24 April 2014

Nick Jones - CPP Group Plc

Hacking - how easy is it?

27 May 2011

Would it surprise you to learn that there are over 20,000 videos on YouTube alone that are devoted to hacking? And that the most popular of these video tutorials have millions of views?

You may think that as long as you have up-to-date anti-virus software you are safe online, but these tutorials are designed to teach users how to hack numerous online accounts, including social media accounts, secure online payment systems and smartphones. There are 6,000 videos on how to hack Facebook alone.

The average duration of these videos is three minutes and the most popular of these videos tend to be under three minutes long.

Although there are a variety of hacking tutorials available, two distinct techniques have been identified – ‘man in the middle’ and ‘SQL injection’. A specific search for ‘man in the middle hacking’ returns over 1,000 videos, with the most popular video viewed more than 200,000 times.

‘Screencast’ videos are being used more and more because they are accessible and easy to follow: they demonstrate exactly what the user sees on their own screen. The viewer needs only to replicate what they see online and they have become a hacker. It is unnerving to see that this video has been viewed more than half a million times.

The other common form of hacking video – SQL injection – exploits a weakness in a website that allows the hacker to deliver a specific line of code that causes the website to inadvertently reveal information from its database.

Although these hacking tutorials provide a fast introduction to hacking, they are not for the seasoned professional. There are online communities with thousands of contributors where the science of hacking is constantly evolving. The beauty and danger of the internet mean that these communities are easily found.

Looking to test the effectiveness of this content, CPP recruited a small group of volunteers in a controlled experiment to see if they could use an online tutorial. After signing a disclaimer saying they wouldn’t use the information for illegal or malicious attacks, they were taken through a ‘man in the middle’ technique using Cain and Abel software. The tutorial used a Screencast technique, so as they were taken through the presentation they were also undertaking the hack themselves. It took 14 minutes from the beginning of the lesson to the point at which each volunteer was able to intercept another group member’s passwords.

When we broadened the investigation and asked the general public their views on the issue, over seven million people in the UK claimed to have had their password-protected accounts accessed without their permission.

Asked if they were concerned about the potential for unauthorised access, most people said they were concerned and an overwhelming majority (87%) do not want this type of information online. Many thought it increased the risk of identity fraud and wanted the Government to take action to remove this type of content. Only 1% of people thought ‘hacking’ tutorials were ‘light hearted fun’ and nothing to worry about.

As the Sony data breach has recently shown, it is important for both businesses and consumers to keep anti-virus and firewall software up-to-date and change passwords regularly. To ignore this puts us all at risk.

Tags: Security, Risk & regulation

Comments: (2)

John Dring - Intel Network Services - Swindon | 27 May, 2011, 14:09

Yes, that's unnerving. It's one of the reasons I do not just have a couple of passwords for the many sites/systems that need them, and as a result I have to have a password vault to store them all. I am a big fan of OneTimePassCodes and would much prefer to use the same token for many sites. But it relies on the 'something you hold' factor. Imagine a token-in-the-cloud? So you could get an OTP for any online service without carrying the physical thing. But how to protect the cloud token :)

Dean Procter - Transinteract - Sydney | 01 June, 2011, 01:17

I suppose we could ask RSA, Lockheed or even PBS, they all seem to tragically have fresh first-hand experience.

As I have long pointed out, all your secrets are gone and nothing is secure. Although I myself am unable to hack, I can by casual observation conclude that it is child's play with the snake oil salesmen forever on their back foot. In fact much innovation is child's play, often stolen or misappropriated by their elders.

I myself have enjoyed the education provided by some unique attacks I have witnessed. It is strangely satisfying being attacked by a means as yet unreported 'in the wild' and to recognise it as an attack. It makes you feel special. I guess it's a bit different if you fail to spot it.

I have little doubt that all minds lean towards a particular common idea of a solution for the finternets, yet it is fraught with difficulties to impose it, and without the exact right approach, it will merely compound the problem.

That isn't to say there isn't a solution. A solution to many issues, and when those other issues are recognised the solution to them all will be obvious.

According to WHO that solution shouldn't require too much exposure to your mobile phone or you may increase your risk of brain cancer. I suspect there are a few world leaders and bankers who have spent too much time on their phones. Perhaps a checkup might explain a few things.
