Yes – despite what it says – AA customer credit card data was exposed

The AA’s response has been at best shambolic, and at worst downright deceitful.

Last night, the AA (the UK’s Automobile Association) tweeted that it had resolved a “data issue” on its shop website following reports that sensitive data (including customers’ names, addresses, email addresses, and partial credit card information) had been exposed on a publicly-accessible server.

[Image: AA tweet]

The AA Shop data issue is now fixed, No Credit Card info was compromised & an independent investigation is under way. We’re sorry.

Rumours of a data breach involving AA customers first popped up on Twitter over a week ago, when security researcher Troy Hunt said that he had been contacted by someone who had informed the AA of a security problem back in April.

[Image: AA conversation]

The data remained accessible for a few days, before finally being secured. But the AA decided not to tell its customers in April (or May, or June) that there had been a problem.

What the AA *did* do was warn customers “urgently” that they should not respond to an email seemingly from the AA about a password change.

The company later confirmed that it had indeed sent the email (albeit “in error”) and that no passwords had been changed. Which is curious in itself, because some customers did report that their passwords stopped working, and others described on Twitter how when they contacted the AA’s support team via telephone they were told that they had been “hacked”.

[Image: AA “hacked” tweet]

Of course, there is nothing to indicate that the bizarre password reset email had anything to do with the earlier security breach.

If you’re finding this confusing to follow, you’re seemingly nothing like as confused as the AA.

Amid criticism from the security community and growing media interest, the AA’s support Twitter account went into overdrive describing the reports of a data breach on its online store as “speculation” and asserting that “credit card details have not been compromised”.

https://twitter.com/TheAA_Help/status/881902730276679680

Quite how much of the report of a data breach the AA believes to be speculation isn’t made clear. And it also doesn’t say what’s not speculation.

But one thing’s for certain. Partial credit card data of AA customers *did* leak out.

Here is a small sample of the data that was exposed through the AA security breach – containing card details such as expiry date and the last four digits of the card number:

[Image: redacted sample of exposed credit card data]

That’s obviously not as bad as full credit card details, but for the AA to downplay the incident and say that “no Credit Card info was compromised” seems wrong on so many levels to me.

With just those last four digits – and accompanying information about the customers’ name and contact details – it’s easy to imagine how fraudsters could target users, pose convincingly as the AA (“here are the last four digits of your credit card number”), and extract further information that could be maliciously exploited.

Perhaps the AA, and other organisations, would be wise to read Troy Hunt’s excellent article about how to properly disclose a data breach. Because the way the AA has handled this incident appears to have been at best shambolic, and at worst downright deceitful.

The Information Commissioner’s Office (ICO) have been informed, and the AA says it has brought in independent investigators.

For further discussion of this incident (and the AA’s response to this blog post) take a listen to this episode of the “Smashing Security” podcast:

Transcript
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
Who's Recorded Future?
GRAHAM CLULEY
Ah, Recorded Future. They're marvelous. They are very generously supporting the podcast this week.
CAROLE THERIAULT
Oh, that's nice.
GRAHAM CLULEY
Isn't it great?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
They are the real-time threat intel firm, and they use machine learning technology to analyze the open and the dark web to give people— Yeah, I know.

To give people greater insight into emerging threats. What's really going on out there.
CAROLE THERIAULT
And do they share that information with people like us?
GRAHAM CLULEY
Oh yeah.

So you can either sign up to be one of their customers, obviously, or you can get their free Cyber Daily newsletter and get the latest insights in your inbox at no charge whatsoever.

All you have to do is go to recordedfuture.com/intel.
CAROLE THERIAULT
Recordedfuture.com/intel?
GRAHAM CLULEY
That's right. And thanks to Recorded Future for their support of the show.
CAROLE THERIAULT
I fed you every line there, Graham.
Unknown
Smashing Security, Episode 32. The iPhone 8, a data breach of the AA, and a mystery no-show with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to another episode of Smashing Security. Smashing Security, Episode 32.

And I, my name is Graham Cluley, and I'm joined as always by my good buddy, Carole Theriault. Hello, Carole, how are you?
CAROLE THERIAULT
Hello, Graham, I'm very well.
GRAHAM CLULEY
You still out in Canada, are you?
CAROLE THERIAULT
I am. And you'll see I have a bit of a frog in my throat. I got a bit of a cold from my niece, so I hope I sound clear.
GRAHAM CLULEY
Is she French-Canadian as well?
CAROLE THERIAULT
No, she— well, she's Canadian. She's not really French-Canadian. She's only— and she's 3. She's pretty cute.
GRAHAM CLULEY
Yeah. Okay.
CAROLE THERIAULT
And now, who's our guest today?
GRAHAM CLULEY
Oh, well, I'm a bit worried actually, because he should be here. We were expecting antivirus industry veteran to be joining us today, but he hasn't shown up yet.

So I hope he's all right. Now, in his defense, we are actually recording this on the morning of July 4th.
CAROLE THERIAULT
Well, he's not waking up with a hangover then.
GRAHAM CLULEY
Well, he might start celebrating Independence Day early. Who knows? He is American. So I don't quite know. I mean, maybe he'll be joining us later on. Let's hope so.

