should be aware, but not scared, of. With that in mind, here are some top tips to help keep yourself safe from contactless-based fraud:

  • RFID-blocking wallets, or a few sheets of thick tinfoil, will block any wireless signal from leaving your wallet without your knowledge;
  • Some banks offer non-contactless cards to their customers, but you have to ask. Contactless is very much the standard issue these days;
  • Using systems like Apple Pay and Google Wallet gives an extra level of security when paying, as they don’t transmit your card details without your consent;
  • Report any cards that are lost or stolen immediately to your bank, and keep an eye on your bank statement for suspicious transactions.

Source: Contactless payment security, concerns and considerations