But shall we just— I mean, you've got a plane to catch and things, haven't you?
CAROLE THERIAULT
I have a plane to catch. So I think we should just crack on.
GRAHAM CLULEY
Shall we just crack on?
CAROLE THERIAULT
Short and sweet.
GRAHAM CLULEY
And if he joins us later, then that'll be fantastic. Hokey-cokey. Well, let me tell you what I'm going to talk about today. It's an interesting topic.

Which is about the AA, not Alcoholics Anonymous, crew. No, this, I know that's what you were thinking. This is the Automobile Association, which sounds really grand, doesn't it?

It is the British Automobile Association. They are the fellows in the yellow vans who come out and rescue you when your car blows up and try and sort you out.
CAROLE THERIAULT
I've called them. They've been amazing with me. I've only had great experiences with them, actually.
GRAHAM CLULEY
Me too. They're absolutely fantastic. If your fan belt snaps, they are the people who you want to call.

Now, unfortunately, something a little bit odd appears to be happening with the AA, because it looks like they've had a bit of a security incident.
CAROLE THERIAULT
Okay. I haven't read anything about this, because I've been on, you know, Canada Day, family. So I'm sitting here with my popcorn.
GRAHAM CLULEY
I was about to say, grab your popcorn, and I will tell you the story. So the story starts in April.

Somebody found that the AA's online store, which in fairness is run by a third party, appears to have made a boo-boo.

Because a backup database of user information, things like names, email addresses, partial credit card details, had been left exposed.

And so this guy was able to download details of hundreds of thousands of AA customers.
CAROLE THERIAULT
This guy being a security pundit or a baddie?
GRAHAM CLULEY
Well, one assumes a good guy. Because he informed the AA of the problem, and a few days later, it appears that the problem was then fixed.

And he said to them, he said to them in June now, so this was a couple of months later, because he was waiting for the AA to send a message to its customers.
CAROLE THERIAULT
What, a message saying that he found this problem?
GRAHAM CLULEY
Well, a message saying that, you know, your data was exposed. There's a potential for it to have fallen into the hands of bad guys, or, you know, whatever they were happening.
CAROLE THERIAULT
And this is a UK company, right? This is AA in the UK.
GRAHAM CLULEY
Yeah, AA in the UK, yes. I don't know how they operate internationally.
CAROLE THERIAULT
Okay, carry on, okay.
GRAHAM CLULEY
And AA responded to this guy and said, "Well, you know, thank you very much for telling us about the problem and everything.

Regarding telling our customers, we are following internal AA policies." I think you can read between the lines on that.
CAROLE THERIAULT
Isn't there an act, a legislation in the UK that says you have to tell customers in this instance if the data's been exposed?
GRAHAM CLULEY
Well, I think it depends on the absolute severity of what has occurred and what information.

Certainly, I would lean more towards informing customers and certainly informing the Information Commissioner's Office, ICO, the regulatory body who look after these things, if an incident has occurred so that they can determine what's gone wrong and what remediation may need to take place.
CAROLE THERIAULT
Yeah, and note, yeah, if this happens after GDPR comes through, that's going to, yeah. Anyway, okay, carry on.
GRAHAM CLULEY
Yeah, that's right.
CAROLE THERIAULT
Well, go listen to that episode.
GRAHAM CLULEY
Go listen to our previous episode if you want to know all about GDPR and the implications there.

So anyway, the breach was discovered in April, there was no notification to customers. May, no notification to customers. June, no notification to customers.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
And—
CAROLE THERIAULT
So a little sweeping under the carpet action.
GRAHAM CLULEY
Well, potentially. It suddenly looked a little bit odd. And it was round about then, at the end of June, that people started receiving a very strange email from the AA.
CAROLE THERIAULT
Purporting to be from the AA, or from the AA?
GRAHAM CLULEY
Well, don't jump ahead here, right?
CAROLE THERIAULT
Okay, I'm sorry, I'm sorry, I'm sorry. Okay, okay, okay.
GRAHAM CLULEY
Sorry. So the AA itself was tweeting out a warning to people saying, whoa, whoa, whoa.

You know, if you get an email which appears to come from us talking about a password reset, please don't act upon the email. Don't click on the link. Don't phone us up.

And people were very confused about this because the link really did go to the AA's website and the phone number really was the AA site.
CAROLE THERIAULT
So they're thinking, why would someone do that if it was for nefarious purposes?
GRAHAM CLULEY
Yes. And a few hours later, the AA came out and they said, well, look, the email was legitimately from us, but it was sent in error. OK. An accident occurred.

But there were still some customers who were very confused about this because some customers reported that they had tried to log into the AA website and their passwords had stopped working.

There was one user on Twitter who had actually contacted AA's support team via the telephone, and they claim that they were told that the AA had been hacked.

And yet the AA was now sending emails to people saying there's been no hack, there's been no data breach. You know, don't panic, everybody.

Please forget that email which we sent you about password reset.
CAROLE THERIAULT
Yeah, this all smells a bit fishy, doesn't it? I would— if I was involved in this, I would be going, something's going on.
GRAHAM CLULEY
It's so curious.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
It may be that that email was sent entirely in error, right? And I have no reason to believe that it was connected to the earlier security breach.

But all of this talk of the email, of course, got people thinking about the earlier breach, and people started talking about that more.

And people started saying to the AA, hang on, you had some kind of credit card breach. Data was compromised.
CAROLE THERIAULT
It was exposed.
GRAHAM CLULEY
Back in April.
CAROLE THERIAULT
Back in April.
GRAHAM CLULEY
And the AA then went round headless chickens on Twitter trying to calm everyone down, saying, all these media reports of us having a breach. They're full of misconceptions.

It's full of inaccuracies. And none of our credit card data has been exposed.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Hmm.
CAROLE THERIAULT
And who's saying this? This is the CEO? Or this is just official communications from AA?
GRAHAM CLULEY
Official communications from the AA were saying this.

And meanwhile, the BBC were reporting that there appeared to have been a breach and Motherboard and other sites and security researchers Troy Hunt were tweeting about this as well.

And Troy, for instance, was confirming with people in that database which had been exposed that they were indeed AA customers.

And yes, the partial credit card information contained in that database did match their credit card numbers. And yet still, the AA said nothing happened. No, there was a problem.

We fixed it on our store website, but credit card information has not been compromised.
CAROLE THERIAULT
Oh, God. This is 101 how not to handle a situation this.
GRAHAM CLULEY
Well, that's what I think. And this morning, what I did— We're recording this on Tuesday, just so everyone knows, we'll put this out on Thursday.

But this morning on Tuesday, I posted a blog post 'cause I've seen all this and I thought, hang on a minute, I got my hands on a screenshot of some of the credit card data, the part of the AA database containing people's credit card information, expiry dates, the last 4 digits of the credit card number, as well as there was additional information in the databases such as the users' names and contact details and so forth.

And I posted a redacted version of that on my website and said, "This doesn't make sense because this looks credit card data to me, but the AA say none of it has been exposed." And do you know what happened?
CAROLE THERIAULT
No.
GRAHAM CLULEY
Well, the AA got in touch with me and suggested that I should take the screenshot down fairly urgently because he believed I was in breach of the Computer Misuse Act.
CAROLE THERIAULT
That's—
GRAHAM CLULEY
Shh.
CAROLE THERIAULT
That sounds a bit panicky. Oh dear. Okay, so he tells you your story. Basically, he doesn't your story.
GRAHAM CLULEY
He doesn't my story. He says that it's full of misconceptions and it's inaccurate.
CAROLE THERIAULT
And you asked him to clarify those misconceptions?
GRAHAM CLULEY
Absolutely. So I'm hoping he's going to get back to me with a statement which I can publish at the end of my article, and I will link to that, obviously.

I want to give him a platform. But so far, all he's sort of said to me is that no passwords were changed in the email error episode.

Well, you know, I didn't necessarily say that they were. I just said that some customers reported they couldn't get in. Also, he's saying no credit card information was compromised.

And it's just like, well, I can see some. And other security researchers are saying they see some as well. So it feels very shambolic. It feels like a complete mess.

I prefer to think that rather than deliberately trying to cover up the facts.
CAROLE THERIAULT
Well, if they want advice on how to handle it, I'm happy to speak to the AA.
GRAHAM CLULEY
Carole offering her services as a PR crisis expert.
CAROLE THERIAULT
Yes, I'll even do it pro bono. This could be handled much, much better. Because the problem with handling it like this is they're gonna lose trust with their customers.

If people don't feel like they trust you, they don't wanna be with you. And there's a lot of competitors, right, to the AA?
GRAHAM CLULEY
Well, yeah, I mean, there are some big competitors, that's certainly true. But I mean, the thing is this, a breach can happen to any organization. Absolutely.

No one's immune to a security incident happening. And I have sympathy for that happening. You know, we don't know the full details of how this particular one happened.

It sounds like there was a third party involved as well who may have some culpability, who knows?

However, if something like this happens, the first thing you need to think about are your customers and being open and transparent with them.
CAROLE THERIAULT
It's their data that's breached.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Right? Like, sure, it's your systems that are maybe compromised, but you just need to put a bit of mortar in there and get it fixed, you know? Plug the leak.

But it's their data that's gone.
GRAHAM CLULEY
You want to do everything you can to avoid the perception of a cover-up. I mean, what kills—
CAROLE THERIAULT
No, no, Graham. No, no. You do not want to do a cover-up. It's not perception. It's not just perception, right? It's don't do a cover-up.
GRAHAM CLULEY
Right? Not in this case. Right, yeah. Don't cover it up, but avoid any chance that someone might mistake it as potentially being a cover-up. I mean, Nixon, right? Richard Milhous Nixon.

What did him? It wasn't so much the bugging of the Watergate building. It was the cover-up afterwards, which eventually got rid of him.

And that is what so many organizations need to learn, is you will get in a much worse mess than the data breach if you fumble and screw up your customer communications and they lose your trust.
CAROLE THERIAULT
So my free advice to them right now in this situation is for the head honcho to write a blog article detailing what's happened in a timeline fashion, going back to April and to date now, explaining it to the customers.

And it should be open and, you know, for all of us to read.

He doesn't have to go into details about the breach or how the hack worked, because he doesn't know, but he should be able to explain the process of finding— because we know, we've been in these situations.

We know information dribbles out, in a non-orderly fashion and you have to piece all these things together to figure out what happened. Sometimes it takes a while and it sucks.
GRAHAM CLULEY
And actually, you can turn a disaster into something actually positive because you can actually grow more trust by being more open and honest with people.

And yeah, I think you're right. I mean, it's been a bit of a mess.

It's not completely unrecoverable, but it feels to me like they've got themselves in a much worse mess than even the original data breach could have potentially caused.
CAROLE THERIAULT
Well, we'll see what happens. I think if anything else happens before publishing on Thursday, we could maybe add just a little update just to make it more timely for our listeners.

Right, Graham? Great. Over to Jed's topic. Great, but I can't wait to hear what you're going to talk about today.
GRAHAM CLULEY
He's not here, Carole. Seriously, I hope he's all right.
CAROLE THERIAULT
Okay, of course. Okay, 99%, he's probably all right, right? He's probably just slept in, or he's forgotten about it, or he doesn't use his calendar.
GRAHAM CLULEY
How could you forget about the Smashing Security podcast?
CAROLE THERIAULT
Okay, honestly, I am hurt. Okay, I'm a little hurt, but I am, right? I like this thing, and this has never happened to us before, you know?
GRAHAM CLULEY
It's not like other people wouldn't want to be on.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
We're, you know, we had Shabaaz Malik the other week. He was very keen.
CAROLE THERIAULT
John Hawes was really keen.
GRAHAM CLULEY
John Hawes. Oh, he's excellent.
CAROLE THERIAULT
Yeah. And we, you know, and we have Michael Hucks coming in next week.
GRAHAM CLULEY
He's going to come around.
CAROLE THERIAULT
Yeah. We've had him once before. He's great.
GRAHAM CLULEY
Fantastic.
CAROLE THERIAULT
Anyway, we hope you're okay. But if you are okay, where are you?
GRAHAM CLULEY
Carole, over to you. What is your story of the week?
CAROLE THERIAULT
Okay. Well, I want to talk about iPhone's 10th anniversary.
GRAHAM CLULEY
Okay. And that is coming up.
CAROLE THERIAULT
And rumours have it that Apple is preparing quite an exciting launch to celebrate this anniversary.

So for the first time, there's gonna be 3 phones available and they're expected this fall, 2 of which are gonna be upgraded versions of the current models, but one is a top-of-the-line kind of handset with a completely overhauled look.

And this is all according to Bloomberg. So predicted features.

Now, of course, we all know that Apple keep this very close to their chest and people, you know, and they put out loads of prototypes to be tested, to be produced, to try and kind of confuse it.

So it's quite fun. It's a bit like a movie. Now, so predicted features include a curved glass front, a stainless steel housing, better color display.

So like deeper blacks, whiter whites, better camera.
GRAHAM CLULEY
I've always got a problem with the blacks and the whites on my iPhone. What are people like? How good are people's eyesight that they need that sort of stuff done, really?
CAROLE THERIAULT
You should go and Google the darkest black. There's great YouTube videos about the deepest black. They can only produce a tiny amount every year, but it's as dark as anything.

It's the darkest black ever.
GRAHAM CLULEY
It's quite cool.
CAROLE THERIAULT
It's really cool how they do it. You should go watch it. All right. Okay. Okay, anyway, so they're also looking at, Apple's also looking at testing faster processors, right?

Based on smaller 10-nanometer production. Now that's down from 16 nanometers, which is what's in current existing phones.

And smaller processors are quite cool because they're more efficient and they will help you provide more features, allowing Apple to retain battery life while giving you new cool stuff.

So that's quite a cool balancing act that they've gotta face.
GRAHAM CLULEY
You know, you know what I'd like? What would you like? Yeah, because I know Tim Cook is listening to this, right? Yes, of course he is. He's a big fan of the show.
CAROLE THERIAULT
Steve Jobs probably isn't.
GRAHAM CLULEY
Please.
CAROLE THERIAULT
Okay, go on, go on. Okay, so Tim Cook's not listening, but what feature would you like?
GRAHAM CLULEY
Anyway, look, listen, listen, listen.
CAROLE THERIAULT
I'm listening.
GRAHAM CLULEY
They keep on shaving off more millimeters to make the phone even skinnier, right? I don't need a skinnier phone. I need a phone which has got a fatter battery, right?

That's what I actually want. I don't want something which is gonna— And I also don't want one of those clown shoe phones. You know, they now have these enormous— Samsung do it.

And there's the iPhone 7S. Is it the 7S? The stupidly large one, which makes me look like I've got hands the size of Donald Trump.
CAROLE THERIAULT
Well, you do. Okay.
GRAHAM CLULEY
Okay, my hands are quite small, that's true. But anyway, I just don't want anything which emphasizes it even more.

So can we just have a better battery, full stop, rather than trying to squeeze everything into a smaller space?
CAROLE THERIAULT
You know, it's interesting. So my niece and nephew have been hanging out, family, right? They're what, 8 and 10, right?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
They have these ginormous kinds of cases they put around their phones, their little iPods. They're not phones, but, you know, iPod stuff they're playing with.

It's huge, looks like a monster. And the other one looks like an old rotary phone on the back. It's twice the size of the phone in terms of width.
GRAHAM CLULEY
Is this to protect them if they drop them or something?
CAROLE THERIAULT
Well, it's A, I think it's cute. B, I think it does protect it.

But 3, I think it's easier for them to hold and see the screen because they have their little hands and they, you know, they're holding this plastic bit in their arms and they can see the full screen without their fingers kind of, you know.
GRAHAM CLULEY
So you're saying that I have the hands of a 7-year-old girl? Is that what you're saying?
CAROLE THERIAULT
I'm saying lots of people might prefer a larger phone, you know, with more battery than a very skinny thing. Anyway, okay, well, Graham, I'm sure Tim Cook heard you.

Okay, sorry, sorry for the interruption. No, no, it's fine. Now, one of the cool changes is they want to do away with the bezel.

So the edge around the screen where the home button sits.
GRAHAM CLULEY
Oh yeah.
CAROLE THERIAULT
And the problem with that is if the home button disappears, do we say bye-bye to Touch ID fingerprint scanning? Right? Because that's what we use.

So some have suggested, so people are thinking, oh, if they're going to make the whole front of the screen, you know, an actual screen, where's the button going to go?

Some have suggested it might move to the side or the back of the phone.
GRAHAM CLULEY
Yeah, the back. I think some Android phones have their sort of fingerprint scanning on the back of the phone.
CAROLE THERIAULT
Yeah, I don't know. I find that, I think that would annoy the heck out of me actually.

I think it would feel that I was locking my phone, you know, I would be touching it all the time in a way that would be annoying. And also what about phone cases?

Anyway, doesn't matter.

But some are suggesting that actually what's actually gonna happen is they're gonna introduce 3D-based facial recognition sensors combined with eye scanning technology.

So users rather than using their thumbprint or index print will actually scan their face and eyes in order to log in.
GRAHAM CLULEY
All right.
CAROLE THERIAULT
I know, I felt weird when I first read this. I was thinking, you know, first they collect all our fingerprints. Now they want to know all our facial mapping and eyes, eye scans.
GRAHAM CLULEY
Although to be fair, okay, when they did the fingerprint thing, Apple was quite good.

It wasn't as though your fingerprint data was going to Cupertino so they could put it in some evil database.

It was kept in a secure enclave, I think they called it, on the actual device. So they were keeping it very securely.

And I would imagine if they are going to do any kind of 3D facial recognition, eye scanning stuff, I think Apple will be very conscious of that.

And they will want to store that securely on the device rather than, frankly, they don't want to hold that kind of toxic data. Who wants to store that data?

Because if it ever was breached, that'd be a problem for them.
CAROLE THERIAULT
So right now, this is the problem that they've been having with government authorities who kind of want access.

Is that part of, you know, is that kind of, so they're basically saying we can't access, we can't decrypt a phone.
GRAHAM CLULEY
Well, yeah, they store this information very securely, exactly.

And so they will not jump through hoops for law enforcement, and that's why law enforcement finds it so difficult sometimes to unlock these devices.
CAROLE THERIAULT
Yeah, I don't know if the law changed though and they're forced, would they be able to access this information and provide it to authorities upon a specific request?
GRAHAM CLULEY
I guess you could point the phone at your suspect's face or something like that if you have habeas corpus, you know, if you have their body.
CAROLE THERIAULT
It's harder to cut off your face than your fingers, right?
GRAHAM CLULEY
Well, I haven't tried either. Oh, you cut off your finger recently, didn't you?
CAROLE THERIAULT
I do cut my fingers a lot. I do a lot of cooking. So I do have— now, yeah, they're collecting the facial, you know, facial identifying data. I agree. They do store it well.

I mean, they sell, as you were saying, they sell the phones, right?
GRAHAM CLULEY
They don't give you a cheap handset and then sell the data or use that data to sell ads.

This, I think, is quite an important difference between Apple and some of the other manufacturers out there and some of the other technology companies.

Apple charge you an arm and a leg for some of their devices because they want to make money selling the hardware.

They want to make money selling you apps and things like that, right? That's how they've made themselves a fortune.

There are other companies out there, naming no names, who are much more interested in giving you devices on the cheap.

And then they will make money through advertising or collecting your information and monetizing that information instead. So there's a fundamentally different approach.

And as you can imagine, working in the security and privacy field, we lean one way a little bit more than the other.
CAROLE THERIAULT
And I don't know, they're sexy devices. That's the thing.

Actually though, I am going to try and stick with my 6S as long as possible because I really like the whole cable headphone thing. I don't want to have— I want the cable.

And I don't want it.
GRAHAM CLULEY
Well, they removed all that, didn't they? To make it skinnier, I think. You see?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
You see? But more than that, Carole, it's not just about them being sexy devices.

I think the amazing thing about the Apple iPhone, and here we are at the 10th anniversary, the incredible thing is there has been no major malware outbreak for iPhone.
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
That is extraordinary.
CAROLE THERIAULT
It's extraordinary in 10 years, actually. And how many of the, maybe 20% of mobile phone users use Apple, use iPhones?
GRAHAM CLULEY
I don't know. There are many more Android users than iPhone, but clearly, it's a serious market.
CAROLE THERIAULT
I think they do have a dedicated following.
GRAHAM CLULEY
There have sometimes been very targeted attacks and obviously there are other threats beyond sort of malware, but generally they've done a really good job and they've done a good job by frankly being control freaks about what happens on their device.

But also to give them credit, thinking about security and privacy, I think in a way which other companies maybe could take a lead from.
CAROLE THERIAULT
Yeah, but you know, I can't help but wonder if the next version, the iPhone 9 is gonna have a tiny little needle that pricks into your finger to just do a DNA collection to let you in, you know.
GRAHAM CLULEY
Let's hope it never comes to that. Well, I think it's time probably to thank our sponsor for supporting the show this week.
CAROLE THERIAULT
It is. Smashing Security is made possible by the generous support of Recorded Future.

Recorded Future are the real-time threat intel firm whose machine learning technology analyzes the open and dark web to give you great insight into emerging threats.

Sign up to their Cyber Daily Newsletter and get the latest insights at recordedfuture.com/intel. That's recordedfuture.com/intel. On with the show.
GRAHAM CLULEY
Okay, welcome back to the show, and it is time for our picks of the week. Pick of the week. Pick of the week. Our favorite bit of the week, isn't it? Pick of the week.
CAROLE THERIAULT
It is, although mine's not fun. Funny. Maybe I should go first. Maybe I should go first because mine's fascinating, but it's not funny, and I know you like funny ones.

So I thought, you know, maybe I should go first and you go second.
GRAHAM CLULEY
It's a bit like the 'and finally' bit on a news report of the skateboarder. You want to leave people on a happy note. Have you got something a bit miserable then?
CAROLE THERIAULT
Yeah, but fascinating.
GRAHAM CLULEY
Alright, go on then.
CAROLE THERIAULT
Okay, so the reason I'm calling this a tip is that my tip is don't do this. Okay, that's my tip.
GRAHAM CLULEY
Alright.
CAROLE THERIAULT
Okay, so this is all about kids, two teens trying to become YouTube celebrities, and they come up with a rather, I don't know, insert modifier here, idea to ramp up their views and subscribers to their YouTube channel La Mona Lisa.

Okay, now, Mona Lisa is a kind of channel that features this couple doing dares and stunts, and, you know, a few family videos and that kind of thing. So this is their idea.

You tell me what you think. Tell me if you would try this at home, right? So you set up two cameras to capture your wife or your girlfriend firing a gun at you.
GRAHAM CLULEY
Hang on a minute.
CAROLE THERIAULT
From a foot away. From a foot away. But don't worry, you have protection in the form of a hardback book. And I think in this case an encyclopedia was used in front of your chest.

So imagine Mrs. Cluley pointing a gun at your chest, right, a foot away.
GRAHAM CLULEY
I can easily imagine that.
CAROLE THERIAULT
Okay. And the guy, this guy Pedro Luis Ruiz, okay, apparently convinced his girlfriend, Mona Lisa Perez, that the book would stop the bullet from a foot away.

Okay, now you're thinking, okay, maybe what kind of gun were they using? That was the first question I asked. What kind of gun did they use, right?
GRAHAM CLULEY
Yeah. Maybe it's shooting blanks.
CAROLE THERIAULT
They didn't use a little nothing, a little .22. They used a Desert Eagle .50 caliber pistol.

Now, I of course had to Google this, knowing absolutely nothing about guns, but was quite shocked to learn that the .50 in that title actually refers to the bullet size, and that means that the bullet is half an inch in diameter.

This gun is a massive handgun. It can shoot— the bullet can go, if uninterrupted, 200 meters is its maximum length.
GRAHAM CLULEY
Oh my goodness.
CAROLE THERIAULT
Right?
GRAHAM CLULEY
That is quite a big bullet. I don't know anything about guns. I'm British.
CAROLE THERIAULT
Think about half an inch, right? Like, think about half an inch. Anyway, it's a huge bullet. It's huge.

I'll put links in the story so you can actually go see how much bigger it is than this.
GRAHAM CLULEY
And he's not wearing—
CAROLE THERIAULT
He's wearing an encyclopedia.
GRAHAM CLULEY
I've got a bad feeling about how this is going to end. Yeah.
CAROLE THERIAULT
It did not.
GRAHAM CLULEY
Okay, so he's not wearing a bulletproof jacket. She's just shooting from a—
CAROLE THERIAULT
Yeah, close range, through an encyclopedia, into his chest, and yes, it went completely through.

Now, what makes this kind of tragic is that he did a bit of testing on this beforehand, and he shot it through a stack of books, I think on a bookcase, and he was able to show his friend that the bullet did not go through the entirety of the first book.

But of course, the pressure of all those books being together may have made that different, right? It might have changed that.

Taking the book out and just holding it in front of you. And also, wouldn't the force of the gun slam that book to your chest so fast? Oh, anyway, I just think it's so crazy.
GRAHAM CLULEY
I suppose I don't have to ask— he's died, has he?
CAROLE THERIAULT
He has died.
GRAHAM CLULEY
Oh my goodness.
CAROLE THERIAULT
She, pregnant with their second child, now faces second-degree manslaughter charges. She's looking at a maximum sentence of 10 years in prison or a fine of $20,000. Or both.

So I thought, God, could this actually be a Darwin Award? Could this be a Darwin Award? So I looked up the Darwin Awards. I know, I know, but come on, come on.

It is a silly thing to do. But however, it doesn't because, you know, yes, yes, you know, he has died. So that's one, that's one category, one criterion.

Astounding misapplication of judgment, which I think this qualifies. But the problem is he didn't cause his own demise, did he? Even though it was his plan.
GRAHAM CLULEY
Because he didn't—
CAROLE THERIAULT
He didn't pull the trigger. Yeah, he didn't pull the trigger.
GRAHAM CLULEY
This is—
CAROLE THERIAULT
But you know what scares me? What scares me is the— you must want fame so badly.
GRAHAM CLULEY
Yes, I do.
CAROLE THERIAULT
They wanted to do this for maybe we can get 300,000 subscribers. That was the day before.

There's videos that are still on their channel that you can see from the day before and a few hours before saying, we're really hoping for that. Anyway, so this is my tip.

Don't do this. You know, when we have to learn— I know you don't like us talking about these kind of things, but we have— I think we have to learn about these things.

The more people talk about it, they'll think, okay, not a good idea, think twice.
GRAHAM CLULEY
Yeah. Anyway, okay, thanks for sharing your pick of the week.
CAROLE THERIAULT
Hey, okay, you go, you go, you go. Cheer us up, cheer us up.
GRAHAM CLULEY
All right, well, I'll give— well, you know, I don't know if mine's completely cheery either. Better. So I've been having a few problems with my ear.
CAROLE THERIAULT
Oh, it's true.
GRAHAM CLULEY
Yeah. So I love podcasts. I love nothing more when I go to bed at night—
CAROLE THERIAULT
Me too.
GRAHAM CLULEY
Than to have a little earphone shoved down my ear canal, playing a podcast, probably this podcast. I just listen to Smashing Security for 8 hours every night.

What better way to spend my time? Okay, I do this.
CAROLE THERIAULT
I do this. Are you saying I'm doing something wrong? I do this.
GRAHAM CLULEY
Yeah, for goodness' sake, you've got to stop doing— You serious? Yeah, because not— well, here's the thing. So I've now become an expert on ears and ear-related diseases. Dr.
CAROLE THERIAULT
Graham is in the house. Tell us everything.
GRAHAM CLULEY
You know earwax? First of all, apparently it's nothing to do with being grubby. But earwax is generated in order to get rid of foreign bodies in your ear.

And earwax naturally is supposed to come out of your ear, and it typically comes out of your ear at night. Right? Now, if you've got your earphones in, your earwax does not come out.

And if you keep on wearing earphones all the time, and I'm talking about these in-ear earphones, as it were, then— Like the iPhone?
CAROLE THERIAULT
Like iPhone? Yeah, exactly.
GRAHAM CLULEY
Like those. And there are many other brands as well.
CAROLE THERIAULT
No, no, I just mean that there's some that you can also shove into your ear, you know, that kind of seal around the— I guess it's your ear canal?
GRAHAM CLULEY
Yeah, I'm talking about the ones which actually go in the hole. Right? Okay. But the point is, earwax is meant to come out, right?

So I started to get— I had a bit of sinus trouble the other day, and I started to get some pain in my right ear. And initially I thought— Poor Graham. Yeah, exactly.

And I went to the doctor, and the doctor said, well, we can't actually see what's going on with your eardrum because you've got too much earwax in this particular ear.

And I said, okay. So I got that sorted out. Turns out these days they basically use a vacuum cleaner to get rid of earwax, right? They don't syringe it anymore.

They've got this little micro suction thing. Very cool. So I went and got it. And so I had the earwax removed and I thought, once I've done that, I'll be able to hear properly.

Because the problem was, when I began to suffer, it felt like my right ear had not popped. And so I was constantly underwater.

And so they got rid of the earwax and unfortunately that hasn't changed anything.

And I've got some infection or some liquid fluid in my middle ear, which makes me feel like I'm underwater.
CAROLE THERIAULT
Yes, I'm actually only shocked because I'm worried about my ears.
GRAHAM CLULEY
That's right. And it's not very pleasant at all, and it can take months to fix.

But one of— but don't worry about that, you know, I'm getting medication, and it may be that I have to have a little operation.
CAROLE THERIAULT
That you're worried that all your listeners are going to send flowers or something?
GRAHAM CLULEY
Jesus Christ. There are things which they can do, but it takes a little bit of time. And, but here's what I discovered.

There are these things called sleep earphones or sleep headphones, and they're kind of cool.

So, Carole, if you are like me and you love to listen to podcasts and fall asleep listening to podcasts, you can wear this— you can get them on Amazon and things like this, different priced ones, but you can get these things which are like a John McEnroe style headband.

So it goes, so it's like, you know, hey, I've just been down the gym or whatever like that. But they have slipped into them very, very flat speakers on the side.
CAROLE THERIAULT
Hey, and that'll help you with your sweating problem as well.
GRAHAM CLULEY
Well, I've got, you can get them in different materials. So there are ones which are better for hotter climates and hotter times of the year than others.

But anyway, you can sleep on these quite comfortably and you can still have your little voice. It's even possible to get wireless ones.

Now, I thought that was a bloody stupid idea, to be honest, because why would I want some very clunky Bluetooth device in my headband connected to my phone?

So I've got one which is on a wire, but it means I can listen to my podcasts and there's nothing actually in my ear. And of course, Mrs.

Cluley hopefully will not be irritated by any extraneous noise coming from whatever I'm recording.
CAROLE THERIAULT
Oh, of course, because I was just thinking about, you know, if someone, because you know how there's flexible plastics and flexible readers now.

You could actually— if you could put a speaker into that, you could actually just have it under your pillowcase, right?

Because my mom listens to podcasts— listens to radio all the time, right? She does it through— she has a tiny speaker that she puts underneath her pillow, right?

And then the sound comes through her pillow. Apparently it doesn't bother my dad at all, and because she doesn't have things in her ear. So yeah, interesting. Well, that's cool.

Okay, yeah, I'll look into that.
GRAHAM CLULEY
Yeah. Thank you very much. You might want one. I think I might. Yeah. But yeah, just people, just take care of your ears, right? We want you to carry on listening to the podcast.

So look after them.
CAROLE THERIAULT
Yeah, right. There's not any other senses they can use, right?
GRAHAM CLULEY
Well, not for the podcast. Not for the podcast, exactly. No.

And if you do like the podcast, be sure to go and give us a good review on something like iTunes or Stitcher, or I don't know if you can give reviews on Google Play, but we're up there as well.
CAROLE THERIAULT
Have you guys learned how desperate Graham is for reviews? Have you gotten wind of that?
GRAHAM CLULEY
It's the only validation we get, Carole.
CAROLE THERIAULT
I get lots of validation.
GRAHAM CLULEY
Even our guests don't show up anymore.
CAROLE THERIAULT
Oh my, he didn't show up at all, did he? You're going to have to call him.
GRAHAM CLULEY
You're going to have to call him. I'll give him a call. But I hope that hasn't been too— hope you haven't missed out too much on this extra short edition of Smashing Security.

Carole, thank you for showing up. I showed up to every single episode.
CAROLE THERIAULT
You have.
GRAHAM CLULEY
You've been very good. So have you.
CAROLE THERIAULT
Well done to you, Graham Cluley.
GRAHAM CLULEY
Do you remember that Vanja guy? Who? Go to www.smashingsecurity.com. You can leave us a comment up there.

You can find our email form as well if you want to drop us a line and a link to our Twitter. But until next time, toodle-oo, bye-bye.
CAROLE THERIAULT
Bye.

Update: AA apologises, and confirms customers’ partial credit card data *was* exposed


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

7 comments on “Yes – despite what it says – AA customer credit card data was exposed”

  1. Etaoin Shrdlu

    Judging by the years of junk mail I got from the AA after leaving them, they keep your info forever.

  2. Chris Pugson

    It's the deceit and denial that's the worst thing. The AA is obviously incapable of honesty. There are plenty of alternatives to this bunch of cowboys. Trust is a fragile commodity and the AA has trashed mine.

    Tragically, this is a modern British disease in which high-ups constantly endeavour to control their customers by pulling the wool over their eyes. What they don't or won't get is that the customers are wise to this and become ever more cynical. A big part of the problem is that the high-ups are ignorant of technology and so adopt coping strategies such as resorting to deceit to preserve their jobs and muddle through. Our government and its ministers' inability to understand such matters as encryption is an example. This has been coming for more than forty years but the advent of the digital age has brought the issue of the incompetence of delusional high-ups into sharp focus. Dilbert's Pointy-haired Boss symbolises them.

    1. Mark Jacobs · in reply to Chris Pugson

      I couldn't agree more. I wrote this yesterday on another Cluley article :-

      It seems clear to me that the most important systems for society's infrastructure need to have the tightest and best-deployed security measures. NHS, ATC, and all sorts of other systems need the finest and most expert security implementations. However, because of the way these systems are tendered when created, they end up with the cheapest and most traditional solutions, which are inherently inert and difficult to change with the times. The people in charge of these tenders (usually public sector workers under the thumbs of council and other government officials) are some of the least technically-savvy people on the planet (their kids often know far more than they do about these matters!). They always fail to realise that the most popular, or most traditional solutions are very often not the best to deploy, if increased security is what is required. Systems have to be using the most up-to-date ciphers, transport mechanisms, and DDoS-resilient hardware and software. This is a full-time job since the security landscape is constantly changing. That requires a full-time security team working with the systems on a day-to-day basis. Currently, we have a tender process that gives rise to systems which are often deployed once, managed intermittently and patched only when things have already gone wrong. Ad-hoc teams with no previous experience of that particular system are then employed under incredible pressure to sort out problems only after the systems have been hacked or have gone wrong. This cannot continue. The government has to spend LOTS of money on this, or else, one day, important infrastructures will be brought to their knees permanently.

      1. furriephillips · in reply to Mark Jacobs

        Reading this, gave me a little daydream; a roving team of hardcore geeks, fighting to improve user involvement & understanding, and fostering sensible IT equipment procurement policies and security awareness – going from department to department & town to town, making logical & sane decisions for long-term system functionality & enabling easy future upgradability, and acting in real-time, to get our systems into line with some simple, basic policies. #PipeDream

    2. furriephillips · in reply to Chris Pugson

      I listened to the Smashin' Security podcast in horror, as Graham described the AA's actions & attitude – it's unforgivable – never mind the foolish cause of the breach, the integrity of your actions after the fact, define you.

  3. Keith Scott

    AA not able to keep their honesty. That is not good news for us.

  4. Phil S

    I hope they are taking this seriously as they just failed PCI DSS compliance. The expiration date of someone's credit card must be protected to be compliant.
